How to find First window of newly created process

[GautamGreat]

Hello,

My question is simple. How we can detect the first window of a program which is created by CreateProcessA api? My objective is simple

1. create process with CreateProcessA api

2. Wait for first window to appear (same like advance loader generator)

3. Suspend thread and patch bytes.

Can someone please help me to know how I can wait till the first window appear?

[atom0s]

The easiest method would be to hook the window creation API being used. (ie. CreateWindowA / CreateWindowW / CreateWindowExA / CreateWindowExW)

Or, if you don't want to hook anything, you can constantly call EnumWindows and look for windows owned by the parent process id you are looking at. When a handle finally appears you know it created something.

[GautamGreat]

  On 9/17/2017 at 1:40 AM, atom0s said:

The easiest method would be to hook the window creation API being used. (ie. CreateWindowA / CreateWindowW / CreateWindowExA / CreateWindowExW)

Or, if you don't want to hook anything, you can constantly call EnumWindows and look for windows owned by the parent process id you are looking at. When a handle finally appears you know it created something.

Expand  

Hi,

So I go for the second method that you say. Now, the problem is It is not found any window regarding the created process. Here is my code.

  Quote

var
  SI : TStartupInfo;
  PI : TProcessInformation;
  flag : Boolean;

function EnumWindowProc(hwnd : HWND; lParam : LPARAM):Boolean;stdcall;
var
  proid : cardinal;
begin
  GetWindowThreadProcessId(hwnd, proid);
  if proid = PI.dwProcessId then
  begin
    flag = True;       //in my case it never gone trigged
    Result := False;
    Exit;
  end; 
  Result := True;  
end;

begin
  CreateProcessA(PChar('target.exe'), nil, nil, nil, False, 0, nil, nil, SI, PI);
  EnumWindows(@EnumWIndowProc, 0);
  if flag then
     SuspendThread(Pi.hThread);
end;

Expand  

2

 

[h4sh3m]

Hi

1 - you should wait some time before enum windows ! (about 100~500 ms for quick apps  ) or check it in other thread with infinite loop (exit thread after found window in this case).

2 - you can use "FindWindow" API if you have window title (fixed one !)

3 - if your target is packed you can check bytes before patch (easier than finding window ,  etc...) !

 

 

BR,

h4sh3m

[GautamGreat]

  On 9/17/2017 at 9:09 AM, h4sh3m said:

Hi

1 - you should wait some time before enum windows ! (about 100~500 ms for quick apps  ) or check it in other thread with infinite loop (exit thread after found window in this case).

2 - you can use "FindWindow" API if you have window title (fixed one !)

3 - if your target is packed you can check bytes before patch (easier than finding window ,  etc...) !

 

 

BR,

h4sh3m

Expand  

Hi,

So, My objective is too make a loader same like Advance Loader Generator. As we know Advance Loader Generator, generate loader in vb format. I am not good with that to reverse that If someone can reverse a loader which is generated by ALG and tell me how it find the first window.

[atom0s]

You will need to call EnumWindows in a loop to keep looking for the windows until one is found. Calling it once can result in your EnumWindows call happening too fast and missing the window creation. Instead, call it in a loop for either an infinite amount of time or a set amount of time you want to consider a 'timeout'. 

Also, the dwCreationFlags parameter to CreateProcessA should contain a valid creation param value. 0 is generally not what you should be using. If you want to just regularly launch the process, you should be using NORMAL_PRIORITY_CLASS (or 0x00000020 in its hex form). 

[GautamGreat]

Thanks a lot @atom0s

As you said I have to call EnumWindows function in a loop. So, I just make a while loop and keep calling EnumWindows procedure until I found the window that I need. It works same as I want.

Again Thanks

[necroxia]

hi bro you can give me it source code