My Dll Injector Code Does Not Work-, listing processes and injecting .dll- Help! - C / C++ / MFC Discussion Boards

I want to capture client area of a window.

I am using vc++ and vs2005.

Be prepared for long stakeout. The client areas only come out at certain hours during the night and tend to be sensitive to noise and light. It takes a lot of skill to capture them.

Nice joke, I am able to capture a window and also able to solve this image into a file but the problem is i can't print only the client area.

I have also use the flag PW_CLIENTAREA.

Please help to solve this

I assume you wanted to do this in MFC...

bool CaptureWindow(CWnd* pWnd, CBitmap* pBitmap)
{
    CRect rc;
    pWnd->GetClientRect( rc );
    CClientDC dc(pWnd);
    if ( pBitmap->CreateCompatibleBitmap(&dc, rc.Width(), rc.Height()))
    {
       CDC memdc;
       memdc.CreateCompatibleDC( &dc );
       CBitmap* pOldBitmap = (CBitmap*) memdc.SelectObject( pBitmap );
       memdc.BitBlt(0, 0, rc.Width(), rc.Height(), &dc, 0, 0, SRCCOPY);
       memdc.SelectObject( pOldBitmap );
       memdc.DeleteDC();
       return true;
    }
    return false;
}

God bless,
Ernest Laurentin

is it possible to do this using printwindow?

I want to capture client area of a transparent layered window

I've never used that API (PrintWindow) (or WM_PRINTCLIENT message) but I would believe that should do the trick. Not sure about the layered window though.

God bless,
Ernest Laurentin

this is a console app. what it is supposed to do is list the info for notepad.exe and then inject the .dll into the notepad.exe executable space.

it seems to list the program info correctly, but the injection does not work. (verified with ollydbg, the .dll isn't present)

anyone can help would be appreciated.

best,
Mike

here's the main code:

// List Processes and Modules.cpp : Defines the entry point for the console application.<br />
//<br />
<br />
#include "stdafx.h"<br />
<br />
// test.cpp : Defines the entry point for the console application.<br />
//<br />
<br />
#include <windows.h><br />
#include <tlhelp32.h><br />
#include <tchar.h><br />
#include <stdio.h><br />
#include <string><br />
 <br />
#define MAXWAIT 10000<br />
<br />
//  Forward declarations:<br />
BOOL GetProcessList( );<br />
BOOL ListProcessModules( DWORD dwPID );<br />
BOOL ListProcessThreads( DWORD dwOwnerPID );<br />
void printError( TCHAR* msg );<br />
bool insertDll(DWORD procID, std::string dll);<br />
<br />
<br />
<br />
void main( )<br />
{<br />
  GetProcessList( );<br />
<br />
<br />
}<br />
<br />
BOOL GetProcessList( )<br />
{<br />
  HANDLE hProcessSnap;<br />
  HANDLE hProcess;<br />
  PROCESSENTRY32 pe32;<br />
  DWORD dwPriorityClass;<br />
  CHAR filename[260] = "notepad.exe";<br />
<br />
<br />
  // Take a snapshot of all processes in the system.<br />
  hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );<br />
  if( hProcessSnap == INVALID_HANDLE_VALUE )<br />
  {<br />
    printError( TEXT("CreateToolhelp32Snapshot (of processes)") );<br />
    return( FALSE );<br />
  }<br />
<br />
  // Set the size of the structure before using it.<br />
  pe32.dwSize = sizeof( PROCESSENTRY32 );<br />
<br />
  // Retrieve information about the first process,<br />
  // and exit if unsuccessful<br />
  if( !Process32First( hProcessSnap, &pe32 ) )<br />
  {<br />
    printError( TEXT("Process32First") ); // show cause of failure<br />
    CloseHandle( hProcessSnap );          // clean the snapshot object<br />
    return( FALSE );<br />
  }<br />
<br />
  // Now walk the snapshot of processes, and<br />
  // display information about each process in turn<br />
  do<br />
  {<br />
<br />
	  if (!strcmp(pe32.szExeFile,filename))<br />
	  {<br />
<br />
<br />
    printf( "\n\n=====================================================" );<br />
    _tprintf( TEXT("\nPROCESS NAME:  %s"), filename);//pe32.szExeFile );<br />
    printf( "\n-----------------------------------------------------" );<br />
<br />
    // Retrieve the priority class.<br />
    dwPriorityClass = 0;<br />
    hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID );<br />
    if( hProcess == NULL )<br />
      printError( TEXT("OpenProcess") );<br />
    else<br />
    {<br />
      dwPriorityClass = GetPriorityClass( hProcess );<br />
      if( !dwPriorityClass )<br />
        printError( TEXT("GetPriorityClass") );<br />
      CloseHandle( hProcess );<br />
    }<br />
<br />
    printf( "\n  Process ID        = 0x%08X", pe32.th32ProcessID );<br />
    printf( "\n  Thread count      = %d",   pe32.cntThreads );<br />
    printf( "\n  Parent process ID = 0x%08X", pe32.th32ParentProcessID );<br />
    printf( "\n  Priority base     = %d", pe32.pcPriClassBase );<br />
    if( dwPriorityClass )<br />
      printf( "\n  Priority class    = %d", dwPriorityClass );<br />
<br />
    // List the modules and threads associated with this process<br />
<br />
	insertDll(pe32.th32ParentProcessID, "C:\Caliber.dll"); // this is where we try to inject<br />
<br />
    ListProcessModules( pe32.th32ProcessID );<br />
    ListProcessThreads( pe32.th32ProcessID );<br />
<br />
	  }<br />
<br />
  } while( Process32Next( hProcessSnap, &pe32 ) );<br />
<br />
  CloseHandle( hProcessSnap );<br />
  return( TRUE );<br />
}<br />
<br />
<br />
BOOL ListProcessModules( DWORD dwPID )<br />
{<br />
  HANDLE hModuleSnap = INVALID_HANDLE_VALUE;<br />
  MODULEENTRY32 me32;<br />
<br />
  // Take a snapshot of all modules in the specified process.<br />
  hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID );<br />
  if( hModuleSnap == INVALID_HANDLE_VALUE )<br />
  {<br />
    printError( TEXT("CreateToolhelp32Snapshot (of modules)") );<br />
    return( FALSE );<br />
  }<br />
<br />
  // Set the size of the structure before using it.<br />
  me32.dwSize = sizeof( MODULEENTRY32 );<br />
<br />
  // Retrieve information about the first module,<br />
  // and exit if unsuccessful<br />
  if( !Module32First( hModuleSnap, &me32 ) )<br />
  {<br />
    printError( TEXT("Module32First") );  // show cause of failure<br />
    CloseHandle( hModuleSnap );           // clean the snapshot object<br />
    return( FALSE );<br />
  }<br />
<br />
  // Now walk the module list of the process,<br />
  // and display information about each module<br />
  do<br />
  {<br />
    _tprintf( TEXT("\n\n     MODULE NAME:     %s"),   me32.szModule );<br />
    _tprintf( TEXT("\n     Executable     = %s"),     me32.szExePath );<br />
    printf( "\n     Process ID     = 0x%08X",         me32.th32ProcessID );<br />
    printf( "\n     Ref count (g)  = 0x%04X",     me32.GlblcntUsage );<br />
    printf( "\n     Ref count (p)  = 0x%04X",     me32.ProccntUsage );<br />
    printf( "\n     Base address   = 0x%08X", (DWORD) me32.modBaseAddr );<br />
    printf( "\n     Base size      = %d",             me32.modBaseSize );<br />
<br />
  } while( Module32Next( hModuleSnap, &me32 ) );<br />
<br />
  CloseHandle( hModuleSnap );<br />
  return( TRUE );<br />
}<br />
<br />
BOOL ListProcessThreads( DWORD dwOwnerPID ) <br />
{ <br />
  HANDLE hThreadSnap = INVALID_HANDLE_VALUE; <br />
  THREADENTRY32 te32; <br />
 <br />
  // Take a snapshot of all running threads  <br />
  hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 ); <br />
  if( hThreadSnap == INVALID_HANDLE_VALUE ) <br />
    return( FALSE ); <br />
 <br />
  // Fill in the size of the structure before using it. <br />
  te32.dwSize = sizeof(THREADENTRY32 ); <br />
 <br />
  // Retrieve information about the first thread,<br />
  // and exit if unsuccessful<br />
  if( !Thread32First( hThreadSnap, &te32 ) ) <br />
  {<br />
    printError( TEXT("Thread32First") ); // show cause of failure<br />
    CloseHandle( hThreadSnap );          // clean the snapshot object<br />
    return( FALSE );<br />
  }<br />
<br />
  // Now walk the thread list of the system,<br />
  // and display information about each thread<br />
  // associated with the specified process<br />
  do <br />
  { <br />
    if( te32.th32OwnerProcessID == dwOwnerPID )<br />
    {<br />
      printf( "\n\n     THREAD ID      = 0x%08X", te32.th32ThreadID ); <br />
      printf( "\n     Base priority  = %d", te32.tpBasePri ); <br />
      printf( "\n     Delta priority = %d", te32.tpDeltaPri ); <br />
    }<br />
  } while( Thread32Next(hThreadSnap, &te32 ) ); <br />
<br />
  CloseHandle( hThreadSnap );<br />
  return( TRUE );<br />
}<br />
<br />
void printError( TCHAR* msg )<br />
{<br />
  DWORD eNum;<br />
  TCHAR sysMsg[256];<br />
  TCHAR* p;<br />
<br />
  eNum = GetLastError( );<br />
  FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,<br />
         NULL, eNum,<br />
         MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language<br />
         sysMsg, 256, NULL );<br />
<br />
  // Trim the end of the line and terminate it with a null<br />
  p = sysMsg;<br />
  while( ( *p > 31 ) || ( *p == 9 ) )<br />
    ++p;<br />
  do { *p-- = 0; } while( ( p >= sysMsg ) &&<br />
                          ( ( *p == '.' ) || ( *p < 33 ) ) );<br />
<br />
  // Display the message<br />
  _tprintf( TEXT("\n  WARNING: %s failed with error %d (%s)"), msg, eNum, sysMsg );<br />
}<br />
<br />
<br />
<br />
 <br />
bool insertDll(DWORD procID, std::string dll)<br />
{<br />
    //Find the address of the LoadLibrary api, luckily for us, it is loaded in the same address for every process<br />
    HMODULE hLocKernel32 = GetModuleHandle("Kernel32");<br />
    FARPROC hLocLoadLibrary = GetProcAddress(hLocKernel32, "LoadLibraryA");<br />
    <br />
 <br />
    //Open the process with all access<br />
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);<br />
 <br />
    //Allocate memory to hold the path to the Dll File in the process's memory<br />
    dll += '\0';<br />
    LPVOID hRemoteMem = VirtualAllocEx(hProc, NULL, dll.size(), MEM_COMMIT, PAGE_READWRITE);<br />
 <br />
    //Write the path to the Dll File in the location just created<br />
    DWORD numBytesWritten;<br />
    WriteProcessMemory(hProc, hRemoteMem, dll.c_str(), dll.size(), &numBytesWritten);<br />
 <br />
    //Create a remote thread that starts begins at the LoadLibrary function and is passed are memory pointer<br />
    HANDLE hRemoteThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)hLocLoadLibrary, hRemoteMem, 0, NULL);<br />
<br />
	ResumeThread(hRemoteThread);<br />
 <br />
    //cout << hRemoteThread << endl;<br />
 <br />
    //Wait for the thread to finish<br />
    bool res = false;<br />
    if (hRemoteThread)<br />
        res = (bool)WaitForSingleObject(hRemoteThread, MAXWAIT) != WAIT_TIMEOUT;<br />
 <br />
    //Free the memory created on the other process<br />
    VirtualFreeEx(hProc, hRemoteMem, dll.size(), MEM_RELEASE);<br />
<br />
 <br />
    //Release the handle to the other process<br />
    CloseHandle(hProc);<br />
 <br />
    return res;<br />
}

i included the project file for visual studio 2008 c++ in the linked Projects.rar and also the Caliber.dll that gets injected. (this .dll doesn't do anything at all, it's just for testing the injection.)

www.steveandmike.com/backup/Projects.rar

You must have notepad.exe running to see anything. probably best to build the application and then run the build in a console window.

thanks for any help!

best,
Mike

Format your code so it's readable.

Steve

what do you mean format so it is readable? i don't understand-

also i posted the actual project file for download-

at any rate, not sure what you mean.

can you give me an example of what isn't readable in the code i posted?

thanks for replying-

best,
Mike

There is no indentation.

Steve

ok. i have never posted here before. i simply copied the text from the actual IDE and then pasted here and then pressed the code formatting button below. what could i have done differently?

also, what does that matter? it is formatted and indented very nicely with color coding and etc. in the project file which is downloadable from the link included.

i really could use some help here. hopefully arguing over indentation isn't the norm here? i apologize for posting inappropriately but i have no idea how to get it like you want it. could you at least look at the code itself or perhaps load the project file and see what i am talking about? i would appreciate it-

best,
Mike

Mike Yurgalavage wrote:
also, what does that matter? it is formatted and indented very nicely with color coding and etc. in the project file which is downloadable from the link included.

I'll answer a question if it's easy for me to do so; normally I would not go to the trouble of downloading a project file.

Steve

Try something like this:

EXE:

// InjectDLL.cpp : Defines the entry point for the console application.
//
 
#include "stdafx.h"
using namespace std;
 
#ifdef __cplusplus
extern "C"
{
#endif
 
void __stdcall SetHook();
 
#ifdef __cplusplus
}
#endif

int main(int argc, char* argv[])
{
	SetHook();
 
	return 0;
}

DLL:

// InjectMe.cpp : Defines the entry point for the DLL application.
//
 
#include "stdafx.h"
#include <tchar.h>
 
HMODULE g_hMod = NULL;
 
#pragma comment(linker, "/SECTION:.shared,RWS")
#pragma data_seg(".shared")
HHOOK g_hHook = NULL;
#pragma data_seg()
 
LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
	LRESULT res = CallNextHookEx(NULL, code, wParam, lParam);
 
	static bool bDone = false;
	if (bDone && res==HC_ACTION)
	{
		bDone = true;
 
		UnhookWindowsHookEx(g_hHook);
 
		::MessageBox(NULL, _T("Hello"), _T("Hello"), MB_OK);
	}
 
	return res;
}
 
#ifdef __cplusplus
extern "C"
{
#endif
 
void __stdcall SetHook()
{
	// Find Notepad's window.
	HWND hwnd = FindWindow(_T("Notepad"), NULL);
	if (hwnd == NULL)
	{
		return;
	}
 
	// Get the main thread's ID.
	DWORD ThreadId = GetWindowThreadProcessId(hwnd, NULL);
 
	// Hook it.
	HHOOK g_hHook = SetWindowsHookEx(
				WH_GETMESSAGE,					// int idHook
				reinterpret_cast<HOOKPROC>(&GetMsgProc),	// HOOKPROC lpfn
				g_hMod,						// HINSTANCE hMod
				ThreadId					// DWORD dwThreadId
				);
	if (g_hHook == NULL)
	{
		return;
	}


	// Post a "do nothing" message to Notepad so our hook is called.
	PostMessage(hwnd, WM_NULL, 0, 0);
}
 
#ifdef __cplusplus
}
#endif
 
BOOL APIENTRY DllMain( HANDLE hModule, 
                       DWORD  ul_reason_for_call, 
                       LPVOID lpReserved
					 )
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		g_hMod = reinterpret_cast<HMODULE>(hModule);
		DisableThreadLibraryCalls(g_hMod);
		break;
	}

    return TRUE;
}

Steve

modified on Tuesday, March 11, 2008 12:14 AM

thanks for taking the time to respond to my .dll injection questions. i have all of this working in my purebasic programs (they only compile to 32bit), but unfortunately to make the move to 64 bit i have to move on to c++. it's like starting over. i am just trying to get this to work in 32 bit environment using c++ code first, which i am failing at already!

sadly, i have to make alot changes and of course begin the learning process all over again. i am a novice at c++ and these types of topics (dll injection, etc.) are a little more advanced than the hello world apps.

at any rate, the .dll i have in the project file is the file that needs to be injected. it is more of a place holder and not a hook. unfortunately i need to be able to inject that particular file into the space of notepad.exe .

i wish i could tell why my code does not do this. i followed the same steps that i did with purebasic (the same API calls). it just won't inject-

any further help is appreciated and if none, then a sincere thanks for all you did!

best,
Mike

ok i figured out the problem with my code.

you cannot inject into a process that runs from the system32 directory of windows using this code.

if i move the notepad.exe to the c: drive and run it from there, then it will inject fine with no problems-

crazy how it is the simple things.

thanks again for reading and posting to all those who helped-

best,
Mike

create a docking toolbar which is not in any window,frame or dialog box and each button of toolbar opens a menu list.

If it's not in any window, frame or dialog, whoere and how can it dock ?

ok, but what is the question ? what are you wanting us to do for you?

Maximilien Lincourt
Your Head A Splode - Strong Bad

hi everyone,
good evening to all.i am having one problem with lables.iwant to change the font size of the lable how can i do it.i want to do it for indidual lables.please help me out.

THANKU,
savitri Blush | :O

See the Extras section of this article. It shows how to change the font of a static control.

"Normal is getting dressed in clothes that you buy for work and driving through traffic in a car that you are still paying for, in order to get to the job you need to pay for the clothes and the car and the house you leave vacant all day so you can afford to live in it." - Ellen Goodman

"To have a respect for ourselves guides our morals; to have deference for others governs our manners." - Laurence Sterne

Hi all,

Actually i am making a dialog box application in that dialog box i have made a static text box, now what i want is i'll provide value for this static box at run time. Length of text may vary. so how could i can make a variable text box.

Can anybody help me in this...

Thanks in advance

movewindow api could help, you have to check the size of font and do the reszing of control your self!

"Opinions are neither right nor wrong. I cannot change your opinion. I can, however, change what influences your opinion." - David Crow
Never mind - my own stupidity is the source of every "problem" - Mixture

cheers,
Alok Gupta
VC Forum Q&A :- I/IV
Support CRY- Child Relief and You/codeProject$$>

Make it large enough so that it can contain the largest text. That's the easiest solution and you won't see the difference.

Cédric Moonen
Software developer

Charting control [v1.3 - Updated]

In MFC, you can make a so called control-variable. It is of the type of the control class (CStatic in your case) and you can call all functions of CStatic on it.
For example MoveWindows to fit to the text size.

But this, in turn, might need to affect the layout of the other controls in the dialog.
Here you might need to use a framework like resizableLib[^].

Let's think the unthinkable, let's do the undoable, let's prepare to grapple with the ineffable itself, and see if we may not eff it after all.
Douglas Adams, "Dirk Gently's Holistic Detective Agency"

I think if you used of editbox was better.