winlogon里面的USER32!DialogBox2函数分析及调试记录和win32k!dialog结构和win32k!WND结构的关系及win32k!WND结构中的fnid==重要


winlogon里面的USER32!DialogBox2函数分析及调试记录和win32k!dialog结构和win32k!WND结构的关系及win32k!WND结构中的fnid

第一部分: 从 USER32!InternalDialogBox 单步进入 DialogBox2。下面的 kc 显示这是两层嵌套的模态对话框: 外层对话框 (帧 16–1e, BlockWaitForUserAction → WlxDialogBoxParam → DialogBox2) 的消息循环经 IsDialogMessageW/DispatchMessageW 回调到 winlogon!RootDlgProc → LoggedonDlgProc → DoScreenSaver → DoLockWksta, 再由 MSGINA!WlxWkstaLockedSAS 弹出内层的工作站锁定对话框 (帧 00–07); 当前进入的是内层对话框的 DialogBox2。随后通过 win32k!gSharedInfo.aheList 按 hwnd 0x001800e0 查句柄表, 由表项的 phead 得到内核侧的 tagWND (0xbc644124)。

0: kd> p
eax=001800e0 ebx=00000000 ecx=bbe70000 edx=00000200 esi=00000000 edi=00000000
eip=77cff44e esp=0006f930 ebp=0006f940 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
USER32!InternalDialogBox+0xfd:
001b:77cff44e 56              push    esi
0: kd> t
eax=001800e0 ebx=00000000 ecx=bbe70000 edx=00000200 esi=00000000 edi=00000000
eip=77cdfdfb esp=0006f91c ebp=0006f940 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
USER32!DialogBox2:
001b:77cdfdfb 55              push    ebp
0: kd> kc
 #
00 USER32!DialogBox2
01 USER32!InternalDialogBox
02 USER32!DialogBoxIndirectParamAorW
03 USER32!DialogBoxParamW
04 USER32!DialogBoxParamW_wrapper
05 winlogon!Fusion_DialogBoxParam
06 winlogon!TimeoutDialogBoxParam
07 winlogon!WlxDialogBoxParam
08 MSGINA!WlxWkstaLockedSAS
09 winlogon!DoLockWksta
0a winlogon!DoScreenSaver
0b winlogon!LoggedonDlgProc
0c winlogon!RootDlgProc
0d USER32!InternalCallWinProc
0e USER32!UserCallDlgProcCheckWow
0f USER32!DefDlgProcWorker
10 USER32!DefDlgProcW
11 USER32!InternalCallWinProc
12 USER32!UserCallWinProcCheckWow
13 USER32!DispatchMessageWorker
14 USER32!DispatchMessageW
15 USER32!IsDialogMessageW
16 USER32!DialogBox2
17 USER32!InternalDialogBox
18 USER32!DialogBoxIndirectParamAorW
19 USER32!DialogBoxParamW
1a USER32!DialogBoxParamW_wrapper
1b winlogon!Fusion_DialogBoxParam
1c winlogon!TimeoutDialogBoxParam
1d winlogon!WlxDialogBoxParam
1e winlogon!BlockWaitForUserAction
1f winlogon!MainLoop
20 winlogon!WinMain
21 winlogon!WinMainCRTStartup
0: kd> dv
                hwnd = 0x001800e0
           hwndOwner = 0x00000000
           fDisabled = 0n0
fOwnerIsActiveWindow = 0n0
              fShown = 0n0
    fSentIdleMessage = 0n1963458560      // 此时 eip 停在 DialogBox2 的第一条指令 (push ebp), 局部变量尚未初始化, 这里和下面 msg 显示的都是栈上的残留值
                 msg = {msg=0x90000 wp=0x1a1001d lp=0x77cc00e7}

0: kd> x win32k!gSharedInfo
bfa70580          win32k!gSharedInfo = struct tagSHAREDINFO
0: kd> dx -id 0,0,89413020 -r1 (*((win32k!tagSHAREDINFO *)0xbfa70580))
(*((win32k!tagSHAREDINFO *)0xbfa70580))                 [Type: tagSHAREDINFO]
    [+0x000] psi              : 0xbc610c9c [Type: tagSERVERINFO *]
    [+0x004] aheList          : 0xbc510000 [Type: _HANDLEENTRY *]
    [+0x008] pDispInfo        : 0xbc611c8c [Type: tagDISPLAYINFO *]
    [+0x00c] ulSharedDelta    : 0x0 [Type: unsigned int]
    [+0x010] awmControl       [Type: _WNDMSG [31]]
    [+0x108] DefWindowMsgs    [Type: _WNDMSG]
    [+0x110] DefWindowSpecMsgs [Type: _WNDMSG]
0: kd> dx -id 0,0,89413020 -r1 ((win32k!_HANDLEENTRY *)0xbc510000)
((win32k!_HANDLEENTRY *)0xbc510000)                 : 0xbc510000 [Type: _HANDLEENTRY *]
    [+0x000] phead            : 0x0 [Type: _HEAD *]
    [+0x004] pOwner           : 0x0 [Type: void *]
    [+0x008] bType            : 0x0 [Type: unsigned char]
    [+0x009] bFlags           : 0x0 [Type: unsigned char]
    [+0x00a] wUniq            : 0x1 [Type: unsigned short]
    [+0x00c] plr              : 0x0 [Type: _LOCKRECORD *]
0: kd> dt win32k!_HANDLEENTRY  0xbc510000+e00      // hwnd 0x001800e0: 低 16 位 0x00e0 是句柄表索引, 每项 0x10 字节 (plr 位于 +0xc), 故偏移 0xe0*0x10 = 0xe00; 高 16 位 0x0018 应与表项的 wUniq (下面为 0x18) 一致
   +0x000 phead            : 0xbc644124 _HEAD
   +0x004 pOwner           : 0xe1404c50 Void
   +0x008 bType            : 0x1 ''
   +0x009 bFlags           : 0 ''
   +0x00a wUniq            : 0x18
   +0x00c plr              : (null)
0: kd> dx -id 0,0,89413020 -r1 ((win32k!_HEAD *)0xbc644124)
((win32k!_HEAD *)0xbc644124)                 : 0xbc644124 [Type: _HEAD *]
    [+0x000] h                : 0x1800e0 [Type: void *]
    [+0x004] cLockObj         : 0x12 [Type: unsigned long]
0: kd> dt win32k!wnd 0xbc644124
   +0x000 head             : _THRDESKHEAD
   +0x014 state            : 0x304c8
   +0x018 state2           : 0x80000300
   +0x01c ExStyle          : 0x10901
   +0x020 style            : 0x94c000cc
   +0x024 hModule          : 0x75080000 Void
   +0x028 hMod16           : 0
   +0x02a fnid             : 0x2a4
   +0x02c spwndNext        : 0xbc644d2c tagWND
   +0x030 spwndPrev        : (null)
   +0x034 spwndParent      : 0xbc640dd4 tagWND
   +0x038 spwndChild       : 0xbc644244 tagWND
   +0x03c spwndOwner       : (null)
   +0x040 rcWindow         : tagRECT
   +0x050 rcClient         : tagRECT
   +0x060 lpfnWndProc      : 0x77ce6bd6     long  USER32!DefDlgProcW+0

参考:
0006f934 77cff432 00000000 0006f968 77cff459 USER32!NtUserWaitMessage+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\umode\daytona\obj\i386\usrstubs.c @ 4795]
0006f968 77ce5e58 75080000 750b73e8 00000000 USER32!InternalDialogBox+0xe1 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\dlgmgr.c @ 1339]
参考 (dlgmgr.c 中 DialogBox2 的空闲等待分支): 只有 hwndOwner 非空、未设置 DS_NOIDLEMSG 且本轮尚未发过时, 才向 owner 发送 WM_ENTERIDLE。在回到这里之前, 循环的上半部分已经通过 IsDialogMessage/DispatchMessage 回调过任意窗口过程 (见上面的 kc), 对话框本身可能已被销毁, 因此 else 分支在调用 NtUserWaitMessage 之前先 RevalidateHwnd, 并检查 fnid 的状态位 (FNID_STATUS_BITS, 其具体定义本文未贴出), 任一条件不满足就跳出循环:

                if (hwndOwner && fWantIdleMsgs && !fSentIdleMessage) {
                    fSentIdleMessage = TRUE;

                    SendMessage(hwndOwner, WM_ENTERIDLE, MSGF_DIALOGBOX, (LPARAM)hwnd);
                } else {
                    if ((RevalidateHwnd(hwnd)==NULL) || (pwnd->fnid & FNID_STATUS_BITS))
                        break;

                    NtUserWaitMessage();
                }
            }

第二部分: DialogBox2 开头对 hwnd 调用 ValidateHwnd, 返回的是用户态映射中的 WND 指针 (eax=007d4124), 而不是第一部分看到的内核地址 0xbc644124; 下面用 !pte 比较二者的页表项。

    if (hwnd) {
        pwnd = ValidateHwnd(hwnd);

0: kd> p
eax=001800e0 ebx=00000000 ecx=001800e0 edx=00000200 esi=00000000 edi=00000000
eip=77cdfe0f esp=0006f8f0 ebp=0006f918 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
USER32!DialogBox2+0x14:
001b:77cdfe0f e8c5e1fdff      call    USER32!ValidateHwnd (77cbdfd9)
0: kd> p
eax=007d4124 ebx=00000000 ecx=00000001 edx=00000201 esi=007d4124 edi=00000000
eip=77cdfe16 esp=0006f8f0 ebp=0006f918 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
USER32!DialogBox2+0x1b:
001b:77cdfe16 eb02            jmp     USER32!DialogBox2+0x1f (77cdfe1a)

eax=007d4124 —— ValidateHwnd 返回的是用户态映射里的 WND 指针。下面用 !pte 对比它与内核地址 0xbc644124: 两者落在同一物理页 (pfn 7a29f), 用户态 PTE 为 UREV (只读), 内核态为 KWEV (可写), 即同一块桌面堆在内核态和用户态的两个映射; 两地址之差 0xbc644124 - 0x007d4124 = 0xbbe70000, 与前面寄存器快照中 ecx 的值相同。

0: kd> !pte 007d4124
                 VA 007d4124
PDE at C0300004         PTE at C0001F50
contains 7AB67867       contains 7A29F025
pfn 7ab67 ---DA--UWEV   pfn 7a29f ----A--UREV

0: kd> !pte 0xbc644124
                 VA bc644124
PDE at C0300BC4         PTE at C02F1910
contains 7B17F863       contains 7A29F863
pfn 7b17f ---DA--KWEV   pfn 7a29f ---DA--KWEV

    /*
     * Set the 'parent disabled' flag for EndDialog().
     * convert BOOL to definite bit 0 or 1
     */
    PDLG(pwnd)->fDisabled = !!fDisabled;

    fShown = TestWF(pwnd, WFVISIBLE);

/* Byte offset of the WND.state field; the TestWF flag constants are encoded
 * relative to it (in the dt win32k!wnd dumps on this page state is at +0x14). */
#define STATEOFFSET (FIELD_OFFSET(WND, state))
/* Test one window flag: HIBYTE(flag) selects the byte at STATEOFFSET + HIBYTE(flag)
 * inside the WND, LOBYTE(flag) is the bit mask within that byte.  The result is the
 * masked byte value, not a normalized TRUE/FALSE (e.g. fShown shows up as 16). */
#define TestWF(hwnd, flag)   (*(((KPBYTE)(hwnd)) + STATEOFFSET + (int)HIBYTE(flag)) & LOBYTE(flag))

/* Dialog Styles (public winuser.h subset; they occupy the low bits of WND.style).
 * DialogBox2 reads DS_NOIDLEMSG from pwnd->style to decide whether the owner
 * should get WM_ENTERIDLE while the modal loop is idle; the dialog dumped on
 * this page has style 0x94c000cc, i.e. DS_NOIDLEMSG clear. */
#define DS_ABSALIGN        0x01L
#define DS_SYSMODAL        0x02L
#define DS_LOCALEDIT        0x20L   /* Edit items get Local storage. */
#define DS_SETFONT        0x40L   /* User specified font for Dlg controls */
#define DS_MODALFRAME        0x80L   /* Can be combined with WS_CAPTION  */
#define DS_NOIDLEMSG        0x100L  /* WM_ENTERIDLE message will not be sent */

    /*
     * Should the WM_ENTERIDLE messages be sent?
     */
    fWantIdleMsgs = !(pwnd->style & DS_NOIDLEMSG);

0: kd> dt win32k!wnd 0xbc644124
   +0x000 head             : _THRDESKHEAD
   +0x014 state            : 0x304c8
   +0x018 state2           : 0x80000300
   +0x01c ExStyle          : 0x10901
   +0x020 style            : 0x94c000cc      // 低位不含 DS_NOIDLEMSG (0x100), 所以 fWantIdleMsgs 为 TRUE; 但 hwndOwner 为 NULL (见 dv), 按上面的条件 WM_ENTERIDLE 实际不会发送, 空闲时走的是 RevalidateHwnd + NtUserWaitMessage 那条分支

#define DS_NOIDLEMSG        0x100L  /* WM_ENTERIDLE message will not be sent */

第三部分: 消息循环主体。PeekMessage 取到一条消息 (msg=0x5, 即 WM_SIZE, 其目标 hwnd 见第四部分) 后进入 else 分支: 先与 WM_QUIT 比较, 再用 WFMSGBOX 判断当前窗口是否为消息框。

    while (PDLG(pwnd) && (!PDLG(pwnd)->fEnd)) {
        if (!PeekMessage(&msg, NULL, 0, 0, PM_REMOVE)) {
ShowIt:
            if (!fShown) {
                fShown = TRUE;

0: kd> p
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1
eax=00000001 ebx=00000000 ecx=0006f87c edx=7ffe0304 esi=007d4124 edi=00000001
eip=77cdfee5 esp=0006f8ec ebp=0006f918 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
USER32!DialogBox2+0xea:
001b:77cdfee5 837de412        cmp     dword ptr [ebp-1Ch],12h ss:0023:0006f8fc=00000005      // [ebp-1Ch] 即 msg.message = 5 (WM_SIZE), 与 12h (WM_QUIT) 比较, 对应源码中的 if (msg.message == WM_QUIT)

0: kd> dv
                hwnd = 0x001800e0
           hwndOwner = 0x00000000
           fDisabled = 0n16
fOwnerIsActiveWindow = 0n0
              fShown = 0n16      // TestWF 返回的是按位与后的字节值而非规范化的 TRUE/FALSE; 0x10 应对应 style 最高字节 0x94 中的 WS_VISIBLE 位 —— 需对照 user.h 里 WFVISIBLE 的定义确认
    fSentIdleMessage = 0n0
                 msg = {msg=0x5 wp=0x0 lp=0x0}

        } else {
            /*
             * We got a real message.  Reset fSentIdleMessage so that we send
             * one next time things are calm.
             */
            fSentIdleMessage = FALSE;

            if (msg.message == WM_QUIT) {
                PostQuitMessage((int)msg.wParam);
                break;
            }

            /*
             * If pwnd is a message box, allow Ctrl-C and Ctrl-Ins
             * to copy its content to the clipboard.
             * Fall through in case hooking apps look for these keys.
             */
            if (TestWF(pwnd, WFMSGBOX)) {
                if ( (msg.message == WM_CHAR && LOBYTE(msg.wParam) == 3) ||
                     (msg.message == WM_KEYDOWN && LOBYTE(msg.wParam) == VK_INSERT && GetKeyState(VK_CONTROL) < 0)) {
                        /*
                         * Send the WM_COPY message and let the original message fall through
                         * as some apps might want it
                         */
                        SendMessage(hwnd, WM_COPY, 0, 0);
                }
            }

TestWF(pwnd, WFMSGBOX)
#define TestWF(hwnd, flag)   (*(((KPBYTE)(hwnd)) + STATEOFFSET + (int)HIBYTE(flag)) & LOBYTE(flag))

/* WND.state flag for TestWF: HIBYTE 0 selects the first byte of state, LOBYTE 0x20
 * the bit.  For the dialog dumped above state is 0x304c8, so 0xc8 & 0x20 == 0:
 * this window is not a message box and the WM_COPY shortcut path is skipped. */
#define WFMSGBOX                0x0020  // used to maintain count of msg boxes on screen

0: kd> dt win32k!wnd 0xbc644124
   +0x000 head             : _THRDESKHEAD
   +0x014 state            : 0x304c8
   +0x018 state2           : 0x80000300

1100 1000   <- state 的最低字节 0xc8 (WFMSGBOX 的 HIBYTE 为 0, 取 state+0 处的字节)
0010 0000   <- WFMSGBOX 的 LOBYTE 掩码 0x20; 两者按位与为 0, 所以 TestWF(pwnd, WFMSGBOX) 为假, 这个对话框不是消息框, 不会走 WM_COPY 那一段

第四部分: 在 user32!NtUserWaitMessage 上下断点后继续单步, 先进入 IsDialogMessageW。消息的目标 hwnd 是 0xd00d6 而不是对话框 0x1800e0; 通过句柄表索引 0xd6 找到对应的 tagWND (0xbc644d2c): 它与对话框同属一个父窗口 (spwndParent 都是 0xbc640dd4), 且正是对话框的 spwndNext, fnid 为 0x2a6, 窗口过程是 USER32!ComboListBoxWndProcW。

0: kd> bp user32!NtUserWaitMessage
0: kd> t
eax=0006f8f8 ebx=00000000 ecx=0006f87c edx=7ffe0304 esi=007d4124 edi=00000001
eip=77cdb0e7 esp=0006f8e0 ebp=0006f918 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
USER32!IsDialogMessageW:
001b:77cdb0e7 55              push    ebp
0: kd> kc
 #
00 USER32!IsDialogMessageW
01 USER32!DialogBox2
02 USER32!InternalDialogBox
03 USER32!DialogBoxIndirectParamAorW
04 USER32!DialogBoxParamW
05 USER32!DialogBoxParamW_wrapper
06 winlogon!Fusion_DialogBoxParam
07 winlogon!TimeoutDialogBoxParam
08 winlogon!WlxDialogBoxParam
09 MSGINA!WlxWkstaLockedSAS
0a winlogon!DoLockWksta
0b winlogon!DoScreenSaver
0c winlogon!LoggedonDlgProc
0d winlogon!RootDlgProc
0e USER32!InternalCallWinProc
0f USER32!UserCallDlgProcCheckWow
10 USER32!DefDlgProcWorker
11 USER32!DefDlgProcW
12 USER32!InternalCallWinProc
13 USER32!UserCallWinProcCheckWow
14 USER32!DispatchMessageWorker
15 USER32!DispatchMessageW
16 USER32!IsDialogMessageW
17 USER32!DialogBox2
18 USER32!InternalDialogBox
19 USER32!DialogBoxIndirectParamAorW
1a USER32!DialogBoxParamW
1b USER32!DialogBoxParamW_wrapper
1c winlogon!Fusion_DialogBoxParam
1d winlogon!TimeoutDialogBoxParam
1e winlogon!WlxDialogBoxParam
1f winlogon!BlockWaitForUserAction
20 winlogon!MainLoop
21 winlogon!WinMain
22 winlogon!WinMainCRTStartup
0: kd> dv
        hwndDlg = 0x001800e0
          lpMsg = 0x0006f8f8 {msg=0x5 wp=0x0 lp=0x0}
          hwnd2 = 0x001800e0
         langID = 0xfedd
        pwndDlg = 0x0006f8f8
           pwnd = 0x0006f8f8
          fBack = 0n456984
           pbutn = 0x001800e0      // 这是刚进入 IsDialogMessageW (eip 停在 push ebp) 时的 dv, pwndDlg/pwnd/fBack/langID/pbutn 等局部变量尚未初始化, 数值无意义; 只有参数 hwndDlg 和 lpMsg 可信

 IsDialogMessage 并不像它的名字那样只是"检查"某条消息是否属于对话框, 而是负责解释并转换消息 (键盘导航、加速键等), 更贴切的名字应该是 TranslateDialogMessage。它主要用来解释非模态对话框的消息。

 可以把它看成对话框内建的、专门解释键盘消息的"加速键表"。实际上 IsDialogMessage 并不是对话框专用的——在任何包含控件的窗口中都可以调用它, 以获得与对话框一致的键盘行为。但由于它的第一个参数是对话框的 HWND, 应用中的每一个非模态对话框都必须在自己的消息循环里调用它; 而模态对话框 (如本文的 DialogBox2) 则由 USER32 在循环里自行调用 IsDialogMessageW (见上面的 kc)。它只对发给该对话框窗口 (或其中控件) 的消息起作用, 会特别处理的消息和虚拟键包括:

WM_LBUTTONDOWN

WM_SYSCHAR

WM_CHAR

WM_SYSKEYDOWN

WM_KEYDOWN

VK_LEFT

VK_UP

VK_RIGHT

VK_DOWN

VK_EXECUTE

VK_RETURN

VK_ESCAPE

VK_CANCEL

    {IMSG_DWORD, FALSE, FALSE},                   // WM_INPUT                 0x00FF
    {IMSG_DWORD, FALSE, FALSE},                   // WM_KEYDOWN               0x0100
    {IMSG_DWORD, FALSE, FALSE},                   // WM_KEYUP                 0x0101
    {IMSG_INWPARAMDBCSCHAR,  TRUE, FALSE},        // WM_CHAR                  0x0102
    {IMSG_INWPARAMCHAR,  TRUE, FALSE},            // WM_DEADCHAR              0x0103
    {IMSG_DWORD, FALSE, FALSE},                   // WM_SYSKEYDOWN            0x0104
    {IMSG_DWORD, FALSE, FALSE},                   // WM_SYSKEYUP              0x0105
    {IMSG_INWPARAMCHAR,  TRUE, FALSE},            // WM_SYSCHAR               0x0106
    {IMSG_INWPARAMCHAR,  TRUE, FALSE},            // WM_SYSDEADCHAR           0x0107

0: kd> p
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserCallMsgFilter, retval = 0
eax=00000000 ebx=00000000 ecx=0006f884 edx=7ffe0304 esi=0006f8f8 edi=007d4124
eip=77cdb193 esp=0006f8c8 ebp=0006f8dc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
USER32!IsDialogMessageW+0xac:
001b:77cdb193 0f85e3040000    jne     USER32!IsDialogMessageW+0x595 (77cdb67c) [br=0]      // 上一行 NtUserCallMsgFilter 返回 0 (没有消息过滤钩子吞掉该消息), 这里 br=0 不跳转, 继续由 IsDialogMessageW 处理

D:\srv03rtm\windows\core/ntuser/inc/user.h:3104:#define PDLG(pwnd) (((PDIALOG)pwnd)->pdlg)

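/*
 * Layout of a dialog window: a WND followed by DLGWINDOWEXTRA extra bytes.
 * In the x86 dumps on this page (dt win32k!dialog) the WND is 0xa0 bytes, so
 * resultWP sits at +0xa0, pdlg at +0xa4, unused at +0xa8 and reserved[18] at +0xac.
 *
 * pdlg points at the dialog's private DLG (lpfnDlg, fEnd, fDisabled, ...).  In
 * the trace it is a user-mode address (0x01230408, with lpfnDlg resolving to
 * winlogon!RootDlgProc), i.e. the DLG itself lives in the owning process rather
 * than in the desktop heap; only the pointer is kept in the window extra bytes.
 * PDLG(pwnd) in user.h is just ((PDIALOG)pwnd)->pdlg, and DialogBox2's loop
 * condition reads PDLG(pwnd)->fEnd through it.
 */
typedef struct _DIALOG {
    WND             wnd;

    KERNEL_LRESULT  resultWP;       /* window proc result - DWL_MSGRESULT (+0) */
    PDLG            pdlg;           /* private dialog data (+4) */
    KERNEL_LONG_PTR unused;        /* DWL_USER (+8) */
    /* pad the extra bytes out to DLGWINDOWEXTRA in total */
    BYTE            reserved[DLGWINDOWEXTRA - sizeof(KERNEL_LRESULT) - sizeof(PDLG) - sizeof(KERNEL_LONG_PTR)];
} DIALOG, * KPTR_MODIFIER PDIALOG;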

0: kd> dt win32k!wnd 0xbc644124
   +0x000 head             : _THRDESKHEAD
   +0x014 state            : 0x304c8
   +0x018 state2           : 0x80000300
   +0x01c ExStyle          : 0x10901
   +0x020 style            : 0x94c000cc
   +0x024 hModule          : 0x75080000 Void
   +0x028 hMod16           : 0
   +0x02a fnid             : 0x2a4            //#define FNID_DIALOG                 0x000002A4
   +0x02c spwndNext        : 0xbc644d2c tagWND
   +0x030 spwndPrev        : (null)
   +0x034 spwndParent      : 0xbc640dd4 tagWND
   +0x038 spwndChild       : 0xbc644244 tagWND
   +0x03c spwndOwner       : (null)
   +0x040 rcWindow         : tagRECT
   +0x050 rcClient         : tagRECT
   +0x060 lpfnWndProc      : 0x77ce6bd6     long  USER32!DefDlgProcW+0

0: kd> dt win32k!dialog 0xbc644124
   +0x000 wnd              : tagWND
   +0x0a0 resultWP         : 0n0
   +0x0a4 pdlg             : 0x01230408 _DLG
   +0x0a8 unused           : 0n488472
   +0x0ac reserved         : [18]  ""
0: kd> dx -id 0,0,89413020 -r1 ((win32k!_DLG *)0x1230408)
((win32k!_DLG *)0x1230408)                 : 0x1230408 [Type: _DLG *]
    [+0x000] lpfnDlg          : 0x102c230 [Type: int (*)(HWND__ *,unsigned int,unsigned int,long)]      // = winlogon!RootDlgProc (见下面的 u 输出), 即对话框过程; DialogBox2 的循环条件 PDLG(pwnd)->fEnd 也在这个结构里 (+0x14 bit 0)
    [+0x004] flags            : 0x0 [Type: unsigned long]
    [+0x008] cxChar           : 6 [Type: int]
    [+0x00c] cyChar           : 13 [Type: int]
    [+0x010] hwndFocusSave    : 0x0 [Type: HWND__ *]
    [+0x014 ( 0: 0)] fEnd             : 0x0 [Type: unsigned int]
    [+0x014 ( 1: 1)] fDisabled        : 0x0 [Type: unsigned int]
    [+0x018] result           : 1 [Type: int]
    [+0x01c] hData            : 0x0 [Type: void *]
    [+0x020] hUserFont        : 0xe0a028d [Type: HFONT__ *]
0: kd> u 102c230
winlogon!RootDlgProc [d:\srv03rtm\ds\security\gina\winlogon\wlxutil.c @ 286]:
0102c230 55              push    ebp
0102c231 8bec            mov     ebp,esp
0102c233 817d0c10010000  cmp     dword ptr [ebp+0Ch],110h
0102c23a 53              push    ebx
0102c23b 8b5d08          mov     ebx,dword ptr [ebp+8]
0102c23e 56              push    esi
0102c23f 57              push    edi
0102c240 752a            jne     winlogon!RootDlgProc+0x3c (0102c26c)

0: kd> dx -id 0,0,89413020 -r1 -nv (*((USER32!tagMSG *)0x6f8f8))
(*((USER32!tagMSG *)0x6f8f8))                 : {msg=0x5 wp=0x0 lp=0x0} [Type: tagMSG]
    [+0x000] hwnd             : 0xd00d6 [Type: HWND__ *]
    [+0x004] message          : 0x5 [Type: unsigned int]
    [+0x008] wParam           : 0x0 [Type: unsigned int]
    [+0x00c] lParam           : 0 [Type: long]
    [+0x010] time             : 0xffeb233e [Type: unsigned long]
    [+0x014] pt               [Type: tagPOINT]
0: kd> dt win32k!gSharedInfo
   +0x000 psi              : 0xbc610c9c tagSERVERINFO
   +0x004 aheList          : 0xbc510000 _HANDLEENTRY
   +0x008 pDispInfo        : 0xbc611c8c tagDISPLAYINFO
   +0x00c ulSharedDelta    : 0
   +0x010 awmControl       : [31] _WNDMSG
   +0x108 DefWindowMsgs    : _WNDMSG
   +0x110 DefWindowSpecMsgs : _WNDMSG
0: kd> dx -id 0,0,89413020 -r1 ((win32k!_HANDLEENTRY *)0xbc510000)
((win32k!_HANDLEENTRY *)0xbc510000)                 : 0xbc510000 [Type: _HANDLEENTRY *]
    [+0x000] phead            : 0x0 [Type: _HEAD *]
    [+0x004] pOwner           : 0x0 [Type: void *]
    [+0x008] bType            : 0x0 [Type: unsigned char]
    [+0x009] bFlags           : 0x0 [Type: unsigned char]
    [+0x00a] wUniq            : 0x1 [Type: unsigned short]
    [+0x00c] plr              : 0x0 [Type: _LOCKRECORD *]
0: kd> dt 0xbc510000+d60
Symbol not found at address bc510d60.
0: kd> dt win32k!_HANDLEENTRY 0xbc510000+d60      // 消息目标 hwnd 0xd00d6: 索引 0xd6 -> 偏移 0xd6*0x10 = 0xd60, 高 16 位 0xd 与表项 wUniq 0xd 一致
   +0x000 phead            : 0xbc644d2c _HEAD
   +0x004 pOwner           : 0xe1404c50 Void
   +0x008 bType            : 0x1 ''
   +0x009 bFlags           : 0 ''
   +0x00a wUniq            : 0xd
   +0x00c plr              : (null)

0: kd> dx -id 0,0,89413020 -r1 (*((win32k!tagWND *)0xbc644d2c))
(*((win32k!tagWND *)0xbc644d2c))                 [Type: tagWND]
    [+0x000] head             [Type: _THRDESKHEAD]
    [+0x014] state            : 0x0 [Type: unsigned long]
    [+0x018] state2           : 0x80000300 [Type: unsigned long]
    [+0x01c] ExStyle          : 0x80 [Type: unsigned long]
    [+0x020] style            : 0x44808043 [Type: unsigned long]
    [+0x024] hModule          : 0x75080000 [Type: void *]
    [+0x028] hMod16           : 0x0 [Type: unsigned short]
    [+0x02a] fnid             : 0x2a6 [Type: unsigned short]        // #define FNID_LISTBOX 0x000002A6; 注意窗口过程却是 ComboListBoxWndProcW 而不是 FNID_COMBOLISTBOX, fnid 与 lpfnWndProc 并非一一对应 —— 推测 fnid 由列表框公共创建代码统一设置, 需对照 lb1.c 核实
    [+0x02c] spwndNext        : 0xbc643b74 [Type: tagWND *]
    [+0x030] spwndPrev        : 0xbc644124 [Type: tagWND *]
    [+0x034] spwndParent      : 0xbc640dd4 [Type: tagWND *]
    [+0x038] spwndChild       : 0x0 [Type: tagWND *]
    [+0x03c] spwndOwner       : 0x0 [Type: tagWND *]
    [+0x040] rcWindow         : {LT(0, 21) RB(189, 231)  [189 x 210]} [Type: tagRECT]
    [+0x050] rcClient         : {LT(1, 22) RB(188, 230)  [187 x 208]} [Type: tagRECT]
    [+0x060] lpfnWndProc      : 0x77cd921a [Type: long (*)(tagWND *,unsigned int,unsigned int,long)]
    [+0x064] pcls             : 0xbc6422f4 [Type: tagCLS *]
    [+0x068] hrgnUpdate       : 0x0 [Type: HRGN__ *]
    [+0x06c] ppropList        : 0x0 [Type: tagPROPLIST *]
    [+0x070] pSBInfo          : 0xbc644e2c [Type: tagSBINFO *]
    [+0x074] spmenuSys        : 0x0 [Type: tagMENU *]
    [+0x078] spmenu           : 0x3e8 [Type: tagMENU *]      // style 含 WS_CHILD (0x40000000): 子窗口的这个字段存放的是控件 ID (0x3e8 = 1000) 而不是菜单指针, 不要当指针解引用
    [+0x07c] hrgnClip         : 0x0 [Type: HRGN__ *]
    [+0x080] strName          [Type: _LARGE_UNICODE_STRING]
    [+0x08c] cbwndExtra       : 4 [Type: int]
    [+0x090] spwndLastActive  : 0x0 [Type: tagWND *]
    [+0x094] hImc             : 0x0 [Type: HIMC__ *]
    [+0x098] dwUserData       : 0x0 [Type: unsigned long]
    [+0x09c] pActCtx          : 0x0 [Type: _ACTIVATION_CONTEXT *]
0: kd> u 77cd921a
USER32!ComboListBoxWndProcW [d:\srv03rtm\windows\core\ntuser\client\lb1.c @ 779]:
77cd921a 55              push    ebp
77cd921b 8bec            mov     ebp,esp
77cd921d 8b4d08          mov     ecx,dword ptr [ebp+8]
77cd9220 56              push    esi
77cd9221 e8b34dfeff      call    USER32!ValidateHwnd (77cbdfd9)
77cd9226 8bf0            mov     esi,eax
77cd9228 85f6            test    esi,esi
77cd922a 7449            je      USER32!ComboListBoxWndProcW+0x5b (77cd9275)

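/*
 * Window-procedure / control ids stored in WND.fnid (+0x2a in the x86 dumps above).
 * The ids from FNID_WNDPROCSTART to FNID_WNDPROCEND have a kernel-side xxx*
 * procedure; the control ids from FNID_CONTROLSTART on are marked "No server
 * side proc".  The dialog window dumped on this page carries FNID_DIALOG (0x2a4),
 * its sibling list box FNID_LISTBOX (0x2a6).  DialogBox2 additionally tests
 * pwnd->fnid against FNID_STATUS_BITS, which lies outside this range and is not
 * reproduced here.
 */
#define FNID_START                  0x0000029A
#define FNID_WNDPROCSTART           0x0000029A

#define FNID_SCROLLBAR              0x0000029A      // xxxSBWndProc;
#define FNID_ICONTITLE              0x0000029B      // xxxDefWindowProc;
#define FNID_MENU                   0x0000029C      // xxxMenuWindowProc;
#define FNID_DESKTOP                0x0000029D      // xxxDesktopWndProc;
#define FNID_DEFWINDOWPROC          0x0000029E      // xxxDefWindowProc;
#define FNID_MESSAGEWND             0x0000029F      // xxxDefWindowProc;
#define FNID_SWITCH                 0x000002A0      // xxxSwitchWndProc

#define FNID_WNDPROCEND             0x000002A0      // see PatchThreadWindows
#define FNID_CONTROLSTART           0x000002A1

#define FNID_BUTTON                 0x000002A1      // No server side proc
#define FNID_COMBOBOX               0x000002A2      // No server side proc
#define FNID_COMBOLISTBOX           0x000002A3      // No server side proc
#define FNID_DIALOG                 0x000002A4      // No server side proc
#define FNID_EDIT                   0x000002A5      // No server side proc
#define FNID_LISTBOX                0x000002A6      // No server side proc
#define FNID_MDICLIENT              0x000002A7      // No server side proc
#define FNID_STATIC                 0x000002A8      // No server side proc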

第五部分: 再单步一轮, PeekMessage 取到 WM_KEYDOWN (0x100), wParam 0x11 = VK_CONTROL。每次取消息前都能看到 Winlogon-Trace-Timeout 与 NtUserKillTimer/NtUserSetTimer 成对出现, 定时器 ID 递减 (7edd, 7edc, ...), 即对话框的 120 秒超时在每条消息上都被重新武装 —— 推测由 TimeoutDialogBoxParam 安装的钩子 (SfnHkINDWORD 回调) 触发, 需对照 winlogon 源码确认。

    while (PDLG(pwnd) && (!PDLG(pwnd)->fEnd)) {
        if (!PeekMessage(&msg, NULL, 0, 0, PM_REMOVE)) {

0: kd> p
456.460> Winlogon-Trace-Timeout: Enabling timeout after 120 seconds
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserKillTimer, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserSetTimer, retval = 7edd
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubCallback] SfnHkINDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1
eax=00000001 ebx=00000000 ecx=0006f87c edx=7ffe0304 esi=007d4124 edi=00000001
eip=77cdfee5 esp=0006f8ec ebp=0006f918 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
USER32!DialogBox2+0xea:
001b:77cdfee5 837de412        cmp     dword ptr [ebp-1Ch],12h ss:0023:0006f8fc=00000100

0: kd> dv
                hwnd = 0x001800e0
           hwndOwner = 0x00000000
           fDisabled = 0n16
fOwnerIsActiveWindow = 0n0
              fShown = 0n16
    fSentIdleMessage = 0n0
                 msg = {msg=0x100 wp=0x11 lp=0x1d0001}

第六部分: 放开运行后, 循环反复 PeekMessage → CallMsgFilter → TranslateMessage (部分轮次还有 NtUserMessageCall 派发), 直到 NtUserPeekMessage 返回 0 (队列为空) 才命中 NtUserWaitMessage 上的断点, 对应源码中 PeekMessage 失败后的等待分支。

0: kd> p
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserCallMsgFilter, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserTranslateMessage, retval = 1
eax=00000001 ebx=00000000 ecx=77cbe448 edx=000800ec esi=007d4124 edi=00000001
eip=77cdff53 esp=0006f8ec ebp=0006f918 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
USER32!DialogBox2+0x158:
001b:77cdff53 395d10          cmp     dword ptr [ebp+10h],ebx ss:0023:0006f928=00000010
0: kd> g
456.460> Winlogon-Trace-Timeout: Enabling timeout after 120 seconds
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserKillTimer, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserSetTimer, retval = 7edc
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubCallback] SfnHkINDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1        NtUserPeekMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserCallMsgFilter, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserTranslateMessage, retval = 1
456.460> Winlogon-Trace-Timeout: Enabling timeout after 120 seconds
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserKillTimer, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserSetTimer, retval = 7edb
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubCallback] SfnHkINDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1        NtUserPeekMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserCallMsgFilter, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserTranslateMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
456.460> Winlogon-Trace-Timeout: Enabling timeout after 120 seconds
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserKillTimer, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserSetTimer, retval = 7eda
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubCallback] SfnHkINDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1        NtUserPeekMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserCallMsgFilter, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserTranslateMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
456.460> Winlogon-Trace-Timeout: Enabling timeout after 120 seconds
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserKillTimer, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserSetTimer, retval = 7ed9
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubCallback] SfnHkINDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1        NtUserPeekMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserCallMsgFilter, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserTranslateMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
456.460> Winlogon-Trace-Timeout: Enabling timeout after 120 seconds
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserKillTimer, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserSetTimer, retval = 7ed8
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubCallback] SfnHkINDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1        NtUserPeekMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserCallMsgFilter, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserTranslateMessage, retval = 1
456.460> Winlogon-Trace-Timeout: Enabling timeout after 120 seconds
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserKillTimer, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserSetTimer, retval = 7ed7
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubCallback] SfnHkINDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1        NtUserPeekMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserCallMsgFilter, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserTranslateMessage, retval = 1
456.460> Winlogon-Trace-Timeout: Enabling timeout after 120 seconds
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserKillTimer, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserSetTimer, retval = 7ed6
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubCallback] SfnHkINDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1        NtUserPeekMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserCallMsgFilter, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserTranslateMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
456.460> Winlogon-Trace-Timeout: Enabling timeout after 120 seconds
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserKillTimer, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserSetTimer, retval = 7ed5
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubCallback] SfnHkINDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1        NtUserPeekMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserCallMsgFilter, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserTranslateMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 0
Breakpoint 35 hit
eax=007d4124 ebx=00000000 ecx=bbe70000 edx=00000200 esi=007d4124 edi=00000001
eip=77d20bd6 esp=0006f8e8 ebp=0006f918 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
USER32!NtUserWaitMessage:
001b:77d20bd6 b84a120000      mov     eax,124Ah
0: kd> kc
 #
00 USER32!NtUserWaitMessage
01 USER32!InternalDialogBox      // 注意这里没有列出 DialogBox2 一帧, 但 ebp=0006f918 与第二部分 DialogBox2 的栈帧相同; 第一部分"参考"里的 k 输出同样把 NtUserWaitMessage 的调用点归到 InternalDialogBox+0xe1 (dlgmgr.c @ 1339)。这与源码中 NtUserWaitMessage() 写在 DialogBox2 里不一致, 可能是符号/内联或 FPO 造成的回溯偏差, 需反汇编 77cff432 附近核实
02 USER32!DialogBoxIndirectParamAorW
03 USER32!DialogBoxParamW
04 USER32!DialogBoxParamW_wrapper
05 winlogon!Fusion_DialogBoxParam
06 winlogon!TimeoutDialogBoxParam
07 winlogon!WlxDialogBoxParam
08 MSGINA!WlxWkstaLockedSAS
09 winlogon!DoLockWksta
0a winlogon!DoScreenSaver
0b winlogon!LoggedonDlgProc
0c winlogon!RootDlgProc
0d USER32!InternalCallWinProc
0e USER32!UserCallDlgProcCheckWow
0f USER32!DefDlgProcWorker
10 USER32!DefDlgProcW
11 USER32!InternalCallWinProc
12 USER32!UserCallWinProcCheckWow
13 USER32!DispatchMessageWorker
14 USER32!DispatchMessageW
15 USER32!IsDialogMessageW
16 USER32!DialogBox2
17 USER32!InternalDialogBox
18 USER32!DialogBoxIndirectParamAorW
19 USER32!DialogBoxParamW
1a USER32!DialogBoxParamW_wrapper
1b winlogon!Fusion_DialogBoxParam
1c winlogon!TimeoutDialogBoxParam
1d winlogon!WlxDialogBoxParam
1e winlogon!BlockWaitForUserAction
1f winlogon!MainLoop
20 winlogon!WinMain
21 winlogon!WinMainCRTStartup
