USER32!GetPropW函数分析之获取窗口属性
第一部分:
#ifdef UNICODE
FUNCLOG2(LOG_GENERAL, HANDLE, APIENTRY, GetPropW, HWND, hwnd, LPCTSTR, pString)
#else
FUNCLOG2(LOG_GENERAL, HANDLE, APIENTRY, GetPropA, HWND, hwnd, LPCTSTR, pString)
#endif // UNICODE
HANDLE APIENTRY GetProp(HWND hwnd, LPCTSTR pString)
{
PWND pwnd;
int iString;
if (IS_PTR(pString)) {
iString = (int)GlobalFindAtom(pString);
if (iString == 0)
return NULL;
} else
iString = PTR_TO_ID(pString);
pwnd = ValidateHwnd(hwnd);
if (pwnd == NULL)
return NULL;
return _GetProp(pwnd, (LPWSTR)UIntToPtr( iString ), FALSE);
}
第二部分:
1: kd> p
USER32!GetPropW+0xc:
001b:77cc7f19 ff750c push dword ptr [ebp+0Ch]
1: kd> p
USER32!GetPropW+0xf:
001b:77cc7f1c ff152413ca77 call dword ptr [USER32!_imp__GlobalFindAtomW (77ca1324)]
1: kd> p
USER32!GetPropW+0x15:
001b:77cc7f22 0fb7f0 movzx esi,ax
1: kd> r
eax=0000c01a
1: kd> dt HANDLE_TABLE_ENTRY 0xe140d000+8*1a
ntdll!HANDLE_TABLE_ENTRY
+0x000 Object : 0xe19a33f9 Void
+0x000 ObAttributes : 0xe19a33f9
+0x000 InfoTable : 0xe19a33f9 _HANDLE_TABLE_ENTRY_INFO
+0x000 Value : 0xe19a33f9
+0x004 GrantedAccess : 0
+0x004 GrantedAccessIndex : 0
+0x006 CreatorBackTraceIndex : 0
+0x004 NextFreeTableEntry : 0n0
1: kd> dx -id 0,0,896d1020 -r1 (*((ntdll!unsigned short (*)[1])0xe19a3405))
(*((ntdll!unsigned short (*)[1])0xe19a3405)) [Type: unsigned short [1]]
[0] : 0x4100 [Type: unsigned short]
1: kd> dt ntdll!_RTL_ATOM_TABLE_ENTRY 0xe19a33f8
+0x000 HashLink : (null)
+0x004 HandleIndex : 0x1a
+0x006 Atom : 0xc01a
+0x008 ReferenceCount : 2
+0x00a Flags : 0 ''
+0x00b NameLength : 0x11 ''
+0x00c Name : [1] 0x43
1: kd> dx -id 0,0,896d1020 -r1 (*((ntdll!unsigned short (*)[1])0xe19a3404))
(*((ntdll!unsigned short (*)[1])0xe19a3404)) [Type: unsigned short [1]]
[0] : 0x43 [Type: unsigned short]
1: kd> db 0xe19a3404
e19a3404 43 00 41 00 64 00 64 00-72 00 65 00 73 00 73 00 C.A.d.d.r.e.s.s.
e19a3414 42 00 61 00 6e 00 64 00-5f 00 54 00 68 00 69 00 B.a.n.d._.T.h.i.
e19a3424 73 00 00 00 08 08 05 0c-55 73 74 6b 88 76 8a bf s.......Ustk.v..
#define UIntToPtr( ui ) ((VOID *)(UINT_PTR)((unsigned int)ui))
第三部分:
HANDLE _GetProp(
PWND pwnd,
PCWSTR pszKey,
BOOL fInternal)
{
PPROP pprop;
/*
* A quick little optimization for that case where the window has no
* properties at all.
*/
if (pwnd->ppropList == NULL)
return NULL;
/*
* FindProp does all the work, including converting pszKey to an atom
* (if necessary) for property lookup.
*/
pprop = _FindProp(pwnd, pszKey, fInternal);
if (pprop == NULL)
return NULL;
return KHANDLE_TO_HANDLE(pprop->hData);
}
第四部分:
1: kd> dv
pwnd = 0x005fe3e4
pszKey = 0x0000c01a
fInternal = 0n0
1: kd> dx -id 0,0,896d1020 -r1 ((USER32!tagWND *)0x5fe3e4)
((USER32!tagWND *)0x5fe3e4) : 0x5fe3e4 [Type: tagWND *]
[+0x06c] ppropList : 0xbc67f494 [Type: tagPROPLIST *] //ppropList : 0xbc67f494
1: kd> dx -id 0,0,896d1020 -r1 ((USER32!tagPROPLIST *)0xbc67f494)
((USER32!tagPROPLIST *)0xbc67f494) : 0xbc67f494 [Type: tagPROPLIST *]
[+0x000] cEntries : 0x4 [Type: unsigned int]
[+0x004] iFirstFree : 0x4 [Type: unsigned int]
[+0x008] aprop [Type: tagPROP [1]]
1: kd> dx -id 0,0,896d1020 -r1 (*((USER32!tagPROP (*)[1])0xbc67f49c))
(*((USER32!tagPROP (*)[1])0xbc67f49c)) [Type: tagPROP [1]]
[0] [Type: tagPROP]
1: kd> dx -id 0,0,896d1020 -r1 (*((USER32!tagPROP *)0xbc67f49c))
(*((USER32!tagPROP *)0xbc67f49c)) [Type: tagPROP]
[+0x000] hData : 0xfd5a0 [Type: void *]
[+0x004] atomKey : 0xc021 [Type: unsigned short]
[+0x006] fs : 0x2 [Type: unsigned short]
1: kd> dt USER32!tagPROP 0xbc67f49c+8*1
+0x000 hData : 0x0000c00c Void
+0x004 atomKey : 0xa911
+0x006 fs : 0
1: kd> dd 0xbc67f49c
bc67f49c 000fd5a0 0002c021 0000c00c 0000a911
bc67f4ac 000fcc48 0002c01a 000fd5f0 0002c017
bc67f4bc 545f4855 004c4941 abababab abababab
1: kd> dt USER32!tagPROP 0xbc67f49c+8*2
+0x000 hData : 0x000fcc48 Void
+0x004 atomKey : 0xc01a
+0x006 fs : 2
1: kd> dt USER32!tagPROP 0xbc67f49c+8*3
+0x000 hData : 0x000fd5f0 Void
+0x004 atomKey : 0xc017
+0x006 fs : 2
1: kd> dt USER32!tagPROP 0xbc67f49c+8*4
+0x000 hData : 0x545f4855 Void
+0x004 atomKey : 0x4941
+0x006 fs : 0x4c
pprop = _FindProp(pwnd, pszKey, fInternal);
if (pprop == NULL)
return NULL;
1: kd> p
USER32!_GetProp+0x13:
001b:77cc7f60 e826000000 call USER32!_FindProp (77cc7f8b)
1: kd> p
USER32!_GetProp+0x18:
001b:77cc7f65 85c0 test eax,eax
1: kd> r
eax=005ff4ac ebx=77ca68a4 ecx=0000c01a edx=00000201 esi=0000c01a edi=0000060d
eip=77cc7f65 esp=013be0b8 ebp=013be0b8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
USER32!_GetProp+0x18:
001b:77cc7f65 85c0 test eax,eax
1: kd> dd 005ff4ac
005ff4ac 000fcc48
第五部分:
1: kd> dx -id 0,0,896d1020 -r1 (*((USER32!tagPROP *)0xbc67f49c))
(*((USER32!tagPROP *)0xbc67f49c)) [Type: tagPROP]
[+0x000] hData : 0xfd5a0 [Type: void *]
[+0x004] atomKey : 0xc021 [Type: unsigned short]
[+0x006] fs : 0x2 [Type: unsigned short]
1: kd> dt USER32!tagPROP 0xbc67f49c+8*1
+0x000 hData : 0x0000c00c Void
+0x004 atomKey : 0xa911
+0x006 fs : 0
1: kd> dt USER32!tagPROP 0xbc67f49c+8*2
+0x000 hData : 0x000fcc48 Void
+0x004 atomKey : 0xc01a
+0x006 fs : 2
1: kd> dt USER32!tagPROP 0xbc67f49c+8*3
+0x000 hData : 0x000fd5f0 Void
+0x004 atomKey : 0xc017
+0x006 fs : 2
1: kd> dt HANDLE_TABLE_ENTRY 0xe140d000+8*17
ntdll!HANDLE_TABLE_ENTRY
+0x000 Object : 0xe1865109 Void
+0x000 ObAttributes : 0xe1865109
+0x000 InfoTable : 0xe1865109 _HANDLE_TABLE_ENTRY_INFO
+0x000 Value : 0xe1865109
+0x004 GrantedAccess : 0
+0x004 GrantedAccessIndex : 0
+0x006 CreatorBackTraceIndex : 0
+0x004 NextFreeTableEntry : 0n0
1: kd> dt ntdll!_RTL_ATOM_TABLE_ENTRY 0xe1865108
+0x000 HashLink : (null)
+0x004 HandleIndex : 0x17
+0x006 Atom : 0xc017
+0x008 ReferenceCount : 2
+0x00a Flags : 0 ''
+0x00b NameLength : 0x12 ''
+0x00c Name : [1] 0x43
1: kd> dx -id 0,0,896d1020 -r1 (*((ntdll!unsigned short (*)[1])0xe1865114))
(*((ntdll!unsigned short (*)[1])0xe1865114)) [Type: unsigned short [1]]
[0] : 0x43 [Type: unsigned short]
1: kd> db 0xe1865114
e1865114 43 00 41 00 64 00 64 00-72 00 65 00 73 00 73 00 C.A.d.d.r.e.s.s.
e1865124 43 00 6f 00 6d 00 62 00-6f 00 5f 00 54 00 68 00 C.o.m.b.o._.T.h.
e1865134 69 00 73 00 00 00 35 30-46 7d b2 b2 09 08 0b 0c i.s...50F}......
CAddressCombo_This
1: kd> dt HANDLE_TABLE_ENTRY 0xe140d000+8*21
ntdll!HANDLE_TABLE_ENTRY
+0x000 Object : 0xe18379d9 Void
+0x000 ObAttributes : 0xe18379d9
+0x000 InfoTable : 0xe18379d9 _HANDLE_TABLE_ENTRY_INFO
+0x000 Value : 0xe18379d9
+0x004 GrantedAccess : 0
+0x004 GrantedAccessIndex : 0
+0x006 CreatorBackTraceIndex : 0
+0x004 NextFreeTableEntry : 0n0
1: kd> dt ntdll!_RTL_ATOM_TABLE_ENTRY 0xe18379d8
+0x000 HashLink : 0xe1825758 _RTL_ATOM_TABLE_ENTRY
+0x004 HandleIndex : 0x21
+0x006 Atom : 0xc021
+0x008 ReferenceCount : 0x14
+0x00a Flags : 0 ''
+0x00b NameLength : 0xe ''
+0x00c Name : [1] 0x55
1: kd> dx -id 0,0,896d1020 -r1 (*((ntdll!unsigned short (*)[1])0xe18379e4))
(*((ntdll!unsigned short (*)[1])0xe18379e4)) [Type: unsigned short [1]]
[0] : 0x55 [Type: unsigned short]
1: kd> db 0xe18379e4
e18379e4 55 00 78 00 53 00 75 00-62 00 63 00 6c 00 61 00 U.x.S.u.b.c.l.a.
e18379f4 73 00 73 00 49 00 6e 00-66 00 6f 00 00 00 00 00 s.s.I.n.f.o.....
e1837a04 00 00 00 00 08 08 01 00-55 73 71 75 01 08 06 0c ........Usqu....
UxSubclassInfo
1: kd> dt HANDLE_TABLE_ENTRY 0xe140d000+8*1a
ntdll!HANDLE_TABLE_ENTRY
+0x000 Object : 0xe19a33f9 Void
+0x000 ObAttributes : 0xe19a33f9
+0x000 InfoTable : 0xe19a33f9 _HANDLE_TABLE_ENTRY_INFO
+0x000 Value : 0xe19a33f9
+0x004 GrantedAccess : 0
+0x004 GrantedAccessIndex : 0
+0x006 CreatorBackTraceIndex : 0
+0x004 NextFreeTableEntry : 0n0
1: kd> dt ntdll!_RTL_ATOM_TABLE_ENTRY 0xe19a33f8
+0x000 HashLink : (null)
+0x004 HandleIndex : 0x1a
+0x006 Atom : 0xc01a
+0x008 ReferenceCount : 2
+0x00a Flags : 0 ''
+0x00b NameLength : 0x11 ''
+0x00c Name : [1] 0x43
1: kd> dx -id 0,0,896d1020 -r1 (*((ntdll!unsigned short (*)[1])0xe19a3404))
(*((ntdll!unsigned short (*)[1])0xe19a3404)) [Type: unsigned short [1]]
[0] : 0x43 [Type: unsigned short]
1: kd> db 0xe19a3404
e19a3404 43 00 41 00 64 00 64 00-72 00 65 00 73 00 73 00 C.A.d.d.r.e.s.s.
e19a3414 42 00 61 00 6e 00 64 00-5f 00 54 00 68 00 69 00 B.a.n.d._.T.h.i.
e19a3424 73 00 00 00 08 08 05 0c-55 73 74 6b 88 76 8a bf s.......Ustk.v..
CAddressBand_This