Entering Windows 2000 (2)
- New Windows source code interpretation and discovery
2 Dynamic Thread Local Storage (TLS)
TEB (Thread Environment Block) is another important data structure holding per-thread information; at the moment I know only part of its layout, but that does not matter here. Using SoftICE I still found the TLS-related information: in the TEB, offset 0x00000E10 is the current thread's TLS table, and its size is 0x40 (the code below treats it as 0x40 DWORD slots).
The following section shows how this information can be used to operate on TLS.
// Returns a pointer to the current thread's TEB.
// Reads FS:[18h] with inline assembly (MSVC-style, x86-32 only); on 32-bit
// Windows that slot conventionally holds the TEB's pointer to itself.
// NOTE(review): identifiers are case-mangled in this transcription — the
// local variable and its type both appear as "PTEB" here.
Pvoid getcurrentteb ()
{
PTEB PTEB = NULL;
__ASM
{
Mov Eax, FS: [00000018H]
MOV PTEB, EAX
}
Return PTEB;
}
// Reads TLS slot dwindex of the current thread directly from the TEB.
// dwindex: slot index; anything >= 0x40 is rejected (returns FALSE, i.e. 0,
//          from a PVOID function — indistinguishable from a stored NULL).
// The slot table is taken to start at TEB + 0xE10 and is indexed as DWORDs.
// NOTE(review): the "+" between PTLS and 0xE10 appears to have been lost in
// transcription. getcurrentteb() is not checked for NULL before the offset.
PVOID WINAPI MyTLsget (DWORD DWINDEX)
{
IF (dwindex> = 0x40)
Return False;
DWORD * PTLS = (DWORD *) getcurrentteb ();
PTLS = (DWORD *) ((Byte *) PTLS 0xE10);
Return (PVOID) PTLS [dwindex];
}
// Writes pValue into TLS slot dwindex of the current thread, directly in the TEB.
// Returns FALSE when dwindex >= 0x40, TRUE otherwise.
// The slot table is taken to start at TEB + 0xE10 and is indexed as DWORDs.
// NOTE(review): nothing here checks that dwindex was actually allocated; a
// caller that picks an index in use by the runtime overwrites that slot.
// As in MyTLsget, the "+" before 0xE10 looks lost in transcription.
Bool WinApi MyTlsset (DWORD DWINDEX, PVOID PVALUE)
{
IF (dwindex> = 0x40)
Return False;
DWORD * PTLS = (DWORD *) getcurrentteb ();
PTLS = (DWORD *) ((Byte *) PTLS 0xE10);
PTLS [dwindex] = (dword) PVALUE;
Return True;
}
3 Hotkey (hotkey)
This information is undoubtedly more useful than the above, because Win32 does not provide any direct way to operate on hotkeys.
Internally, hotkey management is implemented through a simple linked list; see the following data structure:
// One registered hotkey as kept by the system (layout recovered by the author
// with SoftICE; field names are the author's).
// NOTE(review): the closing "}" of the struct appears to have been lost in
// extraction; the typedef names follow the last field.
Typedef struct taghotkey {
PthreadInfo pti; // owning thread's THREADINFO (that structure is not shown here)
PWnd spwnd; // window the hotkey is associated with
Word fsmodifier; // MOD_SHIFT, MOD_ALT, MOD_CONTROL, MOD_WIN
Word wflags; // MOD_SAS
Uint vk; // virtual-key code
INT ID; // hotkey id
Struct taghotkey * phknext; // next entry in the singly linked list
Hotkey, * photkey;
With the annotations this should be clear. The system maintains one such linked list; on a keyboard interrupt the list is searched, and when an entry matches, a message is sent to the window specified in that entry.
The remaining problem is finding the head of the list. The head is a global variable, and I found its address in memory using SoftICE. However, this value may differ between Windows versions; I am using Windows 2000 Professional SP4 (internal build 2195). Even on the same version, the address will differ if the system is configured for 3GB mode (which in this release brings no benefit, so I would advise against it). I have not yet found a good way to solve this problem.
The following code demonstrates some operations on hotkeys.
// Address of the global list-head pointer, as found by the author on a
// specific Windows 2000 Professional SP4 build without the 3GB switch.
// NOTE(review): this constant is build-specific and is never validated at
// runtime; on any other build the reads below dereference an arbitrary
// kernel address.
#define hotkey_list_head (Photkey *) (0xA01826C4)
// Opaque handle type for a hotkey entry: it is the entry's address.
Typedef photkey hhotkey;
// User-mode view of a hotkey entry: the fields of taghotkey a caller can
// usefully inspect, with the window pointer resolved to its HWND.
Typedef struct taghotKeyInfo
{
Hwnd hwnd; // window the hotkey belongs to
Word fsmodifier; // MOD_SHIFT, MOD_ALT, MOD_CONTROL, MOD_WIN
Uint vk; // virtual-key code
Int ID; // hotkey id
} HotKeyInfo, * photkeyinfo;
// Returns the first entry of the system hotkey list, or NULL.
// Reads the head pointer from hotkey_list_head through Readsysmemroy
// (a helper not shown on this page; presumably a user-mode read of kernel
// memory — verify its contract).
// NOTE(review): NULL is returned both when the list is empty and when the
// read fails, so callers cannot tell the two apart.
Hhotkey WinApi NtgetFirstHotKey ()
{
Photkey phk = NULL;
IF (! Readsysmemroy (& phk, Hotkey_List_Head, Sizeof (phk)))
Return NULL;
Return phk;
}
// Returns the entry following Hhotkey in the list, or NULL.
// Reads the phknext field of the entry via Readsysmemroy; Memaddr is a
// macro not shown on this page (presumably base + offsetof(field)).
// NOTE(review): as with NtgetFirstHotKey, NULL means either end-of-list or
// a failed read. Nothing bounds a traversal, so a corrupted or cyclic list
// would make the callers below loop forever.
Hhotkey WinApi NtgetNextKey (Hhotkey Hhotkey)
{
Photkey phk = NULL;
IF (! Readsysmemroy (& phk,
Memaddr (Hhotkey, Hotkey, PhkNext),
Sizeof (phk))
)
Return NULL;
Return phk;
}
// Fills *HKI from the hotkey entry HHOTKEY.
// Returns FALSE only when the entry itself cannot be read; a failure to
// resolve the window handle is not an error — hwnd is then NULL.
// NOTE(review): HKI->fsmodifiers is written here although the struct above
// declares the field as fsmodifier; one of the two spellings is a
// transcription error.
Bool WinApi NtgetHotKeyInfo (HOTKEY HHOTKEY, HotKeyInfo * HKI)
{
Hotkey HK;
IF (! Readsysmemroy (& HK, HHOTKEY, SIZEOF (HK)))
Return False;
HWND HWND = NULL;
// The WND layout is not known yet, but the HWND can be read directly at
// offset 0x0 of the structure spwnd points to. If spwnd is NULL or the
// read fails, hwnd stays NULL.
IF (! Readsysmemroy (& HWnd, Memaddr (HK.SPWND, WND, Head.toh.Head.h), Sizeof (HWnd)))
HWND = NULL;
HKI-> hwnd = hwnd;
HKI-> ID = hk.id;
HKI-> fsmodifiers = hk.fsmodifier;
HKI-> vk = hk.vk;
Return True;
}
// Walks the hotkey list and returns the first entry matching *Phki, or NULL.
// Bcheckk selects the match criterion:
//   TRUE  - match on virtual key and modifiers (the key combination);
//   FALSE - match on window handle and id (the registration).
// The walk stops early, returning NULL, if an entry cannot be read.
// NOTE(review): relies on NtgetNextKey returning NULL to terminate; there is
// no upper bound on the number of entries visited. hki.fsmodifiers is used
// here while the struct declares fsmodifier (see NtgetHotKeyInfo).
Photkey FindhotKey (HotKeyInfo * Phki, Bool Bcheckk)
{
HotKeyInfo HKI;
Photkey pHK;
PHK = NTGETFIRSTHOTKEY ();
While (pHK)
{
IF (! NTGETHOTKEYINFO (PHK, & HKI))
Break;
IF (bCheckk)
{
IF (hki.vk == phki-> vk && hki.fsmodifiers == phki-> fsmodifier)
Return phk;
}
Else
{
IF (hki.hwnd == phki-> hwnd && hki.id == phki-> id)
Return phk;
}
PHK = NTGETNEXTHOTKEY (PHK);
}
Return NULL;
}
// Changes the key combination (vk + modifiers) of an existing hotkey entry.
// Step 1: refuse if another entry already uses the requested combination.
// Step 2: locate the entry to modify (presumably by hwnd/id, i.e. a second
//         FindhotKey call with Bcheckk == FALSE — the line is garbled in this
//         transcription and should be confirmed against the original).
// Step 3: read the entry, patch vk/modifiers, write it back with
//         WriteSysmemroy (helper not shown on this page).
// Returns FALSE on a conflict, a missing entry, or a failed read; otherwise
// returns the result of the write.
// NOTE(review): the write-back is not synchronized with the kernel, which
// (per the text above) walks this list on keyboard interrupts. The other
// fields of HK (pti, spwnd, wflags, ID, phknext) are written back exactly as
// read, so a stale read between step 2 and step 3 would clobber them.
// Transcription defects: "Return False ;;", a missing ")" on the final
// WriteSysmemroy call, and FSMODIFIERS vs. the struct's fsmodifier.
Bool WinApi NtSethTKeyInfo (HotKeyInfo * Phki)
{
Photkey phk = findhotkey (phki, true);
IF (phk)
Return False;
phk = findhotkey; if (! pHK)
Return False ;;
Hotkey HK;
IF (! Readsysmemroy (& HK, PHK, SIZEOF (HK)))
Return False;
HK.FSMODIFIERS = Phki-> fsmodifier;
HK.VK = phki-> vk;
Return WriteSysmemroy (PhK, & HK, SIZEOF (HK);
}