这段时间要做一个线程窗口枚举，以此来判断这个线程是否有窗口。网上查阅了一些资料，说 win32thread 这个结构包含线程的窗口列表信息，也有人给出了实例代码：
//------------------------------------------------------------
//
// BuildHwndList--Enum Thread Windows(SoftICE hwnd Command)
// Only test on Windows 2000 Server Build 2195 Chinese Edition
// Build 2195(Free)!Programmed By WebCrazy
// (tsu00@263.net ) on 11-25-2000!
// Welcome to http://webcrazy.yeah.net to get more information
//
//------------------------------------------------------------
/* Hard-coded field offsets recovered from a single kernel build (Windows 2000
 * build 2195 -- BuildHwndList refuses to run on anything else). None of the
 * structures they index are documented, so every value below is specific to
 * that build and has to be re-derived for any other kernel. */
#define WIN32THREAD_OFFSET 0x124   /* thread block (kteb) -> Win32Thread pointer */
#define HWNDLIST_OFFSET 0xb8       /* Win32Thread -> first node of the window list */
#define HWNDHANDLE_OFFSET 0x0      /* node -> value printed in the HWND column */
#define HWNDNEXT_OFFSET 0x2c       /* node -> next node; NULL ends the walk */
#define HWNDPARENT_OFFSET 0x30     /* node -> parent node pointer; the walker dereferences it, so it is assumed non-NULL -- verify */
#define HWNDRECT_OFFSET 0x3c       /* node -> HWNDRECT (window rect followed by client rect) */
#define HWNDPROC_OFFSET 0x5c       /* node -> value printed in the Window Proc column */
/* RECT: copied from windef.h so this kernel-mode file does not pull in the
 * user-mode header. The layout must stay exactly four LONGs, because a
 * HWNDRECT is overlaid directly on the window node at HWNDRECT_OFFSET. */
typedef struct tagRECT
{
LONG left;
LONG top;
LONG right;
LONG bottom;
} RECT, *PRECT;
/* Two consecutive RECTs as they sit inside the window node: the window
 * rectangle first, the client rectangle immediately after. */
typedef struct tagHWNDRECT{
RECT WindowRect;   /* printed as "l,t,r,b" */
RECT ClientRect;   /* printed in parentheses after the window rect */
}HWNDRECT,*PHWNDRECT;
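/*
 * BuildHwndList - walk the window list hanging off a thread's Win32Thread
 * structure and print one line per node through DbgPrint.
 *
 * @kteb: the thread block of the thread to inspect (passed as an opaque
 *        pointer; only WIN32THREAD_OFFSET is read from it).
 *
 * Everything here goes through hard-coded offsets into undocumented
 * structures, which is why the function bails out unless NtBuildNumber says
 * build 2195. Pointers are read straight out of kernel memory with no
 * validation, so a stale or corrupt node faults the machine; this is a
 * debugging aid, not something to ship. All pointers are printed with %08X,
 * i.e. the code assumes a 32-bit kernel.
 *
 * Fixes relative to the original walker:
 *  - the PARENT column dereferenced the parent pointer unconditionally, so a
 *    node with a NULL parent caused a kernel-mode NULL dereference; it now
 *    prints 0 for such nodes.
 *  - the walk is bounded so a cyclic or corrupt "next" chain cannot spin
 *    forever.
 *
 * Returns nothing; all output is diagnostic.
 */
void BuildHwndList(void *kteb)
{
    /* Constructed sanity bound for the list walk, not a real kernel limit. */
    enum { MAX_HWND_NODES = 4096 };

    PVOID Win32Thread;
    PVOID HwndList;
    PVOID ParentNode;
    PHWNDRECT pHwndRect;
    unsigned visited = 0;

    /* The offsets above are only known for this build. The USHORT cast keeps
     * just the low word of NtBuildNumber -- presumably to drop build-type
     * flags kept in the high word (TODO confirm against the DDK). */
    if (((USHORT)NtBuildNumber) != 2195) {
        DbgPrint("Only test on Windows 2000 Server Build 2195! ");
        return;
    }

    /* Thread block -> Win32Thread. A NULL pointer is reported as "not a
     * win32 thread" and the walk is abandoned. */
    Win32Thread = (PVOID)(*(PULONG)((char *)kteb + WIN32THREAD_OFFSET));
    if (!Win32Thread) {
        DbgPrint("kteb:%08X isn't a win32 thread! ", kteb);
        return;
    }

    /* Win32Thread -> head of the window list; NULL means nothing to print. */
    HwndList = (PVOID)(*(PULONG)((char *)Win32Thread + HWNDLIST_OFFSET));
    if (!HwndList) {
        DbgPrint("kteb:%08X isn't a hwnd list! ", kteb);
        return;
    }

    DbgPrint("@kteb %08X first HwndList at %08X ", kteb, HwndList);
    DbgPrint("HwndList HWND PARENT Window Proc Window(Client) Rect ");
    DbgPrint("-------- -------- -------- ----------- ------------------- ");

    do {
        pHwndRect = (PHWNDRECT)((char *)HwndList + HWNDRECT_OFFSET);

        /* The PARENT column shows the parent node's handle, which lives at
         * HWNDHANDLE_OFFSET inside the parent node. Read the parent pointer
         * first so a NULL parent can be printed as 0 instead of faulting. */
        ParentNode = (PVOID)(*(PULONG)((char *)HwndList + HWNDPARENT_OFFSET));

        DbgPrint("%08X %08X %08X %08X %d,%d,%d,%d(%d,%d,%d,%d) ",
                 HwndList,
                 *(PULONG)((char *)HwndList + HWNDHANDLE_OFFSET),
                 ParentNode ? *(PULONG)((char *)ParentNode + HWNDHANDLE_OFFSET) : 0,
                 *(PULONG)((char *)HwndList + HWNDPROC_OFFSET),
                 pHwndRect->WindowRect.left, pHwndRect->WindowRect.top,
                 pHwndRect->WindowRect.right, pHwndRect->WindowRect.bottom,
                 pHwndRect->ClientRect.left, pHwndRect->ClientRect.top,
                 pHwndRect->ClientRect.right, pHwndRect->ClientRect.bottom);

        /* Advance to the next node; a NULL link terminates the list. */
        HwndList = (PVOID)(*(PULONG)((char *)HwndList + HWNDNEXT_OFFSET));

        /* Guard against a cyclic or corrupt chain: stop rather than loop
         * forever, and say so, because the printed list is then incomplete. */
        if (++visited >= MAX_HWND_NODES && HwndList) {
            DbgPrint("HwndList walk stopped after %u nodes (cyclic or corrupt list?) ", visited);
            return;
        }
    } while (HwndList);
}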
运行一个实例,输出内容大概如下:
@kteb FF7BB020 first HwndList at A0312DA8
HwndList HWND PARENT Window Proc Window(Client) Rect
-------- -------- -------- ----------- -------------------
A0312DA8 0001002A 0001000C 77DFF0DF 0,0,0,0(0,0,0,0)
A0310D50 00010022 0001000C 775331C4 0,0,112,27(4,23,108,23)
A03176B8 0002004A 0001000C 77DFF0DF 0,0,0,0(0,0,0,0)
A031A500 00010082 0001000C 76621AC6 44,44,812,581(48,67,808,577)
A0318FA8 00010062 0001000C 775676F4 0,0,1024,768(0,0,1024,768)
原文链接:http://www.hackbase.com/lib/2005-11-13/12808.html
我试图自己通过windbg查找窗口的偏移,但是我用dt _w32thread得到的是下面的结果
kd> dt _w32thread
win32k!_W32THREAD
+0x000 pEThread : Ptr32 _ETHREAD
+0x004 RefCount : Uint4B
+0x008 ptlW32 : Ptr32 _TL
+0x00c pgdiDcattr : Ptr32 Void
+0x010 pgdiBrushAttr : Ptr32 Void
+0x014 pUMPDObjs : Ptr32 Void
+0x018 pUMPDHeap : Ptr32 Void
+0x01c dwEngAcquireCount : Uint4B
+0x020 pSemTable : Ptr32 Void
+0x024 pUMPDObj : Ptr32 Void
上面的结构只有 40 字节长度。后来我又查看了 ReactOS 里面关于这个的定义，发现这个结构在一个叫 threadinfo 的结构里面，定义如下：
typedef struct _THREADINFO
{
/* 000 */ W32THREAD;
/* 028 */ PTL ptl;
/* 02c */ PPROCESSINFO ppi;
/* 030 */ PQ pq; //Input Queue (Messages from mouse, keyboard and SendInput)
/* 034 */ PKL spklActive;
/* 038 */ PCLIENTTHREADINFO pcti;
/* 03c */ PDESKTOP rpdesk;
/* 040 */ PDESKTOPINFO pDeskInfo;
/* 044 */ PCLIENTINFO pClientInfo;
/* 048 */ ULONG TIF_flags;
/* 04c */ PUNICODE_STRING pstrAppName;
/* 050 */ PSMS psmsSent; //Send Message Queue
/* 054 */ PSMS psmsCurrent;
/* 058 */ PSMS psmsReceiveList;
/* 05c */ LONG timeLast;
/* 060 */ ULONG_PTR idLast;
union
{
/* 064 */ INT cQuit;
/* 064 */ INT exitCode;
};
/* 068 */ HDESK hdesk;
/* 06c */ INT cPaintsReady;
/* 070 */ UINT cTimersReady;
/* 074 */ PMENUSTATE pMenuState;
union
{
/* 078 */ PTDB ptdb;
/* 078 */ PWINDOWSTATION pwinsta;
};
/* 07c */ PSVR_INSTANCE_INFO psiiList;
/* 080 */ ULONG dwExpWinVer;
/* 084 */ ULONG dwCompatFlags;
/* 088 */ ULONG dwCompatFlags2;
/* 08c */ PQ pqAttach;
/* 090 */ PTHREADINFO ptiSibling;
/* 094 */ PMOVESIZEDATA pmsd;
/* 098 */ ULONG fsHooks;
/* 09c */ PHOOK sphkCurrent;
/* 0a0 */ PSBTRACK pSBTrack;
/* 0a4 */ HANDLE hEventQueueClient;
/* 0a8 */ PKEVENT pEventQueueServer;
/* 0ac */ LIST_ENTRY PtiLink; // list member in DESKTOP.PtiList
/* 0b4 */ INT iCursorLevel;
/* 0b8 */ POINT ptLast; // int b[2];
/* 0c0 */ PWND spwndDefaultIme;
/* 0c4 */ PIMC spDefaultImc;
/* 0c8 */ HKL hklPrev;
/* 0cc */ INT cEnterCount;
/* 0d0 */ MLIST mlPost; //Post Message Queue
/* 0dc */ USHORT fsChangeBitsRemoved;
/* 0de */ WCHAR wchInjected;
/* 0e0 */ ULONG fsReserveKeys;
/* 0e4 */ PKEVENT *apEvent;
/* 0e8 */ ACCESS_MASK amdesk;
/* 0ec */ UINT cWindows;
/* 0f0 */ UINT cVisWindows;
/* 0f4 */ PHOOK aphkStart[CWINHOOKS];
/* 134 */ CLIENTTHREADINFO cti; // Used only when no Desktop or pcti NULL.
} THREADINFO, *PTHREADINFO; // W32ThreadSize == 0x14C Xp Size.
但是我看了这个结构，貌似 0xb8 也不是我要寻找的窗口列表（按上面 ReactOS 的定义，0xb8 处是 ptLast）。我用 windbg 也找不到对应的符号，没法把上面这个 threadinfo 结构打印出来。请教各位大牛，如何查找窗口列表的偏移？谢谢！^_^