xxxDoHotKeyStuff函数分析之和winlogon!SASCreate函数和winlogon!SASWndProc函数和全局变量win32k!gphkHashTable的关系
xxxDoHotKeyStuff函数分析之和winlogon!SASCreate函数和winlogon!SASWndProc函数和全局变量win32k!gphkHashTable的关系==winlogon源代码分析之热键机制
D:123>grep “RegisterHotKey” -nr D:srv03rtmdssecuritygina|grep -v “Binary”
D:srv03rtmdssecuritygina/testgina/testgina.c:298: RegisterHotKey(hMainWindow, 0, MOD_CONTROL, VK_DELETE);
D:srv03rtmdssecuritygina/testgina/testgina.c:299: RegisterHotKey(hMainWindow, 1, MOD_CONTROL, VK_ADD);
D:srv03rtmdssecuritygina/winlogon/sas.c:501: if (!RegisterHotKey(hwnd, 0, MOD_SAS | MOD_CONTROL | MOD_ALT, VK_DELETE)) {
D:srv03rtmdssecuritygina/winlogon/sas.c:514: RegisterHotKey(hwnd, 1, MOD_CONTROL | MOD_ALT | MOD_SHIFT, VK_DELETE);
D:srv03rtmdssecuritygina/winlogon/sas.c:521: if (!RegisterHotKey(hwnd, 2, MOD_CONTROL | MOD_ALT, VK_TAB)) {
D:srv03rtmdssecuritygina/winlogon/sas.c:531: if (!RegisterHotKey(hwnd, 3, MOD_CONTROL | MOD_ALT | MOD_SHIFT, VK_TAB)) {
D:srv03rtmdssecuritygina/winlogon/sas.c:544: if (!RegisterHotKey(hwnd, 4, MOD_CONTROL | MOD_SHIFT, VK_ESCAPE)) {
D:srv03rtmdssecuritygina/winlogon/sas.c:551: if (!RegisterHotKey(hwnd, 5, MOD_WIN, 'L')) {
D:srv03rtmdssecuritygina/winlogon/sas.c:557: if (!RegisterHotKey(hwnd, 6, MOD_WIN, 'U')) {
/*
 * SASCreate - register winlogon's hotkeys on the SAS window.
 *
 * Called by SASWndProc while it handles WM_CREATE. The ids used here are the
 * wParam values SASWndProc later receives with WM_HOTKEY:
 *   0  Ctrl+Alt+Del, tagged with MOD_SAS (the secure attention sequence)
 *   1  Ctrl+Alt+Shift+Del   (DBG builds only)
 *   2  Ctrl+Alt+Tab         (DBG builds only, profile-controlled)
 *   3  Ctrl+Alt+Shift+Tab   (DBG builds only, WinlogonInfoLevel-controlled)
 *   4  Ctrl+Shift+Esc
 *   5  Win+L
 *   6  Win+U
 *
 * Returns FALSE only when the SAS registration (id 0) is attempted and fails;
 * every other failure is recorded in the matching bRegistered* flag and the
 * function still returns TRUE.
 */
BOOL SASCreate(
    HWND hwnd)
{
    /*
     * The SAS is not registered at all when the Winlogon profile value
     * VARNAME_AUTOLOGON reads 2, so that setting removes Ctrl+Alt+Del
     * handling for this window.
     */
    if (GetProfileInt(APPNAME_WINLOGON, VARNAME_AUTOLOGON, 0) != 2 &&
        !RegisterHotKey(hwnd, 0, MOD_SAS | MOD_CONTROL | MOD_ALT, VK_DELETE)) {
        DebugLog((DEB_ERROR, "failed to register SAS"));
        return FALSE;   /* Fail creation */
    }

#if DBG
    /*
     * Debug-only hotkeys. id 1 (quick reboot) is registered unconditionally
     * and its result is not checked.
     */
    RegisterHotKey(hwnd, 1, MOD_CONTROL | MOD_ALT | MOD_SHIFT, VK_DELETE);

    /* id 2: desktop switching, only when the profile enables it. */
    if (GetProfileInt(APPNAME_WINLOGON, VARNAME_ENABLEDESKTOPSWITCHING, 0) != 0) {
        if (RegisterHotKey(hwnd, 2, MOD_CONTROL | MOD_ALT, VK_TAB)) {
            bRegisteredDesktopSwitching = TRUE;
        } else {
            DebugLog((DEB_ERROR, "failed to register desktop switch SAS"));
            bRegisteredDesktopSwitching = FALSE;
        }
    }

    /* id 3: breakpoint hotkey, only when DEB_COOL_SWITCH is set in WinlogonInfoLevel. */
    if (WinlogonInfoLevel & DEB_COOL_SWITCH) {
        if (RegisterHotKey(hwnd, 3, MOD_CONTROL | MOD_ALT | MOD_SHIFT, VK_TAB)) {
            bRegisteredWinlogonBreakpoint = TRUE;
        } else {
            DebugLog((DEB_ERROR, "failed to register breakpoint SAS"));
            bRegisteredWinlogonBreakpoint = FALSE;
        }
    }
#endif

    /* id 4: Ctrl+Shift+Esc starts taskmgr (see the wParam == 4 branch of SASWndProc). */
    if (RegisterHotKey(hwnd, 4, MOD_CONTROL | MOD_SHIFT, VK_ESCAPE)) {
        bRegisteredTaskmgr = TRUE;
    } else {
        DebugLog((DEB_ERROR, "failed to register taskmgr hotkey"));
        bRegisteredTaskmgr = FALSE;
    }

    /* ids 5 and 6: Win+L and Win+U; a failure is recorded but not logged. */
    bRegisteredLockWorkstation = RegisterHotKey(hwnd, 5, MOD_WIN, 'L') ? TRUE : FALSE;
    bRegisteredUtilMan = RegisterHotKey(hwnd, 6, MOD_WIN, 'U') ? TRUE : FALSE;

    return TRUE;
}
/*
 * Modifier bits passed as fsModifiers to RegisterHotKey. The four key bits
 * are tagged ";Internal NT" in the quoted header.
 */
#define MOD_ALT         0x0001
#define MOD_CONTROL     0x0002
#define MOD_SHIFT       0x0004
#define MOD_WIN         0x0008
/*
 * Not a key: SASCreate ORs this into the id 0 (Ctrl+Alt+Del) registration,
 * and win32k's _RegisterHotKey masks it out of fsModifiers into wFlags.
 */
#define MOD_SAS         0x8000
// Window procedure of winlogon's SAS window (excerpt: the listing stops
// inside the message switch, so the function is not closed here).
// The WM_HOTKEY ids handled below are the ones SASCreate registers (0..6).
LRESULT SASWndProc(
HWND hwnd,
UINT message,
WPARAM wParam,
LPARAM lParam)
{
WCHAR szDesktop[MAX_PATH];
// Per-window context, read back from the window's GWLP_USERDATA slot.
PTERMINAL pTerm = (PTERMINAL)GetWindowLongPtr(hwnd, GWLP_USERDATA);
HANDLE hThread;
DWORD dwCode;
WINSTATIONINFORMATION InfoData;
ULONG Length;
if (SASRunningSetup) {
// only handle WM_LOGONNOTIFY:LOGON_ACCESSNOTIFY, WM_HOTKEY:6,
// pass everything else to DefWindowProcW
// (so while SASRunningSetup is set, the SAS itself, id 0, is not processed here)
if (message == WM_LOGONNOTIFY) {
if (wParam != LOGON_ACCESSNOTIFY)
return DefWindowProcW(hwnd, message, wParam, lParam);
} else if (message == WM_HOTKEY) {
if (wParam != 6)
return DefWindowProcW(hwnd, message, wParam, lParam);
} else {
return DefWindowProcW(hwnd, message, wParam, lParam);
}
}
switch (message)
{
case WM_CREATE:
// Hotkey registration happens here; SASCreate returns FALSE only when
// the SAS (id 0) registration fails.
if (!SASCreate(hwnd))
{
return(TRUE); // Fail creation
}
return(FALSE); // Continue creating window
case WM_DESTROY:
// NOTE(review): the string literal below lost its ASCII quotes and its
// "\n" escape (now a literal line break) when the page was extracted.
DebugLog(( DEB_TRACE, “SAS Window Shutting down?
“));
SASDestroy(hwnd);
return(0);
case WM_HOTKEY:
// Gate: while g_fWaitForLockWksMsgFromWin32k is set, every hotkey is
// dropped here, including id 0 (the SAS).
if (g_fWaitForLockWksMsgFromWin32k)
return 0;
#if DBG
// ids 1..3 exist only in DBG builds (see SASCreate).
// id 1: immediate reboot; no logged-on / locked check is made first.
if (wParam == 1)
{
QuickReboot();
return(0);
}
// id 2: toggle the active desktop between the winlogon and application desktops.
if (wParam == 2)
{
switch (pTerm->pWinStaWinlogon->ActiveDesktop)
{
case Desktop_Winlogon:
SetActiveDesktop(pTerm, Desktop_Application);
break;
case Desktop_Application:
SetActiveDesktop(pTerm, Desktop_Winlogon);
break;
}
return(0);
}
// id 3: break into the debugger.
if (wParam == 3)
{
DebugBreak();
return(0);
}
#endif
// id 4 (Ctrl+Shift+Esc): start taskmgr.exe on "<winsta>\<application desktop>".
if (wParam == 4)
{
WCHAR szTaskMgr[] = L”taskmgr.exe”;
DWORD val;
// NOTE(review): wsprintfW takes no destination size and szDesktop holds
// MAX_PATH WCHARs; whether lpWinstaName is length-bounded is not visible here.
wsprintfW (szDesktop, L”%s\%s”, pTerm->pWinStaWinlogon->lpWinstaName,
APPLICATION_DESKTOP_NAME);
DebugLog((DEB_TRACE, “Starting taskmgr.exe.
“));
// Launch only for a logged-on user whose workstation is not locked.
if ( pTerm->UserLoggedOn &&
!IsLocked( pTerm->WinlogonState ))
{
// This inner val shadows the one declared at the top of the branch.
DWORD val = 0;
// sub_1043104 is a placeholder name for an unidentified routine; the launch
// needs it to return 0 and to set val nonzero. Its meaning is not shown on this page.
if (!sub_1043104(978, &val) && val) {
// Passes the user's environment block; which token StartApplication
// uses is not visible in this excerpt.
StartApplication(pTerm,
szDesktop,
pTerm->pWinStaWinlogon->UserProcessData.pEnvironment,
szTaskMgr);
}
}
return(0);
}
// id 5 (Win+L): forward a lock request unless both ShellIsFriendlyUIActive()
// and IsDxgExclusiveModeActive() return nonzero.
if (wParam == 5)
{
if (!ShellIsFriendlyUIActive() || !IsDxgExclusiveModeActive()) {
return SendMessageW(hwnd, WM_LOGONNOTIFY, LOGON_LOCKWORKSTATION, 0);
}
return(0);
}
// id 6 (Win+U): forwarded as LOGON_ACCESSNOTIFY with lParam 6.
if (wParam == 6)
{
return SendMessageW(hwnd, WM_LOGONNOTIFY, LOGON_ACCESSNOTIFY, 6);
}
// No id matched above. With SASCreate's registrations that leaves id 0
// (MOD_SAS | Ctrl+Alt+Del), reported as WLX_SAS_TYPE_CTRL_ALT_DEL. There is
// no explicit wParam == 0 test, so any other unhandled id takes this path too.
CADNotify(pTerm, WLX_SAS_TYPE_CTRL_ALT_DEL);
return(0);
第三部分:
id=0的情况:
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagHOTKEY *)0xe13e8b48)
((win32k!tagHOTKEY *)0xe13e8b48) : 0xe13e8b48 [Type: tagHOTKEY *]
[+0x000] pti : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc643244 [Type: tagWND *]
[+0x008] fsModifiers : 0x7 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x2e [Type: unsigned int]
[+0x010] id : 1 [Type: int]
[+0x014] phkNext : 0xe166f558 [Type: tagHOTKEY *]
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagHOTKEY *)0xe166f558)
((win32k!tagHOTKEY *)0xe166f558) : 0xe166f558 [Type: tagHOTKEY *]
[+0x000] pti : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc643244 [Type: tagWND *]
[+0x008] fsModifiers : 0x3 [Type: unsigned short]
[+0x00a] wFlags : 0x8000 [Type: unsigned short] //对于cad来说wFlags=0x8000
[+0x00c] vk : 0x2e [Type: unsigned int]
[+0x010] id : 0 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
/*
 * win32k side of RegisterHotKey (excerpt: the listing stops after the new
 * HOTKEY entry is filled in, so insertion into the hash table and any use of
 * bSAS are not shown).
 *
 * Visible checks, in order: window-station access for non-CSRSS callers,
 * rejection of VK_PACKET, the winlogon-only SAS test, window ownership, and
 * duplicate detection through FindHotKey.
 */
BOOL _RegisterHotKey(
PWND pwnd,
int id,
UINT fsModifiers,
UINT vk)
{
PHOTKEY phk;
BOOL fKeysExist, bSAS;
PTHREADINFO ptiCurrent;
WORD wFlags;
/* Split MOD_SAS out of the modifier mask: it travels in wFlags, not in fsModifiers. */
wFlags = fsModifiers & MOD_SAS; // for Ctrl+Alt+Del (the SAS) wFlags == 0x8000
fsModifiers &= ~MOD_SAS;
ptiCurrent = PtiCurrent();
/*
 * Blow it off if the caller is not the windowstation init thread
 * and doesn't have the proper access rights
 */
/* The access check is skipped for the CSRSS process and when grpWinStaList is NULL. */
if (PsGetCurrentProcess() != gpepCSRSS) {
if (grpWinStaList && !CheckWinstaWriteAttributesAccess()) {
return FALSE;
}
}
/*
 * If VK_PACKET is specified, just bail out, since VK_PACKET is
 * not a real keyboard input.
 */
if (vk == VK_PACKET) {
return FALSE;
}
/*
 * If this is the SAS check that winlogon is the one registering it.
 */
/*
 * bSAS is TRUE only when MOD_SAS was passed AND the caller's process id is
 * gpidLogon.
 * NOTE(review): a caller other than winlogon that passes MOD_SAS is not
 * rejected in the visible code; bSAS is FALSE for it but wFlags still
 * carries the bit and is stored in phk->wFlags below. How bSAS is consumed
 * lies past the end of this excerpt - confirm there.
 */
if ((wFlags & MOD_SAS) != 0 && PsGetCurrentProcessId() == gpidLogon) {
bSAS = TRUE;
} else {
bSAS = FALSE;
}
/*
 * Can't register hotkey for a window of another queue.
 */
/* PWND_FOCUS and PWND_INPUTOWNER are pseudo-window values and bypass the ownership test. */
if (pwnd != PWND_FOCUS && pwnd != PWND_INPUTOWNER) {
if (GETPTI(pwnd) != ptiCurrent) {
RIPERR1(ERROR_WINDOW_OF_OTHER_THREAD,
RIP_WARNING,
“hwnd 0x%x belongs to a different thread”,
HWq(pwnd));
return FALSE;
}
}
/* Returns an existing entry for this registration, if any, and reports through fKeysExist. */
phk = FindHotKey(ptiCurrent, pwnd, id, fsModifiers, vk, FALSE, &fKeysExist);
/*
 * If the keys have already been registered, return FALSE.
 */
if (fKeysExist) {
RIPERR0(ERROR_HOTKEY_ALREADY_REGISTERED,
RIP_WARNING,
“Hotkey already exists”);
return FALSE;
}
if (phk == NULL) {
/*
 * This hotkey doesn't exist yet.
 */
phk = (PHOTKEY)UserAllocPool(sizeof(HOTKEY), TAG_HOTKEY);
if (phk == NULL) {
return FALSE;
}
phk->pti = ptiCurrent;
/* A real window is taken through Lock(); a pseudo-window value is stored as-is. */
if (pwnd != PWND_FOCUS && pwnd != PWND_INPUTOWNER) {
phk->spwnd = NULL;
Lock(&phk->spwnd, pwnd);
} else {
phk->spwnd = pwnd;
}
phk->fsModifiers = (WORD)fsModifiers;
phk->wFlags = wFlags; // for Ctrl+Alt+Del (the SAS) wFlags == 0x8000
phk->vk = vk;
phk->id = id;
1: kd> x win32k!gvkSAS
bfa70ef8 win32k!gvkSAS = 0x2e
1: kd> x win32k!gfsSASModifiers
bfa70f00 win32k!gfsSASModifiers = 3
id=1的情况:
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagHOTKEY *)0xe13e8b48)
((win32k!tagHOTKEY *)0xe13e8b48) : 0xe13e8b48 [Type: tagHOTKEY *]
[+0x000] pti : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc643244 [Type: tagWND *]
[+0x008] fsModifiers : 0x7 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x2e [Type: unsigned int]
[+0x010] id : 1 [Type: int]
[+0x014] phkNext : 0xe166f558 [Type: tagHOTKEY *]
// Excerpt from the WM_HOTKEY branch of SASWndProc (the matching #endif is
// outside this excerpt). id 1 is the Ctrl+Alt+Shift+Del hotkey that SASCreate
// registers in DBG builds only; it calls QuickReboot with no logged-on or
// locked-state check in the lines shown.
#if DBG
if (wParam == 1)
{
QuickReboot();
return(0);
}
D:123>grep “QuickReboot” -nr D:srv03rtmdssecuritygina|grep -v “Binary”
D:srv03rtmdssecuritygina/winlogon/sas.c:88:void QuickReboot(void)
D:srv03rtmdssecuritygina/winlogon/sas.c:1260: QuickReboot();
#if DBG
/*
 * QuickReboot - debug-build helper reached from hotkey id 1 in SASWndProc.
 *
 * Enables SE_SHUTDOWN_PRIVILEGE through EnablePrivilege and then calls
 * NtShutdownSystem(TRUE) (presumably the reboot action, going by the
 * function name). Neither call's result is checked. Compiled only when
 * DBG is set.
 */
void
QuickReboot(void)
{
    /* The privilege is switched on first, then the shutdown is requested. */
    EnablePrivilege(SE_SHUTDOWN_PRIVILEGE, TRUE);
    NtShutdownSystem(TRUE);
}
#endif
id=0 和 id=1 这两个热键的虚拟键码都是 VK_DELETE(0x2e = 0n46),因此它们落在 gphkHashTable 的同一个桶 [46] 中,并通过 phkNext 串成一条链表:
1: kd> x win32k!gphkHashTable
bfa5fc38 win32k!gphkHashTable = struct tagHOTKEY *[128]
1: kd> dx -id 0,0,8960a020 -r1 (*((win32k!tagHOTKEY * (*)[128])0xbfa5fc38))
(*((win32k!tagHOTKEY * (*)[128])0xbfa5fc38)) [Type: tagHOTKEY * [128]]
[46] : 0xe13e8b48 [Type: tagHOTKEY *]
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagHOTKEY *)0xe13e8b48)
((win32k!tagHOTKEY *)0xe13e8b48) : 0xe13e8b48 [Type: tagHOTKEY *]
[+0x000] pti : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc643244 [Type: tagWND *]
[+0x008] fsModifiers : 0x7 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x2e [Type: unsigned int] // [+0x00c] vk : 0x2e
[+0x010] id : 1 [Type: int]
[+0x014] phkNext : 0xe166f558 [Type: tagHOTKEY *]
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagHOTKEY *)0xe166f558)
((win32k!tagHOTKEY *)0xe166f558) : 0xe166f558 [Type: tagHOTKEY *]
[+0x000] pti : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc643244 [Type: tagWND *]
[+0x008] fsModifiers : 0x3 [Type: unsigned short]
[+0x00a] wFlags : 0x8000 [Type: unsigned short]
[+0x00c] vk : 0x2e [Type: unsigned int] // [+0x00c] vk : 0x2e
[+0x010] id : 0 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
id=2和id=3的情况:
D:123>grep “APPNAME_WINLOGON” -nr D:srv03rtmdssecuritygina|grep -v “Binary”
D:srv03rtmdssecuritygina/winlogon/sas.c:500: if (GetProfileInt( APPNAME_WINLOGON, VARNAME_AUTOLOGON, 0 ) != 2) {
D:srv03rtmdssecuritygina/winlogon/sas.c:520: if (GetProfileInt( APPNAME_WINLOGON, VARNAME_ENABLEDESKTOPSWITCHING, 0 ) != 0) {
D:srv03rtmdssecuritygina/winlogon/setup.c:609: WriteProfileString( APPNAME_WINLOGON, VARNAME_AUTOLOGON, NULL );
D:srv03rtmdssecuritygina/winlogon/setup.h:24:#define APPNAME_WINLOGON TEXT(“Winlogon”)
D:srv03rtmdssecuritygina/winlogon/winlogon.c:1609: (VOID) WriteProfileString( APPNAME_WINLOGON, WINSTATIONS_DISABLED, TEXT(“0”) );
D:123>grep “VARNAME_ENABLEDESKTOPSWITCHING” -nr D:srv03rtmdssecuritygina|grep -v “Binary”
D:srv03rtmdssecuritygina/winlogon/sas.c:520: if (GetProfileInt( APPNAME_WINLOGON, VARNAME_ENABLEDESKTOPSWITCHING, 0 ) != 0) {
D:srv03rtmdssecuritygina/winlogon/setup.h:28:#define VARNAME_ENABLEDESKTOPSWITCHING TEXT(“EnableDesktopSwitching”)
1: kd> x winlogon!bRegisteredDesktopSwitching
01058104 winlogon!bRegisteredDesktopSwitching = 0n0
#define DEB_COOL_SWITCH 0x00000100
1: kd> x winlogon!WinlogonInfoLevel //后来改的,winlogon!winmain下断点就修改的话可以注册热键成功
01054040 winlogon!WinlogonInfoLevel = 0xfffff
1: kd> x winlogon!bRegisteredWinlogonBreakpoint
01058100 winlogon!bRegisteredWinlogonBreakpoint = 0n0
id=4的情况:
1: kd> x win32k!gphkHashTable
bfa5fc38 win32k!gphkHashTable = struct tagHOTKEY *[128]
1: kd> dx -id 0,0,8960a020 -r1 (*((win32k!tagHOTKEY * (*)[128])0xbfa5fc38))
(*((win32k!tagHOTKEY * (*)[128])0xbfa5fc38)) [Type: tagHOTKEY * [128]]
[27] : 0xe16ff810 [Type: tagHOTKEY *]
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagHOTKEY *)0xe16ff810)
((win32k!tagHOTKEY *)0xe16ff810) : 0xe16ff810 [Type: tagHOTKEY *]
[+0x000] pti : 0xe2f6c7d0 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc677d04 [Type: tagWND *]
[+0x008] fsModifiers : 0x2 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x1b [Type: unsigned int]
[+0x010] id : 61744 [Type: int]
[+0x014] phkNext : 0xe16e0ad0 [Type: tagHOTKEY *]
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagHOTKEY *)0xe16e0ad0)
((win32k!tagHOTKEY *)0xe16e0ad0) : 0xe16e0ad0 [Type: tagHOTKEY *]
[+0x000] pti : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc643244 [Type: tagWND *]
[+0x008] fsModifiers : 0x6 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x1b [Type: unsigned int]
[+0x010] id : 4 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
VK_ESCAPE 1B 27 Esc键 [+0x010] id : 4
对应 Ctrl+Shift+Esc(fsModifiers 0x6 = MOD_CONTROL | MOD_SHIFT,与 SASCreate 中 id 4 的注册一致,不是 Ctrl+Alt+Esc)
// Excerpt from the WM_HOTKEY branch of SASWndProc: id 4 (Ctrl+Shift+Esc)
// starts taskmgr.exe on "<window station>\<application desktop>".
if (wParam == 4)
{
WCHAR szTaskMgr[] = L”taskmgr.exe”;
DWORD val;
// NOTE(review): wsprintfW takes no destination size; szDesktop is declared
// in SASWndProc as WCHAR[MAX_PATH], and the length of lpWinstaName is not
// visible here.
wsprintfW (szDesktop, L”%s\%s”, pTerm->pWinStaWinlogon->lpWinstaName,
APPLICATION_DESKTOP_NAME);
DebugLog((DEB_TRACE, “Starting taskmgr.exe.
“));
// Launch only for a logged-on user whose workstation is not locked.
if ( pTerm->UserLoggedOn &&
!IsLocked( pTerm->WinlogonState ))
{
// Shadows the outer val declared above.
DWORD val = 0;
// sub_1043104 is a placeholder name for an unidentified routine; the launch
// requires it to return 0 and to set val nonzero.
if (!sub_1043104(978, &val) && val) {
StartApplication(pTerm,
szDesktop,
pTerm->pWinStaWinlogon->UserProcessData.pEnvironment,
szTaskMgr);
}
}
return(0);
}
id=5的情况:
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagHOTKEY *)0xe166f780)
((win32k!tagHOTKEY *)0xe166f780) : 0xe166f780 [Type: tagHOTKEY *]
[+0x000] pti : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc643244 [Type: tagWND *]
[+0x008] fsModifiers : 0x8 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x4c [Type: unsigned int]
[+0x010] id : 5 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
// Excerpt from the WM_HOTKEY branch of SASWndProc: id 5 (Win+L).
// The lock request is forwarded as WM_LOGONNOTIFY / LOGON_LOCKWORKSTATION
// unless ShellIsFriendlyUIActive() and IsDxgExclusiveModeActive() both return
// nonzero, in which case the key press is swallowed.
if (wParam == 5)
{
if (!ShellIsFriendlyUIActive() || !IsDxgExclusiveModeActive()) {
return SendMessageW(hwnd, WM_LOGONNOTIFY, LOGON_LOCKWORKSTATION, 0);
}
return(0);
}
// Second excerpt of SASWndProc: only the signature and the
// LOGON_LOCKWORKSTATION case are quoted; the enclosing switch and the rest
// of the function are omitted.
LRESULT SASWndProc(
HWND hwnd,
UINT message,
WPARAM wParam,
LPARAM lParam)
{
case LOGON_LOCKWORKSTATION:
// Clearing this flag re-opens the WM_HOTKEY gate at the top of that branch.
g_fWaitForLockWksMsgFromWin32k = FALSE;
// Lock only when a user is logged on, the GINA's WlxIsLockOk callback
// agrees, the station is not already locked, the state is LoggedOnUser or
// LoggedOn_SAS, and NeedsLockWorkstation(lParam) is true.
if (pTerm->UserLoggedOn &&
pTerm->Gina.pWlxIsLockOk(pTerm->Gina.pGinaContext) &&
(!IsLocked(pTerm->WinlogonState)) &&
(pTerm->WinlogonState == Winsta_LoggedOnUser || pTerm->WinlogonState == Winsta_LoggedOn_SAS) &&
NeedsLockWorkstation(lParam)) {
// esi is a register-derived name; it records that a user switch was started instead of a lock.
DWORD esi = 0;
ShellSwitchWhenInteractiveReady(2, 0);
if (ShellIsFriendlyUIActive() && ShellIsMultipleUsersEnabled()) {
HANDLE h;
// ShellSwitchUser runs while impersonating the logged-on user; if
// impersonation fails (h == 0) the code falls through to the normal lock path.
h = ImpersonateUser(&pTerm->pWinStaWinlogon->UserProcessData, 0);
if (h) {
if (!ShellSwitchUser(1)) {
g_fWaitForSwitchUser = TRUE;
esi = 1;
}
// Impersonation is dropped on both outcomes of ShellSwitchUser.
StopImpersonating(h);
}
}
if (esi)
break;
ShellStatusHostEnd(0);
// With the screen saver active, a SAS (type 3) is sent to the top window and
// the lock is not performed here.
if (pTerm->ScreenSaverActive) {
pTerm->field_1484 = TRUE;
SendSasToTopWindow(pTerm, 3);
break;
}
if (pTerm->WinlogonState == Winsta_LoggedOn_SAS) {
SendSasToTopWindow(pTerm, 0);
}
// Switch to the winlogon desktop before showing the lock UI.
SetActiveDesktop(pTerm, Desktop_Winlogon);
// A result of 4 from DoLockWksta is routed on through SASRouter; the meaning
// of the value 4 is not shown on this page.
if (DoLockWksta (pTerm, FALSE) == 4) {
SASRouter(pTerm, 4);
return FALSE;
}
}
break;
id=6的情况:
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagHOTKEY *)0xe16daca8)
((win32k!tagHOTKEY *)0xe16daca8) : 0xe16daca8 [Type: tagHOTKEY *]
[+0x000] pti : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc643244 [Type: tagWND *]
[+0x008] fsModifiers : 0x8 [Type: unsigned short] #define MOD_WIN 0x0008
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x55 [Type: unsigned int]
[+0x010] id : 6 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
1: kd> x winlogon!bRegisteredUtilMan
010580f4 winlogon!bRegisteredUtilMan = 0n1
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagHOTKEY *)0xe16daca8)
((win32k!tagHOTKEY *)0xe16daca8) : 0xe16daca8 [Type: tagHOTKEY *]
[+0x000] pti : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc643244 [Type: tagWND *]
[+0x008] fsModifiers : 0x8 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x55 [Type: unsigned int]
[+0x010] id : 6 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
// Two excerpts from SASWndProc, quoted back to back.
// 1) WM_HOTKEY, id 6 (Win+U): re-sent to the same window as
//    WM_LOGONNOTIFY / LOGON_ACCESSNOTIFY with lParam 6.
if (wParam == 6)
{
return SendMessageW(hwnd, WM_LOGONNOTIFY, LOGON_ACCESSNOTIFY, 6);
}
// 2) The LOGON_ACCESSNOTIFY case that receives it: wParam and lParam are
//    handed unchanged to SasAccessNotify (the break after return is unreachable).
case LOGON_ACCESSNOTIFY:
return SasAccessNotify( pTerm,
wParam,
lParam );
break;
/*
 * Handles LOGON_ACCESSNOTIFY for SASWndProc (excerpt: the listing stops right
 * after CreateWinlogonJob(), so the actual process creation is not shown).
 *
 * LOWORD(lParam) selects the action: ACCESS_UTILITYMANAGER starts
 * UtilManStartThread on a new thread; every other listed code builds a
 * "sethc <3 chars>" command line in buf and resolves the current input
 * desktop name into szDesktop.
 *
 * Security relevance: this is where winlogon prepares to start accessibility
 * helpers. Tampering with such helper binaries is tracked as MITRE ATT&CK
 * T1546.008, so their integrity is worth monitoring.
 */
int SasAccessNotify(PTERMINAL pTerm, WPARAM wParam, LPARAM lParam) {
WCHAR szDesktop[MAX_PATH];
HANDLE hThread;
HDESK hDesk;
// buf receives "sethc " plus the three characters in bb; bb[3] is the terminator.
WCHAR buf[80], bb[4];
int Len1, Len2;
BOOL b;
void* Job;
BOOL fLParamBit;
switch (LOWORD(lParam)) {
case ACCESS_UTILITYMANAGER/*6*/:
// NOTE(review): the CreateThread result is passed to CloseHandle without a NULL check.
hThread = CreateThread(NULL, 0, UtilManStartThread, (LPVOID)pTerm, 0, NULL);
CloseHandle(hThread);
break;
// Each case below sets the first two argument characters and fLParamBit,
// which selects how the third character is chosen at SpawnProcess.
case ACCESS_STICKYKEYS/*1*/: bb[0] = '2'; bb[1] = '1'; fLParamBit = FALSE; goto SpawnProcess;
case ACCESS_FILTERKEYS/*2*/: bb[0] = '2'; bb[1] = '2'; fLParamBit = FALSE; goto SpawnProcess;
case ACCESS_TOGGLEKEYS/*4*/: bb[0] = '2'; bb[1] = '3'; fLParamBit = FALSE; goto SpawnProcess;
case ACCESS_MOUSEKEYS/*3*/: bb[0] = '2'; bb[1] = '4'; fLParamBit = FALSE; goto SpawnProcess;
case ACCESS_HIGHCONTRAST/*5*/: bb[0] = '2'; bb[1] = '5'; fLParamBit = FALSE; goto SpawnProcess;
case ACCESS_HIGHCONTRASTON/*8*/: case ACCESS_HIGHCONTRASTONNOREG/*12*/: bb[0] = '1'; bb[1] = '0'; fLParamBit = TRUE; goto SpawnProcess;
case ACCESS_HIGHCONTRASTOFF/*9*/: case ACCESS_HIGHCONTRASTOFFNOREG/*13*/: bb[0] = '0'; bb[1] = '1'; fLParamBit = TRUE; goto SpawnProcess;
// The last case has no goto: it falls through into the SpawnProcess label.
case ACCESS_HIGHCONTRASTCHANGE/*10*/: case ACCESS_HIGHCONTRASTCHANGENOREG/*14*/: bb[0] = '1'; bb[1] = '1'; fLParamBit = TRUE;
SpawnProcess:
// Third character: from the ACCESS_HIGHCONTRASTNOREG bit of lParam for the
// high-contrast codes, otherwise from IsNotifReq() on the window station.
if (fLParamBit) {
if (LOWORD(lParam) & ACCESS_HIGHCONTRASTNOREG) {
bb[2] = TEXT('1');
} else {
bb[2] = TEXT('0');
}
} else {
if (IsNotifReq(pTerm->pWinStaWinlogon)) {
bb[2] = TEXT('1');
} else {
bb[2] = TEXT('0');
}
}
bb[3] = 0;
// NOTE(review): the command line names "sethc" without a path; how the
// later process creation resolves it is not visible in this excerpt.
wsprintfW(buf, L”sethc %ws”, bb);
// The helper is aimed at whichever desktop currently receives input.
hDesk = OpenInputDesktop(0, FALSE, MAXIMUM_ALLOWED);
if (!hDesk) break;
// NOTE(review): wsprintfW takes no destination size; the length of
// lpWinstaName is not visible here.
wsprintfW (szDesktop, L”%s\”, pTerm->pWinStaWinlogon->lpWinstaName);
Len1 = wcslen(szDesktop);
// NOTE(review): b and Len2 are not examined in the lines shown. The length
// argument is given as a WCHAR count (MAX_PATH minus Len1); the API documents
// it as a byte count, which would under-report the space - confirm. The dash
// in that expression is an en dash introduced by extraction.
b = GetUserObjectInformation(hDesk, UOI_NAME, &szDesktop[Len1], MAX_PATH – Len1, &Len2);
Job = CreateWinlogonJob();
/*
 * win32k hotkey dispatch (excerpt: only the signature and the final delivery
 * step are quoted; the lookup that yields phk and pwnd is omitted and the
 * function is not closed here).
 */
BOOL xxxDoHotKeyStuff(
UINT vk,
BOOL fBreak,
DWORD fsReserveKeys)
{
if (pwnd) {
/* The desktop's shell window gets SC_TASKLIST as a WM_SYSCOMMAND rather than as a WM_HOTKEY. */
if (pwnd == pwnd->head.rpdesk->pDeskInfo->spwndShell && phk->id == SC_TASKLIST) {
PostTaskListSysCmd:
_PostMessage(pwnd, WM_SYSCOMMAND, SC_TASKLIST, 0);
} else {
/*
 * Every other registration is delivered as WM_HOTKEY: wParam is the id given
 * at registration, lParam packs gfsModifiers (low word) and vk (high word).
 * This is the message SASWndProc receives.
 */
_PostMessage(pwnd, WM_HOTKEY, phk->id, MAKELONG(gfsModifiers, vk));
}
BOOL _PostMessage(
PWND pwnd,
UINT message,
WPARAM wParam,
LPARAM lParam)
{
官方参考:
#define WM_HOTKEY 0x0312
参数
wParam
生成消息的热键的标识符。 如果消息由系统定义的热键生成,则此参数将是以下值之一。
值 含义
IDHOT_SNAPDESKTOP -2 按下了“贴靠桌面”热键。
IDHOT_SNAPWINDOW -1 按下了“贴靠窗口”热键。
lParam
低位字指定与高位字所指定的键同时按下、从而生成 WM_HOTKEY 消息的修饰键,可以是以下一个或多个值的组合。 高位字指定热键的虚拟键码。
值 含义
MOD_ALT 0x0001 其中一个 ALT 键已被按住。
MOD_CONTROL 0x0002 按住任一 CTRL 键。
MOD_SHIFT 0x0004 按住了任一 SHIFT 键。
MOD_WIN 0x0008 按住了任一 WINDOWS 键。 这些键标有 Windows 徽标。 涉及 WINDOWS 键的热键保留供操作系统使用。
/*
 * Pack two 16-bit values into one 32-bit value: l becomes the low word and
 * h the high word. Both arguments are truncated to USHORT first.
 * Example from this page: MAKELONG(gfsModifiers = 3, vk = 0x2e) gives
 * 0x002e0003, the lParam seen in SASWndProc for Ctrl+Alt+Del.
 */
#define MAKEULONG(l, h) \
    ((ULONG)((USHORT)(l) | (((ULONG)((USHORT)(h))) << 16)))
/* Signed view of the same packed value. */
#define MAKELONG(l, h)  ((LONG)MAKEULONG((l), (h)))
0x2e0003
参考:id=0的情况
wParam = 0
1: kd> t
Breakpoint 16 hit
eax=c0000000 ebx=00000000 ecx=00000000 edx=00000000 esi=01019e08 edi=0006f864
eip=01019e08 esp=0006f7f0 ebp=0006f818 iopl=0 nv up ei pl nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000207
winlogon!SASWndProc:
001b:01019e08 55 push ebp
1: kd> kc
#
00 winlogon!SASWndProc
01 USER32!InternalCallWinProc
02 USER32!UserCallWinProcCheckWow
03 USER32!DispatchMessageWorker
04 USER32!DispatchMessageW
05 USER32!DialogBox2
06 USER32!InternalDialogBox
07 USER32!DialogBoxIndirectParamAorW
08 USER32!DialogBoxParamW
09 USER32!DialogBoxParamW_wrapper
0a winlogon!Fusion_DialogBoxParam
0b winlogon!TimeoutDialogBoxParam
0c winlogon!WlxDialogBoxParam
0d MSGINA!WlxDisplayLockedNotice
0e winlogon!DoLockWksta
0f winlogon!DoScreenSaver
10 winlogon!LoggedonDlgProc
11 winlogon!RootDlgProc
12 USER32!InternalCallWinProc
13 USER32!UserCallDlgProcCheckWow
14 USER32!DefDlgProcWorker
15 USER32!DefDlgProcW
16 USER32!InternalCallWinProc
17 USER32!UserCallWinProcCheckWow
18 USER32!DispatchMessageWorker
19 USER32!DispatchMessageW
1a USER32!IsDialogMessageW
1b USER32!DialogBox2
1c USER32!InternalDialogBox
1d USER32!DialogBoxIndirectParamAorW
1e USER32!DialogBoxParamW
1f USER32!DialogBoxParamW_wrapper
20 winlogon!Fusion_DialogBoxParam
21 winlogon!TimeoutDialogBoxParam
22 winlogon!WlxDialogBoxParam
23 winlogon!BlockWaitForUserAction
24 winlogon!MainLoop
25 winlogon!WinMain
26 winlogon!WinMainCRTStartup
1: kd> dv
hwnd = 0x0001001c
message = 0x312
wParam = 0
lParam = 0n3014659
1: kd> ?0n3014659
Evaluate expression: 3014659 = 002e0003
1: kd> x win32k!gphkHashTable
bfa5fc38 win32k!gphkHashTable = struct tagHOTKEY *[128]
1: kd> dx -id 0,0,8960a020 -r1 (*((win32k!tagHOTKEY * (*)[128])0xbfa5fc38))
(*((win32k!tagHOTKEY * (*)[128])0xbfa5fc38)) [Type: tagHOTKEY * [128]]
[0] : 0xe1597990 [Type: tagHOTKEY *]
[1] : 0x0 [Type: tagHOTKEY *]
[2] : 0x0 [Type: tagHOTKEY *]
[3] : 0x0 [Type: tagHOTKEY *]
[4] : 0x0 [Type: tagHOTKEY *]
[5] : 0x0 [Type: tagHOTKEY *]
[6] : 0x0 [Type: tagHOTKEY *]
[7] : 0x0 [Type: tagHOTKEY *]
[8] : 0x0 [Type: tagHOTKEY *]
[9] : 0xe2fd1948 [Type: tagHOTKEY *]
[10] : 0x0 [Type: tagHOTKEY *]
[11] : 0x0 [Type: tagHOTKEY *]
[12] : 0x0 [Type: tagHOTKEY *]
[13] : 0x0 [Type: tagHOTKEY *]
[14] : 0x0 [Type: tagHOTKEY *]
[15] : 0x0 [Type: tagHOTKEY *]
[16] : 0x0 [Type: tagHOTKEY *]
[17] : 0x0 [Type: tagHOTKEY *]
[18] : 0x0 [Type: tagHOTKEY *]
[19] : 0xe30c56a8 [Type: tagHOTKEY *]
[20] : 0x0 [Type: tagHOTKEY *]
[21] : 0x0 [Type: tagHOTKEY *]
[22] : 0x0 [Type: tagHOTKEY *]
[23] : 0x0 [Type: tagHOTKEY *]
[24] : 0x0 [Type: tagHOTKEY *]
[25] : 0x0 [Type: tagHOTKEY *]
[26] : 0x0 [Type: tagHOTKEY *]
[27] : 0xe16ff810 [Type: tagHOTKEY *]
[28] : 0x0 [Type: tagHOTKEY *]
[29] : 0x0 [Type: tagHOTKEY *]
[30] : 0x0 [Type: tagHOTKEY *]
[31] : 0x0 [Type: tagHOTKEY *]
[32] : 0x0 [Type: tagHOTKEY *]
[33] : 0x0 [Type: tagHOTKEY *]
[34] : 0x0 [Type: tagHOTKEY *]
[35] : 0x0 [Type: tagHOTKEY *]
[36] : 0x0 [Type: tagHOTKEY *]
[37] : 0x0 [Type: tagHOTKEY *]
[38] : 0x0 [Type: tagHOTKEY *]
[39] : 0x0 [Type: tagHOTKEY *]
[40] : 0x0 [Type: tagHOTKEY *]
[41] : 0x0 [Type: tagHOTKEY *]
[42] : 0x0 [Type: tagHOTKEY *]
[43] : 0x0 [Type: tagHOTKEY *]
[44] : 0x0 [Type: tagHOTKEY *]
[45] : 0x0 [Type: tagHOTKEY *]
[46] : 0xe13e8b48 [Type: tagHOTKEY *]
[47] : 0x0 [Type: tagHOTKEY *]
[48] : 0x0 [Type: tagHOTKEY *]
[49] : 0x0 [Type: tagHOTKEY *]
[50] : 0x0 [Type: tagHOTKEY *]
[51] : 0x0 [Type: tagHOTKEY *]
[52] : 0x0 [Type: tagHOTKEY *]
[53] : 0x0 [Type: tagHOTKEY *]
[54] : 0x0 [Type: tagHOTKEY *]
[55] : 0x0 [Type: tagHOTKEY *]
[56] : 0x0 [Type: tagHOTKEY *]
[57] : 0x0 [Type: tagHOTKEY *]
[58] : 0x0 [Type: tagHOTKEY *]
[59] : 0x0 [Type: tagHOTKEY *]
[60] : 0x0 [Type: tagHOTKEY *]
[61] : 0x0 [Type: tagHOTKEY *]
[62] : 0x0 [Type: tagHOTKEY *]
[63] : 0x0 [Type: tagHOTKEY *]
[64] : 0x0 [Type: tagHOTKEY *]
[65] : 0x0 [Type: tagHOTKEY *]
[66] : 0xe30c5678 [Type: tagHOTKEY *]
[67] : 0x0 [Type: tagHOTKEY *]
[68] : 0xe16fd760 [Type: tagHOTKEY *]
[69] : 0xe30c3f30 [Type: tagHOTKEY *]
[70] : 0xe2fd1978 [Type: tagHOTKEY *]
[71] : 0x0 [Type: tagHOTKEY *]
[72] : 0x0 [Type: tagHOTKEY *]
[73] : 0x0 [Type: tagHOTKEY *]
[74] : 0x0 [Type: tagHOTKEY *]
[75] : 0x0 [Type: tagHOTKEY *]
[76] : 0xe166f780 [Type: tagHOTKEY *]
[77] : 0xe30c3f60 [Type: tagHOTKEY *]
[78] : 0x0 [Type: tagHOTKEY *]
[79] : 0x0 [Type: tagHOTKEY *]
[80] : 0x0 [Type: tagHOTKEY *]
[81] : 0x0 [Type: tagHOTKEY *]
[82] : 0xe310a260 [Type: tagHOTKEY *]
[83] : 0x0 [Type: tagHOTKEY *]
[84] : 0x0 [Type: tagHOTKEY *]
[85] : 0xe16daca8 [Type: tagHOTKEY *]
[86] : 0x0 [Type: tagHOTKEY *]
[87] : 0x0 [Type: tagHOTKEY *]
[88] : 0x0 [Type: tagHOTKEY *]
[89] : 0x0 [Type: tagHOTKEY *]
[90] : 0x0 [Type: tagHOTKEY *]
[91] : 0x0 [Type: tagHOTKEY *]
[92] : 0x0 [Type: tagHOTKEY *]
[93] : 0x0 [Type: tagHOTKEY *]
[94] : 0x0 [Type: tagHOTKEY *]
[95] : 0x0 [Type: tagHOTKEY *]
[96] : 0x0 [Type: tagHOTKEY *]
[97] : 0x0 [Type: tagHOTKEY *]
[98] : 0x0 [Type: tagHOTKEY *]
[99] : 0x0 [Type: tagHOTKEY *]
[…] [Type: tagHOTKEY * [128]]
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagHOTKEY *)0xe13e8b48)
((win32k!tagHOTKEY *)0xe13e8b48) : 0xe13e8b48 [Type: tagHOTKEY *]
[+0x000] pti : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc643244 [Type: tagWND *]
[+0x008] fsModifiers : 0x7 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x2e [Type: unsigned int]
[+0x010] id : 1 [Type: int]
[+0x014] phkNext : 0xe166f558 [Type: tagHOTKEY *]
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagWND *)0xbc643244)
((win32k!tagWND *)0xbc643244) : 0xbc643244 [Type: tagWND *]
[+0x000] head [Type: _THRDESKHEAD]
[+0x014] state : 0x40020018 [Type: unsigned long]
[+0x018] state2 : 0x80000300 [Type: unsigned long]
[+0x01c] ExStyle : 0x100 [Type: unsigned long]
[+0x020] style : 0x4cf0000 [Type: unsigned long]
[+0x024] hModule : 0x1000000 [Type: void *]
[+0x028] hMod16 : 0x0 [Type: unsigned short]
[+0x02a] fnid : 0x0 [Type: unsigned short]
[+0x02c] spwndNext : 0x0 [Type: tagWND *]
[+0x030] spwndPrev : 0xbc643b74 [Type: tagWND *]
[+0x034] spwndParent : 0xbc640dd4 [Type: tagWND *]
[+0x038] spwndChild : 0x0 [Type: tagWND *]
[+0x03c] spwndOwner : 0x0 [Type: tagWND *]
[+0x040] rcWindow : {LT(0, 0) RB(112, 27) [112 x 27]} [Type: tagRECT]
[+0x050] rcClient : {LT(4, 23) RB(108, 23) [104 x 0]} [Type: tagRECT]
[+0x060] lpfnWndProc : 0x1019e08 [Type: long (*)(tagWND *,unsigned int,unsigned int,long)]
[+0x064] pcls : 0xbc64310c [Type: tagCLS *]
[+0x068] hrgnUpdate : 0x0 [Type: HRGN__ *]
[+0x06c] ppropList : 0x0 [Type: tagPROPLIST *]
[+0x070] pSBInfo : 0x0 [Type: tagSBINFO *]
[+0x074] spmenuSys : 0x0 [Type: tagMENU *]
[+0x078] spmenu : 0x0 [Type: tagMENU *]
[+0x07c] hrgnClip : 0x0 [Type: HRGN__ *]
[+0x080] strName [Type: _LARGE_UNICODE_STRING]
[+0x08c] cbwndExtra : 0 [Type: int]
[+0x090] spwndLastActive : 0xbc643244 [Type: tagWND *]
[+0x094] hImc : 0x0 [Type: HIMC__ *]
[+0x098] dwUserData : 0x77418 [Type: unsigned long]
[+0x09c] pActCtx : 0x0 [Type: _ACTIVATION_CONTEXT *]
1: kd> u 1019e08
winlogon!SASWndProc [d:srv03rtmdssecurityginawinlogonsas.c @ 1216]:
01019e08 55 push ebp
01019e09 8bec mov ebp,esp
01019e0b 81ec00070000 sub esp,700h
01019e11 a16c460501 mov eax,dword ptr [winlogon!__security_cookie (0105466c)]
01019e16 53 push ebx
01019e17 56 push esi
01019e18 8b7508 mov esi,dword ptr [ebp+8]
01019e1b 57 push edi
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagHOTKEY *)0xe166f558)
((win32k!tagHOTKEY *)0xe166f558) : 0xe166f558 [Type: tagHOTKEY *]
[+0x000] pti : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc643244 [Type: tagWND *]
[+0x008] fsModifiers : 0x3 [Type: unsigned short]
[+0x00a] wFlags : 0x8000 [Type: unsigned short]
[+0x00c] vk : 0x2e [Type: unsigned int]
[+0x010] id : 0 [Type: int]
[+0x014] phkNext : 0x0 [Type: tagHOTKEY *]
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagWND *)0xbc643244)
((win32k!tagWND *)0xbc643244) : 0xbc643244 [Type: tagWND *]
[+0x000] head [Type: _THRDESKHEAD]
[+0x014] state : 0x40020018 [Type: unsigned long]
[+0x018] state2 : 0x80000300 [Type: unsigned long]
[+0x01c] ExStyle : 0x100 [Type: unsigned long]
[+0x020] style : 0x4cf0000 [Type: unsigned long]
[+0x024] hModule : 0x1000000 [Type: void *]
[+0x028] hMod16 : 0x0 [Type: unsigned short]
[+0x02a] fnid : 0x0 [Type: unsigned short]
[+0x02c] spwndNext : 0x0 [Type: tagWND *]
[+0x030] spwndPrev : 0xbc643b74 [Type: tagWND *]
[+0x034] spwndParent : 0xbc640dd4 [Type: tagWND *]
[+0x038] spwndChild : 0x0 [Type: tagWND *]
[+0x03c] spwndOwner : 0x0 [Type: tagWND *]
[+0x040] rcWindow : {LT(0, 0) RB(112, 27) [112 x 27]} [Type: tagRECT]
[+0x050] rcClient : {LT(4, 23) RB(108, 23) [104 x 0]} [Type: tagRECT]
[+0x060] lpfnWndProc : 0x1019e08 [Type: long (*)(tagWND *,unsigned int,unsigned int,long)]
[+0x064] pcls : 0xbc64310c [Type: tagCLS *]
[+0x068] hrgnUpdate : 0x0 [Type: HRGN__ *]
[+0x06c] ppropList : 0x0 [Type: tagPROPLIST *]
[+0x070] pSBInfo : 0x0 [Type: tagSBINFO *]
[+0x074] spmenuSys : 0x0 [Type: tagMENU *]
[+0x078] spmenu : 0x0 [Type: tagMENU *]
[+0x07c] hrgnClip : 0x0 [Type: HRGN__ *]
[+0x080] strName [Type: _LARGE_UNICODE_STRING]
[+0x08c] cbwndExtra : 0 [Type: int]
[+0x090] spwndLastActive : 0xbc643244 [Type: tagWND *]
[+0x094] hImc : 0x0 [Type: HIMC__ *]
[+0x098] dwUserData : 0x77418 [Type: unsigned long]
[+0x09c] pActCtx : 0x0 [Type: _ACTIVATION_CONTEXT *]
1: kd> u 1019e08
winlogon!SASWndProc [d:srv03rtmdssecurityginawinlogonsas.c @ 1216]:
01019e08 55 push ebp
01019e09 8bec mov ebp,esp
01019e0b 81ec00070000 sub esp,700h
01019e11 a16c460501 mov eax,dword ptr [winlogon!__security_cookie (0105466c)]
01019e16 53 push ebx
01019e17 56 push esi
01019e18 8b7508 mov esi,dword ptr [ebp+8]
01019e1b 57 push edi
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagHOTKEY *)0xe13e8b48)
((win32k!tagHOTKEY *)0xe13e8b48) : 0xe13e8b48 [Type: tagHOTKEY *]
[+0x000] pti : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x004] spwnd : 0xbc643244 [Type: tagWND *]
[+0x008] fsModifiers : 0x7 [Type: unsigned short]
[+0x00a] wFlags : 0x0 [Type: unsigned short]
[+0x00c] vk : 0x2e [Type: unsigned int]
[+0x010] id : 1 [Type: int]
[+0x014] phkNext : 0xe166f558 [Type: tagHOTKEY *]
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagTHREADINFO *)0xe1404c50)
((win32k!tagTHREADINFO *)0xe1404c50) : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x000] pEThread : 0x897f2020 [Type: _ETHREAD *]
1: kd> !THREAD 0x897f2020
THREAD 897f2020 Cid 01c8.01cc Teb: 7ffde000 Win32Thread: e1404c50 RUNNING on processor 1
IRP List:
89590158: (0006,0094) Flags: 00000800 Mdl: 00000000
Not impersonating
DeviceMap e10003d8
Owning Process 89413020 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 274797187 Ticks: 2 (0:00:00:00.031)
Context Switch Count 3462 IdealProcessor: 1 LargeStack
UserTime 00:00:14.375
KernelTime 00:00:30.968
Stack Init f75c7000 Current f75c6bf0 Base f75c7000 Limit f75c2000 Call 00000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr Args to Child
f75c6c40 bf8ad571 e1404c50 f75c6d04 00000000 win32k!xxxScanSysQueue+0x18a0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserkernelinput.c @ 5153]
f75c6cd8 bf89b537 f75c6d04 00000000 00000000 win32k!xxxRealInternalGetMessage+0x3c3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserkernelinput.c @ 636]
f75c6d3c 80afbcb2 0006f8f8 00000000 00000000 win32k!NtUserPeekMessage+0x7d (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserkernel
tstubs.c @ 5734]
f75c6d3c 7ffe0304 0006f8f8 00000000 00000000 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ f75c6d64) (CONV: cdecl) [d:srv03rtmase
toskei386 rap.asm @ 1328]
0006f878 77d20744 77cbe70b 0006f8f8 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
0006f8a4 77cc410d 0006f8f8 00000000 00000000 USER32!NtUserPeekMessage+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscoreumodedaytonaobji386usrstubs.c @
3891]
0006f8d0 77cdfedd 0006f8f8 00000000 00000000 USER32!PeekMessageW+0xf5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientcltxt.h @ 661]
0006f918 77cff459 001800e0 00000000 00000010 USER32!DialogBox2+0xe2 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientdlgmgr.c @ 1109]
0006f940 77ce5e58 75080000 750b7580 00000000 USER32!InternalDialogBox+0x108 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientdlgmgr.c @ 1353]
0006f960 77ce76e7 75080000 750b7580 00000000 USER32!DialogBoxIndirectParamAorW+0x67 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientclres.c @ 806]
0006f984 77cf607b 75080000 0000079e 00000000 USER32!DialogBoxParamW+0x3d (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientclres.c @ 954]
0006f9ac 0102e8fc 75080000 0000079e 00000000 USER32!DialogBoxParamW_wrapper+0x5a (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientclres.c @ 933]
0006f9d0 010221e2 75080000 0000079e 00000000 winlogon!Fusion_DialogBoxParam+0x22 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmdssecurityginawinlogonfusion.cpp @ 39]
0006fa14 0102c860 00077418 75080000 0000079e winlogon!TimeoutDialogBoxParam+0x36 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmdssecurityginawinlogon imeout.c @ 1092]
0006fa4c 750954e8 00077418 75080000 0000079e winlogon!WlxDialogBoxParam+0xb7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmdssecurityginawinlogonwlxutil.c @ 898]
0006fa94 01028556 00000000 00000001 00000003 MSGINA!WlxWkstaLockedSAS+0x8b (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmdssecurityginamsginamslock.c @ 504]
0006fab0 010287b8 00000008 00000001 00000002 winlogon!DoLockWksta+0x14b (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmdssecurityginawinlogonwlx.c @ 2334]
0006fad4 01029362 00000000 00000000 00077418 winlogon!DoScreenSaver+0xbd (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmdssecurityginawinlogonwlx.c @ 2536]
0006faf0 0102c2bd 0006001e 00000659 00000002 winlogon!LoggedonDlgProc+0x53 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmdssecurityginawinlogonwlx.c @ 2746]
0006fb14 77ce7ee3 0006001e 00000659 00000002 winlogon!RootDlgProc+0x8d (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmdssecurityginawinlogonwlxutil.c @ 343]
0006fb40 77cf2d66 0102c230 0006001e 00000659 USER32!InternalCallWinProc+0x1b [d:srv03rtmwindowscore
tuserclienti386callproc.asm @ 102]
0006fbbc 77cd4af3 00000000 0102c230 0006001e USER32!UserCallDlgProcCheckWow+0x147 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientclmsg.c @ 228]
0006fc04 77ce6bf6 00000000 00000659 00000002 USER32!DefDlgProcWorker+0x11f (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientdlgmgr.c @ 511]
0006fc20 77ce7ee3 0006001e 00000659 00000002 USER32!DefDlgProcW+0x20 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientdlgmgr.c @ 1021]
0006fc4c 77cf2bff 77ce6bd6 0006001e 00000659 USER32!InternalCallWinProc+0x1b [d:srv03rtmwindowscore
tuserclienti386callproc.asm @ 102]
0006fcc4 77cbe3db 00000000 77ce6bd6 0006001e USER32!UserCallWinProcCheckWow+0x151 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientclmsg.c @ 165]
0006fd2c 77cc4014 0006fd7c 00000000 0006fd60 USER32!DispatchMessageWorker+0x3e3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientclmsg.c @ 2497]
0006fd3c 77cdb482 0006fd7c 00000000 007d3b74 USER32!DispatchMessageW+0xd (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientcltxt.h @ 1046]
0006fd60 77cdff3d 0006001e 007d3b74 00000000 USER32!IsDialogMessageW+0x39b (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientdlgmgr2.c @ 739]
0006fd9c 77cff459 0006001e 00000000 00000010 USER32!DialogBox2+0x142 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientdlgmgr.c @ 1181]
0006fdc4 77ce5e58 01000000 01059dd0 00000000 USER32!InternalDialogBox+0x108 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientdlgmgr.c @ 1353]
0006fde4 77ce76e7 01000000 01059dd0 00000000 USER32!DialogBoxIndirectParamAorW+0x67 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientclres.c @ 806]
0006fe08 77cf607b 01000000 00000578 00000000 USER32!DialogBoxParamW+0x3d (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientclres.c @ 954]
0006fe30 0102e8fc 01000000 00000578 00000000 USER32!DialogBoxParamW_wrapper+0x5a (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserclientclres.c @ 933]
0006fe54 010221e2 01000000 00000578 00000000 winlogon!Fusion_DialogBoxParam+0x22 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmdssecurityginawinlogonfusion.cpp @ 39]
0006fe98 0102c860 00077418 01000000 00000578 winlogon!TimeoutDialogBoxParam+0x36 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmdssecurityginawinlogon imeout.c @ 1092]
0006fed0 01029579 00077418 01000000 00000578 winlogon!WlxDialogBoxParam+0xb7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmdssecurityginawinlogonwlxutil.c @ 898]
0006fef4 010299f3 00077418 00077418 00000004 winlogon!BlockWaitForUserAction+0x38 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmdssecurityginawinlogonwlx.c @ 3105]
0006ff14 01026637 00077418 ffffffff 00000000 winlogon!MainLoop+0x44c (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmdssecurityginawinlogonwlx.c @ 3665]
0006ff50 0102edc6 000a7cb0 00000000 00072f0c winlogon!WinMain+0x4c7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmdssecurityginawinlogonwinlogon.c @ 1350]

