--Windows 源代码解读与发现

拿到 Windows2000 的源代码有些日子了 , 业余时间就看看 , 总结出了一些东西 . 我先发表一些比较有实用价值的 , 希望能对大家的学习与工作有所帮助 . 如果大家觉得有必要 , 我会陆陆续续发表解读出来的一些东西与大家共同进步 .

这一次主要讲讲 user32 模块里的一些东西 .

首先 , 我们需要一个能访问内核内存的工具函数库 . 令我感到奇怪的是 ,user32 大量的代码在 Kernel Mode 下运行 . 不过那是 MS 的事 , 先说说这个工具函数库 . 我用 DDK 构建的它 . 很简单 . 有两个功能地 : 读 , 写内核内存 .

为了不偏离主题 , 只列出最后的函数原形

BOOL WriteSysMemroy(PVOID pAddr , PVOID pBuff , DWORD dwLen);

BOOL ReadSysMemroy(PVOID pBuff , PVOID pAddr , DWORD dwLen);

1 关于 THREADINFO

先列出这个结构的原形

// 大部分都有注释 , 它们的意意慢慢说

typedef struct tagTHREADINFO

{

//W32THREAD;

//PTL ptl; // Listhead for thread lock list

// W32THREAD 和 PTL 是我所不知道的结构 , 通过 SoftICE 的帮助 , 我知道了它们的大小 ,

// 于是我弄了个东东来填充它

PADDING(padding1 , 0x2c);

PVOID ppi; // process info struct for this thread

// type is PPROCESSINFO

PVOID rpdesk; // type is PDESKTOP

PDESKTOPINFO pDeskInfo; // Desktop info visible to client

// type is PDESKTOPINFO

PCLIENTINFO pClientInfo; // Client info stored in TEB

// type is PCLIENTINFO

DWORD TIF_flags; // TIF_ flags go here.

PUNICODE_STRING pstrAppName; // Application module name.

PVOID psmsSent; // Most recent SMS this thread has sent

// type is PSMS

PVOID psmsCurrent; // Received SMS this thread is currently processing

// type is PSMS

PVOID psmsReceiveList; // SMSs to be processed

// type is PSMS

LONG timeLast; // Time, position, and ID of last message

ULONG_PTR idLast;

int cQuit;

int exitCode;

HDESK hdesk; // Desktop handle

// HDESK

int cPaintsReady;

UINT cTimersReady;

PVOID pMenuState; // type is PMENUSTATE

union {

PVOID ptdb; // Win16Task Schedule data for WOW thread

// type is PTDB

PVOID pwinsta; // Window station for SYSTEM thread

// type is PWINDOWSTATION

};

PVOID psiiList; // thread DDEML instance list

// type is PSVR_INSTANCE_INFO

DWORD dwExpWinVer;

DWORD dwCompatFlags; // The Win 3.1 Compat flags

DWORD dwCompatFlags2; // new DWORD to extend compat flags for NT5+ features

PVOID pqAttach; // calculation variabled used in

// type is PQ

// zzzAttachThreadInput()

PTHREADINFO ptiSibling; // pointer to sibling thread info

PVOID pmsd; // type is PMOVESIZEDATA

DWORD fsHooks; // WHF_ Flags for which hooks are installed

PHOOK sphkCurrent; // Hook this thread is currently processing

// type is PHOOK

PVOID pSBTrack; // type is PSBTRACK

HANDLE hEventQueueClient;

PVOID pEventQueueServer; // type is PKEVENT

PVOID PtiLink; // Link to other threads on desktop

// type is LIST_ENTRY

int iCursorLevel; // keep track of each thread's level

PADDING(padding2 , 4);

POINT ptLast;

PWND spwndDefaultIme; // Default IME Window for this thread

// type is PWND

PVOID spDefaultImc; // Default input context for this thread

// type is PIMC

HANDLE hklPrev; // Previous active keyboard layout

// type is HKL

int cEnterCount;

MLIST mlPost; // posted message list.

USHORT fsChangeBitsRemoved;// Bits removed during PeekMessage

WCHAR wchInjected; // character from last VK_PACKET

DWORD fsReserveKeys; // Keys that must be sent to the active

// active console window.

PVOID *apEvent; // Wait array for xxxPollAndWaitForSingleObject

// type is PKEVENT

ACCESS_MASK amdesk; // Granted desktop access

UINT cWindows; // Number of windows owned by this thread

UINT cVisWindows; // Number of visible windows on this thread

PHOOK aphkStart[CWINHOOKS]; // Hooks registered for this thread

// type is PHOOK

BYTE cti; // Use this when no desktop is available

// type is CLIENTTHREADINFO

}THREADINFO ,* PTHREADINFO;

这个结构用来保存线程的一些信息 , 它怎么得到呢 , 请看下面的代码

PTHREADINFO WINAPI NtPtiCurrent(void)

{

PTHREADINFO pti = NULL;

__asm

{

mov eax,fs:[00000018h]

mov eax,[eax+40h]

mov pti , eax ; 现在 pti 保存的就是当前线程的 THREADINFO.

}

return pti;

}

知道这个结构很重要 , 下面我就说一个这个结构的应用 .

大家都知道 Windows 的消息 Hook 吧 , 下面这段代码可是让你的线程不被 Hook, 也就是让 Hook 失效

// 这个宏得到一个结构指针的成员地址

#define memaddr(p , s , m) (PVOID) ( (DWORD ) p + offsetof(s , m) )

PTHREADINFO pti = NtPtiCurrent();

if (pti == NULL)

return FALSE;

DWORD TIF_flags;

if (!ReadSysMemroy(

&TIF_flags ,

memaddr(pti , THREADINFO , TIF_flags) ,

sizeof(TIF_flags))

)

return FALSE;

TIF_flags |= 0x20000000;

return WriteSysMemroy(

memaddr(pti , THREADINFO , TIF_flags) ,

&TIF_flags ,

sizeof(TIF_flags)

);

原理很简单 , 就是设了一个标志 , 告诉 Windows Hook , 别来惹我

好了 , 先开个头 , 看看反响 , 如果可以的话 , 再接着说 .