- Download entire package - 180 Kb
- Download WinSpy - 20 Kb (demo application)
Contents
- Introduction
- Windows Hooks
- The CreateRemoteThread & LoadLibrary Technique
- The CreateRemoteThread & WriteProcessMemory Technique
- Some Final Words
- Appendixes
- References
- Article History
Introduction
Several password spy tutorials have been posted to The Code Project, but all of them rely on Windows hooks. Is there any other way to make such a utility? Yes, there is. But first, let me review the problem briefly, just to make sure we're all on the same page.
To "read" the contents of any control - either belonging to your application or not - you generally send the WM_GETTEXT message to it. This also applies to edit controls, except in one special case. If the edit control belongs to another process and the ES_PASSWORD style is set, this approach fails. Only the process that "owns" the password control can get its contents via WM_GETTEXT. So, our problem reduces to the following: how to get
::SendMessage( hPwdEdit, WM_GETTEXT, nMaxChars, psBuffer );
executed in the address space of another process.
In general, there are three possibilities to solve this problem:
- Put your code into a DLL; then, map the DLL to the remote process via Windows hooks.
- Put your code into a DLL and map the DLL to the remote process using the CreateRemoteThread & LoadLibrary technique.
- Instead of writing a separate DLL, copy your code to the remote process directly via WriteProcessMemory and start its execution with CreateRemoteThread. A detailed description of this technique can be found here.