Using WM_COPYDATA

 http://www.flounder.com/wm_copydata.htm

 

have experienced several problems, not of my own creation, in using WM_COPYDATA. Now, when I need to use it, I use a mechanism that protects me against the sort of problems I experienced. This essay describes those techniques for creating programs that can reliably and with some assurances of security use WM_COPYDATA.

Introduction to WM_COPYDATA

The WM_COPYDATA message is used to send large blocks of data across process boundaries. It is defined as 

SendMessage(target, WM_COPYDATA, (WPARAM)sender, (LPARAM)&COPYDATASTRUCT)

The WPARAM is the handle of the sending window. The LPARAM is a pointer to a structure of the form

typedef struct tagCOPYDATASTRUCT { 
    ULONG_PTR dwData; 
    DWORD     cbData; 
    PVOID     lpData; 
} COPYDATASTRUCT, *PCOPYDATASTRUCT; 

Presumably the dwData member is a small integer that tells the receiving window how to interpret the data referenced by lpData. The cbData value tells how many bytes of data are being passed.

This message can only be sent via SendMessage, which means that it will hang indefinitely if the receiving thread is blocked, or via SendMessageTimeout, if you want reliability. However, it cannot be send via PostMessage.

The data specified appears in the receiver's address space, and is pointed to by a similar COPYDATASTRUCT seen by the receiver. The receiver can examine the dwData to determine what to do, and use at most cbData bytes of the data pointed to by the lpData pointer. The data is intact only as long as the message is being processed. When you return from the OnCopyData handler, the data will disappear from the receiver's address space, so you must not store a copy of the lpData pointer. Instead, if you need the data after the handler returns, you must, in the receiving process, copy the data to a place in the program where it will remain available.

WM_COPYDATA hazards

I don't trust WM_COPYDATA.

It is not that I don't trust it to work. Indeed, it is reliable. It is not that I don't trust it to actually deliver data. It does that, too.

What I don't trust, as the receiver, is the sender. Having the WPARAM value which tells me the sender window handle doesn't help much, because the sender window could be any window of an application, not just the main frame. I have actually been the victim of an incorrect WM_COPYDATA message. The programmer who was sending it had no idea how to find the desired target window, so instead, "cleverly" decided to broadcast the WM_COPYDATA message to all top-level windows, knowing that his window would eventually get it. Of course, mine did also.

Furthermore, sending a bogus WM_COPYDATA is something a malicious program might choose to do in order to cause other programs to crash. I want to be robust against this sort of attack.

Making WM_COPYDATA safe

What I do for security is create a GUID. In this case, I don't want the textual form, I want the binary form. I then place this GUID, which is a 128-bit value, in the first part of my data. When I code the receiver, I test the first 16 bytes of every WM_COPYDATA packet (and there must be at least 16 bytes in the WM_COPYDATA packet, or I ignore it). If the first 16 bytes of the message do not match the GUID, I simply return 0 and ignore the message. Since I started doing this, I have never been the victim of an erroneous WM_COPYDATA send to my application (even in the environment of rogue WM_COPYDATA messages).

Here's an example of the kind of message I send. In this case, I sent it to my own process, but it would work identically across process boundaries. Note the first 16 bytes are the GUID, which will be shown later. I have three other buttons, one to send a message that is too short, one to send a message with a bad GUID, and one to send a message with an unknown dwType.

 

//------没有转摘完,做个引子,用到的时候再去深究。

  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
在Unity中,可以通过重写派生自UnityEngine.Windows.WindowsWindow类的自定义窗口脚本的WndProc方法来处理Windows消息。通过重写WndProc方法,您可以获取和处理各种Windows消息,包括WM_INPUT消息。 下面是一个示例代码,展示了如何在Unity中处理WM_INPUT消息: ```csharp using UnityEngine; using System; using System.Runtime.InteropServices; public class RawInputExample : MonoBehaviour { const int WM_INPUT = 0x00FF; protected override void WndProc(ref Message message) { if (message.Msg == WM_INPUT) { IntPtr hRawInput = message.LParam; uint dataSize = 0; // 获取原始输入数据的大小 GetRawInputData(hRawInput, RID_INPUT, IntPtr.Zero, ref dataSize, (uint)Marshal.SizeOf(typeof(RAWINPUTHEADER))); if (dataSize > 0) { IntPtr data = Marshal.AllocHGlobal((int)dataSize); // 获取原始输入数据 if (GetRawInputData(hRawInput, RID_INPUT, data, ref dataSize, (uint)Marshal.SizeOf(typeof(RAWINPUTHEADER))) == dataSize) { RAWINPUT rawInput = Marshal.PtrToStructure<RAWINPUT>(data); // 在这里处理原始输入数据 // 示例:检查输入设备类型是否为鼠标 if (rawInput.header.dwType == RIM_TYPEMOUSE) { RAWMOUSE mouseData = rawInput.mouse; // 在这里处理鼠标输入数据 int deltaX = mouseData.lLastX; int deltaY = mouseData.lLastY; Debug.Log("Mouse Delta: " + deltaX + ", " + deltaY); } } Marshal.FreeHGlobal(data); } base.WndProc(ref message); return; } base.WndProc(ref message); } [StructLayout(LayoutKind.Sequential)] struct RAWINPUTHEADER { public uint dwType; public uint dwSize; public IntPtr hDevice; public IntPtr wParam; } [StructLayout(LayoutKind.Explicit)] struct RAWINPUT { [FieldOffset(0)] public RAWINPUTHEADER header; [FieldOffset(16)] public RAWMOUSE mouse; // 其他输入设备类型的数据结构 } [StructLayout(LayoutKind.Sequential)] struct RAWMOUSE { public ushort usFlags; public uint ulButtons; public uint ulRawButtons; public int lLastX; public int lLastY; public uint ulExtraInformation; } const uint RIDEV_INPUTSINK = 0x00000100; const int RIM_TYPEMOUSE = 0x00000000; const int RID_INPUT = 0x10000003; [DllImport("user32.dll")] static extern uint GetRawInputData(IntPtr hRawInput, uint uiCommand, IntPtr pData, ref uint pcbSize, uint cbSizeHeader); [DllImport("user32.dll")] static extern bool RegisterRawInputDevices(RAWINPUTDEVICE[] pRawInputDevices, uint uiNumDevices, uint cbSize); [StructLayout(LayoutKind.Sequential)] struct RAWINPUTDEVICE { public ushort usUsagePage; public ushort usUsage; public uint dwFlags; public IntPtr hwndTarget; } void Start() { RAWINPUTDEVICE[] rawInputDevices = new RAWINPUTDEVICE[1]; rawInputDevices[0].usUsagePage = 0x01; // HID_USAGE_PAGE_GENERIC rawInputDevices[0].usUsage = 0x02; // HID_USAGE_GENERIC_MOUSE rawInputDevices[0].dwFlags = RIDEV_INPUTSINK; rawInputDevices[0].hwndTarget = this.Handle; if (!RegisterRawInputDevices(rawInputDevices, (uint)rawInputDevices.Length, (uint)Marshal.SizeOf(typeof(RAWINPUTDEVICE)))) { Debug.LogError("Failed to register raw input devices"); } } } ``` 上述示例代码中,重写了WndProc方法来处理Windows消息。在WndProc方法中,检查消息是否为WM_INPUT消息,并获取原始输入数据进行处理。示例代码中处理了鼠标输入数据,您可以根据实际需求进行相应的处理。 请注意,由于涉及到Windows API的调用,需要将上述代码放置在派生自UnityEngine.Windows.WindowsWindow类的自定义窗口脚本中,并确保脚本被正确添加到场景中。此外,还需要在Unity项目的Player Settings中启用"Allow 'unsafe' Code"选项。 希望这可以帮助您处理WM_INPUT消息并获取原始输入数据。如果有任何进一步的问题,请随时提问。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值