So I'm going to post some more content to discuss.
I've created a Win 32 C++ Programm (not that hard with VS 2010), which should inject itself into the notepad.exe... but there are some problems, maybe i can start at this point, by getting some help of the codegurus.
so here it is: the Winmain.cpp consists of the following relevant code:
int APIENTRY _tWinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPTSTR lpCmdLine,
int nCmdShow)
{
DWORD dwThreadID = 0;
HWND hWnd = FindWindow(NULL,L"Unnamed - Notepad");
dwThreadID = GetWindowThreadProcessId(hWnd,NULL);
fnSetMyHook(dwThreadID);
UNREFERENCED_PARAMETER(hPrevInstance);
UNREFERENCED_PARAMETER(lpCmdLine);
MSG msg;
HACCEL hAccelTable;
// Globale Zeichenfolgen initialisieren
LoadString(hInstance, IDS_APP_TITLE, szTitle, MAX_LOADSTRING);
LoadString(hInstance, IDC_WINDOWSHOOK, szWindowClass, MAX_LOADSTRING);
MyRegisterClass(hInstance);
// Anwendungsinitialisierung ausführen:
if (!InitInstance (hInstance, nCmdShow))
{
return FALSE;
}
hAccelTable = LoadAccelerators(hInstance, MAKEINTRESOURCE(IDC_WINDOWSHOOK));
// Hauptnachrichtenschleife:
while (GetMessage(&msg, NULL, 0, 0))
{
if (!TranslateAccelerator(msg.hwnd, hAccelTable, &msg))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
}
}
return (int) msg.wParam;
}if I use the following code out of this:
DWORD dwThreadID = 0; HWND hWnd = FindWindow(NULL,L"Unnamed - Notepad"); dwThreadID = GetWindowThreadProcessId(hWnd,NULL); fnSetMyHook(dwThreadID);
dwThreadID gets an Thread ID of my Notepad.exe (the title of Notepad.exe in german windows sounds: "Unbenannt - Editor" so I don't exactly know the title name in english windows systems).
If I use fnSetMyHook(dwThreadID) with the right ThreadID it calls the code in my injector.cpp:
#include "stdafx.h"
#define INJECTIONDLL_API __declspec(dllexport)
#include "InjectionDLL.h"
HANDLE g_DllHandle;
HHOOK g_hMyHook;
LRESULT CALLBACK fnMyCallBack(int nCode, WPARAM wParam, LPARAM lParam);
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
g_DllHandle = hModule;
}
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
INJECTIONDLL_API int fnSetMyHook(DWORD dwThreadId)
{
int nRetVal = 1;
g_hMyHook = SetWindowsHookEx(WH_GETMESSAGE,fnMyCallBack,(HINSTANCE)g_DllHandle,dwThreadId);
if(!g_hMyHook)
{
nRetVal = 0;
}
return nRetVal;
}
LRESULT CALLBACK fnMyCallBack(int nCode, WPARAM wParam, LPARAM lParam)
{
MSG * pmsg = (MSG*)lParam;
static bool fDone = FALSE;
switch(pmsg->message)
{
case WM_DESTROY:
{
if(!fDone)
{
MessageBox(NULL,L"Messagebox called by target program.",L"Injected DLL",MB_OK);
UnhookWindowsHookEx(g_hMyHook);
fDone = TRUE;
}
}
break;
}
return (CallNextHookEx (g_hMyHook,nCode,wParam,lParam));
}This function is called:
INJECTIONDLL_API int fnSetMyHook(DWORD dwThreadId)
{
int nRetVal = 1;
g_hMyHook = SetWindowsHookEx(WH_GETMESSAGE,fnMyCallBack,(HINSTANCE)g_DllHandle,dwThreadId);
if(!g_hMyHook)
{
nRetVal = 0;
}
return nRetVal;
}but it always returns me a 0. Does anyone know why? Oh Yes, here is the injector.h file:
#ifndef INJECTIONDLL_API #define INJECTIONDLL_API __declspec(dllexport) #endif INJECTIONDLL_API int fnSetMyHook(DWORD dwThreadId);
Any Help would be appreciated. Also I don't know how to go on then, which methods should be called in the injector.cpp next, if I wan't to catch the WM_Quit Message from Notepad.exe? And how can I use non standard Windows API functions? Like functions that only are implemented in Notepad.exe?
Anyone? Please, I really want to solve, understand and document this kind of problems.
Edit: Tools Available to use: OllyDB and Visual Studio 2010 or Visual Studio 11 developers preview.