Into Windows 2000 (1)
- Interpreting and exploring the newly available Windows source code
I got hold of the Windows 2000 source code a few days ago and have been looking at some of it in my spare time. I will first publish the parts that have more practical value, in the hope that they help with everyone's study and work. If it seems worthwhile, I will keep writing up more of what I have worked through.
This time it is mainly about a few things in the USER32 module.
First we need a utility library that can access kernel memory. What puzzled me is that USER32 actually runs in kernel mode, but that is MS for you. About this utility library: I built it with the DDK, and it is very simple, with just two functions: read kernel memory and write kernel memory.
To stay on topic, only the function prototypes are given here:
    BOOL WriteSysMemory(PVOID pAddr, PVOID pBuff, DWORD dwLen);
    BOOL ReadSysMemory(PVOID pBuff, PVOID pAddr, DWORD dwLen);
1 About THREADINFO
First, the original shape of this structure:
    // Most of the comments are the originals; take your time with their meaning.
    // Padding fills space whose size was measured rather than declared.
    #define Padding(name, n) BYTE name[n]

    typedef struct tagTHREADINFO
    {
        // W32THREAD        W32Thread;
        // PTL              ptl;                // listhead for thread lock list
        // W32THREAD and PTL are structures I do not know; I found their sizes
        // with SoftICE, so I fill that space with padding.
        Padding(padding1, 0x2c);
        PVOID            ppi;                // process info struct for this thread
                                             // type is PPROCESSINFO
        PVOID            rpdesk;             // type is PDESKTOP
        PDESKTOPINFO     pDeskInfo;          // desktop info visible to client
                                             // type is PDESKTOPINFO
        PCLIENTINFO      pClientInfo;        // client info stored in TEB
                                             // type is PCLIENTINFO
        DWORD            TIF_flags;          // TIF_ flags go here
        PUNICODE_STRING  pstrAppName;        // application module name
        PVOID            psmsSent;           // most recent SMS this thread has sent
                                             // type is PSMS
        PVOID            psmsCurrent;        // received SMS this thread is currently processing
                                             // type is PSMS
        PVOID            psmsReceiveList;    // SMSs to be processed
                                             // type is PSMS
        LONG             timeLast;           // time, position, and id of last message
        ULONG_PTR        idLast;
        int              cQuit;
        int              exitCode;
        HDESK            hdesk;              // desktop handle
        int              cPaintsReady;
        UINT             cTimersReady;
        PVOID            pMenuState;         // type is PMENUSTATE
        union {
            PVOID        ptdb;               // Win16 task schedule data for WOW thread
                                             // type is PTDB
            PVOID        pwinsta;            // window station for system thread
                                             // type is PWINDOWSTATION
        };
        PVOID            psiiList;           // thread DDEML instance list
                                             // type is PSVR_INSTANCE_INFO
        DWORD            dwExpWinVer;
        DWORD            dwCompatFlags;      // the Win 3.1 compat flags
        DWORD            dwCompatFlags2;     // new DWORD to extend compat flags for NT5 features
        PVOID            pqAttach;           // calculation variable used in
                                             // zzzAttachThreadInput(); type is PQ
        PTHREADINFO      ptiSibling;         // pointer to sibling thread info
        PVOID            pmsd;               // type is PMOVESIZEDATA
        DWORD            fsHooks;            // WHF_ flags for which hooks are installed
        PHOOK            sphkCurrent;        // hook this thread is currently processing
                                             // type is PHOOK
        PVOID            psbTrack;           // type is PSBTRACK
        HANDLE           hEventQueueClient;
        PVOID            pEventQueueServer;  // type is PKEVENT
        PVOID            ptiLink;            // link to other threads on desktop
                                             // type is LIST_ENTRY
        int              iCursorLevel;       // keep track of each thread's level
        Padding(padding2, 4);
        POINT            ptLast;
        PWND             spwndDefaultIme;    // default IME window for this thread
                                             // type is PWND
        PVOID            spDefaultImc;       // default input context for this thread
                                             // type is PIMC
        HANDLE           hklPrev;            // previous active keyboard layout
                                             // type is HKL
        int              cEnterCount;
        MLIST            mlPost;             // posted message list
        USHORT           fsChangeBitsRemoved; // bits removed during PeekMessage
        WCHAR            wchInjected;        // character from last VK_PACKET
        DWORD            fsReserveKeys;      // keys that must be sent to the
                                             // active console window
        PVOID           *apEvent;            // wait array for xxxPollAndWaitForSingleObject
                                             // type is PKEVENT
        ACCESS_MASK      amdesk;             // granted desktop access
        UINT             cWindows;           // number of windows owned by this thread
        UINT             cVisWindows;        // number of visible windows on this thread
        PHOOK            aphkStart[CWINHOOKS]; // hooks registered for this thread
                                             // type is PHOOK
        BYTE             cti;                // use this when no desktop is available
                                             // type is CLIENTTHREADINFO
    } THREADINFO, *PTHREADINFO;
This structure holds per-thread state for the window manager. How do we get at it? See the following code.
    PTHREADINFO WINAPI NtPtiCurrent(VOID)
    {
        PTHREADINFO pti = NULL;
        __asm
        {
            mov eax, fs:[00000018h]   // TEB self pointer (NtTib.Self)
            mov eax, [eax + 40h]      // TEB.Win32ThreadInfo
            mov pti, eax              // pti now holds the THREADINFO of the current thread
        }
        return pti;
    }
This structure is important, so let me say a bit more about it.
Everyone knows about Windows message hooks. The following code makes your thread immune to them, that is, it makes hooks fail:
    // This macro yields the address of a member of a structure through a pointer
    // (the '+' had been lost in the original listing).
    #define MemAddr(p, s, m) ((PVOID)((DWORD)(p) + offsetof(s, m)))

    // Function wrapper added for completeness; the original listed only the body.
    BOOL SetNoHookFlagForCurrentThread(void)
    {
        PTHREADINFO pti = NtPtiCurrent();
        if (pti == NULL)
            return FALSE;

        DWORD TIF_flags;
        if (!ReadSysMemory(&TIF_flags,
                           MemAddr(pti, THREADINFO, TIF_flags),
                           sizeof(TIF_flags)))
            return FALSE;

        TIF_flags |= 0x20000000;   // TIF_DISABLEHOOKS
        return WriteSysMemory(MemAddr(pti, THREADINFO, TIF_flags),
                              &TIF_flags,
                              sizeof(TIF_flags));
    }
The principle is very simple: set a flag that tells the Windows hook machinery to leave this thread alone.
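As an added example that is not part of the original article, the read-modify-write above modelled in plain user-mode C against a constructed buffer, so the offset arithmetic and the bit update can be checked without any driver. Assumptions: uint32_t stands in for every pointer-sized member to reproduce the 32-bit layout exactly as the article declares it, so the resulting TIF_flags offset (0x3c) follows from that declaration and is not verified against a real kernel; ReadSysMemory/WriteSysMemory here are mock copies, not the author's driver.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Model of the page's Padding macro: an opaque byte run of the measured size. */
#define Padding(name, n) uint8_t name[n]

/* Only the leading members are modelled, since they fix the offset of TIF_flags;
 * uint32_t stands in for every pointer-sized field (assumption: 32-bit layout). */
typedef struct tagTHREADINFO_MODEL {
    Padding(padding1, 0x2c);   /* W32THREAD + PTL, sizes as measured by the author */
    uint32_t ppi;
    uint32_t rpdesk;
    uint32_t pDeskInfo;
    uint32_t pClientInfo;
    uint32_t TIF_flags;
    uint32_t pstrAppName;
} THREADINFO_MODEL;
#define TIF_BIT_USED_BY_ARTICLE 0x20000000u

/* Corrected form of the page's MemAddr macro (the '+' was lost in extraction). */
#define MemAddr(p, s, m) ((void *)((uintptr_t)(p) + offsetof(s, m)))

/* Mock stand-ins for the author's driver calls: plain copies in process memory. */
static int ReadSysMemory(void *pBuff, const void *pAddr, size_t len)
{ memcpy(pBuff, pAddr, len); return 1; }
static int WriteSysMemory(void *pAddr, const void *pBuff, size_t len)
{ memcpy(pAddr, pBuff, len); return 1; }
size_t tif_flags_offset(void)
{
    return offsetof(THREADINFO_MODEL, TIF_flags);   /* 0x3c under this layout */
}
/* The article's read-modify-write, applied to a caller-supplied block. */
int set_tif_flag(THREADINFO_MODEL *pti, uint32_t flag)
{
    uint32_t tif;
    if (pti == NULL)
        return 0;
    if (!ReadSysMemory(&tif, MemAddr(pti, THREADINFO_MODEL, TIF_flags), sizeof tif))
        return 0;
    tif |= flag;   /* other bits are preserved */
    return WriteSysMemory(MemAddr(pti, THREADINFO_MODEL, TIF_flags), &tif, sizeof tif);
}

/* What an inspector checks: is the bit present on this thread's record? */
int tif_flag_is_set(const THREADINFO_MODEL *pti, uint32_t flag)
{
    return pti != NULL && (pti->TIF_flags & flag) != 0;
}
```

If the model were compiled with real pointer types on a 64-bit target, the offset would move, which is exactly why hard-coded offsets from the article must be checked against the target build before use.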