WinXP SP2 USER32.DLL CallWindowProc(...)

最新推荐文章于 2017-05-06 15:53:23 发布
最新推荐文章于 2017-05-06 15:53:23 发布
阅读量3.1k 收藏 1
点赞数
分类专栏: Windows xp 源代码阅读 文章标签: user struct c winapi byte table
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/norsd/article/details/1007583
版权

<script type="text/javascript"> </script>

    CallWindowProc  被设定为一个宏, 分为CallWindowProcA 和 CallWindowProcW。
    在A和W这两个函数中,都简单的调用了CallWindowProcAorW(...)这个函数。其原型为:LRESULT WINAPI CallWindowProcAorW( WNDPROC pfn,  HWND hwnd, UINT message,  WPARAM wParam, LPARAM lParam,BOOL bAnsi);      其中A函数设置bAnsi为1,W函数设置bAnsi为0。
    下面开始分析CallWindowProcAorW(...)这个函数。

LRESULT WINAPI CallWindowProcAorW(
        WNDPROC pfn, 
       HWND hwnd,
       UINT message, 
       WPARAM wParam,
      LPARAM lParam,
      BOOL bAnsi)
{
                PCALLPROCDATA   pCPD;
                 /*
                 mov     edi, edi
                 push    ebp
                 mov     ebp, esp
                 */

                 /*
                 push    esi
                 mov     esi, [ebp+lpPrevWndFunc] ; esi = lpPrevWndFunc;
                 test    esi, esi        ; lpPrevWndFunc == NULL?
                 jz      loc_77D41251    ;   goto 77D41251:  XOR EAX, EAX ; RET;
                */
                if (pfn == NULL)
                {
                        return 0L;
               }

                 /*
                 mov     eax, 0FFFF0000h ; eax = CPDHANDLE_HI
                 mov     ecx, esi        ; ecx = lpPrevWndFunc;
                 and     ecx, eax
                 cmp     ecx, eax        ;  (HIWORD)(lpPrevWndFunc) == 0xFFFF?
                 push    edi
                 mov     edi, [ebp+msg]
                 jz      loc_77D1E909    ;    goto 77D1E909
                 */
                if( ISCPDTAG(pfn) )
                {
                          /*
                         77D1E909:
                         mov     dl, 7           ; #define TYPE_CALLPROC       7
                         mov     ecx, esi        ; ecx = lpPrevWndFunc
                         call    HMValidateHandleNoRip
                         test    eax, eax        ;  retValue == NULL?
                         jz      loc_77D2879D    ;    return;  77d2879D是函数ret的代码段。
                          */
                        if( pCPD = HMValidateHandleNoRip((HANDLE)pfn, TYPE_CALLPROC) )
                        {
                                    /*
                                    77D1E91A:
                                    cmp     edi, 400h ;   msg>=WM_USER? /* 还记得吗在这里,edi就是msg了*/
                                    jnb     short loc_77D1E933; goto 77D1E933
                                    xor     ecx, ecx
                                    mov     cl, ds:byte_77D114E8[edi]; MessageTable[message]
                                    test    cl, 40h;       cl - 1000000 !=0?   等价于 test  CL[06], 1
                                                           ;       因为在MsgTbl中只有当bThunkMessage为真时,
                                                           ;       iFunction 的值才可能为非零。所以 test  cl,40h 等价于 单单测试7th bit。
                                                           ;       bThunkMessage为0?
                                    jnz     loc_77D2877B; goto 77D2877B
                                    jmp     loc_77D1E933; 实际程序并无此句,因上句jnz xxx后面就是E933了
                                    */
                                    if ((message >= WM_USER) ||
                                         MessageTable[message].bThunkMessage==1)   /* NorSD: XP's sc is dif from 2K*/
                                         /*
                                         MessageTable 是一个静态全局变量数组。每个大小1BYTE。
                                         因为使用了位域,有3个变量
                                         */
                                    {
                                              /*
                                              77D1E933:
                                              mov     esi, [eax+18h]       ;  pfn = esi = pCPD->pfnClientPrevious;
                                              jmp     loc_77D1C614     ;   cotinue;
                                              */
                                             pfn = (WNDPROC)pCPD->pfnClientPrevious;
                                    }
                                    else
                                    {
                                              /*
                                              77D2877B:
                                              push    [ebp+bAnsi]  
                                              and     ecx, 3Fh        ;FNID_CALLWINDOWPROC
                                              push    2B3h            ;
                                              push    esi             ; pfn
                                              push    [ebp+hMem_lParam]
                                              push    dword ptr [ebp+WideCharStr_wParam]
                                              push    edi             ; msg
                                              push    [ebp+hWnd]
                                              call    ds:off_77D118E8[ecx*4]
                                              jmp     loc_77D1C63F  ; return;
                                              */
                                              /*  client / usercli.h
                                              #define CsSendMessage(hwnd, msg, wParam, lParam, xParam, pfn, bAnsi) /
                                                            (((msg) >= WM_USER) ? /
                                                           NtUserMessageCall(hwnd, msg, wParam, lParam, xParam, pfn, bAnsi) : /
                                                           gapfnScSendMessage[MessageTable[msg].iFunction]/
                                                                 (hwnd, msg, wParam, lParam, xParam, pfn, bAnsi))
                                              */
                                               return CsSendMessage(
                                                                  hwnd, message, wParam, lParam,
                                                                  (ULONG_PTR)pfn,FNID_CALLWINDOWPROC, bAnsi);
                                             
                                    }
                        }
                        else
                        {
                        /*loc_77D2879D:*/
                                    return  0;
                        }
                }
                 return CALLPROC_WOWCHECK(pfn, hwnd, message, wParam, lParam);
}                 


.text:77D1C614
.text:77D1C614 loc_77D1C614:                           ; CODE XREF: CallWindowProcAorW_C5EE+2348j
.text:77D1C614                 mov     ecx, [ebp+hWnd] ; ecx = hWnd
.text:77D1C617                 call    sub_77D184D0
.text:77D1C61C                 test    eax, eax        ; eax == NULL?
.text:77D1C61E                 jz      loc_77D287A4    ; if true
.text:77D1C61E                                         ;    eax = 0;
.text:77D1C61E                                         ;    goto 77D1C62A;
.text:77D1C624                 mov     eax, [eax+9Ch]  ; else
.text:77D1C624                                         ;    eax = *(retValue+0x9C)
.text:77D1C62A
.text:77D1C62A loc_77D1C62A:                           ; CODE XREF: CallWindowProcAorW_C5EE+C1B8j
.text:77D1C62A                 push    0
.text:77D1C62C                 push    0
.text:77D1C62E                 push    [ebp+hMem_lParam] ; 0x0013 FA4C
.text:77D1C631                 push    dword ptr [ebp+WideCharStr_wParam] ; 0x0000 0000
.text:77D1C634                 push    edi             ; msg 0x0000 104D
.text:77D1C635                 push    [ebp+hWnd]
.text:77D1C638                 push    esi             ; 0x771D 0491
.text:77D1C639                 push    eax             ; 0
.text:77D1C63A                 call    sub_77D1875F
.text:77D1C63F
.text:77D1C63F loc_77D1C63F:                           ; CODE XREF: CallWindowProcAorW_C5EE+C1AAj
.text:77D1C63F                                         ; CallWindowProcAorW_C5EE+C1B1j
.text:77D1C63F                 pop     edi
.text:77D1C640
.text:77D1C640 loc_77D1C640:                           ; CODE XREF: CallWindowProcAorW_C5EE+24C65j
.text:77D1C640                 pop     esi
.text:77D1C641                 pop     ebp
.text:77D1C642                 retn    18h

.text:77D1C642 CallWindowProcAorW_C5EE endp

/* user.h*/
typedef struct tagMSG_TABLE_ENTRY {
    BYTE iFunction:6;
    BYTE bThunkMessage:1;
    BYTE bSyncOnlyMessage:1;
} MSG_TABLE_ENTRY;

extern CONST MSG_TABLE_ENTRY MessageTable[ ];

/*
0  1  2  3  4  5                   6                                 7
    iFunction         bThunkMessage     bSyncOnlyMessage
*/


typedef struct _CALLPROCDATA {
    PROCDESKHEAD                 head;
    PCALLPROCDATA                spcpdNext;
    KERNEL_ULONG_PTR             pfnClientPrevious;
    WORD                         wType;
} CALLPROCDATA;


typedef struct _PROCDESKHEAD {
    PROCOBJHEAD;
    DESKHEAD;
} PROCDESKHEAD, *PPROCDESKHEAD;

typedef struct _PROCOBJHEAD {
    HEAD;
    DWORD hTaskWow;
} PROCOBJHEAD, *PPROCOBJHEAD;


typedef struct _DESKHEAD {
    PDESKTOP rpdesk;
    KPBYTE   pSelf;
} DESKHEAD, *PDESKHEAD;

typedef struct _HEAD {
    KHANDLE h;
    DWORD   cLockObj;
} HEAD, *PHEAD;

end here

norsd
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
CallWindowProc
09-23
How To Use CALLWINDOWPROC to Call VB function--->> Tips&Tricks; This file came from Planet-Source-Code.com...the home millions of lines of source code You can view comments on this code/and or vote on it
user32.dll说明
08-06
### user32.dll概述 `user32.dll`是Windows操作系统中的一个重要动态链接库(Dynamic Link Library),包含了大量与用户界面交互相关的API函数。这些函数主要用于处理窗口管理、鼠标和键盘事件、菜单操作等任务。...
callwindowproc
10-30 473
      函数功能:该函数CallWindowProc将消息信息传送给指定的窗口过程。    函数原型:LRESULT CallWindowProc(WNDPROC lpPrevWndFunc,HWND hWnd.UINT Msg,WPARAM wParam,LPARAMIParam);    参数:    lpPrevWndFunc:指向前一个窗口过程的指针。如果该值是通过调用GetWindo
CallWindowProc与DefWindowProc的区别
08-21 5466
LRESULT CallWindowProc(WNDPROC lpPrevWndFunc,HWND hWnd.UINT Msg,WPARAM wParam,LPARAMIParam); 函数功能, CallWindowProc将指定消息信息传送给指定的窗口过程. lpPre
CallWindowProc与setwindowlong用法
求知者
11-07 2104
该函数CallWindowProc将消息信息传送给指定的窗口过程。 函数原型: LRESULT CallWindowProc(WNDPROC lpPrevWndFunc,HWND hWnd.UINT Msg,WPARAM wParam,LPARAMIParam); 参数: lpPrevWndFunc:参数主要是指向你要调用的函数句柄 hWnd:指向接收消息的窗口过程的句柄。 M
user32.dll中函数列表
11-23
### user32.dll中函数列表解析 #### 一、概述 `user32.dll`是Windows操作系统中的一个重要组件,属于用户界面(User Interface)部分的核心动态链接库(DLL)。它包含了大量与用户交互相关的API函数,例如窗口管理...
mfc.rar_MFC类库_WIN32API.M
09-23
例如,MFC的窗口类最终会调用CreateWindowEx来创建窗口,消息处理函数也是通过CallWindowProc间接调用Win32 API实现的。开发者可以在需要时直接调用Win32 API,以获取更多的控制权。 四、Win32API简介 Win32 API是...
易语言源码动态调整输入法.rar
02-16
在动态调整输入法的场景下,可能需要用到如`LoadLibrary`、`GetProcAddress`和`CallWindowProc`等API,用于加载输入法相关动态链接库,获取函数指针并执行操作。 2. **输入法接口**:易语言可能提供了一些与输入法...
屏蔽超级列表框滚动条例程.rar
03-12
return CallWindowProc((WNDPROC)GetWindowLongPtr(hWnd, GWLP_WNDPROC), hWnd, message, wParam, lParam); } } ``` 在创建超级列表框时,使用`SetWindowLongPtr`函数将窗口过程替换为我们的自定义处理函数: ``...
易语言最快的逐字分割
07-15
易语言最快的逐字分割源码,最快的逐字分割,CallWindowProcA
易语言API执行子程序
07-20
易语言API执行子程序源码,CallWindowProcA,CallWindowProcA1
CallWindowProc与setwindowlong 用法
热门推荐
Steven Lei的博客
03-09 1万+
<br />该函数CallWindowProc将消息信息传送给指定的窗口过程。<br /><br />    函数原型:LRESULT CallWindowProc(WNDPROC lpPrevWndFunc,HWND hWnd.UINT Msg,WPARAM wParam,LPARAMIParam);<br /><br />    参数:<br /><br />    lpPrevWndFunc:参数主要是指向你要调用的函数句柄<br /><br />    hWnd:指向接收消息的窗口过程的句柄。<br
回调函数WindowProc函数
rongwenbin的专栏
08-09 1691
LRESULT 的定义 typedef LONG_PTR LRESULT LONG_PTR 的定义 #if defined(_WIN64) typedef __int64 LONG_PTR; #else typedef long LONG_PTR; CALLBACK的定义 #define CALLBACK __stdcall 于是乎,LRESULT CALLBACK WindowProc(.
让你的文本框 “聪明” 一点
冬天的蚊子
02-04 1202
近来在设计一个热键设置程序中我学会了使用Setwindowlong和Callwindowproc这两个Api函数,有了它我们就可以处理你的窗口或控件所接收到的任何消息.由于前一段时间我看过一篇介绍QQ密码监视盗取法的文章,使我想到是不是可以用这两个函数来进行密码保护呢,经过一番尝试终于成功了,现在拿出来与大家分享。    几乎所有的监视程序都是通过向你密码的文本框发送一条WM_GETTEXT消息来
CWnd::WindowProc的理解
oldmtn的专栏
11-15 5954
先帖一段源代码 LRESULT CWnd::WindowProc(UINT message, WPARAM wParam, LPARAM lParam) { // OnWndMsg does most of the work, except for DefWindowProc call LRESULT lResult = 0; if (!OnWndMsg(message, wParam
SDK与MFC消息相关
weixin_30867015的博客
05-15 162
11. 用Win32 API编程时,window procedure比较明显,那就是程序员自定义window procedure,但Win32提供了一个API函数DefWindowProc(),缺省的处理要交给它。 2. 用MFC,window procedure会复杂一些,先看静态的,就是MFC预注册过的那些类,一句话,MFC替你打点好了window procedure的事。2.1 最抽象的...
windbg调试窗口过程WindowProc(winxp 32bit)
lixiangminghate的专栏
05-06 1762
ollydbg在调试窗口程序方面做得很便捷,虽然windbg在这方面不如od,但通过命令的组合也能达到类似的效果。我借winxpcalc.exe为例来谈谈如何用windbg调试窗口过程。     od在查找窗口过程(WindowProc)时相当方便,几步操作就够了,但windbg需要通过断点和函数堆栈来搜索这个用户定义的回调函数。该回调函数由RegisterClass(Ex)注册: Regi
Paul Caton的cCallFunc2.cls 的源代码
最新发布
06-08
以下是cCallFunc2.cls的源代码: ``` VERSION 1.0 CLASS BEGIN MultiUse = -1 'True END Attribute VB_Name = "cCallFunc2" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = True Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Option Explicit Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long Private Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) As Long Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long) Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long Private Const CC_FASTCALL As Long = 0 Private Const CC_CDECL As Long = 1 Private Const CC_STDCALL As Long = 2 Private hLib As Long Private m_pFunc As Long Private m_nCallConv As Long Public Property Get CallConv() As Long CallConv = m_nCallConv End Property Public Property Let CallConv(ByVal nCallConv As Long) m_nCallConv = nCallConv End Property Public Sub LoadLibrary(ByVal sLibName As String) hLib = LoadLibrary(sLibName) End Sub Public Sub FreeLibrary() FreeLibrary hLib End Sub Public Function GetFuncAddr(ByVal sFuncName As String) As Long Dim s As String * 256 s = sFuncName GetFuncAddr = GetProcAddress(hLib, s) m_pFunc = GetFuncAddr End Function Public Function CallFunc(ParamArray Params()) As Long Dim nParamCount As Long nParamCount = UBound(Params) + 1 Select Case m_nCallConv Case CC_FASTCALL Call CallFuncFast(m_pFunc, nParamCount, Params(0), Params(1), Params(2), Params(3)) Case CC_CDECL Call CallFuncCDecl(m_pFunc, nParamCount, Params(0), Params(1), Params(2), Params(3), Params(4), Params(5), Params(6), Params(7)) Case CC_STDCALL Call CallFuncStdCall(m_pFunc, nParamCount, Params(0), Params(1), Params(2), Params(3), Params(4), Params(5), Params(6), Params(7)) End Select CallFunc = Params(0) End Function Private Sub CallFuncFast(ByVal pFunc As Long, ByVal nParamCount As Long, ParamArray Params()) Dim nRegCount As Long Dim nStackCount As Long Dim nParamIndex As Long Dim nArgIndex As Long ' Determine number of arguments that can be passed in registers nRegCount = IIf(nParamCount > 0, 1, 0) + IIf(nParamCount > 1, 1, 0) + IIf(nParamCount > 2, 1, 0) + IIf(nParamCount > 3, 1, 0) ' Push arguments onto stack nStackCount = nParamCount - nRegCount For nParamIndex = nRegCount To nParamCount - 1 CopyMemory ByVal VarPtr(Params(nParamIndex)), ByVal VarPtr(nArgIndex), 4 nArgIndex = nArgIndex + 4 Next nParamIndex ' Call function Select Case nRegCount Case 0 CallWindowProc pFunc, 0, 0, 0, 0 Case 1 CallWindowProc pFunc, 0, Params(0), 0, 0 Case 2 CallWindowProc pFunc, 0, Params(0), Params(1), 0 Case 3 CallWindowProc pFunc, 0, Params(0), Params(1), Params(2) Case 4 CopyMemory ByVal VarPtr(Params(0)), ByVal VarPtr(0), 4 CopyMemory ByVal VarPtr(Params(1)), ByVal VarPtr(4), 4 CopyMemory ByVal VarPtr(Params(2)), ByVal VarPtr(8), 4 CopyMemory ByVal VarPtr(Params(3)), ByVal VarPtr(12), 4 CallWindowProc pFunc, 0, Params(0), Params(1), Params(2) End Select End Sub Private Sub CallFuncCDecl(ByVal pFunc As Long, ByVal nParamCount As Long, ParamArray Params()) Dim nParamIndex As Long Dim nArgIndex As Long ' Push arguments onto stack For nParamIndex = 0 To nParamCount - 1 CopyMemory ByVal VarPtr(Params(nParamIndex)), ByVal VarPtr(nArgIndex), 4 nArgIndex = nArgIndex + 4 Next nParamIndex ' Call function CallWindowProc pFunc, 0, Params(0), Params(1), Params(2), Params(3), Params(4), Params(5), Params(6), Params(7) End Sub Private Sub CallFuncStdCall(ByVal pFunc As Long, ByVal nParamCount As Long, ParamArray Params()) Dim nParamIndex As Long Dim nArgIndex As Long ' Push arguments onto stack For nParamIndex = nParamCount - 1 To 0 Step -1 CopyMemory ByVal VarPtr(Params(nParamIndex)), ByVal VarPtr(nArgIndex), 4 nArgIndex = nArgIndex + 4 Next nParamIndex ' Call function CallWindowProc pFunc, 0, Params(0), Params(1), Params(2), Params(3), Params(4), Params(5), Params(6), Params(7) End Sub ``` 请注意,这只是一个简单的示例,cCallFunc2.cls的实现方式可能会因DLL函数调用约定的不同而有所不同。建议您查阅更多的资料来了解如何使用这个类来动态调用DLL函数。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值