记事本源代码分析ALT+F4调试记录详细分析
记事本源代码分析ALT+F4调试记录分析
0: kd> g
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserSystemParametersInfo, retval = 1
(s: 0 0x398.f8 notepad.exe) USRK-[StubReturn] NtUserSetTimer, retval = fffe
Breakpoint 4 hit
eax=f75d69b0 ebx=e1418ab8 ecx=f75d00a4 edx=00000013 esi=00008000 edi=00000000
eip=bf8e8675 esp=f75d6994 ebp=f75d69c8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!xxxProcessKeyEvent:
bf8e8675 55 push ebp
0: kd> dv
pke = 0xf75d69b0
ExtraInformation = 0
bInjected = 0n0
Vk = 0xb0 ''
0: kd> dx -id 0,0,89413020 -r1 ((win32k!tagKE *)0xf75d69b0)
((win32k!tagKE *)0xf75d69b0) : 0xf75d69b0 [Type: tagKE *]
[+0x000] bScanCode : 0x38 [Type: unsigned char]
[+0x000] wchInjected : 0x7c38 [Type: unsigned short]
[+0x002] usFlaggedVk : 0xa4 [Type: unsigned short] // VK_ALT (0xa4 = VK_LMENU, the left ALT key)
[+0x004] dwTime : 0xffffffff [Type: unsigned long]
[+0x008] hDevice : 0x10063 [Type: void *]
[+0x00c] data [Type: _KEYBOARD_INPUT_DATA]
0: kd> g
Breakpoint 3 hit
eax=000000a4 ebx=00008000 ecx=ffee8015 edx=00000000 esi=f75d69b0 edi=00004000
eip=bf8e7974 esp=f75d6964 ebp=f75d6990 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!xxxKeyEvent:
bf8e7974 55 push ebp
0: kd> dv
usFlaggedVk = 0xa4
wScanCode = 0x38
time = 0xffee8015
ExtraInfo = 0
hDevice = 0x00010063
pkei = 0xf75d69bc
bInjected = 0n0
scan code 56 (0x38), usFlaggedVk 0xa4 = VK_LMENU
scan code 62 (0x3E), usFlaggedVk 0x73 = VK_F4
/*
* Is this a keyup or keydown event?
*/
message = fBreak ? WM_KEYUP : WM_KEYDOWN;message = 0x100
if ((VkHanded >= VK_LSHIFT) && (VkHanded <= VK_RMENU)) {
BYTE VkOtherHand = VkHanded ^ 1;
Vk = (BYTE)((VkHanded - VK_LSHIFT) / 2 + VK_SHIFT);
if (!fBreak || !TestAsyncKeyStateDown(VkOtherHand)) {
if ((gptiBlockInput == NULL) || (gptiBlockInput != ptiCurrent)) {
UpdateAsyncKeyState(gpqForeground, Vk, fBreak);
}
}
}
0: kd> dv
usFlaggedVk = 0xa4
wScanCode = 0x38
message = 0x100
0: kd> dv Vk
Vk = 0x12 ''
#define VK_MENU 0x12
/*
* If the ALT key is down and the CTRL key
* isn't, this is a WM_SYS* message.如果是ALT键则是系统键按下。
*/
if (TestAsyncKeyStateDown(VK_MENU) && !TestAsyncKeyStateDown(VK_CONTROL) && Vk != VK_JUNJA) {
// VK_JUNJA is ALT+'+'. Since all KOR VKs are not converted to IME hotkey IDs and
// should be passed directly to IME, KOR related VKs are not treated as SYSKEYDOWN.
message += (WM_SYSKEYDOWN - WM_KEYDOWN);
usExtraStuff |= 0x2000;
#define WM_KEYDOWN 0x0100
#define WM_KEYUP 0x0101
#define WM_CHAR 0x0102
#define WM_DEADCHAR 0x0103
#define WM_SYSKEYDOWN 0x0104
0: kd> dv
usFlaggedVk = 0xa4
wScanCode = 0x38
message = 0x104
usExtraStuff = 0x2000
lParam = MAKELONG(1, (wScanCode | usExtraStuff));
0: kd> t
eax=e1863210 ebx=00000000 ecx=00000104 edx=bc510000 esi=20380001 edi=e30a2578
eip=bf8ad0ba esp=f75d68e4 ebp=f75d6960 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!PostInputMessage:
bf8ad0ba 55 push ebp
0: kd> ba e1 win32k!PostInputMessage
breakpoint 17 redefined
0: kd> dv
pq = 0xe1863210
pwnd = 0x00000000
message = 0x104
wParam = 0x12
lParam = 0n540540929
time = 0xffee8015
dwExtraInfo = 0
0: kd> ?0n540540929
Evaluate expression: 540540929 = 20380001
1: kd> g
Breakpoint 4 hit
eax=f75d69b0 ebx=e1418ad0 ecx=f75d0073 edx=ffffffe2 esi=00008000 edi=00000000
eip=bf8e8675 esp=f75d6994 ebp=f75d69c8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!xxxProcessKeyEvent:
bf8e8675 55 push ebp
0: kd> dv
pke = 0xf75d69b0
ExtraInformation = 0
bInjected = 0n0
Vk = 0xb0 ''
0: kd> dx -id 0,0,89413020 -r1 ((win32k!tagKE *)0xf75d69b0)
((win32k!tagKE *)0xf75d69b0) : 0xf75d69b0 [Type: tagKE *]
[+0x000] bScanCode : 0x3e [Type: unsigned char]
[+0x000] wchInjected : 0x7c3e [Type: unsigned short]
[+0x002] usFlaggedVk : 0x73 [Type: unsigned short]
[+0x004] dwTime : 0xffee80e0 [Type: unsigned long]
[+0x008] hDevice : 0x10063 [Type: void *]
[+0x00c] data [Type: _KEYBOARD_INPUT_DATA]
scan code 62 (0x3E), usFlaggedVk 0x73 = VK_F4
0: kd> t
eax=00000073 ebx=00008000 ecx=ffee810f edx=00000000 esi=f75d69b0 edi=00004000
eip=bf8e7974 esp=f75d6964 ebp=f75d6990 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!xxxKeyEvent:
bf8e7974 55 push ebp
0: kd> dv
usFlaggedVk = 0x73
wScanCode = 0x3e
time = 0xffee810f
ExtraInfo = 0
hDevice = 0x00010063
pkei = 0xf75d69bc
bInjected = 0n0
fSASHandled = 0n16384
0: kd> t
eax=e2ee8a60 ebx=e1863210 ecx=e1863210 edx=00000520 esi=e2ee8a60 edi=00000104
eip=bf8a4719 esp=f75d68b0 ebp=f75d68e0 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
win32k!StoreQMessage:
bf8a4719 55 push ebp
0: kd> dv
pqmsg = 0xe2ee8a60
pwnd = 0x00000000
message = 0x104
wParam = 0x73
lParam = 0n540934145
time = 0xffee810f
dwQEvent = 0
dwExtraInfo = 0
0: kd> ?0n540934145
Evaluate expression: 540934145 = 203e0001
0: kd> dx -id 0,0,89413020 -r1 ((win32k!tagQMSG *)0xe2ee8a60)
((win32k!tagQMSG *)0xe2ee8a60) : 0xe2ee8a60 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0x0 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe17ede60 [Type: tagQMSG *]
[+0x008] msg : {msg=0x0 wp=0x0 lp=0x0} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0x0 [Type: tagTHREADINFO *]
0: kd> dx -id 0,0,89413020 -r1 ((win32k!tagQMSG *)0xe17ede60)
((win32k!tagQMSG *)0xe17ede60) : 0xe17ede60 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe2ee8a60 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe30a2578 [Type: tagQMSG *]
[+0x008] msg : {msg=0x104 wp=0x12 lp=0x20380004} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
0: kd> gu
WARNING: Software breakpoints on session addresses can cause bugchecks.
Use hardware execution breakpoints (ba e) if possible.
eax=00000000 ebx=e1863210 ecx=00000109 edx=00000520 esi=e2ee8a60 edi=00000104
eip=bf8ad18e esp=f75d68d4 ebp=f75d68e0 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
win32k!PostInputMessage+0xd4:
bf8ad18e 56 push esi
0: kd> dx -id 0,0,89413020 -r1 ((win32k!tagQMSG *)0xe2ee8a60)
((win32k!tagQMSG *)0xe2ee8a60) : 0xe2ee8a60 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0x0 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe17ede60 [Type: tagQMSG *]
[+0x008] msg : {msg=0x104 wp=0x73 lp=0x203e0001} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0x0 [Type: tagTHREADINFO *]
0: kd> g
Breakpoint 4 hit
eax=f75d69b0 ebx=e1418adc ecx=f75d0073 edx=ffffffe2 esi=00008000 edi=00000000
eip=bf8e8675 esp=f75d6994 ebp=f75d69c8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!xxxProcessKeyEvent:
bf8e8675 55 push ebp
0: kd> dv
pke = 0xf75d69b0
ExtraInformation = 0
bInjected = 0n0
Vk = 0xb0 ''
0: kd> dx -id 0,0,89413020 -r1 ((win32k!tagKE *)0xf75d69b0)
((win32k!tagKE *)0xf75d69b0) : 0xf75d69b0 [Type: tagKE *]
[+0x000] bScanCode : 0x3e [Type: unsigned char]
[+0x000] wchInjected : 0x7c3e [Type: unsigned short]
[+0x002] usFlaggedVk : 0x8073 [Type: unsigned short]
[+0x004] dwTime : 0xffee810f [Type: unsigned long]
[+0x008] hDevice : 0x10063 [Type: void *]
[+0x00c] data [Type: _KEYBOARD_INPUT_DATA]
0: kd> g
Breakpoint 0 hit
eax=e1863210 ebx=00000000 ecx=00000105 edx=bc510000 esi=203e0001 edi=e2ee8a60
eip=bf8ad0ba esp=f75d68e4 ebp=f75d6960 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!PostInputMessage:
bf8ad0ba 55 push ebp
0: kd> dv
pq = 0xe1863210
pwnd = 0x00000000
message = 0x105
wParam = 0x73
lParam = 0n540934145
time = 0xffee815d
dwExtraInfo = 0
0: kd> ?0n540934145
Evaluate expression: 540934145 = 203e0001
0: kd> dx -id 0,0,89413020 -r1 (*((win32k!tagMLIST *)0xe1863210))
(*((win32k!tagMLIST *)0xe1863210)) [Type: tagMLIST]
[+0x000] pqmsgRead : 0xe30a25b0 [Type: tagQMSG *]
[+0x004] pqmsgWriteLast : 0xe2ee8a60 [Type: tagQMSG *]
[+0x008] cMsgs : 0x7 [Type: unsigned long]
0: kd> dx -id 0,0,89413020 -r1 ((win32k!tagQMSG *)0xe2ee8a60)
((win32k!tagQMSG *)0xe2ee8a60) : 0xe2ee8a60 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0x0 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe17ede60 [Type: tagQMSG *]
[+0x008] msg : {msg=0x104 wp=0x73 lp=0x203e0001} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
0: kd> dx -id 0,0,89413020 -r1 ((win32k!tagQMSG *)0xe17ede60)
((win32k!tagQMSG *)0xe17ede60) : 0xe17ede60 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe2ee8a60 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe30a2578 [Type: tagQMSG *]
[+0x008] msg : {msg=0x104 wp=0x12 lp=0x20380004} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
0: kd> gu
WARNING: Software breakpoints on session addresses can cause bugchecks.
Use hardware execution breakpoints (ba e) if possible.
eax=00000000 ebx=e1863210 ecx=00000109 edx=00000521 esi=e16fff58 edi=00000105
eip=bf8ad18e esp=f75d68d4 ebp=f75d68e0 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
win32k!PostInputMessage+0xd4:
bf8ad18e 56 push esi
0: kd> dx -id 0,0,89413020 -r1 ((win32k!tagQMSG *)0xe16fff58)
((win32k!tagQMSG *)0xe16fff58) : 0xe16fff58 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0x0 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe2ee8a60 [Type: tagQMSG *]
[+0x008] msg : {msg=0x105 wp=0x73 lp=0x203e0001} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0x0 [Type: tagTHREADINFO *]
0: kd> g
Breakpoint 4 hit
eax=f75d69b0 ebx=e1418ae8 ecx=f75d00a4 edx=00000013 esi=00008000 edi=00000000
eip=bf8e8675 esp=f75d6994 ebp=f75d69c8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!xxxProcessKeyEvent:
bf8e8675 55 push ebp
0: kd> dv
pke = 0xf75d69b0
ExtraInformation = 0
bInjected = 0n0
Vk = 0xb0 ''
0: kd> dx -id 0,0,89413020 -r1 ((win32k!tagKE *)0xf75d69b0)
((win32k!tagKE *)0xf75d69b0) : 0xf75d69b0 [Type: tagKE *]
[+0x000] bScanCode : 0x38 [Type: unsigned char]
[+0x000] wchInjected : 0x7c38 [Type: unsigned short]
[+0x002] usFlaggedVk : 0x80a4 [Type: unsigned short]
[+0x004] dwTime : 0xffee815d [Type: unsigned long]
[+0x008] hDevice : 0x10063 [Type: void *]
[+0x00c] data [Type: _KEYBOARD_INPUT_DATA]
0: kd> dx -id 0,0,89413020 -r1 (*((win32k!tagMLIST *)0xe1863210))
(*((win32k!tagMLIST *)0xe1863210)) [Type: tagMLIST]
[+0x000] pqmsgRead : 0xe30a25b0 [Type: tagQMSG *]
[+0x004] pqmsgWriteLast : 0xe2ee8a28 [Type: tagQMSG *]
[+0x008] cMsgs : 0x9 [Type: unsigned long]
0: kd> dx -id 0,0,89413020 -r1 ((win32k!tagQMSG *)0xe2ee8a28)
((win32k!tagQMSG *)0xe2ee8a28) : 0xe2ee8a28 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0x0 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe16fff58 [Type: tagQMSG *]
[+0x008] msg : {msg=0x101 wp=0x12 lp=0x380001} [Type: tagMSG] 这里 0x101 是 ALT 的 WM_KEYUP;按下时对应的消息是 WM_SYSKEYDOWN (0x104)
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
0: kd> dx -id 0,0,89413020 -r1 ((win32k!tagQMSG *)0xe16fff58)
((win32k!tagQMSG *)0xe16fff58) : 0xe16fff58 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe2ee8a28 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe2ee8a60 [Type: tagQMSG *]
[+0x008] msg : {msg=0x105 wp=0x73 lp=0x203e0001} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
0: kd> dx -id 0,0,89413020 -r1 ((win32k!tagQMSG *)0xe2ee8a60)
((win32k!tagQMSG *)0xe2ee8a60) : 0xe2ee8a60 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe16fff58 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe17ede60 [Type: tagQMSG *]
[+0x008] msg : {msg=0x104 wp=0x73 lp=0x203e0001} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
0: kd> dx -id 0,0,89413020 -r1 ((win32k!tagQMSG *)0xe17ede60)
((win32k!tagQMSG *)0xe17ede60) : 0xe17ede60 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe2ee8a60 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe30a2578 [Type: tagQMSG *]
[+0x008] msg : {msg=0x104 wp=0x12 lp=0x20380004} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
1: kd> kc
#
00 win32k!xxxSkipSysMsg
01 win32k!xxxScanSysQueue
02 win32k!xxxRealInternalGetMessage
03 win32k!NtUserGetMessage
04 nt!_KiSystemService
05 SharedUserData!SystemCallStub
06 USER32!NtUserGetMessage
07 USER32!GetMessageW_wrapper
08 notepad!WinMain
09 notepad!WinMainCRTStartup
0a kernel32!BaseProcessStart
1: kd> kv
# ChildEBP RetAddr Args to Child
00 ba486aa0 bf80a410 e17b5d68 ba486bc8 bf9ea2a4 win32k!xxxSkipSysMsg (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\input.c @ 3352]
01 ba486c44 bf8ad571 e17b5d68 ba486d08 00000000 win32k!xxxScanSysQueue+0xda8 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\input.c @ 4515]
02 ba486cdc bf897d7a ba486d08 00000000 00000000 win32k!xxxRealInternalGetMessage+0x3c3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\input.c @ 636]
03 ba486d40 80afbcb2 0006fefc 00000000 00000000 win32k!NtUserGetMessage+0x31 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 2118]
04 ba486d40 7ffe0304 0006fefc 00000000 00000000 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ ba486d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
05 0006fe90 77d204ac 77cd2cfb 0006fefc 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
06 0006feb4 77cfb090 0006fefc 00000000 00000000 USER32!NtUserGetMessage+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\umode\daytona\obj\i386\usrstubs.c @ 3467]
07 0006fed8 010029f8 0006fefc 00000000 00000000 USER32!GetMessageW_wrapper+0x54 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\ntcftxt.h @ 282]
08 0006ff1c 0100725e 01000000 00000000 00092eda notepad!WinMain+0xe3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\shell\osshell\accesory\notepad\notepad.c @ 1525]
09 0006ffc0 77e62c34 00000000 00000000 7ffdf000 notepad!WinMainCRTStartup+0x182 (FPO: [Non-Fpo]) (CONV: cdecl) [d:\srv03rtm\base\crts\crtw32\dllstuff\crtexe.c @ 493]
0a 0006fff0 00000000 010070dc 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 580]
/* ** Main loop */
INT WINAPI WinMain(
HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpAnsiCmdLine,
INT cmdShow)
{
while (GetMessage((LPMSG)&msg, (HWND)NULL, 0, 0))
{
//
// To handle IME status when active KL is changed.
//
if (msg.message == WM_INPUTLANGCHANGEREQUEST) {
//
// WM_INPUTLANGCHANGE will be *sent* to WndProc,
// so there's no chance to catch WM_INPUTLANGCHANGE from the frame window.
// Instead, we post the private message to check the active HKL later.
//
PostMessage(hwndNP, PWM_CHECK_HKL, 0, 0);
}
if (!hDlgFind || !IsDialogMessage(hDlgFind, &msg))
{
if (TranslateAccelerator(hwndNP, hAccel, (LPMSG)&msg) == 0)
{
TranslateMessage ((LPMSG)&msg);
DispatchMessage ((LPMSG)&msg);
}
}
}
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xe2f80648)
((win32k!tagQMSG *)0xe2f80648) : 0xe2f80648 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe13e6220 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe30a25b0 [Type: tagQMSG *]
[+0x008] msg : {msg=0x0 wp=0x0 lp=0xbfa5fc0c} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0xc [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xe13e6220)
((win32k!tagQMSG *)0xe13e6220) : 0xe13e6220 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe31096b8 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe2f80648 [Type: tagQMSG *]
[+0x008] msg : {msg=0x0 wp=0x0 lp=0xe307c5f8} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0xc [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xe31096b8)
((win32k!tagQMSG *)0xe31096b8) : 0xe31096b8 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe30a2578 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe13e6220 [Type: tagQMSG *]
[+0x008] msg : {msg=0x200 wp=0x0 lp=0x2470109} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xe30a2578)
((win32k!tagQMSG *)0xe30a2578) : 0xe30a2578 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe17ede60 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe31096b8 [Type: tagQMSG *]
[+0x008] msg : {msg=0x201 wp=0x0 lp=0x2470109} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xe17ede60)
((win32k!tagQMSG *)0xe17ede60) : 0xe17ede60 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe2ee8a60 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe30a2578 [Type: tagQMSG *]
[+0x008] msg : {msg=0x104 wp=0x12 lp=0x20380004} [Type: tagMSG] lp=0x20380004
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xe2ee8a60)
((win32k!tagQMSG *)0xe2ee8a60) : 0xe2ee8a60 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe16fff58 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe17ede60 [Type: tagQMSG *]
[+0x008] msg : {msg=0x104 wp=0x73 lp=0x203e0001} [Type: tagMSG] lp=0x203e0001
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xe16fff58)
((win32k!tagQMSG *)0xe16fff58) : 0xe16fff58 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe2ee8a28 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe2ee8a60 [Type: tagQMSG *]
[+0x008] msg : {msg=0x105 wp=0x73 lp=0x203e0001} [Type: tagMSG] lp=0x203e0001
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xe2ee8a28)
((win32k!tagQMSG *)0xe2ee8a28) : 0xe2ee8a28 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe17ede28 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe16fff58 [Type: tagQMSG *]
[+0x008] msg : {msg=0x101 wp=0x12 lp=0x380001} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xe17ede28)
((win32k!tagQMSG *)0xe17ede28) : 0xe17ede28 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe3064f60 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe2ee8a28 [Type: tagQMSG *]
[+0x008] msg : {msg=0x100 wp=0x11 lp=0x1d0001} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xe3064f60)
((win32k!tagQMSG *)0xe3064f60) : 0xe3064f60 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe16fff20 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe17ede28 [Type: tagQMSG *]
[+0x008] msg : {msg=0x100 wp=0x5b lp=0x15b0001} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xe16fff20)
((win32k!tagQMSG *)0xe16fff20) : 0xe16fff20 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe2f0ade8 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe3064f60 [Type: tagQMSG *]
[+0x008] msg : {msg=0x101 wp=0x5b lp=0x15b0001} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xe2f0ade8)
((win32k!tagQMSG *)0xe2f0ade8) : 0xe2f0ade8 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe17eddf0 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe16fff20 [Type: tagQMSG *]
[+0x008] msg : {msg=0x101 wp=0x11 lp=0x1d0001} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xe17eddf0)
((win32k!tagQMSG *)0xe17eddf0) : 0xe17eddf0 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe2f80610 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe2f0ade8 [Type: tagQMSG *]
[+0x008] msg : {msg=0x202 wp=0x0 lp=0x2470109} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xe2f80610)
((win32k!tagQMSG *)0xe2f80610) : 0xe2f80610 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0x0 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0xe17eddf0 [Type: tagQMSG *]
[+0x008] msg : {msg=0x200 wp=0x0 lp=0x2ff002c} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
Breakpoint 12 hit
eax=ba486bc8 ebx=e17b5d68 ecx=e1863228 edx=bc510000 esi=00000004 edi=00000000
eip=bf808d6a esp=ba486aa4 ebp=ba486c44 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
win32k!xxxSkipSysMsg:
bf808d6a 55 push ebp
1: kd> dv
pti = 0xe17b5d68
pqmsg = 0xba486bc8
fDown = 0n-1082094230
pqmsgT = 0xbf808d6a
vk = 0x00 ''
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xba486bc8)
((win32k!tagQMSG *)0xba486bc8) : 0xba486bc8 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe2ee8a60 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0x0 [Type: tagQMSG *]
[+0x008] msg : {msg=0x104 wp=0x12 lp=0x20380004} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
Breakpoint 43 hit
eax=0006fefc ebx=0018007f ecx=bb40e64e edx=7ffe0304 esi=00000000 edi=77cfb03c
eip=77cbe820 esp=0006fee8 ebp=0006ff1c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
USER32!TranslateMessage:
001b:77cbe820 55 push ebp
1: kd> dv
pmsg = 0x0006fefc {msg=0x104 wp=0x12 lp=0x20380004}
1: kd> g
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] _ReleaseDC, retval = 1
Breakpoint 8 hit
eax=ba486d10 ebx=bf8108ee ecx=bc670008 edx=bc510000 esi=0006ff18 edi=ba486d2c
eip=bf8e35ee esp=ba486cf8 ebp=ba486d48 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
win32k!xxxTranslateMessage:
bf8e35ee 55 push ebp
1: kd> dv
pmsg = 0xba486d10 {msg=0x104 wp=0x12 lp=0x20380004}
uiTMFlags = 0
fSysKey = 0n-1
awch = unsigned short [16]
pwnd = 0xffffffff
wMsgType = 0
dwKeyFlags = 0xba486d10
switch (pmsg->message) {
default:
return FALSE;
case WM_SYSKEYDOWN:
/*
* HACK carried over from Win3 code: system messages
* only get posted during KEYDOWN processing - so
* set fSysKey only for WM_SYSKEYDOWN.
*/
fSysKey = TRUE;
/*
* Fall thru...
*/
case WM_SYSKEYUP:
case WM_KEYDOWN:
case WM_KEYUP:
pti = PtiCurrent();
if ((pti->pMenuState != NULL) &&
(HW(pti->pMenuState->pGlobalPopupMenu->spwndPopupMenu) ==
pmsg->hwnd)) {
uiTMFlags |= TM_INMENUMODE;
} else {
uiTMFlags &= ~TM_INMENUMODE;
}
/*
* Don't change the contents of the passed in structure.
*/
lParam = pmsg->lParam;
/*
* For backward compatibility, mask the virtual key value.
*/
uVirKey = LOWORD(pmsg->wParam);
cChar = xxxInternalToUnicode(uVirKey, // virtual key code
HIWORD(lParam), // scan code, make/break bit
pti->pq->afKeyState,
awch, sizeof(awch)/sizeof(awch[0]),
uiTMFlags, &dwKeyFlags, NULL);
lParam |= (dwKeyFlags & ALTNUMPAD_BIT);
1: kd> p
eax=00000000 ebx=20380004 ecx=00000008 edx=00000010 esi=ba486d10 edi=00000000
eip=bf8e368e esp=ba486cc0 ebp=ba486cf4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!xxxTranslateMessage+0xa0:
bf8e368e 8b4508 mov eax,dword ptr [ebp+8] ss:0010:ba486cfc=00000000
cChar = 0 (eax after stepping over xxxInternalToUnicode: no character produced for this WM_SYSKEYDOWN)
1: kd> t
eax=0006fefc ebx=0018007f ecx=0006fec0 edx=7ffe0304 esi=00000000 edi=77cfb03c
eip=77cc4007 esp=0006fee8 ebp=0006ff1c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
USER32!DispatchMessageW:
001b:77cc4007 55 push ebp
1: kd> dv
lpMsg = 0x0006fefc {msg=0x104 wp=0x12 lp=0x20380004}
1: kd> x win32k!gSharedInfo
bfa70580 win32k!gSharedInfo = struct tagSHAREDINFO
1: kd> dx -id 0,0,89424c18 -r1 (*((win32k!tagSHAREDINFO *)0xbfa70580))
(*((win32k!tagSHAREDINFO *)0xbfa70580)) [Type: tagSHAREDINFO]
[+0x000] psi : 0xbc610c9c [Type: tagSERVERINFO *]
[+0x004] aheList : 0xbc510000 [Type: _HANDLEENTRY *]
[+0x008] pDispInfo : 0xbc611c8c [Type: tagDISPLAYINFO *]
[+0x00c] ulSharedDelta : 0x0 [Type: unsigned int]
[+0x010] awmControl [Type: _WNDMSG [31]]
[+0x108] DefWindowMsgs [Type: _WNDMSG]
[+0x110] DefWindowSpecMsgs [Type: _WNDMSG]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!_HANDLEENTRY *)0xbc510000)
((win32k!_HANDLEENTRY *)0xbc510000) : 0xbc510000 [Type: _HANDLEENTRY *]
[+0x000] phead : 0x0 [Type: _HEAD *]
[+0x004] pOwner : 0x0 [Type: void *]
[+0x008] bType : 0x0 [Type: unsigned char]
[+0x009] bFlags : 0x0 [Type: unsigned char]
[+0x00a] wUniq : 0x1 [Type: unsigned short]
[+0x00c] plr : 0x0 [Type: _LOCKRECORD *]
1: kd> dt win32k!_HANDLEENTRY 0xbc510000+dc0
+0x000 phead : 0xbc67f1e4 _HEAD
+0x004 pOwner : 0xe17b5d68 Void
+0x008 bType : 0x1 ''
+0x009 bFlags : 0 ''
+0x00a wUniq : 8
+0x00c plr : (null)
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!_HEAD *)0xbc67f1e4)
((win32k!_HEAD *)0xbc67f1e4) : 0xbc67f1e4 [Type: _HEAD *]
[+0x000] h : 0x800dc [Type: void *]
[+0x004] cLockObj : 0x8 [Type: unsigned long]
1: kd> dt win32k!wnd 0xbc67f1e4
+0x000 head : _THRDESKHEAD
+0x014 state : 0x20006
+0x018 state2 : 0x80000310
+0x01c ExStyle : 0xa00
+0x020 style : 0x50300104
+0x024 hModule : 0x01000000 Void
+0x028 hMod16 : 0
+0x02a fnid : 0
+0x02c spwndNext : 0xbc67f504 tagWND
+0x030 spwndPrev : (null)
+0x034 spwndParent : 0xbc67c38c tagWND
+0x038 spwndChild : (null)
+0x03c spwndOwner : (null)
+0x040 rcWindow : tagRECT
+0x050 rcClient : tagRECT
+0x060 lpfnWndProc : 0x6f64fcb4 long COMCTL32!Edit_WndProc+0 关键地方:
+0x064 pcls : 0xbc67f0c4 tagCLS
+0x068 hrgnUpdate : (null)
+0x06c ppropList : (null)
+0x070 pSBInfo : 0xbc67f2e4 tagSBINFO
+0x074 spmenuSys : (null)
+0x078 spmenu : 0x0000000f tagMENU
+0x07c hrgnClip : (null)
+0x080 strName : _LARGE_UNICODE_STRING
+0x08c cbwndExtra : 0n4
+0x090 spwndLastActive : (null)
+0x094 hImc : (null)
+0x098 dwUserData : 0
+0x09c pActCtx : (null)
/*
* if we have DBCS TrailingByte that should be sent, send it here..
*/
DISPATCH_DBCS_MESSAGE_IF_EXIST(pmsg->message,pmsg->wParam,bDoDbcsMessaging,DispatchMessage);
pmsg->wParam = wParamSaved;
return lRet;
}
1: kd> t
eax=005ef1f8 ebx=005ef1e4 ecx=00000001 edx=00000104 esi=0006fefc edi=0006ff04
eip=77cf2aae esp=0006fe70 ebp=0006fed4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
USER32!UserCallWinProcCheckWow:
001b:77cf2aae 6a40 push 40h
1: kd> dv
pActCtx = 0x00000000
pfn = 0x6f64fcb4
hwnd = 0x000800dc
msg = 0x104
wParam = 0x12
lParam = 0n540540932
pww = 0x005ef1f8
fEnableLiteHooks = 0n1
ActivationFrame = struct _RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED
lRet = 0n1
fCallBack = 0n0
fInsideHook = 0n0
fOverride = 0n0
pvCookie = 0x77cbe602
1: kd> u 6f64fcb4
COMCTL32!Edit_WndProc [d:\srv03rtm\shell\comctl32\v6\edit.c @ 3911]:
6f64fcb4 55 push ebp
6f64fcb5 8bec mov ebp,esp
6f64fcb7 83ec14 sub esp,14h
6f64fcba 53 push ebx
6f64fcbb 56 push esi
6f64fcbc 57 push edi
6f64fcbd 8b3dd016616f mov edi,dword ptr [COMCTL32!_imp__GetWindowLongW (6f6116d0)]
6f64fcc3 33db xor ebx,ebx
参考:
0: kd> kc
#
00 win32k!xxxDWP_ProcessVirtKey
01 win32k!xxxRealDefWindowProc
02 win32k!xxxWrapRealDefWindowProc
03 win32k!NtUserfnDWORD
04 win32k!NtUserMessageCall
05 nt!_KiSystemService
06 SharedUserData!SystemCallStub
07 USER32!NtUserMessageCall
08 USER32!UserCallWinProcCheckWow
09 COMCTL32!EditML_WndProc
0a COMCTL32!Edit_WndProc
0b USER32!InternalCallWinProc
0c USER32!UserCallWinProcCheckWow
0d USER32!DispatchMessageWorker
0e USER32!DispatchMessageW
0f notepad!WinMain
10 notepad!WinMainCRTStartup
11 kernel32!BaseProcessStart
参考:
LRESULT
UserCallWinProcCheckWow(
PACTIVATION_CONTEXT pActCtx,
WNDPROC pfn,
HWND hwnd,
UINT msg,
WPARAM wParam,
LPARAM lParam,
PVOID pww,
BOOL fEnableLiteHooks)
{
lRet = (IsWOWProc(pfn) ? (*pfnWowWndProcEx)(hwnd, msg, wParam, lParam, PtrToUlong(pfn), KPVOID_TO_PVOID(pww)) :
InternalCallWinProc((WNDPROC)KPVOID_TO_PVOID(pfn), hwnd, msg, wParam, lParam));
1: kd> p
eax=c0000000 ebx=00000000 ecx=40000000 edx=00000000 esi=6f64fcb4 edi=0006fe40
eip=77cf2bf9 esp=0006fe00 ebp=0006fe6c iopl=0 ov up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a87
USER32!UserCallWinProcCheckWow+0x14b:
001b:77cf2bf9 56 push esi
1: kd> p
eax=c0000000 ebx=00000000 ecx=40000000 edx=00000000 esi=6f64fcb4 edi=0006fe40
eip=77cf2bfa esp=0006fdfc ebp=0006fe6c iopl=0 ov up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a87
USER32!UserCallWinProcCheckWow+0x14c:
001b:77cf2bfa e8c952ffff call USER32!InternalCallWinProc (77ce7ec8)
cPublicProc _InternalCallWinProc , 5
winproc equ [ebp + 8]
hwnd equ [ebp + 12]
message equ [ebp + 16]
wParam equ [ebp + 20]
lParam equ [ebp + 24]
StackGuard equ 0DCBAABCDh
push ebp
mov ebp, esp
push esi
push edi
push ebx
push StackGuard ; push guard on the stack
push esi ; push another DWORD on the stack
; so that bogus apps that treat &lParam
; as an LPPOINT don't corrupt the StackGuard
push lParam
push wParam
push message
push hwnd
call winproc
1: kd> p
eax=c0000000 ebx=00000000 ecx=40000000 edx=00000000 esi=6f64fcb4 edi=0006fe40
eip=77ce7ee0 esp=0006fdd0 ebp=0006fdf4 iopl=0 ov up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a87
USER32!InternalCallWinProc+0x18:
001b:77ce7ee0 ff5508 call dword ptr [ebp+8] ss:0023:0006fdfc={COMCTL32!Edit_WndProc (6f64fcb4)}
1: kd> t
eax=c0000000 ebx=00000000 ecx=40000000 edx=00000000 esi=6f64fcb4 edi=0006fe40
eip=6f64fcb4 esp=0006fdcc ebp=0006fdf4 iopl=0 ov up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a87
COMCTL32!Edit_WndProc:
001b:6f64fcb4 55 push ebp
1: kd> dv
hwnd = 0x000800dc
uMsg = 0x104
wParam = 0x12
lParam = 0n540540932
lResult = 0n1
pt = {x=0 y=1}
rc = {LT(2010065674, 2010065950) RB(0, 1) [-2010065674 x -2010065949]}
tme = struct tagTRACKMOUSEEVENT
hkl = 0x00000001
HandleEditMsg:
if (ped != NULL)
{
if (ped->fSingle)
{
lResult = EditSL_WndProc(ped, uMsg, wParam, lParam);
}
else
{
lResult = EditML_WndProc(ped, uMsg, wParam, lParam);
}
}
1: kd> kc
#
00 COMCTL32!Edit_WndProc
01 USER32!InternalCallWinProc
02 USER32!UserCallWinProcCheckWow
03 USER32!DispatchMessageWorker
04 USER32!DispatchMessageW
05 notepad!WinMain
06 notepad!WinMainCRTStartup
07 kernel32!BaseProcessStart
case WM_SYSKEYDOWN:
if (((WORD)wParam == VK_BACK) && ((DWORD)lParam & SYS_ALTERNATE))
{
SendMessage(ped->hwnd, EM_UNDO, 0, 0L);
break;
}
goto PassToDefaultWindowProc;
default:
PassToDefaultWindowProc:
return DefWindowProc(ped->hwnd, message, wParam, lParam);
}
return TRUE;
}
1: kd> p
Breakpoint 13 hit
eax=800112b0 ebx=0000020c ecx=affbe38a edx=00000200 esi=bc67f1e4 edi=e1863210
eip=bf82e5b1 esp=ba486c20 ebp=ba486ca8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
win32k!xxxDWP_ProcessVirtKey:
bf82e5b1 55 push ebp
1: kd> kc
#
00 win32k!xxxDWP_ProcessVirtKey
01 win32k!xxxRealDefWindowProc
02 win32k!xxxWrapRealDefWindowProc
03 win32k!NtUserfnDWORD
04 win32k!NtUserMessageCall
05 nt!_KiSystemService
06 SharedUserData!SystemCallStub
07 USER32!NtUserMessageCall
08 USER32!IsWindowVisible
09 USER32!DefWindowProcW_wrapper
0a COMCTL32!EditML_WndProc
0b COMCTL32!Edit_WndProc
0c USER32!InternalCallWinProc
0d USER32!UserCallWinProcCheckWow
0e USER32!DispatchMessageWorker
0f USER32!DispatchMessageW
10 notepad!WinMain
11 notepad!WinMainCRTStartup
12 kernel32!BaseProcessStart
1: kd> kv 2
# ChildEBP RetAddr Args to Child
00 ba486c1c bf8f9ad5 00000012 bf9daf44 bf9daf68 win32k!xxxDWP_ProcessVirtKey (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\dwp.c @ 239]
01 ba486ca8 bf8a1521 bc67f1e4 00000104 00000012 win32k!xxxRealDefWindowProc+0xaf9 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\dwp.c @ 1864]
windbg> .open -a ffffffffbf8f9ad5
message = 0x104
wParam = 0x12
lParam = 0n540540932
1: kd> ?0n540540932
Evaluate expression: 540540932 = 20380004
#define SYS_ALTERNATE 0x20000000
LRESULT xxxRealDefWindowProc(
PWND pwnd,
UINT message,
WPARAM wParam,
LPARAM lParam)
{
case WM_SYSKEYDOWN:
{
PTHREADINFO pti = PtiCurrent();
/*
* Is the ALT key down?
*/
if (HIWORD(lParam) & SYS_ALTERNATE) {
/*
* Toggle QF_FMENUSTATUS iff this is NOT a repeat KEYDOWN
* message; Only if the prev key state was 0, then this is the
* first KEYDOWN message and then we consider toggling menu
* status; Fix for Bugs #4531 & #4566 --SANKAR-- 10-02-89.
*/
if ((HIWORD(lParam) & SYS_PREVKEYSTATE) == 0) {
/*
* Don't have to lock pwndActive because it's
* processing this key.
*/
if ((wParam == VK_MENU) &&
!(pti->pq->QF_flags & QF_FMENUSTATUS)) {
pti->pq->QF_flags |= QF_FMENUSTATUS;
xxxDrawMenuBarUnderlines(pwnd, TRUE);
} else {
pti->pq->QF_flags &= ~(QF_FMENUSTATUS|QF_FMENUSTATUSBREAK);
}
}
pti->pq->QF_flags &= ~QF_FF10STATUS;
xxxDWP_ProcessVirtKey((UINT)wParam);//wParam = 0x12
1: kd> g
(s: 0 0x398.f8 notepad.exe) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x398.f8 notepad.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
Breakpoint 12 hit
eax=ba486bc8 ebx=e17b5d68 ecx=e1863200 edx=bc510000 esi=0000001c edi=00000000
eip=bf808d6a esp=ba486aa4 ebp=ba486c44 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
win32k!xxxSkipSysMsg:
bf808d6a 55 push ebp
1: kd> dv
pti = 0xe17b5d68
pqmsg = 0xba486bc8
fDown = 0n-1082094230
pqmsgT = 0xbf808d6a
vk = 0x00 ''
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xba486bc8)
((win32k!tagQMSG *)0xba486bc8) : 0xba486bc8 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe16fff58 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0x0 [Type: tagQMSG *]
[+0x008] msg : {msg=0x104 wp=0x73 lp=0x203e0001} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
1: kd> g
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] fnDWORD, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserMessageCall, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ERASEBKGND), retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
Breakpoint 4 hit
eax=00000001 ebx=0018007f ecx=0006fec0 edx=7ffe0304 esi=00000000 edi=77cfb03c
eip=010029e5 esp=0006fef0 ebp=0006ff1c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
notepad!WinMain+0xd0:
001b:010029e5 8d45e0 lea eax,[ebp-20h]
1: kd> t
eax=0006fefc ebx=0018007f ecx=0006fec0 edx=7ffe0304 esi=00000000 edi=77cfb03c
eip=77cc4007 esp=0006fee8 ebp=0006ff1c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
USER32!DispatchMessageW:
001b:77cc4007 55 push ebp
1: kd> dv
lpMsg = 0x0006fefc {msg=0x104 wp=0x73 lp=0x203e0001}
1: kd> g
Breakpoint 16 hit
eax=000000d9 ebx=00000000 ecx=fffffff5 edx=00000081 esi=00097fa0 edi=77cc444f
eip=6f68bb46 esp=0006fd94 ebp=0006fdc8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
COMCTL32!EditML_WndProc:
001b:6f68bb46 6a7c push 7Ch
1: kd> dv
ped = 0x00097fa0
message = 0x104
wParam = 0x73
lParam = 0n540934145
1: kd> ?0n540934145
Evaluate expression: 540934145 = 203e0001
1: kd> kc
#
00 win32k!xxxRealDefWindowProc
01 win32k!xxxWrapRealDefWindowProc
02 win32k!NtUserfnDWORD
03 win32k!NtUserMessageCall
04 nt!_KiSystemService
05 SharedUserData!SystemCallStub
06 USER32!NtUserMessageCall
07 USER32!IsWindowVisible
08 USER32!DefWindowProcW_wrapper
09 COMCTL32!EditML_WndProc
0a COMCTL32!Edit_WndProc
0b USER32!InternalCallWinProc
0c USER32!UserCallWinProcCheckWow
0d USER32!DispatchMessageWorker
0e USER32!DispatchMessageW
0f notepad!WinMain
10 notepad!WinMainCRTStartup
11 kernel32!BaseProcessStart
1: kd> bd 14
1: kd> dv
pwnd = 0xbc67f1e4
message = 0x104
wParam = 0x73
lParam = 0n540934145
1: kd> ?0n540934145
Evaluate expression: 540934145 = 203e0001 带着ALT标记呢（lParam 的 bit 29 已置位，对应 SYS_ALTERNATE 0x20000000，即这是 ALT 按下状态下产生的按键消息）。
case WM_SYSKEYDOWN:
{
PTHREADINFO pti = PtiCurrent();
/*
* Is the ALT key down?
*/
if (HIWORD(lParam) & SYS_ALTERNATE) {
/*
* Toggle QF_FMENUSTATUS iff this is NOT a repeat KEYDOWN
* message; Only if the prev key state was 0, then this is the
* first KEYDOWN message and then we consider toggling menu
* status; Fix for Bugs #4531 & #4566 --SANKAR-- 10-02-89.
*/
if ((HIWORD(lParam) & SYS_PREVKEYSTATE) == 0) {
/*
* Don't have to lock pwndActive because it's
* processing this key.
*/
if ((wParam == VK_MENU) &&
!(pti->pq->QF_flags & QF_FMENUSTATUS)) {
pti->pq->QF_flags |= QF_FMENUSTATUS;
xxxDrawMenuBarUnderlines(pwnd, TRUE);
} else {
pti->pq->QF_flags &= ~(QF_FMENUSTATUS|QF_FMENUSTATUSBREAK); 这个: 此时 wParam = 0x73 (VK_F4)，不等于 VK_MENU (0x12)，所以走的是 else 分支，清除菜单状态标志。
}
1: kd> t
eax=e1863210 ebx=0000020c ecx=00000106 edx=00000128 esi=bc67f1e4 edi=e1863210
eip=bf82e5b1 esp=ba486c20 ebp=ba486ca8 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
win32k!xxxDWP_ProcessVirtKey:
bf82e5b1 55 push ebp
1: kd> dv
wKey = 0x73
pti = 0x00000008
tlpwndActive = struct _TL
__pobj_ = 0xbf82e5b1
1: kd> dv
wKey = 0x73
pti = 0xe17b5d68
tlpwndActive = struct _TL
__pobj_ = 0xbc67c38c
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagTHREADINFO *)0xe17b5d68)
((win32k!tagTHREADINFO *)0xe17b5d68) : 0xe17b5d68 [Type: tagTHREADINFO *]
[+0x000] pEThread : 0x89617da0 [Type: _ETHREAD *]
[+0x004] RefCount : 0x1 [Type: unsigned long]
[+0x008] ptlW32 : 0x0 [Type: _TL *]
[+0x00c] pgdiDcattr : 0x8e0740 [Type: void *]
[+0x010] pgdiBrushAttr : 0x0 [Type: void *]
[+0x014] pUMPDObjs : 0x0 [Type: void *]
[+0x018] pUMPDHeap : 0x0 [Type: void *]
[+0x01c] pUMPDObj : 0x0 [Type: void *]
[+0x020] GdiTmpAllocList [Type: _LIST_ENTRY]
[+0x028] ptl : 0xba486d14 [Type: _TL *]
[+0x02c] ppi : 0xe2f79018 [Type: tagPROCESSINFO *]
[+0x030] pq : 0xe1863210 [Type: tagQ *]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQ *)0xe1863210)
((win32k!tagQ *)0xe1863210) : 0xe1863210 [Type: tagQ *]
[+0x000] mlInput [Type: tagMLIST]
[+0x00c] ptiSysLock : 0xe17b5d68 [Type: tagTHREADINFO *]
[+0x010] idSysLock : 0x1 [Type: unsigned long]
[+0x014] idSysPeek : 0x0 [Type: unsigned long]
[+0x018] ptiMouse : 0xe17b5d68 [Type: tagTHREADINFO *]
[+0x01c] ptiKeyboard : 0xe17b5d68 [Type: tagTHREADINFO *]
[+0x020] spwndCapture : 0xbc67f1e4 [Type: tagWND *]
[+0x024] spwndFocus : 0xbc67f1e4 [Type: tagWND *]
[+0x028] spwndActive : 0xbc67c38c [Type: tagWND *]
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagWND *)0xbc67c38c)
((win32k!tagWND *)0xbc67c38c) : 0xbc67c38c [Type: tagWND *]
[+0x000] head [Type: _THRDESKHEAD]
[+0x060] lpfnWndProc : 0x10033c9 [Type: long (*)(tagWND *,unsigned int,unsigned int,long)]
1: kd> u 10033c9
notepad!NPWndProc [d:\srv03rtm\shell\osshell\accesory\notepad\notepad.c @ 1164]:
010033c9 55 push ebp
010033ca 8bec mov ebp,esp
010033cc 51 push ecx
010033cd 51 push ecx
010033ce 56 push esi
010033cf 8b750c mov esi,dword ptr [ebp+0Ch]
010033d2 83fe1c cmp esi,1Ch
010033d5 57 push edi
void xxxDWP_ProcessVirtKey(
UINT wKey)
{
PTHREADINFO pti;
TL tlpwndActive;
pti = PtiCurrent();
if (pti->pq->spwndActive == NULL)
return;
switch (wKey) {
case VK_F4:
if (TestCF(pti->pq->spwndActive, CFNOCLOSE))
break;
/*
* Don't change the focus if the child window has it.
*/
if (pti->pq->spwndFocus == NULL ||
GetTopLevelWindow(pti->pq->spwndFocus) !=
pti->pq->spwndActive) {
ThreadLockAlwaysWithPti(pti, pti->pq->spwndActive, &tlpwndActive);
xxxSetFocus(pti->pq->spwndActive);
ThreadUnlock(&tlpwndActive);
}
_PostMessage(pti->pq->spwndActive, WM_SYSCOMMAND, SC_CLOSE, 0L);
break;
这里是通过 _PostMessage 向活动窗口 spwndActive（其 lpfnWndProc 即 notepad!NPWndProc）投递消息 WM_SYSCOMMAND(SC_CLOSE)；注意在此之前先做了 TestCF(CFNOCLOSE) 检查，带有该类标志的窗口会直接 break，不会被 ALT+F4 关闭。
参考:
1: kd> kc
#
00 win32k!xxxSysCommand
01 win32k!xxxRealDefWindowProc
02 win32k!xxxWrapRealDefWindowProc
03 win32k!NtUserfnDWORD
04 win32k!NtUserMessageCall
05 nt!_KiSystemService
06 SharedUserData!SystemCallStub
07 USER32!NtUserMessageCall
08 USER32!RealDefWindowProcW
09 USER32!DefWindowProcW
0a USER32!DefWindowProcW_wrapper
0b notepad!NPWndProc
0c USER32!InternalCallWinProc
0d USER32!UserCallWinProcCheckWow
0e USER32!DispatchMessageWorker
0f USER32!DispatchMessageW
10 notepad!WinMain
11 notepad!WinMainCRTStartup
12 kernel32!BaseProcessStart
参考:
bp notepad!NPWndProc
1: kd> g
(s: 0 0x398.f8 notepad.exe) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x398.f8 notepad.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x398.f8 notepad.exe) USRK-[StubReturn] NtUserGetMessage, retval = 1
Breakpoint 43 hit
eax=0006fefc ebx=0018007f ecx=bb40e64e edx=7ffe0304 esi=00000000 edi=77cfb03c
eip=77cbe820 esp=0006fee8 ebp=0006ff1c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
USER32!TranslateMessage:
001b:77cbe820 55 push ebp
1: kd> dv
pmsg = 0x0006fefc {msg=0x112 wp=0xf060 lp=0x0}
1: kd> g
Breakpoint 4 hit
eax=00000000 ebx=0018007f ecx=0006fefc edx=7ffe0304 esi=00000000 edi=77cfb03c
eip=010029e5 esp=0006fef0 ebp=0006ff1c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
notepad!WinMain+0xd0:
001b:010029e5 8d45e0 lea eax,[ebp-20h]
1: kd> dv
hInstance = 0x01000000
hPrevInstance = 0x00000000
lpAnsiCmdLine = 0x00092eda ""
cmdShow = 0n1
msg = {msg=0x112 wp=0xf060 lp=0x0}
lpfnRegisterPenApp = 0x00000000
WM_SYSCOMMAND = $0112 //当用户从窗口菜单中选择一条命令，或选择最大化/最小化按钮时，该窗口会收到此消息
#define SC_CLOSE 0xF060
1: kd> kc
#
00 notepad!NPWndProc
01 USER32!InternalCallWinProc
02 USER32!UserCallWinProcCheckWow
03 USER32!DispatchMessageWorker
04 USER32!DispatchMessageW
05 notepad!WinMain
06 notepad!WinMainCRTStartup
07 kernel32!BaseProcessStart
1: kd> dv
hwnd = 0x00070078
message = 0x112
wParam = 0xf060
lParam = 0n0
iParts = int [2]
1: kd> bd 14
1: kd> kc
#
00 win32k!xxxRealDefWindowProc
01 win32k!xxxWrapRealDefWindowProc
02 win32k!NtUserfnDWORD
03 win32k!NtUserMessageCall
04 nt!_KiSystemService
05 SharedUserData!SystemCallStub
06 USER32!NtUserMessageCall
07 COMCTL32!EditML_WndProc
08 USER32!InternalCallWinProc
09 USER32!UserCallWinProcCheckWow
0a USER32!DispatchMessageWorker
0b USER32!DispatchMessageW
0c notepad!WinMain
0d notepad!WinMainCRTStartup
0e kernel32!BaseProcessStart
1: kd> dv
pwnd = 0xbc67c38c
message = 0x112
wParam = 0xf060
lParam = 0n0
1: kd> t
eax=00000000 ebx=0000020c ecx=00000106 edx=00000128 esi=bc67c38c edi=bf9daf44
eip=bf83e3fe esp=ba486c18 ebp=ba486ca8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!xxxSysCommand:
bf83e3fe 55 push ebp
1: kd> kc
#
00 win32k!xxxSysCommand
01 win32k!xxxRealDefWindowProc
02 win32k!xxxWrapRealDefWindowProc
03 win32k!NtUserfnDWORD
04 win32k!NtUserMessageCall
05 nt!_KiSystemService
06 SharedUserData!SystemCallStub
07 USER32!NtUserMessageCall
08 COMCTL32!EditML_WndProc
09 USER32!InternalCallWinProc
0a USER32!UserCallWinProcCheckWow
0b USER32!DispatchMessageWorker
0c USER32!DispatchMessageW
0d notepad!WinMain
0e notepad!WinMainCRTStartup
0f kernel32!BaseProcessStart
1: kd> dv
pwnd = 0xbc67c38c
cmd = 0xf060
lParam = 0n0
tlpwnd = struct _TL
case WM_SYSCOMMAND:
xxxSysCommand(pwnd, (UINT)wParam, lParam);
break;
case SC_CLOSE:
xxxSendMessage(pwnd, WM_CLOSE, 0L, 0L);
return;
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagWND *)0xbc67c38c)
((win32k!tagWND *)0xbc67c38c) : 0xbc67c38c [Type: tagWND *]
[+0x000] head [Type: _THRDESKHEAD]
[+0x014] state : 0x40020049 [Type: unsigned long]
[+0x018] state2 : 0x80000300 [Type: unsigned long]
[+0x01c] ExStyle : 0x910 [Type: unsigned long]
[+0x020] style : 0x14cf0000 [Type: unsigned long]
[+0x060] lpfnWndProc : 0x10033c9 [Type: long (*)(tagWND *,unsigned int,unsigned int,long)]
1: kd> u 10033c9
notepad!NPWndProc [d:\srv03rtm\shell\osshell\accesory\notepad\notepad.c @ 1164]:
010033c9 55 push ebp
010033ca 8bec mov ebp,esp
010033cc 51 push ecx
010033cd 51 push ecx
010033ce 56 push esi
010033cf 8b750c mov esi,dword ptr [ebp+0Ch]
010033d2 83fe1c cmp esi,1Ch
010033d5 57 push edi
1: kd> g
(s: 0 0x398.f8 notepad.exe) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x398.f8 notepad.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
Breakpoint 12 hit
eax=ba486bc8 ebx=e17b5d68 ecx=e18632c0 edx=bc510000 esi=0000001c edi=00000001
eip=bf808d6a esp=ba486aa4 ebp=ba486c44 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
win32k!xxxSkipSysMsg:
bf808d6a 55 push ebp
1: kd> dv
pti = 0xe17b5d68
pqmsg = 0xba486bc8
fDown = 0n-1082094230
pqmsgT = 0xbf808d6a
vk = 0x00 ''
1: kd> dx -id 0,0,89424c18 -r1 ((win32k!tagQMSG *)0xba486bc8)
((win32k!tagQMSG *)0xba486bc8) : 0xba486bc8 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe2ee8a28 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0x0 [Type: tagQMSG *]
[+0x008] msg : {msg=0x105 wp=0x73 lp=0x203e0001} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe17b5d68 [Type: tagTHREADINFO *]
