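/* Inspect a ToolbarWindow32 control owned by another process.
 * For every button:
 *   1. fetch the TBBUTTON (gives the command id),
 *   2. fetch the button text for that command id,
 *   3. fetch the TBBUTTONINFO for that command id.
 * The toolbar fills buffers in ITS OWN address space, so each request goes
 * through one scratch block allocated inside the target process.
 * NOTE(review): TBBUTTON/TBBUTTONINFO contain pointer-sized members, so this
 * only lines up when both processes have the same bitness -- confirm.
 */
if (_tcscmp(v_cname, TEXT("ToolbarWindow32")) == 0)
{
    const SIZE_T kRemoteSize = 4096; // size of the scratch block in the target
    int count = (int)i_pwnd->SendMessage(TB_BUTTONCOUNT, 0, 0);
    HWND hWnd = i_pwnd->m_hWnd;
    DWORD dwProcessID = 0;
    GetWindowThreadProcessId(hWnd, &dwProcessID);

    // Least privilege: only the VM rights used below are requested instead of
    // PROCESS_ALL_ACCESS, so a leaked handle cannot terminate or inject threads.
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                                  FALSE, dwProcessID);
    if (hProcess == NULL)
    {
        cout << "打开进程失败!" << endl;
        exit(-1);
    }

    PVOID lpAddress = VirtualAllocEx(hProcess, NULL, kRemoteSize, MEM_COMMIT, PAGE_READWRITE);
    // A failed allocation skips the loop instead of passing NULL to the target.
    for (int idx = 0; (lpAddress != NULL) && (idx < count); idx++)
    {
        // --- 1. TBBUTTON ---------------------------------------------------
        TBBUTTON tb;
        memset(&tb, 0, sizeof(tb));
        if (!WriteProcessMemory(hProcess, lpAddress, &tb, sizeof(tb), NULL)) { continue; }
        // LPARAM is pointer-sized; the old (LONG) cast truncated 64-bit addresses.
        if (!SendMessage(hWnd, TB_GETBUTTON, idx, (LPARAM)lpAddress)) { continue; }
        if (!ReadProcessMemory(hProcess, lpAddress, &tb, sizeof(tb), NULL)) { continue; }

        // --- 2. Button text ------------------------------------------------
        // TB_GETBUTTONTEXT carries no buffer size. Asking with a NULL buffer
        // first returns the length, so the copy is requested only when it fits
        // both the local buffer and the remote scratch block.
        char buffer[200] = {0};
        LRESULT textLen = SendMessage(hWnd, TB_GETBUTTONTEXTA, (WPARAM)tb.idCommand, 0);
        if ((textLen >= 0) && ((SIZE_T)textLen < sizeof(buffer)))
        {
            WriteProcessMemory(hProcess, lpAddress, buffer, sizeof(buffer), NULL);
            SendMessage(hWnd, TB_GETBUTTONTEXTA, (WPARAM)tb.idCommand, (LPARAM)lpAddress);
            // Leave the last byte untouched so the text stays NUL-terminated.
            ReadProcessMemory(hProcess, lpAddress, buffer, sizeof(buffer) - 1, NULL);
        }

        // --- 3. TBBUTTONINFO -----------------------------------------------
        TBBUTTONINFO tbi;
        memset(&tbi, 0, sizeof(tbi));
        tbi.cbSize = sizeof(tbi);
        tbi.dwMask = TBIF_COMMAND;
        if (WriteProcessMemory(hProcess, lpAddress, &tbi, sizeof(tbi), NULL))
        {
            // The original author reports -1 from this message although the two
            // messages above succeed. NOTE(review): cbSize is checked by the
            // control, so a bitness mismatch with the target is one thing to
            // rule out -- confirm.
            LRESULT infoIdx = SendMessage(hWnd, TB_GETBUTTONINFO,
                                          (WPARAM)tb.idCommand, (LPARAM)lpAddress);
            if (infoIdx != -1)
            {
                // Read exactly sizeof(tbi): the old sizeof(buffer) copied 200
                // bytes into the much smaller struct and smashed the stack.
                ReadProcessMemory(hProcess, lpAddress, &tbi, sizeof(tbi), NULL);
            }
        }
    }

    // MEM_RELEASE requires a size of 0; release the scratch block and the handle
    // so repeated scans do not leak memory inside the target process.
    if (lpAddress != NULL) { VirtualFreeEx(hProcess, lpAddress, 0, MEM_RELEASE); }
    CloseHandle(hProcess);
}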
// TravFormVc.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "TravFormVc.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
// The one and only application object
CWinApp theApp;
using namespace std;
// Forward declaration of a free function with this signature.
// NOTE(review): the only definition visible here is the member
// CCommon::EnumTrayWindow -- confirm a free-function definition exists.
size_t EnumTrayWindow(HWND hWnd, DWORD* pProcessId, size_t nCount);
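/// Console entry point: initialises MFC, locates the toolbar of the help
/// viewer window titled "新编WIN32API大全" and prints the text of each of its
/// buttons.
///
/// @return 0 on success or when the window is not found, 1 when MFC
///         initialisation fails.
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    int nRetCode = 0;
    // Initialise MFC and report an error on failure.
    if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
    {
        // TODO: change the error code to suit your needs
        _tprintf(_T("错误: MFC 初始化失败\n"));
        nRetCode = 1;
        return nRetCode;
    }

    /* Open a .chm file and scan its Hide / Print / Options toolbar buttons. */
    HWND hwnd = FindWindow(NULL, TEXT("新编WIN32API大全"));
    HWND hchild = (hwnd != NULL) ? FindWindowEx(hwnd, NULL, TEXT("ToolbarWindow32"), NULL) : NULL;
    if (hchild == NULL)
    {
        // No toolbar child: nothing to scan, and no NULL HWND gets messaged.
        return nRetCode;
    }

    DWORD dwProccessId = 0;
    if (!GetWindowThreadProcessId(hchild, &dwProccessId) || (dwProccessId == 0))
    {
        return nRetCode;
    }

    // Only the VM rights needed for the scratch buffer are requested.
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                                  FALSE, dwProccessId);
    if (hProcess == NULL)
    {
        return nRetCode;
    }

    // One remote scratch block, big enough for a TBBUTTON or MAX_PATH characters.
    const SIZE_T cbText = MAX_PATH * sizeof(TCHAR);
    const SIZE_T cbRemote = (sizeof(TBBUTTON) > cbText) ? sizeof(TBBUTTON) : cbText;
    PVOID pBuffer = VirtualAllocEx(hProcess, NULL, cbRemote, MEM_COMMIT, PAGE_READWRITE);

    int nTBCount = (int)SendMessage(hchild, TB_BUTTONCOUNT, 0, 0);
    for (int i = 0; (pBuffer != NULL) && (i < nTBCount); ++i)
    {
        TBBUTTON tbi = { 0 };
        if (!SendMessage(hchild, TB_GETBUTTON, i, (LPARAM)pBuffer)
            || !ReadProcessMemory(hProcess, pBuffer, &tbi, sizeof(TBBUTTON), NULL))
        {
            continue;
        }

        // The earlier version dereferenced tbi.dwData as a TRAYDATA pointer and
        // tbi.iString as a string pointer, and both reads failed with error 299.
        // dwData is application-defined and iString may be a string index rather
        // than a pointer, so neither is a safe remote address for an arbitrary
        // toolbar. NOTE(review): the TRAYDATA layout presumably applies only to
        // the shell's notification-area toolbar -- confirm. The text is instead
        // requested from the control by command id.
        //
        // TB_GETBUTTONTEXT has no size argument: query the length with a NULL
        // buffer first and only request the copy when it fits the scratch block.
        LRESULT nLen = SendMessage(hchild, TB_GETBUTTONTEXT, (WPARAM)tbi.idCommand, 0);
        if ((nLen < 0) || ((SIZE_T)nLen >= MAX_PATH))
        {
            continue; // no text (e.g. a separator) or too long for the buffer
        }

        TCHAR szText[MAX_PATH] = { 0 };
        if (SendMessage(hchild, TB_GETBUTTONTEXT, (WPARAM)tbi.idCommand, (LPARAM)pBuffer) < 0)
        {
            continue;
        }
        if (!ReadProcessMemory(hProcess, pBuffer, szText, ((SIZE_T)nLen + 1) * sizeof(TCHAR), NULL))
        {
            cout << GetLastError() << endl;
            continue;
        }
        szText[MAX_PATH - 1] = 0; // never print an unterminated remote string
        wcout << szText << endl;
    }

    // MEM_RELEASE requires a size of 0. Free the remote block and close the
    // handle so nothing is left behind in the target process.
    if (pBuffer != NULL) { VirtualFreeEx(hProcess, pBuffer, 0, MEM_RELEASE); }
    CloseHandle(hProcess);
    return nRetCode;
}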
/// Reports whether dwProcessId is among the process ids that EnumTrayWindow
/// collects from the normal and the overflow tray toolbars.
///
/// @param dwProcessId  Process id to look for; 0 is rejected immediately.
/// @return TRUE when the id was collected from either toolbar, otherwise FALSE.
BOOL CCommon::TrayIsValid(DWORD dwProcessId)
{
    if (0 == dwProcessId) { return FALSE; }

#define DEFAULT_MAX_PROCESS_COUNT (64)
    DWORD* pidList = new DWORD[DEFAULT_MAX_PROCESS_COUNT];
    ASSERT(NULL != pidList);
    if (NULL == pidList) { return FALSE; }
    // Zero-filled so unused slots can never equal a (non-zero) process id.
    memset(pidList, 0, sizeof(DWORD) * DEFAULT_MAX_PROCESS_COUNT);

    // Normal tray toolbar first, then the overflow toolbar appended behind it.
    size_t found = EnumTrayWindow(FindTrayWindow(FALSE), pidList, DEFAULT_MAX_PROCESS_COUNT);
    found += EnumTrayWindow(FindTrayWindow(TRUE), pidList + found, DEFAULT_MAX_PROCESS_COUNT - found);

    const size_t limit = min(found, DEFAULT_MAX_PROCESS_COUNT);
    BOOL matched = FALSE;
    for (size_t k = 0; (k != limit) && !matched; ++k)
    {
        if (pidList[k] == dwProcessId) { matched = TRUE; }
    }

    delete[] pidList;
    return matched;
}
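/// Collects the distinct owner process ids of the buttons in a tray toolbar.
///
/// Each TBBUTTON is fetched through a scratch buffer allocated inside the
/// process that owns hWnd; tbi.dwData is then read as a TRAYDATA record and the
/// owner of TRAYDATA::hwnd is stored.
/// NOTE(review): TRAYDATA is declared locally and TBBUTTON holds pointer-sized
/// members, so the layout presumably only matches when this process and the
/// target have the same bitness -- confirm.
///
/// @param hWnd        Toolbar window to enumerate; NULL yields 0.
/// @param pProcessId  Output array receiving the process ids.
/// @param nCount      Capacity of pProcessId in elements.
/// @return Number of ids written to pProcessId (at most nCount).
size_t CCommon::EnumTrayWindow(HWND hWnd, DWORD* pProcessId, size_t nCount)
{
    typedef struct _tagTRAYDATA
    {
        HWND hwnd;
        UINT uID;
        UINT uCallbackMessage;
        DWORD Reserved[2];
        HICON hIcon;
    }TRAYDATA, *PTRAYDATA;

    size_t nIndex = 0;
    HANDLE hProcess = NULL;
    PVOID pBuffer = NULL;
    do
    {
        if (NULL == hWnd) { break; }
        if ((NULL == pProcessId) || (0 == nCount)) { break; }

        // Get HWND Process ID
        DWORD dwProccessId = 0;
        if (0 == GetWindowThreadProcessId(hWnd, &dwProccessId) || (0 == dwProccessId)) { break; }

        // Open the owner with only the VM rights used below.
        hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, dwProccessId);
        if (NULL == hProcess) { break; }

        int nTBCount = (int)SendMessage(hWnd, TB_BUTTONCOUNT, 0, 0);
        if (nTBCount <= 0) { break; }

        // Scratch buffer inside the target process for TB_GETBUTTON.
        pBuffer = VirtualAllocEx(hProcess, NULL, sizeof(TBBUTTON), MEM_COMMIT, PAGE_READWRITE);
        if (NULL == pBuffer) { break; }

        for (int i = 0; (i != nTBCount) && (nIndex != nCount); ++i)
        {
            // A failed TB_GETBUTTON leaves the previous button in the scratch
            // buffer, so skip rather than process stale data.
            if (!SendMessage(hWnd, TB_GETBUTTON, i, (LPARAM)pBuffer)) { continue; }

            TBBUTTON tbi = { 0 };
            if (!ReadProcessMemory(hProcess, pBuffer, &tbi, sizeof(TBBUTTON), NULL))
            {
                continue;
            }

            TRAYDATA data = { 0 };
            if (!ReadProcessMemory(hProcess, (LPCVOID)tbi.dwData, &data, sizeof(TRAYDATA), NULL))
            {
                continue;
            }

            // The text is used only by the debug trace below, so a failed read
            // no longer aborts the enumeration. The fixed-size read can fail or
            // come back without a terminator, so the buffer is cleared or
            // terminated before it reaches a %s format.
            TCHAR szText[MAX_PATH] = { 0 };
            if (!ReadProcessMemory(hProcess, (LPCVOID)tbi.iString, szText, sizeof(szText), NULL))
            {
                szText[0] = 0;
            }
            szText[MAX_PATH - 1] = 0;

            // data.hwnd was read from another process; the call below returns 0
            // for a handle that is not a valid window, which filters bad values.
            if (0 != GetWindowThreadProcessId(data.hwnd, &dwProccessId)
                && (0 != dwProccessId))
            {
#ifdef _DEBUG
                TRACE(TEXT("[%u] - %s\n"), dwProccessId, szText);
#endif
                // Compare only against ids written so far, so the result does
                // not depend on the caller having zero-filled the array.
                BOOL bExist = FALSE;
                for (size_t j = 0; j != nIndex; ++j)
                {
                    if (dwProccessId == pProcessId[j]) { bExist = TRUE; break; }
                }
                if (!bExist) { pProcessId[nIndex++] = dwProccessId; }
            }
        }
        // Completed
    } while (0);

    // MEM_RELEASE requires dwSize == 0; the old sizeof(pBuffer) made the call
    // fail and leaked a page in the target process on every enumeration.
    if (NULL != pBuffer) { VirtualFreeEx(hProcess, pBuffer, 0, MEM_RELEASE); }
    if (NULL != hProcess) { CloseHandle(hProcess); hProcess = NULL; }
    return nIndex;
}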
/// Locates the ToolbarWindow32 that hosts tray icons.
///
/// @param bOverflowNotifyIcon  Non-zero selects the toolbar under
///        NotifyIconOverflowWindow; zero walks Shell_TrayWnd -> TrayNotifyWnd
///        -> SysPager -> ToolbarWindow32.
/// @return The toolbar window, or NULL when any window in the chain is missing.
HWND CCommon::FindTrayWindow(BOOL bOverflowNotifyIcon)
{
    if (bOverflowNotifyIcon)
    {
        HWND hOverflow = FindWindow(TEXT("NotifyIconOverflowWindow"), NULL);
        if (NULL == hOverflow) { return NULL; }
        return FindWindowEx(hOverflow, NULL, TEXT("ToolbarWindow32"), NULL);
    }

    // Child window classes to descend through, outermost first.
    LPCTSTR childClasses[] =
    {
        TEXT("TrayNotifyWnd"),
        TEXT("SysPager"),
        TEXT("ToolbarWindow32"),
    };
    const size_t depth = sizeof(childClasses) / sizeof(childClasses[0]);

    HWND hCurrent = FindWindow(TEXT("Shell_TrayWnd"), NULL);
    for (size_t level = 0; (NULL != hCurrent) && (level != depth); ++level)
    {
        hCurrent = FindWindowEx(hCurrent, NULL, childClasses[level], NULL);
    }
    return hCurrent;
}
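/// Prints the caption of every tab in a SysTabControl32 that belongs to
/// another process.
///
/// A TCITEMW and a text buffer are allocated inside the owning process, because
/// the control writes through the pszText pointer in its own address space.
/// NOTE(review): TCITEMW contains pointer-sized members, so this presumably
/// requires the same bitness in both processes -- confirm.
///
/// @param i_pwnd  Wrapper for the tab control window; its m_hWnd is used.
void ParseSysTabControl32(CWnd* i_pwnd)
{
    const int kMaxChars = 256;                             // capacity in characters
    const SIZE_T kTextBytes = kMaxChars * sizeof(WCHAR);   // same capacity in bytes

    int count = (int)i_pwnd->SendMessage(TCM_GETITEMCOUNT, 0, 0);
    HWND hWnd = i_pwnd->m_hWnd;
    DWORD dwProcessID = 0;
    GetWindowThreadProcessId(hWnd, &dwProcessID);

    // Only the VM rights used below are requested rather than PROCESS_ALL_ACCESS.
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                                  FALSE, dwProcessID);
    if (hProcess == NULL) { return; }

    TCITEMW* lpAddress = (TCITEMW*)VirtualAllocEx(hProcess, NULL, sizeof(TCITEMW), MEM_COMMIT, PAGE_READWRITE);
    // cchTextMax is a character count and TCM_GETITEMW writes wide characters,
    // so the remote buffer is sized in bytes to match (the old 256-byte request
    // was half of what cchTextMax advertised).
    WCHAR* pItemTitle = (WCHAR*)VirtualAllocEx(hProcess, NULL, kTextBytes, MEM_COMMIT, PAGE_READWRITE);

    for (int idx = 0; (lpAddress != NULL) && (pItemTitle != NULL) && (idx < count); idx++)
    {
        WCHAR buff[kMaxChars] = {0};
        TCITEMW tci;
        memset(&tci, 0, sizeof(tci));
        tci.mask = TCIF_TEXT;
        tci.pszText = pItemTitle;   // address is valid in the target, not here
        tci.cchTextMax = kMaxChars;

        if (!WriteProcessMemory(hProcess, lpAddress, &tci, sizeof(tci), NULL)) { continue; }
        // A failed request would leave the previous caption in the remote buffer.
        if (!SendMessage(hWnd, TCM_GETITEMW, (WPARAM)idx, (LPARAM)lpAddress)) { continue; }
        // Copy all but the last element so buff is always NUL-terminated.
        if (!ReadProcessMemory(hProcess, pItemTitle, buff, sizeof(buff) - sizeof(WCHAR), NULL)) { continue; }
        wcout << buff << endl;
    }

    // MEM_RELEASE requires a size of 0; a non-zero size makes the call fail and
    // leaves the pages allocated in the target process.
    if (lpAddress != NULL) { VirtualFreeEx(hProcess, lpAddress, 0, MEM_RELEASE); }
    if (pItemTitle != NULL) { VirtualFreeEx(hProcess, pItemTitle, 0, MEM_RELEASE); }
    CloseHandle(hProcess);
}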