如题,逆向MFC程序的关键点在于其消息映射表的识别,就用python编写一个识别插件来识别MFC的消息映射,首先手动找到消息映射入口点(可从某些函数作为切入点),这个是逆向MFC程序、甚至逆向的基本功,不会就再去练习吧,不要老来问.
本文使用的是默认的MFC程序,因此以DoDragDrop函数作为切入点查找消息映射入口.没使用插件之前是这样的(从下面的地址可以看出,这个32位程序里每个AFX_MSGMAP_ENTRY占0x18字节:开头是消息号,偏移0x10处是签名值,偏移0x14处的dd是处理函数指针).
.rdata:00557BC8 unk_557BC8 db 7Bh ; { ; DATA XREF: .rdata:00557FBCo
.rdata:00557BC9 db 0
.rdata:00557BCA db 0
.rdata:00557BCB db 0
.rdata:00557BCC db 0
.rdata:00557BCD db 0
.rdata:00557BCE db 0
.rdata:00557BCF db 0
.rdata:00557BD0 db 0
.rdata:00557BD1 db 0
.rdata:00557BD2 db 0
.rdata:00557BD3 db 0
.rdata:00557BD4 db 0
.rdata:00557BD5 db 0
.rdata:00557BD6 db 0
.rdata:00557BD7 db 0
.rdata:00557BD8 db 27h ; '
.rdata:00557BD9 db 0
.rdata:00557BDA db 0
.rdata:00557BDB db 0
.rdata:00557BDC dd offset sub_438BA6
.rdata:00557BE0 db 0
.rdata:00557BE1 db 2
.rdata:00557BE2 db 0
.rdata:00557BE3 db 0
.rdata:00557BE4 db 0
.rdata:00557BE5 db 0
.rdata:00557BE6 db 0
.rdata:00557BE7 db 0
.rdata:00557BE8 db 0
.rdata:00557BE9 db 0
.rdata:00557BEA db 0
.rdata:00557BEB db 0
.rdata:00557BEC db 0
.rdata:00557BED db 0
.rdata:00557BEE db 0
.rdata:00557BEF db 0
.rdata:00557BF0 db 36h ; 6
.rdata:00557BF1 db 0
.rdata:00557BF2 db 0
.rdata:00557BF3 db 0
.rdata:00557BF4 dd offset sub_43A3A3
.rdata:00557BF8 db 1Fh
.rdata:00557BF9 db 0
.rdata:00557BFA db 0
.rdata:00557BFB db 0
.rdata:00557BFC db 0
.rdata:00557BFD db 0
.rdata:00557BFE db 0
.rdata:00557BFF db 0
.rdata:00557C00 db 0
.rdata:00557C01 db 0
.rdata:00557C02 db 0
.rdata:00557C03 db 0
.rdata:00557C04 db 0
.rdata:00557C05 db 0
.rdata:00557C06 db 0
.rdata:00557C07 db 0
.rdata:00557C08 db 13h
.rdata:00557C09 db 0
.rdata:00557C0A db 0
.rdata:00557C0B db 0
.rdata:00557C0C dd offset sub_4386AC
.rdata:00557C10 db 15h
.rdata:00557C11 db 0
.rdata:00557C12 db 0
.rdata:00557C13 db 0
.rdata:00557C14 db 0
.rdata:00557C15 db 0
.rdata:00557C16 db 0
.rdata:00557C17 db 0
.rdata:00557C18 db 0
.rdata:00557C19 db 0
.rdata:00557C1A db 0
.rdata:00557C1B db 0
.rdata:00557C1C db 0
.rdata:00557C1D db 0
.rdata:00557C1E db 0
.rdata:00557C1F db 0
.rdata:00557C20 db 13h
.rdata:00557C21 db 0
.rdata:00557C22 db 0
.rdata:00557C23 db 0
.rdata:00557C24 dd offset sub_43AE0F
.rdata:00557C28 db 1
.rdata:00557C29 db 0
.rdata:00557C2A db 0
.rdata:00557C2B db 0
.rdata:00557C2C db 0
.rdata:00557C2D db 0
.rdata:00557C2E db 0
.rdata:00557C2F db 0
.rdata:00557C30 db 0
.rdata:00557C31 db 0
.rdata:00557C32 db 0
.rdata:00557C33 db 0
.rdata:00557C34 db 0
.rdata:00557C35 db 0
.rdata:00557C36 db 0
.rdata:00557C37 db 0
.rdata:00557C38 db 0Dh
.rdata:00557C39 db 0
.rdata:00557C3A db 0
.rdata:00557C3B db 0
.rdata:00557C3C dd offset sub_438EA2
.rdata:00557C40 db 2
.rdata:00557C41 db 0
.rdata:00557C42 db 0
.rdata:00557C43 db 0
.rdata:00557C44 db 0
.rdata:00557C45 db 0
.rdata:00557C46 db 0
.rdata:00557C47 db 0
.rdata:00557C48 db 0
.rdata:00557C49 db 0
.rdata:00557C4A db 0
.rdata:00557C4B db 0
.rdata:00557C4C db 0
.rdata:00557C4D db 0
.rdata:00557C4E db 0
.rdata:00557C4F db 0
.rdata:00557C50 db 13h
.rdata:00557C51 db 0
.rdata:00557C52 db 0
.rdata:00557C53 db 0
.rdata:00557C54 dd offset sub_439119
.rdata:00557C58 db 1
.rdata:00557C59 db 2
.rdata:00557C5A db 0
.rdata:00557C5B db 0
.rdata:00557C5C db 0
.rdata:00557C5D db 0
.rdata:00557C5E db 0
.rdata:00557C5F db 0
.rdata:00557C60 db 0
.rdata:00557C61 db 0
.rdata:00557C62 db 0
.rdata:00557C63 db 0
.rdata:00557C64 db 0
.rdata:00557C65 db 0
.rdata:00557C66 db 0
.rdata:00557C67 db 0
.rdata:00557C68 db 36h ; 6
.rdata:00557C69 db 0
.rdata:00557C6A db 0
.rdata:00557C6B db 0
.rdata:00557C6C dd offset sub_43981F
.rdata:00557C70 db 2
.rdata:00557C71 db 2
.rdata:00557C72 db 0
.rdata:00557C73 db 0
.rdata:00557C74 db 0
.rdata:00557C75 db 0
.rdata:00557C76 db 0
.rdata:00557C77 db 0
.rdata:00557C78 db 0
.rdata:00557C79 db 0
.rdata:00557C7A db 0
.rdata:00557C7B db 0
.rdata:00557C7C db 0
.rdata:00557C7D db 0
.rdata:00557C7E db 0
.rdata:00557C7F db 0
.rdata:00557C80 db 36h ; 6
.rdata:00557C81 db 0
.rdata:00557C82 db 0
.rdata:00557C83 db 0
.rdata:00557C84 dd offset sub_439EE1
.rdata:00557C88 db 47h ; G
.rdata:00557C89 db 0
.rdata:00557C8A db 0
.rdata:00557C8B db 0
.rdata:00557C8C db 0
.rdata:00557C8D db 0
.rdata:00557C8E db 0
.rdata:00557C8F db 0
.rdata:00557C90 db 0
.rdata:00557C91 db 0
.rdata:00557C92 db 0
.rdata:00557C93 db 0
.rdata:00557C94 db 0
.rdata:00557C95 db 0
.rdata:00557C96 db 0
.rdata:00557C97 db 0
.rdata:00557C98 db 34h ; 4
.rdata:00557C99 db 0
.rdata:00557C9A db 0
.rdata:00557C9B db 0
.rdata:00557C9C dd offset sub_43B7DA
.rdata:00557CA0 db 19h
.rdata:00557CA1 db 0
.rdata:00557CA2 db 0
.rdata:00557CA3 db 0
.rdata:00557CA4 db 0
.rdata:00557CA5 db 0
.rdata:00557CA6 db 0
.rdata:00557CA7 db 0
.rdata:00557CA8 db 0
.rdata:00557CA9 db 0
.rdata:00557CAA db 0
.rdata:00557CAB db 0
.rdata:00557CAC db 0
.rdata:00557CAD db 0
.rdata:00557CAE db 0
.rdata:00557CAF db 0
.rdata:00557CB0 db 8
.rdata:00557CB1 db 0
.rdata:00557CB2 db 0
.rdata:00557CB3 db 0
.rdata:00557CB4 dd offset sub_439012
.rdata:00557CB8 db 20h
.rdata:00557CB9 db 0
.rdata:00557CBA db 0
.rdata:00557CBB db 0
.rdata:00557CBC db 0
.rdata:00557CBD db 0
.rdata:00557CBE db 0
.rdata:00557CBF db 0
.rdata:00557CC0 db 0
.rdata:00557CC1 db 0
.rdata:00557CC2 db 0
.rdata:00557CC3 db 0
.rdata:00557CC4 db 0
.rdata:00557CC5 db 0
.rdata:00557CC6 db 0
.rdata:00557CC7 db 0
.rdata:00557CC8 db 5
.rdata:00557CC9 db 0
.rdata:00557CCA db 0
.rdata:00557CCB db 0
.rdata:00557CCC dd offset sub_43AA50
.rdata:00557CD0 db 5
.rdata:00557CD1 db 0
.rdata:00557CD2 db 0
.rdata:00557CD3 db 0
.rdata:00557CD4 db 0
.rdata:00557CD5 db 0
.rdata:00557CD6 db 0
.rdata:00557CD7 db 0
.rdata:00557CD8 db 0
.rdata:00557CD9 db 0
.rdata:00557CDA db 0
.rdata:00557CDB db 0
.rdata:00557CDC db 0
.rdata:00557CDD db 0
.rdata:00557CDE db 0
.rdata:00557CDF db 0
.rdata:00557CE0 db 1Ah
.rdata:00557CE1 db 0
.rdata:00557CE2 db 0
.rdata:00557CE3 db 0
.rdata:00557CE4 dd offset sub_43AD3D
.rdata:00557CE8 db 3
.rdata:00557CE9 db 2
.rdata:00557CEA db 0
.rdata:00557CEB db 0
.rdata:00557CEC db 0
.rdata:00557CED db 0
.rdata:00557CEE db 0
.rdata:00557CEF db 0
.rdata:00557CF0 db 0
.rdata:00557CF1 db 0
.rdata:00557CF2 db 0
.rdata:00557CF3 db 0
.rdata:00557CF4 db 0
.rdata:00557CF5 db 0
.rdata:00557CF6 db 0
.rdata:00557CF7 db 0
.rdata:00557CF8 db 36h ; 6
.rdata:00557CF9 db 0
.rdata:00557CFA db 0
.rdata:00557CFB db 0
.rdata:00557CFC dd offset sub_43978E
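使用了编写的插件之后是这样的.注意:运行插件时光标要停在消息映射表的入口(第一项)处,插件以光标所在地址作为起点.另外,同一个名字只能命名一个地址,所以多个WM_COMMAND项里只有第一个处理函数被改名为WM_COMMAND,其余仍是sub_xxx,只加了注释;没有匹配到消息名的项(如19h、366h)保持原样.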
.rdata:00557BC8 BEGIN_MESSAGE_MAP AFX_MSGMAP_ENTRY <7Bh, 0, 0, 0, 27h, offset WM_CONTEXTMENU>
.rdata:00557BC8 ; DATA XREF: .rdata:00557FBCo
.rdata:00557BC8 ; WM_CONTEXTMENU
.rdata:00557BE0 AFX_MSGMAP_ENTRY <200h, 0, 0, 0, 36h, offset WM_MOUSEFIRST> ; WM_MOUSEFIRST
.rdata:00557BF8 AFX_MSGMAP_ENTRY <1Fh, 0, 0, 0, 13h, offset WM_CANCELMODE> ; WM_CANCELMODE
.rdata:00557C10 AFX_MSGMAP_ENTRY <15h, 0, 0, 0, 13h, offset WM_SYSCOLORCHANGE> ; WM_SYSCOLORCHANGE
.rdata:00557C28 AFX_MSGMAP_ENTRY <1, 0, 0, 0, 0Dh, offset WM_CREATE> ; WM_CREATE
.rdata:00557C40 AFX_MSGMAP_ENTRY <2, 0, 0, 0, 13h, offset WM_DESTROY> ; WM_DESTROY
.rdata:00557C58 AFX_MSGMAP_ENTRY <201h, 0, 0, 0, 36h, offset WM_LBUTTONDOWN> ; WM_LBUTTONDOWN
.rdata:00557C70 AFX_MSGMAP_ENTRY <202h, 0, 0, 0, 36h, offset WM_LBUTTONUP> ; WM_LBUTTONUP
.rdata:00557C88 AFX_MSGMAP_ENTRY <47h, 0, 0, 0, 34h, offset WM_WINDOWPOSCHANGED> ; WM_WINDOWPOSCHANGED
.rdata:00557CA0 AFX_MSGMAP_ENTRY <19h, 0, 0, 0, 8, offset sub_439012>
.rdata:00557CB8 AFX_MSGMAP_ENTRY <20h, 0, 0, 0, 5, offset WM_SETCURSOR> ; WM_SETCURSOR
.rdata:00557CD0 AFX_MSGMAP_ENTRY <5, 0, 0, 0, 1Ah, offset WM_SIZE> ; WM_SIZE
.rdata:00557CE8 AFX_MSGMAP_ENTRY <203h, 0, 0, 0, 36h, offset WM_LBUTTONDBLCLK> ; WM_LBUTTONDBLCLK
.rdata:00557D00 AFX_MSGMAP_ENTRY <83h, 0, 0, 0, 33h, offset WM_NCCALCSIZE> ; WM_NCCALCSIZE
.rdata:00557D18 AFX_MSGMAP_ENTRY <85h, 0, 0, 0, 13h, offset WM_NCPAINT> ; WM_NCPAINT
.rdata:00557D30 AFX_MSGMAP_ENTRY <7, 0, 0, 0, 24h, offset WM_SETFOCUS> ; WM_SETFOCUS
.rdata:00557D48 AFX_MSGMAP_ENTRY <46h, 0, 0, 0, 34h, offset WM_WINDOWPOSCHANGING> ; WM_WINDOWPOSCHANGING
.rdata:00557D60 AFX_MSGMAP_ENTRY <14h, 0, 0, 0, 1, offset WM_ERASEBKGND> ; WM_ERASEBKGND
.rdata:00557D78 AFX_MSGMAP_ENTRY <8, 0, 0, 0, 24h, offset WM_KILLFOCUS> ; WM_KILLFOCUS
.rdata:00557D90 AFX_MSGMAP_ENTRY <1Ah, 0, 0, 0, 2Eh, offset WM_WININICHANGE> ; WM_WININICHANGE
.rdata:00557DA8 AFX_MSGMAP_ENTRY <18h, 0, 0, 0, 16h, offset WM_SHOWWINDOW> ; WM_SHOWWINDOW
.rdata:00557DC0 AFX_MSGMAP_ENTRY <84h, 0, 0, 0, 47h, offset WM_NCHITTEST> ; WM_NCHITTEST
.rdata:00557DD8 AFX_MSGMAP_ENTRY <204h, 0, 0, 0, 36h, offset WM_RBUTTONDOWN> ; WM_RBUTTONDOWN
.rdata:00557DF0 AFX_MSGMAP_ENTRY <2A3h, 0, 0, 0, 13h, offset WM_MOUSELEAVE> ; WM_MOUSELEAVE
.rdata:00557E08 AFX_MSGMAP_ENTRY <111h, 0, 4211h, 4211h, 3Ah, offset WM_COMMAND> ; WM_COMMAND
.rdata:00557E20 AFX_MSGMAP_ENTRY <111h, 0, 4210h, 4210h, 3Ah, offset sub_43B1ED> ; WM_COMMAND
.rdata:00557E38 AFX_MSGMAP_ENTRY <111h, 0, 4212h, 4212h, 3Ah, offset sub_43B210> ; WM_COMMAND
.rdata:00557E50 AFX_MSGMAP_ENTRY <111h, 0, 4214h, 4214h, 3Ah, offset sub_43B2D2> ; WM_COMMAND
.rdata:00557E68 AFX_MSGMAP_ENTRY <111h, 0, 4215h, 4215h, 3Ah, offset sub_43B543> ; WM_COMMAND
.rdata:00557E80 AFX_MSGMAP_ENTRY <111h, 0, 4213h, 4213h, 3Ah, offset sub_43B5DC> ; WM_COMMAND
.rdata:00557E98 AFX_MSGMAP_ENTRY <111h, 0, 420Eh, 420Eh, 3Ah, offset sub_43B48C> ; WM_COMMAND
.rdata:00557EB0 AFX_MSGMAP_ENTRY <111h, 0, 420Fh, 420Fh, 3Ah, offset sub_438DFF> ; WM_COMMAND
.rdata:00557EC8 AFX_MSGMAP_ENTRY <111h, 0, 4216h, 4216h, 3Ah, offset sub_43B3B5> ; WM_COMMAND
.rdata:00557EE0 AFX_MSGMAP_ENTRY <366h, 0, 0, 0, 0Eh, offset sub_439695>
.rdata:00557EF8 AFX_MSGMAP_ENTRY <418h, 0, 0, 0, 0Eh, offset sub_4395F2>
.rdata:00557F10 AFX_MSGMAP_ENTRY <41Dh, 0, 0, 0, 0Eh, offset sub_43963E>
.rdata:00557F28 AFX_MSGMAP_ENTRY <417h, 0, 0, 0, 0Eh, offset sub_4395B9>
.rdata:00557F40 AFX_MSGMAP_ENTRY <44Bh, 0, 0, 0, 0Eh, offset sub_4395FB>
.rdata:00557F58 AFX_MSGMAP_ENTRY <0C000h, 0, 0, 0, 5AC84Ch, offset sub_43A8FE>
.rdata:00557F70 AFX_MSGMAP_ENTRY <0C000h, 0, 0, 0, 5ADA5Ch, offset sub_43B702>
.rdata:00557F88 AFX_MSGMAP_ENTRY <4Eh, 0FDEEh, 0, 0FFFFh, 41h, offset WM_NOTIFY> ; WM_NOTIFY
下面是IDAPython插件的编写;首先,你得会Python才能继续看完本文.
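导入IDA的Python模块(下面的代码使用的是旧版IDAPython接口,如ScreenEA、MakeComm、MakeNameEx、Dword;新版IDA中对应的名字是get_screen_ea、set_cmt、set_name、get_wide_dword)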
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from idaapi import *
from idautils import *
from idc import *
文件格式(操作系统)与处理器架构的判断
class PlatformOS:
    """Answer questions about the loaded input file and its processor module.

    Every check reads state exposed by ``idaapi``: ``cvar.inf`` for the
    database and ``ph`` for the processor module. The file-format checks
    look only at the loader-reported file type; they say nothing about
    whether the binary actually contains MFC structures.
    """

    def IsOSX(self):
        """Return True when the input file type is ``f_MACHO``."""
        file_type = idaapi.cvar.inf.filetype
        return file_type == f_MACHO

    def IsWin(self):
        """Return True when the input file type is ``f_PE``."""
        file_type = idaapi.cvar.inf.filetype
        return file_type == f_PE

    def IsX86(self):
        """Report a 32-bit target.

        Returns the masked ``PR_USE32`` bits (falsy) when the processor
        flag is clear, otherwise whatever ``inf.is_32bit()`` returns.
        """
        use32_bits = idaapi.ph.flag & idaapi.PR_USE32
        if not use32_bits:
            # Same value the short-circuiting `and` would hand back.
            return use32_bits
        return idaapi.cvar.inf.is_32bit()

    def IsX64(self):
        """Report a 64-bit target.

        Returns the masked ``PR_USE64`` bits (falsy) when the processor
        flag is clear, otherwise whatever ``inf.is_64bit()`` returns.
        """
        use64_bits = idaapi.ph.flag & idaapi.PR_USE64
        if not use64_bits:
            # Same value the short-circuiting `and` would hand back.
            return use64_bits
        return idaapi.cvar.inf.is_64bit()

    def IsMIPS(self):
        """Return True when the processor module id is ``PLFM_MIPS``."""
        processor_id = idaapi.ph.id
        return processor_id == PLFM_MIPS

    def IsARM(self):
        """Return True when the processor module id is ``PLFM_ARM``."""
        processor_id = idaapi.ph.id
        return processor_id == PLFM_ARM
消息的识别(代码中的address+20就是32位下AFX_MSGMAP_ENTRY里处理函数指针的偏移;64位程序的结构布局不同,不能直接套用这个偏移和Dword读取)
class ReverseMFC(PlatformOS):
def __init__(self):
    """Record the cursor address and whether the input file is a PE.

    ``screen_ea`` is whatever ``ScreenEA()`` reports at construction
    time, so the cursor has to be on the first message-map entry before
    the object is created. ``os_type_support`` holds the result of
    ``PlatformOS.IsWin``; nothing here checks that the address really
    points at a message map.
    """
    cursor_ea = ScreenEA()
    # Explicit base-class call, as in the original, so a subclass
    # override of IsWin is not picked up here.
    is_pe_input = PlatformOS.IsWin(self)
    self.screen_ea = cursor_ea
    self.os_type_support = is_pe_input
def MakeMessageName(self,address,message):
if message==0x0000:
MakeComm(address, "WM_NULL")
MakeNameEx(idc.Dword(address+20),"WM_NULL",SN_NOWARN)
elif message==0x0001:
MakeComm(address, "WM_CREATE")
MakeNameEx(idc.Dword(address+20),"WM_CREATE",SN_NOWARN)
elif message==0x0002:
MakeComm(address, "WM_DESTROY")
MakeNameEx(idc.Dword(address+20),"WM_DESTROY",SN_NOWARN)
elif message==0x0003:
MakeComm(address, "WM_MOVE")
MakeNameEx(idc.Dword(address+20),"WM_MOVE",SN_NOWARN)
elif message==0x0005:
MakeComm(address, "WM_SIZE")
MakeNameEx(idc.Dword(address+20),"WM_SIZE",SN_NOWARN)
elif message==0x0006:
MakeComm(address, "WM_ACTIVATE")
MakeNameEx(idc.Dword(address+20),"WM_ACTIVATE",SN_NOWARN)
elif message==0x0007:
MakeComm(address, "WM_SETFOCUS")
MakeNameEx(idc.Dword(address+20),"WM_SETFOCUS",SN_NOWARN)
elif message==0x0008:
MakeComm(address, "WM_KILLFOCUS")
MakeNameEx(idc.Dword(address+20),"WM_KILLFOCUS",SN_NOWARN)
elif message==0x000A:
MakeComm(address, "WM_ENABLE")
MakeNameEx(idc.Dword(address+20),"WM_ENABLE",SN_NOWARN)
elif message==0x000B:
MakeComm(address, "WM_SETREDRAW")
MakeNameEx(idc.Dword(address+20),"WM_SETREDRAW",SN_NOWARN)
elif message==0x000C:
MakeComm(address, "WM_SETTEXT")
MakeNameEx(idc.Dword(address+20),"WM_SETTEXT",SN_NOWARN)
elif message==0x000D:
MakeComm(address, "WM_GETTEXT")
MakeNameEx(idc.Dword(address+20),"WM_GETTEXT",SN_NOWARN)
elif message==0x000E:
MakeComm(address, "WM_GETTEXTLENGTH")
MakeNameEx(idc.Dword(address+20),"WM_GETTEXTLENGTH",SN_NOWARN)
elif message==0x000F:
MakeComm(address, "WM_PAINT")
MakeNameEx(idc.Dword(address+20),"WM_PAINT",SN_NOWARN)
elif message==0x0010:
MakeComm(address, "WM_CLOSE")
MakeNameEx(idc.Dword(address+20),"WM_CLOSE",SN_NOWARN)
elif message==0x0011:
MakeComm(address, "WM_QUERYENDSESSION")
MakeNameEx(idc.Dword(address+20),"WM_QUERYENDSESSION",SN_NOWARN)
elif message==0x0013:
MakeComm(address, "WM_QUERYOPEN")
MakeNameEx(idc.Dword(address+20),"WM_QUERYOPEN",SN_NOWARN)
elif message==0x0016:
MakeComm(address, "WM_ENDSESSION")
MakeNameEx(idc.Dword(address+20),"WM_ENDSESSION",SN_NOWARN)
elif message==0x0012:
MakeComm(address, "WM_QUIT")
MakeNameEx(idc.Dword(address+20),"WM_QUIT",SN_NOWARN)
elif message==0x0014:
MakeComm(address, "WM_ERASEBKGND")
MakeNameEx(idc.Dword(address+20),"WM_ERASEBKGND",SN_NOWARN)
elif message==0x0015:
MakeComm(address, "WM_SYSCOLORCHANGE")
MakeNameEx(idc.Dword(address+20),"WM_SYSCOLORCHANGE",SN_NOWARN)
elif message==0x0018:
MakeComm(address, "WM_SHOWWINDOW")
MakeNameEx(idc.Dword(address+20),"WM_SHOWWINDOW",SN_NOWARN)
elif message==0x001A:
MakeComm(address, "WM_WININICHANGE")
MakeNameEx(idc.Dword(address+20),"WM_WININICHANGE",SN_NOWARN)
elif message==0x001B:
MakeComm(address, "WM_DEVMODECHANGE")
MakeNameEx(idc.Dword(address+20),"WM_DEVMODECHANGE",SN_NOWARN)
elif message==0x001C:
MakeComm(address, "WM_ACTIVATEAPP")
MakeNameEx(idc.Dword(address+20),"WM_ACTIVATEAPP",SN_NOWARN)
elif message==0x001D:
MakeComm(address, "WM_FONTCHANGE")
MakeNameEx(idc.Dword(address+20),"WM_FONTCHANGE",SN_NOWARN)
elif message==0x001E:
MakeComm(address, "WM_TIMECHANGE")
MakeNameEx(idc.Dword(address+20),"WM_TIMECHANGE",SN_NOWARN)
elif message==0x001F:
MakeComm(address, "WM_CANCELMODE")
MakeNameEx(idc.Dword(address+20),"WM_CANCELMODE",SN_NOWARN)
elif message==0x0020:
MakeComm(address, "WM_SETCURSOR")
MakeNameEx(idc.Dword(address+20),"WM_SETCURSOR",SN_NOWARN)
elif message==0x0021:
MakeComm(address, "WM_MOUSEACTIVATE")
MakeNameEx(idc.Dword(address+20),"WM_MOUSEACTIVATE",SN_NOWARN)
elif message==0x0022:
MakeComm(address, "WM_CHILDACTIVATE")
MakeNameEx(idc.Dword(address+20),"WM_CHILDACTIVATE",SN_NOWARN)
elif message==0x0023:
MakeComm(address, "WM_QUEUESYNC")
MakeNameEx(idc.Dword(address+20),"WM_QUEUESYNC",SN_NOWARN)
elif message==0x0024:
MakeComm(address, "WM_GETMINMAXINFO")
MakeNameEx(idc.Dword(address+20),"WM_GETMINMAXINFO",SN_NOWARN)
elif message==0x0026:
MakeComm(address, "WM_PAINTICON")
MakeNameEx(idc.Dword(address+20),"WM_PAINTICON",SN_NOWARN)
elif message==0x0027:
MakeComm(address, "WM_ICONERASEBKGND")
MakeNameEx(idc.Dword(address+20),"WM_ICONERASEBKGND",SN_NOWARN)
elif message==0x0028:
MakeComm(address, "WM_NEXTDLGCTL")
MakeNameEx(idc.Dword(address+20),"WM_NEXTDLGCTL",SN_NOWARN)
elif message==0x002A:
MakeComm(address, "WM_SPOOLERSTATUS")
MakeNameEx(idc.Dword(address+20),"WM_SPOOLERSTATUS",SN_NOWARN)
elif message==0x002B:
MakeComm(address, "WM_DRAWITEM")
MakeNameEx(idc.Dword(address+20),"WM_DRAWITEM",SN_NOWARN)
elif message==0x002C:
MakeComm(address, "WM_MEASUREITEM")
MakeNameEx(idc.Dword(address+20),"WM_MEASUREITEM",SN_NOWARN)
elif message==0x002D:
MakeComm(address, "WM_DELETEITEM")
MakeNameEx(idc.Dword(address+20),"WM_DELETEITEM",SN_NOWARN)
elif message==0x002E:
MakeComm(address, "WM_VKEYTOITEM")
MakeNameEx(idc.Dword(address+20),"WM_VKEYTOITEM",SN_NOWARN)
elif message==0x002F:
MakeComm(address, "WM_CHARTOITEM")
MakeNameEx(idc.Dword(address+20),"WM_CHARTOITEM",SN_NOWARN)
elif message==0x0030:
MakeComm(address, "WM_SETFONT")
MakeNameEx(idc.Dword(address+20),"WM_SETFONT",SN_NOWARN)
elif message==0x0031:
MakeComm(address, "WM_GETFONT")
MakeNameEx(idc.Dword(address+20),"WM_GETFONT",SN_NOWARN)
elif message==0x0032:
MakeComm(address, "WM_SETHOTKEY")
MakeNameEx(idc.Dword(address+20),"WM_SETHOTKEY",SN_NOWARN)
elif message==0x0033:
MakeComm(address, "WM_GETHOTKEY")
MakeNameEx(idc.Dword(address+20),"WM_GETHOTKEY",SN_NOWARN)
elif message==0x0037:
MakeComm(address, "WM_QUERYDRAGICON")
MakeNameEx(idc.Dword(address+20),"WM_QUERYDRAGICON",SN_NOWARN)
elif message==0x0039:
MakeComm(address, "WM_COMPAREITEM")
MakeNameEx(idc.Dword(address+20),"WM_COMPAREITEM",SN_NOWARN)
elif message==0x003D:
MakeComm(address, "WM_GETOBJECT")
MakeNameEx(idc.Dword(address+20),"WM_GETOBJECT",SN_NOWARN)
elif message==0x0041:
MakeComm(address, "WM_COMPACTING")
MakeNameEx(idc.Dword(address+20),"WM_COMPACTING",SN_NOWARN)
elif message==0x0044:
MakeComm(address, "WM_COMMNOTIFY")
MakeNameEx(idc.Dword(address+20),"WM_COMMNOTIFY",SN_NOWARN)
elif message==0x0046:
MakeComm(address, "WM_WINDOWPOSCHANGING")
MakeNameEx(idc.Dword(address+20),"WM_WINDOWPOSCHANGING",SN_NOWARN)
elif message==0x0047:
MakeComm(address, "WM_WINDOWPOSCHANGED")
MakeNameEx(idc.Dword(address+20),"WM_WINDOWPOSCHANGED",SN_NOWARN)
elif message==0x0048:
MakeComm(address, "WM_POWER")
MakeNameEx(idc.Dword(address+20),"WM_POWER",SN_NOWARN)
elif message==0x004A:
MakeComm(address, "WM_COPYDATA")
MakeNameEx(idc.Dword(address+20),"WM_COPYDATA",SN_NOWARN)
elif message==0x004B:
MakeComm(address, "WM_CANCELJOURNAL")
MakeNameEx(idc.Dword(address+20),"WM_CANCELJOURNAL",SN_NOWARN)
elif message==0x004E:
MakeComm(address, "WM_NOTIFY")
MakeNameEx(idc.Dword(address+20),"WM_NOTIFY",SN_NOWARN)
elif message==0x0050:
MakeComm(address, "WM_INPUTLANGCHANGEREQUEST")
MakeNameEx(idc.Dword(address+20),"WM_INPUTLANGCHANGEREQUEST",SN_NOWARN)
elif message==0x0051:
MakeComm(address, "WM_INPUTLANGCHANGE")
MakeNameEx(idc.Dword(address+20),"WM_INPUTLANGCHANGE",SN_NOWARN)
elif message==0x0052:
MakeComm(address, "WM_TCARD")
MakeNameEx(idc.Dword(address+20),"WM_TCARD",SN_NOWARN)
elif message==0x0053:
MakeComm(address, "WM_HELP")
MakeNameEx(idc.Dword(address+20),"WM_HELP",SN_NOWARN)
elif message==0x0054:
MakeComm(address, "WM_USERCHANGED")
MakeNameEx(idc.Dword(address+20),"WM_USERCHANGED",SN_NOWARN)
elif message==0x0055:
MakeComm(address, "WM_NOTIFYFORMAT")
MakeNameEx(idc.Dword(address+20),"WM_NOTIFYFORMAT",SN_NOWARN)
elif message==0x007B:
MakeComm(address, "WM_CONTEXTMENU")
MakeNameEx(idc.Dword(address+20),"WM_CONTEXTMENU",SN_NOWARN)
elif message==0x007C:
MakeComm(address, "WM_STYLECHANGING")
MakeNameEx(idc.Dword(address+20),"WM_STYLECHANGING",SN_NOWARN)
elif message==0x007D:
MakeComm(address, "WM_STYLECHANGED")
MakeNameEx(idc.Dword(address+20),"WM_STYLECHANGED",SN_NOWARN)
elif message==0x007E:
MakeComm(address, "WM_DISPLAYCHANGE")
MakeNameEx(idc.Dword(address+20),"WM_DISPLAYCHANGE",SN_NOWARN)
elif message==0x007F:
MakeComm(address, "WM_GETICON")
MakeNameEx(idc.Dword(address+20),"WM_GETICON",SN_NOWARN)
elif message==0x0080:
MakeComm(address, "WM_SETICON")
MakeNameEx(idc.Dword(address+20),"WM_SETICON",SN_NOWARN)
elif message==0x0081:
MakeComm(address, "WM_NCCREATE")
MakeNameEx(idc.Dword(address+20),"WM_NCCREATE",SN_NOWARN)
elif message==0x0082:
MakeComm(address, "WM_NCDESTROY")
MakeNameEx(idc.Dword(address+20),"WM_NCDESTROY",SN_NOWARN)
elif message==0x0083:
MakeComm(address, "WM_NCCALCSIZE")
MakeNameEx(idc.Dword(address+20),"WM_NCCALCSIZE",SN_NOWARN)
elif message==0x0084:
MakeComm(address, "WM_NCHITTEST")
MakeNameEx(idc.Dword(address+20),"WM_NCHITTEST",SN_NOWARN)
elif message==0x0085:
MakeComm(address, "WM_NCPAINT")
MakeNameEx(idc.Dword(address+20),"WM_NCPAINT",SN_NOWARN)
elif message==0x0086:
MakeComm(address, "WM_NCACTIVATE")
MakeNameEx(idc.Dword(address+20),"WM_NCACTIVATE",SN_NOWARN)
elif message==0x0087:
MakeComm(address, "WM_GETDLGCODE")
MakeNameEx(idc.Dword(address+20),"WM_GETDLGCODE",SN_NOWARN)
elif message==0x0088:
MakeComm(address, "WM_SYNCPAINT")
MakeNameEx(idc.Dword(address+20),"WM_SYNCPAINT",SN_NOWARN)
elif message==0x00A0:
MakeComm(address, "WM_NCMOUSEMOVE")
MakeNameEx(idc.Dword(address+20),"WM_NCMOUSEMOVE",SN_NOWARN)
elif message==0x00A1:
MakeComm(address, "WM_NCLBUTTONDOWN")
MakeNameEx(idc.Dword(address+20),"WM_NCLBUTTONDOWN",SN_NOWARN)
elif message==0x00A2:
MakeComm(address, "WM_NCLBUTTONUP")
MakeNameEx(idc.Dword(address+20),"WM_NCLBUTTONUP",SN_NOWARN)
elif message==0x00A3:
MakeComm(address, "WM_NCLBUTTONDBLCLK")
MakeNameEx(idc.Dword(address+20),"WM_NCLBUTTONDBLCLK",SN_NOWARN)
elif message==0x00A4:
MakeComm(address, "WM_NCRBUTTONDOWN")
MakeNameEx(idc.Dword(address+20),"WM_NCRBUTTONDOWN",SN_NOWARN)
elif message==0x00A5:
MakeComm(address, "WM_NCRBUTTONUP")
MakeNameEx(idc.Dword(address+20),"WM_NCRBUTTONUP",SN_NOWARN)
elif message==0x00A6:
MakeComm(address, "WM_NCRBUTTONDBLCLK")
MakeNameEx(idc.Dword(address+20),"WM_NCRBUTTONDBLCLK",SN_NOWARN)
elif message==0x00A7:
MakeComm(address, "WM_NCMBUTTONDOWN")
MakeNameEx(idc.Dword(address+20),"WM_NCMBUTTONDOWN",SN_NOWARN)
elif message==0x00A8:
MakeComm(address, "WM_NCMBUTTONUP")
MakeNameEx(idc.Dword(address+20),"WM_NCMBUTTONUP",SN_NOWARN)
elif message==0x00A9:
MakeComm(address, "WM_NCMBUTTONDBLCLK")
MakeNameEx(idc.Dword(address+20),"WM_NCMBUTTONDBLCLK",SN_NOWARN)
elif message==0x00AB:
MakeComm(address, "WM_NCXBUTTONDOWN")
MakeNameEx(idc.Dword(address+20),"WM_NCXBUTTONDOWN",SN_NOWARN)
elif message==0x00AC:
MakeComm(address, "WM_NCXBUTTONUP")
MakeNameEx(idc.Dword(address+20),"WM_NCXBUTTONUP",SN_NOWARN)
elif message==0x00AD:
MakeComm(address, "WM_NCXBUTTONDBLCLK")
MakeNameEx(idc.Dword(address+20),"WM_NCXBUTTONDBLCLK",SN_NOWARN)
elif message==0x00FE:
MakeComm(address, "WM_INPUT_DEVICE_CHANGE")
MakeNameEx(idc.Dword(address+20),"WM_INPUT_DEVICE_CHANGE",SN_NOWARN)
elif message==0x00FF:
MakeComm(address, "WM_INPUT")
MakeNameEx(idc.Dword(address+20),"WM_INPUT",SN_NOWARN)
elif message==0x0100:
MakeComm(address, "WM_KEYFIRST")
MakeNameEx(idc.Dword(address+20),"WM_KEYFIRST",SN_NOWARN)
elif message==0x0100:
MakeComm(address, "WM_KEYDOWN")
MakeNameEx(idc.Dword(address+20),"WM_KEYDOWN",SN_NOWARN)
elif message==0x0101:
MakeComm(address, "WM_KEYUP")
MakeNameEx(idc.Dword(address+20),"WM_KEYUP",SN_NOWARN)
elif message==0x0102:
MakeComm(address, "WM_CHAR")
MakeNameEx(idc.Dword(address+20),"WM_CHAR",SN_NOWARN)
elif message==0x0103:
MakeComm(address, "WM_DEADCHAR")
MakeNameEx(idc.Dword(address+20),"WM_DEADCHAR",SN_NOWARN)
elif message==0x0104:
MakeComm(address, "WM_SYSKEYDOWN")
MakeNameEx(idc.Dword(address+20),"WM_SYSKEYDOWN",SN_NOWARN)
elif message==0x0105:
MakeComm(address, "WM_SYSKEYUP")
MakeNameEx(idc.Dword(address+20),"WM_SYSKEYUP",SN_NOWARN)
elif message==0x0106:
MakeComm(address, "WM_SYSCHAR")
MakeNameEx(idc.Dword(address+20),"WM_SYSCHAR",SN_NOWARN)
elif message==0x0107:
MakeComm(address, "WM_SYSDEADCHAR")
MakeNameEx(idc.Dword(address+20),"WM_SYSDEADCHAR",SN_NOWARN)
elif message==0x0109:
MakeComm(address, "WM_UNICHAR")
MakeNameEx(idc.Dword(address+20),"WM_UNICHAR",SN_NOWARN)
elif message==0x0109:
MakeComm(address, "WM_KEYLAST")
MakeNameEx(idc.Dword(address+20),"WM_KEYLAST",SN_NOWARN)
elif message==0x0108:
MakeComm(address, "WM_KEYLAST")
MakeNameEx(idc.Dword(address+20),"WM_KEYLAST",SN_NOWARN)
elif message==0x010D:
MakeComm(address, "WM_IME_STARTCOMPOSITION")
MakeNameEx(idc.Dword(address+20),"WM_IME_STARTCOMPOSITION",SN_NOWARN)
elif message==0x010E:
MakeComm(address, "WM_IME_ENDCOMPOSITION")
MakeNameEx(idc.Dword(address+20),"WM_IME_ENDCOMPOSITION",SN_NOWARN)
elif message==0x010F:
MakeComm(address, "WM_IME_COMPOSITION")
MakeNameEx(idc.Dword(address+20),"WM_IME_COMPOSITION",SN_NOWARN)
elif message==0x010F:
MakeComm(address, "WM_IME_KEYLAST")
MakeNameEx(idc.Dword(address+20),"WM_IME_KEYLAST",SN_NOWARN)
elif message==0x0110:
MakeComm(address, "WM_INITDIALOG")
MakeNameEx(idc.Dword(address+20),"WM_INITDIALOG",SN_NOWARN)
elif message==0x0111:
MakeComm(address, "WM_COMMAND")
MakeNameEx(idc.Dword(address+20),"WM_COMMAND",SN_NOWARN)
elif message==0x0112:
MakeComm(address, "WM_SYSCOMMAND")
MakeNameEx(idc.Dword(address+20),"WM_SYSCOMMAND",SN_NOWARN)
elif message==0x0113:
MakeComm(address, "WM_TIMER")
MakeNameEx(idc.Dword(address+20),"WM_TIMER",SN_NOWARN)
elif message==0x0114:
MakeComm(address, "WM_HSCROLL")
MakeNameEx(idc.Dword(address+20),"WM_HSCROLL",SN_NOWARN)
elif message==0x0115:
MakeComm(address, "WM_VSCROLL")
MakeNameEx(idc.Dword(address+20),"WM_VSCROLL",SN_NOWARN)
elif message==0x0116:
MakeComm(address, "WM_INITMENU")
MakeNameEx(idc.Dword(address+20),"WM_INITMENU",SN_NOWARN)
elif message==0x0117:
MakeComm(address, "WM_INITMENUPOPUP")
MakeNameEx(idc.Dword(address+20),"WM_INITMENUPOPUP",SN_NOWARN)
elif message==0x0119:
MakeComm(address, "WM_GESTURE")
MakeNameEx(idc.Dword(address+20),"WM_GESTURE",SN_NOWARN)
elif message==0x011A:
MakeComm(address, "WM_GESTURENOTIFY")
MakeNameEx(idc.Dword(address+20),"WM_GESTURENOTIFY",SN_NOWARN)
elif message==0x011F:
MakeComm(address, "WM_MENUSELECT")
MakeNameEx(idc.Dword(address+20),"WM_MENUSELECT",SN_NOWARN)
elif message==0x0120:
MakeComm(address, "WM_MENUCHAR")
MakeNameEx(idc.Dword(address+20),"WM_MENUCHAR",SN_NOWARN)
elif message==0x0121:
MakeComm(address, "WM_ENTERIDLE")
MakeNameEx(idc.Dword(address+20),"WM_ENTERIDLE",SN_NOWARN)
elif message==0x0122:
MakeComm(address, "WM_MENURBUTTONUP")
MakeNameEx(idc.Dword(address+20),"WM_MENURBUTTONUP",SN_NOWARN)
elif message==0x0123:
MakeComm(address, "WM_MENUDRAG")
MakeNameEx(idc.Dword(address+20),"WM_MENUDRAG",SN_NOWARN)
elif message==0x0124:
MakeComm(address, "WM_MENUGETOBJECT")
MakeNameEx(idc.Dword(address+20),"WM_MENUGETOBJECT",SN_NOWARN)
elif message==0x0125:
MakeComm(address, "WM_UNINITMENUPOPUP")
MakeNameEx(idc.Dword(address+20),"WM_UNINITMENUPOPUP",SN_NOWARN)
elif message==0x0126:
MakeComm(address, "WM_MENUCOMMAND")
MakeNameEx(idc.Dword(address+20),"WM_MENUCOMMAND",SN_NOWARN)
elif message==0x0127:
MakeComm(address, "WM_CHANGEUISTATE")
MakeNameEx(idc.Dword(address+20),"WM_CHANGEUISTATE",SN_NOWARN)
elif message==0x0128:
MakeComm(address, "WM_UPDATEUISTATE")
MakeNameEx(idc.Dword(address+20),"WM_UPDATEUISTATE",SN_NOWARN)
elif message==0x0129:
MakeComm(address, "WM_QUERYUISTATE")
MakeNameEx(idc.Dword(address+20),"WM_QUERYUISTATE",SN_NOWARN)
elif message==0x0132:
MakeComm(address, "WM_CTLCOLORMSGBOX")
MakeNameEx(idc.Dword(address+20),"WM_CTLCOLORMSGBOX",SN_NOWARN)
elif message==0x0133:
MakeComm(address, "WM_CTLCOLOREDIT")
MakeNameEx(idc.Dword(address+20),"WM_CTLCOLOREDIT",SN_NOWARN)
elif message==0x0134:
MakeComm(address, "WM_CTLCOLORLISTBOX")
MakeNameEx(idc.Dword(address+20),"WM_CTLCOLORLISTBOX",SN_NOWARN)
elif message==0x0135:
MakeComm(address, "WM_CTLCOLORBTN")
MakeNameEx(idc.Dword(address+20),"WM_CTLCOLORBTN",SN_NOWARN)
elif message==0x0136:
MakeComm(address, "WM_CTLCOLORDLG")
MakeNameEx(idc.Dword(address+20),"WM_CTLCOLORDLG",SN_NOWARN)
elif message==0x0137:
MakeComm(address, "WM_CTLCOLORSCROLLBAR")
MakeNameEx(idc.Dword(address+20),"WM_CTLCOLORSCROLLBAR",SN_NOWARN)
elif message==0x0138:
MakeComm(address, "WM_CTLCOLORSTATIC")
MakeNameEx(idc.Dword(address+20),"WM_CTLCOLORSTATIC",SN_NOWARN)
elif message==0x0200:
MakeComm(address, "WM_MOUSEFIRST")
MakeNameEx(idc.Dword(address+20),"WM_MOUSEFIRST",SN_NOWARN)
elif message==0x0200:
MakeComm(address, "WM_MOUSEMOVE")
MakeNameEx(idc.Dword(address+20),"WM_MOUSEMOVE",SN_NOWARN)
elif message==0x0201:
MakeComm(address, "WM_LBUTTONDOWN")
MakeNameEx(idc.Dword(address+20),"WM_LBUTTONDOWN",SN_NOWARN)
elif message==0x0202:
MakeComm(address, "WM_LBUTTONUP")
MakeNameEx(idc.Dword(address+20),"WM_LBUTTONUP",SN_NOWARN)
elif message==0x0203:
MakeComm(address, "WM_LBUTTONDBLCLK")
MakeNameEx(idc.Dword(address+20),"WM_LBUTTONDBLCLK",SN_NOWARN)
elif message==0x0204:
MakeComm(address, "WM_RBUTTONDOWN")
MakeNameEx(idc.Dword(address+20),"WM_RBUTTONDOWN",SN_NOWARN)
elif message==0x0205:
MakeComm(address, "WM_RBUTTONUP")
MakeNameEx(idc.Dword(address+20),"WM_RBUTTONUP",SN_NOWARN)
elif message==0x0206:
MakeComm(address, "WM_RBUTTONDBLCLK")
MakeNameEx(idc.Dword(address+20),"WM_RBUTTONDBLCLK",SN_NOWARN)
elif message==0x0207:
MakeComm(address, "WM_MBUTTONDOWN")
MakeNameEx(idc.Dword(address+20),"WM_MBUTTONDOWN",SN_NOWARN)
elif message==0x0208:
MakeComm(address, "WM_MBUTTONUP")
MakeNameEx(idc.Dword(address+20),"WM_MBUTTONUP",SN_NOWARN)
elif message==0x0209:
MakeComm(address, "WM_MBUTTONDBLCLK")
MakeNameEx(idc.Dword(address+20),"WM_MBUTTONDBLCLK",SN_NOWARN)
elif message==0x020A:
MakeComm(address, "WM_MOUSEWHEEL")
MakeNameEx(idc.Dword(address+20),"WM_MOUSEWHEEL",SN_NOWARN)
elif message==0x020B:
MakeComm(address, "WM_XBUTTONDOWN")
MakeNameEx(idc.Dword(address+20),"WM_XBUTTONDOWN",SN_NOWARN)
elif message==0x020C:
MakeComm(address, "WM_XBUTTONUP")
MakeNameEx(idc.Dword(address+20),"WM_XBUTTONUP",SN_NOWARN)
elif message==0x020D:
MakeComm(address, "WM_XBUTTONDBLCLK")
MakeNameEx(idc.Dword(address+20),"WM_XBUTTONDBLCLK",SN_NOWARN)
elif message==0x020E:
MakeComm(address, "WM_MOUSEHWHEEL")
MakeNameEx(idc.Dword(address+20),"WM_MOUSEHWHEEL",SN_NOWARN)
elif message==0x020E:
MakeComm(address, "WM_MOUSELAST")
MakeNameEx(idc.Dword(address+20),"WM_MOUSELAST",SN_NOWARN)
elif message==0x020D:
MakeComm(address, "WM_MOUSELAST")
MakeNameEx(idc.Dword(address+20),"WM_MOUSELAST",SN_NOWARN)
elif message==0x020A:
MakeComm(address, "WM_MOUSELAST")
MakeNameEx(idc.Dword(address+20),"WM_MOUSELAST",SN_NOWARN)
elif message==0x0209:
MakeComm(address, "WM_MOUSELAST")
MakeNameEx(idc.Dword(address+20),"WM_MOUSELAST",SN_NOWARN)
elif message==0x0210:
MakeComm(address, "WM_PARENTNOTIFY")
MakeNameEx(idc.Dword(address+20),"WM_PARENTNOTIFY",SN_NOWARN)
elif message==0x0211:
MakeComm(address, "WM_ENTERMENULOOP")
MakeNameEx(idc.Dword(address+20),"WM_ENTERMENULOOP",SN_NOWARN)
elif message==0x0212:
MakeComm(address, "WM_EXITMENULOOP")
MakeNameEx(idc.Dword(address+20),"WM_EXITMENULOOP",SN_NOWARN)
elif message==0x0213:
MakeComm(address, "WM_NEXTMENU")
MakeNameEx(idc.Dword(address+20),"WM_NEXTMENU",SN_NOWARN)
elif message==0x0214:
MakeComm(address, "WM_SIZING")
MakeNameEx(idc.Dword(address+20),"WM_SIZING",SN_NOWARN)
elif message==0x0215:
MakeComm(address, "WM_CAPTURECHANGED")
MakeNameEx(idc.Dword(address+20),"WM_CAPTURECHANGED",SN_NOWARN)
elif message==0x0216:
MakeComm(address, "WM_MOVING")
MakeNameEx(idc.Dword(address+20),"WM_MOVING",SN_NOWARN)
elif message==0x0218:
MakeComm(address, "WM_POWERBROADCAST")
MakeNameEx(idc.Dword(address+20),"WM_POWERBROADCAST",SN_NOWARN)
elif message==0x0219:
MakeComm(address, "WM_DEVICECHANGE")
MakeNameEx(idc.Dword(address+20),"WM_DEVICECHANGE",SN_NOWARN)
elif message==0x0220:
MakeComm(address, "WM_MDICREATE")
MakeNameEx(idc.Dword(address+20),"WM_MDICREATE",SN_NOWARN)
elif message==0x0221:
MakeComm(address, "WM_MDIDESTROY")
MakeNameEx(idc.Dword(address+20),"WM_MDIDESTROY",SN_NOWARN)
elif message==0x0222:
MakeComm(address, "WM_MDIACTIVATE")
MakeNameEx(idc.Dword(address+20),"WM_MDIACTIVATE",SN_NOWARN)
elif message==0x0223:
MakeComm(address, "WM_MDIRESTORE")
MakeNameEx(idc.Dword(address+20),"WM_MDIRESTORE",SN_NOWARN)
elif message==0x0224:
MakeComm(address, "WM_MDINEXT")
MakeNameEx(idc.Dword(address+20),"WM_MDINEXT",SN_NOWARN)
elif message==0x0225:
MakeComm(address, "WM_MDIMAXIMIZE")
MakeNameEx(idc.Dword(address+20),"WM_MDIMAXIMIZE",SN_NOWARN)
elif message==0x0226:
MakeComm(address, "WM_MDITILE")
MakeNameEx(idc.Dword(address+20),"WM_MDITILE",SN_NOWARN)
elif message==0x0227:
MakeComm(address, "WM_MDICASCADE")
MakeNameEx(idc.Dword(address+20),"WM_MDICASCADE",SN_NOWARN)
elif message==0x0228:
MakeComm(address, "WM_MDIICONARRANGE")
MakeNameEx(idc.Dword(address+20),"WM_MDIICONARRANGE",SN_NOWARN)
elif message==0x0229:
MakeComm(address, "WM_MDIGETACTIVE")
MakeNameEx(idc.Dword(address+20),"WM_MDIGETACTIVE",SN_NOWARN)
elif message==0x0230:
MakeComm(address, "WM_MDISETMENU")
MakeNameEx(idc.Dword(address+20),"WM_MDISETMENU",SN_NOWARN)
elif message==0x0231:
MakeComm(address, "WM_ENTERSIZEMOVE")
MakeNameEx(idc.Dword(address+20),"WM_ENTERSIZEMOVE",SN_NOWARN)
elif message==0x0232:
MakeComm(address, "WM_EXITSIZEMOVE")
MakeNameEx(idc.Dword(address+20),"WM_EXITSIZEMOVE",SN_NOWARN)
elif message==0x0233:
MakeComm(address, "WM_DROPFILES")
MakeNameEx(idc.Dword(address+20),"WM_DROPFILES",SN_NOWARN)
elif message==0x0234:
MakeComm(address, "WM_MDIREFRESHMENU")
MakeNameEx(idc.Dword(address+20),"WM_MDIREFRESHMENU",SN_NOWARN)
elif message==0x238:
MakeComm(address, "WM_POINTERDEVICECHANGE")
MakeNameEx(idc.Dword(address+20),"WM_POINTERDEVICECHANGE",SN_NOWARN)
elif message==0x239:
MakeComm(address, "WM_POINTERDEVICEINRANGE")
MakeNameEx(idc.Dword(address+20),"WM_POINTERDEVICEINRANGE",SN_NOWARN)
elif message==0x23A:
MakeComm(address, "WM_POINTERDEVICEOUTOFRANGE")
MakeNameEx(idc.Dword(address+20),"WM_POINTERDEVICEOUTOFRANGE",SN_NOWARN)
elif message==0x0240:
MakeComm(address, "WM_TOUCH")
MakeNameEx(idc.Dword(address+20),"WM_TOUCH",SN_NOWARN)
elif message==0x0241:
MakeComm(address, "WM_NCPOINTERUPDATE")
MakeNameEx(idc.Dword(address+20),"WM_NCPOINTERUPDATE",SN_NOWARN)
elif message==0x0242:
MakeComm(address, "WM_NCPOINTERDOWN")
MakeNameEx(idc.Dword(address+20),"WM_NCPOINTERDOWN",SN_NOWARN)
elif message==0x0243:
MakeComm(address, "WM_NCPOINTERUP")
MakeNameEx(idc.Dword(address+20),"WM_NCPOINTERUP",SN_NOWARN)
elif message==0x0245:
MakeComm(address, "WM_POINTERUPDATE")
MakeNameEx(idc.Dword(address+20),"WM_POINTERUPDATE",SN_NOWARN)
elif message==0x0246:
MakeComm(address, "WM_POINTERDOWN")
MakeNameEx(idc.Dword(address+20),"WM_POINTERDOWN",SN_NOWARN)
elif message==0x0247:
MakeComm(address, "WM_POINTERUP")
MakeNameEx(idc.Dword(address+20),"WM_POINTERUP",SN_NOWARN)
elif message==0x0249:
MakeComm(address, "WM_POINTERENTER")
MakeNameEx(idc.Dword(address+20),"WM_POINTERENTER",SN_NOWARN)
elif message==0x024A:
MakeComm(address, "WM_POINTERLEAVE")
MakeNameEx(idc.Dword(address+20),"WM_POINTERLEAVE",SN_NOWARN)
elif message==0x024B:
MakeComm(address, "WM_POINTERACTIVATE")
MakeNameEx(idc.Dword(address+20),"WM_POINTERACTIVATE",SN_NOWARN)
elif message==0x024C:
MakeComm(address, "WM_POINTERCAPTURECHANGED")
MakeNameEx(idc.Dword(address+20),"WM_POINTERCAPTURECHANGED",SN_NOWARN)
elif message==0x024D:
MakeComm(address, "WM_TOUCHHITTESTING")
MakeNameEx(idc.Dword(address+20),"WM_TOUCHHITTESTING",SN_NOWARN)
elif message==0x024E:
MakeComm(address, "WM_POINTERWHEEL")
MakeNameEx(idc.Dword(address+20),"WM_POINTERWHEEL",SN_NOWARN)
elif message==0x024F:
MakeComm(address, "WM_POINTERHWHEEL")
MakeNameEx(idc.Dword(address+20),"WM_POINTERHWHEEL",SN_NOWARN)
elif message==0x0281:
MakeComm(address, "WM_IME_SETCONTEXT")
MakeNameEx(idc.Dword(address+20),"WM_IME_SETCONTEXT",SN_NOWARN)
elif message==0x0282:
MakeComm(address, "WM_IME_NOTIFY")
MakeNameEx(idc.Dword(address+20),"WM_IME_NOTIFY",SN_NOWARN)
elif message==0x0283:
MakeComm(address, "WM_IME_CONTROL")
MakeNameEx(idc.Dword(address+20),"WM_IME_CONTROL",SN_NOWARN)
elif message==0x0284:
MakeComm(address, "WM_IME_COMPOSITIONFULL")
MakeNameEx(idc.Dword(address+20),"WM_IME_COMPOSITIONFULL",SN_NOWARN)
elif message==0x0285:
MakeComm(address, "WM_IME_SELECT")
MakeNameEx(idc.Dword(address+20),"WM_IME_SELECT",SN_NOWARN)
elif message==0x0286:
MakeComm(address, "WM_IME_CHAR")
MakeNameEx(idc.Dword(address+20),"WM_IME_CHAR",SN_NOWARN)
elif message==0x0288:
MakeComm(address, "WM_IME_REQUEST")
MakeNameEx(idc.Dword(address+20),"WM_IME_REQUEST",SN_NOWARN)
elif message==0x0290:
MakeComm(address, "WM_IME_KEYDOWN")
MakeNameEx(idc.Dword(address+20),"WM_IME_KEYDOWN",SN_NOWARN)
elif message==0x0291:
MakeComm(address, "WM_IME_KEYUP")
MakeNameEx(idc.Dword(address+20),"WM_IME_KEYUP",SN_NOWARN)
elif message==0x02A1:
MakeComm(address, "WM_MOUSEHOVER")
MakeNameEx(idc.Dword(address+20),"WM_MOUSEHOVER",SN_NOWARN)
elif message==0x02A3:
MakeComm(address, "WM_MOUSELEAVE")
MakeNameEx(idc.Dword(address+20),"WM_MOUSELEAVE",SN_NOWARN)
elif message==0x02A0:
MakeComm(address, "WM_NCMOUSEHOVER")
MakeNameEx(idc.Dword(address+20),"WM_NCMOUSEHOVER",SN_NOWARN)
elif message==0x02A2:
MakeComm(address, "WM_NCMOUSELEAVE")
MakeNameEx(idc.Dword(address+20),"WM_NCMOUSELEAVE",SN_NOWARN)
elif message==0x02B1:
MakeComm(address, "WM_WTSSESSION_CHANGE")
MakeNameEx(idc.Dword(address+20),"WM_WTSSESSION_CHANGE",SN_NOWARN)
elif message==0x02c0:
MakeComm(address, "WM_TABLET_FIRST")
MakeNameEx(idc.Dword(address+20),"WM_TABLET_FIRST",SN_NOWARN)
elif message==0x02df:
MakeComm(address, "WM_TABLET_LAST")
MakeNameEx(idc.Dword(address+20),"WM_TABLET_LAST",SN_NOWARN)
elif message==0x02E0:
MakeComm(address, "WM_DPICHANGED")
MakeNameEx(idc.Dword(address+20),"WM_DPICHANGED",SN_NOWARN)
elif message==0x0300:
MakeComm(address, "WM_CUT")
MakeNameEx(idc.Dword(address+20),"WM_CUT",SN_NOWARN)
elif message==0x0301:
MakeComm(address, "WM_COPY")
MakeNameEx(idc.Dword(address+20),"WM_COPY",SN_NOWARN)
elif message==0x0302:
MakeComm(address, "WM_PASTE")
MakeNameEx(idc.Dword(address+20),"WM_PASTE",SN_NOWARN)
elif message==0x0303:
MakeComm(address, "WM_CLEAR")
MakeNameEx(idc.Dword(address+20),"WM_CLEAR",SN_NOWARN)
elif message==0x0304:
MakeComm(address, "WM_UNDO")
MakeNameEx(idc.Dword(address+20),"WM_UNDO",SN_NOWARN)
elif message==0x0305:
MakeComm(address, "WM_RENDERFORMAT")
MakeNameEx(idc.Dword(address+20),"WM_RENDERFORMAT",SN_NOWARN)
elif message==0x0306:
MakeComm(address, "WM_RENDERALLFORMATS")
MakeNameEx(idc.Dword(address+20),"WM_RENDERALLFORMATS",SN_NOWARN)
elif message==0x0307:
MakeComm(address, "WM_DESTROYCLIPBOARD")
MakeNameEx(idc.Dword(address+20),"WM_DESTROYCLIPBOARD",SN_NOWARN)
elif message==0x0308:
MakeComm(address, "WM_DRAWCLIPBOARD")
MakeNameEx(idc.Dword(address+20),"WM_DRAWCLIPBOARD",SN_NOWARN)
elif message==0x0309:
MakeComm(address, "WM_PAINTCLIPBOARD")
MakeNameEx(idc.Dword(address+20),"WM_PAINTCLIPBOARD",SN_NOWARN)
elif message==0x030A:
MakeComm(address, "WM_VSCROLLCLIPBOARD")
MakeNameEx(idc.Dword(address+20),"WM_VSCROLLCLIPBOARD",SN_NOWARN)
elif message==0x030B:
MakeComm(address, "WM_SIZECLIPBOARD")
MakeNameEx(idc.Dword(address+20),"WM_SIZECLIPBOARD",SN_NOWARN)
elif message==0x030C:
MakeComm(address, "WM_ASKCBFORMATNAME")
MakeNameEx(idc.Dword(address+20),"WM_ASKCBFORMATNAME",SN_NOWARN)
elif message==0x030D:
MakeComm(address, "WM_CHANGECBCHAIN")
MakeNameEx(idc.Dword(address+20),"WM_CHANGECBCHAIN",SN_NOWARN)
elif message==0x030E:
MakeComm(address, "WM_HSCROLLCLIPBOARD")
MakeNameEx(idc.Dword(address+20),"WM_HSCROLLCLIPBOARD",SN_NOWARN)
elif message==0x030F:
MakeComm(address, "WM_QUERYNEWPALETTE")
MakeNameEx(idc.Dword(address+20),"WM_QUERYNEWPALETTE",SN_NOWARN)
elif message==0x0310:
MakeComm(address, "WM_PALETTEISCHANGING")
MakeNameEx(idc.Dword(address+20),"WM_PALETTEISCHANGING",SN_NOWARN)
elif message==0x0311:
MakeComm(address, "WM_PALETTECHANGED")
MakeNameEx(idc.Dword(address+20),"WM_PALETTECHANGED",SN_NOWARN)
elif message==0x0312:
MakeComm(address, "WM_HOTKEY")
MakeNameEx(idc.Dword(address+20),"WM_HOTKEY",SN_NOWARN)
elif message==0x0317:
MakeComm(address, "WM_PRINT")
MakeNameEx(idc.Dword(address+20),"WM_PRINT",SN_NOWARN)
elif message==0x0318:
MakeComm(address, "WM_PRINTCLIENT")
MakeNameEx(idc.Dword(address+20),"WM_PRINTCLIENT",SN_NOWARN)
elif message==0x0319:
MakeComm(address, "WM_APPCOMMAND")
MakeNameEx(idc.Dword(address+20),"WM_APPCOMMAND",SN_NOWARN)
elif message==0x031A:
MakeComm(address, "WM_THEMECHANGED")
MakeNameEx(idc.Dword(address+20),"WM_THEMECHANGED",SN_NOWARN)
elif message==0x031D:
MakeComm(address, "WM_CLIPBOARDUPDATE")
MakeNameEx(idc.Dword(address+20),"WM_CLIPBOARDUPDATE",SN_NOWARN)
elif message==0x031E:
MakeComm(address, "WM_DWMCOMPOSITIONCHANGED")
MakeNameEx(idc.Dword(address+20),"WM_DWMCOMPOSITIONCHANGED",SN_NOWARN)
elif message==0x031F:
MakeComm(address, "WM_DWMNCRENDERINGCHANGED")
MakeNameEx(idc.Dword(address+20),"WM_DWMNCRENDERINGCHANGED",SN_NOWARN)
elif message==0x0320:
MakeComm(address, "WM_DWMCOLORIZATIONCOLORCHANGED")
MakeNameEx(idc.Dword(address+20),"WM_DWMCOLORIZATIONCOLORCHANGED",SN_NOWARN)
elif message==0x0321:
MakeComm(address, "WM_DWMWINDOWMAXIMIZEDCHANGE")
MakeNameEx(idc.Dword(address+20),"WM_DWMWINDOWMAXIMIZEDCHANGE",SN_NOWARN)
elif message==0x0323:
MakeComm(address, "WM_DWMSENDICONICTHUMBNAIL")
MakeNameEx(idc.Dword(address+20),"WM_DWMSENDICONICTHUMBNAIL",SN_NOWARN)
elif message==0x0326:
MakeComm(address, "WM_DWMSENDICONICLIVEPREVIEWBITMAP")
MakeNameEx(idc.Dword(address+20),"WM_DWMSENDICONICLIVEPREVIEWBITMAP",SN_NOWARN)
elif message==0x033F:
MakeComm(address, "WM_GETTITLEBARINFOEX")
MakeNameEx(idc.Dword(address+20),"WM_GETTITLEBARINFOEX",SN_NOWARN)
elif message==0x0358:
MakeComm(address, "WM_HANDHELDFIRST")
MakeNameEx(idc.Dword(address+20),"WM_HANDHELDFIRST",SN_NOWARN)
elif message==0x035F:
MakeComm(address, "WM_HANDHELDLAST")
MakeNameEx(idc.Dword(address+20),"WM_HANDHELDLAST",SN_NOWARN)
elif message==0x0360:
MakeComm(address, "WM_AFXFIRST")
MakeNameEx(idc.Dword(address+20),"WM_AFXFIRST",SN_NOWARN)
elif message==0x037F:
MakeComm(address, "WM_AFXLAST")
MakeNameEx(idc.Dword(address+20),"WM_AFXLAST",SN_NOWARN)
elif message==0x0380:
MakeComm(address, "WM_PENWINFIRST")
MakeNameEx(idc.Dword(address+20),"WM_PENWINFIRST",SN_NOWARN)
elif message==0x038F:
MakeComm(address, "WM_PENWINLAST")
MakeNameEx(idc.Dword(address+20),"WM_PENWINLAST",SN_NOWARN)
elif message==0x8000:
MakeComm(address, "WM_APP")
MakeNameEx(idc.Dword(address+20),"WM_APP",SN_NOWARN)
elif message==0x0400:
MakeComm(address, "WM_USER")
MakeNameEx(idc.Dword(address+20),"WM_USER",SN_NOWARN)
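def AFX_MSGMAP_ENTRY(self,address):
    """Create the IDA structure type ``AFX_MSGMAP_ENTRY``.

    The structure gets six 4-byte members: nMessage, nCode, nID, nLastID and
    nSignature as data dwords at offsets 0, 4, 8, 12 and 16, and pFunction as
    a dword offset at 20. If a member cannot be added, the numbered warning
    for that member (1-6) is shown, the partly built structure is deleted and
    the method returns.

    ``address`` is not used by this method.
    """
    # NOTE(review): every field is hard-coded to 4 bytes, so this layout
    # presumably only fits 32-bit images -- confirm before using it on a
    # 64-bit target.
    idStruct = idc.AddStrucEx(-1, "AFX_MSGMAP_ENTRY", 0)
    # AddStrucEx signals failure (ill-formed or already used name) with
    # -1/BADADDR rather than 0; the original 0 check is kept as well.
    if idStruct in (0, -1, idc.BADADDR):
        return
    # (member name, offset, flags, warning text shown if the member fails)
    members = (
        ("nMessage", 0, FF_DWRD|FF_DATA, "\n1\n"),
        ("nCode", 4, FF_DWRD|FF_DATA, "\n2\n"),
        ("nID", 8, FF_DWRD|FF_DATA, "\n3\n"),
        ("nLastID", 12, FF_DWRD|FF_DATA, "\n4\n"),
        ("nSignature", 16, FF_DWRD|FF_DATA, "\n5\n"),
        ("pFunction", 20, FF_DWRD|FF_0OFF, "\n6\n"),
    )
    for member_name, offset, flags, warning in members:
        if idc.AddStrucMember(idStruct, member_name, offset, flags, -1, 4) != 0:
            idc.Warning(warning)
            # Do not leave a half-defined structure behind.
            idc.DelStruc(idStruct)
            return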
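def BEGIN_MESSAGE_MAP(self):
    """Label and type the message map that starts at ``self.screen_ea``.

    Makes sure the ``AFX_MSGMAP_ENTRY`` structure exists, names the start
    address ``BEGIN_MESSAGE_MAP``, then applies the structure to consecutive
    entries and calls ``MakeMessageName`` on each of them. The walk ends at
    the first entry whose leading dword (nMessage) is zero, or where the
    structure cannot be applied. ``self.screen_ea`` is advanced in place and
    is left on the entry that ended the walk.
    """
    if idc.GetStrucSize(idc.GetStrucIdByName("AFX_MSGMAP_ENTRY")) == 0:
        self.AFX_MSGMAP_ENTRY(self.screen_ea)
    MakeNameEx(self.screen_ea, "BEGIN_MESSAGE_MAP", SN_NOWARN)
    # Look the size up again: the structure may only just have been created.
    entry_size = idc.GetStrucSize(idc.GetStrucIdByName("AFX_MSGMAP_ENTRY"))
    if entry_size == 0:
        # Structure missing or empty: with a zero stride the cursor below
        # would never advance, so stop instead of relying on MakeStructEx
        # to fail.
        return
    # The table contents come from the binary being analysed, and the only
    # stop conditions are a zero nMessage or a failed MakeStructEx. A wrong
    # start address or a table without terminator therefore keeps typing and
    # renaming whatever follows -- review the result before trusting the names.
    while idc.Dword(self.screen_ea) != 0:
        if MakeStructEx(self.screen_ea, entry_size, "AFX_MSGMAP_ENTRY") == 0:
            break
        self.MakeMessageName(self.screen_ea, idc.Dword(self.screen_ea))
        self.screen_ea += entry_size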
python入口点
def Main(reverse_mfc):
    """Run the message-map pass if the helper object reports support.

    ``reverse_mfc.BEGIN_MESSAGE_MAP()`` is called only when
    ``reverse_mfc.os_type_support`` compares equal to ``True``; otherwise
    nothing happens.
    """
    supported = reverse_mfc.os_type_support == True
    if not supported:
        return
    reverse_mfc.BEGIN_MESSAGE_MAP()
if __name__ == "__main__":
    # Log which database and which input file (by MD5) this run annotates.
    # A parenthesised single-argument print prints the same text under
    # Python 2 as the statement form.
    banner = '======================================================================================================'
    print(banner)
    print('idb:\r\n\t%s\r\n\t%s' % (idc.GetIdbPath(), idc.GetInputMD5()))
    print(banner)
    # Analyse the whole address range, run the message-map pass, then analyse
    # once more so the newly typed and named items are picked up.
    idaapi.analyze_area(idc.MinEA(), idc.MaxEA())
    Main(ReverseMFC())
    idaapi.analyze_area(idc.MinEA(), idc.MaxEA())
其中,MakeMessageName 函数是通过解析 winuser.h 文件得来(下面的生成脚本实际打开的文件名是 winuser.rh),由 Python 脚本自动生成。
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Output file that receives the generated MakeMessageName source. It is
# opened with 'w+' (truncating any existing file) as soon as this script is
# loaded, and the functions below write to it through this module-level name.
reverse_mfc = open("reverse_mfc.py", "w+")
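def MakeMessageProc():
    """Emit one ``if``/``elif`` branch per ``#define WM_* 0x...`` line.

    Reads ``winuser.rh`` from the current directory and appends the body of
    ``MakeMessageName`` to the module-level ``reverse_mfc`` file object. Each
    accepted define becomes a branch that comments the map entry with the
    message name and gives the same name to the handler at ``address+20``.

    Only lines that start with ``#define WM_`` and whose value is a bare
    hexadecimal literal are used; aliases and expressions are skipped. The
    first branch written is an ``if`` and every later one an ``elif``, so
    the output stays valid even when ``WM_NULL`` is not the first define.
    """
    import re  # function-scope import: this script has no import block

    # Both tokens are pasted verbatim into Python source that is later run
    # inside IDA, so accept nothing but a plain identifier and a plain hex
    # literal; any other header content is ignored rather than written out.
    name_ok = re.compile(r'WM_[A-Za-z0-9_]+\Z')
    value_ok = re.compile(r'0[xX][0-9A-Fa-f]+\Z')

    first_branch = True
    # The context manager closes the header even if writing fails.
    with open('winuser.rh', 'rb') as winuser:
        for raw in winuser:
            # latin-1 decodes any byte, so odd characters cannot abort the run.
            line = raw.decode('latin-1')
            if not line.startswith("#define WM_"):
                continue
            # Expected shape: "#define", name, value, optional trailing text.
            tokens = line.split()
            if len(tokens) < 3:
                continue
            message, value = tokens[1], tokens[2]
            if not (name_ok.match(message) and value_ok.match(value)):
                continue
            # Validated tokens are pure ASCII; keep them as native strings.
            message, value = str(message), str(value)
            keyword = "if" if first_branch else "elif"
            first_branch = False
            reverse_mfc.write("\t" + keyword + " message==" + value + ":\n")
            reverse_mfc.write("\t\tMakeComm(address, \"" + message + "\")\n")
            reverse_mfc.write("\t\tMakeNameEx(idc.Dword(address+20),\"" + message + "\",SN_NOWARN)\n")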
def MakeFunctionDeclare():
    """Write the file header and the ``MakeMessageName`` signature.

    The text goes to the module-level ``reverse_mfc`` file object in a single
    write: shebang line, coding line, then the ``def`` line whose body is
    produced by ``MakeMessageProc``.
    """
    header = (
        "#!/usr/bin/env python\n"
        "# -*- coding: utf-8 -*-\n"
        "def MakeMessageName(self,address,message):\n"
    )
    reverse_mfc.write(header)
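if __name__ == "__main__":
    # Write the function header first, then one branch per WM_* define.
    # Close the output file even if generation fails, so whatever was
    # written is flushed and the handle is not left open.
    try:
        MakeFunctionDeclare()
        MakeMessageProc()
    finally:
        reverse_mfc.close()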
goodbye.