Its not working, i'm testing it on notepad. What I do is do a global dll injection with my first temporary dll, this dll will go through all the hwnds through the WH_CBT hook and try to find my targets window title, and then if I found it I inject my second real dll and unhook my hook.

This is my console:

[code]
#include <windows.h>
#include <iostream>

using namespace std;

void main()
{ 
 HMODULE hDll = LoadLibraryA("C:\\...\\...\\Documents\\Visual Studio 2008\\Projects\\SetWindowsHookEx\\Debug\\System.dll");
 HOOKPROC GetCBT = (HOOKPROC) GetProcAddress(hDll, "CBTProc");
 HHOOK Hook = SetWindowsHookEx(WH_CBT, GetCBT, hDll, 0); 
 system("PAUSE");
}
[/code]

This is my Dll:

[code]
#include <windows.h>
#include <iostream>

using namespace std;

BOOL WINAPI DllMain(HINSTANCE hinstDll, DWORD fdwReason, LPVOID lpReserved)
{
 return TRUE;
}

LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam)
{ 
 if (nCode == HCBT_ACTIVATE)
 {  
  HWND hWnd = (HWND) wParam;
  char Title[500] = {0};
  GetWindowTextA(hWnd, (LPSTR) Title, MAX_PATH);
    
  if ((LPSTR) Title == "Untitled - Notepad")
  {
   LoadLibraryA("MyDll");
   UnhookWindowsHookEx(0);
  }
 }

 return CallNextHookEx(0, nCode, wParam, lParam);
}
[/code]

Please help, this wont work, I keep clicking on Notepad when the dll is injected to try and get my WH_CBT callback to work.

Taking just a quick cursory glance at this code --

 

if ((LPSTR) Title == "Untitled - Notepad")

 

C-strings are not compared with the == operator. With Win32 using StrCmp - http://msdn.microsoft.com/en-us/library/bb759938%28VS.85%29.aspx would be the correct way to compare the two values.

{ LoadLibraryA("MyDll"); UnhookWindowsHookEx(0); }

 

If you're injecting a DLL with SetWindowsHookEx then your DLL will be in the address space of the process with the PID supplied as the dwThreadId (0 for all processes as you're trying to do) so there's no need to load an additional library. Also, you're trying to unhook a hook that doesn't exist. UnhookWindowsHookEx takes a HHOOK parameter that was obtained through calling SetWindowsHookEx -- what you're doing doesn't do anything and the function will always fail. Lastly, since you're intercepting the HCBT_ACTIVATE message, this code will also be executed each time you're about to activate a window. Since you're injecting this DLL into every process you'll be hitting this code a lot from lots of different address spaces.

 

On the next topic, when you do

HOOKPROC GetCBT = (HOOKPROC) GetProcAddress(hDll, "CBTProc");

GetProcAddress will always fail. This is because you're not exporting the CBTProc function in your DLL. Exporting functions from a DLL is done by using __declspec(dllexport) and/or a .def file. You can read about these things here -- http://msdn.microsoft.com/en-us/library/a90k134d%28VS.80%29.aspx and here http://msdn.microsoft.com/en-us/library/d91k01sh%28VS.80%29.aspx.

Lastly, a more unknown issue would be the name mangling of your function. Even if you export the function it won't be exported as "CBTProc" but closer to something like "_CBTProc@12", @12 being for the arguments passed in (4 * 3). This is compiler dependent and others may export it differently depending on what you're using. This can be prevented by

... pragmas / includes / preprocessor directives #ifdef __cplusplus extern "C" { #endif ... your code here } #ifdef __cplusplus } #endif

in combination with an exports definition file if your calling convention is __stdcall.

 

For example

 

#include <windows.h> #ifdef __cplusplus extern "C" { #endif BOOL WINAPI DllMain(HINSTANCE hinstDll, DWORD fdwReason, LPVOID lpReserved) { switch(fdwReason){ case DLL_PROCESS_ATTACH: case DLL_PROCESS_DETACH: case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: break; } return TRUE; } __declspec(dllexport) void __stdcall printMessage(const wchar_t* message) { MessageBox(NULL, L"printMessage successfully called", L"Yay", MB_OK); } #ifdef __cplusplus } #endif

With an Exports.def file containing

EXPORTS printMessage

will export an unmangled version of the printMessage function.

This can be verified quickly with testing

#include <windows.h> #include <iostream> using std::cout; typedef void* (__stdcall* dllFuncPtr)(const wchar_t*); int main(void) { HMODULE hDLL = LoadLibrary(L"TestDll.dll"); if(hDLL != NULL) { dllFuncPtr dllPrint = (dllFuncPtr) GetProcAddress(hDLL, "printMessage"); if(dllPrint != NULL) dllPrint(L"Hello World!"); else cout<<"Couldn't export the function\n"; } else cout<<"Couldn't load the DLL\n"; return 0; }

A few minor notes

In your DLL:

#include <iostream> using namespace std;

You don't need this as you're not using any I/O routines.

In your application:

void main()

The C and C++ standards both state that main should be one of

int main(void) int main(int argc, char **argv)

A successful return value is 0.

system("PAUSE");

Using two cin.get(); statements works equally well and doesn't rely on a system call.

The SetWindowsHookEx method of DLL injection is pretty poor. Hooks in general are detected easily, but you're also injecting this into every process on the system. At the very least you can GetWindowThreadProcessId to obtain the PID for the window that you want to inject to (or CreateToolhelp32Snapshot -> Process32First -> (Process32Next in a loop) if the process has no windows).

I'd first suggest actually learning C (or C++) before diving into the Windows API. Hopefully you'll read this and actually understand some of what was said and follow up on anything that wasn't made clear. I haven't actually compiled your code so there may be some more syntaxtical issues that I didn't spot but at least you're trying from the looks of it instead of blindly ripping off DLL injection code from somewhere.

Last modified by boringwall on November 20, 2009, 1:45 am

I did make a .def file to export my functions, I also used StrCmp and it also didn't help.

 

if {(StrCmp((LPCTSTR) Title, (LPCTSTR) "Untitled - Notepad") = 0) { // worked } else { // failed }

1. Check that the function is being exported, and if it is check to see that it's name is unmangled.

2. You've got an extra brace before your "if" expression

3. You're not checking the return of StrCmp properly.