Clicking a button, without having the windowhandle open

delphi package - getting into other processes
Calandoriel
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

Clicking a button, without having the windowhandle open

Post by Calandoriel »

Hi, for all you guys out there being a real Administrator. You might have come across POP3 Connectors in Exchange.

There is this option which lets you set how often it should check for new e-mails there, and the min limit is set to 15 mins, which is awfully long.

Now, here is the deal. There is also a button in that specific window
which lets you download the e-mails.

Using PostMessage, this is simple stuff. Although, it's painful to be forced to have that window open ALWAYS, since you poke around with other stuff in the Server Administration interface.

So what we have left is two options.

Debug the process, and find the call that sends that "Check for new email" function. It should be a call, meaning we should be able to trigger it.

The second method would be to find a dll which holds that function in export.

If I would have to use the first solution, how would I trigger the call in Exchange from my own application?

Even so, normally a call holds arguments, and most likely the "check for email" button does not send any arguments. Could someone please spawn forth a solution with me to succeed with this?

Thanks

Cal
Calandoriel
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

Started

Post by Calandoriel »

Code:

// Plain procedure that we want to reach by address; it just updates a label on Form2.
procedure Visa;
begin
  Form2.Label1.Caption := 'I''ve been triggered';  // apostrophe inside a Pascal string must be doubled
end;

// Calls whatever address is typed into Edit1 (as a decimal number) as a parameterless stdcall procedure.
procedure VisaASM;
var
  func: procedure; stdcall;
begin
  //Visa;
  func := Pointer(StrToInt(Form2.Edit1.Text));  // hex address must be converted to decimal first
  func;
end;

procedure TForm2.Button1Click(Sender: TObject);
begin
  Visa;
end;

procedure TForm2.FormClose(Sender: TObject; var Action: TCloseAction);
begin
  Label1.Caption := 'nom';
end;

// Button2 reaches VisaASM through an inline-assembler call instead of a normal Pascal call.
procedure TForm2.Button2Click(Sender: TObject);
begin
  asm
    call VisaASM
  end;
end;

I managed to trigger the call by calling 0045025C
(don't forget to transform the hex into dec)

Code:

0045025C   E8C3FFFFFF             call    00450224
However, how would I be able to do this in a remote application?
I mean, it's one thing when you are in the same address space as the remote application, but now I'm not. How can I solve that?
Calandoriel
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

hihi

Post by Calandoriel »

Solved that quite quickly as well by injection into the address space

Thanks :)
Calandoriel
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

hm

Post by Calandoriel »

Annoying as it is, you have to specify the image base;
however, you should be able to calculate a free image base space to inject yourself into. Anyone have any experience with doing just this?

Meaning, instead of specifying {$IMAGEBASE $02000000}

I just inject into a clear, free address in the space of the remote process.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Hello,

not sure why you worry about the image base. You want to call a function of the executable file, which is already loaded at a specific image base. It doesn't really matter where your dll is loaded.

The biggest problem with situations like this is that you first have to find out which function address you want to call. You can find it out by reverse engineering (debugging and/or disassembling). But even if you did that, the very next version of the target application is likely to have different function addresses. And of course calling a wrong function address will most probably crash the target application. So unless you find a way to automatically find out the right function address, regardless of the exact version of the target exe, I'd suggest going the "simulate button press" solution. Sometimes windows are already created and just invisible. You can try pressing the button of the invisible window. You could also use SetWindowsHookEx (or madCodeHook) to stop the window from becoming visible.
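The "simulate button press" route madshi recommends, written out as an added Delphi example (this is not madshi's code, not madCodeHook, and not anything Calandoriel posted). It locates the target window by caption, walks its child controls for a button by caption, and posts BM_CLICK to it, which makes the button notify its parent with WM_COMMAND/BN_CLICKED exactly as a real click would. No function address inside the target is needed, so the approach survives updates of the target executable and cannot crash it by jumping to a wrong address. The window and button captions are placeholders (assumptions); read the real ones from your own installation with Spy++. The window may be hidden, since message delivery does not depend on visibility.

```pascal
program ClickHiddenButton;
{$APPTYPE CONSOLE}

uses
  Windows, SysUtils;

const
  // Assumed placeholder captions: the page does not give the real window
  // and button texts, so look them up with Spy++ on your own machine.
  TargetWindowCaption = 'POP3 Connector';
  TargetButtonCaption = 'Retrieve Now';

type
  TSearch = record
    Wanted: string;   // button caption we are looking for, accelerator stripped
    Found: HWND;      // handle of the matching button, 0 if none
  end;
  PSearch = ^TSearch;

// Strips the '&' accelerator marker so '&Retrieve Now' matches 'Retrieve Now'.
function StripAccel(const S: string): string;
begin
  Result := StringReplace(S, '&', '', [rfReplaceAll]);
end;

function WindowText(Wnd: HWND): string;
var
  Buf: array[0..255] of Char;
begin
  SetString(Result, Buf, GetWindowText(Wnd, Buf, Length(Buf)));
end;

function WndClassName(Wnd: HWND): string;
var
  Buf: array[0..255] of Char;
begin
  SetString(Result, Buf, GetClassName(Wnd, Buf, Length(Buf)));
end;

// EnumChildWindows callback. EnumChildWindows itself descends into nested
// children, so a button inside a group box or tab page is found as well.
function EnumChildProc(Wnd: HWND; LParam: LPARAM): BOOL; stdcall;
var
  S: PSearch;
begin
  S := PSearch(LParam);
  if SameText(WndClassName(Wnd), 'Button') and
     SameText(StripAccel(WindowText(Wnd)), S^.Wanted) then
  begin
    S^.Found := Wnd;
    Result := False;  // match found, stop enumerating
  end
  else
    Result := True;   // keep going
end;

function FindButtonByCaption(Parent: HWND; const Caption: string): HWND;
var
  S: TSearch;
begin
  S.Wanted := StripAccel(Caption);
  S.Found := 0;
  EnumChildWindows(Parent, @EnumChildProc, LPARAM(@S));
  Result := S.Found;
end;

// Posts BM_CLICK to the button. The button control then sends
// WM_COMMAND/BN_CLICKED to its parent, so the target's own click handler runs
// without any of its internal addresses being known. Caveat from the Win32
// docs: for a button on a dialog, BM_CLICK may fail if that dialog is not the
// active window, so check the return value and the effect in the target.
function ClickButton(const WindowCaption, ButtonCaption: string): Boolean;
var
  Wnd, Btn: HWND;
begin
  Result := False;
  Wnd := FindWindow(nil, PChar(WindowCaption));
  if Wnd = 0 then Exit;
  Btn := FindButtonByCaption(Wnd, ButtonCaption);
  if Btn = 0 then Exit;
  if not IsWindowVisible(Wnd) then
    Writeln('target window exists but is hidden; posting the click anyway');
  Result := PostMessage(Btn, BM_CLICK, 0, 0);
end;

begin
  if ClickButton(TargetWindowCaption, TargetButtonCaption) then
    Writeln('click posted')
  else
    Writeln('window or button not found: ', SysErrorMessage(GetLastError));
end.
```

Matching on class name plus caption rather than on a child control ID keeps the lookup readable, but a control ID (GetDlgCtrlID) is stabler across localised builds if you can obtain it; either way, nothing here depends on a hard-coded address such as 0045025C, which is the fragility madshi warns about.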