.dll question

I am trying to inject my .dll into another process... So I found out that you can just hook the dll and it will map into the other process memory space. Easy enough... but my .dll has no exports to CALLBACK to. Thus I tried to add in Megatron's code about how he hooked the notepad edit area:

http://vbforums.com/showthread.php?t...highlight=hook

it gives me an error saying:

error C2059: syntax error : 'string'

It points to the opening line of the code:

extern "C" __declspec(dllexport) LRESULT CALLBACK GetMsgProc(INT nCode,
WPARAM wParam,LPARAM lParam)


I see no strings and I even tried adding string.h...no dice. anyone?

:ehh:

I think someone needs to make a zip with sample projects in VB including the c++ dll source, of hooking another application and responding to messages. It seems all the questions in this forum lately have been directed towards this.

http://vbforums.com/showthread.php?t=322261

with source by great moeur :)

his project uses an active x control that handles the hooking i do believe.

avoids alot of the trouble which people have with this...but they will learn nothing from it then. :ehh:

Quote:

---

his project uses an active x control that handles the hooking i do believe. avoids alot of the trouble which people have with this...but they will learn nothing from it then.

---

But the source is included, so learn away! :)

This however is not the solution to Lyric's problem.
The only reason the hooking programs inject themselves is that the external App has to call the GetMsgProc of your dll when a message arrives.

This won't work for you since you're not relying on message arrival. Take a look at the DebugInjector class in the APISPYLD example.

Here the code is injected on Debug assertions which can be forced.

...

...

I don't have an export in my .dll as I explained. However I can use just some really simple .dll to hook and get it in the process's memory. I then just use a LoadLibrary call from that simple .dll and it should load the real .dll into the same address space. Here is the problem. When you do call loadlibrary the .dll is mapped into the address space. However it isn't actually put in there until something is used from the .dll and it has to be moved in. Thus, I have to create some type of function call pointer to the .dll. I am here so far: (This is the code in the simple .dll that is already in the process address space and now is making a fake function call just to get the .dll loaded)

BOOL (*funcPtr) (int);
BOOL fakeReturn;
HINSTANCE theDll;
FARPROC fakeHandle;

theDll = LoadLibrary("D:\myDLL.dll");
fakeHandle = GetProcAddress(theDll, "DummyFunction");
funcPtr = fakeHandle; //here is the problem
fakeReturn = funcPtr(8);


error C2064: term does not evaluate to a function
Error executing cl.exe.

or

cannot convert from 'int' to 'int (__cdecl *)(int)'
Conversion from integral type to pointer type requires reinterpret_cast, C-style cast or function-style cast

The function I am pointing to called DummyFunction takes on one int parameter and returns a BOOL.

Quote:

---

Originally Posted by moeur

But the source is included, so learn away! :)

This however is not the solution to Lyric's problem.
The only reason the hooking programs inject themselves is that the external App has to call the GetMsgProc of your dll when a message arrives.

This won't work for you since you're not relying on message arrival. Take a look at the DebugInjector class in the APISPYLD example.

Here the code is injected on Debug assertions which can be forced.

...

...

---

I want to attach to the process and not be forced to load it through a loader program. I am not sure if that is what this is doing for sure...but I know that APISPYLD makes you load the .exe and not just attach to it. However I will look through it and see if maybe I can draw something from it.

OK, I see what you're doing.

Why do you need two dll's?
Can't you put everything into the "simple" dll to avoid the LoadLibrary?

Also, did you try the C++ forum?

..

Maybe I am a complete idiot now... in order to use a function from a .dll it must be in the export section of the .dll. Thus in order to call this fake function...it must be labeled as an export. is this correct?

Maybe you could list the general steps of what you are doing.

Including:
how do you plan to inject
How do you plan to interact with dll
etc..

I tried combining them and I got nothing but errors. Of course I am sure it is because I didn't have the proper layout for combining them. Maybe you can tell me the proper way to combine:

The normal APISPY32.dll project and this: ( I got the function pointer to compile, but it crashes when the .dll is loaded. I assume it never finds the correct pointer, because the function it is looking for is not an export, and when it makes a call to the function it just crashes. Thus I removed it from this code as this is a different method anyway)

#include "stdafx.h"
#include <windows.h>
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved )
{
return TRUE;
}
HHOOK hHook;
extern "C" __declspec(dllexport) LRESULT CALLBACK GetMsgProc(INT nCode,
WPARAM wParam, LPARAM lParam)
{
return CallNextHookEx( hHook, nCode, wParam, lParam );
}

I plan to inject with a simple vb app: (working)

Private Sub Form_Load()

'Receives the address of the GetMsgProc function, which will be imported
Dim lpfn As Long

'Loads our DLL into memory. Change the path to the path of your DLL
hModule = LoadLibrary("D:\Documents and Settings\Administrator\Desktop\base.dll")

If hModule <> 0 Then
'Retrieve the address of the GetMsgProc function in our DLL
lpfn = GetProcAddress(hModule, "_GetMsgProc@12")
'Install the WH_GETMESSAGE hook
If lpfn <> 0 Then hHook = SetWindowsHookEx(WH_GETMESSAGE, lpfn, hModule, 0)
Else
MsgBox "Cannot load module"
End If

End Sub


Then the .dll I load is in the memory space and I hope that once inside it will start reading the API's as normal. Which I assume it will do as it worked before. The .dll I load is still up for grabs as nothing has worked yet. I have read an article on code project ( http://www.codeproject.com/threads/winspy.asp ) and they use 2 .dlls as I was earlier. I dont really care how it works to be honest. The system performance does not seem to be to far reduced with the hook staying there anyway.

Here is the error I get when I try to combine them


error C2059: syntax error : 'string'

and it points to this:

extern "C" __declspec(dllexport) LRESULT CALLBACK GetMsgProc(INT nCode,
WPARAM wParam, LPARAM lParam)


I don't even have string class added or anything.

Quote:

---

Originally Posted by moeur

Maybe you could list the general steps of what you are doing.

Including:
how do you plan to inject
How do you plan to interact with dll
etc..

---

missed the interact question earlier...
I plan to interact with the .dll with the WM_Copydata function. I believe that is what you said is best.

I'm still unclear as to where and when you're trying to do things
1. hook External App - why do you need a hook?
2. load 2nd dll - why not combine the two dlls into one?

You can't just load the APISPY32.dll into the memory space of the external app and expect it to work if that is what you're planning. You have to go through all the steps in APISPYDL.exe.

Quote:

---

Originally Posted by moeur

I'm still unclear as to where and when you're trying to do things
1. hook External App - why do you need a hook?
2. load 2nd dll - why not combine the two dlls into one?

You can't just load the APISPY32.dll into the memory space of the external app and expect it to work if that is what you're planning. You have to go through all the steps in APISPYDL.exe.

---

1. you have to use hooks to load into a different process addresss space unless you execute the program yourself (which I want to attach and not execute so hooks are the way to go)

2. i tried that, my error is shown a few posts up

Also, I think that it is possible that apispy32.dll can run independent of the loader. you could be completely correct, but here me out. all the loader does is put the dll into the address space. it doesnt even access the functions in the .dll. I put a messagebox for when it gets a hook on a DrawText and it displays the text in the messagebox. Currently I have a system wide hook and when I execute the program it hooks itself also. When I close the app it displays a few messageboxes that I assume meet the specifications for being a DrawText API call and having 0xFFFFFFFF as the third parameter (meaning it is drawn to a picture and not a text box). Even if it isn't messaging correctly, just the fact that I know it gets to that part of the code means that it is doing some API hooking and is executing the APISPY32.dll.

Quote:

---

you have to use hooks to load into a different process addresss space unless you execute the program yourself

---

Not true. You might be able to replace the CreateProcess call in APISPYLD with a call to DebugActiveProcess.

The APISPYLD.exe is mainly responsible for doing the injection. Injection is more than just loading the dll into the address space of the external process. The routine that does the injection is CDebugInjector::PlaceInjectionStub
You've got to do these steps to do the injection yourself
1. Locate where the stub will be in the target process
2. Copy the stub into the target process
3. Change the EIP register in the target thread to point at the stub we just copied in.

...

Quote:

---

Originally Posted by ice_531

his project uses an active x control that handles the hooking i do believe.

avoids alot of the trouble which people have with this...but they will learn nothing from it then. :ehh:

---

i believe the source to active x control is included too so you do learn...alot :p

I may have a solution for you.
Let's avoid trying to load a seperate library from within another dll.
Try to add some new routines to SPYAPI32.dll

First create a .def file and include in your project

Code:

---

//APISPY32.def
LIBRARY APISPY32.dll
EXPORTS
        InstallFilterDLL        @1
        UnInstallFilterDLL        @2

---

Then declare some things

Code:

---

HHOOK        hmsgHooks = 0;                // Hook handle for WH_GETMESSAGE

---

Add a routine to set the hook

Code:

---

__declspec(dllexport) int _stdcall InstallFilterDLL(DWORD dwThreadId)
{
  if (hmsgHooks==0)
        hmsgHooks = SetWindowsHookEx(WH_GETMESSAGE,(HOOKPROC) GetMsgProc, (HINSTANCE) HInstance, dwThreadId);
  if (hmsgHooks==0) return GetLastError();
  return 0;
}

---

A routine to Remove the hook

Code:

---

__declspec(dllexport) int UnInstallFilterDLL(void)
{
  LRESULT result;
  if (hmsgHooks != 0){
  result = UnhookWindowsHookEx(hmsgHooks);
  if (result == 0) return GetLastError();
  hmsgHooks = 0;
  }
  return 0;
}

---

And a dummy routine to trap messages

Code:

---

LRESULT CALLBACK GetMsgProc(int nCode, WPARAM wParam, LPARAM lParam)
{
  return(CallNextHookEx(hmsgHooks, nCode, wParam, lParam));
}

---

Now to set the hook and inject the code, call from VB

VB Code:

Private Declare Function InstallFilterDLL Lib "C:\bin\APISPY32.dll" ( _
    ByVal dwThreadID As Long _
) As Long
 
 Private Declare Function UnInstallFilterDLL Lib "C:\bin\APISPY32.dll" () As Long
 
'To set The Hook
  If InstallFilterDLL(ThreadID) Then
    MsgBox "Cannot Install Hook"
  End If
 
'To Remove the hook
  UnInstallFilterDLL

Want to give it a try?

I think there is a little problem with my above method.
The apispy initialization takes place in the process_Attach section of dllMain. This means that it will happen both for the external app as well as the VB app.

We need to move those calls to the message handling section and perform them upon receipt of a user defined message that we will send from VB. I'll try that when I get a chance.

OK, I've got it and have attached working code below.
As mentioned above, I added some subroutines to APISPY32.c

I modified the DllMain routine to keep APISPY from installing when the dll
attaches to the VB end of things

Code:

---

  case DLL_PROCESS_ATTACH:
    HInstance = hInst;
    FChicago = (BOOL)((GetVersion() & 0xC0000000) == 0xC0000000);
    if (hWndVB > 0){//only do this for external process
        if ( InitializeAPISpy32() == FALSE )
          return 0;
        if ( InitThreadReturnStack() == FALSE )
          return 0;
        hWndSPY = hInst;//mark this instance
    }
    break;

    case DLL_THREAD_ATTACH:
        if (HInstance = hWndSPY)
          if ( InitThreadReturnStack() == FALSE )
                return 0;
            break;

      case DLL_THREAD_DETACH:
        if (HInstance = hWndSPY)
            if ( ShutdownThreadReturnStack() == FALSE )
              return 0;
            break;

      case DLL_PROCESS_DETACH:
        if (HInstance = hWndSPY){
          ShutDownAPISpy32();
          ShutdownThreadReturnStack();
          if (hhookHooks != 0){
          result = UnhookWindowsHookEx(hhookHooks);                          hhookHooks = 0;
          hWndVB = 0;
      }
  }
  break;

---

Added two exported functions to be called from VB:
A function to Set a hook from VB; we pass to it the ThreadID to hook as well as a handle to a window in VB to receive callback messages from dll.

Code:

---

__declspec(dllexport) int _stdcall InstallFilterDLL(DWORD dwThreadId, HANDLE hWndReturn)
{
  if (hhookHooks==0)
        hhookHooks = SetWindowsHookEx(WH_CALLWNDPROC,(HOOKPROC) CallWndProc, (HINSTANCE)
  HInstance, dwThreadId);
  if (hhookHooks==0) return GetLastError();
  hWndVB = hWndReturn;
  return 0;
}

---

And one to remove the hook

Code:

---

__declspec(dllexport) int UnInstallFilterDLL(void)
{
  LRESULT result;
  if (hhookHooks != 0){
  result = UnhookWindowsHookEx(hhookHooks);
  hhookHooks = 0;
  hWndVB = 0;
  }
  return 0;
}

---

The Window Procedure function for monitoring the messages
Currently it only serves to monitor for shutdown of target app

Code:

---

LRESULT CALLBACK CallWndProc(int nCode, WPARAM wParam, LPARAM lParam)
{
  CWPSTRUCT *lpMsg;
  LRESULT result = 0;
  //return immediately for negative nCodes
  if (nCode >= 0){
    if (nCode==HC_ACTION){
        lpMsg = (CWPSTRUCT *) lParam;
        switch (lpMsg->message){
          case WM_CLOSE://we're shutting down
          //notify VB we're shutting down
          if (hWndVB>0) SendMessage(hWndVB, UM_STOP, 0, (LPARAM)result);
          //remove the hook
          if (hhookHooks !=        0){
            result = UnhookWindowsHookEx(hhookHooks);
            hhookHooks = 0;
            hWndVB = 0;
          }
          break;
        }//end switch
    }//end HC_ACTION
  }//end nCode >=0
 return(CallNextHookEx(hhookHooks, nCode, wParam, lParam));
}

---

Here we have three two user-defined messages and two other constants

Code:

---

#define UM_STOP                WM_USER + 0x101 //message from dll to VB; dll is shutting down
#define UM_ERROR        WM_USER + 0x102 //message sent from dll to VB; an error has occurred
#define ERR_INITSPY        1 //Error type; InitializeAPISpy32 failed
#define ERR_INITTHREAD 2 //Error type; InitThreadReturnStack failed

---

I've also added some shared variables

Code:

---

#pragma data_seg(".shared")
        HANDLE hWndVB = 0; //handle back to subclassed VB Window
        HHOOK hhookHooks = 0; // Hook handle
        HANDLE hWndSPY = 0; //external process handle
#pragma data_seg()
#pragma comment(linker, "/SECTION:.shared,RWS")

---

Finally, Ive added a local routine to send data back to the VB App

Code:

---

void SendData(char* pszOutStr)
{
  if (hWndVB > 0){
    COPYDATASTRUCT MyCDS;
    MyCDS.dwData = 1;          // function identifier
    MyCDS.cbData = strlen( pszOutStr );  // size of data
    MyCDS.lpData = pszOutStr;      // data structure
    SendMessage(hWndVB, WM_COPYDATA, (WPARAM) HInstance, (LPARAM) &MyCDS);
  }
}

---

In Addition to these modifications, I modified LOG.C to send data back to VB
Define our sending function which resides in WINAPISPY32.c

Code:

---

void SendData(char* pszOutStr);

---

At two spots LOG.c writes data, so at those points send data to our function also
One is in function LogCall

Code:

---

void __stdcall LogCall(PSTR pszName, PBYTE pParams, PDWORD pFrame)
{
        char szOutstr[1024];//buffer to hold entire data string
        .
        .
        .
    fprintf(PLogFile, "%s%s(%s)\n", szIndent, pszName, szParams);
    fflush(PLogFile);
//********* Added By Moeur **************************************
    wsprintf(szOutstr, "%s%s(%s)\n", szIndent, pszName, szParams);
        SendData(szOutstr);
//-----------------------------------------------------------------
        .
        .
        .
}

---

The other is in LogReturn

Code:

---

void LogReturn(PSTR pszName, DWORD returnValue, DWORD level)
{
    char szIndent[128];
//********* Added By Moeur **************************************
        char szOutstr[1024];//buffer to hold output string
//-----------------------------------------------------------------
    if ( !PLogFile ) return;
    MakeIndentString(szIndent, level);
    fprintf(PLogFile, "%s%s returns: %X\n", szIndent, pszName, returnValue);
    fflush(PLogFile);
//********* Added By Moeur **************************************
    wsprintf(szOutstr, "%s%s returns: %X\n", szIndent, pszName, returnValue);
        SendData(szOutstr);
//-----------------------------------------------------------------
}

---

Don't forget your .def file

On the VB end, we have to declare our two dll routines as well as some other API stuff

VB Code:

Option Explicit
'Change to where your dll is located
Private Declare Function InstallFilterDLL Lib "C:\bin\APISPY32.dll" ( _
    ByVal dwThreadID As Long, _
    ByVal lhWnd As Long _
) As Long
 
 Private Declare Function UnInstallFilterDLL Lib "C:\bin\APISPY32.dll" () As Long
 
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" ( _
    ByVal lpClassName As String, _
    ByVal lpWindowName As String _
) As Long
 
Private Declare Function GetWindowThreadProcessId Lib "user32" ( _
    ByVal hwnd As Long, _
    lpdwProcessId As Long _
) As Long
 
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" ( _
    ByVal hwnd As Long, _
    ByVal wMsg As Long, _
    ByVal wParam As Long, _
    lParam As Any _
) As Long
 
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" ( _
    Destination As Any, _
    Source As Any, _
    ByVal Length As Long _
)
 
Const WM_COPYDATA = &H4A 'message from dll with our data
Const WM_USER = &H400
Const UM_STOP = WM_USER + &H101   'message from dll to VB; dll is shutting down
Const UM_ERROR = WM_USER + &H102  'message sent from dll to VB; an error has occurred
Const ERR_INITSPY = 1 'Error type; InitializeAPISpy32 failed
Const ERR_INITTHREAD = 2 'Error type; InitThreadReturnStack failed
 
'data structure for WM_COPYDATA
Private Type COPYDATASTRUCT
        dwData As Long
        cbData As Long
        lpData As Long
End Type

Next we subclass something to receive callback messages from the dll, get a handle to the target, and set the hook.

VB Code:

Private Sub Command1_Click()
 Dim hWndCalc As Long, ThreadID As Long
 
 'Subclass the subclass control
 subClass.Enable 0
 
 'Get handle to Calculator
 hWndCalc = FindWindow("SciCalc", "Calculator")
 While hWndCalc = 0
    If MsgBox("Open Calculator", vbOKCancel) = vbCancel Then Exit Sub
    hWndCalc = FindWindow("SciCalc", "Calulator")
 Wend
 
 'Get ThreadID to Calculator
 ThreadID = GetWindowThreadProcessId(hWndCalc, 0)
 
 'set The Hook which starts APISPY
 If InstallFilterDLL(ThreadID, subClass.hwnd) Then
    MsgBox "Cannot Install Hook"
 End If
 
End Sub

Before our program ends, remove the hook and subclass

VB Code:

Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
 UnInstallFilterDLL
 subClass.Disable
End Sub

When one of our special messages comes in we deal with it

VB Code:

Private Sub subClass_WindProc(ByVal hwnd As Long, ByVal uMsg As Long, ByVal wParam As Long, ByVal lParam As Long)
 Dim inData As COPYDATASTRUCT
    Select Case uMsg
    Case Is = UM_STOP
        MsgBox "App is shutting down"
    Case Is = UM_ERROR
        If lParam = ERR_INITSPY Then
            MsgBox "DLL Error Initializing APISPY"
        Else
            MsgBox "DLL Error Initializing APISPY"
        End If
 
    Case Is = WM_COPYDATA ' our data has arrived
        'wParam - Handle to window passing us the data
        'lParam - pointer to data
        Call CopyMemory(inData, ByVal lParam, 12)
        'inData.dwData - function identifier
        'inData.cbData - number of bytes in lpData
        'inData.lpData - pointer to data
        Text1 = Text1 & StrFromPtr(inData.lpData, inData.cbData)
    End Select
End Sub

Here is the utility to deal with strings from pointers

VB Code:

Function StrFromPtr(pStr As Long, strCNT As Long) As String
 Dim bTemp As Byte
 Dim i As Long
 Dim x As String
 x = ""
 For i = 0& To strCNT - 1
   CopyMemory bTemp, ByVal pStr + i, 1
   If bTemp = 10 Then
     x = x & vbCrLf
   Else
     x = x & Chr(bTemp)
   End If
 Next i
 StrFromPtr = x
End Function

The attached code should work out of the box, but if there is a problem let me know

uhhhh....wow! I haven't been on the boards for about 3 days now because I have had sooo much damn school work to do. I will be able to give this a try tomorrow and get back with you. Thanks a lot for your help!

I used the exact project from your zip and the C++ section doesn't actually compile the .dll. It puts APISPY32.exp and APISPY32.lib into the debug directory where the .dll would normally be. Something I have set wrong or what?

It's trying to put the dll into "C:\bin" change project/settings/link/output file name

Ok i got the .dll and i assume the .def file is not working because vb is giving errors about the entry point isnt found.

Wasn't added correctly...I GOT IT! Also I just wanted to add that right before you posted your great solution and I was using the 2 .dll method, I did in fact get it working. All you have to do is get the APISPY into the address space and it does in fact take over from there. This is obviously much better so forget it... Thanks and now I will be up allll night =P

I got it to monitor the APIs and it turns out it does it perfectly, but then crashes when you close one of the apps from what I assume are CopyData calls. The error message talks about unreferenced memory and memory trying to be "read" and something "wrote". Thus I assume it has to be this call. Trying to find a better way to disable.

I am actually trying right now to just leave the .dll in the process and just not have it send out messages after the vb app closes. That has not worked either. Another problem could be it isn't replacing the IAT table back. Thus the functions never get rerouted to the actual correct spot in USER32.dll


***** Update

Dont know why I didn't think of this first...but i removed the Copydata call and it still crashes. Now I assume it is the IAT. If not that then....damn out of ideas.

Use the shutdownapi command provided and it works fine.

Quote:

---

..., but then crashes when you close one of the apps

---

Damn! I thought I fixed that.

Quote:

---

Use the shutdownapi command provided and it works fine.

---

I don't understand.??? Are you saying get rid of the changes I made to shutdownapi or what?
Exactly what changes did you make so that it exits gracefully?

I had everything working great. Then I went and played some hoop, come back and now it acts like it is complete ****. I can't even really compile changes anymore and it wont work on another machine because of the .ocx **** (in the future I will avoid .ocx like the clap). I don't even know where I am anymore. Is there some way to just keep this version control **** out of my life?

Is the .ocx really needed? It seems to be nothing but problems thus far... I cant even properly load or compile with it saying it cant load the .ocx. It is in the correct path and everything. no dice...

here is the error that was dumped to Form1.log when the project fails:

Line 12: Class SubClass.subClassControl of control subClass was not a loaded control class.

I found the version control option and turned that off...still....no dice

ALSO...when i finally get it to get into project mode and not saying that it didnt load the .ocx. It gives me this error ( I assume this is the first line that it reads that is undefined because it never really loaded the .ocx functions)

Compile error
Method or data member not found:

subClass.Enable 0

I'll rewrite the control as a class instead
In the meantime.
open the project, choose OK on all errors
open the form with the control on it, OK on all errors
delete the control from the form
Add it back to the form and name it SubClass

if you want to compile it, you'll have to
compile the ActiveX control project,
select binary compatibilty, choosing the OCX you just compiled
recompile the activex control project
compile the main project

I know, it's a pain-in-the-ass

Got it to compile now... **slaps in head** why didn't I think of those 45 easy steps :rolleyes: Thanks for help.

OK,
Here is the new TestAPISPY VB project that uses a class to do the subclassing instead of an activeX control.

BTW, what changes did you have to make to the dll source to stop it from crashing?

Thought I had it but when you restart comp and then try again then it crashes.

I'm working on fixing the crashes.
I think it's related to removing the hook If you add a remove hook button to the VB form, press it, then when you move the mouse over your external app your external app will crash.
I also discovered some errors in my code and some stupid things I did, but still haven't gotten rid of the crash.

Crashes fixed (I hope)

The problem seems to be an interaction between the APISPY initialization and the hook.

The solution is don't ever remove the hook. This is OK since if the VB program is shutting down, the dll knows not to send messages anymore. If the dll is shutting down, then the hook goes away anyway. So, remove all calls to UnInstallFilterDLL from the VB app.

Attached is an improved APISPY32.c source with calls to UnhookWindowsHookEx removed and some bugs fixed.

Let me know if it does not work.

Time for coffee.

There is a problem in programs that spawn other windows. For example if you tried this on a vb app that had lots of forms and you attached to one of the secondary forms, then when you close the secondary form and try return to main it will crash.

***Update

Unless you close the vb app and then close the secondary window.

Quote:

---

There is a problem in programs that spawn other windows.

---

I hadn't considered that. I have an idea, I'll try it out and get back.

I have tried some random things and all failed... you?

EJ12N,

I totally forgot to post this injection code you wanted.
I tested it on APISPY32 and it worked. Unfortunately for Lyric it worn't work for him because it creates a new thread to inject into and that's not he wants.

Put all this into a module

VB Code:

Option Explicit
 
Public Declare Function CreateToolhelp32Snapshot Lib "kernel32" ( _
  ByVal dwFlags As Long, _
  ByVal th32ProcessID As Long _
) As Long
 
'dwFlags
Public Const TH32CS_INHERIT = &H80000000
Public Const TH32CS_SNAPHEAPLIST = &H1
Public Const TH32CS_SNAPMODULE = &H8
Public Const TH32CS_SNAPPROCESS = &H2
Public Const TH32CS_SNAPTHREAD = &H4
Public Const TH32CS_SNAPALL = (TH32CS_SNAPHEAPLIST Or TH32CS_SNAPPROCESS Or _
    TH32CS_SNAPTHREAD Or TH32CS_SNAPMODULE)
 
Public Const INVALID_HANDLE_VALUE = -1&
'------------------------------------------------------------------
 
Public Const MAX_PATH = 260
Type PROCESSENTRY32
  dwSize As Long
  cntUsage As Long
  th32ProcessID As Long
  th32DefaultHeapID As Long
  th32ModuleID As Long
  cntThreads As Long
  th32ParentProcessID As Long
  pcPriClassBase As Long
  dwFlags As Long
  szExeFile(1 To MAX_PATH) As Byte
End Type
 
Public Declare Function Process32First Lib "kernel32" ( _
  ByVal hSnapshot As Long, _
  lppe As PROCESSENTRY32 _
) As Boolean
 
Public Declare Function Process32Next Lib "kernel32" ( _
  ByVal hSnapshot As Long, _
  lppe As PROCESSENTRY32 _
) As Boolean
'------------------------------------------------------------------
 
Public Const STANDARD_RIGHTS_REQUIRED = &HF0000
Public Const SYNCHRONIZE = &H100000
Public Const PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
 
Public Declare Function OpenProcess Lib "kernel32" ( _
    ByVal dwDesiredAccess As Long, _
    ByVal bInheritHandle As Long, _
    ByVal dwProcessId As Long _
) As Long
'------------------------------------------------------------------
 
Public Declare Function VirtualAllocEx Lib "kernel32" ( _
    ByVal hProcess As Long, _
    ByVal lpAddress As Long, _
    ByVal dwSize As Long, _
    ByVal flAllocationType As Long, _
    ByVal flProtect As Long _
) As Long
 
'Allocation Types
Public Const MEM_COMMIT = &H1000
Public Const MEM_RESERVE = &H2000
Public Const MEM_RESET = &H80000
Public Const MEM_TOP_DOWN = &H100000
 
'memory protection
Public Const PAGE_NOACCESS = &H1
Public Const PAGE_READONLY = &H2
Public Const PAGE_READWRITE = &H4
Public Const PAGE_WRITECOPY = &H8
Public Const PAGE_EXECUTE = &H10
Public Const PAGE_EXECUTE_READ = &H20
Public Const PAGE_EXECUTE_READWRITE = &H40
Public Const PAGE_EXECUTE_WRITECOPY = &H80
Public Const PAGE_GUARD = &H100
Public Const PAGE_NOCACHE = &H200
Public Const PAGE_WRITECOMBINE = &H400
'------------------------------------------------------------------
 
Public Declare Function WriteProcessMemory Lib "kernel32" ( _
    ByVal hProcess As Long, _
    ByVal lpBaseAddress As Long, _
    ByVal lpBuffer As String, _
    ByVal nSize As Long, _
    lpNumberOfBytesWritten As Long _
) As Long
'------------------------------------------------------------------
 
Public Type SECURITY_ATTRIBUTES
        nLength As Long
        lpSecurityDescriptor As Long
        bInheritHandle As Long
End Type
 
Public Declare Function CreateRemoteThread Lib "kernel32" ( _
    ByVal hProcess As Long, _
    ByVal lpThreadAttributes As Long, _
    ByVal dwStackSize As Long, _
    ByVal lpStartAddress As Long, _
    ByVal lpParameter As Long, _
    ByVal dwCreationFlags As Long, _
    lpThreadId As Long _
) As Long
'------------------------------------------------------------------
 
Public Declare Function GetProcAddress Lib "kernel32" ( _
    ByVal hModule As Long, _
    ByVal lpProcName As String _
) As Long
 
Public Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" ( _
    ByVal lpModuleName As String _
) As Long
 
Public Declare Function CloseHandle Lib "kernel32" ( _
    ByVal hObject As Long _
) As Long
 
'-------------------------------------------------------------------------
'    used for GetAPIErrorText
Private Const FORMAT_MESSAGE_FROM_SYSTEM = &H1000
Private Const FORMAT_MESSAGE_IGNORE_INSERTS = &H200
 
Private Declare Function GetLastError Lib "kernel32" () As Long
 
Private Declare Function FormatMessage Lib "kernel32" Alias "FormatMessageA" ( _
    ByVal dwFlags As Long, _
    lpSource As Any, _
    ByVal dwMessageId As Long, _
    ByVal dwLanguageId As Long, _
    ByVal lpBuffer As String, _
    ByVal nSize As Long, _
    Arguments As Long _
) As Long
 
Public Function InjectDLL(szTarget As String, szdlltoinject As String) As Boolean
Dim still_injected As Boolean
Dim isInjected As Boolean
Dim result As Long
Dim hSnapshot As Long, hModule As Long, hProcess As Long, hThread As Long
Dim PE32 As PROCESSENTRY32
 
    isInjected = False
    still_injected = False
    PE32.dwSize = Len(PE32)
 
    'Take a snapshot of all processes in the system.
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hSnapshot = INVALID_HANDLE_VALUE Then
        Debug.Print "CreateToolhelp32Snapshot Error: "; GetAPIErrorText(GetLastError)
        InjectDLL = False
        Exit Function
    End If
    'Retrieve information about the first process encountered in the system snapshot.
    If Process32First(hSnapshot, PE32) = False Then
        Debug.Print "Process32First Error: "; GetAPIErrorText(GetLastError)
        GoTo ExitOnError
    End If
    
    Do 'walk the snapshot of processes to find our target
        'If executable file name of process matches our target’s name then...
        If StrFromByteArray(PE32.szExeFile) = szTarget Then
            If isInjected Then 'If already injected don’t do again
                still_injected = True
            Else
                'open an existing process object.
                hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, PE32.th32ProcessID)
                If hProcess = 0 Then
                    Debug.Print "OpenProcess Error: "; GetAPIErrorText(GetLastError)
                    GoTo ExitOnError
                End If
                Debug.Print "Process Handle: "; Hex(hProcess)
                'Commit a region of memory within the virtual address space of the specified process.
                hModule = VirtualAllocEx(hProcess, 0, Len(szdlltoinject), MEM_COMMIT, _
                    PAGE_EXECUTE_READWRITE)
                If hModule = 0 Then
                    Debug.Print "VirtualAllocEx Error: "; GetAPIErrorText(GetLastError)
                    GoTo ExitOnError
                End If
                Debug.Print "Virtual Allocation: "; Hex(hModule)
                'writes name of dll to an area of memory in the process.
                result = WriteProcessMemory(hProcess, hModule, szdlltoinject, _
                    Len(szdlltoinject), ByVal 0)
                If result = 0 Then
                    Debug.Print "WriteProcessMemory Error: "; GetAPIErrorText(GetLastError)
                    GoTo ExitOnError
                End If
                Debug.Print "Write Process Memory: "; result
                'create a thread that runs in the virtual address space of the other process.
                hThread = CreateRemoteThread(hProcess, 0, 0, GetProcAddress(GetModuleHandle("kernel32"), _
                    "LoadLibraryA"), hModule, 0, ByVal 0)
                If hThread = 0 Then
                    Debug.Print "CreateRemoteThread Error: "; GetAPIErrorText(GetLastError)
                    GoTo ExitOnError
                End If
                'This Runs LoadLibraryA with parameter hModule(pointer to name of dll) in the
                'other process which in turn, maps the specified DLL file into the address space
                'of the calling process.
                isInjected = True
                still_injected = True
            End If
            Exit Do 'found our target
        End If 'end if found target
    
    'Retrieve information about the next process recorded in the system snapshot.
    Loop While (Process32Next(hSnapshot, PE32))
        Debug.Print "Process32Next Error: "; GetAPIErrorText(GetLastError)
        GoTo ExitOnError
    
    'if our target wasn't found, then isinjected=false
 
ExitOnError:
Call CloseHandle(hProcess)
 
InjectDLL = isInjected
 
End Function
 
 
Public Function StrFromByteArray(bArray() As Byte) As String
    Dim i As Integer
    Dim x As String
    x = ""
    For i = 1 To MAX_PATH
        If bArray(i) = 0 Then Exit For
        x = x & Chr(bArray(i))
    Next i
    StrFromByteArray = x
End Function
 
'Return the text of the API error denoted by lError
Public Function GetAPIErrorText(ByVal lError As Long) As String
 Dim sOut As String
 Dim sMsg As String
 Dim lret As Long
 GetAPIErrorText = ""
 sMsg = String(256, 0)
 lret = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM Or FORMAT_MESSAGE_IGNORE_INSERTS, _
    0&, lError, 0&, sMsg, Len(sMsg), 0&)
 sOut = lError & " (&H" & Hex(lError) & "): "
 If lret <> 0 Then
    sMsg = Trim(sMsg)
    If Right(sMsg, 2) = vbCrLf Then sMsg = Left(sMsg, Len(sMsg) - 2)
    sOut = sOut & Trim(sMsg)
 Else
    sOut = sOut & "<no such error> "
 End If
 GetAPIErrorText = sOut
End Function

Let me know if it doesn't work.

Lyric,

I think I have a solution for you.

I went back to the old method of APISPY injection; using a debug injector.
The problem with the original method was that he used CreateProcess to start a new process and you need to inject into an already running process. So, I used DebugActiveProcess instead. It actually turns out to be simpler this way.

The original method inserted a breakpoint into the first byte of the main thread before the thread started. Then, once the thread started, the breakpoint passed control over to the debugger where he injected the bootstrap code. At the end of the bootstrap code is another breakpoint which allows the debugger to restart the thread at the beginning with the proper code this time.

This method doesn't work if you're trying to inject into an already running process since you're no longer at the beginning of the thread and you can't put a breakpoint into the thread. Instead what you can do is inject the code as soon as you receive a CREATE_PROCESS Debug notification. Since the thread is already running you don't have to mess with those added steps of adding an extra break point.

Anyway, here is the code with a little VB demo program to run it. After starting the code, drag the little pointer picture over to the window you want to spy on. Once you do that you can press the "Start Spying" button.

Let me know if it crashes like the other program did.

A couple more points
The APISPY code still resides in APISPY32.dll and runs in the target application's main thread.
The debugger resides in APISPY2.dll and runs in the VB Apps process, but I created a new thread for it to run in since it has a lot of waiting to do.
Data is passed from the Target App to the debugger via calls to OutputDebugString. This puts data into to debugger's thread. To get it to the VB App I had to rely on Windows messages since I could not figure out how to make a callback to the VB app from a seperate thread. I did a lot of work trying to figure this out, in fact you can see a few threads in this forum I started to look for the answer. The answer still eludes me so I had to settle for Window's mesages.

welldone, its my problem. thanks