走进Windows 2000 内部(一)
--Windows 源代码解读与发现
拿到Windows2000的源代码有些日子了,业余时间就看看,总结出了一些东西.我先发表一些比较有实用价值的,希望能对大家的学习与工作有所帮助.如果大家觉得有必要,我会陆陆续续发表解读出来的一些东西与大家共同进步.
这一次主要讲讲user32模块里的一些东西.
首先,我们需要一个能访问内核内存的工具函数库.令我感到奇怪的是,user32大量的代码在Kernel Mode下运行.不过那是MS的事,先说说这个工具函数库.我用DDK构建的它.很简单.有两个功能地:读,写内核内存.
为了不偏离主题,只列出最后的函数原形
BOOL WriteSysMemroy(PVOID pAddr , PVOID pBuff , DWORD dwLen);
BOOL ReadSysMemroy(PVOID pBuff , PVOID pAddr , DWORD dwLen);
1 关于THREADINFO
先列出这个结构的原形
// 大部分都有注释,它们的意意慢慢说
typedef struct tagTHREADINFO
{
//W32THREAD;
//PTL ptl; // Listhead for thread lock list
// W32THREAD 和 PTL 是我所不知道的结构,通过SoftICE的帮助,我知道了它们的大小,
//于是我弄了个东东来填充它
PADDING(padding1 , 0x2c);
PVOID ppi; // process info struct for this thread
// type is PPROCESSINFO
PVOID rpdesk; // type is PDESKTOP
PDESKTOPINFO pDeskInfo; // Desktop info visible to client
// type is PDESKTOPINFO
PCLIENTINFO pClientInfo; // Client info stored in TEB
// type is PCLIENTINFO
DWORD TIF_flags; // TIF_ flags go here.
PUNICODE_STRING pstrAppName; // Application module name.
PVOID psmsSent; // Most recent SMS this thread has sent
// type is PSMS
PVOID psmsCurrent; // Received SMS this thread is currently processing
// type is PSMS
PVOID psmsReceiveList; // SMSs to be processed
// type is PSMS
LONG timeLast; // Time, position, and ID of last message
ULONG_PTR idLast;
int cQuit;
int exitCode;
HDESK hdesk; // Desktop handle
// HDESK
int cPaintsReady;
UINT cTimersReady;
PVOID pMenuState; // type is PMENUSTATE
union {
PVOID ptdb; // Win16Task Schedule data for WOW thread
// type is PTDB
PVOID pwinsta; // Window station for SYSTEM thread
// type is PWINDOWSTATION
};
PVOID psiiList; // thread DDEML instance list
// type is PSVR_INSTANCE_INFO
DWORD dwExpWinVer;
DWORD dwCompatFlags; // The Win 3.1 Compat flags
DWORD dwCompatFlags2; // new DWORD to extend compat flags for NT5+ features
PVOID pqAttach; // calculation variabled used in
// type is PQ
// zzzAttachThreadInput()
PTHREADINFO ptiSibling; // pointer to sibling thread info
PVOID pmsd; // type is PMOVESIZEDATA
DWORD fsHooks; // WHF_ Flags for which hooks are installed
PHOOK sphkCurrent; // Hook this thread is currently processing
// type is PHOOK
PVOID pSBTrack; // type is PSBTRACK
HANDLE hEventQueueClient;
PVOID pEventQueueServer; // type is PKEVENT
PVOID PtiLink; // Link to other threads on desktop
// type is LIST_ENTRY
int iCursorLevel; // keep track of each thread's level
PADDING(padding2 , 4);
POINT ptLast;
PWND spwndDefaultIme; // Default IME Window for this thread
// type is PWND
PVOID spDefaultImc; // Default input context for this thread
// type is PIMC
HANDLE hklPrev; // Previous active keyboard layout
// type is HKL
int cEnterCount;
MLIST mlPost; // posted message list.
USHORT fsChangeBitsRemoved;// Bits removed during PeekMessage
WCHAR wchInjected; // character from last VK_PACKET
DWORD fsReserveKeys; // Keys that must be sent to the active
// active console window.
PVOID *apEvent; // Wait array for xxxPollAndWaitForSingleObject
// type is PKEVENT
ACCESS_MASK amdesk; // Granted desktop access
UINT cWindows; // Number of windows owned by this thread
UINT cVisWindows; // Number of visible windows on this thread
PHOOK aphkStart[CWINHOOKS]; // Hooks registered for this thread
// type is PHOOK
BYTE cti; // Use this when no desktop is available
// type is CLIENTTHREADINFO
}THREADINFO ,* PTHREADINFO;
这个结构用来保存线程的一些信息,它怎么得到呢,请看下面的代码
PTHREADINFO WINAPI NtPtiCurrent(void)
{
PTHREADINFO pti = NULL;
__asm
{
mov eax,fs:[00000018h]
mov eax,[eax+40h]
mov pti , eax ; 现在pti 保存的就是当前线程的THREADINFO.
}
return pti;
}
知道这个结构很重要,下面我就说一个这个结构的应用.
大家都知道Windows的消息Hook吧,下面这段代码可是让你的线程不被Hook,也就是让Hook失效
// 这个宏得到一个结构指针的成员地址
#define memaddr(p , s , m) (PVOID) ( (DWORD ) p + offsetof(s , m) )
PTHREADINFO pti = NtPtiCurrent();
if (pti == NULL)
return FALSE;
DWORD TIF_flags;
if (!ReadSysMemroy(
&TIF_flags ,
memaddr(pti , THREADINFO , TIF_flags) ,
sizeof(TIF_flags))
)
return FALSE;
TIF_flags |= 0x20000000;
return WriteSysMemroy(
memaddr(pti , THREADINFO , TIF_flags) ,
&TIF_flags ,
sizeof(TIF_flags)
);
原理很简单,就是设了一个标志,告诉Windows Hook ,别来惹我
好了,先开个头,看看反响,如果可以的话,再接着说.
本文地址:http://com.8s8s.com/it/it1055.htm