explorer.exe源代码分析之热键的注册和处理
PROCESS 898be270 SessionId: 0 Cid: 03d8 Peb: 7ffdf000 ParentCid: 039c
DirBase: 78611000 ObjectTable: e1861388 HandleCount: 269.
Image: explorer.exe
PROCESS 89424c18 SessionId: 0 Cid: 0398 Peb: 7ffdf000 ParentCid: 03d8
DirBase: 790d3000 ObjectTable: e178dd28 HandleCount: 15.
Image: notepad.exe
1: kd> .PROCESS /p 898be270
Implicit process is now 898be270
.cache forcedecodeuser done
1: kd> .reload /f
Connected to Windows Server 2003 3790 x86 compatible target at (Mon Nov 10 09:53:18.631 2025 (UTC + 8:00)), ptr64 FALSE
Loading Kernel Symbols
……….
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
……………………………………………..
…………………………..*** WARNING: Unable to verify timestamp for RDPDD.dll
Loading User Symbols
……
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
……………………………………………….
Loading unloaded module list
…….
************* Symbol Loading Error Summary **************
Module name Error
dmload The system cannot find the file specified
dmio The system cannot find the file specified
imapi The system cannot find the file specified
pcntpci5 The system cannot find the file specified
audstub The system cannot find the file specified
ptilink The system cannot find the file specified
update The system cannot find the file specified
afd The system cannot find the file specified
RDPDD Image header paged out
OLEAUT32 The system cannot find the file specified
CLBCatQ The system cannot find the file specified
COMRes The system cannot find the file specified
WSOCK32 The system cannot find the file specified
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
1: kd> x win32k!gphkHashTable
bfa5fc38 win32k!gphkHashTable = struct tagHOTKEY *[128]
1: kd> dx -id 0,0,898be270 -r1 (*((win32k!tagHOTKEY * (*)[128])0xbfa5fc38))
(*((win32k!tagHOTKEY * (*)[128])0xbfa5fc38)) [Type: tagHOTKEY * [128]]
[0] : 0xe1597990 [Type: tagHOTKEY *]
[1] : 0x0 [Type: tagHOTKEY *]
[2] : 0x0 [Type: tagHOTKEY *]
[3] : 0x0 [Type: tagHOTKEY *]
[4] : 0x0 [Type: tagHOTKEY *]
[5] : 0x0 [Type: tagHOTKEY *]
[6] : 0x0 [Type: tagHOTKEY *]
[7] : 0x0 [Type: tagHOTKEY *]
[8] : 0x0 [Type: tagHOTKEY *]
[9] : 0xe2fd1948 [Type: tagHOTKEY *]
[10] : 0x0 [Type: tagHOTKEY *]
[11] : 0x0 [Type: tagHOTKEY *]
[12] : 0x0 [Type: tagHOTKEY *]
[13] : 0x0 [Type: tagHOTKEY *]
[14] : 0x0 [Type: tagHOTKEY *]
[15] : 0x0 [Type: tagHOTKEY *]
[16] : 0x0 [Type: tagHOTKEY *]
[17] : 0x0 [Type: tagHOTKEY *]
[18] : 0x0 [Type: tagHOTKEY *]
[19] : 0xe30c56a8 [Type: tagHOTKEY *]
[20] : 0x0 [Type: tagHOTKEY *]
[21] : 0x0 [Type: tagHOTKEY *]
[22] : 0x0 [Type: tagHOTKEY *]
[23] : 0x0 [Type: tagHOTKEY *]
[24] : 0x0 [Type: tagHOTKEY *]
[25] : 0x0 [Type: tagHOTKEY *]
[26] : 0x0 [Type: tagHOTKEY *]
[27] : 0xe16ff810 [Type: tagHOTKEY *]
[28] : 0x0 [Type: tagHOTKEY *]
[29] : 0x0 [Type: tagHOTKEY *]
[30] : 0x0 [Type: tagHOTKEY *]
[31] : 0x0 [Type: tagHOTKEY *]
[32] : 0x0 [Type: tagHOTKEY *]
[33] : 0x0 [Type: tagHOTKEY *]
[34] : 0x0 [Type: tagHOTKEY *]
[35] : 0x0 [Type: tagHOTKEY *]
[36] : 0x0 [Type: tagHOTKEY *]
[37] : 0x0 [Type: tagHOTKEY *]
[38] : 0x0 [Type: tagHOTKEY *]
[39] : 0x0 [Type: tagHOTKEY *]
[40] : 0x0 [Type: tagHOTKEY *]
[41] : 0x0 [Type: tagHOTKEY *]
[42] : 0x0 [Type: tagHOTKEY *]
[43] : 0x0 [Type: tagHOTKEY *]
[44] : 0x0 [Type: tagHOTKEY *]
[45] : 0x0 [Type: tagHOTKEY *]
[46] : 0xe13e8b48 [Type: tagHOTKEY *]
[47] : 0x0 [Type: tagHOTKEY *]
[48] : 0x0 [Type: tagHOTKEY *]
[49] : 0x0 [Type: tagHOTKEY *]
[50] : 0x0 [Type: tagHOTKEY *]
[51] : 0x0 [Type: tagHOTKEY *]
[52] : 0x0 [Type: tagHOTKEY *]
[53] : 0x0 [Type: tagHOTKEY *]
[54] : 0x0 [Type: tagHOTKEY *]
[55] : 0x0 [Type: tagHOTKEY *]
[56] : 0x0 [Type: tagHOTKEY *]
[57] : 0x0 [Type: tagHOTKEY *]
[58] : 0x0 [Type: tagHOTKEY *]
[59] : 0x0 [Type: tagHOTKEY *]
[60] : 0x0 [Type: tagHOTKEY *]
[61] : 0x0 [Type: tagHOTKEY *]
[62] : 0x0 [Type: tagHOTKEY *]
[63] : 0x0 [Type: tagHOTKEY *]
[64] : 0x0 [Type: tagHOTKEY *]
[65] : 0x0 [Type: tagHOTKEY *]
[66] : 0xe30c5678 [Type: tagHOTKEY *]
[67] : 0x0 [Type: tagHOTKEY *]
[68] : 0xe16fd760 [Type: tagHOTKEY *]
[69] : 0xe30c3f30 [Type: tagHOTKEY *]
[70] : 0xe2fd1978 [Type: tagHOTKEY *]
[71] : 0x0 [Type: tagHOTKEY *]
[72] : 0x0 [Type: tagHOTKEY *]
[73] : 0x0 [Type: tagHOTKEY *]
[74] : 0x0 [Type: tagHOTKEY *]
[75] : 0x0 [Type: tagHOTKEY *]
[76] : 0xe166f780 [Type: tagHOTKEY *]
[77] : 0xe30c3f60 [Type: tagHOTKEY *]
[78] : 0x0 [Type: tagHOTKEY *]
[79] : 0x0 [Type: tagHOTKEY *]
[80] : 0x0 [Type: tagHOTKEY *]
[81] : 0x0 [Type: tagHOTKEY *]
[82] : 0xe310a260 [Type: tagHOTKEY *]
[83] : 0x0 [Type: tagHOTKEY *]
[84] : 0x0 [Type: tagHOTKEY *]
[85] : 0xe16daca8 [Type: tagHOTKEY *]
[86] : 0x0 [Type: tagHOTKEY *]
[87] : 0x0 [Type: tagHOTKEY *]
[88] : 0x0 [Type: tagHOTKEY *]
[89] : 0x0 [Type: tagHOTKEY *]
[90] : 0x0 [Type: tagHOTKEY *]
[91] : 0x0 [Type: tagHOTKEY *]
[92] : 0x0 [Type: tagHOTKEY *]
[93] : 0x0 [Type: tagHOTKEY *]
[94] : 0x0 [Type: tagHOTKEY *]
[95] : 0x0 [Type: tagHOTKEY *]
[96] : 0x0 [Type: tagHOTKEY *]
[97] : 0x0 [Type: tagHOTKEY *]
[98] : 0x0 [Type: tagHOTKEY *]
[99] : 0x0 [Type: tagHOTKEY *]
[…] [Type: tagHOTKEY * [128]]
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe2fd1948)
((win32k!tagHOTKEY *)0xe2fd1948) : 0xe2fd1948 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc674d2c [Type: tagWND *]
[+0x008] fsModifiers : 0xc [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x9 [Type: unsigned int]
[+0x010] id : 508 [Type: int]
[+0x014] phkNext : 0xe30c56d8 [Type: tagHOTKEY *]
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagWND *)0xbc674d2c)
((win32k!tagWND *)0xbc674d2c) : 0xbc674d2c [Type: tagWND *]
[+0x000] head [Type: _THRDESKHEAD]
[+0x060] lpfnWndProc : 0x1024721 [Type: long (*)(tagWND *,unsigned int,unsigned int,long)]
1: kd> u 1024721
Explorer!CImpWndProc::s_WndProc [d:srv03rtmshellinccwndproc.cpp @ 8]:
01024721 6a08 push 8
01024723 6888580001 push offset Explorer!`string'+0x10 (01005888)
01024728 e8ffa10100 call Explorer!__SEH_prolog (0103e92c)
0102472d bb81000000 mov ebx,81h
01024732 395d0c cmp dword ptr [ebp+0Ch],ebx
01024735 7547 jne Explorer!CImpWndProc::s_WndProc+0x5d (0102477e)
01024737 8b4514 mov eax,dword ptr [ebp+14h]
0102473a 8b30 mov esi,dword ptr [eax]
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagTHREADINFO *)0xe2ed86a8)
((win32k!tagTHREADINFO *)0xe2ed86a8) : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x000] pEThread : 0x898ffa88 [Type: _ETHREAD *]
1: kd> !thread 0x898ffa88
THREAD 898ffa88 Cid 03d8.041c Teb: 7ffdc000 Win32Thread: e2ed86a8 WAIT: (WrUserRequest) UserMode Non-Alertable
89554190 SynchronizationEvent
Not impersonating
DeviceMap e14c43b8
Owning Process 898be270 Image: explorer.exe
Attached Process N/A Image: N/A
Wait Start TickCount 274794556 Ticks: 2633 (0:00:00:41.140)
Context Switch Count 5293 IdealProcessor: 1 LargeStack
UserTime 00:00:31.171
KernelTime 00:00:48.500
Win32 Start Address SHLWAPI!WrapperThreadProc (0x77102747)
Stack Init b9991000 Current b9990c44 Base b9991000 Limit b998c000 Call 00000000
Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 0 PagePriority 0
Kernel stack not resident.
ChildEBP RetAddr Args to Child
b9990c5c 80a440eb 898ffb28 898ffa88 89554190 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) [d:srv03rtmase
toskei386ctxswap.asm @ 139]
b9990c94 80a35ea9 bf9e5f20 e2ed86a8 bf9e6390 nt!KiSwapThread+0x627 (FPO: [Non-Fpo]) (CONV: fastcall) [d:srv03rtmase
toske hredsup.c @ 2000]
b9990cc8 bf802d1b 89554190 0000000d 00000001 nt!KeWaitForSingleObject+0x2d7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmase
toskewait.c @ 1161]
b9990d28 bf8aacda 000024ff 00000000 00000001 win32k!xxxSleepThread+0x31b (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserkernelqueue.c @ 4775]
b9990d3c bf81880d 000024ff 00000000 b9990d58 win32k!xxxRealWaitMessageEx+0x10 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserkernelinput.c @ 157]
b9990d50 80afbcb2 804ecc4a 00000000 00000100 win32k!NtUserWaitMessage+0x1c (FPO: [0,0,0]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserkernel
tstubs.c @ 7101]
b9990d50 7ffe0304 804ecc4a 00000000 00000100 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ b9990d64) (CONV: cdecl) [d:srv03rtmase
toskei386 rap.asm @ 1328]
00deff14 77d20be2 01025943 00000000 0105a650 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
00deff48 0102c3a0 00000000 00deffb8 771027d9 USER32!NtUserWaitMessage+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscoreumodedaytonaobji386usrstubs.c @
4795]
00deff54 771027d9 0105a650 00000000 00000000 Explorer!CTray::MainThreadProc+0x27 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmshellexplorer ray.cpp @ 1952]
00deffb8 77e41be7 00000000 00000000 00000000 SHLWAPI!WrapperThreadProc+0x92 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmshellshlwapiutil.cpp @ 288]
00deffec 00000000 77102747 0006fda8 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmasewin32clientsupport.c @ 533]
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe2fd1948)
((win32k!tagHOTKEY *)0xe2fd1948) : 0xe2fd1948 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc674d2c [Type: tagWND *]
[+0x008] fsModifiers : 0xc [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x9 [Type: unsigned int]
[+0x010] id : 508 [Type: int]
[+0x014] phkNext : 0xe30c56d8 [Type: tagHOTKEY *]
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe30c56d8)
((win32k!tagHOTKEY *)0xe30c56d8) : 0xe30c56d8 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc674d2c [Type: tagWND *]
[+0x008] fsModifiers : 0x8 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x9 [Type: unsigned int]
[+0x010] id : 507 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
#define MOD_ALT 0x0001 /* ;Internal NT */
#define MOD_CONTROL 0x0002 /* ;Internal NT */
#define MOD_SHIFT 0x0004 /* ;Internal NT */
#define MOD_WIN 0x0008 /* ;Internal NT */
#define MOD_SAS 0x8000
VK_TAB 09 9 Tab键
D:123>grep “RegisterHotKey” -nr D:srv03rtmshell|grep -v “inary”
D:srv03rtmshell/explorer/desktop2/proglist.cpp:21:HRESULT Tray_RegisterHotKey(WORD wHotKey, LPCITEMIDLIST pidlParent, LPCITEMIDLIST pidl);
D:srv03rtmshell/explorer/desktop2/proglist.cpp:1266: Tray_RegisterHotKey(hd._wHotKey, pscut->ParentPidl(), pscut->RelativePidl());
D:srv03rtmshell/explorer/startmnu.cpp:750:HRESULT Tray_RegisterHotKey(WORD wHotkey, LPCITEMIDLIST pidlParent, LPCITEMIDLIST pidl)
D:srv03rtmshell/explorer/startmnu.cpp:765:Purpose: IShellHotKey::RegisterHotKey method
D:srv03rtmshell/explorer/startmnu.cpp:768:STDMETHODIMP CHotKey::RegisterHotKey(IShellFolder * psf, LPCITEMIDLIST pidlParent, LPCITEMIDLIST pidl)
D:srv03rtmshell/explorer/startmnu.cpp:776: hr = ::Tray_RegisterHotKey(wHotkey, pidlParent, pidl);
D:srv03rtmshell/explorer/startmnu.h:99: STDMETHODIMP RegisterHotKey(IShellFolder * psf, LPCITEMIDLIST pidlParent, LPCITEMIDLIST pidl);
D:srv03rtmshell/explorer/tray.cpp:4539: if (RegisterHotKey(hwnd, i, HIBYTE(wGHotkey), LOBYTE(wGHotkey)))
D:srv03rtmshell/explorer/tray.cpp:4555: if (RegisterHotKey(hwnd, i, HIBYTE(wGHotkey), LOBYTE(wGHotkey)))
D:srv03rtmshell/explorer/tray.cpp:8733: RegisterHotKey(_hwnd, i, HIWORD(GlobalKeylist[i – GHID_FIRST]), LOWORD(GlobalKeylist[i – GHID_FIRST]));
D:srv03rtmshell/published/inc/shlobj.w:8930: STDMETHOD(RegisterHotKey)(THIS_ IShellFolder * psf, LPCITEMIDLIST pidlParent, LPCITEMIDLIST pidl) PURE;
D:123>grep “MOD_CONTROL” -nr D:srv03rtmshell|grep -v “inary”
D:srv03rtmshell/explorer/tray.cpp:163: MAKELONG(TEXT('F'), MOD_CONTROL|MOD_WIN),
D:srv03rtmshell/explorer/tray.cpp:2004: nMod |= MOD_CONTROL;
D:srv03rtmshell/explorer/tray.cpp:4375: if (HIBYTE(wHK) & MOD_CONTROL)
D:srv03rtmshell/ext/shimgvw/prevctrl.cpp:318: dwMods |= 2; // KEYMOD_CONTROL
D:srv03rtmshell/ext/webvw/fldricon.cpp:988: grfModifiers |= 0x2; //KEYMOD_CONTROL;
D:srv03rtmshell/ext/webvw/thumbctl.cpp:282: grfModifiers |= 0x2; //KEYMOD_CONTROL;
D:srv03rtmshell/shell32/unicpp/dvoc.cpp:410: grfModifiers |= 0x2; //KEYMOD_CONTROL;
#define GHID_FIRST 500
enum
{
GHID_RUN = GHID_FIRST,
GHID_MINIMIZEALL,
GHID_UNMINIMIZEALL,
GHID_HELP,
GHID_EXPLORER,
GHID_FINDFILES,
GHID_FINDCOMPUTER,
GHID_TASKTAB, MAKELONG(VK_TAB, MOD_WIN),
GHID_TASKSHIFTTAB,
GHID_SYSPROPERTIES,
GHID_DESKTOP,
GHID_TRAYNOTIFY,
GHID_MAX
};
const DWORD GlobalKeylist[] =
{
MAKELONG(TEXT('R'), MOD_WIN),
MAKELONG(TEXT('M'), MOD_WIN),
MAKELONG(TEXT('M'), MOD_SHIFT|MOD_WIN),
MAKELONG(VK_F1,MOD_WIN),
MAKELONG(TEXT('E'),MOD_WIN),
MAKELONG(TEXT('F'),MOD_WIN),
MAKELONG(TEXT('F'), MOD_CONTROL|MOD_WIN),
MAKELONG(VK_TAB, MOD_WIN),
MAKELONG(VK_TAB, MOD_WIN|MOD_SHIFT),
MAKELONG(VK_PAUSE,MOD_WIN),
MAKELONG(TEXT('D'),MOD_WIN),
MAKELONG(TEXT('B'),MOD_WIN),
};
VK_TAB 09 9 Tab键 507 508
VK_PAUSE 13 19 Pause键 509
VK_B 42 66 B键 511
VK_D 44 68 D键 510
VK_E 45 69 E键 504
VK_F 46 70 F键 505 506
VK_M 4D 77 M键 501 502
VK_R 52 82 R键 500
VK_F1 70 112 F1键 503
VK_TAB 09 9 Tab键 507 508
MAKELONG(VK_TAB, MOD_WIN),
MAKELONG(VK_TAB, MOD_WIN|MOD_SHIFT),
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe2fd1948)
((win32k!tagHOTKEY *)0xe2fd1948) : 0xe2fd1948 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc674d2c [Type: tagWND *]
[+0x008] fsModifiers : 0xc [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x9 [Type: unsigned int]
[+0x010] id : 508 [Type: int]
[+0x014] phkNext : 0xe30c56d8 [Type: tagHOTKEY *]
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe30c56d8)
((win32k!tagHOTKEY *)0xe30c56d8) : 0xe30c56d8 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc674d2c [Type: tagWND *]
[+0x008] fsModifiers : 0x8 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x9 [Type: unsigned int]
[+0x010] id : 507 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
VK_PAUSE 13 19 Pause键 509
MAKELONG(VK_PAUSE,MOD_WIN),
GHID_SYSPROPERTIES,
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe30c56a8)
((win32k!tagHOTKEY *)0xe30c56a8) : 0xe30c56a8 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc674d2c [Type: tagWND *]
[+0x008] fsModifiers : 0x8 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x13 [Type: unsigned int]
[+0x010] id : 509 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
VK_B 42 66 B键 511
MAKELONG(TEXT('B'),MOD_WIN),
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe30c5678)
((win32k!tagHOTKEY *)0xe30c5678) : 0xe30c5678 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc674d2c [Type: tagWND *]
[+0x008] fsModifiers : 0x8 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x42 [Type: unsigned int]
[+0x010] id : 511 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
VK_D 44 68 D键 510
MAKELONG(TEXT('D'),MOD_WIN),
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe16fd760)
((win32k!tagHOTKEY *)0xe16fd760) : 0xe16fd760 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc674d2c [Type: tagWND *]
[+0x008] fsModifiers : 0x8 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x44 [Type: unsigned int]
[+0x010] id : 510 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
VK_E 45 69 E键 504
MAKELONG(TEXT('E'),MOD_WIN),
GHID_EXPLORER,
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe30c3f30)
((win32k!tagHOTKEY *)0xe30c3f30) : 0xe30c3f30 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc674d2c [Type: tagWND *]
[+0x008] fsModifiers : 0x8 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x45 [Type: unsigned int]
[+0x010] id : 504 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
VK_F 46 70 F键 505 506
MAKELONG(TEXT('F'),MOD_WIN),
MAKELONG(TEXT('F'), MOD_CONTROL|MOD_WIN),
GHID_FINDFILES,
GHID_FINDCOMPUTER,
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe2fd1978)
((win32k!tagHOTKEY *)0xe2fd1978) : 0xe2fd1978 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc674d2c [Type: tagWND *]
[+0x008] fsModifiers : 0xa [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x46 [Type: unsigned int]
[+0x010] id : 506 [Type: int]
[+0x014] phkNext : 0xe30c5708 [Type: tagHOTKEY *]
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe30c5708)
((win32k!tagHOTKEY *)0xe30c5708) : 0xe30c5708 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc674d2c [Type: tagWND *]
[+0x008] fsModifiers : 0x8 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x46 [Type: unsigned int]
[+0x010] id : 505 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
VK_M 4D 77 M键 501 502
MAKELONG(TEXT('M'), MOD_WIN),
MAKELONG(TEXT('M'), MOD_SHIFT|MOD_WIN),
GHID_MINIMIZEALL,
GHID_UNMINIMIZEALL,
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe30c3f60)
((win32k!tagHOTKEY *)0xe30c3f60) : 0xe30c3f60 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc674d2c [Type: tagWND *]
[+0x008] fsModifiers : 0xc [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x4d [Type: unsigned int]
[+0x010] id : 502 [Type: int]
[+0x014] phkNext : 0xe16378b0 [Type: tagHOTKEY *]
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe16378b0)
((win32k!tagHOTKEY *)0xe16378b0) : 0xe16378b0 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc674d2c [Type: tagWND *]
[+0x008] fsModifiers : 0x8 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x4d [Type: unsigned int]
[+0x010] id : 501 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
VK_R 52 82 R键 500
MAKELONG(TEXT('R'), MOD_WIN),
GHID_RUN = GHID_FIRST,
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe310a260)
((win32k!tagHOTKEY *)0xe310a260) : 0xe310a260 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc674d2c [Type: tagWND *]
[+0x008] fsModifiers : 0x8 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x52 [Type: unsigned int]
[+0x010] id : 500 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
VK_F1 70 112 F1键 503
MAKELONG(VK_F1,MOD_WIN),
GHID_HELP,
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe1700810)
((win32k!tagHOTKEY *)0xe1700810) : 0xe1700810 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2ed86a8 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc674d2c [Type: tagWND *]
[+0x008] fsModifiers : 0x8 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x70 [Type: unsigned int]
[+0x010] id : 503 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
VK_F12 7B 123 F12键
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe15ec710)
((win32k!tagHOTKEY *)0xe15ec710) : 0xe15ec710 [Type: tagHOTKEY *]
[+0x000] pti : 0xe1647238 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0x1 [Type: tagWND *]
[+0x008] fsModifiers : 0x4 [Type: unsigned short] //#define MOD_SHIFT 0x0004
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x7b [Type: unsigned int]
[+0x010] id : -6 [Type: int]
[+0x014] phkNext : 0xe1652530 [Type: tagHOTKEY *]
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagHOTKEY *)0xe1652530)
((win32k!tagHOTKEY *)0xe1652530) : 0xe1652530 [Type: tagHOTKEY *]
[+0x000] pti : 0xe1647238 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0x1 [Type: tagWND *]
[+0x008] fsModifiers : 0x0 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x7b [Type: unsigned int]
[+0x010] id : -5 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
VK_U 55 85 U键 winlogon
VK_L 4C 76 L键 winlogon
VK_Delete 2E 46 Del键 winlogon
VK_ESCAPE 1B 27 Esc键 winlogon
D:srv03rtmshell/explorer/tray.cpp:8733: RegisterHotKey(_hwnd, i, HIWORD(GlobalKeylist[i – GHID_FIRST]), LOWORD(GlobalKeylist[i – GHID_FIRST]));
热键的注册:
void CTray::_RegisterGlobalHotkeys()
{
int i;
// Are the Windows keys restricted?
DWORD dwRestricted = SHRestricted(REST_NOWINKEYS);
for (i = GHID_FIRST ; i < GHID_MAX; i++)
{
// If the Windows Keys are Not restricted or it's not a Windows key
if (!((HIWORD(GlobalKeylist[i – GHID_FIRST]) & MOD_WIN) && dwRestricted))
{
// Then register it.
RegisterHotKey(_hwnd, i, HIWORD(GlobalKeylist[i – GHID_FIRST]), LOWORD(GlobalKeylist[i – GHID_FIRST]));
}
}
}
D:123>grep “GHID_TASKTAB” -nr D:srv03rtmshell
D:srv03rtmshell/explorer/tray.cpp:147: GHID_TASKTAB,
D:srv03rtmshell/explorer/tray.cpp:8699: case GHID_TASKTAB:
D:srv03rtmshell/explorer/tray.cpp:8703: SendMessage(_hwndTasks, TBC_TASKTAB, wParam == GHID_TASKTAB ? 1 : -1, 0L);
热键的处理:
void CTray::_HandleGlobalHotkey(WPARAM wParam)
{
INSTRUMENT_HOTKEY(SHCNFI_GLOBALHOTKEY, wParam);
switch(wParam)
{
case GHID_RUN:
_RunDlg();
break;
case GHID_MINIMIZEALL:
if (_CanMinimizeAll())
_MinimizeAll(FALSE);
SetForegroundWindow(v_hwndDesktop);
break;
case GHID_UNMINIMIZEALL:
_RestoreWindowPositions(FALSE);
break;
case GHID_HELP:
_Command(IDM_HELPSEARCH);
break;
case GHID_DESKTOP:
_RaiseDesktop(!g_fDesktopRaised, TRUE);
break;
case GHID_TRAYNOTIFY:
SwitchToThisWindow(_hwnd, TRUE);
SetForegroundWindow(_hwnd);
_SetFocus(_hwndNotify);
break;
case GHID_EXPLORER:
_ShowFolder(_hwnd, CSIDL_DRIVES, COF_CREATENEWWINDOW | COF_EXPLORE);
break;
case GHID_FINDFILES:
if (!SHRestricted(REST_NOFIND))
_Command(FCIDM_FINDFILES);
break;
case GHID_FINDCOMPUTER:
if (!SHRestricted(REST_NOFIND))
_Command(FCIDM_FINDCOMPUTER);
break;
case GHID_TASKTAB:
case GHID_TASKSHIFTTAB:
if (GetForegroundWindow() != _hwnd)
SetForegroundWindow(_hwnd);
SendMessage(_hwndTasks, TBC_TASKTAB, wParam == GHID_TASKTAB ? 1 : -1, 0L);
break;
case GHID_SYSPROPERTIES:
#define IDS_SYSDMCPL 0x2334 // from shelldll
SHRunControlPanel(MAKEINTRESOURCE(IDS_SYSDMCPL), _hwnd);
break;
}
}
第一个例子:
D:123>grep “TBC_TASKTAB” -nr D:srv03rtmshell
D:srv03rtmshell/explorer/taskband.cpp:6109: case TBC_TASKTAB:
D:srv03rtmshell/explorer/tray.cpp:8703: SendMessage(_hwndTasks, TBC_TASKTAB, wParam == GHID_TASKTAB ? 1 : -1, 0L);
D:srv03rtmshell/inc/trayp.h:17:#define TBC_TASKTAB (WM_USER + 61)
LRESULT CTaskBand::v_WndProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
case TBC_TASKTAB:
{
_tb.SetFocus();
int iNewIndex = 0;
int iCurIndex = max(_tb.GetHotItem(), 0);
int iCount = _tb.GetButtonCount();
if (iCount >= 2)
{
iNewIndex = iCurIndex;
do
{
iNewIndex += (int)wParam; //iNewIndex += (int)wParam; //wParam参数用上了
if (iNewIndex >= iCount)
{
iNewIndex = 0;
}
if (iNewIndex < 0)
{
iNewIndex = iCount – 1;
}
} while (_IsHidden(iNewIndex));
}
_tb.SetHotItem(iNewIndex);
}
break;
第二个例子:
case GHID_MINIMIZEALL:
if (_CanMinimizeAll())
_MinimizeAll(FALSE);
SetForegroundWindow(v_hwndDesktop);
break;
1: kd> x shell32!v_hwndDesktop
1: kd> x explorer!v_hwndDesktop
0105a638 Explorer!v_hwndDesktop = 0x0004003c
1: kd> dx -id 0,0,898be270 -r1 ((Explorer!HWND__ *)0x4003c)
((Explorer!HWND__ *)0x4003c) : 0x4003c [Type: HWND__ *]
[+0x000] unused : Unable to read memory at Address 0x4003c
1: kd> x win32k!gsharei
1: kd> x win32k!gSharedInfo
bfa70580 win32k!gSharedInfo = struct tagSHAREDINFO
1: kd> dx -id 0,0,898be270 -r1 (*((win32k!tagSHAREDINFO *)0xbfa70580))
(*((win32k!tagSHAREDINFO *)0xbfa70580)) [Type: tagSHAREDINFO]
[+0x000] psi : 0xbc610c9c [Type: tagSERVERINFO *]
[+0x004] aheList : 0xbc510000 [Type: _HANDLEENTRY *]
[+0x008] pDispInfo : 0xbc611c8c [Type: tagDISPLAYINFO *]
[+0x00c] ulSharedDelta : 0x0 [Type: unsigned int]
[+0x010] awmControl [Type: _WNDMSG [31]]
[+0x108] DefWindowMsgs [Type: _WNDMSG]
[+0x110] DefWindowSpecMsgs [Type: _WNDMSG]
1: kd> dx -id 0,0,898be270 -r1 ((win32k!_HANDLEENTRY *)0xbc510000)
((win32k!_HANDLEENTRY *)0xbc510000) : 0xbc510000 [Type: _HANDLEENTRY *]
[+0x000] phead : 0x0 [Type: _HEAD *]
[+0x004] pOwner : 0x0 [Type: void *]
[+0x008] bType : 0x0 [Type: unsigned char]
[+0x009] bFlags : 0x0 [Type: unsigned char]
[+0x00a] wUniq : 0x1 [Type: unsigned short]
[+0x00c] plr : 0x0 [Type: _LOCKRECORD *]
1: kd> dt win32k!_HANDLEENTRY 0xbc510000+3c0
+0x000 phead : 0xbc677d04 _HEAD
+0x004 pOwner : 0xe2f6c7d0 Void
+0x008 bType : 0x1 ''
+0x009 bFlags : 0 ''
+0x00a wUniq : 4
+0x00c plr : (null)
1: kd> dt win32k!wnd 0xbc677d04
+0x000 head : _THRDESKHEAD
+0x060 lpfnWndProc : 0x7742462d long SHELL32!CDesktopBrowser::DesktopWndProc+0
1: kd> u 7742462d
SHELL32!CDesktopBrowser::DesktopWndProc [d:srv03rtmshellshell32unicppdesktop.cpp @ 3146]:
7742462d 6a0c push 0Ch
7742462f 68e0742877 push offset SHELL32!`string'+0x28 (772874e0)
77424634 e83f230300 call SHELL32!__SEH_prolog (77456978)
77424639 33ff xor edi,edi
7742463b 57 push edi
7742463c 8b5d08 mov ebx,dword ptr [ebp+8]
7742463f 53 push ebx
77424640 ff1530202077 call dword ptr [SHELL32!_imp__GetWindowLongW (77202030)]
1: kd> dx -id 0,0,898be270 -r1 ((win32k!_HEAD *)0xbc677d04)
((win32k!_HEAD *)0xbc677d04) : 0xbc677d04 [Type: _HEAD *]
[+0x000] h : 0x4003c [Type: void *]
[+0x004] cLockObj : 0x7 [Type: unsigned long]
1: kd> dx -id 0,0,898be270 -r1 (*((win32k!_THRDESKHEAD *)0xbc677d04))
(*((win32k!_THRDESKHEAD *)0xbc677d04)) [Type: _THRDESKHEAD]
[+0x000] h : 0x4003c [Type: void *]
[+0x004] cLockObj : 0x7 [Type: unsigned long]
[+0x008] pti : 0xe2f6c7d0 [Type: tagTHREADINFO *]
[+0x00c] rpdesk : 0x89789eb0 [Type: tagDESKTOP *]
[+0x010] pSelf : 0xbc677d04 : 0x3c [Type: unsigned char *]
1: kd> dx -id 0,0,898be270 -r1 ((win32k!tagTHREADINFO *)0xe2f6c7d0)
((win32k!tagTHREADINFO *)0xe2f6c7d0) : 0xe2f6c7d0 [Type: tagTHREADINFO *]
[+0x000] pEThread : 0x898d9c18 [Type: _ETHREAD *]
1: kd> !thread 0x898d9c18
THREAD 898d9c18 Cid 03d8.0238 Teb: 7ffde000 Win32Thread: e2f6c7d0 WAIT: (WrUserRequest) UserMode Non-Alertable
895a8198 SynchronizationEvent
Not impersonating
DeviceMap e14c43b8
Owning Process 898be270 Image: explorer.exe
Attached Process N/A Image: N/A
Wait Start TickCount 274790367 Ticks: 6822 (0:00:01:46.593)
Context Switch Count 2832 IdealProcessor: 1 LargeStack
UserTime 00:00:06.921
KernelTime 00:00:13.437
Win32 Start Address Explorer!ModuleEntry (0x0101ab15)
Stack Init b99b1000 Current b99b0c44 Base b99b1000 Limit b99ac000 Call 00000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 0 PagePriority 0
Kernel stack not resident.
ChildEBP RetAddr Args to Child
b99b0c5c 80a440eb 898d9cb8 898d9c18 895a8198 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) [d:srv03rtmase
toskei386ctxswap.asm @ 139]
b99b0c94 80a35ea9 bf9e5f20 e2f6c7d0 bf9e6390 nt!KiSwapThread+0x627 (FPO: [Non-Fpo]) (CONV: fastcall) [d:srv03rtmase
toske hredsup.c @ 2000]
b99b0cc8 bf802d1b 895a8198 0000000d 00000001 nt!KeWaitForSingleObject+0x2d7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmase
toskewait.c @ 1161]
b99b0d28 bf8aacda 000024ff 00000000 00000001 win32k!xxxSleepThread+0x31b (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserkernelqueue.c @ 4775]
b99b0d3c bf81880d 000024ff 00000000 b99b0d58 win32k!xxxRealWaitMessageEx+0x10 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserkernelinput.c @ 157]
b99b0d50 80afbcb2 804ecc4a 00000000 00000100 win32k!NtUserWaitMessage+0x1c (FPO: [0,0,0]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserkernel
tstubs.c @ 7101]
b99b0d50 7ffe0304 804ecc4a 00000000 00000100 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ b99b0d64) (CONV: cdecl) [d:srv03rtmase
toskei386 rap.asm @ 1328]
0006fef4 77d20be2 7742357b 77e46a87 000d8d68 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
0006ff1c 0101aac1 000d8d68 7ffdf000 0006ffc0 USER32!NtUserWaitMessage+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscoreumodedaytonaobji386usrstubs.c @
4795]
0006ff5c 0101ab80 000d8d68 00000000 000205e2 Explorer!ExplorerWinMain+0x2c7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmshellexplorerinitcab.cpp @ 1955]
0006ffc0 77e62c34 00000000 00000000 7ffdf000 Explorer!ModuleEntry+0x6b (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmshellexplorerinitcab.cpp @ 1124]
0006fff0 00000000 0101ab15 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmasewin32clientsupport.c @ 580]
© 版权声明
文章版权归作者所有,未经允许请勿转载。
相关文章
暂无评论...
