Thread: Fake keystrokes to another process

Originally Posted by BobS0327

Unfortunately, I could not get PostThreadMessage to work. This problem was really stumping me.

Originally Posted by PostThreadMessage

Messages sent by PostThreadMessage are not associated with a window. As a general rule, messages that are not associated with a window cannot be dispatched by the DispatchMessage function

While that suggests there are exceptions, WM_KEYDOWN doesn't seem to be one. Without a window handle, who is it going to dispatch the (apparent) keystroke to? On XP SP3, the answer is no one, so nothing happens. It is removed from the message queue with no visible effect that it ever made it to its destination. WM_QUIT works because it causes GetMessage to return 0 which stops the message loop.

How about posting a complete working example of using EnumChildWindows as needed in the context of this thread? I'm sure we'll all benefit from it . Especially, the OP.

This is an extended version of yours

Code:

#undef UNICODE
#undef _UNICODE
#define WIN32_LEAN_AND_MEAN
#define _WIN32_WINNT 0x0500

#include <windows.h>
#include <iostream>
#include <shlwapi.h>
#include <sstream>
#include <iostream>

#pragma comment(lib, "shlwapi.lib")

// our enumerators
BOOL WINAPI ChildEnumerator(HWND hwnd, LPARAM lParam);
BOOL WINAPI ParentEnumerator(HWND hwnd, LPARAM lParam);

// Struct masquerading as a text sink
struct Buffer
{
    // constructor sets up where to dump the final buffer, defaults to cout
    inline Buffer(std::ostream& out = std::cout) : out(out){}

    // destructor dumps it
    inline ~Buffer()
    {
        Dump();
    }

    // this allows nicer syntax for print operations, similar to printf.
    // Less typing required both here and invocation than operator()
    // with no real loss IMHO
    template<class T>
    Buffer& operator,(const T& data)
    {
        buf << data;
        return *this;
    }

    // this is retained from cout syntax, so we can see where the 
    // data is being streamed to just by looking at the first output
    // it's usage is not necessary
    template<class T>
    Buffer& operator<<(const T& data)
    {
        buf << data;
        return *this;
    }

    // dumps the text to the output stream specified in the constructor
    inline void Dump()
    {
        out << buf.str();
        out << std::endl;
    }

    // the ultimate output stream, and our buffer
private:
    std::ostream& out;
    std::ostringstream buf;
};

void OutputWindowProperties(HWND hwnd, Buffer& printer)
{
    char winText[512] = {0};
     // Get the text it's displaying
    if(SendMessage(hwnd, WM_GETTEXT, 512, reinterpret_cast<LPARAM>(winText)))
    {
        printer << "\tText: ", winText, '\n';
    }
    // Find out which file created it
    if(GetWindowModuleFileName(hwnd, winText, 512))
    {
        printer << "\tCreated by: ", PathFindFileName(winText), '\n';
    }

    // see what thread/process it came from
    DWORD procID = 0;
    DWORD threadID = GetWindowThreadProcessId(hwnd, &procID);
    printer << "\tOwning Process ID: ", procID, " Thread ID: ", threadID, '\n';

    // get some misc info
    WINDOWINFO wInfo = {sizeof(wInfo), 0};
    GetWindowInfo(hwnd, &wInfo);

    // se if we can get the class it belongs to
    WNDCLASSEX wcl = {sizeof(wcl), 0};
    if(GetClassInfoEx(reinterpret_cast<HINSTANCE>(GetWindowLongPtr(hwnd, GWLP_HINSTANCE)), 
       reinterpret_cast<LPCSTR>(wInfo.atomWindowType), &wcl))
    {
        printer << "\tClassInfo:\n\t\tName: ";
        // try and get the name of the class
        if(GetAtomName(wInfo.atomWindowType, winText, 512))
        {
            printer << winText, '\n';
        }
        // if we can't, see if the class belongs to the current process
        // if it does, we can dereference the string
        else if(GetCurrentProcessId() == procID)
        {
            printer << wcl.lpszClassName, '\n';
        }
        // otherwise, just print the class id
        else
        {
            printer << wInfo.atomWindowType, '\n';
        }
        // output the wndproc address in hex
        printer << "\t\tWndProc at address: ", std::hex, wcl.lpfnWndProc, std::dec, '\n';
    }
    // finally the window X/Y location
    printer << "\tX Location: ", wInfo.rcWindow.left, ", Y Location: ", wInfo.rcWindow.top, '\n';
}

// called for each top level window
BOOL WINAPI ParentEnumerator(HWND hwnd, LPARAM lParam)
{
    // our dumping ground
    Buffer printer;
    // output window handles in hex, then change the number format back to decimal
    printer << "Top-Level Window - ", std::hex, hwnd, std::dec, '\n';
    // Get its' properties
    OutputWindowProperties(hwnd, printer);
    // go through any children and do the same, passing in the text buffer
    // so we can have a roughly hierachichal structure to the output
    EnumChildWindows(hwnd, ChildEnumerator, reinterpret_cast<LPARAM>(&printer));
    // keep calling us for windows we haven't encountered yet
    return TRUE;
}

// called for each child window
BOOL WINAPI ChildEnumerator(HWND hwnd, LPARAM lParam)
{
    // get the text buffer we passed in
    Buffer& printer = *(reinterpret_cast<Buffer*>(lParam));
    // everything else is the same as the one above
    printer << "\n  Child Window ", std::hex, hwnd, std::dec, '\n';
    OutputWindowProperties(hwnd, printer);
    return TRUE;
}

int main(int argc, char *argv[])
{
    // start the chain of window enumeration
    // warning, will spew out lots of data
    EnumWindows(ParentEnumerator, 0);
}

This is an extended version of yours

No. it's not even close since it doesn't provide the required info that the original poster needs to complete his task. Execute my snippet and you'll see the information that he needs.

Originally Posted by BobS0327

How do you know that I really know what I'm talking about or whether it's just BULL?

That's the thing, there's a blockage somewhere and you don't know in anyway I interpret it. I'm not sure whether it's just a fundemental misunderstanding or I'm not explaining things clearly but whatever. It takes about 5 minutes to attach to notepad and seen for yourself that it does exactly the same as the app above. PostMessage and PostThreadMessage are one and the same except one fills in the HWND member of the message struct retrieved by Get\PeekMessage, one doesn't. That's the entirety of the difference as to why one will "type" in notepad while the other doesn't. There's a mapping between HWNDs and WndProcs, not between threads and WndProcs.

In a child window, there isn't necesarily a message queue.

Of course not since both queues and windows belong to threads. A thread creates a window, a thread pumps messages for that window; that's how it is and knowing MS that's how it will always be. Notepad has one thread and creates 3 windows -> the single thread pumps messages for all 3 windows. If you really wanted to you could spawn a thread to create an edit control for the app above, if that thread doesn't go into its own message loop the edit window will do nothing, the Get/PeekMessage docs spell this out.

I'm basing my stuff on remote apps such as Notepad, MSWord etc.

The above paragraph contains the rules for everybody, it's not one rule for them and one for us. Again, 5 minutes in a disassembler and debugger shows you haven't quite got the concept right in some shape or form.

Case in point CloakDll which is a worthless piece of excrement.
EDIT. There are actually 5 windows opened when notepad starts.

Oh the irony here is delicious, I welcome attempts to show me where I've gone wrong but that's just laughable.