AddressOf Form_Initialize()

F3B14N · 28 Febrero 2011, 23:41 PM

Hola gente, estoy buscando obtener la direccion de Form_Initialize. A mi se me ocurre por medio de un hook, pero no me gusta es muy groncho

Gracias

raul338 · 28 Febrero 2011, 23:49 PM

AdressOf no funciona con algo que no sea una funcion de modulo publico

F3B14N · 1 Marzo 2011, 00:08 AM

Cita de: raul338 en 28 Febrero 2011, 23:49 PM
AdressOf no funciona con algo que no sea una funcion de modulo ~~publico~~

por ello hice este post

raul338 · 1 Marzo 2011, 01:12 AM

Lo siento

tuve una larga interrupcion cuando intentaba responder y mande eso solo

Yo te diria (era mi idea tambien, pero no dispongo de muucho tiempo disponible) que se podria hacer con TypeLib Library (lo que Mr Frog uso para hacer un CallByNameEx en su clsContest) pero junto con ASM (vi una cierta tecnica que era lanzar un CallWndProc a un puntero cualquiera que apunte a una interfaz)
No se nada de ello, pero confio e investigare si se puede o no

LeandroA · 1 Marzo 2011, 02:03 AM

hola, por curiosidad para que nececistas el adress de Form_Initialize? si vos estas buscando interceptar la inicializacion de una ventana es combeniente interceptarlo con un hook (fuera del formulario obiamente) digo fuera del formulario porque este aun no se creo, me refiero exactamente a arrancar la aplicacion desde un sub main crear el gancho llamar al form y interceptar el msg WM_CREATE

ejemplo

Código [Seleccionar]


Option Explicit

Private Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Private Declare Function UnhookWindowsHookEx Lib "user32" (ByVal hHook As Long) As Long
Private Declare Function CallNextHookEx Lib "user32" (ByVal hHook As Long, ByVal ncode As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function GetClassName Lib "user32" Alias "GetClassNameA" (ByVal hwnd As Long, ByVal lpClassName As String, ByVal nMaxCount As Long) As Long

Private Type CWPSTRUCT
    lParam As Long
    wParam As Long
    message As Long
    hwnd As Long
End Type

Private Enum HookConstants
    HC_ACTION = 0
    HC_GETNEXT = 1
    HC_SKIP = 2
    HC_NOREMOVE = 3
    HC_NOREM = HC_NOREMOVE
    HC_SYSMODALOFF = 5
    HC_SYSMODALON = 4
End Enum

Private Const WH_CALLWNDPROC = 4
Private Const WM_CREATE = &H1
Private Const WM_DESTROY As Long = &H2

Private hHook As Long

Private Sub main()
    StartHooking
    Form1.Show
End Sub

Public Function HookProc(ByVal uCode As Long, ByVal wParam As Long, lParam As CWPSTRUCT) As Long

    HookProc = CallNextHookEx(hHook, uCode, wParam, lParam)

    If uCode = HC_ACTION Then
    
        Select Case lParam.message
       
            Case WM_CREATE
                If GetWinClassName(lParam.hwnd) = "ThunderFormDC" Then
                    Debug.Print "Inicializa Form: " & lParam.hwnd
                End If
                
            Case WM_DESTROY
                Call EndHooking
    
        End Select
    
    End If
End Function



Public Sub EndHooking()
    If hHook <> 0 Then
        UnhookWindowsHookEx hHook
        hHook = 0
    End If
End Sub

Public Sub StartHooking()
    hHook = SetWindowsHookEx(WH_CALLWNDPROC, AddressOf HookProc, 0, App.ThreadID)
End Sub


Public Function GetWinClassName(hwnd As Long) As String
    Dim sClass As String * 255, ret&
    sClass = String(255, 0)
    ret = GetClassName(hwnd, ByVal sClass, 255)
    GetWinClassName = Left$(sClass, ret)
End Function

F3B14N · 1 Marzo 2011, 03:57 AM

Gracias Leandro, pero no es eso lo que busco sino:

Código [Seleccionar]

Option Explicit

Private Type GUID
    Data1 As Long
    Data2 As Integer
    Data3 As Integer
    Data4(7) As Byte
End Type

Public Declare Function VirtualProtect Lib "kernel32" (lpAddress As Any, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Private Declare Function CreateThread Lib "kernel32" (ByVal lpSecurityAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByRef lpBaseAddress As Any, ByRef lpBuffer As Any, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long
Private Declare Function VBDllGetClassObject Lib "MSVBVM60" (g1 As Long, g2 As Long, ByVal g3_vbHeader As Long, REFCLSID As Long, REFIID As GUID, ppv As Long) As Long
Private Declare Function CreateIExprSrvObj Lib "MSVBVM60" (ByVal p1_0 As Long, ByVal p2_4 As Long, ByVal p3_0 As Long) As Long
Private Declare Function CoInitialize Lib "OLE32" (ByVal pvReserved As Long) As Long
Private Declare Sub CoUninitialize Lib "OLE32" ()
Private m_nFakeHeader As Long
Public Declare Function MessageBox Lib "user32" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long

Public Sub CreateNewThread(ByVal lAddress As Long, ByVal lVal As Long, Optional ByRef lHandle As Long, Optional ByRef lThread As Long)
    If m_nFakeHeader = 0 Then
        Call GetFakeHeader

    End If
    lHandle = CreateThread(ByVal 0&, ByVal 0&, lAddress, ByVal lVal, 0, lThread)
End Sub

Public Sub InitCurrentThread()
    Call CreateIExprSrvObj(0, 4, 0)
    Call CoInitialize(0)
    Call InitVBdll
End Sub

Public Sub TerminateCurrentThread()
    Call CoUninitialize
End Sub

Public Sub GetFakeHeader()
    Dim lPtr            As Long
    Dim lProc           As Long
    Dim bdata(1024)     As Byte
    Dim sData           As String
    Dim lRet            As Long
       
    lPtr = App.hInstance
    Do While lRet = 0
        If Not ReadProcessMemory(-1, ByVal lPtr, bdata(0), 1024, 0&) = 0 Then
            sData = StrConv(bdata, vbUnicode)
            lRet = InStr(1, sData, "VB5!", vbBinaryCompare)
        Else
            Exit Sub
        End If
        lPtr = lPtr + 1024
    Loop
    m_nFakeHeader = lPtr + lRet - 1024 - 1
End Sub

Private Sub InitVBdll()
    Dim pIID As GUID

    With pIID
        .Data1 = 1
        .Data4(0) = &HC0
        .Data4(7) = &H46
    End With
    
    'Escribir en (AddressOf Main o AddressOf Form_Initialize): &HC3 (RETN)
    Call VBDllGetClassObject(0, 0, m_nFakeHeader, 0, pIID, 0)
End Sub

Public Sub aaa()
InitCurrentThread
Form2.Show vbModal
TerminateCurrentThread
End Sub

Si probas el código, podrás ver que al crear un thread nuevo se ejecuta la función principal del programa (Main o Form_Init..), yo creo poder evitar eso escribiendo un RETN &HC3, en la dirección de "la función principal" pero no se crear una función genérica que me devuelva la dirección sea un modulo o form.

La función principal es llamada al llamar VBDllGetClassObject, estuve viendo las estructuras http://vb-decompiler.com/viewtopic.php?t=2 , pensando que podria encontrar la dirección ahi pero tampoco $:-\$

Bueno eso es lo que quiero hacer, pero necesito ayuda

Saludos

MCKSys Argentina · 4 Marzo 2011, 00:17 AM

Podrias usar las estructuras definidas en este script de IDA: http://www.openrce.org/downloads/details/245/VB_Helper_Script

Solo debes convertirlas para usarlas con VB y listo...

Saludos!

F3B14N · 9 Marzo 2011, 21:47 PM

Cita de: MCKSys Argentina en 4 Marzo 2011, 00:17 AM
Podrias usar las estructuras definidas en este script de IDA: http://www.openrce.org/downloads/details/245/VB_Helper_Script

Solo debes convertirlas para usarlas con VB y listo...

Saludos!

Gracias, pero aún sigo sin lograr lo que busco, seguiré intentandolo $:-\$
Aca dejo las estructuras y poco mas para quienes las puedan necesitar:

Código (vb) [Seleccionar]

Private Type VBHeader
    szVbMagic As Long '0x00, VB5! String
    wRuntimeBuild  As Integer '0x04, Build of the VB6 Runtime
    szLangDll(13) As Byte '0x06, Language Extension DLL
    szSecLangDll(13) As Byte '0x14, Language Extension DLL
    wRuntimeRevision As Integer '0x22, Internal Runtime Revision
    dwLcid  As Long '0x24, LCID of Language DLL
    dwSecLCID   As Long '0x28, LCID of 2nd Language DLL
    lpSubMain   As Long '0x2C, Pointer to Sub Main Code
    lpProjectData As Long '0x30, Pointer to Project Data
    fMdlIntCtls As Long '0x34, VB Control Flags for IDs < 32
    fMdlIntCtls2 As Long '0x38, VB Control Flags for IDs > 32
    dwThreadFlags As Long '0x3C, Threading Mode
    dwThreadCount As Long '0x40, Threads to support in pool
    wFormCount As Long '0x44, Number of forms present
    wExternalCount As Integer '0x46, Number of external controls
    dwThunkCount As Long '0x48, Number of thunks to create
    lpGuiTable As Long '0x4C, Pointer to GUI Table
    lpExternalTable As Long '0x50, Pointer to External Table
    lpComRegisterData As Long '0x54, Pointer to COM Information
    bSZProjectDescription As Long '0x58, Offset to Project Description
    bSZProjectExeName As Long '0x5C, Offset to Project EXE Name
    bSZProjectHelpFile As Long '0x60, Offset to Project Help File
    bSZProjectName As Long '0x64, Offset to Project Name
End Type
                                                     
Private Type COMRegistrationData
    bRegInfo As Long '0x00, Offset to COM Interfaces Info
    bSZProjectName As Long '0x04, Offset to Project/Typelib Name
    bSZHelpDirectory As Long '0x08, Offset to Help Directory
    bSZProjectDescription As Long '0x0C, Offset to Project Description
    uuidProjectClsId(15) As Byte ' 0x10, CLSID of Project/Typelib
    dwTlbLcid As Long '0x20, LCID of Type Library
    wUnknown As Integer '0x24, Might be something. Must check
    wTlbVerMajor As Integer '0x26, Typelib Major Version
End Type
                                                       
Private Type COMRegistrationInfo
    bNextObject     As Long '0x00, Offset to COM Interfaces Info
    bObjectName     As Long '0x04, Offset to Object Name
    bObjectDescription  As Long '0x08, Offset to Object Description
    dwInstancing    As Long '0x0C, Instancing Mode
    dwObjectId  As Long '0x10, Current Object ID in the Project
    uuidObject(15) As Byte  '0x14, CLSID of Object
    fIsInterface    As Long '0x24, Specifies if the next CLSID is valid
    bUuidObjectIFace    As Long '0x28, Offset to CLSID of Object Interface
    bUuidEventsIFace    As Long '0x2C, Offset to CLSID of Events Interface
    fHasEvents  As Long '0x30, Specifies if the CLSID above is valid
    dwMiscStatus    As Long '0x34, OLEMISC Flags (see MSDN docs)
    fClassType As Byte '0x38, Class Type
    fObjectType As Byte '0x39, Flag identifying the Object Type
    wToolboxBitmap32 As Integer '0x3A, Control Bitmap ID in Toolbox
    wDefaultIcon As Integer '0x3C, Minimized Icon of Control Window
    fIsDesigner As Integer ' 0x3E, Specifies whether this is a Designer
    bDesignerData As Long '0x40, Offset to Designer Data
End Type
                                                     
Private Type DesignerInfo
    uuidDesigner(15) As Byte '0x00, CLSID of the Addin/Designer
    cbStructSize As Long '0x10, Total Size of the next fields.
    '    ea = ea + 0x18;
    '    MakeDword       (ea - 0x04
    'bstrAddinRegKey     FixStr          (ea, Registry Key of the Addin
    '    ea = ea + 0x04 + Dword(ea - 0x04
    '    MakeDword       (ea - 0x04
    'bstrAddinName   FixStr          (ea, Friendly Name of the Addin
    '    ea = ea + 0x04 + Dword(ea - 0x04
    '    MakeDword       (ea - 0x04
    'bstrAddinDescription    FixStr          (ea, Description of Addin
    '    ea = ea + Dword(ea - 0x04
    'dwLoadBehaviour     FixDword        (ea, CLSID of Object
    '    ea = ea + 0x08;
    '    MakeDword       (ea - 0x04
    'bstrSatelliteDll    FixStr          (ea, Satellite DLL, if specified
    '    ea = ea + 0x04 + Dword(ea - 0x04
    '    MakeDword       (ea - 0x04
    'bstrAdditionalRegKey    FixStr          (ea, Extra Registry Key, if specified
    '    ea = ea + Dword(ea - 0x04
    'dwCommandLineSafe   FixDword        (ea, Specifies a GUI-less Addin if 1.
End Type
                                                     
Private Type ProjectInformation
    dwVersion   As Long '0x00, 5.00 in Hex (0x1F4). Version.
    lpObjectTable   As Long '0x04, Pointer to the Object Table
    dwNull  As Long '0x08, Unused value after compilation.
    lpCodeStart     As Long '0x0C, Points to start of code. Unused.
    lpCodeEnd   As Long '0x10, Points to end of code. Unused.
    dwDataSize  As Long '0x14, Size of VB Object Structures. Unused.
    lpThreadSpace   As Long '0x18, Pointer to Pointer to Thread Object.
    lpVbaSeh    As Long '0x1C, Pointer to VBA Exception Handler
    lpNativeCode    As Long '0x20, Pointer to .DATA section.
    szPathInformation(527) As Byte '0x24, Contains Path and ID string. < SP6
    lpExternalTable     As Long '0x234, Pointer to External Table.
    dwExternalCount     As Long '0x238, Objects in the External Table.
End Type

Private Type SecondaryProjectInformation
    lpHeapLink  As Long '0x00, Unused after compilation, always 0.
    lpObjectTable   As Long '0x04, Back-Pointer to the Object Table.
    dwReserved  As Long '0x08, Always set to -1 after compiling. Unused
    dwUnused    As Long '0x0C, Not written or read in any case.
    lpObjectList    As Long '0x10, Pointer to Object Descriptor Pointers.
    dwUnused2   As Long '0x14, Not written or read in any case.
    szProjectDescription    As Long '0x18, Pointer to Project Description
    szProjectHelpFile   As Long '0x1C, Pointer to Project Help File
    dwReserved2     As Long '0x20, Always set to -1 after compiling. Unused
    dwHelpContextId     As Long '0x24, Help Context ID set in Project Settings.
End Type
            
Private Type ObjectTable
    lpHeapLink  As Long '0x00, Unused after compilation, always 0.
    lpExecProj  As Long '0x04, Pointer to VB Project Exec COM Object.
    lpProjectInfo2  As Long '0x08, Secondary Project Information.
    dwReserved  As Long '0x0C, Always set to -1 after compiling. Unused
    dwNull  As Long '0x10, Not used in compiled mode.
    lpProjectObject     As Long '0x14, Pointer to in-memory Project Data.
    uuidObject(15) As Byte '0x18, GUID of the Object Table.
    fCompileState   As Integer '0x28, Internal flag used during compilation.
    dwTotalObjects  As Integer '0x2A, Total objects present in Project.
    dwCompiledObjects   As Integer '0x2C, Equal to above after compiling.
    dwObjectsInUse  As Integer '0x2E, Usually equal to above after compile.
    lpObjectArray   As Long '0x30, Pointer to Object Descriptors
    fIdeFlag    As Long '0x34, Flag/Pointer used in IDE only.
    lpIdeData   As Long '0x38, Flag/Pointer used in IDE only.
    lpIdeData2  As Long '0x3C, Flag/Pointer used in IDE only.
    lpszProjectName     As Long '0x40, Pointer to Project Name.
    dwLcid  As Long '0x44, LCID of Project.
    dwLcid2     As Long '0x48, Alternate LCID of Project.
    lpIdeData3  As Long '0x4C, Flag/Pointer used in IDE only.
    dwIdentifier    As Long '0x50, Template Version of Structure.
End Type
                                                       
Private Type PrivateObjectDescriptor
    lpHeapLink  As Long '0x00, Unused after compilation, always 0.
    lpObjectInfo    As Long '0x04, Pointer to the Object Info for this Object.
    dwReserved  As Long '0x08, Always set to -1 after compiling.
    dwIdeData   As Long '0x0C, [3] Not valid after compilation.
    Unknown1 As Long '0x10
    Unknown2 As Long '0x14
    lpObjectList    As Long '0x18, Points to the Parent Structure (Array)
    dwIdeData2  As Long '0x1C, Not valid after compilation.
    lpObjectList2   As Long '0x20, [3] Points to the Parent Structure (Array).
    Unknown3 As Long '0x24
    Unknown4 As Long ' 0x28
    wIdeData3  As Long '0x2C, [3] Not valid after compilation.
    Unknown5 As Long '0x30
    Unknown6 As Long '0x34
    dwObjectType    As Long '0x38, Type of the Object described.
    dwIdentifier    As Long '0x3C, Template Version of Structure.
End Type
                                                       
Private Type PublicObjectDescriptor
    lpObjectInfo    As Long '0x00, Pointer to the Object Info for this Object.
    dwReserved  As Long '0x04, Always set to -1 after compiling.
    lpPublicBytes   As Long '0x08, Pointer to Public Variable Size integers.
    lpStaticBytes   As Long '0x0C, Pointer to Static Variable Size integers.
    lpModulePublic  As Long '0x10, Pointer to Public Variables in DATA section
    lpModuleStatic  As Long '0x14, Pointer to Static Variables in DATA section
    lpszObjectName  As Long '0x18, Name of the Object.
    dwMethodCount   As Long '0x1C, Number of Methods in Object.
    lpMethodNames   As Long '0x20, If present, pointer to Method names array.
    bStaticVars     As Long '0x24, Offset to where to copy Static Variables.
    fObjectType     As Long '0x28, Flags defining the Object Type.
    dwNull  As Long '0x2C, Not valid after compilation.
End Type
                                                     
Private Type ObjectInformation
    wRefCount   As Integer '0x00, Always 1 after compilation.
    wObjectIndex    As Integer '0x02, Index of this Object.
    lpObjectTable   As Long '0x04, Pointer to the Object Table
    lpIdeData   As Long '0x08, Zero after compilation. Used in IDE only.
    lpPrivateObject     As Long '0x0C, Pointer to Private Object Descriptor.
    dwReserved  As Long '0x10, Always -1 after compilation.
    dwNull  As Long '0x14, Unused.
    lpObject    As Long '0x18, Back-Pointer to Public Object Descriptor.
    lpProjectData   As Long '0x1C, Pointer to in-memory Project Object.
    wMethodCount    As Integer '0x20, Number of Methods
    wMethodCount2   As Integer '0x22, Zeroed out after compilation. IDE only.
    lpMethods   As Long '0x24, Pointer to Array of Methods.
    wConstants  As Integer '0x28, Number of Constants in Constant Pool.
    wMaxConstants   As Integer '0x2A, Constants to allocate in Constant Pool.
    lpIdeData2  As Long '0x2C, Valid in IDE only.
    lpIdeData3  As Long '0x30, Valid in IDE only.
    lpConstants     As Long '0x34, Pointer to Constants Pool.
End Type
    
Private Type OptionalObjectInformation
    dwObjectGuids   As Long '0x00, How many GUIDs to Register. 2 = Designer
    lpObjectGuid    As Long '0x04, Unique GUID of the Object *VERIFY*
    dwNull  As Long '0x08, Unused.
    lpuuidObjectTypes   As Long '0x0C, Pointer to Array of Object Interface GUIDs
    dwObjectTypeGuids   As Long '0x10, How many GUIDs in the Array above.
    lpControls2     As Long '0x14, Usually the same as lpControls.
    dwNull2     As Long '0x18, Unused.
    lpObjectGuid2   As Long '0x1C, Pointer to Array of Object GUIDs.
    dwControlCount  As Long '0x20, Number of Controls in array below.
    lpControls  As Long '0x24, Pointer to Controls Array.
    wEventCount     As Integer '0x28, Number of Events in Event Array.
    wPCodeCount     As Integer '0x2A, Number of P-Codes used by this Object.
    bWInitializeEvent   As Integer '0x2C, Offset to Initialize Event from Event Table.
    bWTerminateEvent    As Integer '0x2E, Offset to Terminate Event in Event Table.
    lpEvents    As Long '0x30, Pointer to Events Array.
    lpBasicClassObject  As Long '0x34, Pointer to in-memory Class Objects.
    dwNull3     As Long '0x38, Unused.
    lpIdeData   As Long '0x3C, Only valid in IDE.
End Type
                                                       
Private Type ControlInformation
    fControlType    As Long '0x00, Type of control.
    wEventCount     As Integer '0x04, Number of Event Handlers supported.
    bWEventsOffset  As Integer '0x06, Offset in to Memory struct to copy Events.
    lpGuid  As Long '0x08, Pointer to GUID of this Control.
    dwIndex     As Long '0x0C, Index ID of this Control.
    dwNull  As Long '0x10, Unused.
    dwNull2     As Long '0x14, Unused.
    lpEventTable    As Long '0x18, Pointer to Event Handler Table.
    lpIdeData   As Long '0x1C, Valid in IDE only.
    lpszName    As Long '0x20, Name of this Control.
    dwIndexCopy     As Long '0x24, Secondary Index ID of this Control.
End Type

Private Function GetFakeHeader() As Long
    Dim lPtr            As Long
    Dim lProc           As Long
    Dim bData(1024)     As Byte
    Dim sData           As String
    Dim lRet            As Long
       
    lPtr = App.hInstance
    Do While lRet = 0
        Call ReadProcessMemory(-1, ByVal lPtr, bData(0), 1024, 0&)
        sData = StrConv(bData, vbUnicode)
        lRet = InStr(1, sData, "VB5!", vbBinaryCompare)
        lPtr = lPtr + 1024
    Loop
    GetFakeHeader = lPtr + lRet - 1024 - 1
End Function

Public Function GetFormAddress() As Long
Dim dd As VBHeader
Dim tt As ProjectInformation
Dim ss As ObjectTable
Dim aa As PublicObjectDescriptor
Dim jj As OptionalObjectInformation
Dim yy As ControlInformation

Call ReadProcessMemory(-1, ByVal GetFakeHeader, dd, LenB(dd), 0)
Call ReadProcessMemory(-1, ByVal dd.lpProjectData, tt, LenB(tt), 0)
Call ReadProcessMemory(-1, ByVal tt.lpObjectTable, ss, LenB(ss), 0)
Call ReadProcessMemory(-1, ByVal ss.lpObjectArray, aa, LenB(aa), 0)

Call ReadProcessMemory(-1, ByVal aa.lpObjectInfo, jj, LenB(jj), 0)
Call ReadProcessMemory(-1, ByVal jj.lpControls, yy, LenB(yy), 0)
MsgBox jj.bWInitializeEvent
MsgBox jj.bWTerminateEvent
MsgBox yy.lpEventTable