
Three Ways to Inject Your Code into Another Process

2008-11-08 10:08
Download entire package - 180 Kb
Download WinSpy - 20 Kb (demo application)

Contents

Introduction
Windows Hooks
The CreateRemoteThread & LoadLibrary Technique
    Interprocess Communications
The CreateRemoteThread & WriteProcessMemory Technique
    How to Subclass a Remote Control With this Technique
    When to Use this Technique
Some Final Words
Appendixes
References
Article History

Introduction


Several password spy tutorials have been posted to The Code Project, but all of them rely on Windows hooks. Is there any other way to make such a utility? Yes, there is. But first, let me review the problem briefly, just to make sure we're all on the same page.

To "read" the contents of any control - either belonging to your application or not - you generally send the WM_GETTEXT message to it. This also applies to edit controls, except in one special case. If the edit control belongs to another process and the ES_PASSWORD style is set, this approach fails. Only the process that "owns" the password control can get its contents via WM_GETTEXT. So, our problem reduces to the following: How to get

::SendMessage( hPwdEdit, WM_GETTEXT, nMaxChars, psBuffer );
executed in the address space of another process.

In general, there are three possibilities to solve this problem:

1. Put your code into a DLL; then, map the DLL to the remote process via Windows hooks.
2. Put your code into a DLL and map the DLL to the remote process using the CreateRemoteThread & LoadLibrary technique.
3. Instead of writing a separate DLL, copy your code to the remote process directly - via WriteProcessMemory - and start its execution with CreateRemoteThread. A detailed description of this technique can be found here.

For more information: http://www.codeproject.com/KB/threads/winspy.aspx?df=100&forumid=16291&select=1025152&msg=1025152
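Seen from the monitoring side, the second and third possibilities both end in a CreateRemoteThread call, which Sysmon records as Event ID 8. The following is an added example, not code from the original article: it labels such records by where the new thread starts. The sample records and paths are constructed, and it assumes unresolved StartModule/StartFunction fields are logged as "-" or empty.

```python
# Added example: triage Sysmon Event ID 8 (CreateRemoteThread) records.
# Field names follow Sysmon's event schema; all records below are constructed.
import ntpath

LOADER_FUNCS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}
LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}
EMPTY = {"", "-"}  # assumption: an unresolved field is logged as "-" or empty

SAMPLE_EVENTS = [  # constructed for illustration, not captured from a real host
    {"EventID": 8, "SourceImage": r"C:\Lab\demo_tool.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "SourceImage": r"C:\Lab\demo_tool.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": "-", "StartFunction": "-"},
    {"EventID": 8, "SourceImage": r"C:\Lab\debugger.exe",
     "TargetImage": r"C:\Lab\debuggee.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "DbgUiRemoteBreakin"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]

def classify(event):
    """Return a label for one record, or None if it is not a remote-thread event."""
    if event.get("EventID") != 8:
        return None
    module = event.get("StartModule", "").strip()
    func = event.get("StartFunction", "").strip().lower()
    if module in EMPTY and func in EMPTY:
        # Thread starts outside every loaded image: code was copied into the
        # target first (the WriteProcessMemory variant, possibility 3).
        return "remote-thread-in-unbacked-memory"
    if ntpath.basename(module).lower() in LOADER_MODULES and func in LOADER_FUNCS:
        # Thread starts at a DLL loader export (possibility 2).
        return "remote-thread-at-loadlibrary"
    return "remote-thread-other"  # e.g. a debugger break-in; review by source

def triage(events):
    """Return (label, SourceImage, TargetImage) for every remote-thread record."""
    return [(label, ev["SourceImage"], ev["TargetImage"])
            for ev in events if (label := classify(ev))]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(*row, sep=" | ")
```

The hook-based possibility creates no remote thread, so it never appears in Event ID 8 and needs a different data source.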