问题
I am trying to access a TreeView
running in another process. Many of the tree view messages work correctly. However, trying to use the TVM_GETITEM
causes that other process to crash.
The code below is a simple program that illustrates the crash. To get it to run, you will need some CHM help file. I'm using a CHM help file because hh.exe uses a TreeView
control for the table of contents.
The goal is to be able to get the a tree node's text.
using System;
using System.Collections;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
using System.Windows.Forms;
namespace TreeViewTest {
public class TVForm : Form {
String chmFile = @"C:\temp\QuickGuide.chm"; // change this to some help file on local computer
Button btnOpenFile = new Button { Text = "Open File", AutoSize = true };
Button btnDeleteSelected = new Button { Text = "Delete Selected", AutoSize = true };
Button btnGetCount = new Button { Text = "Get Count", AutoSize = true };
Button btnGetText = new Button { Text = "Get Text", AutoSize = true }; // causes hh.exe process to crash
Button btnSelectNext = new Button { Text = "Select Next", AutoSize = true };
Process process = null;
IntPtr ptrTreeView = IntPtr.Zero;
public TVForm() {
FlowLayoutPanel p = new FlowLayoutPanel { FlowDirection = System.Windows.Forms.FlowDirection.TopDown, Dock = DockStyle.Fill };
p.Controls.Add(btnOpenFile);
p.Controls.Add(btnGetCount);
p.Controls.Add(btnDeleteSelected);
p.Controls.Add(btnGetText);
p.Controls.Add(btnSelectNext);
Controls.Add(p);
btnOpenFile.Click += buttonClicked; // works fine
btnDeleteSelected.Click += buttonClicked; // works fine
btnGetCount.Click += buttonClicked;
btnGetText.Click += buttonClicked;
btnSelectNext.Click += buttonClicked;
}
void buttonClicked(object sender, EventArgs e) {
if (!File.Exists(chmFile)) {
MessageBox.Show("Cannot find CHM file: " + chmFile);
return;
}
IntPtr hwndTreeView = GetTreeViewHandle();
if (hwndTreeView == IntPtr.Zero) {
MessageBox.Show("Cannot find TreeView handle.");
return;
}
if (sender == btnDeleteSelected) {
// get the handle to the selected node in the tree view
IntPtr hwndItem = SendMessage(hwndTreeView, (int) TVM.TVM_GETNEXTITEM, (int) TVGN.TVGN_CARET, 0);
if (hwndItem == IntPtr.Zero)
MessageBox.Show("no item selected");
else
SendMessage(hwndTreeView, (int) TVM.TVM_DELETEITEM, IntPtr.Zero, hwndItem);
}
else if (sender == btnGetCount) {
IntPtr count = SendMessage(hwndTreeView, (int) TVM.TVM_GETCOUNT, 0, 0);
MessageBox.Show(String.Format("There are {0} nodes in the tree view.", count.ToInt32()));
}
else if (sender == btnSelectNext) {
IntPtr hwndItem = SendMessage(hwndTreeView, (int) TVM.TVM_GETNEXTITEM, (int) TVGN.TVGN_CARET, 0);
if (hwndItem == IntPtr.Zero) {
MessageBox.Show("no item selected");
return;
}
hwndItem = SendMessage(hwndTreeView, (int) TVM.TVM_GETNEXTITEM, new IntPtr((int) TVGN.TVGN_NEXT), hwndItem);
if (hwndItem == IntPtr.Zero)
MessageBox.Show("there is no next item");
else
SendMessage(hwndTreeView, (int) TVM.TVM_SELECTITEM, new IntPtr((int) TVGN.TVGN_CARET), hwndItem);
}
else if (sender == btnGetText) { // crashes hh.exe
IntPtr hwndItem = SendMessage(hwndTreeView, (int) TVM.TVM_GETNEXTITEM, (int) TVGN.TVGN_CARET, 0);
if (hwndItem == IntPtr.Zero) {
MessageBox.Show("no item selected");
return;
}
var item = new TVITEMEX(); // have tried both TVITEM and TVITEMEX
item.hItem = hwndItem;
item.mask = (int) (TVIF.TVIF_TEXT | TVIF.TVIF_HANDLE);
item.cchTextMax = 260;
item.pszText = Marshal.AllocHGlobal(item.cchTextMax);
IntPtr ptr = Marshal.AllocHGlobal(Marshal.SizeOf(item));
Marshal.StructureToPtr(item, ptr, false);
// have tried TVM_GETITEM and TVM_GETITEMA
SendMessage(hwndTreeView, (int) TVM.TVM_GETITEM, IntPtr.Zero, ptr); // this line crashes hh.exe
String text = Marshal.PtrToStringAuto(item.pszText);
MessageBox.Show(text);
Marshal.FreeHGlobal(item.pszText);
Marshal.FreeHGlobal(ptr);
}
}
public Process GetProcess() {
if (process != null && !process.HasExited)
return process;
ptrTreeView = IntPtr.Zero;
process = Process.Start(chmFile);
Thread.Sleep(1000); // sleep a little to give the process time to open (otherwise cannot find the TreeView control)
return process;
}
public IntPtr GetTreeViewHandle() {
if (ptrTreeView != IntPtr.Zero && !process.HasExited)
return ptrTreeView;
var list = new List<IntPtr>();
Process p = GetProcess();
FindSysTreeView(p.MainWindowHandle, new Hashtable(), list);
if (list.Count == 0) {
return IntPtr.Zero;
}
ptrTreeView = list[0];
return ptrTreeView;
}
private static void FindSysTreeView(IntPtr p, Hashtable ht, List<IntPtr> list) {
var cn = GetClassName(p);
//var txt = GetWindowText(p);
if (cn == "SysTreeView32") {
if (!list.Contains(p))
list.Add(p);
}
if (ht[p] == null) {
ht[p] = p;
foreach (var c in GetChildWindows(p))
FindSysTreeView(c, ht, list);
}
}
public static String GetClassName(IntPtr hWnd) {
StringBuilder sb = new StringBuilder(256);
GetClassName(hWnd, sb, sb.Capacity);
return sb.ToString();
}
public static List<IntPtr> GetChildWindows(IntPtr parent) {
List<IntPtr> result = new List<IntPtr>();
GCHandle listHandle = GCHandle.Alloc(result);
try {
Win32Callback childProc = new Win32Callback(EnumWindow);
EnumChildWindows(parent, childProc, GCHandle.ToIntPtr(listHandle));
} finally {
if (listHandle.IsAllocated)
listHandle.Free();
}
return result;
}
private static bool EnumWindow(IntPtr handle, IntPtr pointer) {
GCHandle gch = GCHandle.FromIntPtr(pointer);
List<IntPtr> list = gch.Target as List<IntPtr>;
if (list == null)
throw new InvalidCastException("GCHandle Target could not be cast as List<IntPtr>");
list.Add(handle);
return true;
}
[DllImport("user32.dll")]
static extern int GetClassName(IntPtr hWnd, StringBuilder lpClassName, int nMaxCount);
[DllImport("user32.Dll")]
private static extern bool EnumChildWindows(IntPtr parentHandle, Win32Callback callback, IntPtr lParam);
private delegate bool Win32Callback(IntPtr hwnd, IntPtr lParam);
[DllImport("user32.dll")]
static extern IntPtr SendMessage(IntPtr hWnd, int Msg, IntPtr wParam, IntPtr lParam);
[DllImport("user32.dll")]
static extern IntPtr SendMessage(IntPtr hWnd, int Msg, int wParam, int lParam);
private const int TV_FIRST = 0x1100;
public enum TVM {
TVM_GETNEXTITEM = (TV_FIRST + 10),
TVM_GETITEMA = (TV_FIRST + 12),
TVM_GETITEM = (TV_FIRST + 62),
TVM_GETCOUNT = (TV_FIRST + 5),
TVM_SELECTITEM = (TV_FIRST + 11),
TVM_DELETEITEM = (TV_FIRST + 1),
TVM_EXPAND = (TV_FIRST + 2),
TVM_GETITEMRECT = (TV_FIRST + 4),
TVM_GETINDENT = (TV_FIRST + 6),
TVM_SETINDENT = (TV_FIRST + 7),
TVM_GETIMAGELIST = (TV_FIRST + 8),
TVM_SETIMAGELIST = (TV_FIRST + 9),
TVM_GETISEARCHSTRING = (TV_FIRST + 64),
TVM_HITTEST = (TV_FIRST + 17),
}
public enum TVGN {
TVGN_ROOT = 0x0,
TVGN_NEXT = 0x1,
TVGN_PREVIOUS = 0x2,
TVGN_PARENT = 0x3,
TVGN_CHILD = 0x4,
TVGN_FIRSTVISIBLE = 0x5,
TVGN_NEXTVISIBLE = 0x6,
TVGN_PREVIOUSVISIBLE = 0x7,
TVGN_DROPHILITE = 0x8,
TVGN_CARET = 0x9,
TVGN_LASTVISIBLE = 0xA
}
[Flags]
public enum TVIF {
TVIF_TEXT = 1,
TVIF_IMAGE = 2,
TVIF_PARAM = 4,
TVIF_STATE = 8,
TVIF_HANDLE = 16,
TVIF_SELECTEDIMAGE = 32,
TVIF_CHILDREN = 64,
TVIF_INTEGRAL = 0x0080,
TVIF_DI_SETITEM = 0x1000
}
[StructLayout(LayoutKind.Sequential)]
public struct TVITEMEX {
public uint mask;
public IntPtr hItem;
public uint state;
public uint stateMask;
public IntPtr pszText;
public int cchTextMax;
public int iImage;
public int iSelectedImage;
public int cChildren;
public IntPtr lParam;
public int iIntegral;
public uint uStateEx;
public IntPtr hwnd;
public int iExpandedImage;
public int iReserved;
}
[StructLayout(LayoutKind.Sequential)]
public struct TVITEM {
public uint mask;
public IntPtr hItem;
public uint state;
public uint stateMask;
public IntPtr pszText;
public int cchTextMax;
public int iImage;
public int iSelectedImage;
public int cChildren;
public IntPtr lParam;
}
}
}
回答1:
Here is the code used to access the node text from a TreeView running in another process:
[DllImport("kernel32.dll")]
static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesRead);
[DllImport("kernel32.dll")]
public static extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint dwFreeType);
// privileges
const int PROCESS_CREATE_THREAD = 0x0002;
const int PROCESS_QUERY_INFORMATION = 0x0400;
const int PROCESS_VM_OPERATION = 0x0008;
const int PROCESS_VM_WRITE = 0x0020;
const int PROCESS_VM_READ = 0x0010;
// used for memory allocation
const uint MEM_COMMIT = 0x00001000;
const int MEM_DECOMMIT = 0x4000;
const uint MEM_RESERVE = 0x00002000;
const uint PAGE_READWRITE = 4;
///<summary>Returns the tree node information from another process.</summary>
///<param name="hwndItem">Handle to a tree node item.</param>
///<param name="hwndTreeView">Handle to a tree view control.</param>
///<param name="process">Process hosting the tree view control.</param>
private static NodeData AllocTest(Process process, IntPtr hwndTreeView, IntPtr hwndItem) {
// code based on article posted here: http://www.codingvision.net/miscellaneous/c-inject-a-dll-into-a-process-w-createremotethread
// handle of the process with the required privileges
IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, process.Id);
// Write TVITEM to memory
// Invoke TVM_GETITEM
// Read TVITEM from memory
var item = new TVITEMEX();
item.hItem = hwndItem;
item.mask = (int) (TVIF.TVIF_HANDLE | TVIF.TVIF_CHILDREN | TVIF.TVIF_TEXT);
item.cchTextMax = 1024;
item.pszText = VirtualAllocEx(procHandle, IntPtr.Zero, (uint) item.cchTextMax, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); // node text pointer
byte[] data = getBytes(item);
uint dwSize = (uint) data.Length;
IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); // TVITEM pointer
uint nSize = dwSize;
UIntPtr bytesWritten;
bool successWrite = WriteProcessMemory(procHandle, allocMemAddress, data, nSize, out bytesWritten);
var sm = SendMessage(hwndTreeView, (int) TVM.TVM_GETITEM, IntPtr.Zero, allocMemAddress);
UIntPtr bytesRead;
bool successRead = ReadProcessMemory(procHandle, allocMemAddress, data, nSize, out bytesRead);
UIntPtr bytesReadText;
byte[] nodeText = new byte[item.cchTextMax];
bool successReadText = ReadProcessMemory(procHandle, item.pszText, nodeText, (uint) item.cchTextMax, out bytesReadText);
bool success1 = VirtualFreeEx(procHandle, allocMemAddress, dwSize, MEM_DECOMMIT);
bool success2 = VirtualFreeEx(procHandle, item.pszText, (uint) item.cchTextMax, MEM_DECOMMIT);
var item2 = fromBytes<TVITEMEX>(data);
String name = Encoding.Unicode.GetString(nodeText);
int x = name.IndexOf('\0');
if (x >= 0)
name = name.Substring(0, x);
NodeData node = new NodeData();
node.Text = name;
node.HasChildren = (item2.cChildren == 1);
return node;
}
public class NodeData {
public String Text { get; set; }
public bool HasChildren { get; set; }
}
private static byte[] getBytes(Object item) {
int size = Marshal.SizeOf(item);
byte[] arr = new byte[size];
IntPtr ptr = Marshal.AllocHGlobal(size);
Marshal.StructureToPtr(item, ptr, true);
Marshal.Copy(ptr, arr, 0, size);
Marshal.FreeHGlobal(ptr);
return arr;
}
private static T fromBytes<T>(byte[] arr) {
T item = default(T);
int size = Marshal.SizeOf(item);
IntPtr ptr = Marshal.AllocHGlobal(size);
Marshal.Copy(arr, 0, ptr, size);
item = (T) Marshal.PtrToStructure(ptr, typeof(T));
Marshal.FreeHGlobal(ptr);
return item;
}
// Note: different layouts required depending on OS versions.
// https://msdn.microsoft.com/en-us/library/windows/desktop/bb773459%28v=vs.85%29.aspx
[StructLayout(LayoutKind.Sequential)]
public struct TVITEMEX {
public uint mask;
public IntPtr hItem;
public uint state;
public uint stateMask;
public IntPtr pszText;
public int cchTextMax;
public int iImage;
public int iSelectedImage;
public int cChildren;
public IntPtr lParam;
public int iIntegral;
public uint uStateEx;
public IntPtr hwnd;
public int iExpandedImage;
public int iReserved;
}
来源:https://stackoverflow.com/questions/27682170/sendmessage-treeview-tvm-getitem-crashes-that-process