How to get window procedures for windows in other processes

Development environment: Windows XP + vc6+platform SDK or vs.net 2003+

Test environment: Windows XP

Once thought to get a window of the window process is very simple, not just getwindowlong, see how smooth spyxx acquisition. It turned out that it was not so simple. Getting the window process within the process window is really simple, call GetWindowLong (HWND,GWL_WNDPROC) directly (note that depending on whether the window is Unicode, you have to judge to call Getwindowlonga, Or GETWINDOWLONGW, it can be judged by Iswindowunicode, but getwindowlong this function internally checks whether the calling process and the window handle belong to the same process, and if not, simply returns 0.

In this way, we can not modify the GetWindowLong, it is only to find ways to let it think that we and that window is in a process. Recall that Windows core programming says that by creating a remote thread, you can create a new thread within another process, and you can specify the thread function for that thread. Because the addresses between the Windows processes are not visible to each other, we cannot specify the local thread functions, but allocate the memory remotely and write the things we need to do in machine code.

(How does spyxx do it?) It starts with a global hook wh_getmessage, so that almost every program that has a message loop loads its hook DLL so that it can invoke GetWindowLong in the address space of other processes. It would be a bit too wasteful if we were to install a global hook just to get the window process:)

Let's first analyze what our thread functions need to do.

First, you need to call GetWindowLong to get the window of this window process, and then tell us. We can notify our program in a postmessage or postthreadmessage manner. The details are as follows:

//hWndTarget是我们要获取其窗口过程的窗口句柄， 假设 hWndTarget = 0x12345678
//dwThreadId是我们的线程Id　　　　　　　　　　，假设 dwThreadId = 0x5678
LONG wndProc = GetWindowLong(hWndTarget,GWL_WNDPROC);
PostThreadMessage(dwThreadId,WM_MYMESSAGE,(WPARAM)hWndTarget,(LPARAM)wndProc);

Because this time the parameters of the function we already know, so you can directly hard-coded into the program. First look at the Getwindowlonga function prototype:

WINUSERAPI LONG WINAPI GetWindowLongA( HWND hWnd, int nIndex)

A total of two parameters, the assembly code of our Getwindowlonga (HWND,GWL_WNDPROC) function call is probably the same as this (right is the response machine code):

//参数入栈的顺序是从右向左，所以先push nIndex，然后是push hWnd
push 0xFC //6A FC //GWL_WNDPROC的值是-4，写成16进制就是0xFC
push hWndTarget //58 78 56 34 12 //假设 hWndTarget = 0x12345678
call GetWindowLongA //E8 (GetWindowLongA-下一条指令的地址)

The return value of the Getwindowlonga function is in the EAX register, in our Postthreadmessagea function, the window handle is sent with the wparam parameter, and the window process is sent with the LParam parameter, so the push LParam is the push eax