
What Are Other Ways to Capture WindowsMessages Sent From GUI Elements?


Zohar

Hi

Up until now, I have used Spy++, and Resource Hacker, in order to know what is the WindowsMessage + wParam that is sent after performing some GUI operation,
like clicking a MenuItem/ToolbarButton/etc.

 

Are there other ways in addition to these 2 to get the message sent?

Specifically, I am having a problem in catching the WindowsMessages being sent after clicking MenuItems in the Console Window (cmd.exe).

I am using Windows XP.

Window_Menu.png

Thank you


I should add that if I try to Spy on the cmd.exe window,
I get this message:

spypp.png

 

That's why I can't use Spy++, and am looking for another option to get the Message and wParam that goes with it for each MenuItem..


Try like this:

  1. Run the Window Detective program.
  2. Run cmd.exe.
  3. Drag the "Pick window" icon from Window Detective to the cmd window. Doing so, the "ConsoleWindowClass" will be highlighted in the process list in the Window Detective program.
  4. Now right-click on the highlighted ConsoleWindowClass item and choose the "Messages..." item from the contextual menu.

 

Chimp


Thank you Chimp..

I followed your steps now, and it's quite like I did before, and the result is the same: the messages window remains empty even if I open the Window Menu and click some items there, like Paste, or any other MenuItem.

Did it catch messages successfully on your computer?

(maybe it changes between versions of windows? I use Windows XP SP3)


on a cmd.exe run on Win7 x 32 it worked, all messages about ConsoleWindowClass are shown while you use the cmd windows.

..... on a cmd.exe run on Win7 x 64 it doesn't work (messages window remains empty).


I think that on Windows XP (32-bit) it should work... (?)

 

Chimp


I use Windows XP 32bit, and unfortunately it doesn't..


But it's interesting, it might mean that one can copy the WindowsMessage + wParams from another version of windows..
(and hopefully it will be identical)


Definitely worth a check..


probably, the cmd prompt is admin and the spy++ is not.

I am using Windows XP, and my user is an administrator user..

 

http://www.nektra.com

Spystudio and other things can deep dive into your system. 

Thank you,

I downloaded it and ran it now,

I hooked to cmd.exe's process, but I can't find anything regarding WindowsMessages there..


I tried and got the same result; apparently it is by design, something about csrss owning the console window.

There are probably ways around it, if you write your own spy app and do a bit of dll injection and other such voodoo.

Too uninteresting for myself to care about looking into.

Happy hunting.


I remember something on #32768 popup classes and spying on those, but googled this, maybe it helps

https://autohotkey.com/board/topic/90307-hotkeyp-spy-utility-for-detecting-wm-command-messages/

And I assume you have the same problem on the menus of calculator

With simplespy in the IUIAutomation thread in examples I can spy on your menuitems with no problem.


on a cmd.exe run on Win7 x 32 it worked, all messages about ConsoleWindowClass are shown while you use the cmd windows.

..... on a cmd.exe run on Win7 x 64 it doesn't work (messages window remains empty).

I should get a Windows 7 32bit VM, to get the messages out of it, and hopefully it's the same wParams on Windows XP too.

Microsoft had VMs of various versions of Windows on their website (for testing IE on different versions of Windows)

I will check if it's still available, and if yes will try with it..


BTW,
I remember it was once said that Microsoft released a part of the code of Windows..
Maybe this part contains cmd.exe and its window too?
(I don't believe the window and Menu are contained in the cmd.exe file, it's probably in another file that acts as a wrapper for it... the question is which file is it?)


Maybe this is part of the cause, as message spying is done with SetWindowsHookEx

If you want to inject code into system services (lsass.exe, services.exe, winlogon.exe, and so on) or into csrss.exe, set the privileges of your process to "SeDebugPrivilege" (AdjustTokenPrivileges) before opening a handle to the remote process (OpenProcess).

 

Most likely cmd.exe has a high privilege. Not sure how you could set the exe that is spying to have SeDebugPrivilege on cmd.exe

