Is there such a win32 tool?
homersux
December 23rd, 2005, 22:37
In ollydbg, when you choose 'View'->'Windows', ollydbg shows a nice hierarchical view of all windows of the debuggee. Now, is it possible to do the same thing from an external program instead, not attached as a debugger? Is there already a tool for this purpose (my search hasn't returned anything even remotely as powerful)? Even something that only shows the window hierarchical HWND/wndproc would be useful.
If there is no such kind of tool, what are the knowledge/techniques involved to write such a tool?
Sorry too many questions, but I hope you see my point.
HAVOK
December 24th, 2005, 05:40
Hi,
I thought some of the Sysinternals utilities would do the job, but I can't find anything there. Anyway you can use:
Quote:
EnumWindows Function
The EnumWindows function enumerates all top-level windows on the screen by passing the handle to each window, in turn, to an application-defined callback function. EnumWindows continues until the last top-level window is enumerated or the callback function returns FALSE.
Syntax
    BOOL EnumWindows(
        WNDENUMPROC lpEnumFunc,
        LPARAM lParam
    );
Parameters
lpEnumFunc
[in] Pointer to an application-defined callback function. For more information, see EnumWindowsProc.
lParam
[in] Specifies an application-defined value to be passed to the callback function.
Return Value
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError.
In this case, the callback function should call SetLastError to obtain a meaningful error code to be returned to the caller of EnumWindows.
I've seen this used as anti-debug in some packers/crackmes. In fact, if my computer wasn't such a mess I could have pointed to my own example code.

Hope this is what you looked for.
Note: given the window handle, you can call GetWindowThreadProcessId to know who is the owner and discard the irrelevant ones.
Quote:
The GetWindowThreadProcessId function retrieves the identifier of the thread that created the specified window and, optionally, the identifier of the process that created the window.
Syntax
    DWORD GetWindowThreadProcessId(
        HWND hWnd,
        LPDWORD lpdwProcessId
    );
Peres
December 24th, 2005, 06:39
What HAVOK says is true and valid indeed. I feel like integrating it because calling EnumWindows will just enumerate top level windows, not child ones. You need EnumChildWindows to do so. Just call it recursively and you will get the windows hierarchy you're searching for (and much else, too).
If you want to get window procedure addresses, then your guess should be GetWindowLong. You can get a bunch of information about window handles with it, so you should definitely look for MSDN and samples on the Internet.
Regards
Peres
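The approach HAVOK and Peres describe, as an added example that is not code from the thread: Python with ctypes calls EnumWindows, EnumChildWindows and GetWindowThreadProcessId, then rebuilds the window tree for one process. EnumChildWindows already reports descendants at every depth, so each window's parent is taken from GetAncestor (an API not mentioned in the thread) rather than by recursing; `collect_windows`, `render_tree`, the `SAMPLE` records and PID 1234 are names and values constructed for this example.

```python
import ctypes
import sys
GA_PARENT = 1  # GetAncestor flag: the real parent window, not the owner
SAMPLE = [  # constructed (hwnd, parent, pid, class) records; 0x10 stands in for the desktop
    (0x10010, 0x10, 1234, "MainFrame"), (0x10020, 0x10010, 1234, "Panel"),
    (0x10030, 0x10020, 1234, "Edit"), (0x20010, 0x10, 5678, "OtherApp"),
    (0x20020, 0x20010, 1234, "EmbeddedView")]

def collect_windows():
    """Flat list of (hwnd, parent, pid, class_name) for every window. Windows only."""
    from ctypes import wintypes as wt
    u32 = ctypes.WinDLL("user32")
    ENUMPROC = ctypes.WINFUNCTYPE(wt.BOOL, wt.HWND, wt.LPARAM)
    u32.EnumChildWindows.argtypes = [wt.HWND, ENUMPROC, wt.LPARAM]
    u32.GetAncestor.argtypes, u32.GetAncestor.restype = [wt.HWND, wt.UINT], wt.HWND
    u32.GetWindowThreadProcessId.argtypes = [wt.HWND, wt.LPDWORD]
    u32.GetClassNameW.argtypes = [wt.HWND, wt.LPWSTR, ctypes.c_int]
    records = []
    def visit(hwnd, top_level):  # lParam carries 1 for top-level windows, 0 for children
        pid, cls = wt.DWORD(), ctypes.create_unicode_buffer(256)
        u32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
        u32.GetClassNameW(hwnd, cls, 256)
        # EnumChildWindows reports descendants at every depth, so store the real parent.
        records.append((hwnd, u32.GetAncestor(hwnd, GA_PARENT) or 0, pid.value, cls.value))
        if top_level:
            u32.EnumChildWindows(hwnd, callback, 0)
        return True
    callback = ENUMPROC(visit)
    u32.EnumWindows(callback, 1)
    return records

def render_tree(records, pid):
    """Indented 'HWND class' lines for the windows owned by process `pid`."""
    children, owned, lines = {}, set(), []
    for hwnd, parent, owner, cls in records:
        if owner == pid:
            children.setdefault(parent, []).append((hwnd, cls))
            owned.add(hwnd)
    def walk(parent, depth):
        for hwnd, cls in children.get(parent, []):
            lines.append("%s%08X %s" % ("  " * depth, hwnd, cls))
            walk(hwnd, depth + 1)
    for root in [p for p in children if p not in owned]:  # desktop or a foreign parent
        walk(root, 0)
    return lines

if __name__ == "__main__":  # usage on Windows: python wintree.py <pid>
    recs, pid = (collect_windows(), int(sys.argv[1])) if sys.argv[1:] else (SAMPLE, 1234)
    print("\n".join(render_tree(recs, pid)))
```

A window whose parent belongs to another process (the constructed `EmbeddedView` record) is listed as a root of its own, so it is not lost when the output is filtered by PID.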
_xhp_
December 24th, 2005, 10:08
And the tool that can do it is winspector or spy++. Not its primary use but it will show you a simple hierarchical view of the windows along with some other info...
Maximus
December 24th, 2005, 10:09
Isn't that what WinSight from Borland does?
Silver
December 24th, 2005, 12:11
Winspector is a great tool, far more powerful than Spy++ (either VC6 or VC2003 incarnations). One note in advance though, you can't get Winspector to display the actual messages that get sent to windows when Winspector thinks it can decrypt the parameters for you. So where Spy++ will show LPARAM and WPARAM in their virgin states, Winspector won't give you access to that information. No idea why and as far as I can determine it's not a bug or hidden feature.
homersux
December 24th, 2005, 20:24
Winspector is pretty cool; I wish the wndproc address could be displayed, at least for standard OLE controls. Thanks for the feedback.