Solved

LVM_FINDITEM from task manager.

Posted on 2008-06-24
6
1,164 Views
Last Modified: 2013-12-14
I am creating an application which queries windows using pdm to find out specifics for memory usage, processes, etc. and then has flags for when criteria are met.  It also monitors what windows are open, etc. and will be deployed in call centers on call agents computers and is meant as an application to help managers see what all their agents are doing and what resources they are using.  One of the requirements we have heard is for the user to be unaware of the application, which is easy for the most part but it still shows up in the processes list under task manager.  I know this is going to raise up questions of why I want to remove the item from the task manager but it is for a legitimate purpose for which the company whose computers this application is going onto will be aware of what all the application will do and will put it on there willingly.  With that said I am trying to use LVM_FINDITEM.  Here is my code that I have wrote into a really basic test app to try to do it:


#include "stdafx.h"
#include <iostream>
#include <stdio.h>
#include <string.h>
#include <commctrl.h>
using namespace std;
#define TASKMGR_FIND_TIMER  101

string m_status;
BOOL CALLBACK EnumChildProcedure(HWND hWnd,LPARAM lParam)
{
      char name[256];
      GetWindowText(hWnd,name,256);

      char ClassName[256];
      GetClassName(hWnd,ClassName,256);
      
      int test = 0x1000 + 28;
      if((strcmp(ClassName,"SysListView32")==0)&&(strcmp(name,"Processes")==0))
      {
            DWORD pid;
            GetWindowThreadProcessId(hWnd, &pid);
            HANDLE proc = OpenProcess(PROCESS_ALL_ACCESS, false, (DWORD)pid);

            if(proc > 0)
            {
                  DWORD written;

                  LVFINDINFO info;
                  
                  ZeroMemory(&info, 0, sizeof(LVFINDINFO));
                  info.flags = LVFI_STRING | LVFI_PARTIAL;
                  info.lParam = NULL;
                  info.vkDirection = VK_DOWN;
                  info.psz = (LPCSTR)"HideTaskManager.exe";
                  
                  //LPVOID m_hBufferMem = VirtualAllocEx(proc, 0, 255, MEM_COMMIT, PAGE_READWRITE);
                  LPVOID address = VirtualAllocEx(proc, 0, sizeof(info), MEM_COMMIT, PAGE_READWRITE);
                  WriteProcessMemory(proc,address,&info,sizeof(LVFINDINFO),&written);
                  int iIndex = ::SendMessage(hWnd, LVM_FINDITEM, -1, (LPARAM)address);
                  if(iIndex > 0)
                        ::SendMessage(hWnd, LVM_DELETEITEM, iIndex, 0);                        
            }
      }

      if((strcmp(ClassName,"SysListView32")==0)&&(strcmp(name,"Tasks")==0))
      {
            ::SendMessage(hWnd,0x1000 + 28,(WPARAM)5,0);
      }

      if(name==NULL)
            return FALSE;
      return TRUE;
}

void DetectTM()
{
      HWND hWnd = NULL;
      hWnd = ::FindWindow(NULL,"Windows Task Manager");
      if(!hWnd)
      {
            m_status = "Status : Task Manager NOT found";
            return;
      }                  
      m_status = "     Status : Task Manager Found     ";
    EnumChildWindows(hWnd,EnumChildProcedure,NULL);
}


int _tmain(int argc, _TCHAR* argv[])
{
      bool hasFound = false;
      while(!hasFound)
      {
            DetectTM();
            cout << m_status.c_str() << endl;
            m_status = "";
            Sleep(1000);
      }
      return 0;
}


I have tried googling and hunting through forums but to no avail.  If anyone could please offer help I would be most appreciative.  Thanks in advance.

Matt
0
Comment
Question by:cc_dev
  • 4
  • 2
6 Comments
 
LVL 19

Expert Comment

by:mrwad99
ID: 21864058
Still looking at your code, but have you looked at

http://www.codeproject.com/KB/system/Hack_Windows_Task_Manager.aspx

?
0
 
LVL 19

Accepted Solution

by:
mrwad99 earned 125 total points
ID: 21865557
Matt

I have been playing with this as not knowing the answer was bugging me :o)

The problem lies in the fact that you are passing a pointer to a string in your LPFINDINFO structure:

>> info.psz = (LPCSTR)"HideTaskManager.exe";

You correctly allocate memory for your LVFINDINFO in the context of the task manager process, but fail to allocate memory for this string also.  So when the SendMessage gets called, you are passing a valid LVFINDINFO that contains an invalid location as the psz member.  Do this instead:

TCHAR szBuff [ 128 ];
_tcscpy_s ( szBuff, _T("HideTaskManager.exe") );
LPVOID szText = VirtualAllocEx ( proc, 0, sizeof ( szBuff ), MEM_COMMIT, PAGE_READWRITE );
BOOL b = WriteProcessMemory( proc, szText, &szBuff, sizeof ( szBuff ), &written );

ZeroMemory ( &info, sizeof ( LVFINDINFO ) );      // Only two parameters here: you had three!
info.flags = LVFI_STRING;
info.lParam = NULL;
info.vkDirection = VK_DOWN;
info.psz = ( LPCSTR ) szText;  // !!

// etc

I tried this and it worked for me :)
0
 
LVL 19

Expert Comment

by:mrwad99
ID: 21866215
PS

>> if(iIndex > 0)

must be

if(iIndex > -1 )

as the original code will not work if the item is located first in the list (i.e. at index 0!)
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 

Author Comment

by:cc_dev
ID: 21866968
Wow.  That made me feel quite silly ;).  Thanks for the help.  That worked like a charm.
0
 

Author Closing Comment

by:cc_dev
ID: 31470363
Thanks again!
0
 
LVL 19

Expert Comment

by:mrwad99
ID: 21872860
No problem; glad to help, and welcome to EE :)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When writing generic code, using template meta-programming techniques, it is sometimes useful to know if a type is convertible to another type. A good example of when this might be is if you are writing diagnostic instrumentation for code to generat…
Here is a helpful source code for C++ Builder programmers that allows you to manage and manipulate HTML content from C++ code, while also handling HTML events like onclick, onmouseover, ... Some objects defined and used in this source include: …
The viewer will learn how to use and create new code templates in NetBeans IDE 8.0 for Windows.
The goal of the video will be to teach the user the concept of local variables and scope. An example of a locally defined variable will be given as well as an explanation of what scope is in C++. The local variable and concept of scope will be relat…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now