
I created an SSH agent (similar to PuTTY's pageant.exe) which has a predefined protocol, in which authentication requests are sent to the agent window via WM_COPYDATA.

I now want to display which process requested authentication. For this I need to know which process sent the WM_COPYDATA.

As mentioned, I cannot change the protocol (e.g. sending the process ID along with the message itself) because it is predefined.


1 Answer


The wParam you receive is intended to be the window handle of the window that sent the message. (See note below, though.)

From that, you can use GetWindowThreadProcessId to get a process ID, which you can then use as input to GetProcessImageFileName to retrieve the name of the process.

NOTE: As @RemyLeBeau points out in the comment below, this is of course based on the wParam provided actually being that of the window that sent the WM_COPYDATA message. Sending WM_COPYDATA does not itself enforce that as a requirement.

If it's not, you're out of luck; there's no way I'm aware of to trace back to the process that actually sent the message without that being so. You can at best confirm that it is an actual window handle using IsWindow, but it doesn't confirm that it actually was the window that sent the message.

    Assuming the sender conforms to the requirement of specifying its own `HWND` in the `wParam` field. `SendMessage(WM_COPYDATA)` does not enforce that. Although you can determine if the `wParam` contains a valid `HWND` by using `IsWindow()`, there is nothing to prevent a malicious sender from specifying someone else's `HWND`. – Remy Lebeau Nov 28 '13 at 02:16
    @Remy: Of course it presumes that the HWND passed in is the one sending the message, which is what the question asked. There is no other way I'm aware of to retrieve the information requested without that being true. It's not possible to trace back to the application that dispatched a fraudulent HWND value as the wParam with a WM_COPYDATA message, is it? It's a good point, though; I've added that to my answer, with proper credit being given to you for providing it. – Ken White Nov 28 '13 at 02:25
  • Thank you. That's sad. I looked at wParam already; it's always 0. That's really the first time I hear that something just doesn't work ... – divB Nov 28 '13 at 08:12
  • There may be another chance to find the process because the sender creates a file mapping. I created a new question for this: http://stackoverflow.com/questions/20296441/windows-api-find-process-for-a-file-mapping-handle – divB Nov 30 '13 at 04:20
  • @divB: Yes, that is in fact a different question. If your question in this post has been answered, you should accept the answer to indicate so. See [How does accepting an answer work](http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work). – Ken White Nov 30 '13 at 04:24
  • @RemyLebeau **there is nothing to prevent a malicious sender from specifying someone else's HWND.** Does that apply to `SendMessage(WM_COPYDATA)` only, or to all WMs? – RepeatUntil Sep 22 '15 at 09:30
    @AbdulrahmanAljehani: it applies to any message that carries an `HWND` as data. Not many messages do, but `WM_COPYDATA` is not the only one. If you really want to detect a malicious sender, you would likely have to inject code into every running process to detour the `SendMessage...()` family of functions so you can know which process is sending which message to which `HWND`, and in the case of `WM_COPYDATA` you would then be able to use `GetCurrentProcessId()` and `GetWindowThreadProcessId()` to check if the `HWND` in the `wParam` parameter belongs to the process that is sending the message. – Remy Lebeau Sep 22 '15 at 16:53
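The lookup the answer describes (take the `wParam` as an `HWND`, check it with `IsWindow`, map it to a process with `GetWindowThreadProcessId`, then read the process image), together with the two failure cases raised in the comments (a `wParam` of 0, and a handle that is a live window but not necessarily the sender's), as an added PowerShell example. This is not code from the original post or from any of the participants; the function name `Resolve-CopyDataSender` and the status values are my own, it assumes a Windows host where `Add-Type` can P/Invoke `user32.dll`, and it uses `Get-Process` in place of `GetProcessImageFileName` to read the image path. In a real agent you would call it from the `WM_COPYDATA` branch of your window procedure with that message's `wParam`; here it is exercised with handles chosen for illustration.

```powershell
# Added example, not part of the original Stack Overflow post.
# Resolves the HWND a WM_COPYDATA sender placed in wParam to a process, applying
# the checks from the answer and comments above. Assumes Windows + user32.dll.

Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool IsWindow(IntPtr hWnd);

[DllImport("user32.dll", SetLastError = true)]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);

[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr GetForegroundWindow();
'@

function Resolve-CopyDataSender {
    # $WParam is the wParam of a received WM_COPYDATA message, which by convention
    # is the sender's own window handle. The convention is not enforced by Windows.
    param([Parameter(Mandatory)][IntPtr]$WParam)

    $result = [ordered]@{
        Status    = $null
        ThreadId  = $null
        ProcessId = $null
        ImagePath = $null
        # Even a resolved handle only tells you who OWNS the window, not who sent
        # the message: a sender may put any live HWND into wParam (Remy's point).
        Note      = 'Window owner, not a proof of sender identity'
    }

    # Case seen by the asker: some senders leave wParam at 0. Nothing to resolve.
    if ($WParam -eq [IntPtr]::Zero) {
        $result.Status = 'NoHandle'
        return [pscustomobject]$result
    }

    # IsWindow only confirms the value is a live window handle right now.
    if (-not [Win32.User32]::IsWindow($WParam)) {
        $result.Status = 'NotAWindow'
        return [pscustomobject]$result
    }

    [uint32]$procId = 0
    $threadId = [Win32.User32]::GetWindowThreadProcessId($WParam, [ref]$procId)
    if ($threadId -eq 0) {
        # Handle went away between IsWindow and the lookup, or lookup failed.
        $result.Status = 'LookupFailed'
        return [pscustomobject]$result
    }

    $result.Status    = 'Resolved'
    $result.ThreadId  = $threadId
    $result.ProcessId = $procId

    # Path is $null when this process lacks query rights on the target
    # (e.g. an elevated or protected process); treat that as "unknown", not as an error.
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    if ($proc) { $result.ImagePath = $proc.Path }

    return [pscustomobject]$result
}

# --- Illustration with constructed inputs (no WM_COPYDATA is actually received here) ---

# 1. wParam of 0, as the asker observed from their client.
Resolve-CopyDataSender -WParam ([IntPtr]::Zero)

# 2. An arbitrary value that is almost certainly not a window handle.
Resolve-CopyDataSender -WParam ([IntPtr]0x1234)

# 3. A genuine live HWND (the current foreground window) standing in for a
#    well-behaved sender that put its own window handle in wParam.
Resolve-CopyDataSender -WParam ([Win32.User32]::GetForegroundWindow())
```

When you log the result in the agent, keep the `Note` field (or an equivalent) next to the image path: the path is useful for display, but because the handle is supplied by the sender it must not be used as an authorization decision for releasing a key.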