Inject .dll into Qt and call functions
-
Hi, so I'm trying to inject a .dll into a QT application and call the SetGeometry (or any other resizing function) on one of its windows. Resizing the window with the WinAPI doesn't work, but I know there is a way to make it work with the injection and calls to QT functions.
I have gotten the .dll injected into the other application, but I'm completely lost on how to proceed. Do I have to include QWidget.h into my own .dll? How do I get a hold of the QWidget class and its member funtions? How do I obtain the target HWND as a QWidget, can I just cast it?
Can someone please help me to get started with this?I would really appreciate any help you can give! Thanks in advance!
-
Hi, so I'm trying to inject a .dll into a QT application and call the SetGeometry (or any other resizing function) on one of its windows. Resizing the window with the WinAPI doesn't work, but I know there is a way to make it work with the injection and calls to QT functions.
I have gotten the .dll injected into the other application, but I'm completely lost on how to proceed. Do I have to include QWidget.h into my own .dll? How do I get a hold of the QWidget class and its member funtions? How do I obtain the target HWND as a QWidget, can I just cast it?
Can someone please help me to get started with this?I would really appreciate any help you can give! Thanks in advance!
@Johannes-S
I can't help but wonder, why do you want to do such things??!Read and abide by the Qt Code of Conduct
-
@Johannes-S
I can't help but wonder, why do you want to do such things??!@kshegunov Although I'm running the risk of being accused of trying to cheat, the software I'm trying to inject code into is the new IPoker software. No, I definitely don't want to cheat at online poker, but in online poker its common to play multiple tables simultaneously. I want to be able to "manage" those tables, therefore I have to be able to resize them. I usually did that with the WinAPI and SetWindowPos(). However with the new software that doesn't work anymore. I know for sure however, that it is possible with the above mentioned method, I just don't know HOW..
Thanks for the quick reply!
-
@kshegunov Although I'm running the risk of being accused of trying to cheat, the software I'm trying to inject code into is the new IPoker software. No, I definitely don't want to cheat at online poker, but in online poker its common to play multiple tables simultaneously. I want to be able to "manage" those tables, therefore I have to be able to resize them. I usually did that with the WinAPI and SetWindowPos(). However with the new software that doesn't work anymore. I know for sure however, that it is possible with the above mentioned method, I just don't know HOW..
Thanks for the quick reply!
@Johannes-S said:
Although I'm running the risk of being accused of trying to cheat
Leaving that aside and noting I'm not legally trained I don't think you should do it if the code (compiled or not) is not distributed with the appropriate license. Otherwise you'd break the licence agreement that goes with the program. If you need the resize feature, I suggest contacting the developers directly and asking them for it.
-
Disclaimer: I'm not a lawyer.
If the application is using a commercial Qt license, then you really ought not be messing with it, unless the copyright holder of that software has licensed you to do so (sounds unlikely in this case).
If the application is using Qt under the [L]GPL, then the [L]GPL protectes your right to replace the Qt libraries with your own modified versions, if you so wish. Of course, whether or not it's morally appropriate, is something for you to figure out.
So, which Qt license is the application using?
-
Disclaimer: I'm not a lawyer.
If the application is using a commercial Qt license, then you really ought not be messing with it, unless the copyright holder of that software has licensed you to do so (sounds unlikely in this case).
If the application is using Qt under the [L]GPL, then the [L]GPL protectes your right to replace the Qt libraries with your own modified versions, if you so wish. Of course, whether or not it's morally appropriate, is something for you to figure out.
So, which Qt license is the application using?
@Paul-Colby I tried to find something out about the license, but couldn't find any files in the directory, any info in the software itself and could also not find anything on the website..
@kshegunov I already have contacted the developers, I don't think I will have any luck there..all they told me was to "reinstall please..".
-
@Paul-Colby I tried to find something out about the license, but couldn't find any files in the directory, any info in the software itself and could also not find anything on the website..
@kshegunov I already have contacted the developers, I don't think I will have any luck there..all they told me was to "reinstall please..".
@Johannes-S
It's possible to do, however I really wish the @Moderators to take a look at this thread and give the green light. I hope you understand the reason for that ...Read and abide by the Qt Code of Conduct
-
@Johannes-S
It's possible to do, however I really wish the @Moderators to take a look at this thread and give the green light. I hope you understand the reason for that ...@kshegunov Sure, I hope they do give green light ;) So far thank you very much for the time you took!
Btw, this is what happens when I resize the tables with the WinAPI. The client area of the window simply doesn't adjust... -
This is not something that is automatically illegal (I assume). I have done this on two occasions in order to access information from software that was part of equipment I purchased in order to use it the way I need to. I've tried going through the manufacturer without success in both cases. The last one I wrote I told them what I was going to do to add the needed feature to their software and even sent them a working example. I couldn't wait for them to take action (which would be time measured in years if they decided to do this). They were not going to give me the source code and they didn't have anything suitable for my specific needs. If this is illegal then everyone who has ever written a debugger is breaking the law (another example of a practical use).
Now, when you do it this way there are many (many) problems. I limit what I do to hooking into specific message queues. Finding the window you want involves moving from the top level HWND (the only one you can directly find from an external process) and working your way down by searching for children with specific class and instance names. You are doing this from a separate thread you inject in the process space of the target application so this is another thing to be careful of. You need to make sure your hook doesn't create a problem with the target software.
If you can do this with something like SendMessage/PostMessage (i.e. WM_SIZE) then I am sure you can do it. If you need to call an API function from a thread specific instance in the running process I don't know about this. I only know a little about this subject (enough to do what I needed to do) so I assume anything is possible with enough time and effort.
-
This is not something that is automatically illegal (I assume). I have done this on two occasions in order to access information from software that was part of equipment I purchased in order to use it the way I need to. I've tried going through the manufacturer without success in both cases. The last one I wrote I told them what I was going to do to add the needed feature to their software and even sent them a working example. I couldn't wait for them to take action (which would be time measured in years if they decided to do this). They were not going to give me the source code and they didn't have anything suitable for my specific needs. If this is illegal then everyone who has ever written a debugger is breaking the law (another example of a practical use).
Now, when you do it this way there are many (many) problems. I limit what I do to hooking into specific message queues. Finding the window you want involves moving from the top level HWND (the only one you can directly find from an external process) and working your way down by searching for children with specific class and instance names. You are doing this from a separate thread you inject in the process space of the target application so this is another thing to be careful of. You need to make sure your hook doesn't create a problem with the target software.
If you can do this with something like SendMessage/PostMessage (i.e. WM_SIZE) then I am sure you can do it. If you need to call an API function from a thread specific instance in the running process I don't know about this. I only know a little about this subject (enough to do what I needed to do) so I assume anything is possible with enough time and effort.
@Rondog said:
I only know a little about this subject (enough to do what I needed to do) so I assume anything is possible with enough time and effort.
Once you get the binary you can always reverse engineer the assembly, in the end everything is executed at some point at that level. Of course, there are smarter (and easier) things to do (as you pointed out). Whether it's legal, I can't really say, such things are out of my expertise, I only wanted to make sure such kind of advice doesn't brake some forum rule.
-
Okay, so as I said, the WinAPI and SendMessage is not the way this will work.
I know how to do that and it used to work with the older version of their software, but now it doesn't work anymore.What I really want to do, once I injected my .dll, is call QT functions directly on those windows.
I know how to find the HWND of the window I want to manipulate. What I don't know, is how to get that window as an instance of a QWidget and then how I would call for example QWidget::setGeometry() on that. -
Okay, so as I said, the WinAPI and SendMessage is not the way this will work.
I know how to do that and it used to work with the older version of their software, but now it doesn't work anymore.What I really want to do, once I injected my .dll, is call QT functions directly on those windows.
I know how to find the HWND of the window I want to manipulate. What I don't know, is how to get that window as an instance of a QWidget and then how I would call for example QWidget::setGeometry() on that.@Johannes-S
Well, no one objected, so I suppose discussing this isn't a problem. There are several approaches to this. One of the more popular ones is to attach to the running process, and load a dll into the address space. Then by some means (ordinarily starting a thread) to start your code. Another option is to have a custom loader, that does what the OS loader does, but at some point it'd load additional dlls. Another possibility is to attach to an interrupt (for example I/O operation) and inject code there. In any case Windows provides a documented API to do most of those things. Hooks installed at the system level are also a possibility, they work similarly to how Qt handles event filters, and are executed before a message is passed to the application to process. You could find some more detailed information here.Once you have your code loaded into the process' address space. You can use
QCoreApplication::instance()to retrieve the application object;QGuiApplication::topLevelWindows()to retrieve a list of the top level windows, orQApplication::topLevelWidgets()for top-level widgets if the application is using widgets (this can be discerned by the dlls it ships. If the Qt5Widgets.dll is present, most probably the application is using widgets). Once a pointer to widget or a window is known dynamic_casts/qobject_cast can be used to get the exact type of the widget/window, and Qt messages can be posted to them withQCoreApplication::postEvent()(this static function is thread-safe). By such means a resize event can be marshaled to an arbitrary widget/window thus providing the functionallity you're after.Directly resizing the HWND handle by means of the WinAPI (supposedly) doesn't work, because in Qt most of the windows/widgets don't actually have a handle and are using the top-level widget's/window's to draw themselves. Additionally the main window's drawing surface is changed externally, but child objects (layouts/child widgets) are not notified, so you get clipping.
Kind regards.
Read and abide by the Qt Code of Conduct
-
@Johannes-S
Well, no one objected, so I suppose discussing this isn't a problem. There are several approaches to this. One of the more popular ones is to attach to the running process, and load a dll into the address space. Then by some means (ordinarily starting a thread) to start your code. Another option is to have a custom loader, that does what the OS loader does, but at some point it'd load additional dlls. Another possibility is to attach to an interrupt (for example I/O operation) and inject code there. In any case Windows provides a documented API to do most of those things. Hooks installed at the system level are also a possibility, they work similarly to how Qt handles event filters, and are executed before a message is passed to the application to process. You could find some more detailed information here.Once you have your code loaded into the process' address space. You can use
QCoreApplication::instance()to retrieve the application object;QGuiApplication::topLevelWindows()to retrieve a list of the top level windows, orQApplication::topLevelWidgets()for top-level widgets if the application is using widgets (this can be discerned by the dlls it ships. If the Qt5Widgets.dll is present, most probably the application is using widgets). Once a pointer to widget or a window is known dynamic_casts/qobject_cast can be used to get the exact type of the widget/window, and Qt messages can be posted to them withQCoreApplication::postEvent()(this static function is thread-safe). By such means a resize event can be marshaled to an arbitrary widget/window thus providing the functionallity you're after.Directly resizing the HWND handle by means of the WinAPI (supposedly) doesn't work, because in Qt most of the windows/widgets don't actually have a handle and are using the top-level widget's/window's to draw themselves. Additionally the main window's drawing surface is changed externally, but child objects (layouts/child widgets) are not notified, so you get clipping.
Kind regards.
@kshegunov Thanks alot for your reply.
I already got the .dll injected, what I'm struggling with is the second part. Your suggestions already helped alot. But one more question: how do I get the declaration of QApplication in my .dll code? Do I have to include the QT header files when compiling the .dll? Or do I have to load the classes dynamically? In that case: how would I do that?About your last paragraph: Is there any chance to forward those events to the children, so I don't need all that dll-injection crap?
Really BIG thanks! That already helped alot!
-
@kshegunov Thanks alot for your reply.
I already got the .dll injected, what I'm struggling with is the second part. Your suggestions already helped alot. But one more question: how do I get the declaration of QApplication in my .dll code? Do I have to include the QT header files when compiling the .dll? Or do I have to load the classes dynamically? In that case: how would I do that?About your last paragraph: Is there any chance to forward those events to the children, so I don't need all that dll-injection crap?
Really BIG thanks! That already helped alot!
@Johannes-S said:
how do I get the declaration of QApplication in my .dll code?
Yes, for the declarations you'd need the header files for Qt. Actually, Qt makes this easier by it's insistence of being binary compatible (which is a great thing on itself). This means that you shouldn't much care about the minor and patch versions of the Qt you obtain (to get the header files).
Additional note:
The headers won't be just enough, the linker will want to know about the symbols exported from the library. One way is find out the exact Qt version the said application is using, build Qt yourself (or download it) to finally obtain the.libfile and then use that to pass it to the linker. Or alternatively, you can obtain the library exports from thedllthe application ships as described here or any equivalent method.Is there any chance to forward those events to the children, so I don't need all that dll-injection crap?
You can post events to any
QObjectwithQCoreApplication::postEvent, however you'd need to obtain aQObject *pointing to the object of interest. You are doing the dll injection, because your code has to run in the process' address space, not because you can't query the application/widgets/windows/objects for their children.Kind regards.
-
Wow okay, that doesn't sound too complicated. Ill probably just need to create lib files from the .dlls of Qt5Widgtes.dll, Qt5Core.dll and maybe Qt5.Gui, right?
I'll give it a try this afternoon and probably come back after I've failed ;)Big thanks!
-
Okay, I got to thank you guys a million times, this really worked and I got my .dll injected and am able to find the QWidgets and call QT functions on them.
Thank you!
However, the problem still persists: I tried resizing with setGeometry() and resize(), I tried to call update() and repaint() afterwards, but the clipping still does occur.
Any idea how I can fix that? Is there a chance I can identify the functions that are called when I resize the window manually (by mouse dragging?).
If I knew the function, I guess I could get it to work! -
Okay, I got to thank you guys a million times, this really worked and I got my .dll injected and am able to find the QWidgets and call QT functions on them.
Thank you!
However, the problem still persists: I tried resizing with setGeometry() and resize(), I tried to call update() and repaint() afterwards, but the clipping still does occur.
Any idea how I can fix that? Is there a chance I can identify the functions that are called when I resize the window manually (by mouse dragging?).
If I knew the function, I guess I could get it to work!@Johannes-S
Hi,However, the problem still persists: I tried resizing with setGeometry() and resize(), I tried to call update() and repaint() afterwards, but the clipping still does occur.
Does the window resize itself though, the clipping aside?
Any idea how I can fix that?
It really depends on how the application actually implemented the resizing/painting.
Is there a chance I can identify the functions that are called when I resize the window manually (by mouse dragging?).
Well, dragging the window will fire
QResizeEvents, but how exactly those are handled can't be known at that level. The events can be intercepted before they reach the widget by installing an event filter, but I don't see how this'd help.Read and abide by the Qt Code of Conduct
-
@Johannes-S
Hi,However, the problem still persists: I tried resizing with setGeometry() and resize(), I tried to call update() and repaint() afterwards, but the clipping still does occur.
Does the window resize itself though, the clipping aside?
Any idea how I can fix that?
It really depends on how the application actually implemented the resizing/painting.
Is there a chance I can identify the functions that are called when I resize the window manually (by mouse dragging?).
Well, dragging the window will fire
QResizeEvents, but how exactly those are handled can't be known at that level. The events can be intercepted before they reach the widget by installing an event filter, but I don't see how this'd help.@kshegunov said:
Does the window resize itself though, the clipping aside?
So yeah, the window is smaller/bigger than before. Only the client area doesn't adjust properly.
I've tried sending QResizeEvents, but that didnt really help.Isn't there a way to monitor the functions that are being called? If I could do that, I could resize the window by mouse and watch which functions are being used to resize..
-
@kshegunov said:
Does the window resize itself though, the clipping aside?
So yeah, the window is smaller/bigger than before. Only the client area doesn't adjust properly.
I've tried sending QResizeEvents, but that didnt really help.Isn't there a way to monitor the functions that are being called? If I could do that, I could resize the window by mouse and watch which functions are being used to resize..
@Johannes-S said:
Isn't there a way to monitor the functions that are being called?
In an optimized compiled code (like Qt that's used in this case), no, not really. The compiler have probably inlined whatever it could and stripped many of the
callinstructions (you'd expect such when a function is called). And even if it hadn't it would take ages to sift through the assembly, and all that for a dubious result. The stack frame won't have any references to function names, only to addresses, so it's simply not worth even trying.One thing you could attempt is to inspect the properties of the main window or the central widget. It may be set to not resize through the size policy and/or minimum/maximum size, or in some other fashion. Currently, I don't have any better ideas.
Although I haven't done this, as a last resort you could in principle try to overwrite the virtual table, if in fact the
resizeEventfunction was overriden ... -
Isn't it the purpose of GammaRay?
https://github.com/KDAB/GammaRay
