Solved

Hooking / DLL injection

Posted on 2009-07-07
661 Views
Last Modified: 2013-12-04
I have some applications at work that I bought.

They put information in the title bar, which we grab. This is on XP. There are two ways to do this. One involves polling to see if the title bar of the app we monitor has changed. Another involves hooking - we run a program before the apps start and grab the changes to the title bar. What is DLL injection? Is it hooking? To essentially become part of another app we don't have code to, do we have to have a program running?

I appreciate very much the time it takes to reply.

gsgi
0
Comment
Question by:gsgi
11 Comments
 
LVL 49

Assisted Solution

by:DanRollins
DanRollins earned 400 total points
ID: 24800562
"DLL Injection" is the act of writing and running a global Windows Hook.  Your hook DLL will be loaded into the address space of every program.  You can then use some tricks to access the data of that program.  But it is not for the faint-of-heart, and difficult to do for even seasoned C++ programmers.  
You can start your reading here:
   Hooks
   http://msdn.microsoft.com/en-us/library/ms632589(VS.85).aspx
0
 
LVL 40

Assisted Solution

by:evilrix
evilrix earned 400 total points
ID: 24801253
You might find this useful...

"Three Ways to Inject Your Code into Another Process"
http://www.codeproject.com/KB/threads/winspy.aspx
0
 
LVL 39

Expert Comment

by:itsmeandnobodyelse
ID: 24802454
If the information is in the title bar, enumerating the top-level windows and grabbing the text from them surely makes sense.

Installing a hook is another game. You need all admin privileges on a system and would need to take care not to open doors to malicious programs when doing so. Moreover, spying out data from users other than yourself without the users knowing that they are being spied on is at least questionable and may be forbidden by national laws.
0
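The hook-free route suggested in the comment above, as an added example that is not code from this thread or from the asker's project: poll the top-level windows, read their titles, and report only the ones that changed since the last poll. The portable core (diff_titles) is plain C; on Windows the snapshot comes from EnumWindows/GetWindowTextA, elsewhere a constructed sample of window ids and titles (not real handles) stands in so the change-detection logic can be exercised anywhere.

```c
/* Poll-based title monitor, added example (not from the thread).
 * Nothing is loaded into other processes; it runs with the caller's own
 * session privileges and only reads what the shell already shows. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_TRACKED 64
#define TITLE_MAX   256

typedef struct {
    uintptr_t id;             /* HWND as an integer; constructed values in the demo */
    char title[TITLE_MAX];
} WindowEntry;

typedef struct {
    WindowEntry entries[MAX_TRACKED];
    size_t count;
} TitleTable;

/* Merge a fresh snapshot into the table; return how many windows are new or
 * carry a changed title.  on_change (may be NULL) gets old and new entries,
 * old being NULL for a window seen for the first time. */
size_t diff_titles(TitleTable *table, const WindowEntry *snap, size_t n,
                   void (*on_change)(const WindowEntry *old, const WindowEntry *now))
{
    size_t changes = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < table->count && table->entries[j].id != snap[i].id)
            j++;
        if (j == table->count) {                       /* first sighting */
            if (table->count == MAX_TRACKED)
                continue;                              /* table full: skip it */
            table->entries[table->count++] = snap[i];
            if (on_change) on_change(NULL, &snap[i]);
            changes++;
        } else if (strcmp(table->entries[j].title, snap[i].title) != 0) {
            if (on_change) on_change(&table->entries[j], &snap[i]);
            table->entries[j] = snap[i];
            changes++;
        }
    }
    return changes;
}

static void report(const WindowEntry *old, const WindowEntry *now)
{
    if (old)
        printf("window %#llx: \"%s\" -> \"%s\"\n",
               (unsigned long long)now->id, old->title, now->title);
    else
        printf("window %#llx: new, \"%s\"\n", (unsigned long long)now->id, now->title);
}

#ifdef _WIN32
#include <windows.h>

typedef struct { WindowEntry *buf; size_t n, cap; } EnumCtx;

/* EnumWindows callback: record every visible top-level window that has a title. */
static BOOL CALLBACK collect(HWND hwnd, LPARAM lp)
{
    EnumCtx *ctx = (EnumCtx *)lp;
    if (ctx->n >= ctx->cap || !IsWindowVisible(hwnd))
        return TRUE;
    WindowEntry *e = &ctx->buf[ctx->n];
    if (GetWindowTextA(hwnd, e->title, TITLE_MAX) == 0)
        return TRUE;                                   /* untitled: ignore */
    e->id = (uintptr_t)hwnd;
    ctx->n++;
    return TRUE;
}

size_t snapshot_windows(WindowEntry *buf, size_t cap)
{
    EnumCtx ctx = { buf, 0, cap };
    EnumWindows(collect, (LPARAM)&ctx);
    return ctx.n;
}

int main(void)
{
    TitleTable table;
    WindowEntry snap[MAX_TRACKED];
    memset(&table, 0, sizeof table);
    for (;;) {                                         /* poll once a second */
        diff_titles(&table, snap, snapshot_windows(snap, MAX_TRACKED), report);
        Sleep(1000);
    }
}
#else
/* Constructed sample polls (not real window handles or titles). */
static const WindowEntry poll1[] = {
    { 0x10, "Inbox - Mail" }, { 0x20, "Order 1001 - Billing" } };
static const WindowEntry poll2[] = {
    { 0x10, "Inbox - Mail" }, { 0x20, "Order 1002 - Billing" }, { 0x30, "Report.pdf" } };

/* Changes seen on the second poll after the first one primed the table. */
size_t demo_second_poll(void)
{
    TitleTable table;
    memset(&table, 0, sizeof table);
    diff_titles(&table, poll1, 2, NULL);               /* 2 new windows, not reported */
    return diff_titles(&table, poll2, 3, report);      /* 1 retitled + 1 new = 2 */
}

int main(void) { return demo_second_poll() == 2 ? 0 : 1; }
#endif
```

The polling interval is the trade-off: a title that changes and changes back between two polls is missed, which is the gap the hook approaches in this thread close, at the price of a DLL living inside every GUI process of the session.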
 
LVL 86

Expert Comment

by:jkr
ID: 24803713
Well you won't need admin privileges for a Windows hook that runs in your current session (global to that session or not), see http://msdn.microsoft.com/en-us/library/ms997537.aspx ("Win32 Hooks"). This also injects a DLL into all running (GUI) applications. You'd basically check for 'WM_SETTEXT' being sent to the handle of the window that you're monitoring. The scoop would be:
#include <windows.h>

HHOOK g_hhk       = NULL;   // handle returned by SetWindowsHookEx()
HWND  hWndToCheck = NULL;   // the window whose title we are monitoring

// Note: the MSG* / PM_NOREMOVE shape below is the WH_GETMESSAGE callback,
// which only sees posted messages. WM_SETTEXT is normally *sent*
// (SetWindowText calls SendMessage); sent messages reach a WH_CALLWNDPROC
// hook instead, whose lParam is a CWPSTRUCT rather than a MSG.
LRESULT CALLBACK HookProc(int    nCode,   // hook code
                          WPARAM wParam,  // removal flag (PM_REMOVE / PM_NOREMOVE)
                          LPARAM lParam)  // address of the MSG structure
{
    PMSG pmsg = (PMSG)lParam;

    // Negative codes must be passed on untouched; PM_NOREMOVE means the
    // message is only being peeked and will come by again.
    if (0 > nCode || PM_NOREMOVE == wParam)
    {
        return CallNextHookEx(g_hhk, nCode, wParam, lParam);
    }

    if (WM_SETTEXT == pmsg->message && hWndToCheck == pmsg->hwnd)
    {
        /* this one is for us, so grab the new window title here:
           for WM_SETTEXT the new text is at (LPCTSTR)pmsg->lParam */
    }

    return CallNextHookEx(g_hhk, nCode, wParam, lParam);
}

0
 
LVL 39

Expert Comment

by:itsmeandnobodyelse
ID: 24804479
>>>> Well yu won't need admin privileges for a Windows hook that runs in your current session
Is there no way to keep a trojan from installing a session hook?
0
 
LVL 86

Expert Comment

by:jkr
ID: 24804733
No, what happens in your session with your session's privileges is OK (from an OS point of view).
0
 
LVL 39

Expert Comment

by:itsmeandnobodyelse
ID: 24805030
>>>> from an OS point of view
Windows is an OS?   ;-)

It is always striking to experience how many open doors a Windows system has. Do you know a reason why this security hole wasn't fixed?

0
 
LVL 13

Author Comment

by:gsgi
ID: 24846359
Here is the code my programmer has come up with and I appreciate any feedback, constructive critique etc. BTW I am still not clear on when you would choose the hook over either of the CreateRemoteThread techniques mentioned. I really appreciate your time and assistance and thought. As stated above, my goal is, for each of my user sessions on a terminal server, to capture the text in the title bar of the apps that the user is using.

The code attached seems to be working. It needs to be changed now from a DOS program to a background process and tested more. Also I am curious if there is an advantage to either CreateRemoteThread technique as presented in the link provided above by evilrix.

http://files.getdropbox.com/u/1461313/Development/HookingVersion.zip

thanks, gsgi
0
 
LVL 13

Author Comment

by:gsgi
ID: 24851037
Whoops the link above was the build, here is the code:
http://files.getdropbox.com/u/1288178/TitleHook.zip

Thanks,
gsgi
0
 
LVL 86

Accepted Solution

by:jkr
jkr earned 1200 total points
ID: 24851528
>>I am still not clear on when you would choose the hook over either of the
>>CreateRemoteThread techniques

Because it is way easier, more documented and more stable. Windows hooks are services provided by the system, whereas creating a remote thread leaves everything to you. And even worse, you still have to patch entry points in the remote process to get notified about a title change without having to poll.
0
 
LVL 13

Author Closing Comment

by:gsgi
ID: 31600900
Thanks.
0
