Clicking a button, without having the windowhandle open


Postby Calandoriel » Thu Jun 26, 2008 4:38 pm

Hi, for all you guys out there being a real Administrator. You might have come across Pop3 Connectors in Exchange.

There is this option which lets you set how often it should check for new e-mails there, and the min limit is set to 15 mins, which is awfully long.

Now, here is the deal. There is also a button in that specific window which lets you download the e-mails.

Using PostMessage, this is simple stuff. Although, it's painful to be forced to have that window open ALWAYS, since you poke around with other stuff in the Server Administration interface.

So what we have left are two options.

Debug the process, and find the call that sends that "Check for new email" function. It should be a call, meaning we should be able to trigger it.

The second method would be to find a DLL which holds that function in its exports.

If I would have to use the first solution, how would I trigger the call in Exchange from my own application?

Even so, normally a call holds arguments, and most likely the "check for email" button does not send any arguments. Could someone please spawn forth a solution with me to succeed with this?

Thanks

Cal
Calandoriel
 
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

Started

Postby Calandoriel » Thu Jun 26, 2008 5:25 pm

Code:
// Target routine: updates the label so a successful call is visible.
procedure Visa;
begin
  Form2.Label1.Caption := 'I''ve been triggerd';
end;

// Calls whatever address is typed into Edit1 (as a decimal number).
procedure VisaASM;
var
  func: procedure; stdcall;
begin
  //Visa;
  func := Pointer(StrToInt(Form2.Edit1.Text));
  func;
end;

procedure TForm2.Button1Click(Sender: TObject);
begin
  Visa;
end;

procedure TForm2.FormClose(Sender: TObject; var Action: TCloseAction);
begin
  Label1.Caption := 'nom';
end;

procedure TForm2.Button2Click(Sender: TObject);
begin
  asm
    call VisaASM
  end;
end;

end.


I managed to trigger the call by calling 0045025C (don't forget to transform the hex into dec)
Code:
0045025C   E8C3FFFFFF             call    00450224


However, how would I be able to do this in a remote application?
I mean, it's one thing when you are in the same address space as the remote application, but now, I'm not. How can I solve that?

hihi

Postby Calandoriel » Thu Jun 26, 2008 6:39 pm

Solved that quite quickly as well by injection into the address space

Thanks :)

hm

Postby Calandoriel » Thu Jun 26, 2008 6:59 pm

Annoying as it is, you have to specify the imagebase. However, you should be able to calculate a free imagebase space to inject yourself into. Anyone have any experience with doing just this?

Meaning, instead of specifying {$IMAGEBASE $02000000}

I just inject into a clear free address in the space of the remote process.

Postby madshi » Thu Jul 03, 2008 9:30 pm

Hello,

not sure why you worry about the image base. You want to call a function of the executable file, which is already loaded at a specific image base. It doesn't really matter where your dll is loaded.

The biggest problem with situations like this is that you first have to find out which function address you want to call. You can find it out by reverse engineering (debugging and/or disassembling). But even if you did that, the very next version of the target application is likely to have different function addresses. And of course calling a wrong function address will most probably crash the target application. So unless you find a way to automatically find out the right function address, regardless of the exact version of the target exe, I'd suggest going with the "simulate button press" solution. Sometimes windows are already created and just invisible. You can try pressing the button of the invisible window. You could also use SetWindowsHookEx (or madCodeHook) to stop the window from becoming visible.
madshi
Site Admin
 
Posts: 9414
Joined: Sun Mar 21, 2004 5:25 pm
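
The "simulate button press" route suggested in the reply above, as an added example that is not part of the original thread and not madshi's code. The dialog caption and button text are hypothetical placeholders, and the button is assumed to be a direct child of the dialog with the standard 'Button' class.

```delphi
program PressHiddenButton;
{$APPTYPE CONSOLE}

uses
  Windows, Messages;

const
  // Hypothetical placeholders: read the real values with a window spy tool.
  DlgCaption = 'DIALOG-CAPTION-PLACEHOLDER';
  BtnCaption = 'BUTTON-TEXT-PLACEHOLDER';

// Locates the dialog by caption and tells it that the named button was
// clicked. FindWindow also returns windows that exist but are not visible.
function PressButton(const ADlg, ABtn: string): Boolean;
var
  Dlg, Btn: HWND;
  CtrlId: Integer;
begin
  Result := False;
  Dlg := FindWindow(nil, PChar(ADlg));
  if Dlg = 0 then Exit;                        // window not created yet
  // FindWindowEx only searches direct children of Dlg.
  Btn := FindWindowEx(Dlg, 0, 'Button', PChar(ABtn));
  if (Btn = 0) or not IsWindowEnabled(Btn) then Exit;
  CtrlId := GetDlgCtrlID(Btn);
  if CtrlId = 0 then Exit;                     // no control id to report
  // BM_CLICK can fail when the dialog is not the active window, so post the
  // notification a real click produces: WM_COMMAND carrying BN_CLICKED.
  Result := PostMessage(Dlg, WM_COMMAND,
    MakeWParam(Word(CtrlId), BN_CLICKED), LPARAM(Btn));
end;

begin
  if PressButton(DlgCaption, BtnCaption) then
    Writeln('Click notification posted')
  else
    Writeln('Window or button not found, or the message was refused');
end.
```

No function address is hardcoded, so this keeps working across versions of the target as long as the caption and button text stay the same. On Windows Vista and later, UIPI refuses messages posted to a window owned by a higher-integrity process, so the helper has to run at the same integrity level as the console it drives.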

