Send WM_NOTIFY from injected DLL or used __published function?

Question

Hello. I'm have ListView control in another process. I wan't press click on ListView.

Because windows forbiden send WM_NOTIFY throw process, i decide inject dll into app.

When i try to send WM_NOTIFY message from injected dll, i'm get error 998.

NMITEMACTIVATE nmbh;
nmbh.hdr.code = NM_DBLCLK;
nmbh.hdr.hwndFrom = a_FirstChild;
nmbh.hdr.idFrom = GetDlgCtrlID(a_FirstChild);
nmbh.iItem = 1;
nmbh.iSubItem = 0;
nmbh.uNewState = 0;
nmbh.uOldState = 0;
nmbh.uChanged = 0;
nmbh.uKeyFlags = 0;
SendMessage(GetParent(a_FirstChild), WM_NOTIFY, (WPARAM)a_FirstChild, (LPARAM)&nmbh);

When i try execute ListViewClick function by address, app crash.

typedef void(__cdecl *pFunctionAddress)();
pFunctionAddress pBtn = (pFunctionAddress)(0x00402F12); 
pBtn();

Somebody help.

Very much doubt that you need to inject to automate this app. Why not use automation? — David Heffernan, May 16 '16 at 13:36
@DavidHeffernan like AutoIT? All my press goes down on third session which user dont see, so i'm used winapi from dll. — r1se, May 16 '16 at 13:49
[UI Automation](https://msdn.microsoft.com/en-us/library/windows/desktop/ee684009.aspx). — IInspectable, May 16 '16 at 13:52
@DavidHeffernan I don't have source code, and GUI used VCL model, — r1se, May 16 '16 at 14:03
So what? VCL is just a wrapper of Win32 and so can be automated. WM_NOTIFY can be sent across process boundaries. I think you need to get a better grip on what you are doing before you can hope to make progress. — David Heffernan, May 16 '16 at 14:47
@DavidHeffernan i'm want send double click on listview control, NM_DBLCLK. Can you give me link on article, where i can read about WM_NOTIFY across process? — r1se, May 16 '16 at 14:56
You don't need an article. Just send the message to the window, meh — David Heffernan, May 16 '16 at 14:57
@DavidHeffernan "For Windows Vista and later systems, the WM_NOTIFY message cannot be sent between processes." (c)msdn — r1se, May 16 '16 at 15:02
I doubt that you care about the double click so much as to the operation it initiates. — IInspectable, May 16 '16 at 15:02
@IInspectable OnClick event, have function, which i'm need execut, how i can do it without WM_NOTIFY? — r1se, May 16 '16 at 15:07
[UI Automation](https://msdn.microsoft.com/en-us/library/windows/desktop/ee684009.aspx). We've been here before. If you don't terminate the recursion, you are risking the universe as we know it. — IInspectable, May 16 '16 at 15:09
OK, fair enough. Still, why won't you contemplate automation? — David Heffernan, May 16 '16 at 15:30
UI Automation used same message function, like i'm create without fraemwork. — r1se, May 16 '16 at 15:49
No, it doesn't. UI Automation does not rely on message sending. Automating a UI may result in the UI/system generating messages, but that is not the same as blindly sending/posting those messages. The observable messages are only the visible side effect of processing input. There is more to it, and UI Automation makes sure that the invisible part takes place as well. — IInspectable, May 16 '16 at 16:49
@IInspectable So, i'm used UI Automation, but this don't help me. Because event bind on action ListView:OnClick. I'm try, Invoke on ListItem, try accDoDefaultAction. Nothing work on List control, ListItem works fine, but code which have click not working. — r1se, May 17 '16 at 12:49
@DavidHeffernan i'm used UI automation, but event attached not in ItemClick. List Type control, dont have select or invoke patterns, for use action, also List Control dont;h have default action. So, may be i can click on list control? — r1se, May 17 '16 at 13:20

score 0 · Answer 1 · answered May 19 '16 at 14:00

For running event function which attached to control with parametr TObject* sender, your need send 2 argument: this and TObject.

For getting parametrs you need export MainForm(TForm), and derefernce pointer to address, after run prototype by address use arguments.

unsigned int* proc = (unsigned int*)GetProcAddress(GetModuleHandle(NULL),MAKEINTRESOURCEA(17));
void* obj = (void *)(*proc);
typedef void(__cdecl *pFunctionAddress)(void* thisobj, void* tobjectsend);
pFunctionAddress pBtn = (pFunctionAddress)(0x00402EE4); 
pBtn(obj, obj);

Send WM_NOTIFY from injected DLL or used __published function?

1 Answers1