[讨论]朝闻道，夕可死-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (4)
堀北真希雪币： 207 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 8 回帖 403 粉丝 0 关注私信	堀北真希 1 2 楼与用户交互在user32.dll 2006-5-22 12:07 0
softworm 雪币： 494 活跃值： (629) 能力值： ( LV9，RANK：1210 ) 在线值：发帖 66 回帖 1050 粉丝 13 关注私信	softworm 30 3 楼注册窗口类的时候,就知道回调函数是什么了 2006-5-22 12:36 0
thebutterfly 雪币： 291 活跃值： (213) 能力值： ( LV12，RANK：210 ) 在线值：发帖 10 回帖 548 粉丝 2 关注私信	thebutterfly 5 4 楼粗略流程, 不够准确, 期待各位大虾的详细分析 DispatchMessageA { _DispatchMessageWorker { ValidateHwnd 查找MessageTable UserCallWinProcCheckWow { RtlActivateActivationContextUnsafeFast BeginIfHookedUserApiHook InternalCallWinProc } } } 2006-5-22 13:07 0
dreaman 雪币： 1325 活跃值： (507) 能力值： ( LV12，RANK：450 ) 在线值：发帖 21 回帖 208 粉丝 12 关注私信	dreaman 11 5 楼关键在于HWND,所谓句柄,就是WINDOWS可以据此找到相关内部结构的东东下面是DispatchMessageWorker函数的开头部分: LRESULT DispatchMessageWorker( MSG pmsg, BOOL fAnsi) { PWND pwnd; WPARAM wParamSaved; LRESULT lRet; BOOL bDoDbcsMessaging = FALSE; / * Prevent apps from setting hi 16 bits so we can use them internally. / if (pmsg->message & RESERVED_MSG_BITS) { RIPERR1(ERROR_INVALID_PARAMETER, RIP_WARNING, "Invalid parameter \"pmsg->message\" (%ld) to DispatchMessageWorker", pmsg->message); return 0; } if (pmsg->hwnd != NULL) { pwnd = ValidateHwnd(pmsg->hwnd); if (pwnd == NULL) return 0; pmsg->hwnd = HWq(pwnd); // get full 32-bit HWND in case this came from WoW } else { pwnd = NULL; } 这里出现了一个新的结构PWND pwnd,并且可以从hwnd得到它 pwnd = ValidateHwnd(pmsg->hwnd); 下面是这个结构的内容: typedef struct tagWND PWND; typedef struct tagWND { // wnd THRDESKHEAD head; WW; // WOW-USER common fields. Defined in wowuserp.h // The presence of "state" at the start of this structure is assumed // by the STATEOFFSET macro. struct tagWND spwndNext; // Handle to the next window struct tagWND spwndParent; // Backpointer to the parent window. struct tagWND spwndChild; // Handle to child struct tagWND spwndOwner; // Popup window owner field RECT rcWindow; // Window outer rectangle RECT rcClient; // Client rectangle WNDPROC_PWND lpfnWndProc; // Can be WOW address or standard address PCLS pcls; // Pointer to window class int cbwndExtra; // Extra bytes in window HRGN hrgnUpdate; // Accumulated paint region struct tagWND spwndLastActive; // Last active in owner/ownee list PPROPLIST ppropList; // Pointer to property list PSBINFO pSBInfo; // Words used for scrolling struct tagMENU spmenuSys; // Handle to system menu struct tagMENU *spmenu; // Menu handle or ID LARGE_UNICODE_STRING strName; ULONG_PTR dwUserData; // Reserved for random application data HRGN hrgnClip; // Clipping region for this window HIMC hImc; // Associated input context handle } WND; 2006-5-22 13:33 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (4)
堀北真希雪币： 207 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 8 回帖 403 粉丝 0 关注私信	堀北真希 1 2 楼与用户交互在user32.dll 2006-5-22 12:07 0
softworm 雪币： 494 活跃值： (629) 能力值： ( LV9，RANK：1210 ) 在线值：发帖 66 回帖 1050 粉丝 13 关注私信	softworm 30 3 楼注册窗口类的时候,就知道回调函数是什么了 2006-5-22 12:36 0
thebutterfly 雪币： 291 活跃值： (213) 能力值： ( LV12，RANK：210 ) 在线值：发帖 10 回帖 548 粉丝 2 关注私信	thebutterfly 5 4 楼粗略流程, 不够准确, 期待各位大虾的详细分析 DispatchMessageA { _DispatchMessageWorker { ValidateHwnd 查找MessageTable UserCallWinProcCheckWow { RtlActivateActivationContextUnsafeFast BeginIfHookedUserApiHook InternalCallWinProc } } } 2006-5-22 13:07 0
dreaman 雪币： 1325 活跃值： (507) 能力值： ( LV12，RANK：450 ) 在线值：发帖 21 回帖 208 粉丝 12 关注私信	dreaman 11 5 楼关键在于HWND,所谓句柄,就是WINDOWS可以据此找到相关内部结构的东东下面是DispatchMessageWorker函数的开头部分: LRESULT DispatchMessageWorker( MSG pmsg, BOOL fAnsi) { PWND pwnd; WPARAM wParamSaved; LRESULT lRet; BOOL bDoDbcsMessaging = FALSE; / * Prevent apps from setting hi 16 bits so we can use them internally. / if (pmsg->message & RESERVED_MSG_BITS) { RIPERR1(ERROR_INVALID_PARAMETER, RIP_WARNING, "Invalid parameter \"pmsg->message\" (%ld) to DispatchMessageWorker", pmsg->message); return 0; } if (pmsg->hwnd != NULL) { pwnd = ValidateHwnd(pmsg->hwnd); if (pwnd == NULL) return 0; pmsg->hwnd = HWq(pwnd); // get full 32-bit HWND in case this came from WoW } else { pwnd = NULL; } 这里出现了一个新的结构PWND pwnd,并且可以从hwnd得到它 pwnd = ValidateHwnd(pmsg->hwnd); 下面是这个结构的内容: typedef struct tagWND PWND; typedef struct tagWND { // wnd THRDESKHEAD head; WW; // WOW-USER common fields. Defined in wowuserp.h // The presence of "state" at the start of this structure is assumed // by the STATEOFFSET macro. struct tagWND spwndNext; // Handle to the next window struct tagWND spwndParent; // Backpointer to the parent window. struct tagWND spwndChild; // Handle to child struct tagWND spwndOwner; // Popup window owner field RECT rcWindow; // Window outer rectangle RECT rcClient; // Client rectangle WNDPROC_PWND lpfnWndProc; // Can be WOW address or standard address PCLS pcls; // Pointer to window class int cbwndExtra; // Extra bytes in window HRGN hrgnUpdate; // Accumulated paint region struct tagWND spwndLastActive; // Last active in owner/ownee list PPROPLIST ppropList; // Pointer to property list PSBINFO pSBInfo; // Words used for scrolling struct tagMENU spmenuSys; // Handle to system menu struct tagMENU *spmenu; // Menu handle or ID LARGE_UNICODE_STRING strName; ULONG_PTR dwUserData; // Reserved for random application data HRGN hrgnClip; // Clipping region for this window HIMC hImc; // Associated input context handle } WND; 2006-5-22 13:33 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复