NTSTATUS MyNtUserBuildHwndList(
   IN HDESK hdesk, 
	IN HWND hwndNext, 
	IN ULONG fEnumChildren, 
	IN DWORD idThread, 
	IN UINT cHwndMax, 
	OUT HWND *phwndFirst, 
	OUT ULONG* pcHwndNeeded)
{
	
	NTSTATUS status,status_GetClassName;
	int i=0;  //句柄总数
	UNICODE_STRING str; //存放窗口类名

	//++++++++++++++++++++++++++++++++++++++++++++++++++++++++
	PVOID Base=NULL;
	ULONG sz=sizeof(WCHAR)*80;
	NTSTATUS st=ZwAllocateVirtualMemory(NtCurrentProcess(),&Base,0,&sz,
		MEM_COMMIT, PAGE_READWRITE);
	KdPrint(("status= %08X  申请的地址= %08X  \n",st,Base));
	
	__try
	{
		KdPrint(("进入try块  \n"));
		ProbeForWrite(Base,4,4);
		ProbeForRead(Base,4,4);
	}
	__except(EXCEPTION_EXECUTE_HANDLER)
	{
		KdPrint(("出现异常 地址不可读写 \n"));
	}
	
	str.Buffer=(PWSTR)Base;  //参数3
	str.Length=sz;
	//+++++++++++++++++++++++++++++++++++++++

	status=Org_NtUserBuildHwndList(hdesk,hwndNext,fEnumChildren,
		idThread,cHwndMax,phwndFirst,pcHwndNeeded);  //调用原始函数

	if (status==STATUS_SUCCESS)
	{
		while (i < * pcHwndNeeded)
		{
  
			status_GetClassName=MyNtUserGetClassName(phwndFirst[i],TRUE,&str);
			
			if (NT_SUCCESS(status_GetClassName))
			{
				KdPrint(("获取 窗口类名 = %S \n",str.Buffer));
			}
			i++;
		}
	}

	SIZE_T size0=0;
	st=ZwFreeVirtualMemory(NtCurrentProcess(),&Base,&size0,MEM_RELEASE);
	if (!NT_SUCCESS(st))
	{
		KdPrint(("释放内存失败 \n"));
	}

   return status;
}

[课程]Android-CTF解题方法汇总！