Thread: RE: [GD-Windows] Hijacking application
From: Gareth L. <GL...@cl...> - 2003-08-19 09:09:29
The first thing you want to do is inject a DLL into the address space of the tool. Another way is to write a dummy DLL wrapper for a DLL it uses (D3d.dll is often used) and then you can just aggregate the original DLL and add your own stuff. A lot depends on what you want to actually do.

Probably the best example of a forced-in plugin that I know of is DECAL. It's basically a framework for plugins into Asheron's Call's client. Take a look at http://sourceforge.net/projects/decalac/

So share with us your goal, and we'll try to help you hax0r them :)

> -----Original Message-----
> From: Brian Hook [mailto:ho...@py...]
> Sent: 19 August 2003 02:51
> To: gam...@li...
> Subject: [GD-Windows] Hijacking application
>
> I have a feeling this can't be done, but I figured I'd ask the list
> anyways just in case.
>
> Say I want to write a plug-in for random application XYZ. XYZ,
> however, may not have a plug-in API or it may be broken. Use Notepad
> as an example.
>
> If I wanted to add a plug-in, it seems like it would be pretty much
> impossible unless my plug-in didn't require any of the application's
> other data.
>
> I swore there were a few plug-ins I've seen that have forced their way
> into an application, but I can't think of what they might be now. The
> obvious ones are like Visual Assist, Max plug-ins, Maya plug-ins,
> Photoshop plug-ins, VS plug-ins, etc. but those all have registered
> APIs. I've seen screenshots of people that have retrofitted a new
> menu into Notepad just to prove it can be done, but I'm not sure what
> the point of that is.
>
> The typical way you do this is a pretty convoluted process involving
> subclassing and message hooks, but even then you can only trap new
> menu items and maybe a couple of key messages like WM_DESTROY. You
> obviously can't grab application data and do anything meaningful with
> it.
>
> Brian
From: Rich <leg...@xm...> - 2003-08-19 17:44:22
In article <495...@mi...>, Gareth Lewin <GL...@cl...> writes:

> there are two ways to get your stuff into the product without really hacking
> the binary, that's either injecting your own DLL into the address space or
> wrapping a DLL that is used. Injecting is the 'preferred' way.

What's injecting again? Unless they link against your import library or LoadLibrary() your DLL, how are you going to get it in their address space without wrapping an existing DLL that they use?

"MXMonitor" is an example of a program that inserts itself into another program by wrapping the DLL, I think. MXMonitor is a control client for the WinMX peer-to-peer file sharing client.

--
"The Direct3D Graphics Pipeline" -- code samples, sample chapter, FAQ:
<http://www.xmission.com/~legalize/book/>
Pilgrimage: Utah's annual demoparty <http://pilgrimage.scene.org>
From: Brian H. <ho...@py...> - 2003-08-20 00:32:16
> What's injecting again? Unless they link against your import
> library or LoadLibrary() your DLL, how are you going to get it in
> their address space without wrapping an existing DLL that they use?

IIRC, there's a way (via registry) to force your DLL to get loaded at startup, and then you go from there.

Brian
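The registry mechanism Brian is recalling is almost certainly AppInit_DLLs: every process that loads user32.dll also loads whatever DLLs are listed under that value, which is exactly why it is worth auditing. The script below is an added example for this archive, not code from anyone in the thread; it reads the documented AppInit_DLLs, LoadAppInit_DLLs and RequireSignedAppInit_DLLs values from both the native and the Wow6432Node keys, resolves bare file names against System32 the way the loader would (an assumption about search order that is usually but not always right), and reports whether each listed DLL exists and carries a valid Authenticode signature. The healthy state for a workstation is an empty list with the loader switch off.

```powershell
# Added example (not from the thread): audit the AppInit_DLLs mechanism.
# Both keys are the documented locations; the Wow6432Node view only exists on x64.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Resolve-AppInitPath {
    # AppInit_DLLs entries may be bare names; the loader resolves those through the
    # normal DLL search path. Trying System32 first is an assumption made here.
    param([string] $Entry)
    if ([System.IO.Path]::IsPathRooted($Entry)) { return $Entry }
    return Join-Path (Join-Path $env:windir 'System32') $Entry
}

function Get-AppInitDllAudit {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key

        # LoadAppInit_DLLs = 1 means the list is honoured; a missing value reads as 0 here.
        $loadEnabled   = [int]$props.LoadAppInit_DLLs
        $requireSigned = if ($null -ne $props.RequireSignedAppInit_DLLs) { [int]$props.RequireSignedAppInit_DLLs } else { 'not set' }

        # The value is a space- or comma-separated list; empty is what a defender wants to see.
        $entries = @()
        if ($props.AppInit_DLLs) {
            $entries = @($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })
        }

        if ($entries.Count -eq 0) {
            [pscustomobject]@{
                Key = $key; LoadEnabled = $loadEnabled; RequireSigned = $requireSigned
                Dll = '<none>'; Exists = $null; Signature = $null
            }
            continue
        }

        foreach ($entry in $entries) {
            $path = Resolve-AppInitPath $entry
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Key           = $key
                LoadEnabled   = $loadEnabled
                RequireSigned = $requireSigned
                Dll           = $path
                Exists        = Test-Path $path
                Signature     = if ($sig) { $sig.Status } else { 'Unknown' }
            }
        }
    }
}

Get-AppInitDllAudit | Format-Table -AutoSize
```

Any row with LoadEnabled set to 1 and a Dll other than <none> deserves a look, and a Signature other than Valid more so. On Windows 8 and later with Secure Boot enabled the AppInit_DLLs infrastructure is disabled outright, so an empty result there is expected rather than reassuring on its own; the value is still worth watching because it documents intent.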
From: Tom F. <to...@mu...> - 2003-08-19 18:40:28
It's because of Colin's rather strange little rant at the bottom of his email, after the dots (I've chopped it off the bottom of this email :-).

Tom Forsyth - Muckyfoot bloke and Microsoft MVP.
This email is the product of your deranged imagination, and does not in any way imply existence of the author.

> -----Original Message-----
> From: Gareth Lewin [mailto:GL...@cl...]
> Sent: 19 August 2003 15:37
> To: gam...@li...
> Subject: RE: [GD-Windows] Hijacking application
>
> Uh, I got this reply
>
> MDaemon has indentified your message as spam. It will not be delivered.
>
> From : gam...@li...
> To : aku...@cr...
> Subject : [***SPAM*** Score/Req: 05.60/05.00] RE: [GD-Windows] Hijacking application
> Message-ID: <495...@mi...>
>
> Yes, hits=5.6 required=5.0
> tests=BAD_CREDIT,EXCUSE_1,HGH,HTML_00_10,HTML_MESSAGE,
> INTL_DRIVERS_LICENSE,KNOWN_MAILING_LIST,OPT_IN,QUOTED_EMAIL_TEXT
> version=2.54
> *****
> ---- Start SpamAssassin results
> 5.60 points, 5 required;
> * 2.9 -- BODY: International driving license
> * 1.2 -- BODY: Human Growth Hormone
> * 0.5 -- BODY: Talks about opting in (lowercase version)
> * 0.4 -- BODY: Eliminate Bad Credit
> * 0.7 -- BODY: Gives a lame excuse about why you were sent this spam
> * 0.1 -- BODY: HTML included in message
> * 1.2 -- BODY: Message is 0% to 10% HTML
> * -0.5 -- BODY: Contains what looks like a quoted email text
> * -0.9 -- Email came from some known mailing list software
> ---- End of SpamAssassin results
>
> : Message contains [1] file attachments
>
> Please, people, whitelist stuff from mailing lists. And wow, I'm 100% sure
> I'll never use MDaemon in my life !
>
> > -----Original Message-----
> > From: Gareth Lewin [mailto:GL...@cl...]
> > Sent: 19 August 2003 15:06
> > To: gam...@li...
> > Subject: RE: [GD-Windows] Hijacking application
> >
> > What you describe is basic subclassing in Windows. GWL_WNDPROC is the value
> > you use with GetWindowLong/SetWindowLong.
> >
> > there are two ways to get your stuff into the product without really hacking
> > the binary, that's either injecting your own DLL into the address space or
> > wrapping a DLL that is used. Injecting is the 'preferred' way.
> >
> > > -----Original Message-----
> > > From: Colin Fahey [mailto:cp...@ea...]
> > > Sent: 19 August 2003 14:11
> > > To: gam...@li...
> > > Subject: Re: [GD-Windows] Hijacking application
> > >
> > > Doing GetWindowLong(...) with the handle acquired by FindWindow(...)
> > > can give you the address of the WndProc() for that window. I can't
> > > remember the details, but you can essentially do SetWindowLong(...)
> > > to replace the existing WndProc() function pointer with your own.
> > >
> > > Your WndProc() can essentially be a pass-through function that
> > > calls the previous WndProc() function with the same arguments;
> > > totally transparent.
> > >
> > > However, you can monitor, filter, record, process, augment, etc,
> > > the stream of messages. And there is a LOT you can do with plain
> > > messages! Forget about undocumented functions that you MIGHT
> > > discover using "dumpbin" on the EXE file; just interact with the
> > > application at the same level as the user.
> > >
> > > Of course you don't need to insert your own WndProc() between the
> > > OS and the real WndProc() if all you are doing is ADDING messages
> > > to the queue; you just do PostMessage() from any separate application
> > > to the target window handle.
> > >
> > > But by hooking your own WndProc() in to the application's message
> > > processing you can do cool things, like draw your own controls
> > > or annoying, animated "assistants" after all other painting of
> > > the client area is complete, or mess with keystrokes and mouse
> > > messages. Maybe add your own shortcuts to apps that cannot by
> > > default have new key bindings -- and you can even have a whole mess
> > > of key and mouse macros that activate when you bring up the load
> > > or save dialog boxes! (I was too cheap to buy the full Photoshop,
> > > but Photoshop LE apparently does not have any automation, so I
> > > have been tempted to fix this. For example, I hate having to
> > > always change the file extension from "JPG" to "jpg" when doing
> > > a "Save As...", and unchecking "[x] Save thumbnail" (Does that
> > > even have anything to do with JPG?) So, perhaps hooking in my
> > > own WndProc(), or having a separate app do PostMessage()s,
> > > would make my $99 investment go a little further!)
> > >
> > > I don't remember details, but this stuff is documented in MSDN,
> > > probably in relation to common control "subclassing" in the
> > > days before C++ and MFC!
> > >
> > > I guess your pass-through WndProc() would be free to do its
> > > own CreateWindow() calls to add child windows or controls to
> > > the application.
> > >
> > > Here's the weird part: It MIGHT be tricky to get your WndProc()
> > > in the address space of the target application at run-time,
> > > if that's how you're doing things. One non-runtime option is to
> > > append your WndProc() hijacking code to the tail of the application
> > > somehow (both your WndProc() and the function that does the stuff
> > > with GetWindowLong() and SetWindowLong() to perform the hijack),
> > > and then it is just a matter of arranging for your code to be
> > > called by the real WinMain(). Maybe it would be better to put
> > > the hijack code in a DLL and somehow get the app to implicitly
> > > load it, and in your DllInitialize() function (or DllEntry() or
> > > whatever function is called when the DLL first loads), start a
> > > thread that sleeps for a while, checks for the existence of
> > > the main app window, and either returns to sleep or does the
> > > hijack.
> > >
> > > There are probably much cleaner ways! For all I know, external
> > > apps can trivially hijack WndProc()s of other apps without
> > > doing anything special to get the "interceptor" or "new" WndProc()
> > > in to the target address space.
> > >
> > > --- Colin
> > >
> > > cp...@ea...
From: Mike B. <mi...@wi...> - 2003-08-20 04:11:41
Or you could do some binary instrumentation and hook in that way (no pun intended ;))

http://research.microsoft.com/sn/detours/

"Detours is a library for instrumenting arbitrary Win32 functions on x86 machines. Detours intercepts Win32 functions by re-writing target function images."

HTH,
Mike

-----Original Message-----
From: gam...@li... [mailto:gam...@li...] On Behalf Of Brian Hook
Sent: Monday, August 18, 2003 6:51 PM
To: gam...@li...
Subject: [GD-Windows] Hijacking application

I have a feeling this can't be done, but I figured I'd ask the list
anyways just in case.

Say I want to write a plug-in for random application XYZ. XYZ,
however, may not have a plug-in API or it may be broken. Use Notepad
as an example.

If I wanted to add a plug-in, it seems like it would be pretty much
impossible unless my plug-in didn't require any of the application's
other data.

I swore there were a few plug-ins I've seen that have forced their way
into an application, but I can't think of what they might be now. The
obvious ones are like Visual Assist, Max plug-ins, Maya plug-ins,
Photoshop plug-ins, VS plug-ins, etc. but those all have registered
APIs. I've seen screenshots of people that have retrofitted a new
menu into Notepad just to prove it can be done, but I'm not sure what
the point of that is.

The typical way you do this is a pretty convoluted process involving
subclassing and message hooks, but even then you can only trap new
menu items and maybe a couple of key messages like WM_DESTROY. You
obviously can't grab application data and do anything meaningful with
it.

Brian
From: Gareth L. <GL...@cl...> - 2003-08-20 09:14:58
Injecting a DLL into the address space of a process is basically running a DLL as if it was loaded by the program itself. When you run a program in MSVC you'll see all the DLLs loaded with your process; sometimes you'll be surprised at what runs there (there are a few programs that hook every process as it runs). SetWindowsHookEx is the best way to do it.

Here is a nice tutorial about the stuff:
http://www.codeproject.com/useritems/winspy.asp#section_2

> -----Original Message-----
> From: Rich [mailto:leg...@xm...]
> Sent: 19 August 2003 17:23
> To: gam...@li...
> Subject: Re: [GD-Windows] Hijacking application
>
> In article <495...@mi...>,
> Gareth Lewin <GL...@cl...> writes:
>
> > there are two ways to get your stuff into the product without really hacking
> > the binary, that's either injecting your own DLL into the address space or
> > wrapping a DLL that is used. Injecting is the 'preferred' way.
>
> What's injecting again? Unless they link against your import library
> or LoadLibrary() your DLL, how are you going to get it in their
> address space without wrapping an existing DLL that they use?
>
> "MXMonitor" is an example of a program that inserts itself into
> another program by wrapping the DLL, I think. MXMonitor is a control
> client for the WinMX peer-to-peer file sharing client.
> --
> "The Direct3D Graphics Pipeline" -- code samples, sample chapter, FAQ:
> <http://www.xmission.com/~legalize/book/>
> Pilgrimage: Utah's annual demoparty
> <http://pilgrimage.scene.org>
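Gareth's two points, that a wrapper DLL dropped next to the executable under a system DLL's name (his d3d.dll case, in his first message) gets loaded in place of the real one, and that the module list the MSVC debugger shows is where such things become visible, describe exactly what a defender should check from outside the debugger. The script below is an added example for this archive, not code from anyone in the thread; it walks the loaded modules of a named process and flags a module that shares its file name with a DLL present in System32 but was loaded from outside the trusted Windows directories, as well as any module whose Authenticode signature is not valid. The process name and the list of trusted directories are parameters chosen here, not values from the thread.

```powershell
# Added example (not from the thread): audit the modules loaded into a running process
# for name collisions with system DLLs and for missing or invalid signatures.
function Get-SuspiciousModules {
    param(
        [Parameter(Mandatory)] [string] $ProcessName,
        # Directories from which a system-named DLL is expected to load; an assumption, adjust as needed.
        [string[]] $TrustedRoots = @(
            (Join-Path $env:windir 'System32'),
            (Join-Path $env:windir 'SysWOW64'),
            (Join-Path $env:windir 'WinSxS')
        )
    )
    $system32 = Join-Path $env:windir 'System32'

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        # Reading Modules fails for 64-bit targets from a 32-bit host and for protected processes.
        try { $modules = $proc.Modules } catch {
            Write-Warning "Cannot read modules of PID $($proc.Id): $_"
            continue
        }

        foreach ($m in $modules) {
            $path = $m.FileName
            $inTrusted = $false
            foreach ($root in $TrustedRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true; break
                }
            }

            # A module that borrows the name of a System32 DLL but lives elsewhere is the
            # wrapper / search-order-planting pattern Gareth describes.
            $shadowsSystemDll = (-not $inTrusted) -and (Test-Path (Join-Path $system32 $m.ModuleName))

            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $sigStatus = if ($sig) { [string]$sig.Status } else { 'Unknown' }

            if ($shadowsSystemDll -or $sigStatus -ne 'Valid') {
                [pscustomobject]@{
                    Pid              = $proc.Id
                    Module           = $m.ModuleName
                    Path             = $path
                    ShadowsSystemDll = $shadowsSystemDll
                    Signature        = $sigStatus
                }
            }
        }
    }
}

# Usage: run against a known-clean process first to learn the baseline for this machine.
Get-SuspiciousModules -ProcessName notepad | Format-Table -AutoSize
```

ShadowsSystemDll is the high-signal column: a DLL with a System32 name loaded from the application directory is rarely legitimate outside of deliberate compatibility shims. The signature column is noisier, since third-party software ships plenty of legitimately unsigned DLLs and on older Windows versions catalog-signed system files can report as unsigned, so treat it as a prompt to look rather than a verdict. The same enumeration, run from a scheduled task and diffed against a baseline, is a cheap way to notice a global hook DLL (SetWindowsHookEx loads its DLL into every process that receives the hooked messages) appearing where it was not before.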