
MFC C++: simulating keyboard keys and mouse movement to control another program's window (C++ Global Low Level Keyboard Hook)


The program app is in another process

project source:TskingVS2019/src/Tool/DzhTestReadDataConsole/


 

Sendmessage to Listview Problem

 

I can use SendMessage to get information from a RichTextBox and a ComboBox. I was
very much hoping I could do the same with the listview.

Would someone be able to outline the steps
I need to take, given the handle to the syslistview32 control, to get
an item from a multi-column listview and find out the text in each
column for that item?

Is the listview in your application or in a different process? Most of
these messages will only work in the same process since the message
parameters don't marshal correctly across process boundaries.

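#include "stdafx.h"
#include <Windows.h> // required
#include <iostream>  // C++ output, used for testing
#include <string>    // required to print std::string with cout

using namespace std;



int main()
{
 // 1. Get the window handle and, from it, the game process
 // 2. Open the process by its process id
 // 3. Read data from the process's memory
 // 4. Read the board data and iterate over it
 // 5. Work out which cells are mines and which are tiles
 // 6. Simulate mouse clicks on the tiles
    return 0;
}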

 

Press the RETURN key in the Edit area and you will see the WM_KEYDOWN message in the Microsoft Spy++ dashboard. Then right-click that message and choose Properties to see its LPARAM and WPARAM values.

HWND hwnd = ::FindWindowW(L"Notepad", NULL);                   // top-level Notepad window, by class name
HWND hWndChild = ::FindWindowExW(hwnd, NULL, L"Edit", NULL);  // its child Edit control

https://www.codeproject.com/tips/1029254/sendmessage-and-postmessage

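I want to change the trading shortcut keys of the TongDaXin (通达信) program; can anyone help? My requirements: change the original flash-buy shortcut 21 to F1, the original cancel-order query shortcut 22 to F2 and the original flash-sell shortcut 23 to F3, and disable the functions that F1, F2 and F3 originally had in the market software. I have been at this for many days and my head is about to explode, but it still doesn't work. Can anyone help? Thank you. Ideally, please post the places that need changing and how to change them.

The keyboard wizard (键盘精灵) receives characters (the 10 digits and 26 letters) through the following flow: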

::PostMessage(hView,WM_KEYDOWN,0x32,0x00500001);

Sleep(50);

HWND hDlg = ::GetForegroundWindow();
HWND hEdit = ::GetDlgItem(hDlg,0x400);

::SendMessage(hEdit,EM_SETSEL,-1,-1);
::PostMessage(hEdit,WM_KEYUP,0x32,0xC0500001);

::PostMessage(hEdit,WM_CHAR,0x31,0x00490001);
::PostMessage(hEdit,WM_KEYDOWN,0xD,0x011C0001);
::PostMessage(hEdit,WM_KEYUP,0xD,0xC11C0001);

What you are asking for will probably need a HOOK.
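The lParam values in the PostMessage calls above are the same ones Spy++ shows in a message's properties, and they pack several fields into 32 bits. As an added example (not code from the original posts), this decodes and rebuilds them using the documented keystroke-message bit layout; the `KeyLParam` type and the function names are made up for the illustration, and the sample values are the ones quoted above.

```cpp
// Added example: decode / rebuild the lParam of WM_KEYDOWN, WM_KEYUP, WM_CHAR.
// Documented bit layout of a keystroke-message lParam:
//   0-15 repeat count | 16-23 scan code | 24 extended key | 25-28 reserved
//   29 context code (ALT held) | 30 previous key state | 31 transition state
#include <cstdint>
#include <cstdio>

struct KeyLParam {          // illustrative type, not a Win32 structure
    uint16_t repeat;        // bits 0-15
    uint8_t  scanCode;      // bits 16-23
    bool     extended;      // bit 24
    bool     altDown;       // bit 29
    bool     wasDown;       // bit 30: key was already down before this message
    bool     released;      // bit 31: 1 for WM_KEYUP, 0 for WM_KEYDOWN
};

KeyLParam decodeKeyLParam(uint32_t lp) {
    KeyLParam k;
    k.repeat   = static_cast<uint16_t>(lp & 0xFFFFu);
    k.scanCode = static_cast<uint8_t>((lp >> 16) & 0xFFu);
    k.extended = ((lp >> 24) & 1u) != 0;
    k.altDown  = ((lp >> 29) & 1u) != 0;
    k.wasDown  = ((lp >> 30) & 1u) != 0;
    k.released = ((lp >> 31) & 1u) != 0;
    return k;
}

uint32_t encodeKeyLParam(const KeyLParam& k) {
    return static_cast<uint32_t>(k.repeat)
         | (static_cast<uint32_t>(k.scanCode) << 16)
         | (k.extended ? 1u << 24 : 0u)
         | (k.altDown  ? 1u << 29 : 0u)
         | (k.wasDown  ? 1u << 30 : 0u)
         | (k.released ? 1u << 31 : 0u);
}

int main() {
    // lParam values quoted in the PostMessage calls above
    const uint32_t samples[] = {0x00500001u, 0xC0500001u, 0x011C0001u, 0xC11C0001u};
    for (uint32_t lp : samples) {
        KeyLParam k = decodeKeyLParam(lp);
        std::printf("0x%08X repeat=%u scan=0x%02X ext=%d prev=%d up=%d roundtrip=%s\n",
                    (unsigned)lp, (unsigned)k.repeat, (unsigned)k.scanCode,
                    k.extended, k.wasDown, k.released,
                    encodeKeyLParam(k) == lp ? "ok" : "MISMATCH");
    }
    return 0;
}
```

Read this way, 0x011C0001 is scan code 0x1C (Enter) with the extended-key bit set, and each 0xC0... value is the key-up counterpart of the key-down before it.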

 

EnumChildWindows 

 

https://forums.codeguru.com/showthread.php?278464-Using-EnumChildWindows

 

Read SysListView32 data

The listview is in another process.

1. Wrote code to get parent handle, listview handle, listview item to click
2. Shared memory to other process using "Creating Named Shared Memory"
3. Used hooking concept
4. Inside the hook proc code, added the code which is above.

#include <commctrl.h> // for SysListView32

There are a few possibilities.

1. DLL Injection Using windows hooks. Pros: simple and straightforward. Cons: many processes get this dll loaded.

2. DLL Injection Making process to load library by opening it for debugging, allocating a chunk of virtual memory using VirtualAllocEx in the context of this process, writing its memory with WriteProcessMemory and creating a remote thread with start address of LoadLibrary function. Pros: a single process is affected. Cons: A bit more complex than hooks solution.

3. Read of process memory. Same as option 2 but instead of writing this memory and executing the code remotely, send the message LVM_GETITEMTEXT to the window in question providing a valid known memory location and then read that location with ReadProcessMemory.

1. ListView messages that pass around buffers only work within the address space of the process that owns the ListView. You will have to use VirtualAllocEx() to allocate a memory block within that same process, then you can write to it with WriteProcessMemory() and have the ListView fill it as needed, then you can read it with ReadProcessMemory() and deallocate it with VirtualFreeEx().

--see: https://stackoverflow.com/questions/12679518/win32-getting-listview-control-content-from-another-application

2. You are allocating virtual memory for text. You must also allocate virtual memory for LVITEM. Then assign the text memory to lvItem.pszText, and then read both memory. It has to be compiled 64-bit for 64-bit systems. Add more error checks.

Windows ListView LVM_GETITEM iImage is always zero
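Why the reading tool has to match the target's bitness, as an added example (not from the quoted answers): the control interprets the bytes written into its process using its own `LVITEM` layout, and the pointer fields move and widen between 32-bit and 64-bit builds. `LvItem32` and `LvItem64` are stand-in structs that mirror the `LVITEMW` field order with fixed-width types, and the buffer address is a constructed value; both are assumptions made so the two layouts can be compared in a single 64-bit, little-endian build.

```cpp
// Added example: the same LVITEM bytes mean different things to a 32-bit
// and a 64-bit list-view. Assumes a little-endian x64 build.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Stand-ins mirroring the LVITEMW field order; NOT the SDK definitions.
struct LvItem32 {                       // layout inside a 32-bit process
    uint32_t mask; int32_t iItem, iSubItem; uint32_t state, stateMask;
    uint32_t pszText;                   // 4-byte pointer at offset 20
    int32_t  cchTextMax, iImage;
    int32_t  lParam;                    // LPARAM is 4 bytes
    int32_t  iIndent, iGroupId; uint32_t cColumns;
    uint32_t puColumns, piColFmt;       // 4-byte pointers
    int32_t  iGroup;
};
struct LvItem64 {                       // layout inside a 64-bit process
    uint32_t mask; int32_t iItem, iSubItem; uint32_t state, stateMask;
    uint64_t pszText;                   // 8-byte pointer, padded to offset 24
    int32_t  cchTextMax, iImage;
    int64_t  lParam;                    // LPARAM is 8 bytes
    int32_t  iIndent, iGroupId; uint32_t cColumns;
    uint64_t puColumns, piColFmt;       // 8-byte pointers
    int32_t  iGroup;
};

// What a 64-bit control reads when a 32-bit tool writes its own LVITEM
// into the (zero-filled) remote block and then sends LVM_GETITEMTEXT.
LvItem64 seenBy64BitControl(const LvItem32& written) {
    unsigned char remote[sizeof(LvItem64)] = {0};
    std::memcpy(remote, &written, sizeof(written));
    LvItem64 seen;
    std::memcpy(&seen, remote, sizeof(seen));
    return seen;
}

int main() {
    LvItem32 req = {};
    req.mask = 0x0001;                  // LVIF_TEXT
    req.iSubItem = 1;
    req.pszText = 0x00AB0000;           // constructed remote buffer address
    req.cchTextMax = 256;
    LvItem64 seen = seenBy64BitControl(req);
    std::printf("sizeof %zu vs %zu, pszText offset %zu vs %zu\n", sizeof(LvItem32),
                sizeof(LvItem64), offsetof(LvItem32, pszText), offsetof(LvItem64, pszText));
    std::printf("64-bit control sees pszText=0x%llx cchTextMax=%d\n",
                (unsigned long long)seen.pszText, (int)seen.cchTextMax);
    return 0;
}
```

The 64-bit control takes the 32-bit caller's `cchTextMax` (256) as the buffer pointer and sees a zero-length buffer, so nothing useful comes back; building the reader for the target's bitness keeps the two layouts identical.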

 

//---------------------------------------------------------------------------
// Read the items of a ListView
// hWindow is the handle of the target ListView
// strlist receives the ListView item strings
// From http://www.ccrun.com
// by ccrun(老妖)
//---------------------------------------------------------------------------
void MyGetListViewItem(HWND hWindow,TStrings *strlist)
{
    const int nMaxLen=1023;
    char szBuf[nMaxLen+1];
    AnsiString   line;   // one output row; a fixed char buffer could overflow with many columns

    int          nLVItemCount;
    int          nColumns;
    DWORD        dwProcessID;
    HANDLE       hProcess;
    HWND         hHeaderCtrl;
    LVITEM       lvItemLocal;
    HDITEM       hdItemLocal;
    SIZE_T       dwBytesRead, dwBytesWrite;
    LPVOID       lpTextRemote, lpListItemRemote, lpHeadItemRemote;

    // Note: this article comes from www.ccrun.com, by ccrun(老妖); please credit the source when reposting.
    // Reposted from C++Builder研究 - http://www.ccrun.com/article.asp?i=583&d=eahk4z
    // This notice is embedded in the code to guard against irresponsible reposters; please excuse it.

    GetWindowThreadProcessId(hWindow,&dwProcessID);
    // Request only the rights that VirtualAllocEx/WriteProcessMemory/ReadProcessMemory need
    hProcess=OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE,FALSE,dwProcessID);
    if(!hProcess)  // could not get a handle to the target process
        return;
    // Allocate memory inside the target process
    lpTextRemote=VirtualAllocEx(hProcess,NULL,nMaxLen+1,MEM_COMMIT,PAGE_READWRITE);
    lpListItemRemote=VirtualAllocEx(hProcess,NULL,sizeof(LVITEM),MEM_COMMIT,PAGE_READWRITE);
    lpHeadItemRemote=VirtualAllocEx(hProcess,NULL,sizeof(HDITEM),MEM_COMMIT,PAGE_READWRITE);
    if((!lpTextRemote) || (!lpListItemRemote) || (!lpHeadItemRemote)) // could not allocate memory in the target process
        goto cleanup;

    nLVItemCount=ListView_GetItemCount(hWindow);
    hHeaderCtrl=ListView_GetHeader(hWindow);
    nColumns=Header_GetItemCount(hHeaderCtrl);
    if (nColumns<=0) {
        nColumns=1;
    } else {
        line="";
        for (int j=0;j<nColumns;j++) {
            ZeroMemory(szBuf,nMaxLen+1);
            // Clear the remote text buffer
            if(!WriteProcessMemory(hProcess,lpTextRemote,szBuf,nMaxLen+1,&dwBytesWrite)) // memory write failed
                goto cleanup;
            ZeroMemory(&hdItemLocal,sizeof(HDITEM));
            hdItemLocal.mask=HDI_TEXT;
            hdItemLocal.cchTextMax=nMaxLen;
            hdItemLocal.pszText=(LPTSTR)lpTextRemote;
            dwBytesWrite=0;
            if(!WriteProcessMemory(hProcess,lpHeadItemRemote,&hdItemLocal,sizeof(HDITEM),&dwBytesWrite)) // memory write failed
                goto cleanup;

            SendMessage(hHeaderCtrl,HDM_GETITEM,(WPARAM)j,(LPARAM)lpHeadItemRemote);
            // Read the text back from the target process's memory
            if(!ReadProcessMemory(hProcess,lpTextRemote,szBuf,nMaxLen+1,&dwBytesRead)) // could not read the text
                goto cleanup;
            szBuf[nMaxLen]=0; // make sure the copy is terminated
            if (j>0) line+="|";
            line+=szBuf;
        }
        strlist->Add(line);
    }
//  strlist->Add("Number of ListView columns: " + String(nColumns));
//  strlist->Add("---------------------------");

    for (int i=0;i<nLVItemCount;i++) {
        line="";
        for (int j=0;j<nColumns;j++) {
            ZeroMemory(szBuf,nMaxLen+1);
            // Clear the remote text buffer
            if(!WriteProcessMemory(hProcess,lpTextRemote,szBuf,nMaxLen+1,&dwBytesWrite)) // memory write failed
                goto cleanup;
            ZeroMemory(&lvItemLocal,sizeof(LVITEM));
            lvItemLocal.iItem=i;
            lvItemLocal.iSubItem=j;
            lvItemLocal.mask=LVIF_TEXT;
            lvItemLocal.cchTextMax=nMaxLen;
            lvItemLocal.pszText=(LPTSTR)lpTextRemote;
            dwBytesWrite=0;
            if(!WriteProcessMemory(hProcess,lpListItemRemote,&lvItemLocal,sizeof(LVITEM),&dwBytesWrite)) // memory write failed
                goto cleanup;
            SendMessage(hWindow,LVM_GETITEMTEXT,(WPARAM)i,(LPARAM)lpListItemRemote);
            // Read the text back from the target process's memory
            if(!ReadProcessMemory(hProcess,lpTextRemote,szBuf,nMaxLen+1,&dwBytesRead)) // could not read the text
                goto cleanup;
            szBuf[nMaxLen]=0; // make sure the copy is terminated
            if (j>0) line+="|";
            line+=szBuf;
        }
        strlist->Add(line);
    }//end of for(i)

cleanup:
    // Free the memory allocated in the target process (also on the error paths)
    if(lpHeadItemRemote) VirtualFreeEx(hProcess,lpHeadItemRemote,0,MEM_RELEASE);
    if(lpListItemRemote) VirtualFreeEx(hProcess,lpListItemRemote,0,MEM_RELEASE);
    if(lpTextRemote)     VirtualFreeEx(hProcess,lpTextRemote,0,MEM_RELEASE);
    // Close the handle to the target process
    CloseHandle(hProcess);
}

 

http://www.codeproject.com/Articles/2890/Using-ListView-control-under-Win32-API

List View Messages

https://docs.microsoft.com/en-us/windows/win32/controls/bumper-list-view-control-reference-messages

 

 


/// <summary>
/// ReadProcessMemory/C++
/// DzhTestReadDataConsole.exe in path= F:\stock\TskingVS2019\Debug
/// copy dzhtest.exe and other files to F:\stock\TskingVS2019\Debug
/// Source: https://blog.csdn.net/cqlboat/article/details/9010073
/// </summary>
/// <returns>0 on success, -1 if the child process could not be started</returns>
int testReadProcessMemory()
{
	STARTUPINFO si;
	PROCESS_INFORMATION pi;

	HANDLE hProcess = NULL;

	ZeroMemory(&si, sizeof(si));

	si.cb = sizeof(si);

	ZeroMemory(&pi, sizeof(pi));

	if (!CreateProcess(L".\\Dzhtest.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
	{
		printf("CreateProcess Dzhtest.exe failed (%lu)\n", GetLastError());
		return -1; // pi is not valid, so there is nothing to read
	}
	printf("CreateProcess Dzhtest.exe success (pid %lu)\n", pi.dwProcessId);

	// Give the child up to one second before reading from it
	WaitForSingleObject(pi.hProcess, 1000);

	BYTE readtemp[256 * 16] = { 0 };

	SIZE_T dwNumberOfBytesRead = 0;

	// ReadProcessMemory only needs PROCESS_VM_READ
	hProcess = OpenProcess(PROCESS_VM_READ, FALSE, pi.dwProcessId);

	if (hProcess != NULL)
	{
		// The base address is not known in advance, so probe upward until a read
		// succeeds. Readability is per page, so step one page (0x1000) at a time.
		uintptr_t addr = 0x00020000;
		const uintptr_t limit = 0x7FFF0000; // assumed upper bound so the loop always ends

		while (addr < limit && !ReadProcessMemory(hProcess, (LPCVOID)addr, readtemp, 0x10, &dwNumberOfBytesRead))
		{
			addr += 0x1000;
		}

		if (addr < limit)
		{
			printf("ReadProcessMemory success,baseAddress=%p \n", (void*)addr);

			for (SIZE_T n = 0; n < dwNumberOfBytesRead; n++)
			{
				printf("%X \n", readtemp[n]);
			}
		}

		CloseHandle(hProcess);
	}

	CloseHandle(pi.hProcess);

	CloseHandle(pi.hThread);

	return 0;
}

 

Source: https://forums.codeguru.com/showthread.php?355903-Sendmessage-across-applications

#include <windows.h>
#include <commctrl.h>
#include <tchar.h>
#include <stdlib.h>

// On success, *ppwszText receives a malloc()ed copy of the text; the caller frees it.
bool
getItemTextFromListBox(HWND hWndListView, int item, int subItem, TCHAR** ppwszText)
{
    bool retcode=false;
    TCHAR szReadBuffer[1024];
    memset(szReadBuffer, 0, sizeof(szReadBuffer) );
    LV_ITEM* plvi=NULL;
    LV_ITEM lvi;

    DWORD dwProcessId;
    GetWindowThreadProcessId(hWndListView, &dwProcessId);
    // Open a handle to the remote process's kernel object
    HANDLE hProcess = OpenProcess(
        PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
        FALSE, dwProcessId);

    if (hProcess == NULL) {
        MessageBox(NULL, __TEXT("Could not communicate with process"),
            __TEXT("ERROR"), MB_OK | MB_ICONWARNING);
        goto cleanup;
    }

    // Allocate memory in the remote process's address space
    plvi = (LV_ITEM*) VirtualAllocEx(hProcess,
        NULL, 4096, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

    if(plvi==NULL) {
        goto cleanup;
    }

    // Get the ListView item's text data
    // Initialize a local LV_ITEM structure
    memset(&lvi, 0, sizeof(LV_ITEM) );
    lvi.mask = LVIF_TEXT;
    lvi.iItem = item;
    lvi.iSubItem = subItem;
    // NOTE: The text data immediately follows the LV_ITEM structure
    // in the memory block allocated in the remote process.
    lvi.pszText = (LPTSTR) (plvi + 1);
    lvi.cchTextMax = 100;

    // Write the local LV_ITEM structure to the remote memory block
    if( !WriteProcessMemory(hProcess, plvi, &lvi, sizeof(lvi), NULL) ) {
        goto cleanup;
    }

    // Tell the ListView control to fill the remote LV_ITEM structure
    ListView_GetItem(hWndListView, plvi);

    // Read the remote text string into the local buffer
    if( !ReadProcessMemory(hProcess, plvi + 1, (LPVOID) &szReadBuffer, sizeof(szReadBuffer), NULL) ) {
        goto cleanup;
    }
    // Never trust the remote side to have terminated the string
    szReadBuffer[(sizeof(szReadBuffer) / sizeof(TCHAR)) - 1] = 0;

    // Size in bytes: characters plus terminator, times the character width
    *ppwszText = (TCHAR*) malloc( (_tcslen( szReadBuffer ) + 1) * sizeof(TCHAR) );
    if(!*ppwszText) {
        goto cleanup;
    }

    retcode=true;
    _tcscpy(*ppwszText, szReadBuffer);

    // ListView_SetItemState(hWndListView, -1, 0, LVIS_SELECTED);

cleanup:
    if(hProcess) {
        // Free the memory in the remote process's address space
        if(plvi) {
            VirtualFreeEx(hProcess, plvi, 0, MEM_RELEASE);
        }
        CloseHandle(hProcess);
    }
    return retcode;
}

 

/// <summary>
/// Win32- Getting ListView Control content from another application /C++
/// DzhTestReadDataConsole.exe in path= F:\stock\TskingVS2019\Debug
/// copy dzhtest.exe and other files to F:\stock\TskingVS2019\Debug
/// Source: https://stackoverflow.com/questions/12679518/win32-getting-listview-control-content-from-another-application
/// 
/// </summary>
/// <returns>0 on success, a negative value on failure</returns>
int testListViewControlcontentfromDzhtest()
{
	STARTUPINFO si;
	PROCESS_INFORMATION pi;

	ZeroMemory(&si, sizeof(si));

	si.cb = sizeof(si);

	ZeroMemory(&pi, sizeof(pi));

	if (!CreateProcess(L".\\Dzhtest.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
	{
		printf("CreateProcess Dzhtest.exe failed (%lu)\n", GetLastError());
		return -1; // nothing to talk to
	}
	printf("CreateProcess Dzhtest.exe success (pid %lu)\n", pi.dwProcessId);

	// Give the child up to one second to create its window
	WaitForSingleObject(pi.hProcess, 1000);

	// The child is located through its window from here on, so release these now
	CloseHandle(pi.hThread);
	CloseHandle(pi.hProcess);

	HWND mainHwnd = FindWindowA(NULL, "dzhtest"); // find the window titled "dzhtest"
	if (!mainHwnd) // if there is none, report an error
	{
		// if it's still not running, give up
		printf("mainHwnd of window dzhtest.exe not found!\n");
		return -3;
	}
	else
	{
		printf("DzhTest HWND (%p)\n", mainHwnd);
	}

	// btnDecompId is the control ID of the unzip button; it is defined elsewhere
	// in the project and its value is not shown on this page.
	HWND btnWndUnzip = GetDlgItem(mainHwnd, btnDecompId);

	if (!btnWndUnzip)
	{
		// if it's still not running, give up
		printf("btnWndUnzip of unzip button not found!\n");
		return -3;
	}
	else
	{
		printf("unzip button HWND (%p)\n", btnWndUnzip);
	}

	//unzip one stock
	SendMessage(mainHwnd, WM_COMMAND, MAKEWPARAM(btnDecompId, BN_CLICKED), (LPARAM)btnWndUnzip);

	//http://www.codeproject.com/Articles/2890/Using-ListView-control-under-Win32-API

	// Find the handle by control class SysListView32 (works)
	//HANDLE to the ListView control within the Dialog, having class name - "SysListView32"
	HWND WndSysListView32 = FindWindowEx(mainHwnd, NULL, L"SysListView32", NULL);
	if (!WndSysListView32)
	{
		printf("SysListView32 control not found!\n");
		return -4;
	}

	//itemCount=3520
	//returns CORRECT item count of the ListView Control
	int itemCount = (int)SendMessage(WndSysListView32, LVM_GETITEMCOUNT, 0, 0);   // number of items

	printf("SysListView32 ITEMCOUNT %d\n", itemCount);

	//Source: https://stackoverflow.com/questions/12679518/win32-getting-listview-control-content-from-another-application
	DWORD dwProcessId;
	GetWindowThreadProcessId(WndSysListView32, &dwProcessId);

	HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, dwProcessId);
	if (!hProcess)
	{
		printf("OpenProcess failed (%lu)\n", GetLastError());
		return -5;
	}

	// Both the LVITEM and the text buffer must live in the target process
	LVITEM* pLvItem = (LVITEM*)VirtualAllocEx(hProcess, NULL, sizeof(LVITEM), MEM_COMMIT, PAGE_READWRITE);
	LPTSTR pText = (LPTSTR)VirtualAllocEx(hProcess, NULL, sizeof(TCHAR) * 256, MEM_COMMIT, PAGE_READWRITE);

	for (int nItem = 0; pLvItem && pText && nItem < itemCount; ++nItem)
	{
		TCHAR Text[256] = { 0 };

		LVITEM LvItem = { 0 };
		LvItem.mask = LVIF_TEXT;
		LvItem.iSubItem = 1;
		LvItem.pszText = pText;
		LvItem.cchTextMax = 256;
		LvItem.iItem = nItem;

		if (!WriteProcessMemory(hProcess, pLvItem, &LvItem, sizeof(LVITEM), NULL))
			break;

		// LVM_GETITEMTEXT returns the number of characters copied (terminator not counted)
		int nRes = (int) ::SendMessage(WndSysListView32, LVM_GETITEMTEXT, nItem, (LPARAM)pLvItem);
		if (nRes > 0 && nRes < 256 &&
			ReadProcessMemory(hProcess, pText, &Text[0], sizeof(TCHAR) * nRes, NULL))
		{
			printf("item %d: %ls\n", nItem, Text); // Text stays terminated: it was zero-filled
		}
	}

	if (pText) VirtualFreeEx(hProcess, pText, 0, MEM_RELEASE);
	if (pLvItem) VirtualFreeEx(hProcess, pLvItem, 0, MEM_RELEASE);
	CloseHandle(hProcess);

	return 0;
}

 

Cross-process

MFC C++: simulating keyboard keys and mouse movement

C++ PostMessage: simulating keyboard and mouse input

https://blog.csdn.net/Simon798/article/details/102403618

 

C++ SendMessage: simulating mouse clicks on Minesweeper tiles

https://blog.csdn.net/qq_33473476/article/details/80641198

 

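Open an .exe as a child process and read its memory

Reading the child process's memory: the base address can change before the program runs, so a while loop is used that only exits once a read succeeds.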

https://blog.csdn.net/cqlboat/article/details/9010073

ListView

MFC C++: sending the LVM_GETNEXTITEM message to the ListView control in taskmgr.exe

"Stealing Program's Memory": using the WriteProcessMemory() function to place an LVITEM structure into the target process

https://www.codeproject.com/Articles/5570/Stealing-Program-s-Memory

 

Registering your own input method among the existing input methods (C++)

https://github.com/chinatiny/WindowsPlatform/blob/67c77765249f5db0256232e47aa266465b94fbb6/%E6%B3%A8%E5%85%A5/007%E8%BE%93%E5%85%A5%E6%B3%95%E6%B3%A8%E5%85%A5_%E6%B3%A8%E5%85%A5%E5%99%A8/main.cpp

https://github.com/laiyierjiangsu/GameModifier/blob/110e642d75e9d036bf3c8d52f6c1ef40f60ea3f9/GameModifier/InputInject.cpp