Three Ways to Inject Your Code into Another Process

Introduction

Several password spy tutorials have been posted to The Code Project, but all of them rely on Windows hooks. Is there any other way to make such a utility? Yes, there is. But first, let me review the problem briefly, just to make sure we're all on the same page.

To "read" the contents of any control, whether it belongs to your application or not, you generally send the WM_GETTEXT message to it. This also applies to edit controls, except in one special case: if the edit control belongs to another process and has the ES_PASSWORD style set, the approach fails. Only the process that "owns" the password control can get its contents via WM_GETTEXT. So our problem reduces to the following: how to get

::SendMessage( hPwdEdit, WM_GETTEXT, nMaxChars, psBuffer );

executed in the address space of another process.

In general, there are three ways to solve this problem:

  1. Put your code into a DLL; then map the DLL into the remote process via Windows hooks (SetWindowsHookEx).
  2. Put your code into a DLL and map the DLL into the remote process using the CreateRemoteThread & LoadLibrary technique.
  3. Instead of writing a separate DLL, copy your code into the remote process directly via WriteProcessMemory and start its execution with CreateRemoteThread. Because the copied code runs at a different address and without an import table of its own, it must be position-independent and cannot reach functions or static data through absolute addresses. The original article links to a detailed description of this technique.