Revealing Hidden Texts
A long time ago I came across a utility that could expose text (normally passwords) masked with asterisks. It was hard to imagine how that was implemented, but now I think I can try to implement it.
The process is normally to get the handle of the control/window just below the cursor and issue a SendMessage call that makes it reveal the text. Let’s get started.
Create a new project. Add two textBoxes to the form, named txtXPos and txtYPos, which will hold the X and Y co-ordinates of the cursor position. You may choose to make them right-aligned. Add three labels to describe the boxes (see the picture). We will populate these boxes with the appropriate co-ordinates in the MouseMove event.

Before we start, note that the X and Y co-ordinates passed to the MouseMove event are relative to the top-left of the form, and the unit is not pixels. To get the co-ordinates in pixels relative to the top-left of the screen, we would need either to calculate them mathematically or to call the Windows API function GetCursorPos. We will do it the latter way, as the former can give false results (I calculated the co-ordinates to be txtXPos = (Form1.Left + X) / 15 + 4 and txtYPos = (Form1.Top + Y) / 15 + 23; the zero-error of 4,23 may vary for different systems/resolutions, I suspect).
Copy the code below to the code section of form.
Private Declare Function GetCursorPos Lib "user32" (ByRef lpPoint As POINT) As Long
Private Type POINT
    X As Long
    Y As Long
End Type
Private Sub Form_MouseMove(Button As Integer, Shift As Integer, X As Single, Y As Single)
    Dim lpMousePos As POINT
    GetCursorPos lpMousePos
    txtXPos = lpMousePos.X
    txtYPos = lpMousePos.Y
End Sub
The API function GetCursorPos takes as its parameter a reference to a variable of datatype POINT (which itself needs to be defined, as in the lines following the API declaration) and populates it with the current position of the mouse on screen.
In the MouseMove event we have defined a variable of datatype POINT, which then receives the cursor position. The text fields are then populated from it.
Execute the code and see the result.
When you move the mouse, the screen co-ordinates are displayed in the relevant textboxes and keep changing as the mouse moves.
But the co-ordinates stop changing when the mouse moves out of the form area. That’s because the MouseMove event stops firing once the mouse has left the form. However, if you click in the form area and drag out of the form, the co-ordinates keep changing. That’s how the utilities mentioned at the top worked: they make you click and drag some icon to the other window.
Add a textBox named txtHandle and a label describing it. Add this function declaration to the code
Private Declare Function WindowFromPoint Lib "user32" (ByVal PosX As Long, _
    ByVal PosY As Long) As Long
and the line below in Form_MouseMove
txtHandle = WindowFromPoint(lpMousePos.X, lpMousePos.Y)

Now txtHandle is populated with the handle of the window/control over which the cursor is currently positioned. After getting the handle we only need to reveal the password, for which we issue SendMessage with EM_SETPASSWORDCHAR.
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, _
    ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Any) As Long
Private Const EM_SETPASSWORDCHAR = &HCC
Add the line below to the MouseMove event code.
SendMessage txtHandle, EM_SETPASSWORDCHAR, 0, ""
When you drag and move the cursor to a textbox (of another application) containing masked text, this line removes the masking by resetting the PasswordChar property of the textBox used for accepting the password (normally set to “*” to show asterisks instead of the text characters).
Let me rewrite the complete code.
' API declarations: cursor position, window under a point, message sending
Private Declare Function GetCursorPos Lib "user32" (ByRef lpPoint As POINT) As Long
Private Declare Function WindowFromPoint Lib "user32" (ByVal PosX As Long, _
    ByVal PosY As Long) As Long
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, _
    ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Any) As Long
' Screen co-ordinates in pixels, filled in by GetCursorPos
Private Type POINT
    X As Long
    Y As Long
End Type
Private Const EM_SETPASSWORDCHAR = &HCC
Private Sub Form_MouseMove(Button As Integer, Shift As Integer, X As Single, Y As Single)
    Dim lpMousePos As POINT
    ' Read the cursor position relative to the top-left of the screen
    GetCursorPos lpMousePos
    txtXPos = lpMousePos.X
    txtYPos = lpMousePos.Y
    ' Handle of the window/control currently under the cursor
    txtHandle = WindowFromPoint(lpMousePos.X, lpMousePos.Y)
    ' wParam = 0 resets the password character of that control
    SendMessage txtHandle, EM_SETPASSWORDCHAR, 0, ""
End Sub
PS: The code shown here is a security threat for systems holding important text under asterisk masks. Thankfully Microsoft has handled the issue, and the code no longer works on Windows 2000 and above. Those who are using earlier versions of Windows should avoid the “Save Password” facility of Dial-up connections and of other apps such as “Outlook/Express”.
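A defensive counterpart to the code above, as an added example that is not part of the original post: an application can subclass its own password box and drop EM_SETPASSWORDCHAR when the message arrives from another thread or process. The names ProtectPasswordBox, UnprotectPasswordBox, PasswordBoxProc and txtPassword are assumptions for illustration, and the code must live in a standard module (.bas) because AddressOf requires one.

```vb
' Standard module (.bas). Added example; all procedure names are hypothetical.
Option Explicit

Private Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" _
    (ByVal hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" _
    (ByVal lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal Msg As Long, _
    ByVal wParam As Long, ByVal lParam As Long) As Long
Private Declare Function InSendMessage Lib "user32" () As Long

Private Const GWL_WNDPROC As Long = -4
Private Const EM_SETPASSWORDCHAR As Long = &HCC

Private m_hWnd As Long      ' the protected password box
Private m_OldProc As Long   ' its original window procedure

' Call from Form_Load, e.g.  ProtectPasswordBox txtPassword.hWnd
Public Sub ProtectPasswordBox(ByVal hwnd As Long)
    If m_OldProc <> 0 Then Exit Sub          ' already installed
    m_hWnd = hwnd
    m_OldProc = SetWindowLong(hwnd, GWL_WNDPROC, AddressOf PasswordBoxProc)
End Sub

' Call from Form_Unload so the original procedure is restored
Public Sub UnprotectPasswordBox()
    If m_OldProc = 0 Then Exit Sub
    SetWindowLong m_hWnd, GWL_WNDPROC, m_OldProc
    m_OldProc = 0
End Sub

Public Function PasswordBoxProc(ByVal hwnd As Long, ByVal uMsg As Long, _
    ByVal wParam As Long, ByVal lParam As Long) As Long
    ' InSendMessage is non-zero only while handling a message that another
    ' thread sent with SendMessage; the form's own code runs on this thread.
    If uMsg = EM_SETPASSWORDCHAR And InSendMessage() <> 0 Then
        PasswordBoxProc = 0                  ' ignore: masking stays in place
        Exit Function
    End If
    ' Everything else goes to the original edit-control procedure
    PasswordBoxProc = CallWindowProc(m_OldProc, hwnd, uMsg, wParam, lParam)
End Function
```

The filter covers only messages sent from another thread or process, which is exactly the SendMessage call shown in this post; the form can still change its own PasswordChar property.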



good blog
automatische Türschließer
September 16, 2007 at 6:03 am
Thanks!
Jalaj
April 17, 2007 at 4:11 am
Nice blog!
Livette
April 16, 2007 at 11:42 pm