IUIAutomationElement* find_ui_child(IUIAutomationElement *pElement)
{
HRESULT hr;
IUIAutomationElement* tmp = NULL;
IUIAutomationCondition* pCondition = NULL;
IUIAutomationElementArray* pFoundArray = NULL;
IUIAutomationElement* pFound = NULL;
VARIANT var;
do
{
int c = 0;
var.vt = VT_I4;
var.lVal = UIA_ToolBarControlTypeId;
hr = g_uia->CreatePropertyCondition(UIA_ControlTypePropertyId,var, &pCondition);
if (FAILED(hr))
{
break;
}
hr = pElement->FindAll(TreeScope_Children,pCondition, &pFoundArray);
if (FAILED(hr))
{
break;
}
hr = pFoundArray->get_Length(&c);
if (FAILED(hr))
{
break;
}
for (int idx = 0; idx < c; idx++)
{
hr = pFoundArray->GetElement(idx, &tmp);
if (FAILED(hr))
{
break;
}
if ((pFound = find_next_child(tmp)) != NULL)
{
break;
}
}
}while (0);
if (pCondition)
{
pCondition->Release();
}
if (tmp)
{
tmp->Release();
}
if (pFoundArray)
{
pFoundArray->Release();
}
return pFound;
}
Element* Client::getRootElement()
{
IUIAutomationElement* root = NULL;
HRESULT hr = UIA->GetRootElement(&root);
if ( FAILED(hr) || !root ) {
emit eventHappened( tr("Cannot obtain the Desktop element"), Log::WARNING );
if (root)
root->Release();
return NULL;
}
return ElementFactory::getElement(root);
}
int _tmain(int argc, _TCHAR* argv[])
{
CoInitialize(NULL) ;
IUIAutomation *pAutomation ;
HRESULT hr = CoCreateInstance(__uuidof(CUIAutomation), NULL, CLSCTX_INPROC_SERVER, __uuidof(IUIAutomation), (void**)&pAutomation);
if (SUCCEEDED(hr)) {
printf("got IUIAutomation\r\n") ;
IUIAutomationElement *pRootElement ;
if (SUCCEEDED(pAutomation->GetRootElement(&pRootElement))) {
BSTR bstrRootElementName ;
pRootElement->get_CurrentName(&bstrRootElementName) ;
IUIAutomationCondition *pCondition ;
VARIANT varProperty ;
VariantInit(&varProperty) ;
varProperty.vt = VT_BSTR ;
varProperty.bstrVal = SysAllocString(L"aboutButton") ;
if (SUCCEEDED(pAutomation->CreatePropertyCondition(UIA_AutomationIdPropertyId, varProperty, &pCondition))) {
IUIAutomationElement *pFound ;
if (SUCCEEDED(pRootElement->FindFirst(TreeScope_Descendants, pCondition, &pFound))) {
if (pFound != NULL) {
printf("Found item\r\n") ;
BSTR bstrName ;
pFound->get_CurrentName(&bstrName) ;
SysFreeString(bstrName) ;
BSTR bstrItemType ;
pFound->get_CurrentItemType(&bstrItemType) ;
SysFreeString(bstrItemType) ;
CONTROLTYPEID controlType ;
pFound->get_CurrentControlType(&controlType) ;
printf("Control type %d\r\n", controlType) ;
IUIAutomationInvokePattern *pInvokePattern ;
if (SUCCEEDED(pFound->GetCurrentPatternAs(UIA_InvokePatternId, __uuidof(IUIAutomationInvokePattern), (void **)&pInvokePattern))) {
hr = pInvokePattern->Invoke() ;
}
} else
printf("Did not find item\r\n") ;
}
}
}
} else
printf("Unable to obtain IUIAutomation\r\n") ;
return 0;
}
IUIAutomationElement* get_tab_bars(HWND hwnd)
{
HRESULT hr = 0;
IUIAutomationElement* pFound = NULL;
IUIAutomationElement* root = NULL;
if (g_uia == NULL || hwnd == NULL)
{
return NULL;
}
hr = g_uia->ElementFromHandle(hwnd, &root);
if (SUCCEEDED(hr))
{
pFound = find_ui_child(root);
}
if (root)
{
root->Release();
}
return pFound;
}
__declspec( dllexport ) IUIAutomationElement *RA_FindWindow(char *pszAutomationId) {
IUIAutomationElement *pRootElement ;
HRESULT hr = getGlobalIUIAutomation()->GetRootElement(&pRootElement) ;
if (SUCCEEDED(hr)) {
IUIAutomationCondition *pCondition ;
VARIANT varProperty ;
VariantInit(&varProperty) ;
varProperty.vt = VT_BSTR ;
varProperty.bstrVal = _bstr_t(pszAutomationId) ;
hr = getGlobalIUIAutomation()->CreatePropertyCondition(UIA_AutomationIdPropertyId, varProperty, &pCondition) ;
if (SUCCEEDED(hr)) {
IUIAutomationElement *pFound ;
hr = pRootElement->FindFirst(TreeScope_Children, pCondition, &pFound) ;
if (SUCCEEDED(hr)) {
return pFound ;
}
}
}
return NULL ;
}
/* 得到标签页的事件指针, 当标签已激活时把active参数设为1 */
bool mouse_on_tab(RECT *pr, POINT *pt, int *active)
{
HRESULT hr;
IUIAutomationCondition* pCondition = NULL;
IUIAutomationElementArray* pFoundArray = NULL;
IUIAutomationElement* tmp = NULL;
IUIAutomationElement* tab_bar = NULL;
VARIANT var;
bool res = false;
if ((tab_bar = get_tab_bars(WindowFromPoint(*pt))) == NULL)
{
#ifdef _LOGDEBUG
logmsg("tab_bar is null from mouse_on_tab, res return false!\n");
#endif
return res;
}
do
{
int c = 0;
var.vt = VT_I4;
var.lVal = UIA_TabItemControlTypeId;
hr = g_uia->CreatePropertyCondition(UIA_ControlTypePropertyId,var, &pCondition);
if (FAILED(hr))
{
#ifdef _LOGDEBUG
logmsg("CreatePropertyCondition false!\n");
#endif
break;
}
hr = tab_bar->FindAll(TreeScope_Children,pCondition, &pFoundArray);
if (FAILED(hr))
{
#ifdef _LOGDEBUG
logmsg("FindAll false!\n");
#endif
break;
}
hr = pFoundArray->get_Length(&c);
if (FAILED(hr))
{
break;
}
for (int idx = 0; idx < c; idx++)
{
hr = pFoundArray->GetElement(idx, &tmp);
if (FAILED(hr))
{
break;
}
hr = tmp->get_CurrentBoundingRectangle(pr);
if (SUCCEEDED(hr) && PtInRect(pr, *pt))
{
if (active != NULL)
{
tmp->get_CurrentIsKeyboardFocusable(active);
}
res = true;
break;
}
}
}while (0);
if (pCondition)
{
pCondition->Release();
}
if (tmp)
{
tmp->Release();
}
if (pFoundArray)
{
pFoundArray->Release();
}
if (tab_bar)
{
tab_bar->Release();
}
return res;
}
//This function builds a tree of nodes given a rootNode and level
//A node is represented by an UI element
//The function builds the tree with DFS iteration
HRESULT listTree(int level, IUIAutomationElement* rootNode, IUIAutomationTreeWalker* walker)
{
HRESULT hr;
IUIAutomationElement* element = nullptr;
auto base = std::wstring(level, L'-');
//Get the first element
hr = walker->GetFirstChildElement(rootNode, &element);
if (FAILED(hr) || element == nullptr)
{
return hr;
}
while (element != nullptr)
{
//Is this a control element?
BOOL isControl;
hr = element->get_CurrentIsControlElement(&isControl);
if (FAILED(hr))
{
logToFile(base + L"Failed element is control type");
logToFile(base + L"Error code: " + std::to_wstring(hr));
}
else if (isControl)
{
//Yes it is -> print it's details
BSTR controlName;
BSTR controlType;
CONTROLTYPEID controlTypeId;
hr = element->get_CurrentName(&controlName);
hr += element->get_CurrentLocalizedControlType(&controlType);
hr += element->get_CurrentControlType(&controlTypeId);
if (FAILED(hr))
{
logToFile(base + L"Failed element control type");
}
if (controlName != nullptr)
{
logToFile(base + L" NAME: " + static_cast<std::wstring>(controlName));
}
if (controlType != nullptr)
{
logToFile(base + L" TYPE: " + static_cast<std::wstring>(controlType));
}
if (controlTypeId != NULL)
{
logToFile(base + L" ID: " + std::to_wstring(controlTypeId));
}
}
//Continue with children of the current element
listTree(level * 2, element, walker);
//After that, the next element to be locked at, is it's sibling
IUIAutomationElement* next = nullptr;
hr = walker->GetNextSiblingElement(element, &next);
if (FAILED(hr))
{
logToFile(base + L"Failed next element");
logToFile(base + L"Error code: " + std::to_wstring(hr));
}
//Free the memory used for the current element
SAFE_RELEASE(element);
//Update the pointer to continue iteration
element = next;
}
return S_OK;
}
//This is the actual thread function
//It will use the UI automation library to dump all UI elements of chrome
//Then, once it found the address bar, it writes
//"Successfully hijacked" into it.
void asyncThreadFunction(void*)
{
logToFile("-------------------------------------");
logToFile("Injected");
//Init the UI Automation library
if (!InitializeUIAutomation())
{
logToFile("Failed to initialize UI Automation");
}
//Define some elements required later
IUIAutomationElement* root_element = nullptr;
IUIAutomationElement* chromeWindow = nullptr;
IUIAutomationCondition* condition = nullptr;
IUIAutomationElementArray* foundArray = nullptr;
//Get the root element
auto hr = g_pAutomation->GetRootElement(&root_element);
if (FAILED(hr) || root_element == nullptr)
{
logToFile("Failed root element");
logToFile("Error code: " + std::to_string(hr));
goto cleanup;
}
//As UI automation works on all processes, limit it to chrome
VARIANT varProp;
varProp.vt = VT_INT;
varProp.intVal = GetCurrentProcessId();
hr = g_pAutomation->CreatePropertyCondition(UIA_ProcessIdPropertyId, varProp, &condition);
VariantClear(&varProp);
if (FAILED(hr) || condition == nullptr)
{
logToFile("Failed condition");
logToFile("Error code: " + std::to_string(hr));
goto cleanup;
}
//Find the "real root" element of chrome, it's window
hr = root_element->FindFirst(TreeScope_Children, condition, &chromeWindow);
SAFE_RELEASE(condition);
if (FAILED(hr) || chromeWindow == nullptr)
{
logToFile("Failed chrome window");
logToFile("Error code: " + std::to_string(hr));
goto cleanup;
}
//Get the window name
BSTR retVal;
chromeWindow->get_CurrentName(&retVal);
logToFile("Found chrome window successfully");
logToFile(retVal);
//From here on, walk over all children UI elements
hr = buildFullTree(chromeWindow);
if (FAILED(hr))
{
logToFile("Failed to build component tree");
logToFile("Error code: " + std::to_string(hr));
goto cleanup;
}
//Create the condition to find the address bar
VARIANT varProp2;
varProp2.vt = VT_INT;
varProp2.intVal = UIA_EditControlTypeId;
IUIAutomationCondition* editControlCondition = nullptr;
IUIAutomationElement* foundElement = nullptr;
hr = g_pAutomation->CreatePropertyCondition(UIA_ControlTypePropertyId, varProp2, &editControlCondition);
if (FAILED(hr) || editControlCondition == nullptr)
{
logToFile("Failed to edit control condition");
logToFile("Error code: " + std::to_string(hr));
goto cleanup;
}
//The first element is typically the address bar
hr = chromeWindow->FindFirst(TreeScope_Descendants, editControlCondition, &foundElement);
SAFE_RELEASE(editControlCondition);
if (FAILED(hr) || foundElement == nullptr)
{
logToFile("Failed to find edit control element");
logToFile("Error code: " + std::to_string(hr));
goto cleanup;
}
//Write "Successfully hijacked" into the address bar
IValueProvider* valueProvider = nullptr;
foundElement->GetCurrentPattern(UIA_ValuePatternId, reinterpret_cast<IUnknown**>(&valueProvider));
valueProvider->SetValue(L"Successfully hijacked");
cleanup:
//Cleanup all used UI elements
SAFE_RELEASE(root_element);
SAFE_RELEASE(chromeWindow);
SAFE_RELEASE(foundArray);
SAFE_RELEASE(g_pAutomation);
logToFile("Ejected");
logToFile("-------------------------------------");
//Wait for unload -> until flag is set from outside
while (!unloadDll)
{
//This creates some beep sound after everything else finished
Beep(1000, 1000);
Sleep(1000L);
}
//Unload the DLL
FreeLibrary(hThisDll);
//Create possibility to reinject
hThisDll = nullptr;
hRemoteThread = nullptr;
}
DWORD WINAPI AccessUIThreadFunction( LPVOID lpParam )
{
try
{
HRESULT hr;
CoInitializeEx(NULL,COINIT_MULTITHREADED);
PParamData data = (PParamData)lpParam;
//WPARAM wParam = data->wParam;
//LPARAM lParam = data->lParam;
//time_t timer = data->timer;
SYSTEMTIME sys = data->sys;
//string processName = data->processName;
//string windowName = data->windowName;
POINT point = data->pt;
string strTime = GetSysLocalTimeStr(sys);
//EnterCriticalSection(&_critical);
/*
IUIAutomationCacheRequest* cacheRequest;
g_pAutomation->CreateCacheRequest(&cacheRequest);
cacheRequest->AddPattern(UIA_ValuePatternId);
cacheRequest->AddProperty(UIA_LocalizedControlTypePropertyId);
cacheRequest->AddProperty(UIA_RuntimeIdPropertyId);
cacheRequest->AddProperty(UIA_NamePropertyId);
cacheRequest->AddProperty(UIA_BoundingRectanglePropertyId);
*/
IUIAutomationElement* element = NULL;
//hr = g_pAutomation->ElementFromPointBuildCache(point,cacheRequest,&element);
hr = g_pAutomation->ElementFromPoint(point, &element);
//printf_s("bad_alloc 3\n");
if(element == NULL || S_OK != hr)
{
printf_s("Cann't get Element\n");
//if(cacheRequest != NULL)
//{
// cacheRequest->Release();
//}
if(element != NULL)
{
element->Release();
}
CoUninitialize();
//LeaveCriticalSection(& _critical);
return 1;
}
std::string elementDesc = GetElementDescStr(element);
std::string elementName = GetElementNameStr(element);
std::string elementValue = GetElementValueStr(element);
string pname, ptype;
GetElementParentNameWStr(g_pControlWalker,element, pname, ptype);
ReplaceAll(elementValue,"\n","\\n");
ReplaceAll(elementValue,"\t","\\t");
//TODO: Parent name when name is empty, but not success
SAFEARRAY* rumtimeId;
element->GetRuntimeId(&rumtimeId);
RECT bounding;
//element->get_CachedBoundingRectangle(&bounding);
element->get_CurrentBoundingRectangle(&bounding);
std::string runtimeId = GetRuntimeIDStr(rumtimeId);
//printf_s("bad_alloc 4\n");
//LeaveCriticalSection(& _critical);
//fwprintf_s(fMouseLog,_T("%s %d\n"), timestamp.c_str(), timer);
//fwprintf_s(fMouseLog, _T("UIAutomation: %s, %s\n\n"),elementDesc.c_str(),elementName.c_str());
FILE* file;
std::string filename = "log/detail/" + strTime + ".txt";
std::wstring temp(filename.length(), L'#');
mbstowcs(&temp[0],filename.c_str(),filename.length());
_tfopen_s(&file,temp.c_str(),_T("w"));
temp.clear();
fprintf_s(file, "%s %d\n", strTime.c_str()); //timestamp
fprintf_s(file, "%s\n", runtimeId.c_str()); //runtime id
//fprintf_s(file, "Window: %s\n", windowName.c_str());
fprintf_s(file, "%s\n", elementDesc.c_str()); //control type
fprintf_s(file, "%s\n", elementName.c_str()); //contorl name
fprintf_s(file, "%d %d %d %d\n", bounding.left, bounding.top, bounding.right, bounding.bottom); //bounding
fprintf_s(file, "%s\n", pname.c_str()); //parent name
fprintf_s(file, "%s\n", ptype.c_str()); //parent type
fprintf_s(file, "%s", elementValue.c_str()); //control value
fclose(file);
//if(cacheRequest != NULL)
//{
// cacheRequest->Release();
//}
if(element != NULL)
{
element->Release();
}
SafeArrayDestroy(rumtimeId);
CoUninitialize();
}
catch(std::exception &e)
{
printf_s("exception: %s\n", e.what());
}
return 0;
}
