[原创]获取系统热键链表windbg脚本 GetHotkeys windbg script
发表于: 2013-4-6 09:32 3107
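$$
$$ =========================================================
$$ GET_HOTKEYS.TXT
$$
$$ Walks the win32k global hotkey list, starting at win32k!gphkFirst, and
$$ prints one table row per registered hotkey - list node, target window,
$$ modifiers, virtual key, hotkey id and the owning process. Useful when a
$$ global hotkey has to be attributed to the process that registered it.
$$
$$ Compatibility: Win32 XP SP3 only. Every structure offset below is
$$ hard-coded for that build and the script reads 32-bit pointers with dwo.
$$ On any other build verify the offsets first, for example with
$$ dt nt!_ETHREAD ThreadsProcess and dt nt!_EPROCESS UniqueProcessId ImageFileName
$$
$$ Example: $$><myscripts\GET_HOTKEYS.TXT
$$
$$ Pseudo-registers used, all overwritten -
$$   $t0  row counter
$$   $t1  current hotkey list node
$$   $t2  modifier flags of the node, low word of +8
$$   $t3  virtual key code of the node, +12
$$   $t4  thread object pointer reached through the node, see below
$$
$$ Node fields read by this script, offsets in decimal bytes -
$$   +0  pointer whose first dword is used as the thread object
$$   +4  PWND      +8  modifiers    +12 virtual key
$$   +16 hotkey id +20 phkNext
$$ NOTE(review): field names are taken from the original inline comments,
$$ win32k type symbols are not used to confirm them.
$$
$$ =========================================================
$$
$$ Kept from the original script. Presumably run so that win32k symbols and
$$ the session context are available before gphkFirst is read - confirm.
!dskheap;
.printf "\n"
.printf "+--+--------+--------+----------------------+--------+--------+--------+--------+--------+----------------+\n"
$$ The first column is the list node address, not an ETHREAD - each row's
$$ phkNext value is the first column of the following row.
.printf "|No|HOTKEY  |PWND    |HotKey                | (hex)ID| (dec)ID|phkNext |EPROCESS|(dec)PID|   ImageFileName|\n"
r $t0 = 1
r $t1 = dwo( win32k!gphkFirst )
.printf "+--+--------+--------+----------------------+--------+--------+--------+--------+--------+----------------+\n"
$$ Compare against zero with != so the loop does not depend on whether the
$$ evaluator treats a kernel address as signed.
.while( @$t1 != 0 )
{
    .printf "|%2d", @$t0
    .printf "|%08X|", @$t1
    .printf "%08X|", dwo( @$t1+0n4 )

    $$ Modifier flags - 8 Win, 2 Ctrl, 1 Alt, 4 Shift. Each flag owns a
    $$ fixed-width slot so the key name always starts in the same column.
    r $t2 = low( dwo( @$t1+0n8 ) )
    .if( @$t2 & 8 ) { .printf "Win." }   .else { .printf "...." }
    .if( @$t2 & 2 ) { .printf "Ctrl." }  .else { .printf "....." }
    .if( @$t2 & 1 ) { .printf "Alt." }   .else { .printf "...." }
    .if( @$t2 & 4 ) { .printf "Shift." } .else { .printf "......" }

    $$ Virtual key, printed in exactly three columns. Only 0-9 and A-Z are
    $$ printed as characters. The original printed every code from 33 to 122
    $$ as a character, which showed F1..F11 as the letters p..z and the
    $$ navigation and numpad keys as punctuation.
    r $t3 = dwo( @$t1+0n12 )
    .if( @$t3 == 0n0 ) { .printf "   |" }
    .elsif( @$t3 == 0n9 ) { .printf "Tab|" }
    .elsif( @$t3 == 0n19 ) { .printf "Brk|" }
    .elsif( @$t3 == 0n27 ) { .printf "Esc|" }
    .elsif( @$t3 == 0n46 ) { .printf "Del|" }
    .elsif( @$t3 >= 0n48 and @$t3 <= 0n57 ) { .printf "%-3c|", @$t3 }
    .elsif( @$t3 >= 0n65 and @$t3 <= 0n90 ) { .printf "%-3c|", @$t3 }
    .elsif( @$t3 >= 0n112 and @$t3 <= 0n123 ) { .printf "F%-2d|", @$t3-0n111 }
    .elsif( @$t3 >= 0n189 ) { .printf "   |" }
    .else { .printf "%3d|", @$t3 }
    $$ Codes of 189 and above are still left blank, as in the original.

    .printf "%8X|%8d|", dwo( @$t1+0n16 ), dwo( @$t1+0n16 )
    .printf "%08X|", dwo( @$t1+0n20 )

    $$ Owning process. $t4 is the thread object, and the dword at +0x220 of
    $$ it is used as the EPROCESS pointer. The original printed the address
    $$ $t4+0x220 itself in the EPROCESS column, so threads of one process
    $$ showed different values - the pointer is dereferenced here instead.
    r $t4 = dwo( dwo( @$t1 ) )
    .printf "%08X|", dwo( @$t4+0x220 )
    $$ EPROCESS+0x84 is read as the process id, +0x174 as the image name.
    .printf "%8d|", poi( poi( @$t4+0x220 )+0x84 )
    .printf "%16ma|\n", poi( @$t4+0x220 )+0x174

    $$ Advance to the next node and bump the row number.
    r $t1 = dwo( @$t1+0n20 )
    r $t0 = @$t0+1
}
.printf "+--+--------+--------+----------------------+--------+--------+--------+--------+--------+----------------+\n"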
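在本地内核调试(lkd)会话中输入:lkd> $$><myscripts\GET_HOTKEYS.TXT
运行结果如下。读表时注意:首列标为 ETHREAD,实际打印的是热键链表节点地址(每行的 phkNext 等于下一行的首列);EPROCESS 列打印的是 ETHREAD+0x220 这个字段的地址,而不是 EPROCESS 本身,所以第 5、6 行 PID 同为 976 而该列数值不同;第 15 行的 p 是虚拟键码 112(F1)被按字符输出的结果。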
+--+--------+--------+----------------------+--------+--------+--------+--------+--------+----------------+
|No|ETHREAD |PWND |HotKey | (hex)ID| (dec)ID|phkNext |EPROCESS|(dec)PID| ImageFileName|
+--+--------+--------+----------------------+--------+--------+--------+--------+--------+----------------+
| 1|E10C7400|BBE68848|....Ctrl.....Shift. | C01A| 49178|E138F188|85A86B50| 976| explorer.exe|
| 2|E138F188|BBE68848|....Ctrl.Alt.......J | 3| 3|E147F918|85A86B50| 976| explorer.exe|
| 3|E147F918|BBE68848|....Ctrl.Alt....... | 2| 2|E15B1198|85A86B50| 976| explorer.exe|
| 4|E15B1198|BBE68848|....Ctrl.Alt.......D | 1| 1|E10BD648|85A86B50| 976| explorer.exe|
| 5|E10BD648|BBE68848|....Ctrl.Alt.......I | 0| 0|E2AD95C8|85A86B50| 976| explorer.exe|
| 6|E2AD95C8|BBE6A058|....Ctrl...........Esc| F130| 61744|E1A1FEE8|85A7B7C0| 976| explorer.exe|
| 7|E1A1FEE8|BBE68848|Win................B | 1FF| 511|E27DC0C8|85A86B50| 976| explorer.exe|
| 8|E27DC0C8|BBE68848|Win................D | 1FE| 510|E1165208|85A86B50| 976| explorer.exe|
| 9|E1165208|BBE68848|Win................Brk| 1FD| 509|E10A32A0|85A86B50| 976| explorer.exe|
|10|E10A32A0|BBE68848|Win..........Shift.Tab| 1FC| 508|E2B9A810|85A86B50| 976| explorer.exe|
|11|E2B9A810|BBE68848|Win................Tab| 1FB| 507|E27DC0E8|85A86B50| 976| explorer.exe|
|12|E27DC0E8|BBE68848|Win.Ctrl...........F | 1FA| 506|E1165228|85A86B50| 976| explorer.exe|
|13|E1165228|BBE68848|Win................F | 1F9| 505|E1CE1698|85A86B50| 976| explorer.exe|
|14|E1CE1698|BBE68848|Win................E | 1F8| 504|E10D3850|85A86B50| 976| explorer.exe|
|15|E10D3850|BBE68848|Win................p | 1F7| 503|E1A726C8|85A86B50| 976| explorer.exe|
|16|E1A726C8|BBE68848|Win..........Shift.M | 1F6| 502|E19D1638|85A86B50| 976| explorer.exe|
|17|E19D1638|BBE68848|Win................M | 1F5| 501|E1CE16B8|85A86B50| 976| explorer.exe|
|18|E1CE16B8|BBE68848|Win................R | 1F4| 500|E19BFA68|85A86B50| 976| explorer.exe|
|19|E19BFA68|BBE326C0|Win................U | 6| 6|E1F483B0|86BF0668| 572| winlogon.exe|
|20|E1F483B0|BBE326C0|Win................L | 5| 5|E19D4350|86BF0668| 572| winlogon.exe|
|21|E19D4350|BBE326C0|....Ctrl.....Shift.Esc| 4| 4|E198B740|86BF0668| 572| winlogon.exe|
|22|E198B740|BBE326C0|....Ctrl.Alt.......Del| 0| 0|E1CDCC18|86BF0668| 572| winlogon.exe|
|23|E1CDCC18|00000001|.............Shift.F12|FFFFFFFA| -6|E19C4928|86BBFFC0| 548| csrss.exe|
|24|E19C4928|00000001|...................F12|FFFFFFFB| -5|E19CE070|86BBFFC0| 548| csrss.exe|
|25|E19CE070|00000001|Win................ |FFFFFFF9| -7|00000000|86BBFFC0| 548| csrss.exe|
+--+--------+--------+----------------------+--------+--------+--------+--------+--------+----------------+