Hooking / DLL injection

Last Modified: 2013-12-04
I have some applications at work that I bought.

They put information in the title bar, which we grab.  This is on XP.  There are two ways to do this.  One involves polling to see if the title bar of the app we monitor has changed.  Another involves hooking: we run a program before the apps start that grabs the changes to the title bar.  What is DLL injection?  Is it hooking?  To essentially become part of another app we don't have code to, do we have to have a program running?

I appreciate very much the time it takes to reply.

gsgi

CERTIFIED EXPERT
Author of the Year 2009
Commented:
evilrixSenior Software Engineer (Avast)
CERTIFIED EXPERT
Commented:
If the information is in the title bar, enumerating the top-level windows and grabbing the text from them is surely the sensible thing to do.

Installing a hook is another game. You need full admin privileges on a system and would need to take care not to open doors to malicious programs when doing so. Moreover, spying out data from users other than yourself without the users knowing that they are being spied on is at least questionable and may be forbidden by national laws.
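The polling approach the asker mentions and the top-level-window enumeration suggested above can be combined without any hook or DLL injection. The following PowerShell script is an added example, not code from this thread or from any of the participants: it P/Invokes EnumWindows, IsWindowVisible, GetWindowText and GetWindowThreadProcessId from user32.dll, takes a snapshot of every visible top-level window's title, and reports new windows and title changes between snapshots. The class name Win32Windows, the function names and the 500 ms default interval are all my own choices; the script needs PowerShell 2.0 or later for Add-Type.

```powershell
# Added example (not from the thread): poll top-level window titles with plain Win32 calls.
# No hook, no injected DLL: GetWindowText reads the cached title, so this runs with ordinary
# user privileges and only sees windows in the session it is started in.
Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class Win32Windows {            // hypothetical class name chosen for this example
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);

    [DllImport("user32.dll")]
    public static extern bool IsWindowVisible(IntPtr hWnd);

    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowTextLength(IntPtr hWnd);

    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder lpString, int nMaxCount);

    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
}
"@

function Get-TopLevelWindowTitles {
    # Returns a hashtable keyed by window handle; each value is @{ Pid = <uint32>; Title = <string> }.
    $handles = New-Object 'System.Collections.Generic.List[IntPtr]'

    # The callback is invoked once per top-level window; returning $true continues the enumeration.
    # GetNewClosure() binds $handles so the callback can add to it.
    $callback = [Win32Windows+EnumWindowsProc]({
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        $handles.Add($hWnd)
        return $true
    }.GetNewClosure())
    [void][Win32Windows]::EnumWindows($callback, [IntPtr]::Zero)

    $result = @{}
    foreach ($h in $handles) {
        if (-not [Win32Windows]::IsWindowVisible($h)) { continue }   # skip hidden/message-only windows
        $len = [Win32Windows]::GetWindowTextLength($h)
        if ($len -le 0) { continue }                                 # untitled windows carry nothing to capture
        $sb = New-Object System.Text.StringBuilder -ArgumentList ($len + 1)
        [void][Win32Windows]::GetWindowText($h, $sb, $sb.Capacity)
        [uint32]$procId = 0
        [void][Win32Windows]::GetWindowThreadProcessId($h, [ref]$procId)
        $result[$h] = @{ Pid = $procId; Title = $sb.ToString() }
    }
    return $result
}

function Watch-WindowTitles {
    # Polls every $IntervalMs and prints new windows and changed titles.
    # $Iterations = 0 means run until Ctrl+C.
    param([int]$IntervalMs = 500, [int]$Iterations = 0)

    $previous = Get-TopLevelWindowTitles
    $n = 0
    while ($Iterations -eq 0 -or $n -lt $Iterations) {
        Start-Sleep -Milliseconds $IntervalMs
        $current = Get-TopLevelWindowTitles
        foreach ($h in $current.Keys) {
            $now = $current[$h]
            if (-not $previous.ContainsKey($h)) {
                "{0:u} NEW   pid={1} hwnd=0x{2:X} '{3}'" -f (Get-Date), $now.Pid, $h.ToInt64(), $now.Title
            } elseif ($previous[$h].Title -ne $now.Title) {
                "{0:u} TITLE pid={1} hwnd=0x{2:X} '{3}' -> '{4}'" -f (Get-Date), $now.Pid, $h.ToInt64(), $previous[$h].Title, $now.Title
            }
        }
        $previous = $current
        $n++
    }
}

# Usage: watch for about 30 seconds at a one-second interval, then return.
Watch-WindowTitles -IntervalMs 1000 -Iterations 30
```

Because nothing is injected into the monitored applications, this runs per session with the user's own rights, which is the same scope a session hook would give you on the terminal server the asker describes; one copy of the script per user session covers that case. The trade-off is that a title change shorter than the polling interval can be missed, which is the case where a hook on WM_SETTEXT wins.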
jkr
CERTIFIED EXPERT
Top Expert 2012

Commented:
Well you won't need admin privileges for a Windows hook that runs in your current session (global to that session or not), see http://msdn.microsoft.com/en-us/library/ms997537.aspx ("Win32 Hooks"). This also injects a DLL into all running (GUI) applications. You'd basically check for 'WM_SETTEXT' being sent to the handle of the window that you're monitoring. The scoop would be to:
#include <windows.h>

static HHOOK g_hhk       = NULL;   /* handle returned by SetWindowsHookEx for this hook (set by the installer) */
static HWND  hWndToCheck = NULL;   /* the window whose title changes we want to see (set by the installer) */

/* WH_GETMESSAGE-style hook procedure: wParam is the removal flag, lParam points at the MSG.
   Note that WM_SETTEXT is normally sent (SetWindowText), not posted, so SendMessage traffic
   actually shows up in a WH_CALLWNDPROC hook (CWPSTRUCT); the WH_GETMESSAGE form is kept here
   as in the original posting. */
LRESULT CALLBACK HookProc(int    nCode,   // hook code
                          WPARAM wParam,  // removal flag (PM_REMOVE / PM_NOREMOVE)
                          LPARAM lParam)  // address of structure with message
{
    PMSG pmsg = (PMSG) lParam;

    /* nCode < 0 must be passed on untouched; PM_NOREMOVE means the message is only being peeked */
    if (0 > nCode || PM_NOREMOVE == wParam)
    {
        return CallNextHookEx(g_hhk, nCode, wParam, lParam);
    }

    if (WM_SETTEXT == pmsg->message && hWndToCheck == pmsg->hwnd)
    {
        /* this one is for us, so grab the new window title here: (LPCTSTR) pmsg->lParam */
    }

    return CallNextHookEx(g_hhk, nCode, wParam, lParam);
}


>>>> Well you won't need admin privileges for a Windows hook that runs in your current session
Is there no way to keep a trojan from installing a session hook?
jkr
CERTIFIED EXPERT
Top Expert 2012

Commented:
No, what happens in your session with your session's privileges is OK (from an OS point of view).
>>>> from an OS point of view
Windows is an OS?   ;-)

It is always striking to experience how many open doors a windows system has. Do you know a reason why this security hole wasn't fixed?

Author

Commented:
Here is the code my programmer has come up with and I appreciate any feedback, constructive critique etc.  BTW I am still not clear on when you would choose the hook over either of the CreateRemoteThread techniques mentioned.  I really appreciate your time and assistance and thought.  As stated above my goal is for each of my user sessions on a terminal server, to capture the text in the title bar of the apps that the user is using.

The code attached seems to be working.  It needs to be changed now from a DOS to a background process and tested more.  Also I am curious if there is an advantage to either CreateRemoteThread technique as presented in the link provided above by evilrix.

http://files.getdropbox.com/u/1461313/Development/HookingVersion.zip

thanks, gsgi

Author

Commented:
Whoops the link above was the build, here is the code:
http://files.getdropbox.com/u/1288178/TitleHook.zip

Thanks,
gsgi
CERTIFIED EXPERT
Top Expert 2012
Commented:

Author

Commented:
Thanks.