I am currently trying to implement a simple Parent PID Spoofing in Rust but I'm facing with Segfault errors / Invalid Handle when creating process whom I'm trying to spoof its parent.
I made this code and modified it a lot in order to accomplish the wanted result:
let mut sinfo = STARTUPINFOEXA::default();
let mut cb_attribute_list_size = 0;
const PROC_THREAD_ATTRIBUTE_PARENT_PROCESS: DWORD = 0x00020000;
let mut h_parent_process: HANDLE = NULL as HANDLE;
let dw_pid: DWORD = 2176;
const CMDLINE: &str = "notepad";
unsafe {
InitializeProcThreadAttributeList(
null_mut(),
1,
0,
&mut cb_attribute_list_size
);
sinfo.lpAttributeList = HeapAlloc(
GetProcessHeap(),
0,
cb_attribute_list_size
).cast();
if InitializeProcThreadAttributeList(
sinfo.lpAttributeList,
1,
0,
&mut cb_attribute_list_size
) == 0 {
eprintln!("[x] Error Initializing proccess attribute");
return Ok(());
}
h_parent_process = OpenProcess(
PROCESS_ALL_ACCESS,
0,
dw_pid // explorer.exe
);
if h_parent_process.is_null() {
eprintln!("[x] Error opening parent process");
return Ok(());
}
if UpdateProcThreadAttribute(
sinfo.lpAttributeList,
0,
0x00020000,
transmute::<PHANDLE, LPVOID>(&mut h_parent_process),
size_of::<HANDLE>(),
null_mut(),
null_mut()
) == 0 {
eprintln!("[x] Error updating PROC_THREAD_ATTRIBUTE_PARENT_PROCESS");
return Ok(());
}
let mut process_info= PROCESS_INFORMATION::default();
sinfo.StartupInfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
sinfo.StartupInfo.wShowWindow = 0;
sinfo.StartupInfo.cb = size_of::<STARTUPINFOEXA>() as u32;
if CreateProcessA(
null_mut(),
CMDLINE.to_string().as_ptr() as LPSTR,
null_mut(),
null_mut(),
0,
EXTENDED_STARTUPINFO_PRESENT,
null_mut(),
null_mut(),
&mut sinfo.StartupInfo,
&mut process_info
) == 0 {
eprintln!("[x] Error creating process");
return Ok(());
}
println!("[+] Process created: {}", process_info.dwProcessId);
DeleteProcThreadAttributeList(sinfo.lpAttributeList);
CloseHandle(process_info.hProcess);
CloseHandle(process_info.hThread);
CloseHandle(h_parent_process);
}
I tried allocating the pAttributeList from Rust with Vec::with_capacity() or from C with HeapAlloc().
The same code works in C but I don't know what am I doing wrong in Rust. I didn't success to find an actual implementation of Parent PID Spoofing in Rust but I found some usage of UpdateProcThreadAttributeList() function.
The C source code I am trying to convert to Rust can be found here: https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing#ppid-spoofing
Thanks for help 🐼
---EDIT---
I reviewed the code to use Ansi version of the API, the code works fine but does not produce the result I wanted. It spawn a notepad but with no parent (System is its).
I wonder if my call to UpdateProcThreadAttributeList() is correct, I think I would have to pass the reference to the Handle of the Parent Process but HANDLE structure is a *mut c_void and LPVOID/PVOID is also a *mut c_void. I'm not quite sure if the problem reside in this thing.
As one of comment suggested, there is my C code that I try to convert:
STARTUPINFOEX sie = { sizeof(sie) };
PROCESS_INFORMATION pi;
SIZE_T cbAttributeListSize = 0;
PPROC_THREAD_ATTRIBUTE_LIST pAttributeList = nullptr;
HANDLE hParentProcess = nullptr;
DWORD dwPid = 2176;
const char* lpCommandLine = "notepad";
InitializeProcThreadAttributeList(NULL, 1, 0, &cbAttributeListSize);
pAttributeList = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, cbAttributeListSize);
if (NULL == pAttributeList)
{
std::cout << "[x] Error allocating heap: " << GetLastError() << std::endl;
return 0;
}
if (!InitializeProcThreadAttributeList(pAttributeList, 1, 0, &cbAttributeListSize))
{
std::cout << "[x] Error Initializing proccess attribute: " << GetLastError() << std::endl;
return 0;
}
hParentProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
if (NULL == hParentProcess)
{
std::cout << "[x] Error opening parent process: " << GetLastError() << std::endl;
return 0;
}
if (!UpdateProcThreadAttribute(pAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hParentProcess, sizeof(HANDLE), NULL, NULL))
{
std::cout << "[x] Error updating PROC_THREAD_ATTRIBUTE_PARENT_PROCESS: " << GetLastError() << std::endl;
return 0;
}
sie.lpAttributeList = pAttributeList;
if (!CreateProcessA(NULL, const_cast<LPSTR>(lpCommandLine), NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &sie.StartupInfo, &pi))
{
std::cout << "[x] Error creating process: " << GetLastError();
return 0;
}
std::cout << "[+] Process created: " << pi.dwProcessId << std::endl;
DeleteProcThreadAttributeList(pAttributeList);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
CloseHandle(hParentProcess);
Thanks again 🐼
--LAST EDIT--
I finally figured out what I was making wrong !
During CreateProcessA() call it was trying to read the location pointed by the value of the Parent Process Handle but I was passing its value directly instead of its reference.
I edited the Rust code above. Thanks all I can close this issue.
Related
I've got a program that enumerates all processes with the Toolhelp API. With my Sysinternals Process Explorer I also can see a description of all processes. Is this description coming from the executable ? How do I get its name ?
That's my current code to enumerate the processes:
#include <Windows.h>
#include <TlHelp32.h>
#include <iostream>
#include <vector>
#include <system_error>
#include <memory>
using namespace std;
vector<PROCESSENTRY32W> getAllProcesses();
int main()
{
for( PROCESSENTRY32W &pe : getAllProcesses() )
wcout << pe.szExeFile << endl;
}
using XHANDLE = unique_ptr<void, decltype([]( HANDLE h ) { h && h != INVALID_HANDLE_VALUE && CloseHandle( h ); })>;
vector<PROCESSENTRY32W> getAllProcesses()
{
auto throwSysErr = []() { throw system_error( (int)GetLastError(), system_category(), "error enumerating processes" ); };
vector<PROCESSENTRY32W> processes;
XHANDLE xhSnapshot( CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ) );
if( xhSnapshot.get() == INVALID_HANDLE_VALUE )
throwSysErr();;
PROCESSENTRY32W pe;
pe.dwSize = sizeof pe;
if( !Process32FirstW( xhSnapshot.get(), &pe ) )
throwSysErr();
for( ; ; )
{
processes.emplace_back( pe );
pe.dwSize = sizeof pe;
if( !Process32NextW( xhSnapshot.get(), &pe ) )
if( GetLastError() == ERROR_NO_MORE_FILES )
break;
else
throwSysErr();
}
return processes;
}
#RemyLebeau 's way with code implement which is adapted from VerQueryValueA document sample. And as OpenProcess states,
If the specified process is the System Idle Process (0x00000000), the
function fails and the last error code is ERROR_INVALID_PARAMETER. If
the specified process is the System process or one of the Client
Server Run-Time Subsystem (CSRSS) processes, this function fails and
the last error code is ERROR_ACCESS_DENIED because their access
restrictions prevent user-level code from opening them.
int main()
{
TCHAR szFile[MAX_PATH] = {};
DWORD dwSize = MAX_PATH;
for (PROCESSENTRY32W& pe : getAllProcesses())
{
wcout << pe.szExeFile << endl;
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION,
FALSE, pe.th32ProcessID);
if (hProcess == NULL)
{
//ErrorExit(TEXT("OpenProcess"));
}
else
{
memset(szFile, 0, MAX_PATH);
dwSize = MAX_PATH;
QueryFullProcessImageName(hProcess,0, szFile,&dwSize);
DWORD s = GetFileVersionInfoSize(szFile,NULL);
if (s != 0)
{
LPVOID lpData = HeapAlloc(GetProcessHeap(), 0, s);
GetFileVersionInfo(szFile,0,s, lpData);
HRESULT hr;
UINT cbTranslate;
struct LANGANDCODEPAGE {
WORD wLanguage;
WORD wCodePage;
} *lpTranslate;
// Read the list of languages and code pages.
VerQueryValue(lpData,
TEXT("\\VarFileInfo\\Translation"),
(LPVOID*)&lpTranslate,
&cbTranslate);
// Read the file description for each language and code page.
LPVOID lpBuffer;
UINT dwBytes;
for (int i = 0; i < (cbTranslate / sizeof(struct LANGANDCODEPAGE)); i++)
{
TCHAR SubBlock[255] = {};
hr = StringCchPrintf(SubBlock, 50,
TEXT("\\StringFileInfo\\%04x%04x\\FileDescription"),
lpTranslate[i].wLanguage,
lpTranslate[i].wCodePage);
if (FAILED(hr))
{
// TODO: write error handler.
}
// Retrieve file description for language and code page "i".
VerQueryValue(lpData,
SubBlock,
&lpBuffer,
&dwBytes);
wcout << (TCHAR*)(lpBuffer) << endl;
}
HeapFree(GetProcessHeap(), 0, lpData);
}
//GetProcessImageFileName(hProcess, szFile, dwSize);
}
}
}
Other than creating pipes for standard in/out/error, is there any easy way in Win32 API to redirect those handles to the parent process? If the child process has a console window, the output/error seems to go to it, rather than the parent's console window, even when the handles are inherited. What I'd really like is for a windowless child process to send its out/error to the parent's console (easily?). Advice appreciated.
If you only want to display the stdout and stderr of your child process to the console of the parent process, you can use AttachConsole(ATTACH_PARENT_PROCESS) in the child process to attach it to the console of the parent process. Or In parent, specify dwCreationFlags of CreateProcess as 0, according to the Creation of a Console:
By default, a console process inherits its parent's console.
(there is no guarantee that input is received by the process for which it was intended. Make sure you don' t need to use the stdin for child process)
However, this method cannot interact with the parent process. If the parent process needs to obtain these output data, it still needs to use Interprocess Communications to send the data to the parent process.
This method allows the child process and the parent process to use the same console, but the parent process cannot directly obtain the output data of the child process. If the parent process needs to get the data, it still needs to use Interprocess Communications to send the data to the parent process.
EDIT:
Here is the sample
child:
#include <windows.h>
#include <iostream>
int main(VOID)
{
AttachConsole(ATTACH_PARENT_PROCESS);
int i = 5;
while (i--)
{
printf("printf\n");
std::cout << "child " << i << std::endl;
fflush(stdout);
Sleep(1000);
}
return 0;
}
parent:
#include <windows.h>
#include <iostream>
int main()
{
STARTUPINFO si = {};
si.cb = sizeof(STARTUPINFO);
PROCESS_INFORMATION pi = {};
WCHAR cmd[] = L"Path\\child.exe";
SECURITY_ATTRIBUTES se = {};
se.nLength = sizeof(SECURITY_ATTRIBUTES);
se.bInheritHandle = true;
se.lpSecurityDescriptor = NULL;
HANDLE hFile = CreateFileW(L"test.txt", GENERIC_WRITE, FILE_SHARE_READ, &se, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
BOOL ret = SetStdHandle(STD_OUTPUT_HANDLE, hFile);
printf("parent1\n");
ret = CreateProcessW(cmd, NULL, 0, 0, 1, 0, 0, 0, &si, &pi);
std::cout << "parent2 " << std::endl;
WaitForSingleObject(pi.hProcess,INFINITE);
system("pause");
}
result:
Another sample:
child
int main(VOID)
{
//AttachConsole(ATTACH_PARENT_PROCESS);
int i = 5;
while (i--)
{
printf("printf\n");
std::cout << "child " << i << std::endl;
fflush(stdout);
Sleep(1000);
}
return 0;
}
parent
int main()
{
SECURITY_ATTRIBUTES se = {};
se.nLength = sizeof(SECURITY_ATTRIBUTES);
se.bInheritHandle = true;
se.lpSecurityDescriptor = NULL;
HANDLE hFile = CreateFileW(L"test.txt", GENERIC_WRITE, FILE_SHARE_READ, &se, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
BOOL ret = SetStdHandle(STD_OUTPUT_HANDLE, hFile);
printf("parent1\n");
STARTUPINFO si = {};
si.cb = sizeof(STARTUPINFO);
si.hStdError = GetStdHandle(STD_ERROR_HANDLE);
si.hStdOutput = GetStdHandle(STD_OUTPUT_HANDLE);
si.dwFlags |= STARTF_USESTDHANDLES;
PROCESS_INFORMATION pi = {};
WCHAR cmd[] = L"Path\\child.exe";
CreateProcessW(cmd, NULL, 0, 0, 1, 0, 0, 0, &si, &pi);
std::cout << "parent2 " << std::endl;
WaitForSingleObject(pi.hProcess, INFINITE);
system("pause");
}
In my project I have two applications, one is Pipe Server and Pipe Client(Slave).
I am trying to send text via pipe to display it on client's console. Thus effectively creating disposable consoles.
I have tested the code by manually running the server first and then client. It runs perfectly. Then I added some code in the constructor of Server to invoke Slave.exe with pipename as arguments however the console of Slave disappears after couple seconds.
Slave's Constructor calls this function:
int OpenNamedPipe(std::string pipename)
{
pipeurl += pipename;
hPipe = CreateNamedPipe(
pipeurl .c_str(), // pipe name
PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED, // read/write access
PIPE_TYPE_BYTE | // Datatype Byte
PIPE_WAIT, // blocking mode
1, // max. instances
outputBuffer, // output buffer size
inputBuffer, // input buffer size
0, // client time-out
NULL); // default security attribute
if (hPipe == INVALID_HANDLE_VALUE)
{
try
{
Throw_Last_Error("CreateNamedPipe failed");
}
catch (const std::runtime_error err)
{
std::cout << "Runtime Error: " << err.what();
return 0;
}
}
int timeout = 100000;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));
STARTUPINFO si;
ZeroMemory(&si, sizeof(si));
int retnVal = CreateProcessA("Slave.exe", (LPSTR)pipename.c_str(), NULL, NULL, NULL, DETACHED_PROCESS, NULL, NULL, &si, &pi);
if (!retnVal)
{
retnVal = GetLastError();
}
if (!ConnectNamedPipe(hPipe, NULL))
{
if (!GetLastError() == ERROR_PIPE_CONNECTED)
{
try
{
Throw_Last_Error("Error while connecting to named pipe.");
}
catch (std::runtime_error err)
{
std::cout << "GLE= " << GetLastError();
Block();
return 0;
}
}
}
std::cout << "Connected to pipe.\n";
return 0;
}
In Client's main program:
int main(int argc, char *argv[])
{
AllocConsole();
std::string argstr = " ";
argstr = argv[1];
PipeClient pc(argstr);
pc.Update();
system("pause");
return 0;
}
Now I need both Server's console and Client's console to remain open for further testing but when Server is waiting for the Slave to connect to pipe, Slave's console and process closes, which shouldn't happen as I have paused it before it can return.
Edit: Pipe Client object constructor:
PipeClient(std::string pipename)
{
pipeName = pipeName + pipename;
Connect();
if (hPipe != INVALID_HANDLE_VALUE || GetLastError() != ERROR_PIPE_BUSY)
{
std::cout << "Created Pipe, GLE=" << GetLastError();
}
if (hPipe == INVALID_HANDLE_VALUE)
{
ThrowLastError("Failed to connect to named pipe.");
}
}
int Connect()
{
while (true)
{
WaitNamedPipeA(pipeName.c_str(), NMPWAIT_WAIT_FOREVER);
hPipe = CreateFileA(
pipeName.c_str(),
GENERIC_READ |
GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
0,
NULL
);
if (hPipe != INVALID_HANDLE_VALUE || GetLastError() != ERROR_PIPE_BUSY)
{
std::cout << "Created Pipe, GLE=" << GetLastError();
break;
}
}
return 0;
}
Class Fields:
DWORD inputBuffer = 256;
DWORD outputBuffer = 256;
HANDLE hPipe;
std::string pipeName = "\\\\.\\pipe\\";
char * testpipename = "\\\\.\\pipe\\namedpipe";
Github repo:https://github.com/BhayanakMoth2/PipedConsole
So I fixed the problem, I was not using the CreateProcess function properly.
This should be the fixed function call:
std::string cmd = "Slave.exe " + pipename;
int retnVal = CreateProcessA("Slave.exe", (LPSTR)cmd.c_str(), NULL, NULL, NULL, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
I misread the documentation. And the reason Slave.exe was crashing because the arguments were not being passed properly and so when it reached:
argstr = argv[1]
it crashed silently. The second argument in CreateProcessA() fixes this problem by properly passing the arguments.
I've spent a couple of hours pouring through Microsoft's Dev Center; however, I can't seem to figure out how to do the following two things:
Cycle through and view the names of each program under the 'Expert Advisors' section of the 'Navigator' sub window (for example 'MACD Sample' in screenshot below)
select and double click the program (e.g. 'MACD Sample').
Winspector(Left) | Application(Right)
My main problem seems to be that I don't know how to properly use HTREEITEM to access the information. I noticed there is a function ListView_GetItemText, but I've been unable to find a TreeView_GetItemText or equivalent function.
Any help would be greatly appreciated.
Below is the main function of my program:
int _tmain(int argc, _TCHAR* argv[])
{
wcout << TEXT("Enumerating Windows...") << endl;
HWND handle = NULL;
//--- Success: gets application handle
bool success1 = getHandle(L"MetaTrader", L"20", handle);
cout << "Success1: " << success1 << endl;
cout << "Result1: " << handle << endl;
//--- Success: gets navigator window
bool success2 = getChildHandle(handle, L"", L"Navigator", handle);
cout << "Success2: " << success2 << endl;
cout << "Result2: " << handle << endl;
//--- Success: gets "SysTreeView32" handle
handle = FindWindowEx(handle, 0, L"SysTreeView32", L"");
cout << "Result3: " << handle << endl;
//--- Success: get "SysTreeView32" root nod
HTREEITEM root = TreeView_GetNextItem(handle, NULL, TVGN_ROOT);
cout << "root: " << root << endl;
return 0;
}
The result of running the code seems to be working properly
Entire code for completeness:
// MT4Terminal-test.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#pragma once
#include "targetver.h"
#include <iostream>
#include <map>
#include <string>
namespace std {
#if defined _UNICODE || defined UNICODE
typedef wstring tstring;
#else
typedef string tstring;
#endif
}
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <psapi.h>
#include <Windows.h>
#include <Commctrl.h>
#include <windows.system.h>
using namespace std;
HWND glb_handle;
tstring glb_searchWindowTitle;
tstring glb_seachClassName;
BOOL CALLBACK enumWindowsChildProc(
__in HWND hWnd,
__in LPARAM lParam
) {
return TRUE;
}
BOOL CALLBACK enumWindowsProc(
__in HWND hWnd,
__in LPARAM lParam
) {
int length = ::GetWindowTextLength(hWnd);
if (0 == length) return TRUE;
TCHAR* bufferA;
bufferA = new TCHAR[length + 1];
memset(bufferA, 0, (length + 1) * sizeof(TCHAR));
TCHAR* bufferB;
bufferB = new TCHAR[100];
memset(bufferB, 0, 100 * sizeof(TCHAR));
GetWindowText(hWnd, bufferA, length + 1);
GetClassName(hWnd, bufferB, 100);
tstring windowTitle = tstring(bufferA);
tstring className = tstring(bufferB);
delete bufferA;
delete bufferB;
if (windowTitle.find(glb_searchWindowTitle) < string::npos &&
className.find(glb_seachClassName) < string::npos)
glb_handle = hWnd;
wcout.clear();
return TRUE;
}
bool getHandle(wstring searchClassName, wstring searchWindowTitle, HWND &handle)
{
handle = NULL;
glb_handle = NULL;
glb_searchWindowTitle = searchWindowTitle;
glb_seachClassName = searchClassName;
BOOL enumeratingWindowsSucceeded = EnumWindows(enumWindowsProc, NULL);
if (enumeratingWindowsSucceeded)
{
if (glb_handle != NULL)
{
handle = glb_handle;
return true;
}
}
glb_handle = NULL;
glb_searchWindowTitle = L"";
glb_seachClassName = L"";
return false;
}
bool getChildHandle(HWND parent_handle, wstring searchClassName, wstring searchWindowTitle, HWND &handle)
{
handle = NULL;
glb_handle = NULL;
glb_searchWindowTitle = searchWindowTitle;
glb_seachClassName = searchClassName;
BOOL enumeratingWindowsSucceeded = EnumChildWindows(parent_handle, enumWindowsProc, NULL);
if (enumeratingWindowsSucceeded)
{
if (glb_handle != NULL)
{
handle = glb_handle;
return true;
}
}
glb_handle = NULL;
glb_searchWindowTitle = L"";
glb_seachClassName = L"";
return false;
}
int _tmain(int argc, _TCHAR* argv[])
{
wcout << TEXT("Enumerating Windows...") << endl;
HWND handle = NULL;
//--- Success: gets application handle
bool success1 = getHandle(L"MetaTrader", L"20", handle);
cout << "Success1: " << success1 << endl;
cout << "Result1: " << handle << endl;
//--- Success: gets navigator window
bool success2 = getChildHandle(handle, L"", L"Navigator", handle);
cout << "Success2: " << success2 << endl;
cout << "Result2: " << handle << endl;
//--- Success: gets "SysTreeView32" handle
handle = FindWindowEx(handle, 0, L"SysTreeView32", L"");
cout << "Result3: " << handle << endl;
//--- Success: get "SysTreeView32" root nod
HTREEITEM root = TreeView_GetNextItem(handle, NULL, TVGN_ROOT);
cout << "root: " << root << endl;
return 0;
}
Selecting a SysTreeView32 item
(For clarification, when I say selecting a SysTreeView32 item, I'm referring to simulating a double-click operation on a tree node -- similar to how one can double click an icon on their Desktop to open a program)
After looking at the documentation, I'm convinced:
There doesn't exist an explicit message that will simulate double-clicking a node on a tree using the handle to the tree-view item
A possible work around would be to send the TVM_GETITEMRECT message to get the coordinates of the tree node, and then use SendInput() to send a click
Are the above two statements correct?
After implementing Barmak Shemirani's code, I tried to implement #2 above using the same methodology as in Barmak Shemirani's fix. Specifically, I attempted to allocate a Rect struct in the other Application program's memory with VirtualAllocEx(), call the TreeView_GetItemRect macro in my program with a pointer to the rectangle, and read the results with ReadProcessMemory().
However, my program crashes when I call TreeView_GetItemRect(), while passing the pointer to the Rect in the other Apps memory. Most likely, because TreeView_GetItemRect() is trying to write the Rect coordinates to an invalid memory address. This caused me to realize that I don't really understand what the macro is doing:
Hence, checking out the source, I found:
#define HELLO
#define TV_FIRST 0x1100 // TreeView messages
#define TVM_GETITEMRECT (TV_FIRST + 4)
#define TreeView_GetItemRect(hwnd, hitem, prc, code) \
(*(HTREEITEM *)(prc) = (hitem), (BOOL)SNDMSG((hwnd), TVM_GETITEMRECT, (WPARAM)(code), (LPARAM)(RECT *)(prc)))
I mostly understand everything except for the part before the SNDMSG function:
(*(HTREEITEM *)(prc) = (hitem),
What exactly does the above statement mean? Is this casting the rectangle pointer that I pass to a HTREEITEM pointer, which is somehow causing the program to crash?
Screenshot of console freezing
New code
int _tmain(int argc, _TCHAR* argv[])
{
wcout << TEXT("Enumerating Windows...") << endl;
HWND handle = NULL;
//--- Success: gets application handle
bool success1 = getHandle(L"MetaTrader", L"20", handle);
//--- Success: gets navigator window
bool success2 = getChildHandle(handle, L"", L"Navigator", handle);
//--- Success: gets "SysTreeView32" handle
handle = FindWindowEx(handle, 0, L"SysTreeView32", L"");
//--- Success: get "SysTreeView32" root nod
HTREEITEM root = TreeView_GetNextItem(handle, NULL, TVGN_ROOT);
unsigned long pid;
GetWindowThreadProcessId(handle, &pid);
HANDLE process = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE |
PROCESS_QUERY_INFORMATION, FALSE, pid);
TVITEM item, *_item;
wchar_t buf[CHAR_BUF_LEN];
wchar_t *_buf;
memset(buf, 0, sizeof(buf) / sizeof(buf[0]));
_item = (TVITEM*)VirtualAllocEx(process, NULL, sizeof(TVITEM), MEM_COMMIT, PAGE_READWRITE);
_buf = (wchar_t*)VirtualAllocEx(process, NULL, CHAR_BUF_LEN, MEM_COMMIT, PAGE_READWRITE);
item.cchTextMax = CHAR_BUF_LEN;
item.pszText = _buf;
item.mask = TVIF_TEXT;
//--- find Experts Advisors branch in tree
HTREEITEM node = TreeView_GetNextItem(handle, root, TVGN_CHILD);
node = TreeView_GetNextItem(handle, node, TVGN_NEXT);
node = TreeView_GetNextItem(handle, node, TVGN_NEXT);
RECT rect, *_rect;
_rect = (RECT*)VirtualAllocEx(process, NULL, sizeof(RECT), MEM_COMMIT, PAGE_READWRITE);
rect = { 0 };
WriteProcessMemory(process, _rect, &rect, sizeof(RECT), NULL);
//--- step into Expert Advisors
node = TreeView_GetNextItem(handle, node, TVGN_CHILD);
//--- target program to open
wchar_t ea_name[] = L"MACD Sample";
while (node != NULL)
{
ZeroMemory(buf, CHAR_BUF_LEN);
item.hItem = node;
//Binds item and _item
WriteProcessMemory(process, _item, &item, sizeof(TVITEM), NULL);
TreeView_GetItem(handle, _item);
//Read buffer back to this program's process memory
ReadProcessMemory(process, _buf, buf, CHAR_BUF_LEN, NULL);
//Print program name
wcout << buf << endl;
if (wcscmp(ea_name, buf) == 0)
{
cout << "Found target program: " << ea_name << endl;
cout << "get rectangle coordinates: " << TreeView_GetItemRect(handle, node, _rect, TRUE) << endl;
}
node = TreeView_GetNextItem(handle, node, TVGN_NEXT);
}
VirtualFreeEx(process, _item, 0, MEM_RELEASE);
VirtualFreeEx(process, _buf, 0, MEM_RELEASE);
VirtualFreeEx(process, _rect, 0, MEM_RELEASE);
return 0;
}
This is the method you would normally use to read a TreeView item's text:
wchar_t buf[100];
memset(buf, 0, sizeof(buf));
TVITEM item = { 0 };
item.hItem = hitem;
item.cchTextMax = 100;
item.pszText = buf;
item.mask = TVIF_TEXT;
TreeView_GetItem(hwnd, &item);
This will not work in your program. TreeView_GetItem is a macro based on SendMessage, it copies data through LPARAM parameter. But this exchange is not allowed between different processes.
You could spend hours, possibly days, trying to hack it
(See this example)
Or you may want to research and see if the target program supports UI Automation
Edit, here is example to get HTREEITEM text. This won't work unless:
caller and target program are both 32-bit, or both 64-bit
caller and target program are both unicode
If target program is ANSI then change this function to ANSI.
HTREEITEM hitem = TreeView_GetSelection(hwndTree);
if (!hitem)
debug << "!hitem\n";
const int buflen = 512;
DWORD pid;
GetWindowThreadProcessId(hwndTree, &pid);
HANDLE process = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
| PROCESS_QUERY_INFORMATION, FALSE, pid);
TVITEMEX* ptv = (TVITEMEX*)VirtualAllocEx(process, NULL, sizeof(TVITEMEX),
MEM_COMMIT, PAGE_READWRITE);
wchar_t* pbuf = (wchar_t*)VirtualAllocEx(process, NULL, buflen,
MEM_COMMIT, PAGE_READWRITE);
TVITEMEX tv = { 0 };
tv.hItem = hitem;
tv.cchTextMax = buflen / 2;
tv.pszText = pbuf;
tv.mask = TVIF_TEXT | TVIF_HANDLE;
WriteProcessMemory(process, ptv, &tv, sizeof(TVITEMEX), NULL);
if (SendMessageW(hwndTree, TVM_GETITEM, 0, (LPARAM)(TVITEMEX*)(ptv)))
{
wchar_t buf[buflen / 2];
ReadProcessMemory(process, pbuf, buf, buflen, 0);
debug << "Result:" << buf << "\n";
}
else
debug << "!SendMessageW\n";
VirtualFreeEx(process, ptv, 0, MEM_RELEASE);
VirtualFreeEx(process, pbuf, 0, MEM_RELEASE);
CloseHandle(process); //*** I forgot this line before
The most voted answer has solved your problem, but I'd like to add some comment on the statement:
(*(HTREEITEM *)(prc) = (hitem),
TVM_GETITEMRECT has explained that :
When sending this message, the lParam parameter contains the handle of the item that the rectangle is being retrieved for.
In macro TreeView_GetItemRect, prc will be replaced by _rect, which is allocated in other process. So the program crashed.
For your situation, you can replace the code:
TreeView_GetItemRect(handle, node, _rect, TRUE)
by:
RECT rect, *_rect;
_rect = (RECT*)VirtualAllocEx(process, NULL, sizeof(RECT), MEM_COMMIT, PAGE_READWRITE);
*(HTREEITEM*)&rect = node;
WriteProcessMemory(process, _rect, &rect, sizeof(RECT), NULL);
SendMessage(handle, TVM_GETITEMRECT, true, (LPARAM)_rect);
I wrote a simple test file:
#include "iostream"
using namespace std;
int main(int argc, char const *argv[]) {
char s[512];
while(cin >> s) {
for(int i=0; s[i]; ++i) {
s[i] ^= 32;
}
cout << s << endl;
}
return 0;
}
And in another program, I want to launch it as a child process and communicate with it using pipe.
I use CreatePipe to create two pipe, and use CreateProcess to launch it with the redirected stdio flags.
code for creating pipe:
HANDLE _stdin_rd = NULL;
HANDLE _stdin_wr = NULL;
HANDLE _stdout_rd = NULL;
HANDLE _stdout_wr = NULL;
BOOL br;
SECURITY_ATTRIBUTES sa;
PROCESS_INFORMATION gdb_info; // the process information
void _init() {
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.bInheritHandle = TRUE; // the handles are inheritable
sa.lpSecurityDescriptor = NULL;
// Create stdin pipe.
br = CreatePipe(&_stdin_rd, &_stdin_wr, &sa, NULL);
if(!br) {
cerr << "Can't create stdin pipe." << endl;
abort();
}
// ensure the write handle to the pipe for stdin is not inherited.
br = SetHandleInformation(_stdin_wr, HANDLE_FLAG_INHERIT, 0);
if(!br) {
cerr << "change stdin pipe attr error" << endl;
abort();
}
// Create stdout pipe.
br = CreatePipe(&_stdout_rd, &_stdout_wr, &sa, NULL);
if(!br) {
cerr << "Can't create stdout pipe." << endl;
abort();
}
// ensure the read handle to the pipe for stdout is not inherited.
br = SetHandleInformation(_stdout_rd, HANDLE_FLAG_INHERIT, 0);
if(!br) {
cerr << "change stdout pipe attr error" << endl;
abort();
}
}
void _launch() {
STARTUPINFO si;
ZeroMemory(&si, sizeof(STARTUPINFO));
ZeroMemory(&gdb_info, sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
si.dwFlags |= STARTF_USESTDHANDLES; // so as to enable text pipe
si.hStdInput = _stdin_rd; // redirection
si.hStdOutput = _stdout_wr;
si.hStdError = _stdout_wr;
br = CreateProcess(
NULL,
"test", // command line
NULL, // process security attributes
NULL, // primary thread security attributes
TRUE, // handles are inherited
NULL, // creation flags
NULL, // use parent's environment
NULL, // use parent's current directory
&si, // STARTUPINFO pointer
&gdb_info // receives PROCESS_INFORMATION
);
if(!br) {
cerr << "Can't start test file!" << endl;
abort();
} else {
cout << "test file invoked." << endl
<< "Process " << gdb_info.dwProcessId << endl
<< "Thread " << gdb_info.dwThreadId << endl;
}
}
void test_loop() {
HANDLE console_out = GetStdHandle(STD_OUTPUT_HANDLE);
char buf[512];
DWORD len;
WriteFile(gdb_stdin_wr, "Helloworld", strlen("Helloworld"), &len, NULL);
ReadFile(gdb_stdout_rd, buf, 512, &len, NULL);
WriteFile(console_out, buf, len, &len, NULL);
//
WriteFile(_stdin_wr, "PipeCommuni", strlen("PipeCommuni"), &len, NULL);
ReadFile(_stdout_rd, buf, 512, &len, NULL);
WriteFile(console_out, buf, len, &len, NULL);
//
WriteFile(gdb_stdin_wr, "HAHAhehe", strlen("HAHAhehe"), &len, NULL);
ReadFile(gdb_stdout_rd, buf, 512, &len, NULL);
WriteFile(console_out, buf, len, &len, NULL);
}
The problem is, after I start the program, it launches the test program successfully. But the program just stuck there, no error reported.
If I change the command line "test" into a program like "gdb", then I could receive output from gdb.
Can anyone help me with this problem?