int _tmain(int argc, _TCHAR* argv[])
{
CoInitialize(NULL) ;
IUIAutomation *pAutomation ;
HRESULT hr = CoCreateInstance(__uuidof(CUIAutomation), NULL, CLSCTX_INPROC_SERVER, __uuidof(IUIAutomation), (void**)&pAutomation);
if (SUCCEEDED(hr)) {
printf("got IUIAutomation\r\n") ;
IUIAutomationElement *pRootElement ;
if (SUCCEEDED(pAutomation->GetRootElement(&pRootElement))) {
BSTR bstrRootElementName ;
pRootElement->get_CurrentName(&bstrRootElementName) ;
IUIAutomationCondition *pCondition ;
VARIANT varProperty ;
VariantInit(&varProperty) ;
varProperty.vt = VT_BSTR ;
varProperty.bstrVal = SysAllocString(L"aboutButton") ;
if (SUCCEEDED(pAutomation->CreatePropertyCondition(UIA_AutomationIdPropertyId, varProperty, &pCondition))) {
IUIAutomationElement *pFound ;
if (SUCCEEDED(pRootElement->FindFirst(TreeScope_Descendants, pCondition, &pFound))) {
if (pFound != NULL) {
printf("Found item\r\n") ;
BSTR bstrName ;
pFound->get_CurrentName(&bstrName) ;
SysFreeString(bstrName) ;
BSTR bstrItemType ;
pFound->get_CurrentItemType(&bstrItemType) ;
SysFreeString(bstrItemType) ;
CONTROLTYPEID controlType ;
pFound->get_CurrentControlType(&controlType) ;
printf("Control type %d\r\n", controlType) ;
IUIAutomationInvokePattern *pInvokePattern ;
if (SUCCEEDED(pFound->GetCurrentPatternAs(UIA_InvokePatternId, __uuidof(IUIAutomationInvokePattern), (void **)&pInvokePattern))) {
hr = pInvokePattern->Invoke() ;
}
} else
printf("Did not find item\r\n") ;
}
}
}
} else
printf("Unable to obtain IUIAutomation\r\n") ;
return 0;
}
//This function builds a tree of nodes given a rootNode and level
//A node is represented by an UI element
//The function builds the tree with DFS iteration
HRESULT listTree(int level, IUIAutomationElement* rootNode, IUIAutomationTreeWalker* walker)
{
HRESULT hr;
IUIAutomationElement* element = nullptr;
auto base = std::wstring(level, L'-');
//Get the first element
hr = walker->GetFirstChildElement(rootNode, &element);
if (FAILED(hr) || element == nullptr)
{
return hr;
}
while (element != nullptr)
{
//Is this a control element?
BOOL isControl;
hr = element->get_CurrentIsControlElement(&isControl);
if (FAILED(hr))
{
logToFile(base + L"Failed element is control type");
logToFile(base + L"Error code: " + std::to_wstring(hr));
}
else if (isControl)
{
//Yes it is -> print it's details
BSTR controlName;
BSTR controlType;
CONTROLTYPEID controlTypeId;
hr = element->get_CurrentName(&controlName);
hr += element->get_CurrentLocalizedControlType(&controlType);
hr += element->get_CurrentControlType(&controlTypeId);
if (FAILED(hr))
{
logToFile(base + L"Failed element control type");
}
if (controlName != nullptr)
{
logToFile(base + L" NAME: " + static_cast<std::wstring>(controlName));
}
if (controlType != nullptr)
{
logToFile(base + L" TYPE: " + static_cast<std::wstring>(controlType));
}
if (controlTypeId != NULL)
{
logToFile(base + L" ID: " + std::to_wstring(controlTypeId));
}
}
//Continue with children of the current element
listTree(level * 2, element, walker);
//After that, the next element to be locked at, is it's sibling
IUIAutomationElement* next = nullptr;
hr = walker->GetNextSiblingElement(element, &next);
if (FAILED(hr))
{
logToFile(base + L"Failed next element");
logToFile(base + L"Error code: " + std::to_wstring(hr));
}
//Free the memory used for the current element
SAFE_RELEASE(element);
//Update the pointer to continue iteration
element = next;
}
return S_OK;
}
//This is the actual thread function
//It will use the UI automation library to dump all UI elements of chrome
//Then, once it found the address bar, it writes
//"Successfully hijacked" into it.
void asyncThreadFunction(void*)
{
logToFile("-------------------------------------");
logToFile("Injected");
//Init the UI Automation library
if (!InitializeUIAutomation())
{
logToFile("Failed to initialize UI Automation");
}
//Define some elements required later
IUIAutomationElement* root_element = nullptr;
IUIAutomationElement* chromeWindow = nullptr;
IUIAutomationCondition* condition = nullptr;
IUIAutomationElementArray* foundArray = nullptr;
//Get the root element
auto hr = g_pAutomation->GetRootElement(&root_element);
if (FAILED(hr) || root_element == nullptr)
{
logToFile("Failed root element");
logToFile("Error code: " + std::to_string(hr));
goto cleanup;
}
//As UI automation works on all processes, limit it to chrome
VARIANT varProp;
varProp.vt = VT_INT;
varProp.intVal = GetCurrentProcessId();
hr = g_pAutomation->CreatePropertyCondition(UIA_ProcessIdPropertyId, varProp, &condition);
VariantClear(&varProp);
if (FAILED(hr) || condition == nullptr)
{
logToFile("Failed condition");
logToFile("Error code: " + std::to_string(hr));
goto cleanup;
}
//Find the "real root" element of chrome, it's window
hr = root_element->FindFirst(TreeScope_Children, condition, &chromeWindow);
SAFE_RELEASE(condition);
if (FAILED(hr) || chromeWindow == nullptr)
{
logToFile("Failed chrome window");
logToFile("Error code: " + std::to_string(hr));
goto cleanup;
}
//Get the window name
BSTR retVal;
chromeWindow->get_CurrentName(&retVal);
logToFile("Found chrome window successfully");
logToFile(retVal);
//From here on, walk over all children UI elements
hr = buildFullTree(chromeWindow);
if (FAILED(hr))
{
logToFile("Failed to build component tree");
logToFile("Error code: " + std::to_string(hr));
goto cleanup;
}
//Create the condition to find the address bar
VARIANT varProp2;
varProp2.vt = VT_INT;
varProp2.intVal = UIA_EditControlTypeId;
IUIAutomationCondition* editControlCondition = nullptr;
IUIAutomationElement* foundElement = nullptr;
hr = g_pAutomation->CreatePropertyCondition(UIA_ControlTypePropertyId, varProp2, &editControlCondition);
if (FAILED(hr) || editControlCondition == nullptr)
{
logToFile("Failed to edit control condition");
logToFile("Error code: " + std::to_string(hr));
goto cleanup;
}
//The first element is typically the address bar
hr = chromeWindow->FindFirst(TreeScope_Descendants, editControlCondition, &foundElement);
SAFE_RELEASE(editControlCondition);
if (FAILED(hr) || foundElement == nullptr)
{
logToFile("Failed to find edit control element");
logToFile("Error code: " + std::to_string(hr));
goto cleanup;
}
//Write "Successfully hijacked" into the address bar
IValueProvider* valueProvider = nullptr;
foundElement->GetCurrentPattern(UIA_ValuePatternId, reinterpret_cast<IUnknown**>(&valueProvider));
valueProvider->SetValue(L"Successfully hijacked");
cleanup:
//Cleanup all used UI elements
SAFE_RELEASE(root_element);
SAFE_RELEASE(chromeWindow);
SAFE_RELEASE(foundArray);
SAFE_RELEASE(g_pAutomation);
logToFile("Ejected");
logToFile("-------------------------------------");
//Wait for unload -> until flag is set from outside
while (!unloadDll)
{
//This creates some beep sound after everything else finished
Beep(1000, 1000);
Sleep(1000L);
}
//Unload the DLL
FreeLibrary(hThisDll);
//Create possibility to reinject
hThisDll = nullptr;
hRemoteThread = nullptr;
}