winlogon登录对话框中USER32!SLEditWndProc函数分析之WM_CHAR消息是如何来的——重要
0: kd> g
Breakpoint 17 hit
eax=e1630530 ebx=00000000 ecx=00000101 edx=bc510000 esi=00040001 edi=e16fa0a8
eip=bf8ad0ba esp=f75d68c0 ebp=f75d693c iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!PostInputMessage:
bf8ad0ba 55 push ebp
0: kd> dv
pq = 0xe1630530
pwnd = 0x00000000
message = 0x101
wParam = 0x33
lParam = 0n262145
time = 0xffec66bb
dwExtraInfo = 0
0: kd> bd 43
0: kd> be 43
0: kd> bl
38 d Enable Clear 77cdfedd [d:\srv03rtm\windows\core\ntuser\client\dlgmgr.c @ 1109] 0001 (0001) USER32!DialogBox2+0xe2
39 d Enable Clear 77cc06d3 [d:\srv03rtm\windows\core\ntuser\client\cltxt.h @ 764] 0001 (0001) USER32!SendMessageW
40 d Enable Clear 771803ce [d:\srv03rtm\shell\comctl32\v5\subclass.c @ 1343] 0001 (0001) Comctl32!MasterSubclassProc
41 d Enable Clear 77cc2325 [d:\srv03rtm\windows\core\ntuser\client\editsl.c @ 2523] 0001 (0001) USER32!SLEditWndProc
42 d Enable Clear 77f5e0a3 [d:\srv03rtm\base\ntos\rtl\sertl.c @ 535] 0001 (0001) ntdll!RtlRunEncodeUnicodeString+0x79
43 e Disable Clear 77cbe820 [d:\srv03rtm\windows\core\ntuser\client\ntstubs.c @ 1207] 0001 (0001) USER32!TranslateMessage
44 d Enable Clear bf8108ee e 1 0001 (0001) win32k!NtUserTranslateMessage
0: kd> be 40
0: kd> be 40
0: kd> be 39
0: kd> dv
pq = 0xe1630530
pwnd = 0x00000000
message = 0x101
wParam = 0x33
lParam = 0n262145
time = 0xffec66bb
dwExtraInfo = 0
0: kd> g
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserWaitMessage, retval = 1
456.460> Winlogon-Trace-Timeout: Enabling timeout after 120 seconds
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserKillTimer, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserSetTimer, retval = 7ebc
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubCallback] SfnHkINDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserCallMsgFilter, retval = 0
Breakpoint 39 hit
eax=00000000 ebx=00000002 ecx=007d4124 edx=00000201 esi=0006f8f8 edi=00000087
eip=77cc06d3 esp=0006f8b0 ebp=0006f8dc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
USER32!SendMessageW:
001b:77cc06d3 55 push ebp
1: kd> dv
hwnd = 0x000800ec
message = 0x87
wParam = 0x33
lParam = 0n456952
1: kd> kc
#
00 USER32!SendMessageW
01 USER32!IsDialogMessageW
02 USER32!DialogBox2
03 USER32!InternalDialogBox
04 USER32!DialogBoxIndirectParamAorW
05 USER32!DialogBoxParamW
06 USER32!DialogBoxParamW_wrapper
07 winlogon!Fusion_DialogBoxParam
08 winlogon!TimeoutDialogBoxParam
09 winlogon!WlxDialogBoxParam
0a MSGINA!WlxWkstaLockedSAS
0b winlogon!DoLockWksta
0c winlogon!DoScreenSaver
0d winlogon!LoggedonDlgProc
0e winlogon!RootDlgProc
0f USER32!InternalCallWinProc
10 USER32!UserCallDlgProcCheckWow
11 USER32!DefDlgProcWorker
12 USER32!DefDlgProcW
13 USER32!InternalCallWinProc
14 USER32!UserCallWinProcCheckWow
15 USER32!DispatchMessageWorker
16 USER32!DispatchMessageW
17 USER32!IsDialogMessageW
18 USER32!DialogBox2
19 USER32!InternalDialogBox
1a USER32!DialogBoxIndirectParamAorW
1b USER32!DialogBoxParamW
1c USER32!DialogBoxParamW_wrapper
1d winlogon!Fusion_DialogBoxParam
1e winlogon!TimeoutDialogBoxParam
1f winlogon!WlxDialogBoxParam
20 winlogon!BlockWaitForUserAction
21 winlogon!MainLoop
22 winlogon!WinMain
23 winlogon!WinMainCRTStartup
case WM_KEYDOWN:
code = (UINT)SendMessage(lpMsg->hwnd, WM_GETDLGCODE, lpMsg->wParam,
(LPARAM)lpMsg);
if (code & (DLGC_WANTALLKEYS | DLGC_WANTMESSAGE))
break;
switch (lpMsg->wParam) {
case VK_TAB:
1: kd> g
Breakpoint 40 hit
eax=c0000000 ebx=00000000 ecx=40000000 edx=00000000 esi=771803ce edi=0006f824
eip=771803ce esp=0006f7b0 ebp=0006f7d8 iopl=0 ov up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a87
Comctl32!MasterSubclassProc:
001b:771803ce 6a20 push 20h
1: kd> kc
#
00 Comctl32!MasterSubclassProc
01 USER32!InternalCallWinProc
02 USER32!UserCallWinProcCheckWow
03 USER32!SendMessageWorker
04 USER32!SendMessageW
05 USER32!IsDialogMessageW
06 USER32!DialogBox2
07 USER32!InternalDialogBox
08 USER32!DialogBoxIndirectParamAorW
09 USER32!DialogBoxParamW
0a USER32!DialogBoxParamW_wrapper
0b winlogon!Fusion_DialogBoxParam
0c winlogon!TimeoutDialogBoxParam
0d winlogon!WlxDialogBoxParam
0e MSGINA!WlxWkstaLockedSAS
0f winlogon!DoLockWksta
10 winlogon!DoScreenSaver
11 winlogon!LoggedonDlgProc
12 winlogon!RootDlgProc
13 USER32!InternalCallWinProc
14 USER32!UserCallDlgProcCheckWow
15 USER32!DefDlgProcWorker
16 USER32!DefDlgProcW
17 USER32!InternalCallWinProc
18 USER32!UserCallWinProcCheckWow
19 USER32!DispatchMessageWorker
1a USER32!DispatchMessageW
1b USER32!IsDialogMessageW
1c USER32!DialogBox2
1d USER32!InternalDialogBox
1e USER32!DialogBoxIndirectParamAorW
1f USER32!DialogBoxParamW
20 USER32!DialogBoxParamW_wrapper
21 winlogon!Fusion_DialogBoxParam
22 winlogon!TimeoutDialogBoxParam
23 winlogon!WlxDialogBoxParam
24 winlogon!BlockWaitForUserAction
25 winlogon!MainLoop
26 winlogon!WinMain
27 winlogon!WinMainCRTStartup
1: kd> dv
hWnd = 0x000800ec
uMsg = 0x87
wParam = 0x33
lParam = 0n456952
Frame = struct _SUBCLASS_FRAME
pHeader = 0x007d3ef4
lResult = 0n456740
szFile = unsigned short [41]
gAlwaysAssert = 0n0
szFile = unsigned short [41]
gAlwaysAssert = 0n0
szFile = unsigned short [41]
gAlwaysAssert = 0n0
szFile = unsigned short [41]
gAlwaysAssert = 0n0
1: kd> ?0n456952
Evaluate expression: 456952 = 0006f8f8
1: kd> g
Breakpoint 45 hit
eax=00000089 ebx=00000002 ecx=004c0c9c edx=000800ec esi=0006f8f8 edi=00000087
eip=77cdb37e esp=0006f8c4 ebp=0006f8dc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
USER32!IsDialogMessageW+0x297:
001b:77cdb37e a804 test al,4
case WM_KEYDOWN:
code = (UINT)SendMessage(lpMsg->hwnd, WM_GETDLGCODE, lpMsg->wParam,
(LPARAM)lpMsg);
if (code & (DLGC_WANTALLKEYS | DLGC_WANTMESSAGE))
break;
code = eax = 0x00000089 = DLGC_WANTCHARS (0x0080) | DLGC_HASSETSEL (0x0008) | DLGC_WANTARROWS (0x0001)。其中 DLGC_WANTALLKEYS / DLGC_WANTMESSAGE (0x0004) 这一位为 0，所以上面 IsDialogMessageW+0x297 处的 `test al,4` 不会走到 break，WM_KEYDOWN 继续交给下面的 TranslateMessage / DispatchMessage 处理。
/* dialog codes */
#define DLGC_WANTARROWS 0x0001
#define DLGC_WANTTAB 0x0002
#define DLGC_WANTALLKEYS 0x0004
#define DLGC_WANTMESSAGE 0x0004
#define DLGC_HASSETSEL 0x0008
#define DLGC_DEFPUSHBUTTON 0x0010
#define DLGC_UNDEFPUSHBUTTON 0x0020
#define DLGC_RADIOBUTTON 0x0040
#define DLGC_WANTCHARS 0x0080
#define DLGC_STATIC 0x0100
#define DLGC_BUTTON 0x2000
TranslateMessage(lpMsg);
DispatchMessage(lpMsg);
return TRUE;
}
1: kd> t
Breakpoint 43 hit
eax=00000089 ebx=00000002 ecx=00000008 edx=000800ec esi=0006f8f8 edi=00000087
eip=77cbe820 esp=0006f8bc ebp=0006f8dc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
USER32!TranslateMessage:
001b:77cbe820 55 push ebp
1: kd> kc
#
00 USER32!TranslateMessage
01 USER32!IsDialogMessageW
02 USER32!DialogBox2
03 USER32!InternalDialogBox
04 USER32!DialogBoxIndirectParamAorW
05 USER32!DialogBoxParamW
06 USER32!DialogBoxParamW_wrapper
07 winlogon!Fusion_DialogBoxParam
08 winlogon!TimeoutDialogBoxParam
09 winlogon!WlxDialogBoxParam
0a MSGINA!WlxWkstaLockedSAS
0b winlogon!DoLockWksta
0c winlogon!DoScreenSaver
0d winlogon!LoggedonDlgProc
0e winlogon!RootDlgProc
0f USER32!InternalCallWinProc
10 USER32!UserCallDlgProcCheckWow
11 USER32!DefDlgProcWorker
12 USER32!DefDlgProcW
13 USER32!InternalCallWinProc
14 USER32!UserCallWinProcCheckWow
15 USER32!DispatchMessageWorker
16 USER32!DispatchMessageW
17 USER32!IsDialogMessageW
18 USER32!DialogBox2
19 USER32!InternalDialogBox
1a USER32!DialogBoxIndirectParamAorW
1b USER32!DialogBoxParamW
1c USER32!DialogBoxParamW_wrapper
1d winlogon!Fusion_DialogBoxParam
1e winlogon!TimeoutDialogBoxParam
1f winlogon!WlxDialogBoxParam
20 winlogon!BlockWaitForUserAction
21 winlogon!MainLoop
22 winlogon!WinMain
23 winlogon!WinMainCRTStartup
1: kd> dv
pmsg = 0x0006f8f8 {msg=0x100 wp=0x33 lp=0x40001}
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagQ *)0xe1630530)
((win32k!tagQ *)0xe1630530) : 0xe1630530 [Type: tagQ *]
[+0x000] mlInput [Type: tagMLIST]
1: kd> dx -id 0,0,8960a020 -r1 (*((win32k!tagMLIST *)0xe1630530))
(*((win32k!tagMLIST *)0xe1630530)) [Type: tagMLIST]
[+0x000] pqmsgRead : 0xe31096b8 [Type: tagQMSG *]
[+0x004] pqmsgWriteLast : 0xe31096b8 [Type: tagQMSG *]
[+0x008] cMsgs : 0x1 [Type: unsigned long]
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagQMSG *)0xe31096b8)
((win32k!tagQMSG *)0xe31096b8) : 0xe31096b8 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0x0 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0x0 [Type: tagQMSG *]
[+0x008] msg : {msg=0x101 wp=0x33 lp=0x40001} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe1404c50 [Type: tagTHREADINFO *]
msg=0x100 wp=0x33 已经被取走；此时队列中只剩一条消息（cMsgs = 0x1），即 msg=0x101 wp=0x33。
1: kd> g
Breakpoint 44 hit
eax=89413020 ebx=bf8108ee ecx=00000000 edx=0006f89c esi=0006f8a4 edi=f75c6d58
eip=bf8108ee esp=f75c6d4c ebp=f75c6d64 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!NtUserTranslateMessage:
bf8108ee 6a28 push 28h
1: kd> kc
#
00 win32k!NtUserTranslateMessage
01 nt!_KiSystemService
02 SharedUserData!SystemCallStub
03 USER32!NtUserTranslateMessage
04 USER32!TranslateMessage
05 USER32!IsDialogMessageW
06 USER32!DialogBox2
07 USER32!InternalDialogBox
08 USER32!DialogBoxIndirectParamAorW
09 USER32!DialogBoxParamW
0a USER32!DialogBoxParamW_wrapper
0b winlogon!Fusion_DialogBoxParam
0c winlogon!TimeoutDialogBoxParam
0d winlogon!WlxDialogBoxParam
0e MSGINA!WlxWkstaLockedSAS
0f winlogon!DoLockWksta
10 winlogon!DoScreenSaver
11 winlogon!LoggedonDlgProc
12 winlogon!RootDlgProc
13 USER32!InternalCallWinProc
14 USER32!UserCallDlgProcCheckWow
15 USER32!DefDlgProcWorker
16 USER32!DefDlgProcW
17 USER32!InternalCallWinProc
18 USER32!UserCallWinProcCheckWow
19 USER32!DispatchMessageWorker
1a USER32!DispatchMessageW
1b USER32!IsDialogMessageW
1c USER32!DialogBox2
1d USER32!InternalDialogBox
1e USER32!DialogBoxIndirectParamAorW
1f USER32!DialogBoxParamW
20 USER32!DialogBoxParamW_wrapper
21 winlogon!Fusion_DialogBoxParam
22 winlogon!TimeoutDialogBoxParam
23 winlogon!WlxDialogBoxParam
24 winlogon!BlockWaitForUserAction
25 winlogon!MainLoop
26 winlogon!WinMain
27 winlogon!WinMainCRTStartup
1: kd> bd 44
1: kd> dv
lpMsg = 0x0006f8f8 {msg=0x100 wp=0x33 lp=0x40001}
flags = 0
msg = {msg=0x6f89c wp=0x0 lp=0x89413020}
nLocks_ = 0n-144937640
case WM_SYSKEYUP:
case WM_KEYDOWN:
case WM_KEYUP:
pti = PtiCurrent();
if ((pti->pMenuState != NULL) &&
(HW(pti->pMenuState->pGlobalPopupMenu->spwndPopupMenu) ==
pmsg->hwnd)) {
uiTMFlags |= TM_INMENUMODE;
} else {
uiTMFlags &= ~TM_INMENUMODE;
}
/*
* Don't change the contents of the passed in structure.
*/
lParam = pmsg->lParam;
/*
* For backward compatibility, mask the virtual key value.
*/
uVirKey = LOWORD(pmsg->wParam);
cChar = xxxInternalToUnicode(uVirKey, // virtual key code
HIWORD(lParam), // scan code, make/break bit
pti->pq->afKeyState,
awch, sizeof(awch)/sizeof(awch[0]),
uiTMFlags, &dwKeyFlags, NULL);
lParam |= (dwKeyFlags & ALTNUMPAD_BIT);
1: kd> p
eax=00000033 ebx=00040001 ecx=bc640008 edx=bc510000 esi=f75c6d10 edi=e1404c50
eip=bf8e366a esp=f75c6cc0 ebp=f75c6cf4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!xxxTranslateMessage+0x7c:
bf8e366a 6a00 push 0
1: kd> p
eax=00000001 ebx=00040001 ecx=f75c6cd0 edx=00000033 esi=f75c6d10 edi=00000001
eip=bf8e368e esp=f75c6cc0 ebp=f75c6cf4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
win32k!xxxTranslateMessage+0xa0:
bf8e368e 8b4508 mov eax,dword ptr [ebp+8] ss:0010:f75c6cfc=00000000
1: kd> dv
pmsg = 0x00000000
uiTMFlags = 0
fSysKey = 0n0
awch = unsigned short [16]
pwnd = 0x00000000
wMsgType = 0
dwKeyFlags = 0
1: kd> dx -id 0,0,8960a020 -r1 (*((win32k!unsigned short (*)[16])0xf75c6cd0))
(*((win32k!unsigned short (*)[16])0xf75c6cd0)) [Type: unsigned short [16]]
[0] : 0x33 [Type: unsigned short]
[1] : 0x0 [Type: unsigned short]
1: kd> dx -id 0,0,8960a020 -r1 (*((win32k!unsigned char (*)[64])0xe163059c))
(*((win32k!unsigned char (*)[64])0xe163059c)) [Type: unsigned char [64]]
[0] : 0x8 [Type: unsigned char]
[1] : 0x0 [Type: unsigned char]
[2] : 0x8 [Type: unsigned char]
[3] : 0x0 [Type: unsigned char]
[4] : 0x0 [Type: unsigned char]
[5] : 0x0 [Type: unsigned char]
[6] : 0x0 [Type: unsigned char]
[7] : 0x0 [Type: unsigned char]
[8] : 0x0 [Type: unsigned char]
[9] : 0x0 [Type: unsigned char]
[10] : 0x0 [Type: unsigned char]
[11] : 0x20 [Type: unsigned char]
[12] : 0x40 [Type: unsigned char]
[13] : 0x0 [Type: unsigned char]
uVirKey = 0x33 = 0011 0011b。afKeyState 中每个虚拟键占 2 位：高 6 位 001100b = 12，对应 afKeyState[12]；低 2 位 11b = 3，对应该字节中的第 3 对状态位，即 0x40 = 0100 0000b，与上面 dump 中 [12] : 0x40 一致。
cChar = edi = 0x00000001：xxxInternalToUnicode 返回 1 个字符，awch[0] = 0x33。
1: kd> p
eax=00000000 ebx=00040001 ecx=f75c6cd0 edx=00000033 esi=f75c6d10 edi=00000001
eip=bf8e3698 esp=f75c6cc0 ebp=f75c6cf4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
win32k!xxxTranslateMessage+0xaa:
bf8e3698 85ff test edi,edi
if (cChar > 0)
wMsgType = (fSysKey) ? (UINT)WM_SYSCHAR : (UINT)WM_CHAR; 关键代码:
else {
wMsgType = (fSysKey) ? (UINT)WM_SYSDEADCHAR : (UINT)WM_DEADCHAR;
cChar = -cChar; // want positive value
}
1: kd> dv fSysKey
fSysKey = 0n0
BOOL xxxTranslateMessage(
LPMSG pmsg,
UINT uiTMFlags)
{
PTHREADINFO pti;
UINT wMsgType;
int cChar;
BOOL fSysKey = FALSE;
DWORD dwKeyFlags;
LPARAM lParam;
UINT uVirKey;
PWND pwnd;
WCHAR awch[16];
WCHAR *pwch;
switch (pmsg->message) {
default:
return FALSE;
case WM_SYSKEYDOWN:
/*
* HACK carried over from Win3 code: system messages
* only get posted during KEYDOWN processing – so
* set fSysKey only for WM_SYSKEYDOWN.
*/
fSysKey = TRUE;
for (pwch = awch; cChar > 0; cChar–) {
/*
* If this is a multi-character posting, all but the last one
* should be marked as fake keystrokes for Console/VDM.
*/
_PostMessage(pwnd, wMsgType, (WPARAM)*pwch,
lParam | (cChar > 1 ? FAKE_KEYSTROKE : 0));
*pwch = 0; // zero out old character (why?)
pwch += 1;
}
1: kd> t
eax=00000033 ebx=00040001 ecx=bc640008 edx=bc510000 esi=f75c6cd0 edi=00000001
eip=bf80b2ef esp=f75c6cac ebp=f75c6cf4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
win32k!_PostMessage:
bf80b2ef 55 push ebp
1: kd> kc
#
00 win32k!_PostMessage
01 win32k!xxxTranslateMessage
02 win32k!NtUserTranslateMessage
03 nt!_KiSystemService
04 SharedUserData!SystemCallStub
05 USER32!NtUserTranslateMessage
06 USER32!TranslateMessage
07 USER32!IsDialogMessageW
08 USER32!DialogBox2
09 USER32!InternalDialogBox
0a USER32!DialogBoxIndirectParamAorW
0b USER32!DialogBoxParamW
0c USER32!DialogBoxParamW_wrapper
0d winlogon!Fusion_DialogBoxParam
0e winlogon!TimeoutDialogBoxParam
0f winlogon!WlxDialogBoxParam
10 MSGINA!WlxWkstaLockedSAS
11 winlogon!DoLockWksta
12 winlogon!DoScreenSaver
13 winlogon!LoggedonDlgProc
14 winlogon!RootDlgProc
15 USER32!InternalCallWinProc
16 USER32!UserCallDlgProcCheckWow
17 USER32!DefDlgProcWorker
18 USER32!DefDlgProcW
19 USER32!InternalCallWinProc
1a USER32!UserCallWinProcCheckWow
1b USER32!DispatchMessageWorker
1c USER32!DispatchMessageW
1d USER32!IsDialogMessageW
1e USER32!DialogBox2
1f USER32!InternalDialogBox
20 USER32!DialogBoxIndirectParamAorW
21 USER32!DialogBoxParamW
22 USER32!DialogBoxParamW_wrapper
23 winlogon!Fusion_DialogBoxParam
24 winlogon!TimeoutDialogBoxParam
25 winlogon!WlxDialogBoxParam
26 winlogon!BlockWaitForUserAction
27 winlogon!MainLoop
28 winlogon!WinMain
29 winlogon!WinMainCRTStartup
1: kd> dv
pwnd = 0xbc6449ac
message = 0x102
wParam = 0x33
lParam = 0n262145
tlpwnd = struct _TL
fRet = 0n8
fPwndUnlock = 0n-1134278228
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagWND *)0xbc6449ac)
((win32k!tagWND *)0xbc6449ac) : 0xbc6449ac [Type: tagWND *]
[+0x000] head [Type: _THRDESKHEAD]
[+0x014] state : 0x20000 [Type: unsigned long]
[+0x018] state2 : 0x80000310 [Type: unsigned long]
[+0x01c] ExStyle : 0xa04 [Type: unsigned long]
[+0x020] style : 0x500100a0 [Type: unsigned long]
[+0x024] hModule : 0x75080000 [Type: void *]
[+0x028] hMod16 : 0x0 [Type: unsigned short]
[+0x02a] fnid : 0x2a5 [Type: unsigned short]
[+0x02c] spwndNext : 0xbc644ab4 [Type: tagWND *]
[+0x030] spwndPrev : 0xbc644834 [Type: tagWND *]
[+0x034] spwndParent : 0xbc644124 [Type: tagWND *]
[+0x038] spwndChild : 0x0 [Type: tagWND *]
[+0x03c] spwndOwner : 0x0 [Type: tagWND *]
[+0x040] rcWindow : {LT(443, 361) RB(632, 381) [189 x 20]} [Type: tagRECT]
[+0x050] rcClient : {LT(445, 363) RB(630, 379) [185 x 16]} [Type: tagRECT]
[+0x060] lpfnWndProc : 0x771803ce [Type: long (*)(tagWND *,unsigned int,unsigned int,long)]
[+0x064] pcls : 0xbc64253c [Type: tagCLS *]
[+0x068] hrgnUpdate : 0x0 [Type: HRGN__ *]
[+0x06c] ppropList : 0xbc6456bc [Type: tagPROPLIST *]
[+0x070] pSBInfo : 0x0 [Type: tagSBINFO *]
[+0x074] spmenuSys : 0x0 [Type: tagMENU *]
[+0x078] spmenu : 0x7a2 [Type: tagMENU *]
[+0x07c] hrgnClip : 0x0 [Type: HRGN__ *]
[+0x080] strName [Type: _LARGE_UNICODE_STRING]
[+0x08c] cbwndExtra : 6 [Type: int]
[+0x090] spwndLastActive : 0x0 [Type: tagWND *]
[+0x094] hImc : 0x0 [Type: HIMC__ *]
[+0x098] dwUserData : 0x0 [Type: unsigned long]
[+0x09c] pActCtx : 0x0 [Type: _ACTIVATION_CONTEXT *]
1: kd> u 771803ce
Comctl32!MasterSubclassProc [d:\srv03rtm\shell\comctl32\v5\subclass.c @ 1343]:
771803ce 6a20 push 20h
771803d0 6818841477 push offset Comctl32!`string'+0x60 (77148418)
771803d5 e8ca300400 call Comctl32!__SEH_prolog (771c34a4)
771803da 33ff xor edi,edi
771803dc 897de4 mov dword ptr [ebp-1Ch],edi
771803df ff7508 push dword ptr [ebp+8]
771803e2 e8f5ebffff call Comctl32!IsWindowOnCurrentThread (7717efdc)
771803e7 85c0 test eax,eax
1: kd> g
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserTranslateMessage, retval = 1
Breakpoint 40 hit
eax=c0000000 ebx=00000000 ecx=40000000 edx=00000000 esi=771803ce edi=0006f814
eip=771803ce esp=0006f7a0 ebp=0006f7c8 iopl=0 ov up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a87
Comctl32!MasterSubclassProc:
001b:771803ce 6a20 push 20h
1: kd> kc
#
00 Comctl32!MasterSubclassProc
01 USER32!InternalCallWinProc
02 USER32!UserCallWinProcCheckWow
03 USER32!DispatchMessageWorker
04 USER32!DispatchMessageW
05 USER32!IsDialogMessageW
06 USER32!DialogBox2
07 USER32!InternalDialogBox
08 USER32!DialogBoxIndirectParamAorW
09 USER32!DialogBoxParamW
0a USER32!DialogBoxParamW_wrapper
0b winlogon!Fusion_DialogBoxParam
0c winlogon!TimeoutDialogBoxParam
0d winlogon!WlxDialogBoxParam
0e MSGINA!WlxWkstaLockedSAS
0f winlogon!DoLockWksta
10 winlogon!DoScreenSaver
11 winlogon!LoggedonDlgProc
12 winlogon!RootDlgProc
13 USER32!InternalCallWinProc
14 USER32!UserCallDlgProcCheckWow
15 USER32!DefDlgProcWorker
16 USER32!DefDlgProcW
17 USER32!InternalCallWinProc
18 USER32!UserCallWinProcCheckWow
19 USER32!DispatchMessageWorker
1a USER32!DispatchMessageW
1b USER32!IsDialogMessageW
1c USER32!DialogBox2
1d USER32!InternalDialogBox
1e USER32!DialogBoxIndirectParamAorW
1f USER32!DialogBoxParamW
20 USER32!DialogBoxParamW_wrapper
21 winlogon!Fusion_DialogBoxParam
22 winlogon!TimeoutDialogBoxParam
23 winlogon!WlxDialogBoxParam
24 winlogon!BlockWaitForUserAction
25 winlogon!MainLoop
26 winlogon!WinMain
27 winlogon!WinMainCRTStartup
1: kd> dv
hWnd = 0x000800ec
uMsg = 0x100
wParam = 0x33
lParam = 0n262145
Frame = struct _SUBCLASS_FRAME
pHeader = 0x00000002
lResult = 0n456724
szFile = unsigned short [41]
gAlwaysAssert = 0n0
szFile = unsigned short [41]
gAlwaysAssert = 0n0
szFile = unsigned short [41]
gAlwaysAssert = 0n0
szFile = unsigned short [41]
gAlwaysAssert = 0n0
1: kd> g
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserCallMsgFilter, retval = 0
Breakpoint 39 hit
eax=00000000 ebx=00000002 ecx=007d4124 edx=00000201 esi=0006f8f8 edi=007d4124
eip=77cc06d3 esp=0006f8b0 ebp=0006f8dc iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
USER32!SendMessageW:
001b:77cc06d3 55 push ebp
1: kd> kc
#
00 USER32!SendMessageW
01 USER32!IsDialogMessageW
02 USER32!DialogBox2
03 USER32!InternalDialogBox
04 USER32!DialogBoxIndirectParamAorW
05 USER32!DialogBoxParamW
06 USER32!DialogBoxParamW_wrapper
07 winlogon!Fusion_DialogBoxParam
08 winlogon!TimeoutDialogBoxParam
09 winlogon!WlxDialogBoxParam
0a MSGINA!WlxWkstaLockedSAS
0b winlogon!DoLockWksta
0c winlogon!DoScreenSaver
0d winlogon!LoggedonDlgProc
0e winlogon!RootDlgProc
0f USER32!InternalCallWinProc
10 USER32!UserCallDlgProcCheckWow
11 USER32!DefDlgProcWorker
12 USER32!DefDlgProcW
13 USER32!InternalCallWinProc
14 USER32!UserCallWinProcCheckWow
15 USER32!DispatchMessageWorker
16 USER32!DispatchMessageW
17 USER32!IsDialogMessageW
18 USER32!DialogBox2
19 USER32!InternalDialogBox
1a USER32!DialogBoxIndirectParamAorW
1b USER32!DialogBoxParamW
1c USER32!DialogBoxParamW_wrapper
1d winlogon!Fusion_DialogBoxParam
1e winlogon!TimeoutDialogBoxParam
1f winlogon!WlxDialogBoxParam
20 winlogon!BlockWaitForUserAction
21 winlogon!MainLoop
22 winlogon!WinMain
23 winlogon!WinMainCRTStartup
1: kd> dv
hwnd = 0x000800ec
message = 0x87
wParam = 0x33
lParam = 0n456952
1: kd> ?0n456952
Evaluate expression: 456952 = 0006f8f8
1: kd> dt msg 6f8f8
winlogon!MSG
+0x000 hwnd : 0x000800ec HWND__
+0x004 message : 0x102
+0x008 wParam : 0x33
+0x00c lParam : 0n262145
+0x010 time : 0xffec6a54
+0x014 pt : tagPOINT
1: kd> g
Breakpoint 40 hit
eax=c0000000 ebx=00000000 ecx=40000000 edx=00000000 esi=771803ce edi=0006f824
eip=771803ce esp=0006f7b0 ebp=0006f7d8 iopl=0 ov up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a87
Comctl32!MasterSubclassProc:
001b:771803ce 6a20 push 20h
1: kd> kc
#
00 Comctl32!MasterSubclassProc
01 USER32!InternalCallWinProc
02 USER32!UserCallWinProcCheckWow
03 USER32!SendMessageWorker
04 USER32!SendMessageW
05 USER32!IsDialogMessageW
06 USER32!DialogBox2
07 USER32!InternalDialogBox
08 USER32!DialogBoxIndirectParamAorW
09 USER32!DialogBoxParamW
0a USER32!DialogBoxParamW_wrapper
0b winlogon!Fusion_DialogBoxParam
0c winlogon!TimeoutDialogBoxParam
0d winlogon!WlxDialogBoxParam
0e MSGINA!WlxWkstaLockedSAS
0f winlogon!DoLockWksta
10 winlogon!DoScreenSaver
11 winlogon!LoggedonDlgProc
12 winlogon!RootDlgProc
13 USER32!InternalCallWinProc
14 USER32!UserCallDlgProcCheckWow
15 USER32!DefDlgProcWorker
16 USER32!DefDlgProcW
17 USER32!InternalCallWinProc
18 USER32!UserCallWinProcCheckWow
19 USER32!DispatchMessageWorker
1a USER32!DispatchMessageW
1b USER32!IsDialogMessageW
1c USER32!DialogBox2
1d USER32!InternalDialogBox
1e USER32!DialogBoxIndirectParamAorW
1f USER32!DialogBoxParamW
20 USER32!DialogBoxParamW_wrapper
21 winlogon!Fusion_DialogBoxParam
22 winlogon!TimeoutDialogBoxParam
23 winlogon!WlxDialogBoxParam
24 winlogon!BlockWaitForUserAction
25 winlogon!MainLoop
26 winlogon!WinMain
27 winlogon!WinMainCRTStartup
1: kd> dv
hWnd = 0x000800ec
uMsg = 0x87
wParam = 0x33
lParam = 0n456952
1: kd> g
Breakpoint 43 hit
eax=00000089 ebx=00000089 ecx=004c0c9c edx=000800ec esi=0006f8f8 edi=007d4124
eip=77cbe820 esp=0006f8bc ebp=0006f8dc iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000282
USER32!TranslateMessage:
001b:77cbe820 55 push ebp
1: kd> kc
#
00 USER32!TranslateMessage
01 USER32!IsDialogMessageW
02 USER32!DialogBox2
03 USER32!InternalDialogBox
04 USER32!DialogBoxIndirectParamAorW
05 USER32!DialogBoxParamW
06 USER32!DialogBoxParamW_wrapper
07 winlogon!Fusion_DialogBoxParam
08 winlogon!TimeoutDialogBoxParam
09 winlogon!WlxDialogBoxParam
0a MSGINA!WlxWkstaLockedSAS
0b winlogon!DoLockWksta
0c winlogon!DoScreenSaver
0d winlogon!LoggedonDlgProc
0e winlogon!RootDlgProc
0f USER32!InternalCallWinProc
10 USER32!UserCallDlgProcCheckWow
11 USER32!DefDlgProcWorker
12 USER32!DefDlgProcW
13 USER32!InternalCallWinProc
14 USER32!UserCallWinProcCheckWow
15 USER32!DispatchMessageWorker
16 USER32!DispatchMessageW
17 USER32!IsDialogMessageW
18 USER32!DialogBox2
19 USER32!InternalDialogBox
1a USER32!DialogBoxIndirectParamAorW
1b USER32!DialogBoxParamW
1c USER32!DialogBoxParamW_wrapper
1d winlogon!Fusion_DialogBoxParam
1e winlogon!TimeoutDialogBoxParam
1f winlogon!WlxDialogBoxParam
20 winlogon!BlockWaitForUserAction
21 winlogon!MainLoop
22 winlogon!WinMain
23 winlogon!WinMainCRTStartup
1: kd> dv
pmsg = 0x0006f8f8 {msg=0x102 wp=0x33 lp=0x40001}
1: kd> g
Breakpoint 40 hit
eax=c0000000 ebx=00000000 ecx=40000000 edx=00000000 esi=771803ce edi=0006f814
eip=771803ce esp=0006f7a0 ebp=0006f7c8 iopl=0 ov up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a87
Comctl32!MasterSubclassProc:
001b:771803ce 6a20 push 20h
1: kd> kc
#
00 Comctl32!MasterSubclassProc
01 USER32!InternalCallWinProc
02 USER32!UserCallWinProcCheckWow
03 USER32!DispatchMessageWorker
04 USER32!DispatchMessageW
05 USER32!IsDialogMessageW
06 USER32!DialogBox2
07 USER32!InternalDialogBox
08 USER32!DialogBoxIndirectParamAorW
09 USER32!DialogBoxParamW
0a USER32!DialogBoxParamW_wrapper
0b winlogon!Fusion_DialogBoxParam
0c winlogon!TimeoutDialogBoxParam
0d winlogon!WlxDialogBoxParam
0e MSGINA!WlxWkstaLockedSAS
0f winlogon!DoLockWksta
10 winlogon!DoScreenSaver
11 winlogon!LoggedonDlgProc
12 winlogon!RootDlgProc
13 USER32!InternalCallWinProc
14 USER32!UserCallDlgProcCheckWow
15 USER32!DefDlgProcWorker
16 USER32!DefDlgProcW
17 USER32!InternalCallWinProc
18 USER32!UserCallWinProcCheckWow
19 USER32!DispatchMessageWorker
1a USER32!DispatchMessageW
1b USER32!IsDialogMessageW
1c USER32!DialogBox2
1d USER32!InternalDialogBox
1e USER32!DialogBoxIndirectParamAorW
1f USER32!DialogBoxParamW
20 USER32!DialogBoxParamW_wrapper
21 winlogon!Fusion_DialogBoxParam
22 winlogon!TimeoutDialogBoxParam
23 winlogon!WlxDialogBoxParam
24 winlogon!BlockWaitForUserAction
25 winlogon!MainLoop
26 winlogon!WinMain
27 winlogon!WinMainCRTStartup
1: kd> dv
hWnd = 0x000800ec
uMsg = 0x102
wParam = 0x33
lParam = 0n262145
Frame = struct _SUBCLASS_FRAME
pHeader = 0x00000002
lResult = 0n456724
szFile = unsigned short [41]
gAlwaysAssert = 0n0
szFile = unsigned short [41]
gAlwaysAssert = 0n0
szFile = unsigned short [41]
gAlwaysAssert = 0n0
szFile = unsigned short [41]
gAlwaysAssert = 0n0
1: kd> ?0n262145
Evaluate expression: 262145 = 00040001
1: kd> gu
eax=00000000 ebx=00000000 ecx=004c0c9c edx=00000002 esi=01233e04 edi=00000001
eip=77cce6e9 esp=0006f3cc ebp=0006f3e4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
USER32!SLChar+0x21a:
001b:77cce6e9 53 push ebx
1: kd> dv
ped = 0x00000001
keyValue = 0x33
hwndSave = 0x000800ec
DBCSkey = 0n1
keyPress = 0x33
updateText = 0n1
InsertTextLen = 0n1
1: kd> kc
#
00 USER32!SLChar
01 USER32!SLEditWndProc
02 USER32!EditWndProc
03 USER32!EditWndProcWorker
04 USER32!EditWndProcW
05 USER32!InternalCallWinProc
06 USER32!UserCallWinProcCheckWow
07 USER32!CallWindowProcAorW
08 USER32!CallWindowProcW
09 USER32!CallWindowProcW_wrapper
0a Comctl32!CallOriginalWndProc
0b Comctl32!CallNextSubclassProc
0c Comctl32!DefSubclassProc
0d MSGINA!DisableEditSubClassProc
0e Comctl32!CallNextSubclassProc
0f Comctl32!MasterSubclassProc
10 USER32!InternalCallWinProc
11 USER32!UserCallWinProcCheckWow
12 USER32!DispatchMessageWorker
13 USER32!DispatchMessageW
14 USER32!IsDialogMessageW
15 USER32!DialogBox2
16 USER32!InternalDialogBox
17 USER32!DialogBoxIndirectParamAorW
18 USER32!DialogBoxParamW
19 USER32!DialogBoxParamW_wrapper
1a winlogon!Fusion_DialogBoxParam
1b winlogon!TimeoutDialogBoxParam
1c winlogon!WlxDialogBoxParam
1d MSGINA!WlxWkstaLockedSAS
1e winlogon!DoLockWksta
1f winlogon!DoScreenSaver
20 winlogon!LoggedonDlgProc
21 winlogon!RootDlgProc
22 USER32!InternalCallWinProc
23 USER32!UserCallDlgProcCheckWow
24 USER32!DefDlgProcWorker
25 USER32!DefDlgProcW
26 USER32!InternalCallWinProc
27 USER32!UserCallWinProcCheckWow
28 USER32!DispatchMessageWorker
29 USER32!DispatchMessageW
2a USER32!IsDialogMessageW
2b USER32!DialogBox2
2c USER32!InternalDialogBox
2d USER32!DialogBoxIndirectParamAorW
2e USER32!DialogBoxParamW
2f USER32!DialogBoxParamW_wrapper
30 winlogon!Fusion_DialogBoxParam
31 winlogon!TimeoutDialogBoxParam
32 winlogon!WlxDialogBoxParam
33 winlogon!BlockWaitForUserAction
34 winlogon!MainLoop
35 winlogon!WinMain
36 winlogon!WinMainCRTStartup
1: kd> g
456.460> Winlogon-Trace-Timeout: Enabling timeout after 120 seconds
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserKillTimer, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserSetTimer, retval = 7ebb
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubCallback] SfnHkINDWORD, retval = 0
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserCallMsgFilter, retval = 0
Breakpoint 43 hit
eax=ffffff00 ebx=00000002 ecx=007d4124 edx=00000201 esi=0006f8f8 edi=007d4124
eip=77cbe820 esp=0006f8bc ebp=0006f8dc iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000286
USER32!TranslateMessage:
001b:77cbe820 55 push ebp
1: kd> dv
pmsg = 0x0006f8f8 {msg=0x101 wp=0x33 lp=0xc0040001}
1: kd> p
eax=affbe38a ebx=bf8108ee ecx=bc640008 edx=bc510000 esi=0006f914 edi=f75c6d2c
eip=bf8e35f9 esp=f75c6ccc ebp=f75c6cf4 iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000296
win32k!xxxTranslateMessage+0xb:
bf8e35f9 8365d800 and dword ptr [ebp-28h],0 ss:0010:f75c6ccc=f75c6d38
1: kd> dv
pmsg = 0xf75c6d10 {msg=0x101 wp=0x33 lp=0xc0040001}
uiTMFlags = 0
fSysKey = 0n-144937672
cChar = xxxInternalToUnicode(uVirKey, // virtual key code
HIWORD(lParam), // scan code, make/break bit
pti->pq->afKeyState,
awch, sizeof(awch)/sizeof(awch[0]),
uiTMFlags, &dwKeyFlags, NULL);
1: kd> dv
pmsg = 0xf75c6d10 {msg=0x101 wp=0x33 lp=0xc0040001}
uiTMFlags = 0
fSysKey = 0n0
awch = unsigned short [16]
pwnd = 0x00000000
wMsgType = 0
dwKeyFlags = 0xf75c6d10
1: kd> dx -id 0,0,8960a020 -r1 (*((win32k!unsigned short (*)[16])0xf75c6cd0))
(*((win32k!unsigned short (*)[16])0xf75c6cd0)) [Type: unsigned short [16]]
[0] : 0x30 [Type: unsigned short]
[1] : 0x0 [Type: unsigned short]
[2] : 0x6d2c [Type: unsigned short]
[3] : 0xf75c [Type: unsigned short]
[4] : 0xf914 [Type: unsigned short]
[5] : 0x6 [Type: unsigned short]
[6] : 0x8ee [Type: unsigned short]
[7] : 0xbf81 [Type: unsigned short]
[8] : 0x6cf4 [Type: unsigned short]
[9] : 0xf75c [Type: unsigned short]
[10] : 0x0 [Type: unsigned short]
[11] : 0x0 [Type: unsigned short]
[12] : 0x35f1 [Type: unsigned short]
[13] : 0xbf8e [Type: unsigned short]
[14] : 0x8 [Type: unsigned short]
[15] : 0x0 [Type: unsigned short]
1: kd> p
eax=00000033 ebx=c0040001 ecx=bc640008 edx=bc510000 esi=f75c6d10 edi=e1404c50
eip=bf8e366a esp=f75c6cc0 ebp=f75c6cf4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!xxxTranslateMessage+0x7c:
bf8e366a 6a00 push 0
1: kd> p
eax=00000000 ebx=c0040001 ecx=e13e6bb8 edx=f75c6cfc esi=f75c6d10 edi=00000000
eip=bf8e368e esp=f75c6cc0 ebp=f75c6cf4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!xxxTranslateMessage+0xa0:
bf8e368e 8b4508 mov eax,dword ptr [ebp+8] ss:0010:f75c6cfc=00008000