走进Windows 2000 内部(一)

走进Windows 2000 内部(一)

       --Windows 源代码解读与发现

       拿到Windows2000的源代码有些日子了,业余时间就看看,总结出了一些东西.我先发表一些比较有实用价值的,希望能对大家的学习与工作有所帮助.如果大家觉得有必要,我会陆陆续续发表解读出来的一些东西与大家共同进步.

       这一次主要讲讲user32模块里的一些东西.

       首先,我们需要一个能访问内核内存的工具函数库.令我感到奇怪的是,user32大量的代码在Kernel Mode下运行.不过那是MS的事,先说说这个工具函数库.我用DDK构建的它.很简单.有两个功能地:读,写内核内存.

       为了不偏离主题,只列出最后的函数原形

BOOL WriteSysMemroy(PVOID pAddr , PVOID pBuff , DWORD dwLen);

BOOL ReadSysMemroy(PVOID pBuff , PVOID pAddr , DWORD dwLen);

 

1 关于THREADINFO

先列出这个结构的原形

 

// 大部分都有注释,它们的意意慢慢说

 

typedef struct tagTHREADINFO

{

       //W32THREAD;

    //PTL             ptl;                // Listhead for thread lock list

// W32THREAD 和 PTL 是我所不知道的结构,通过SoftICE的帮助,我知道了它们的大小,

//于是我弄了个东东来填充它

       PADDING(padding1 , 0x2c);                    

    PVOID               ppi;                // process info struct for this thread

                                                                      // type is PPROCESSINFO

       PVOID                  rpdesk;                            // type is PDESKTOP

    PDESKTOPINFO     pDeskInfo;          // Desktop info visible to client

                                                                      // type is PDESKTOPINFO

    PCLIENTINFO           pClientInfo;       // Client info stored in TEB

                                                                      // type is PCLIENTINFO

       DWORD           TIF_flags;          // TIF_ flags go here.

       PUNICODE_STRING pstrAppName;        // Application module name.

       PVOID           psmsSent;           // Most recent SMS this thread has sent

                                                                      // type is PSMS

    PVOID           psmsCurrent;        // Received SMS this thread is currently processing

                                                                      // type is PSMS

 

    PVOID           psmsReceiveList;    // SMSs to be processed

                                                                      // type is PSMS

       LONG            timeLast;           // Time, position, and ID of last message

    ULONG_PTR       idLast;

       int             cQuit;

    int             exitCode;

       HDESK           hdesk;              // Desktop handle

                                                                      // HDESK

    int             cPaintsReady;

    UINT            cTimersReady;

       PVOID                 pMenuState;                     // type is PMENUSTATE

       union {

        PVOID            ptdb;          // Win16Task Schedule data for WOW thread

                                                                      // type is PTDB

        PVOID                  pwinsta;        // Window station for SYSTEM thread

// type is PWINDOWSTATION

    };

       PVOID                         psiiList;       // thread DDEML instance list

                                                                      // type is PSVR_INSTANCE_INFO

    DWORD           dwExpWinVer;

    DWORD           dwCompatFlags;      // The Win 3.1 Compat flags

    DWORD           dwCompatFlags2;     // new DWORD to extend compat flags for NT5+ features

       PVOID           pqAttach;           // calculation variabled used in

                                                                      // type is PQ

       // zzzAttachThreadInput()

      

    PTHREADINFO     ptiSibling;         // pointer to sibling thread info

      

    PVOID               pmsd;                            // type is PMOVESIZEDATA

      

    DWORD           fsHooks;            // WHF_ Flags for which hooks are installed

                                                                     

    PHOOK           sphkCurrent;        // Hook this thread is currently processing

                                                                      // type is PHOOK

      

    PVOID                  pSBTrack;                     // type is PSBTRACK

      

    HANDLE          hEventQueueClient;

    PVOID            pEventQueueServer;  // type is PKEVENT

 

    PVOID                 PtiLink;            // Link to other threads on desktop

                                                                      // type is LIST_ENTRY

    int             iCursorLevel;       // keep track of each thread's level

   

       PADDING(padding2 , 4);

 

       POINT           ptLast;

      

    PWND            spwndDefaultIme;            // Default IME Window for this thread

                                                                      // type is PWND

 

    PVOID           spDefaultImc;                      // Default input context for this thread

                                                                      // type is PIMC

 

    HANDLE          hklPrev;                       // Previous active keyboard layout

// type is HKL

 

    int             cEnterCount;

      

    MLIST           mlPost;             // posted message list.

    USHORT          fsChangeBitsRemoved;// Bits removed during PeekMessage

    WCHAR           wchInjected;        // character from last VK_PACKET

    DWORD           fsReserveKeys;      // Keys that must be sent to the active

       // active console window.

    PVOID                  *apEvent;           // Wait array for xxxPollAndWaitForSingleObject

                                                                      // type is PKEVENT

    ACCESS_MASK     amdesk;             // Granted desktop access

 

    UINT            cWindows;           // Number of windows owned by this thread

    UINT            cVisWindows;        // Number of visible windows on this thread

      

    PHOOK           aphkStart[CWINHOOKS];   // Hooks registered for this thread

                                                                             // type is PHOOK

    BYTE                    cti;                        // Use this when no desktop is available

                                                                      // type is CLIENTTHREADINFO

      

       }THREADINFO ,* PTHREADINFO;

这个结构用来保存线程的一些信息,它怎么得到呢,请看下面的代码

PTHREADINFO WINAPI NtPtiCurrent(void)

{

      

       PTHREADINFO pti = NULL;

       __asm

       {

              mov eax,fs:[00000018h]

              mov eax,[eax+40h]

       mov pti , eax ; 现在pti 保存的就是当前线程的THREADINFO.

       }

       return  pti;

}

 

知道这个结构很重要,下面我就说一个这个结构的应用.

大家都知道Windows的消息Hook吧,下面这段代码可是让你的线程不被Hook,也就是让Hook失效

 

// 这个宏得到一个结构指针的成员地址

#define memaddr(p , s , m)          (PVOID) ( (DWORD ) p + offsetof(s , m) )

 

 

 

       PTHREADINFO pti = NtPtiCurrent();

      

       if (pti == NULL)

              return FALSE;

 

       DWORD TIF_flags;

 

       if (!ReadSysMemroy(

              &TIF_flags ,

              memaddr(pti , THREADINFO , TIF_flags) ,

              sizeof(TIF_flags))

              )

              return FALSE;

      

       TIF_flags |= 0x20000000;

 

       return WriteSysMemroy(

              memaddr(pti , THREADINFO , TIF_flags) ,

              &TIF_flags ,

              sizeof(TIF_flags)

              );

原理很简单,就是设了一个标志,告诉Windows Hook ,别来惹我

好了,先开个头,看看反响,如果可以的话,再接着说.