RE: [GD-Windows] Hijacking application
From: Tom F. <to...@mu...> - 2003-08-19 18:40:28
It's because of Colin's rather strange little rant at the bottom of his email, after the dots (I've chopped it off the bottom of this email :-).

Tom Forsyth - Muckyfoot bloke and Microsoft MVP.

This email is the product of your deranged imagination,
and does not in any way imply existence of the author.

> -----Original Message-----
> From: Gareth Lewin [mailto:GL...@cl...]
> Sent: 19 August 2003 15:37
> To: gam...@li...
> Subject: RE: [GD-Windows] Hijacking application
>
> Uh, I got this reply
>
> MDaemon has indentified your message as spam. It will not be delivered.
>
> From : gam...@li...
> To : aku...@cr...
> Subject : [***SPAM*** Score/Req: 05.60/05.00] RE: [GD-Windows] Hijacking application
> Message-ID: <495...@mi...>
>
> Yes, hits=5.6 required=5.0
> tests=BAD_CREDIT,EXCUSE_1,HGH,HTML_00_10,HTML_MESSAGE,
> INTL_DRIVERS_LICENSE,KNOWN_MAILING_LIST,OPT_IN, QUOTED_EMAIL_TEXT
> version=2.54
> *****
> ---- Start SpamAssassin results
> 5.60 points, 5 required;
> * 2.9 -- BODY: International driving license
> * 1.2 -- BODY: Human Growth Hormone
> * 0.5 -- BODY: Talks about opting in (lowercase version)
> * 0.4 -- BODY: Eliminate Bad Credit
> * 0.7 -- BODY: Gives a lame excuse about why you were sent this spam
> * 0.1 -- BODY: HTML included in message
> * 1.2 -- BODY: Message is 0% to 10% HTML
> * -0.5 -- BODY: Contains what looks like a quoted email text
> * -0.9 -- Email came from some known mailing list software
> ---- End of SpamAssassin results
>
> : Message contains [1] file attachments
>
> Please, people, whitelist stuff from mailing lists. And wow, I'm 100% sure
> I'll never use MDaemon in my life!
>
> > -----Original Message-----
> > From: Gareth Lewin [mailto:GL...@cl...]
> > Sent: 19 August 2003 15:06
> > To: gam...@li...
> > Subject: RE: [GD-Windows] Hijacking application
> >
> > What you describe is basic subclassing in Windows. GWL_WNDPROC is the
> > value you use with GetWindowLong/SetWindowLong.
> >
> > There are two ways to get your stuff into the product without really
> > hacking the binary: that's either injecting your own DLL into the
> > address space or wrapping a DLL that is used. Injecting is the
> > 'preferred' way.
> >
> > > -----Original Message-----
> > > From: Colin Fahey [mailto:cp...@ea...]
> > > Sent: 19 August 2003 14:11
> > > To: gam...@li...
> > > Subject: Re: [GD-Windows] Hijacking application
> > >
> > > Doing GetWindowLong(...) with the handle acquired by FindWindow(...)
> > > can give you the address of the WndProc() for that window. I can't
> > > remember the details, but you can essentially do SetWindowLong(...)
> > > to replace the existing WndProc() function pointer with your own.
> > >
> > > Your WndProc() can essentially be a pass-through function that
> > > calls the previous WndProc() function with the same arguments;
> > > totally transparent.
> > >
> > > However, you can monitor, filter, record, process, augment, etc,
> > > the stream of messages. And there is a LOT you can do with plain
> > > messages! Forget about undocumented functions that you MIGHT
> > > discover using "dumpbin" on the EXE file; just interact with the
> > > application at the same level as the user.
> > >
> > > Of course you don't need to insert your own WndProc() between the
> > > OS and the real WndProc() if all you are doing is ADDING messages
> > > to the queue; you just do PostMessage() from any separate application
> > > to the target window handle.
> > >
> > > But by hooking your own WndProc() in to the application's message
> > > processing you can do cool things, like draw your own controls
> > > or annoying, animated "assistants" after all other painting of
> > > the client area is complete, or mess with keystrokes and mouse
> > > messages. Maybe add your own shortcuts to apps that cannot by
> > > default have new key bindings -- and you can even have a whole mess
> > > of key and mouse macros that activate when you bring up the load
> > > or save dialog boxes! (I was too cheap to buy the full Photoshop,
> > > but Photoshop LE apparently does not have any automation, so I
> > > have been tempted to fix this. For example, I hate having to
> > > always change the file extension from "JPG" to "jpg" when doing
> > > a "Save As...", and unchecking "[x] Save thumbnail" (Does that
> > > even have anything to do with JPG?) So, perhaps hooking in my
> > > own WndProc(), or having a separate app do PostMessage()s,
> > > would make my $99 investment go a little further!)
> > >
> > > I don't remember details, but this stuff is documented in MSDN,
> > > probably in relation to common control "subclassing" in the
> > > days before C++ and MFC!
> > >
> > > I guess your pass-through WndProc() would be free to do its
> > > own CreateWindow() calls to add child windows or controls to
> > > the application.
> > >
> > > Here's the weird part: It MIGHT be tricky to get your WndProc()
> > > in the address space of the target application at run-time,
> > > if that's how you're doing things. One non-runtime option is to
> > > append your WndProc() hijacking code to the tail of the application
> > > somehow (both your WndProc() and the function that does the stuff
> > > with GetWindowLong() and SetWindowLong() to perform the hijack),
> > > and then it is just a matter of arranging for your code to be
> > > called by the real WinMain(). Maybe it would be better to put
> > > the hijack code in a DLL and somehow get the app to implicitly
> > > load it, and in your DllInitialize() function (or DllEntry() or
> > > whatever function is called when the DLL first loads), start a
> > > thread that sleeps for a while, checks for the existence of
> > > the main app window, and either returns to sleep or does the
> > > hijack.
> > >
> > > There are probably much cleaner ways! For all I know, external
> > > apps can trivially hijack WndProc()s of other apps without
> > > doing anything special to get the "interceptor" or "new" WndProc()
> > > in to the target address space.
> > >
> > > --- Colin
> > >
> > > cp...@ea...
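A portable C model of the pass-through subclassing discussed in this thread, as an added example that is not part of the original e-mails: it swaps a handler pointer, forwards unhandled messages to the saved original, and shows the check an application can run to notice that its handler slot no longer holds the procedure it installed. It makes no Win32 calls; `Window`, `set_wndproc`, `dispatch`, `wndproc_intact` and the message ids are hypothetical stand-ins for the window, `SetWindowLong` with `GWL_WNDPROC`, message dispatch and the `CallWindowProc` forwarding step.

```c
#include <stdio.h>
/* Model only, no Win32 calls; every name here is a hypothetical stand-in. */
typedef struct Window Window;
typedef long (*WndProc)(Window *w, unsigned msg, long arg);
struct Window {
    WndProc proc;        /* live handler: the slot GWL_WNDPROC refers to */
    WndProc registered;  /* handler the application itself installed */
    int paints;          /* work done by the original handler */
};
enum { MSG_PAINT = 1, MSG_KEY = 2 };   /* constructed message ids */

/* The application's own window procedure. */
static long app_proc(Window *w, unsigned msg, long arg) {
    (void)arg;
    if (msg == MSG_PAINT) { w->paints++; return 0; }
    return -1;                           /* message not handled */
}

/* Swap the handler and hand back the old one, like SetWindowLong. */
static WndProc set_wndproc(Window *w, WndProc next) {
    WndProc prev = w->proc;
    w->proc = next;
    return prev;
}

static WndProc g_prev;  /* saved original, required for pass-through */
static int g_seen;      /* messages that went through the subclass */

/* Pass-through subclass: adds one shortcut, forwards everything else. */
static long sub_proc(Window *w, unsigned msg, long arg) {
    g_seen++;
    if (msg == MSG_KEY && arg == 'J') return 1;   /* new key binding */
    return g_prev(w, msg, arg);                   /* the CallWindowProc step */
}

static long dispatch(Window *w, unsigned msg, long arg) { return w->proc(w, msg, arg); }

/* Integrity check: is the live handler still the one the app installed? */
static int wndproc_intact(const Window *w) { return w->proc == w->registered; }

int main(void) {
    Window w = { app_proc, app_proc, 0 };
    g_prev = set_wndproc(&w, sub_proc);
    dispatch(&w, MSG_PAINT, 0);
    printf("intact=%d paints=%d seen=%d\n", wndproc_intact(&w), w.paints, g_seen);
    set_wndproc(&w, g_prev);             /* unhook by restoring the saved pointer */
    printf("intact=%d\n", wndproc_intact(&w));
    return 0;
}
```

The saved pointer returned by the swap is the only route back to the original procedure, which is why the model keeps it for both forwarding and unhooking.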