I have following piece of code that is working on the following steps:
Open the RegistryKey using RegOpenKeyEx
After opening key, Create a event using CreateEvent.
Using RegNotifyChangeKeyValue for getting Notification.
The above steps only gives me a notification of change occured but not the information on where the change occured. eg consider following code:
#include <Windows.h>
#include <iostream>
#include <string>
int main()
{
DWORD dwFilter = REG_NOTIFY_CHANGE_NAME|
REG_NOTIFY_CHANGE_ATTRIBUTES |
REG_NOTIFY_CHANGE_LAST_SET |
REG_NOTIFY_CHANGE_SECURITY;
HKEY pHresult=0;
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\aaaa",0,KEY_NOTIFY|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_QUERY_VALUE|KEY_WOW64_64KEY,&pHresult)!=ERROR_SUCCESS){
std::cout << "FAIL IN OPEN SOFTWARE" << std::endl;
}
std::cout << " OPEN software//aaaa" << std::endl;
while(1)
{
HANDLE hevent = CreateEvent(NULL,FALSE, TRUE, NULL);
if(RegNotifyChangeKeyValue(pHresult,TRUE,dwFilter,hevent,TRUE) != ERROR_SUCCESS)
{
std::cout << "NOTIFICATION FAILED " << std::endl;
}
DWORD dwret = WaitForSingleObject(hevent, 2000);
if(dwret == WAIT_TIMEOUT)
{
std::cout << " TIMEOUT " << std::endl;
}
else if (dwret == WAIT_FAILED)
{
//
}
else
{
std::cout << "Change Occured" << std::endl;
}
//Sleep(2000);
}
RegCloseKey(pHresult);
}
In above code, if change is done in aaaa, i get Change Occured. How do I get the location where the change occured. One way would be using recursion and scanning the whole path. Is there any better way or API for reducing the overhead of recursion way?
Related
`
#include <iostream>
#include <windows.h>
#include <Tlhelp32.h>
HANDLE hProc = NULL;
DWORD pID;
bool attachProc(char* procName)
{
PROCESSENTRY32 procEntry32;
procEntry32.dwSize = sizeof(PROCESSENTRY32);
auto hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hProcSnap == INVALID_HANDLE_VALUE)
{
std::cout << "FAILED to take snapshot of processes\n";
return false;
}
while(Process32Next(hProcSnap, &procEntry32))
{
std::cout << procEntry32.szExeFile << std::endl;
if (procEntry32.th32ProcessID != 996)
{
if (!strcmp(procName, procEntry32.szExeFile))
{
std::cout << "found process " << procEntry32.szExeFile << " with process id " << procEntry32.th32ProcessID << std::endl;
hProc = OpenProcess(PROCESS_ALL_ACCESS,FALSE,procEntry32.th32ProcessID);
pID = procEntry32.th32ProcessID;
if (hProc == NULL)
{
std::cout << "failed getting handle to process" << std::endl;
}
CloseHandle(hProcSnap);
return true;
}
}
}
std::cout << "couldnt find " << procName << "in the process snapshot" << std::endl;
CloseHandle(hProcSnap);
return false;
}
template <class dataType>
void wpm(dataType valToWrite, DWORD adressToWrite)
{
WriteProcessMemory(hProc, (PVOID)adressToWrite, &valToWrite, sizeof(dataType), 0);
}
template <class dataType>
dataType rpm(DWORD adressToRead)
{
dataType rpmBuffer;
ReadProcessMemory(hProc, (PVOID)adressToRead, &rpmBuffer, sizeof(dataType), 0);
return rpmBuffer;
}
int main()
{
DWORD memoryAdress = 0x288469A7A28;
int value = 1
attachProc((char*)"dummy.exe");
while (true)
{
wpm<int>(value, memoryAdress);
}
}
`
i think there is a problem in getting the handle but i dont know where or how do i debug this.
is there any different way on how to get a handle? bestsides FindWindow() because this doesnt work either
i was trying to write process memory but id didnt work for some reason the adress should be good i tested it in cheat engine multiple times
i'm trying to make a little program to my university that can change values in the memory of another process. With the exact address value that the Cheat Engine give me i can do this, but not ever the value is the same then my problem is with the memory pointers. In the following image i has the every offset that i found in the pointer scan map:
I already make a program but it not work and ever gives me 299 error code, i Run it as administrator. The code is the following:
#include <iostream>
#include <Windows.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <queue>
using namespace std;
int main() {
PROCESSENTRY32 pEntry;
pEntry.dwSize = sizeof(PROCESSENTRY32);
// Snapshot to list all process
HANDLE pHandlers = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (pHandlers == NULL) {
cout << "Error 1";
return 1;
}
// Listing process
if (Process32First(pHandlers, &pEntry)) {
while (Process32Next(pHandlers, &pEntry)) {
// Convert value to string
wstring wstr(pEntry.szExeFile);
string str(wstr.begin(), wstr.end());
// Check if is the process that i wan't
if (str == "Playgroundd.exe") {
MODULEENTRY32 mEntry;
mEntry.dwSize = sizeof(MODULEENTRY32);
// Snapshot to list all modules inside process
HANDLE mHandlers = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pEntry.th32ProcessID);
if (mHandlers == NULL) {
cout << "Error 2";
return 1;
}
// Usually the first process is the main module
if (Module32First(mHandlers, &mEntry)) {
// Convert the name to string
wstring wstrr(mEntry.szExePath);
string strr(wstrr.begin(), wstrr.end());
if (strr.find("Playgroundd.exe")) {
// Get the base address of module
DWORD moduleBaseAddress = (DWORD)mEntry.modBaseAddr;
// Append initial value
moduleBaseAddress += (DWORD)0x000000E8;
// Offsets defined
DWORD offsets[] = {0x88,0x98,0x90,0x20,0x10,0x48,0x904};
// Open process with the right process id
cout << "process id: " << pEntry.th32ProcessID << endl << endl;
HANDLE processHandler = OpenProcess(PROCESS_ALL_ACCESS, 0, pEntry.th32ProcessID);
if (processHandler == NULL) {
cout << "Can't open the process";
return 1;
}
// Sum offsets
for (int i = 0; i < 7;i++) {
moduleBaseAddress += offsets[i];
}
int receive = 0;
size_t bytesRead = 0;
bool resultStatus = ReadProcessMemory(processHandler,
(LPCVOID)moduleBaseAddress, &receive, sizeof(receive), &bytesRead);
cout << "result status :" << resultStatus << endl;
cout << "Received : " << receive << endl;
cout << "Bytes read : " << bytesRead << endl;
cout << "Possible error code : " << GetLastError() << endl;
}
else {
cout << "Can't find module";
return 1;
}
}
}
}
}
};
This is the output of the above program, the error code can be ignored if the result status be non-zero
result status :0
Received : 0
Bytes read : 0
Possible error code : 299
What i am doing wrong?
As pointed by the comment above, your calculation of the target address is questionable.
Your use of GetLastError is unsafe - you should call it immediately after FAILED call to ReadProcessMemory. However, in this case, cout << ... doesn't change that code, so you are OK.
According to docs
ERROR_PARTIAL_COPY
299 (0x12B)
Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
And this post states
ReadProcessMemory would return FALSE and GetLastError would return ERROR_PARTIAL_COPY when the copy hits a page fault.
I'm trying to entirely disable the keyboard using the windows SetupAPI.
At present I can remove the keyboard successfully with no issues using the DIF_REMOVE function like so:
#include <windows.h>
#include <SetupAPI.h>
#include <iostream>
#include <string>
const std::string keyboard_device_instance_path("<my_path_here>"); // Win7
HDEVINFO DeviceInfoSet = ::SetupDiGetClassDevs(nullptr, nullptr, nullptr, DIGCF_ALLCLASSES | DIGCF_ALLCLASSES);
SP_DEVINFO_DATA DeviceInfoData;
::ZeroMemory(&DeviceInfoData, sizeof(SP_DEVINFO_DATA));
DeviceInfoData.cbSize = sizeof(SP_DEVINFO_DATA);
DWORD DeviceIndex = 0;
std::vector<char> DeviceInstanceId(128, '\0');
DWORD RequiredSize = 0;
// Query all devices
while (::SetupDiEnumDeviceInfo(DeviceInfoSet, DeviceIndex++, &DeviceInfoData))
{
// Find the Keyboard
if (::SetupDiGetDeviceInstanceIdA(DeviceInfoSet, &DeviceInfoData, &DeviceInstanceId[0], DWORD(DeviceInstanceId.size()), &RequiredSize))
{
if (keyboard_device_instance_path == &DeviceInstanceId[0])
{
std::cout << "Breaking keyboard\n";
if (!SetupDiCallClassInstaller(DIF_REMOVE, DeviceInfoSet, &DeviceInfoData))
{
std::cerr << "Failed to remove keyboard: " << ::GetLastError() << '.' << std::endl;
}
}
After disabling it, I want to re-enable the keyboard when a condition is met. For this I naturally looked to 'DIF_UNREMOVE' but have had no success.
Here is the code that attempts to re-enable the keyboard:
SP_UNREMOVEDEVICE_PARAMS UnRemoveParams;
UnRemoveParams.ClassInstallHeader.cbSize = sizeof(SP_CLASSINSTALL_HEADER);
UnRemoveParams.ClassInstallHeader.InstallFunction = DIF_UNREMOVE;
UnRemoveParams.Scope = DI_UNREMOVEDEVICE_CONFIGSPECIFIC;
UnRemoveParams.HwProfile = 0;
if (::SetupDiSetClassInstallParams(DeviceInfoSet, &DeviceInfoData, &UnRemoveParams.ClassInstallHeader, sizeof(UnRemoveParams)))
{
std::cout << "Fixing keyboard\n";
if (!SetupDiCallClassInstaller(DIF_UNREMOVE, DeviceInfoSet, &DeviceInfoData))
{
std::cerr << "Failed to re-enable keyboard: " << ::GetLastError() << std::endl;
}
}
This code is used in the while loop immediately after the removal code. I get an error "No such device installed". What is the correct way to do this? I can only use headers supported by windowsXP
I eventually solved this by instead re-enumerating the systems hardware devices like so:
DWORD pdnDevInst = 0;
if (CM_Locate_DevNodeA(PDEVINST(&pdnDevInst), NULL, CM_LOCATE_DEVNODE_NORMAL) != CR_SUCCESS)
{
std::cout << "Failed to revive keyboard\n";
}
else if (CM_Reenumerate_DevNode(pdnDevInst, CM_REENUMERATE_NORMAL) != CR_SUCCESS)
{
std::cout << "Failed to revive keyboard: Renumerate dev node Error\n";
}
I'm trying to use the following code to change the wall paper on a Windows 7 machine. I'm compiling with Multi Byte Character Set.
if(SystemParametersInfoW(SPI_SETDESKWALLPAPER, 0, L"c:\\temp\\extracted.png", SPIF_SENDCHANGE) != 0)
{
std::cout << "Success !" << std::endl;
}
else
{
std::cout << "Failure :(" << std::endl;
std::cout << "Error: " << GetLastError() << std::endl;
system("title :(");
}
I have no idea of why this is not working since it doesn't return an error code (GetLastError gives 0). No need to say that the wall paper remains unchanged.
EDIT: tried to change to this and to put a bmp file instead.
int error(0);
if(SystemParametersInfoW(SPI_SETDESKWALLPAPER, 0, L"c:\\temp\\extracted.bmp", SPIF_SENDCHANGE) != 0)
{
std::cout << "Success !" << std::endl;
}
else
{
error = GetLastError();
std::cout << "Failure :(" << std::endl;
std::cout << "Error: " << error << std::endl;
system("title :(");
}
system("pause");
Output in console is Failure :( followed by Error: 0
From the advice on the comments I abandoned ChangeParametersInfo and implemented this quick function I found. Worked instantly.
void SetWallpaper(LPCWSTR file)
{
CoInitializeEx(0, COINIT_APARTMENTTHREADED);
IActiveDesktop* desktop;
HRESULT status = CoCreateInstance(CLSID_ActiveDesktop, NULL, CLSCTX_INPROC_SERVER, IID_IActiveDesktop, (void**)&desktop);
WALLPAPEROPT wOption;
ZeroMemory(&wOption, sizeof(WALLPAPEROPT));
wOption.dwSize = sizeof(WALLPAPEROPT);
wOption.dwStyle = WPSTYLE_CENTER;
status = desktop->SetWallpaper(file, 0);
status = desktop->SetWallpaperOptions(&wOption, 0);
status = desktop->ApplyChanges(AD_APPLY_ALL);
desktop->Release();
CoUninitialize();
}
Usage
SetWallpaper(L"c:\\temp\\extracted.png");
This is so much easier than bothering with the old one. Still wondering why it wasn't giving an error. Hope this will help someone else.
Thanks for the advices everyone.
I am having a really hard time with some API calls to the Wininet dll. I am trying to read cookies client side set by IE 9. Here's the code.
#include "stdafx.h"
#include <Windows.h>
#include <WinInet.h>
#include <iostream>
int _tmain(int argc, _TCHAR* argv[])
{
LPTSTR lpData = NULL;
DWORD dwSz = 500;
std::cout << "Hello Chris" << std::endl;
lpData = new TCHAR[dwSz];
std::wcout << "Arg 0: " << argv[1] << std::endl;
bool val = InternetGetCookieEx(argv[1], argv[2], lpData, &dwSz, INTERNET_COOKIE_THIRD_PARTY | INTERNET_FLAG_RESTRICTED_ZONE, NULL);
if (!val)
{
if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
std::cout << "Insufficent Buffer size" << std::endl;
lpData = new TCHAR[dwSz];
val = InternetGetCookieEx(argv[1], argv[2], lpData, &dwSz, INTERNET_COOKIE_THIRD_PARTY | INTERNET_FLAG_RESTRICTED_ZONE, NULL);
if (val)
{
std::cout << "Cookie Data: " << lpData << std::endl;
}
else
{
std::cout << "ERROR Code: " << GetLastError() << std::endl;
}
}
else
{
int err = GetLastError();
std::cout << "ERROR Code: " << err << std::endl;
}
}
else
{
std::cout << "Cookie Data: " << lpData << std::endl;
}
//}
return 0;
}
The problem that I am having is that when I call InternetGetCookeEx I always return false and get an error code of 259, which means no more data available. When you consult the API essentially what that means is that it couldn't find my cookie.
Because I am using IE 9 the names for files that the cookie is being stored in are obviously mangled , which is why I am trying to read my cookie data that way.
I have removed the company name to protect the company. Essentially what I am trying to do is. Find the lUsrCtxPersist cookie value. Therefore I am calling the code as such CookieReader.ext http://[CompanyDomain].com lUsrCtxPersist.
However I always get a false and an error code of 259. Any light you might be able to shed on this would be greatly appreciated.
http://msdn.microsoft.com/en-us/library/ms537312%28v=vs.85%29.aspx
Try to use IEGetProtectedModeCookie
Assuming the cookie name is correct, then try removing the INTERNET_COOKIE_THIRD_PARTY and/or INTERNET_FLAG_RESTRICTED_ZONE flags and see what happens. Or try calling InternetGetCookie() instead, which has no such flags available.
On a separate note, when InternetGetCookieEx() returns ERROR_INSUFFICIENT_BUFFER, you are leaking memory. You need to delete[] your existing buffer before then calling new[] to allocate a new buffer.