Keypress and what will happen then?

[trodas]

I do wonder, how hard is to change the program behaviour on keypress. I mean simple unpacked Win32 application. When I did not like the behaviour on, for example F1 keypress, it is possible to do something in ResourceHacker or similar to replace the "F1 keypess input" as to behave the same, when I hit F2 key, for example?
I just wonder how hard this is to do... Meaning - if I can do it. Or how hard is the input change on Win programs in general (Win2k)

[Av0id]

as always the way you go depends on target, it can be accelerator-keys and they're defined in resources (link) or just registered as hotkeys (link) or something else

[deepzero]

or grabbed directly from the window's callback.

[|roe]

In K&R (ANSI) C you find an explanation about this in the following (adapted by me a bit) form:

Quote:

Originally Posted by K&R

Before offering CR (Carriage Return) to the Operating System all your keystrokes will be stored in a buffer. Since each key is mapped in ASCII to a hexadecimal code, these values will be stored in the specified buffer before. The reason why it is easy to compare plain values to keystrokes (here it was about buffer['character'-0]). After hitting Enter (Carriage Return), the syscall will be triggered and the OS's kernel will perform it's task on the buffer, fetching the data and executing on it.

Something like that :-) So I guess for a keylogger, it will sit in between the Kernel and the Keyboard, grabbing data detected, or at least, hooking up to some specific functions/API that provide keypress data to it. The rest, is left to your imagination to do with this knowledge.

More (Linux topic):
[1] Keyboard generalities - http://www.tldp.org/HOWTO/Keyboard-and-Console-HOWTO-2.html
[2] Interrupt Handlers (Kernel specific) - http://www.tldp.org/LDP/lkmpg/2.4/html/x1210.html

[RedBlkJck]

I would think it would be hard coded in the app and not in the resources. Track down the KeyDown event and change the push value (key code) before it to the key code you want to use. Function keys shouldn't be a problem but on some notebooks the BIOS can have other virtual keys locked. Use a program called AquaKeyTest if you need to see how your keyboard is mapped with the OS. It will return the key code of the key you pressed. Small Freeware app - attached

[RedBlkJck]

Just to clarify. It could easily be located in the resources also. Got to consider what programming lang and how the author implemented it. If in the resources it may be listed as a 'ShortCut' with a decimal value. F1 key should be 112d 70h

[trodas]

Damn, I can't understand the thread now.

Av0id - interestinf links, however I have no real idea, how can help me out that I know, that, for example, this code do the F1 keypress:

Quote:

VK_F1, IDDCLEAR, VIRTKEY ; F1
VK_F1, IDDSTAR, CONTROL, VIRTKEY ; control F1
VK_F1, IDDELLIPSE, SHIFT, VIRTKEY ; shift F1
VK_F1, IDDRECT, ALT, VIRTKEY ; alt F1

Also it is great to know, that using the User32.dll can be handled by simple code, these keypreses in Win:

Quote:

#include "stdafx.h"
...
if (RegisterHotKey(
...
MOD_ALT | MOD_NOREPEAT,
0x42)) //0x42 is 'b'

...however chage the key in already compiled program is what I looking for. And this did not seems to provide any answer to me...


|roe - interesting keylogger idea, however I did not looking for that. Yet thanks for the good explaination on how this works on almost HW level.


RedBlkJck -

Quote:

I would think it would be hard coded in the app and not in the resources.

How can I make sure about this?

Quote:

Track down the KeyDown event and change the push value (key code) before it to the key code you want to use. Function keys shouldn't be a problem

Sounds fairly simple. Now I would like to start with very simple change and then move to more problematic one

Quote:

It could easily be located in the resources also.

If I opened the exe in ResHacker and search for the "shortcut" and find only strings like this:

Quote:

STRINGTABLE
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
{
...
167, "Creating shortcuts"

...then it is not in the resources, right?

[Av0id]

trodas, in olly search for all intermodular calls and then search for provided API's, and check code against keycodes, i'll do it as

[RedBlkJck]

What is the app compiled with?

If the app is looking for hard coded, try searching for 'Push 70' Push and then the hex num of the keycode. There should be an api call afterward that is for the keyboard like GetKeyState.

In the resources. Since you are looking for F1 and this is normally for the Help screen, look for the reference to the MainMenu. If it's not opening the Help screen, look for the window in which F1 can be pressed ie the main form. Give PE Explorer a try, I find it a little easier to sort through the resources.

[athapa]

I'm not sure about editing resources to change shortcut.

You can probably use a system wide keyboard hook. So in your example if you want keypress F2 to behave as F1 then once you detect F2 keypress, you will send F1 keypress message.

Not the perfect example but this may be helpful:
http://www.codeproject.com/Articles/6362/Global-System-Hooks-in-NET

[piccolo]

Also check out the msdn online library it is THE reference you need:
msdn.microsoft.com/en-us/library/windows/desktop/ms644985(v=vs.85).aspx
and also on codeproject: www.codeproject.com/Articles/1264/KeyBoard-Hooks
The SetWindowsHookEx routine. Be aware that you need a 64 bit version AND a 32 bit version if you want to run it on a 64 bit windows, otherwise you are not able to hook the 32 bits programs. Anyway codeproject has a whole set on hooks: www.codeproject.com/KB/DLL/#Hooks
Have fun with it, it is not that difficult...
I suggest that if you only want to hook the keyboard to not use dll injection of lower level api hooking. This may trigger antivirus programs and bock your program.

if your application compiled by delphi , its very easily to change the shortcut keys by edit it with any resourcers , but its better to use pe explorer , you could change keys in properties