Three Ways to Inject Your Code into Another Process

• Download entire package - 180 Kb
• Download WinSpy - 20 Kb (demo application)

Contents

• Introduction
• Windows Hooks
• The CreateRemoteThread & LoadLibrary Technique
  • Interprocess Communications
• The CreateRemoteThread & WriteProcessMemory Technique
  • How to Subclass a Remote Control With this Technique
  • When to Use this Technique
• Some Final Words
• Appendixes
• References
• Article History

Introduction

Several password spy tutorials have been posted to The Code Project, but all of them rely on Windows hooks. Is there any other way to make such a utility? Yes, there is. But first, let me review the problem briefly, just to make sure we're all on the same page.

To "read" the contents of any control - either belonging to your application or not - you generally send the WM_GETTEXT message to it. This also applies to edit controls, except in one special case. If the edit control belongs to another process and the ES_PASSWORD style is set, this approach fails. Only the process that "owns" the password control can get its contents via WM_GETTEXT. So, our problem reduces to the following: How to get

 Collapse

::SendMessage( hPwdEdit, WM_GETTEXT, nMaxChars, psBuffer );

executed in the address space of another process.

In general, there are three possibilities to solve this problem:

1. Put your code into a DLL; then, map the DLL to the remote process via windows hooks.
2. Put your code into a DLL and map the DLL to the remote process using the CreateRemoteThread & LoadLibrary technique.
3. Instead of writing a separate DLL, copy your code to the remote process directly - via WriteProcessMemory - and start its execution withCreateRemoteThread. A detailed description of this technique can be found here.

for more information:  http://www.codeproject.com/KB/threads/winspy.aspx?df=100&forumid=16291&select=1025152&msg=1025152