-
-
[求助]驱动中win32k!GetStyleWindow取Window Style
-
发表于: 2008-12-14 18:36
-
驱动中查看HWND对应的Window Style ,
WINDOWS未提供NtUserGetWindowLong导出.
通过内核跟踪找到win32k!GetStyleWindow,看了下2K代码里没有这个函数的原型。
win32k!GetStyleWindow的汇编码:
--------------------------------------------------
win32k!GetStyleWindow:
bf80195a 8bff mov edi,edi
bf80195c 55 push ebp
bf80195d 8bec mov ebp,esp
bf80195f 8b4508 mov eax,dword ptr [ebp+8] //第一个参数-句柄?
bf801962 85c0 test eax,eax //句柄为空退出
bf801964 741a je win32k!GetStyleWindow+0x26 (bf801980)
win32k!GetStyleWindow+0xc:
bf801966 8b4d0c mov ecx,dword ptr [ebp+0Ch] //第2个参数-index?
bf801969 8bd1 mov edx,ecx
bf80196b c1ea08 shr edx,8 //参数右移8位?
bf80196e 56 push esi
win32k!GetStyleWindow+0x15:
bf80196f 0fb6f2 movzx esi,dl
bf801972 844c0614 test byte ptr [esi+eax+14h],cl
bf801976 7507 jne win32k!GetStyleWindow+0x25 (bf80197f)
win32k!GetStyleWindow+0x1e:
bf801978 8b4034 mov eax,dword ptr [eax+34h] //<--返回值: [pHWND+34h]?
bf80197b 85c0 test eax,eax
bf80197d 75f0 jne win32k!GetStyleWindow+0x15 (bf80196f)
win32k!GetStyleWindow+0x25:
bf80197f 5e pop esi
win32k!GetStyleWindow+0x26:
bf801980 5d pop ebp
bf801981 c20800 ret 8 //2个参数
自己猜测的GetStyleWindow原型:
//返回值为Window Style?
ULONG GetStyleWindow
(
IN HWND hwnd ,
IN ULONG nIndex);
参考了网上其他大侠的方法:
PdwWindowType=(ULONG*)ValidateHwnd(hwnd)+0x20; //先取pWnd, 然后偏移0x20, 请教WND结构如何查看,dt -b _WND未果
if(MmIsAddressValid(PdwWindowType))
dwWindowType = *(PdwWindowType);
/*
* NOTE -- this structure has been sorted (roughly) in order of use
* of the fields. The x86 code set allows cheaper access to fields
* that are in the first 0x80 bytes of a structure. Please attempt
* to ensure that frequently-used fields are below this boundary.
* FritzS
*/
typedef struct tagWND { // wnd
THRDESKHEAD head;
WW; // WOW-USER common fields. Defined in wowuserp.h
// The presence of "state" at the start of this structure is assumed
// by the STATEOFFSET macro.
PWND spwndNext; // Handle to the next window
PWND spwndParent; // Backpointer to the parent window.
PWND spwndChild; // Handle to child
PWND spwndOwner; // Popup window owner field
RECT rcWindow; // Window outer rectangle
RECT rcClient; // Client rectangle
WNDPROC_PWND lpfnWndProc; // Can be WOW address or standard address
PCLS pcls; // Pointer to window class
KHRGN hrgnUpdate; // Accumulated paint region
PPROPLIST ppropList; // Pointer to property list
PSBINFO pSBInfo; // Words used for scrolling
PMENU spmenuSys; // Handle to system menu
PMENU spmenu; // Menu handle or ID
KHRGN hrgnClip; // Clipping region for this window
LARGE_UNICODE_STRING strName;
int cbwndExtra; // Extra bytes in window
PWND spwndLastActive; // Last active in owner/ownee list
KHIMC hImc; // Associated input context handle
KERNEL_ULONG_PTR dwUserData; // Reserved for random application data
} WND;
以上方法都没有得到window style,请大侠赐教~
WINDOWS未提供NtUserGetWindowLong导出.
通过内核跟踪找到win32k!GetStyleWindow,看了下2K代码里没有这个函数的原型。
win32k!GetStyleWindow的汇编码:
--------------------------------------------------
win32k!GetStyleWindow:
bf80195a 8bff mov edi,edi
bf80195c 55 push ebp
bf80195d 8bec mov ebp,esp
bf80195f 8b4508 mov eax,dword ptr [ebp+8] //第一个参数-句柄?
bf801962 85c0 test eax,eax //句柄为空退出
bf801964 741a je win32k!GetStyleWindow+0x26 (bf801980)
win32k!GetStyleWindow+0xc:
bf801966 8b4d0c mov ecx,dword ptr [ebp+0Ch] //第2个参数-index?
bf801969 8bd1 mov edx,ecx
bf80196b c1ea08 shr edx,8 //参数右移8位?
bf80196e 56 push esi
win32k!GetStyleWindow+0x15:
bf80196f 0fb6f2 movzx esi,dl
bf801972 844c0614 test byte ptr [esi+eax+14h],cl
bf801976 7507 jne win32k!GetStyleWindow+0x25 (bf80197f)
win32k!GetStyleWindow+0x1e:
bf801978 8b4034 mov eax,dword ptr [eax+34h] //<--返回值: [pHWND+34h]?
bf80197b 85c0 test eax,eax
bf80197d 75f0 jne win32k!GetStyleWindow+0x15 (bf80196f)
win32k!GetStyleWindow+0x25:
bf80197f 5e pop esi
win32k!GetStyleWindow+0x26:
bf801980 5d pop ebp
bf801981 c20800 ret 8 //2个参数
自己猜测的GetStyleWindow原型:
//返回值为Window Style?
ULONG GetStyleWindow
(
IN HWND hwnd ,
IN ULONG nIndex);
参考了网上其他大侠的方法:
PdwWindowType=(ULONG*)ValidateHwnd(hwnd)+0x20; //先取pWnd, 然后偏移0x20, 请教WND结构如何查看,dt -b _WND未果
if(MmIsAddressValid(PdwWindowType))
dwWindowType = *(PdwWindowType);
/*
* NOTE -- this structure has been sorted (roughly) in order of use
* of the fields. The x86 code set allows cheaper access to fields
* that are in the first 0x80 bytes of a structure. Please attempt
* to ensure that frequently-used fields are below this boundary.
* FritzS
*/
typedef struct tagWND { // wnd
THRDESKHEAD head;
WW; // WOW-USER common fields. Defined in wowuserp.h
// The presence of "state" at the start of this structure is assumed
// by the STATEOFFSET macro.
PWND spwndNext; // Handle to the next window
PWND spwndParent; // Backpointer to the parent window.
PWND spwndChild; // Handle to child
PWND spwndOwner; // Popup window owner field
RECT rcWindow; // Window outer rectangle
RECT rcClient; // Client rectangle
WNDPROC_PWND lpfnWndProc; // Can be WOW address or standard address
PCLS pcls; // Pointer to window class
KHRGN hrgnUpdate; // Accumulated paint region
PPROPLIST ppropList; // Pointer to property list
PSBINFO pSBInfo; // Words used for scrolling
PMENU spmenuSys; // Handle to system menu
PMENU spmenu; // Menu handle or ID
KHRGN hrgnClip; // Clipping region for this window
LARGE_UNICODE_STRING strName;
int cbwndExtra; // Extra bytes in window
PWND spwndLastActive; // Last active in owner/ownee list
KHIMC hImc; // Associated input context handle
KERNEL_ULONG_PTR dwUserData; // Reserved for random application data
} WND;
以上方法都没有得到window style,请大侠赐教~
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
