又是系统热键分析,静静的夜里分析起来,比打麻将时间过得快...
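/*
 * HOTKEY: one node of win32k's singly linked list of registered hot keys.
 * The list head is win32k!gphkFirst; on this 32-bit build each node is six
 * DWORDs, which is why the dumps below use `dd /c 6 <node> L6`.
 *
 * The first member is a POINTER to the owning thread's W32THREAD, not an
 * embedded W32THREAD: `dt win32k!_W32THREAD` reports that struct as 0x28
 * bytes, while the dumps show the field as one DWORD (e29749b0) whose
 * target starts with pEThread. The original listing declared it as a
 * by-value `W32THREAD pti;`, which does not match the dumped layout.
 *
 * Offsets (32-bit): pti +0, spwnd +4, fsModifiers +8, wFlags +0xa,
 * vk +0xc, id +0x10, phkNext +0x14 (total 0x18 = 6 DWORDs).
 */
#ifndef _WINDEF_
typedef unsigned short WORD; /* 16-bit, as in <windef.h> */
typedef unsigned int UINT;   /* 32-bit, as in <windef.h> */
#endif

struct _W32THREAD; /* win32k per-thread info; layout via `dt win32k!_W32THREAD` */
struct tagWND;     /* window object (PWND); only the pointer is used here */

typedef struct tagHOTKEY {
    struct _W32THREAD *pti;    /* owning thread's W32THREAD; ->pEThread gives the _ETHREAD */
    struct tagWND *spwnd;      /* window the hot key was registered for */
    WORD fsModifiers;          /* MOD_SHIFT, MOD_ALT, MOD_CONTROL, MOD_WIN */
    WORD wFlags;               /* MOD_SAS */
    UINT vk;                   /* virtual-key code */
    int id;                    /* hot-key id */
    struct tagHOTKEY *phkNext; /* next node in the gphkFirst list */
} HOTKEY, *PHOTKEY;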
lkd> x /t /v /q /d win32k!gphkFirst
pub global bf9b0bd8 0 @!"win32k!gphkFirst" =
lkd> dd /c 6 dwo(win32k!gphkFirst) L6
e10687d8 e29749b0 bbe68840 00000006 000000c0 0000c01a e2e8c8f8
lkd> dd /c 6 e2e8c8f8 L6
e2e8c8f8 e29749b0 bbe68840 00000003 0000004a 0000000c e2f4cab8
lkd> dd /c 6 e2f4cab8 L6
e2f4cab8 e29749b0 bbe68840 00000003 000000bd 0000000b e28d4d20
lkd> dd /c 6 e28d4d20 L6
e28d4d20 e29749b0 bbe68840 00000003 0000004e 0000000a e2f30e98
lkd> dt -v win32k!_W32THREAD
struct _W32THREAD, 10 elements, 0x28 bytes
+0x000 pEThread : Ptr32 to struct _ETHREAD, 0 elements, 0x0 bytes
lkd> dt -v nt!_ETHREAD
struct _ETHREAD, 55 elements, 0x260 bytes
+0x000 Tcb : struct _KTHREAD, 74 elements, 0x1c0 bytes
...
+0x220 ThreadsProcess : Ptr32 to struct _EPROCESS, 107 elements, 0x260 bytes
^^^^^^^^^^^^^^^^^
+0x224 StartAddress : Ptr32 to Void
...
lkd> dt -v nt!_EPROCESS
struct _EPROCESS, 107 elements, 0x260 bytes
+0x000 Pcb : struct _KPROCESS, 29 elements, 0x6c bytes
...
+0x174 ImageFileName : [16] UChar
^^^^^^^^^^^^^^^^
+0x184 JobLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
...
lkd> dd win32k!gphkFirst L1 <--- gphkFirst 的值，即链表中第一个 HOTKEY 的地址
bf9b0bd8 e10687d8
lkd> dd e10687d8 L1 <--- HOTKEY->pti，指向 W32THREAD
e10687d8 e29749b0
lkd> dd e29749b0 L1 <--- W32THREAD->pEThread (+0x000)，指向 _ETHREAD
e29749b0 85d64990
lkd> dd 85d64990+0x220 L1 <--- _ETHREAD->ThreadsProcess (+0x220)，指向 _EPROCESS
85d64bb0 86e1db30
lkd> da 86e1db30+174 <--- _EPROCESS->ImageFileName (+0x174；WinDbg 默认基数为 16，这里的 174 即 0x174)
86e1dca4 "explorer.exe"
为了取进程名竟然跳了5次... 注意 0x220、0x174 这些偏移只对这一版本的 32 位内核成立，写代码时应通过符号或按内核版本查表解析，不要硬编码。