-
-
[原创]手工消息断点的一个小例子
-
2010-4-4 15:00 8793
-
一直对消息机制很感兴趣
涉及
1。消息过程
2。消息记录断点
3。在调试的过程中捕捉消息
4。欺骗消息过程
用一个小对话框来看看
代码
#include "stdafx.h"
LRESULT CALLBACK PwdWindow(HWND, UINT, WPARAM, LPARAM);
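int APIENTRY _tWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, int nCmdShow)
{
    // Entry point of the demo: registers the "@PWDWIN@" class, builds the
    // password window (a password-style EDIT plus OK/Cancel buttons) and runs
    // the GetMessage/TranslateMessage/DispatchMessage loop until PwdWindow
    // calls PostQuitMessage.
    //
    // Parameters follow the WinMain contract; hPrevInstance and lpCmdLine are
    // unused and nCmdShow is ignored in favour of SW_SHOW, as in the original.
    // Returns 0 when class registration or window creation fails, otherwise
    // the WM_QUIT exit code (always 0 here, since PwdWindow posts 0).
    (void)hPrevInstance;
    (void)lpCmdLine;
    (void)nCmdShow;

    WNDCLASSEX wcex;
    (void)memset(&wcex, 0x00, sizeof(WNDCLASSEX));
    wcex.cbSize        = sizeof(WNDCLASSEX);
    wcex.style         = CS_HREDRAW | CS_VREDRAW;
    wcex.lpfnWndProc   = PwdWindow;
    wcex.hInstance     = hInstance;   // was left NULL; window classes are looked up per module
    wcex.hCursor       = LoadCursor(NULL, IDC_ARROW);
    wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW + 2);   // kept as written; COLOR_WINDOW + 1 is the usual idiom
    wcex.lpszClassName = "@PWDWIN@";
    if (!RegisterClassEx(&wcex))
        return 0;   // previously unchecked; CreateWindow below cannot succeed with an unregistered class

    HWND hWnd = CreateWindow("@PWDWIN@",
                             " Type the password ...",
                             WS_OVERLAPPED,
                             GetSystemMetrics(SM_CXSCREEN) / 2 - 100,
                             GetSystemMetrics(SM_CYSCREEN) / 2 - 75,
                             200, 150,
                             NULL, NULL, hInstance, NULL);
    if (!hWnd)
        return 0;

    // Child control ids: 10123 = OK, 10456 = Cancel, 10789 = password EDIT.
    // PwdWindow dispatches WM_COMMAND on these same numbers.
    CreateWindow("BUTTON", "OK", WS_CHILD | WS_VISIBLE | BS_TEXT,
                 10, 80, 70, 30, hWnd, (HMENU)10123, hInstance, NULL);
    CreateWindow("BUTTON", "Cancel", WS_CHILD | WS_VISIBLE | BS_TEXT,
                 110, 80, 70, 30, hWnd, (HMENU)10456, hInstance, NULL);
    HWND hEdit = CreateWindow("EDIT", NULL,
                              WS_CHILD | WS_VISIBLE | WS_BORDER | ES_PASSWORD | ES_AUTOHSCROLL,
                              10, 20, 170, 25, hWnd, (HMENU)10789, hInstance, NULL);

    ShowWindow(hWnd, SW_SHOW);
    UpdateWindow(hWnd);
    SetFocus(hEdit);

    MSG msg;
    (void)memset(&msg, 0x00, sizeof(msg));   // msg.wParam is read after the loop even if it never ran
    for (;;)
    {
        const BOOL got = GetMessage(&msg, NULL, 0, 0);
        if (got == 0)
            break;   // WM_QUIT: msg.wParam carries the PostQuitMessage exit code
        if (got == -1)
            break;   // GetMessage error; the original `while (GetMessage(...))` spun forever on -1
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }

    // The original called exit(0) whenever msg.wParam was 0, which is always
    // the case (PwdWindow posts 0), so its DestroyWindow call was unreachable.
    DestroyWindow(hWnd);
    return (int)msg.wParam;
}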
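LRESULT CALLBACK PwdWindow(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    // Window procedure of the password window.
    //
    // Only WM_COMMAND is handled: the OK button (id 10123) reads the EDIT
    // control (id 10789) and compares it with the fixed password, the Cancel
    // button (id 10456) posts WM_QUIT. Every other message goes to
    // DefWindowProc. Returns 0 for WM_COMMAND (including unknown ids, as in
    // the original), otherwise DefWindowProc's result.
    enum { ID_OK = 10123, ID_CANCEL = 10456, ID_PASSWORD_EDIT = 10789 };

    if (message != WM_COMMAND)
        return DefWindowProc(hWnd, message, wParam, lParam);

    switch (LOWORD(wParam))   // low word = control id, high word = notification code
    {
    case ID_OK:
    {
        char pwd[32];
        (void)memset(pwd, 0x00, sizeof(pwd));
        // GetWindowText copies at most sizeof(pwd) - 1 characters plus the terminator.
        GetWindowText(GetDlgItem(hWnd, ID_PASSWORD_EDIT), pwd, (int)sizeof(pwd));
        // The reference password is a plain string literal, so it is stored
        // verbatim in the executable's data section (the disassembly in this
        // article shows it as ASCII "123456"); real code would compare a
        // salted hash rather than the cleartext.
        const bool matches = (strcmp(pwd, "123456") == 0);
        // Wipe the typed password before the buffer goes out of scope so it
        // does not linger on the stack; SecureZeroMemory is not optimised away.
        SecureZeroMemory(pwd, sizeof(pwd));
        if (matches)
            MessageBox(hWnd, "Right password.", "Password", MB_OK);
        else
            MessageBox(hWnd, "Sorry! Wrong password.", "Password", MB_ICONERROR);
        break;
    }
    case ID_CANCEL:
        PostQuitMessage(0);
        break;
    default:
        break;
    }
    return 0;
}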
GetMessage 取出消息放入 &msg
TranslateMessage 对 &msg 做一下转换处理
DispatchMessage 将 &msg 发送给消息处理函数 PwdWindow
》》如图1
Msg结构为
tagMSG struc ; (sizeof=0x1C)
00000000 hwnd dd ? ; offset
00000004 message dd ?
00000008 wParam dd ?
0000000C lParam dd ?
00000010 time dd ?
00000014 pt POINT ?
0000001C tagMSG ends
我们实际操作验证一下
1)对DispatchMessageA 下条件记录断点
如图2
》》
dispatchMessageA log
》》F9
log窗口观察生成很多记录
如下
Log data
地址 消息
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C1) wParam = 11 lParam = 1009EA
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0CC) hw = 1B097C ("CicMarshalWndMOKB") wParam = 0 lParam = 0
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 103. Y = 92.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_PAINT hw = 100AA8 (" Type the password ...")
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_PAINT hw = F0A0A ("OK")
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_PAINT hw = F0A22 ("Cancel")
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 103. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_PAINT hw = F0A94 (class="Edit")
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_TIMER hw = F0A60 ("M") ID = 1 Callback = 0
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 102. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 98. Y = 90.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 87. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 83. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 82. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 81. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 68. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 66. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 64. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 63. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 62. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 61. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 60. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 61. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 66. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 80. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 82. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 87. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 89. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 95. Y = 92.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 98. Y = 92.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 100. Y = 92.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 103. Y = 92.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 105. Y = 92.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 109. Y = 92.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 2. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 7. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 9. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 10. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 13. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 18. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 19. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 20. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 21. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 22. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 21. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 19. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 13. Y = 13.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 2. Y = 14.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 103. Y = 94.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 94. Y = 94.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 88. Y = 94.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 83. Y = 94.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 68. Y = 14.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 64. Y = 15.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 62. Y = 16.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 56. Y = 15.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 53. Y = 15.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 48. Y = 16.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 47. Y = 16.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 46. Y = 16.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_LBUTTONDOWN hw = F0A0A ("OK") Keys = MK_LBUTTON X = 46. Y = 16.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C1) wParam = 11 lParam = F0A0A
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0CC) hw = 1B097C ("CicMarshalWndMOKB") wParam = 0 lParam = 0
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_LBUTTONUP hw = F0A0A ("OK") Keys = 0 X = 46. Y = 16.
》》观察到
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 46. Y = 16.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_LBUTTONDOWN hw = F0A0A ("OK") Keys = MK_LBUTTON
Log data, 条目 3
消息= pMsg = WM_LBUTTONUP hw = F0A0A ("OK") Keys = 0 X = 51. Y = 17.
0042D857 |. 50 |push eax ; /pMsg
0042D858 |. FF15 BC744900 |call dword ptr <&USER32.DispatchMessageA>] ; \DispatchMessageA
[esp+4] 指向 tagMSG，存放系统收到的消息；[[esp+4]+4] 即 message 字段（消息代码）。
因此将表达式改为 [[esp+4]+4] 再运行
Log中
>>图4
上图的00000202是不是很眼熟啊
对了,就是WM_LBUTTONUP
2)最终改记录条件断点
>>图5
结果如下
》》图6
输入密码后按下ok键
断在 user32 领空
77D196B8 > 8BFF mov edi, edi ; ntdll.7C92E920
77D196BA 55 push ebp
77D196BB 8BEC mov ebp, esp
77D196BD 6A 01 push 1
77D196BF FF75 08 push dword ptr [ebp+8]
77D196C2 E8 2AF2FFFF call 77D188F1
77D196C7 5D pop ebp
77D196C8 C2 0400 retn 4
堆栈内容为
0012FE50 0042D85E /CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
0012FE54 0012FEDC \pMsg = WM_LBUTTONUP hw = 120616 ("OK") Keys = 0 X = 55. Y = 17.
可以看到 DispatchMessageA 发送了 WM_LBUTTONUP，句柄 hw = 120616 ("OK") 即 OK 按钮；这个句柄值并不固定，原因这里不展开。
有兴趣的话可以看看 msg 结构在内存中的情况，怎么看呢？
0012FE54 0012FEDC \pMsg = WM_LBUTTONUP hw = 120616 ("OK") Keys = 0 X = 55. Y = 17.
0012FEDC 即 msg 结构在内存中的首地址
Dd 0012FEDC
》》图7
0012FEDC 00120616 . --》hwnd===120616
0012FEE0 00000202 .. --》message==202= WM_LBUTTONUP
0012FEE4 00000000 .... --》wParam
0012FEE8 00110037 7. . --》lParam
0012FEEC 01AEB9FD ? --》time
0012FEF0 000001E0 ?.. --》POINT
4)要返回代码
Alt+m对00400000到00498000下F2再按F9
断在42c2f2
Jmp 42d8f0
0042D8F0 即消息处理函数 PwdWindow 的入口
后面我就不多说了。（注意 0042D9A0 处的 nop / add bh, bh / adc eax 几条是字节 90 00 FF15 90744900 的错位反汇编，后半部分 FF15 90744900 与下面 0042D9C4 处的 call PostQuitMessage 完全相同；这与上面贴出的源码中错误密码分支并不一致，应是另一版本或已被改动过的二进制。）
0042D8F0 /> \55 push ebp ; winmain
0042D8F1 |. 8BEC mov ebp, esp
0042D8F3 |. 83EC 6C sub esp, 6C
0042D8F6 |. A1 10304900 mov eax, dword ptr [493010]
0042D8FB |. 33C5 xor eax, ebp
0042D8FD |. 8945 FC mov dword ptr [ebp-4], eax
0042D900 |. 53 push ebx
0042D901 |. 56 push esi
0042D902 |. 57 push edi
0042D903 |. C745 F8 FFFFF>mov dword ptr [ebp-8], -1
0042D90A |. 8B45 0C mov eax, dword ptr [ebp+C]
0042D90D |. 8945 94 mov dword ptr [ebp-6C], eax
0042D910 |. 817D 94 11010>cmp dword ptr [ebp-6C], 111
0042D917 |. 74 05 je short 0042D91E
0042D919 |. E9 AE000000 jmp 0042D9CC
0042D91E |> 8B45 10 mov eax, dword ptr [ebp+10]
0042D921 |. 25 FFFF0000 and eax, 0FFFF
0042D926 |. 0FB7C8 movzx ecx, ax
0042D929 |. 894D F8 mov dword ptr [ebp-8], ecx
0042D92C |. 8B45 F8 mov eax, dword ptr [ebp-8]
0042D92F |. 8945 94 mov dword ptr [ebp-6C], eax
0042D932 |. 817D 94 8B270>cmp dword ptr [ebp-6C], 278B
0042D939 |. 74 0E je short 0042D949
0042D93B |. 817D 94 D8280>cmp dword ptr [ebp-6C], 28D8
0042D942 |. 74 7E je short 0042D9C2
0042D944 |. E9 81000000 jmp 0042D9CA
0042D949 |> 6A 20 push 20
0042D94B |. 6A 00 push 0
0042D94D |. 8D45 D8 lea eax, dword ptr [ebp-28]
0042D950 |. 50 push eax
0042D951 |. E8 F5DBFFFF call 0042B54B
0042D956 |. 83C4 0C add esp, 0C
0042D959 |. 6A 20 push 20 ; /Count = 20 (32.)
0042D95B |. 8D45 D8 lea eax, dword ptr [ebp-28] ; |
0042D95E |. 50 push eax ; |Buffer
0042D95F |. 68 252A0000 push 2A25 ; |/ControlID = 2A25 (10789.)
0042D964 |. 8B4D 08 mov ecx, dword ptr [ebp+8] ; ||
0042D967 |. 51 push ecx ; ||hWnd
0042D968 |. FF15 84744900 call dword ptr [<&USER32.GetDlgItem>] ; |\GetDlgItem
0042D96E |. 50 push eax ; |hWnd
0042D96F |. FF15 88744900 call dword ptr [<&USER32.GetWindowTextA>] ; \GetWindowTextA
0042D975 |. 68 EC3D4800 push 00483DEC ; ASCII "123456"
0042D97A |. 8D45 D8 lea eax, dword ptr [ebp-28]
0042D97D |. 50 push eax
0042D97E |. E8 B7DDFFFF call 0042B73A
0042D983 |. 83C4 08 add esp, 8
0042D986 |. 85C0 test eax, eax
0042D988 |. 74 20 je short 0042D9AA
0042D98A |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0042D98C |. 68 E03D4800 push 00483DE0 ; |Title = "Password"
0042D991 |. 68 C43D4800 push 00483DC4 ; |Text = "Sorry! Wrong password."
0042D996 |. 8B45 08 mov eax, dword ptr [ebp+8] ; |
0042D999 |. 50 push eax ; |hOwner
0042D99A |. FF15 8C744900 call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
0042D9A0 |. 90 nop
0042D9A1 |. 00FF add bh, bh
0042D9A3 |. 15 90744900 adc eax, <&USER32.PostQuitMessage>
0042D9A8 |. EB 16 jmp short 0042D9C0
0042D9AA |> 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0042D9AC |. 68 E03D4800 push 00483DE0 ; |Title = "Password"
0042D9B1 |. 68 B03D4800 push 00483DB0 ; |Text = "Right password."
0042D9B6 |. 8B45 08 mov eax, dword ptr [ebp+8] ; |
0042D9B9 |. 50 push eax ; |hOwner
0042D9BA |. FF15 8C744900 call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
0042D9C0 |> EB 08 jmp short 0042D9CA
0042D9C2 |> 6A 00 push 0 ; /ExitCode = 0
0042D9C4 |. FF15 90744900 call dword ptr [<&USER32.PostQuitMessage>] ; \PostQuitMessage
0042D9CA |> EB 18 jmp short 0042D9E4
0042D9CC |> 8B45 14 mov eax, dword ptr [ebp+14]
0042D9CF |. 50 push eax ; /lParam
0042D9D0 |. 8B4D 10 mov ecx, dword ptr [ebp+10] ; |
0042D9D3 |. 51 push ecx ; |wParam
0042D9D4 |. 8B55 0C mov edx, dword ptr [ebp+C] ; |
0042D9D7 |. 52 push edx ; |Message
0042D9D8 |. 8B45 08 mov eax, dword ptr [ebp+8] ; |
0042D9DB |. 50 push eax ; |hWnd
0042D9DC |. FF15 94744900 call dword ptr [<&USER32.DefWindowProcA>] ; \DefWindowProcA
0042D9E2 |. EB 02 jmp short 0042D9E6
0042D9E4 |> 33C0 xor eax, eax
0042D9E6 |> 5F pop edi
0042D9E7 |. 5E pop esi
0042D9E8 |. 5B pop ebx
0042D9E9 |. 8B4D FC mov ecx, dword ptr [ebp-4]
0042D9EC |. 33CD xor ecx, ebp
0042D9EE |. E8 C5D7FFFF call 0042B1B8
0042D9F3 |. 8BE5 mov esp, ebp
0042D9F5 |. 5D pop ebp
0042D9F6 \. C2 1000 retn 10
doc文档
dispatchMessageA log2.doc
-----------------------------------------------------------------------------------
欺骗消息过程
前面已经定位到 msg 的位置，只要我们在 DispatchMessage 前改写 msg 结构体，比如将 message 代码改为 WM_CLOSE，
调整
tagMSG struc ; (sizeof=0x1C)
00000000 hwnd dd ? ; offset
00000004 message dd ?
00000008 wParam dd ?
0000000C lParam dd ?
00000010 time dd ?
00000014 pt POINT ?
0000001C tagMSG ends
，就可以达到我们关闭窗口的要求，消息过程受到欺骗。
或者对此溢出攻击。
-----------------------------------------------------------------------------------
本人承接工作,或加盟团队 有意者联系
qq:584401165
涉及
1。消息过程
2。消息记录断点
3。在调试的过程中捕捉消息
4。欺骗消息过程
用一个小对话框来看看
代码
#include "stdafx.h"
LRESULT CALLBACK PwdWindow(HWND, UINT, WPARAM, LPARAM);
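int APIENTRY _tWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, int nCmdShow)
{
    // Entry point of the demo: registers the "@PWDWIN@" class, builds the
    // password window (a password-style EDIT plus OK/Cancel buttons) and runs
    // the GetMessage/TranslateMessage/DispatchMessage loop until PwdWindow
    // calls PostQuitMessage.
    //
    // Parameters follow the WinMain contract; hPrevInstance and lpCmdLine are
    // unused and nCmdShow is ignored in favour of SW_SHOW, as in the original.
    // Returns 0 when class registration or window creation fails, otherwise
    // the WM_QUIT exit code (always 0 here, since PwdWindow posts 0).
    (void)hPrevInstance;
    (void)lpCmdLine;
    (void)nCmdShow;

    WNDCLASSEX wcex;
    (void)memset(&wcex, 0x00, sizeof(WNDCLASSEX));
    wcex.cbSize        = sizeof(WNDCLASSEX);
    wcex.style         = CS_HREDRAW | CS_VREDRAW;
    wcex.lpfnWndProc   = PwdWindow;
    wcex.hInstance     = hInstance;   // was left NULL; window classes are looked up per module
    wcex.hCursor       = LoadCursor(NULL, IDC_ARROW);
    wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW + 2);   // kept as written; COLOR_WINDOW + 1 is the usual idiom
    wcex.lpszClassName = "@PWDWIN@";
    if (!RegisterClassEx(&wcex))
        return 0;   // previously unchecked; CreateWindow below cannot succeed with an unregistered class

    HWND hWnd = CreateWindow("@PWDWIN@",
                             " Type the password ...",
                             WS_OVERLAPPED,
                             GetSystemMetrics(SM_CXSCREEN) / 2 - 100,
                             GetSystemMetrics(SM_CYSCREEN) / 2 - 75,
                             200, 150,
                             NULL, NULL, hInstance, NULL);
    if (!hWnd)
        return 0;

    // Child control ids: 10123 = OK, 10456 = Cancel, 10789 = password EDIT.
    // PwdWindow dispatches WM_COMMAND on these same numbers.
    CreateWindow("BUTTON", "OK", WS_CHILD | WS_VISIBLE | BS_TEXT,
                 10, 80, 70, 30, hWnd, (HMENU)10123, hInstance, NULL);
    CreateWindow("BUTTON", "Cancel", WS_CHILD | WS_VISIBLE | BS_TEXT,
                 110, 80, 70, 30, hWnd, (HMENU)10456, hInstance, NULL);
    HWND hEdit = CreateWindow("EDIT", NULL,
                              WS_CHILD | WS_VISIBLE | WS_BORDER | ES_PASSWORD | ES_AUTOHSCROLL,
                              10, 20, 170, 25, hWnd, (HMENU)10789, hInstance, NULL);

    ShowWindow(hWnd, SW_SHOW);
    UpdateWindow(hWnd);
    SetFocus(hEdit);

    MSG msg;
    (void)memset(&msg, 0x00, sizeof(msg));   // msg.wParam is read after the loop even if it never ran
    for (;;)
    {
        const BOOL got = GetMessage(&msg, NULL, 0, 0);
        if (got == 0)
            break;   // WM_QUIT: msg.wParam carries the PostQuitMessage exit code
        if (got == -1)
            break;   // GetMessage error; the original `while (GetMessage(...))` spun forever on -1
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }

    // The original called exit(0) whenever msg.wParam was 0, which is always
    // the case (PwdWindow posts 0), so its DestroyWindow call was unreachable.
    DestroyWindow(hWnd);
    return (int)msg.wParam;
}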
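LRESULT CALLBACK PwdWindow(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    // Window procedure of the password window.
    //
    // Only WM_COMMAND is handled: the OK button (id 10123) reads the EDIT
    // control (id 10789) and compares it with the fixed password, the Cancel
    // button (id 10456) posts WM_QUIT. Every other message goes to
    // DefWindowProc. Returns 0 for WM_COMMAND (including unknown ids, as in
    // the original), otherwise DefWindowProc's result.
    enum { ID_OK = 10123, ID_CANCEL = 10456, ID_PASSWORD_EDIT = 10789 };

    if (message != WM_COMMAND)
        return DefWindowProc(hWnd, message, wParam, lParam);

    switch (LOWORD(wParam))   // low word = control id, high word = notification code
    {
    case ID_OK:
    {
        char pwd[32];
        (void)memset(pwd, 0x00, sizeof(pwd));
        // GetWindowText copies at most sizeof(pwd) - 1 characters plus the terminator.
        GetWindowText(GetDlgItem(hWnd, ID_PASSWORD_EDIT), pwd, (int)sizeof(pwd));
        // The reference password is a plain string literal, so it is stored
        // verbatim in the executable's data section (the disassembly in this
        // article shows it as ASCII "123456"); real code would compare a
        // salted hash rather than the cleartext.
        const bool matches = (strcmp(pwd, "123456") == 0);
        // Wipe the typed password before the buffer goes out of scope so it
        // does not linger on the stack; SecureZeroMemory is not optimised away.
        SecureZeroMemory(pwd, sizeof(pwd));
        if (matches)
            MessageBox(hWnd, "Right password.", "Password", MB_OK);
        else
            MessageBox(hWnd, "Sorry! Wrong password.", "Password", MB_ICONERROR);
        break;
    }
    case ID_CANCEL:
        PostQuitMessage(0);
        break;
    default:
        break;
    }
    return 0;
}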
GetMessage 取出消息放入 &msg
TranslateMessage 对 &msg 做一下转换处理
DispatchMessage 将 &msg 发送给消息处理函数 PwdWindow
》》如图1
Msg结构为
tagMSG struc ; (sizeof=0x1C)
00000000 hwnd dd ? ; offset
00000004 message dd ?
00000008 wParam dd ?
0000000C lParam dd ?
00000010 time dd ?
00000014 pt POINT ?
0000001C tagMSG ends
我们实际操作验证一下
1)对DispatchMessageA 下条件记录断点
如图2
》》
dispatchMessageA log
》》F9
log窗口观察生成很多记录
如下
Log data
地址 消息
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C1) wParam = 11 lParam = 1009EA
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0CC) hw = 1B097C ("CicMarshalWndMOKB") wParam = 0 lParam = 0
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 103. Y = 92.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_PAINT hw = 100AA8 (" Type the password ...")
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_PAINT hw = F0A0A ("OK")
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_PAINT hw = F0A22 ("Cancel")
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 103. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_PAINT hw = F0A94 (class="Edit")
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_TIMER hw = F0A60 ("M") ID = 1 Callback = 0
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 102. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 98. Y = 90.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 87. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 83. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 82. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 81. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 68. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 66. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 64. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 63. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 62. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 61. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 60. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 61. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 66. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 80. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 82. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 87. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 89. Y = 91.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 95. Y = 92.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 98. Y = 92.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 100. Y = 92.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 103. Y = 92.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 105. Y = 92.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 109. Y = 92.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 2. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 7. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 9. Y = 12.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 10. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 13. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 18. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 19. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 20. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 21. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 22. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 21. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 19. Y = 11.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 13. Y = 13.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 2. Y = 14.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 103. Y = 94.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 94. Y = 94.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 88. Y = 94.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 83. Y = 94.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 68. Y = 14.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 64. Y = 15.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 62. Y = 16.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 56. Y = 15.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 53. Y = 15.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 48. Y = 16.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 47. Y = 16.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 46. Y = 16.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_LBUTTONDOWN hw = F0A0A ("OK") Keys = MK_LBUTTON X = 46. Y = 16.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C1) wParam = 11 lParam = F0A0A
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0CC) hw = 1B097C ("CicMarshalWndMOKB") wParam = 0 lParam = 0
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_LBUTTONUP hw = F0A0A ("OK") Keys = 0 X = 46. Y = 16.
》》观察到
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 46. Y = 16.
77D196B8 COND:
77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
pMsg = WM_LBUTTONDOWN hw = F0A0A ("OK") Keys = MK_LBUTTON
Log data, 条目 3
消息= pMsg = WM_LBUTTONUP hw = F0A0A ("OK") Keys = 0 X = 51. Y = 17.
0042D857 |. 50 |push eax ; /pMsg
0042D858 |. FF15 BC744900 |call dword ptr <&USER32.DispatchMessageA>] ; \DispatchMessageA
[esp+4] 指向 tagMSG，存放系统收到的消息；[[esp+4]+4] 即 message 字段（消息代码）。
因此将表达式改为 [[esp+4]+4] 再运行
Log中
>>图4
上图的00000202是不是很眼熟啊
对了,就是WM_LBUTTONUP
2)最终改记录条件断点
>>图5
结果如下
》》图6
输入密码后按下ok键
断在 user32 领空
77D196B8 > 8BFF mov edi, edi ; ntdll.7C92E920
77D196BA 55 push ebp
77D196BB 8BEC mov ebp, esp
77D196BD 6A 01 push 1
77D196BF FF75 08 push dword ptr [ebp+8]
77D196C2 E8 2AF2FFFF call 77D188F1
77D196C7 5D pop ebp
77D196C8 C2 0400 retn 4
堆栈内容为
0012FE50 0042D85E /CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858
0012FE54 0012FEDC \pMsg = WM_LBUTTONUP hw = 120616 ("OK") Keys = 0 X = 55. Y = 17.
可以看到 DispatchMessageA 发送了 WM_LBUTTONUP，句柄 hw = 120616 ("OK") 即 OK 按钮；这个句柄值并不固定，原因这里不展开。
有兴趣的话可以看看 msg 结构在内存中的情况，怎么看呢？
0012FE54 0012FEDC \pMsg = WM_LBUTTONUP hw = 120616 ("OK") Keys = 0 X = 55. Y = 17.
0012FEDC 即 msg 结构在内存中的首地址
Dd 0012FEDC
》》图7
0012FEDC 00120616 . --》hwnd===120616
0012FEE0 00000202 .. --》message==202= WM_LBUTTONUP
0012FEE4 00000000 .... --》wParam
0012FEE8 00110037 7. . --》lParam
0012FEEC 01AEB9FD ? --》time
0012FEF0 000001E0 ?.. --》POINT
4)要返回代码
Alt+m对00400000到00498000下F2再按F9
断在42c2f2
Jmp 42d8f0
0042D8F0 即消息处理函数 PwdWindow 的入口
后面我就不多说了。
0042D8F0 /> \55 push ebp ; winmain
0042D8F1 |. 8BEC mov ebp, esp
0042D8F3 |. 83EC 6C sub esp, 6C
0042D8F6 |. A1 10304900 mov eax, dword ptr [493010]
0042D8FB |. 33C5 xor eax, ebp
0042D8FD |. 8945 FC mov dword ptr [ebp-4], eax
0042D900 |. 53 push ebx
0042D901 |. 56 push esi
0042D902 |. 57 push edi
0042D903 |. C745 F8 FFFFF>mov dword ptr [ebp-8], -1
0042D90A |. 8B45 0C mov eax, dword ptr [ebp+C]
0042D90D |. 8945 94 mov dword ptr [ebp-6C], eax
0042D910 |. 817D 94 11010>cmp dword ptr [ebp-6C], 111
0042D917 |. 74 05 je short 0042D91E
0042D919 |. E9 AE000000 jmp 0042D9CC
0042D91E |> 8B45 10 mov eax, dword ptr [ebp+10]
0042D921 |. 25 FFFF0000 and eax, 0FFFF
0042D926 |. 0FB7C8 movzx ecx, ax
0042D929 |. 894D F8 mov dword ptr [ebp-8], ecx
0042D92C |. 8B45 F8 mov eax, dword ptr [ebp-8]
0042D92F |. 8945 94 mov dword ptr [ebp-6C], eax
0042D932 |. 817D 94 8B270>cmp dword ptr [ebp-6C], 278B
0042D939 |. 74 0E je short 0042D949
0042D93B |. 817D 94 D8280>cmp dword ptr [ebp-6C], 28D8
0042D942 |. 74 7E je short 0042D9C2
0042D944 |. E9 81000000 jmp 0042D9CA
0042D949 |> 6A 20 push 20
0042D94B |. 6A 00 push 0
0042D94D |. 8D45 D8 lea eax, dword ptr [ebp-28]
0042D950 |. 50 push eax
0042D951 |. E8 F5DBFFFF call 0042B54B
0042D956 |. 83C4 0C add esp, 0C
0042D959 |. 6A 20 push 20 ; /Count = 20 (32.)
0042D95B |. 8D45 D8 lea eax, dword ptr [ebp-28] ; |
0042D95E |. 50 push eax ; |Buffer
0042D95F |. 68 252A0000 push 2A25 ; |/ControlID = 2A25 (10789.)
0042D964 |. 8B4D 08 mov ecx, dword ptr [ebp+8] ; ||
0042D967 |. 51 push ecx ; ||hWnd
0042D968 |. FF15 84744900 call dword ptr [<&USER32.GetDlgItem>] ; |\GetDlgItem
0042D96E |. 50 push eax ; |hWnd
0042D96F |. FF15 88744900 call dword ptr [<&USER32.GetWindowTextA>] ; \GetWindowTextA
0042D975 |. 68 EC3D4800 push 00483DEC ; ASCII "123456"
0042D97A |. 8D45 D8 lea eax, dword ptr [ebp-28]
0042D97D |. 50 push eax
0042D97E |. E8 B7DDFFFF call 0042B73A
0042D983 |. 83C4 08 add esp, 8
0042D986 |. 85C0 test eax, eax
0042D988 |. 74 20 je short 0042D9AA
0042D98A |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0042D98C |. 68 E03D4800 push 00483DE0 ; |Title = "Password"
0042D991 |. 68 C43D4800 push 00483DC4 ; |Text = "Sorry! Wrong password."
0042D996 |. 8B45 08 mov eax, dword ptr [ebp+8] ; |
0042D999 |. 50 push eax ; |hOwner
0042D99A |. FF15 8C744900 call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
0042D9A0 |. 90 nop
0042D9A1 |. 00FF add bh, bh
0042D9A3 |. 15 90744900 adc eax, <&USER32.PostQuitMessage>
0042D9A8 |. EB 16 jmp short 0042D9C0
0042D9AA |> 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0042D9AC |. 68 E03D4800 push 00483DE0 ; |Title = "Password"
0042D9B1 |. 68 B03D4800 push 00483DB0 ; |Text = "Right password."
0042D9B6 |. 8B45 08 mov eax, dword ptr [ebp+8] ; |
0042D9B9 |. 50 push eax ; |hOwner
0042D9BA |. FF15 8C744900 call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
0042D9C0 |> EB 08 jmp short 0042D9CA
0042D9C2 |> 6A 00 push 0 ; /ExitCode = 0
0042D9C4 |. FF15 90744900 call dword ptr [<&USER32.PostQuitMessage>] ; \PostQuitMessage
0042D9CA |> EB 18 jmp short 0042D9E4
0042D9CC |> 8B45 14 mov eax, dword ptr [ebp+14]
0042D9CF |. 50 push eax ; /lParam
0042D9D0 |. 8B4D 10 mov ecx, dword ptr [ebp+10] ; |
0042D9D3 |. 51 push ecx ; |wParam
0042D9D4 |. 8B55 0C mov edx, dword ptr [ebp+C] ; |
0042D9D7 |. 52 push edx ; |Message
0042D9D8 |. 8B45 08 mov eax, dword ptr [ebp+8] ; |
0042D9DB |. 50 push eax ; |hWnd
0042D9DC |. FF15 94744900 call dword ptr [<&USER32.DefWindowProcA>] ; \DefWindowProcA
0042D9E2 |. EB 02 jmp short 0042D9E6
0042D9E4 |> 33C0 xor eax, eax
0042D9E6 |> 5F pop edi
0042D9E7 |. 5E pop esi
0042D9E8 |. 5B pop ebx
0042D9E9 |. 8B4D FC mov ecx, dword ptr [ebp-4]
0042D9EC |. 33CD xor ecx, ebp
0042D9EE |. E8 C5D7FFFF call 0042B1B8
0042D9F3 |. 8BE5 mov esp, ebp
0042D9F5 |. 5D pop ebp
0042D9F6 \. C2 1000 retn 10
doc文档
dispatchMessageA log2.doc
-----------------------------------------------------------------------------------
欺骗消息过程
前面已经定位到 msg 的位置，只要在 DispatchMessage 前改写 msg 结构体，比如把 message 字段改成 WM_CLOSE(10)。同时要注意 hwnd 字段决定消息被分发给哪个窗口过程：记录里 WM_LBUTTONUP 的 hwnd 是 OK 按钮（F0A0A/120616），如果只改 message 不改 hwnd，WM_CLOSE 会送到按钮的类窗口过程，而不是 0042D8F0 的主窗口过程。结构布局如下
; MSG as laid out in this (x86) trace; [esp+4] at the DispatchMessageA entry points at one of these.
; The dump at 0012FEDC above maps onto these offsets (hwnd=00120616, message=00000202, ...).
tagMSG struc ; (sizeof=0x1C) -- 32-bit layout as seen in this trace; NOTE(review): field sizes differ on x64, not covered here
00000000 hwnd dd ? ; offset 0: window the message is delivered to; selects which window procedure DispatchMessageA calls
00000004 message dd ? ; offset 4: message code, e.g. 202 = WM_LBUTTONUP; this is what the breakpoint expression [[esp+4]+4] reads
00000008 wParam dd ? ; offset 8: for WM_COMMAND (111) the window procedure compares LOWORD against the control IDs 278B / 28D8
0000000C lParam dd ? ; offset C
00000010 time dd ? ; offset 10: message timestamp
00000014 pt POINT ? ; offset 14: 8-byte POINT (x at +14, y at +18), hence sizeof = 1C
0000001C tagMSG ends
，就可以达到关闭窗口的要求，消息过程受到欺骗。不过从上面的反汇编看，窗口过程只处理 0x111(WM_COMMAND)，其它消息（包括 WM_CLOSE 以及随后的 WM_DESTROY）全部交给 DefWindowProcA，代码里没有对应的 PostQuitMessage，所以窗口虽然被销毁，GetMessage 循环并不会退出，进程仍在运行。
至于"溢出攻击"，这段代码里看不到溢出点：memset/GetWindowTextA 用的缓冲区是 [ebp-28] 起的 0x20 字节，GetWindowTextA 的 Count 也正好是 0x20，而且函数看起来带有 MSVC 的 /GS 安全 cookie（0042D8F6 处取 [493010] 与 ebp 异或存入 [ebp-4]，返回前 0042D9E9~0042D9EE 再校验）。所以改写 msg 是改变控制流的手段，不是内存破坏的入口；真正要绕过密码检查，更直接的位置是 0042D986 的 test eax,eax / je 0042D9AA 这一处判断。
-----------------------------------------------------------------------------------
本人承接工作,或加盟团队 有意者联系
qq:584401165