
Ryuu99

Forum Replies Created

Viewing 9 posts - 1 through 9 (of 9 total)
    #188469
    Ryuu99
    Member

    My code works fine, but I want to understand your method.

    BOOL Inject(HWND hTarget, LPTSTR dll)

    hTarget is the parent window or the child, and your const MAXWAIT is how many milliseconds.

    And how can I call my function in my dll, like my code on top, after the dll is injected?

    thanks in advance

    I just reread what I typed earlier and it probably seemed rather confusing… so allow me to just answer your questions in order.

    hTarget is the target window handle that you want to inject your code into (it’s a thread-specific hook). My const MAXWAIT is 10 seconds (10000 milliseconds), but it never takes that long; that’s just an indication that the call failed miserably. With that injection method, you cannot make calls to exported functions in the dll. You have no form of communication whatsoever.

    #188470
    Ryuu99
    Member

    As of now, I am no longer using my method to inject the dll. I am now using a CBT hook (similar to your method). The difference between the hooking method and my previously written method is that in my previous method, there was no contact ever made between the injector and the injectee (is that a word? haha). Basically I allocated memory in the target process and wrote the LoadLibrary parameter in the allocated memory. Then I get the proc address of LoadLibrary in MY OWN thread (windows ALWAYS loads the kernel library in every process at the same address). I then tell the target process to create a new thread, where the new thread’s entry point is LoadLibrary, and LoadLibrary’s parameter (the dll to load) is a pointer to the memory I had written to the process earlier. I then wait a maximum of X seconds for the LoadLibrary call to finish and the dll to attach.

    There is NO communication between the ‘server’ application and the injected dll with that method. The positive side of it is that it doesn’t require hooking either. I am using a CBT hook now so that I could see when Paltalk was activating new windows.

    #188472
    Ryuu99
    Member

    The following code is in C++... someone should be able to convert it, though. This is a snippet example of how to use EM_STREAMOUT.

    The following function injects my dll into the target window’s thread.


    #include <windows.h>
    #include <string.h>

    // Maximum time to wait for the remote LoadLibrary call (10 s); timing out means the injection failed
    const DWORD MAXWAIT = 10000;

    BOOL Inject(HWND hTarget, LPCSTR dll)
    {
        DWORD procID = 0;
        if (!GetWindowThreadProcessId(hTarget, &procID) || procID == 0)
            return FALSE;

        // Find the address of the LoadLibraryA api (the ANSI variant, since we write an ANSI path)
        HMODULE hLocKernel32 = GetModuleHandleA("Kernel32");
        FARPROC hLocLoadLibrary = GetProcAddress(hLocKernel32, "LoadLibraryA");
        if (!hLocLoadLibrary)
            return FALSE;

        // Adjust token privileges to open system processes (only takes effect if the account holds SeDebugPrivilege)
        HANDLE hToken;
        TOKEN_PRIVILEGES tkp;
        if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        {
            LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid);
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL);
            CloseHandle(hToken);
        }

        // Open the process with all access
        HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
        if (!hProc)
        {
            MessageBoxA(NULL, "Failed to open target process!", "", MB_OK);
            return FALSE;
        }

        // Allocate memory to hold the path to the dll file in the target process (size includes the null terminator)
        SIZE_T len = strlen(dll) + 1;
        LPVOID hRemoteMem = VirtualAllocEx(hProc, NULL, len, MEM_COMMIT, PAGE_READWRITE);
        if (!hRemoteMem)
        {
            CloseHandle(hProc);
            return FALSE;
        }

        // Write the path to the dll file into the location just created
        SIZE_T numBytesWritten = 0;
        BOOL res = FALSE;
        if (WriteProcessMemory(hProc, hRemoteMem, dll, len, &numBytesWritten) && numBytesWritten == len)
        {
            // Create a remote thread that begins at LoadLibraryA and is passed our remote memory pointer as its argument
            HANDLE hRemoteThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)hLocLoadLibrary, hRemoteMem, 0, NULL);
            if (hRemoteThread)
            {
                // Wait for LoadLibrary to return; the thread's exit code is LoadLibrary's return value
                // (the HMODULE truncated to 32 bits), so non-zero means the dll actually loaded
                DWORD exitCode = 0;
                if (WaitForSingleObject(hRemoteThread, MAXWAIT) == WAIT_OBJECT_0 && GetExitCodeThread(hRemoteThread, &exitCode))
                    res = (exitCode != 0);
                CloseHandle(hRemoteThread);
            }
            else
                MessageBoxA(NULL, "Failed to create remote thread!", "", MB_OK);
        }

        // Free the memory allocated in the other process (MEM_RELEASE requires a size of 0)
        VirtualFreeEx(hProc, hRemoteMem, 0, MEM_RELEASE);

        // Release the handle to the other process
        CloseHandle(hProc);

        return res;
    }

    After the dll is injected, you can use EM_STREAMOUT within the dll. You may also use other methods to inject the dll (hooks, etc.). The following is an example:

    The Callback Function:


    #include <windows.h>
    #include <richedit.h>
    #include <string>

    DWORD CALLBACK MyCallback(DWORD_PTR dwCookie, LPBYTE pbBuff, LONG cb, LONG *pcb)
    {
        // cb is the number of bytes you need to read
        // pcb needs to be set to the number of bytes you actually read
        // pbBuff is a pointer to the buffer that contains the RTF data
        // dwCookie is the same value that you passed with the SendMessage call (here, a pointer to our std::string)

        std::string *rtf = (std::string *)dwCookie;
        if (cb > 0)
            rtf->append((const char *)pbBuff, cb);

        // If you read all the data, use *pcb = cb
        // If you read, say 10 bytes, use *pcb = 10
        *pcb = cb;

        return 0; // Return 0 to indicate success, non-zero for error
    }

    The Call


    std::string ReadRtf(HWND hTargetRichEditBox)
    {
        std::string rtf; // Filled by MyCallback, one chunk per call

        EDITSTREAM es;
        es.dwCookie = (DWORD_PTR)&rtf; // App-defined data that is handed to the callback; here a pointer to our buffer
        es.dwError = 0;                // Set by the control to the last error that occurred; 0 means success
        es.pfnCallback = MyCallback;

        SendMessage(hTargetRichEditBox, EM_STREAMOUT, SF_RTF, (LPARAM)&es);
        return rtf;
    }

    Note the following:

    The control calls the callback function repeatedly, transferring a portion of the data with each call. The control continues to call the callback function until one of the following conditions occurs:

    * The callback function returns a nonzero value.
    * The callback function returns zero in the *pcb parameter.
    * An error occurs that prevents the rich edit control from transferring data into or out of itself. Examples are out-of-memory situations, failure of a system function, or an invalid character in the read buffer.

    That means your callback function will be called at minimum TWICE. Be prepared for reading NO data and returning 0, lol.

    #188473
    Ryuu99
    Member

    @Departure wrote:

    What do you mean, anyone daring to subclass??

    All the paltalk programs on here are made because of subclassing down to the richedit box; that’s what every single pal app is based on (subclassing).

    On the contrary, most programs I have seen here worked strictly through SendMessage/PostMessage commands. Subclassing requires being in the same address space as the application, and I haven’t seen much code injection going on here.

    It’s true that for a lot of applications dealing with Paltalk, dll injection isn’t necessary, or even worth the performance loss. It isn’t so much subclassing that causes the performance drop, but using hooks can slow it down a bit. I decided to go the injection/subclassing route because of two things: a) I wanted to modify the toolbar in chat/IM windows to replace the standard font dialog with my own, and b) I wanted to implement the color fading utilizing the rich edit control already provided by Paltalk, and subclassing made it MUCH faster and cleaner to write.

    #188478
    Ryuu99
    Member

    Alright, I trashed my other project and am currently working on a new one. This project consists of a loader application (basically sits in the taskbar looking for paltalk applications, and hooks them when it finds them).

    The loaded dll then monitors the creation of new windows, and if a window is detected to be an IM session or chat room, it subclasses the editbox and formats the text for yet ANOTHER fader... My fader is pretty cool, however; it’s a lot like Yahoo IM’s color fader (multiple colors).

    Anyway, I still have to create the loader and set up the hook (right now it just directly injects the dlls via WriteProcessMemory/LoadModule), but once I do I’ll post my complete source for it! 🙂

    Oh, and for anyone who’s daring enough to try subclassing the editbox and/or toolbar in any chat window, you MUST MUST MUST subclass their parent window as well, and when you receive a WM_DESTROY message, remove the child subclassing immediately or Paltalk WILL crash. I’m not entirely sure why this occurs, but it probably has something to do with their richeditbox code being in a separate dll; not sure, don’t care, lol.

    #188594
    Ryuu99
    Member

    This is a good article to get you started… It’s written for C++ but it will at least teach you the concepts required.

    (Edit: Basically, you can use a windows hook on WH_GETMESSAGE and then use SetWindowLong to set the message proc to your own. You MUST subclass from within the Paltalk process – hence the necessary hook. I don’t know much about VB, so I have no idea if a) you can compile shared memory segments, and b) if it’s possible to dll inject.)

    Good luck 🙂

    #190987
    Ryuu99
    Member

    Hmm, you’re right, this is a great idea! I’ll try to work on this one too, hehe.

    #188483
    Ryuu99
    Member

    I’ve just successfully called the EM_STREAMOUT message! It works beautifully with giving the full RTF formatting. My code at the moment is extremely sloppy, but after a few days I’ll rewrite it to make it a little prettier… This is the first time I’ve tried a) working with hooks and b) doing anything with paltalk, but I’m pretty happy with the results so far.

    The app I’m making is a simple greeter (I know, done to death hehe) that accomplishes the following tasks:

    1) Injects a dll into the first paltalk chat room thread that it finds
    2) Subclasses the SysListView32 control and monitors LVM_SETITEM messages for whenever they are setting text to subitem 2 (tells me a new person has entered the room and gets the name it’s adding to the list)
    3) The dll is then sent a user-defined message to send EM_STREAMOUT to grab the text that’s currently in the edit control containing text that will be sent (in order to restore text that the user has already typed)

    The next steps that need to be written will be

    4) Replace the text via EM_STREAMIN with the (now RTF formatted hehe) message I want to send

    5) Send the message

    6) Restore the text the user had typed

    Now, as for whether or not this can be programmed in VB, I have no idea... I’m writing mine in C++. One thing I should mention: you have to be REALLY careful when subclassing another process’s control so you don’t crash Paltalk. If you want the source when it’s finished, lemme know and maybe someone could find a way to port it into VB. ^_~

    Thx BIG time for the tip on EM_STREAMOUT ^_^

    Edit: Steps 4, 5 and 6 are accomplished. I will rewrite the program in MUCH cleaner code and then share it with you if you wish.

    2nd Edit: Just for fun I now intercept everytime a message is about to be sent and reformat it in colorful ways lol… Basically, I just got bored and made a fader.
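    Added example (not Ryuu99’s code, and not from any Paltalk project): the two EDITSTREAM callbacks that EM_STREAMOUT and EM_STREAMIN drive, written to cover the case post #188472 warns about (the control keeps calling until the callback reports *pcb == 0 or returns nonzero, so the stream-out callback must cope with a call that offers no data), and wired together into the save / replace / restore round trip that steps 3, 4 and 6 of the greeter above describe. Since the real control only exists inside a Windows process, SimulateStreamOut and SimulateStreamIn are stand-ins for the control’s calling pattern, assumed here to finish a stream-out with one final cb == 0 call as the post observed; the Win32 type names are re-declared for non-Windows builds so the callbacks compile against the real EDITSTREAMCALLBACK signature on Windows. The sample RTF strings are constructed for the example. ReadRtf (Windows only) shows how the same callback is handed to the real control from inside the injected dll.

```cpp
// Added example, not the poster's code: the two EDITSTREAM callbacks that
// EM_STREAMOUT / EM_STREAMIN drive, plus a stand-in for the control's calling
// pattern so they can be exercised off Windows. Assumes the control finishes
// a stream-out with a final cb == 0 call, as observed in the post.
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

#ifdef _WIN32
#  include <windows.h>
#  include <richedit.h>
#else
// Stand-ins for the Win32 types in the EDITSTREAMCALLBACK signature.
typedef unsigned long DWORD;
typedef std::uintptr_t DWORD_PTR;
typedef unsigned char* LPBYTE;
typedef long LONG;
#  define CALLBACK
typedef DWORD (CALLBACK *EDITSTREAMCALLBACK)(DWORD_PTR, LPBYTE, LONG, LONG*);
#endif

// EM_STREAMOUT: the control pushes RTF at us in pieces; the cookie is where we collect it.
DWORD CALLBACK StreamOutCallback(DWORD_PTR dwCookie, LPBYTE pbBuff, LONG cb, LONG* pcb)
{
    std::string* rtf = reinterpret_cast<std::string*>(dwCookie);
    if (cb > 0)
        rtf->append(reinterpret_cast<const char*>(pbBuff), static_cast<size_t>(cb));
    *pcb = cb;   // we took everything offered; on the final call cb is 0, which ends the transfer
    return 0;    // nonzero would abort the stream
}

// EM_STREAMIN: the control pulls from us; the cookie is the text plus a read position.
struct InState { std::string rtf; size_t pos; };

DWORD CALLBACK StreamInCallback(DWORD_PTR dwCookie, LPBYTE pbBuff, LONG cb, LONG* pcb)
{
    InState* st = reinterpret_cast<InState*>(dwCookie);
    size_t n = std::min(st->rtf.size() - st->pos, static_cast<size_t>(cb));
    std::memcpy(pbBuff, st->rtf.data() + st->pos, n);
    st->pos += n;
    *pcb = static_cast<LONG>(n);   // reporting 0 tells the control we have nothing more
    return 0;
}

// Stand-in for SendMessage(hwnd, EM_STREAMOUT, SF_RTF, (LPARAM)&es): hands the
// document over in chunks, then makes one last call with cb == 0. Stops early if
// the callback returns nonzero or reports *pcb == 0. Returns the number of calls.
int SimulateStreamOut(const std::string& doc, size_t chunk, EDITSTREAMCALLBACK fn, DWORD_PTR cookie)
{
    int calls = 0;
    size_t pos = 0;
    for (;;) {
        size_t n = std::min(chunk, doc.size() - pos);
        std::vector<unsigned char> buf(doc.begin() + pos, doc.begin() + pos + n);
        LONG taken = 0;
        ++calls;
        if (fn(cookie, buf.empty() ? nullptr : buf.data(), static_cast<LONG>(n), &taken) != 0 || taken == 0)
            return calls;
        pos += static_cast<size_t>(taken);
    }
}

// Stand-in for SendMessage(hwnd, EM_STREAMIN, SF_RTF, (LPARAM)&es): keeps
// offering a buffer until the callback reports *pcb == 0 or returns nonzero.
std::string SimulateStreamIn(size_t chunk, EDITSTREAMCALLBACK fn, DWORD_PTR cookie, int* calls)
{
    std::string doc;
    std::vector<unsigned char> buf(chunk);
    for (;;) {
        LONG got = 0;
        ++*calls;
        if (fn(cookie, buf.data(), static_cast<LONG>(chunk), &got) != 0 || got == 0)
            return doc;
        doc.append(reinterpret_cast<const char*>(buf.data()), static_cast<size_t>(got));
    }
}

// Steps 3, 4 and 6 of the greeter: save what the user typed, stream in the
// formatted message, then stream the saved text back.
struct RoundTrip { std::string saved, replaced, restored; int outCalls, inCalls; };

RoundTrip GreeterRoundTrip(const std::string& userTyped, const std::string& greetingRtf, size_t chunk)
{
    RoundTrip r = {};
    r.outCalls = SimulateStreamOut(userTyped, chunk, StreamOutCallback, reinterpret_cast<DWORD_PTR>(&r.saved));
    InState greet = { greetingRtf, 0 };
    r.replaced = SimulateStreamIn(chunk, StreamInCallback, reinterpret_cast<DWORD_PTR>(&greet), &r.inCalls);
    InState back = { r.saved, 0 };
    int ignored = 0;
    r.restored = SimulateStreamIn(chunk, StreamInCallback, reinterpret_cast<DWORD_PTR>(&back), &ignored);
    return r;
}

#ifdef _WIN32
// Real use inside the injected dll, where the callback address is valid for the control:
std::string ReadRtf(HWND hwndRichEdit)
{
    std::string rtf;
    EDITSTREAM es = {};
    es.dwCookie = reinterpret_cast<DWORD_PTR>(&rtf);
    es.pfnCallback = StreamOutCallback;
    SendMessage(hwndRichEdit, EM_STREAMOUT, SF_RTF, reinterpret_cast<LPARAM>(&es));
    return rtf;
}
#endif
```

    With a 4-byte chunk, a 13-byte document comes out in five calls (4, 4, 4, 1, then the empty final call), which is why the stream-out callback must treat cb == 0 as normal and return 0 rather than an error; the stream-in side ends the transfer itself by reporting 0 bytes once the buffer is exhausted. The callbacks hold no state of their own, everything travels through the cookie, so the same functions serve both the save and the restore pass.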

    #188485
    Ryuu99
    Member

    I’m going to look more into it, but I believe EM_STREAMOUT requires a callback method. If I remember correctly, this presents a problem since you can’t pass a pointer to a function to another process (the process doesn’t know where the actual callback is located since it’s all relative addressing).

    In other words, you probably have to specify a callback function that is located within the paltalk process. I’m experimenting with this via dll injection.
