手工消息断点的一个小例子

来源:转载

标 题:手工消息断点的一个小例子
作 者:syrhades
时 间:2010-04-04 15:00:39
链 接:http://bbs.pediy.com/showthread.php?t=110200


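一直想对消息机制感兴趣 涉及 1。消息过程 2。消息记录断点 3。在调试的过程中捕捉消息 4。欺骗消息过程用一个小对话框来看看 代码

#include "stdafx.h"

// Minimal Win32 password dialog used by the article as the target for message
// breakpoints: a top-level window with an OK button (id 10123), a Cancel button
// (id 10456) and a password edit control (id 10789). The message loop below is
// where the DispatchMessageA breakpoint in the article fires; PwdWindow is the
// window procedure that receives the dispatched messages.
LRESULT CALLBACK PwdWindow(HWND, UINT, WPARAM, LPARAM);

// Entry point: registers the window class, builds the dialog and pumps messages.
// Returns 0 in every path; on Cancel (PostQuitMessage(0)) the process exits via
// exit(0) before DestroyWindow, exactly as the original listing does.
int APIENTRY _tWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, int nCmdShow)
{
    MSG msg;
    WNDCLASSEX wcex;
    HWND hWnd = NULL;
    HWND hEdit = NULL;
    BOOL ret = FALSE;

    (void) memset( &wcex, 0x00, sizeof(WNDCLASSEX) );

    wcex.cbSize = sizeof(WNDCLASSEX);
    wcex.style = CS_HREDRAW | CS_VREDRAW;
    wcex.lpfnWndProc = PwdWindow;
    // The original left hInstance at 0 after the memset; the class is owned by
    // this module, so register it against the module handle we were given.
    wcex.hInstance = hInstance;
    wcex.hCursor = LoadCursor(NULL, IDC_ARROW);
    wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW+2);
    // NOTE(review): this class-name literal looks mangled by the page's e-mail
    // obfuscation ("@[email protected]"); confirm against the original source.
    wcex.lpszClassName = "@[email protected]";

    RegisterClassEx(&wcex);

    hWnd = CreateWindow( "@[email protected]", " Type the password ...", WS_OVERLAPPED,
                         GetSystemMetrics(SM_CXSCREEN)/2-100, GetSystemMetrics(SM_CYSCREEN)/2-75,
                         200, 150, NULL, NULL, hInstance, NULL);
    if (!hWnd)
        return 0;

    // Child control ids (10123 / 10456 / 10789) are the values the article later
    // recognises in the disassembly (278B / 28D8 / 2A25).
    CreateWindow("BUTTON", "OK", WS_CHILD | WS_VISIBLE | BS_TEXT, 10, 80, 70, 30, hWnd, (HMENU)10123, hInstance, NULL);
    CreateWindow("BUTTON", "Cancel", WS_CHILD | WS_VISIBLE | BS_TEXT, 110, 80, 70, 30, hWnd, (HMENU)10456, hInstance, NULL);
    hEdit = CreateWindow("EDIT", NULL, WS_CHILD | WS_VISIBLE | WS_BORDER | ES_PASSWORD | ES_AUTOHSCROLL,
                         10, 20, 170, 25, hWnd, (HMENU)10789, hInstance, NULL);

    ShowWindow(hWnd, SW_SHOW);
    UpdateWindow(hWnd);
    SetFocus(hEdit);

    // GetMessage returns 0 on WM_QUIT and -1 on error; the original "while (GetMessage(...))"
    // would spin forever on -1, so treat it as loop exit.
    while ( (ret = GetMessage(&msg, NULL, 0, 0)) != 0 )
    {
        if ( ret == -1 )
            break;
        TranslateMessage(&msg);   // produces WM_CHAR from key messages
        DispatchMessage(&msg);    // hands msg to PwdWindow -- the breakpoint site in the article
    }

    // msg.wParam is the PostQuitMessage exit code; the listing exits hard on 0.
    if ( (int)msg.wParam == 0 )
        exit(0);

    DestroyWindow(hWnd);
    return 0;
}

// Window procedure for the password dialog.
// Handles WM_COMMAND from the two buttons; everything else goes to DefWindowProc.
// hWnd    -- the dialog window
// message -- the message id (0x111 == WM_COMMAND is the only one handled here)
// wParam  -- low word is the child control id
// lParam  -- passed through unchanged
// Returns 0 for handled messages, DefWindowProc's result otherwise.
LRESULT CALLBACK PwdWindow(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    int wmId = -1;
    char pwd[32];

    switch (message)
    {
    case WM_COMMAND:
        {
            wmId = LOWORD(wParam);
            switch (wmId)
            {
            case 10123:
                {
                    // GetWindowText copies at most sizeof(pwd)-1 chars and NUL-terminates,
                    // so pwd is always a valid C string for strcmp even on long input.
                    (void) memset( pwd, 0x00, sizeof(pwd) );
                    GetWindowText( GetDlgItem(hWnd, 10789), pwd, sizeof(pwd) );
                    // The expected password is a plaintext constant in the binary; this is
                    // what the article's disassembly recovers as 'push 00483DEC ; ASCII "123456"'.
                    if ( strcmp( pwd, "123456" ) )
                    {
                        MessageBox( hWnd, "Sorry! Wrong password.", "Password", MB_ICONERROR );
                    }
                    else
                        ::MessageBoxA(hWnd, "Right password.", "Password", MB_OK);
                }
                break;
            case 10456:
                PostQuitMessage(0);
                break;
            default:
                break;
            }
        }
        break;
    default:
        return DefWindowProc(hWnd, message, wParam, lParam);
    }
    return 0;
}

GetMessage 取数据放入&msg TranslateMessage 取&msg 进行一下处理 DispatchMessage 取&msg发送给处理循环消息PwdWindow》》如图1

Msg结构为
tagMSG struc ; (sizeof=0x1C)
00000000 hwnd dd ? ; offset
00000004 message dd ?
00000008 wParam dd ?
0000000C lParam dd ?
00000010 time dd ?
00000014 pt POINT ?
0000001C tagMSG ends

我们实际操作验证一下 1)对DispatchMessageA 下条件记录断点 如图2 》》 dispatchMessageA log》》F9 log窗口观察生成很多记录 如下 Log data 地址 消息
77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = MSG(C0C1) wParam = 11 lParam = 1009EA
77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = MSG(C0CC) hw = 1B097C ("CicMarshalWndMOKB") wParam = 0 lParam = 0
77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 103. Y = 92.
77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_PAINT hw = 100AA8 (" Type the password ...")
77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_PAINT hw = F0A0A ("OK")
77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_PAINT hw = F0A22 ("Cancel")
77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28
77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28
77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28
77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 103. Y = 91.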
77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_PAINT hw = F0A94 (class="Edit") 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_TIMER hw = F0A60 ("M") ID = 1 Callback = 0 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 102. Y = 91. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 98. Y = 90. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 87. Y = 91. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 83. Y = 91. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 82. Y = 91. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 81. Y = 91. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 68. Y = 12. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 66. Y = 12. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 64. Y = 12. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 63. Y = 12. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 62. Y = 12. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 61. Y = 12. 
77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 60. Y = 12. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 61. Y = 12. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 66. Y = 11. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 80. Y = 91. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 82. Y = 91. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 87. Y = 91. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 89. Y = 91. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 95. Y = 92. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 98. Y = 92. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 100. Y = 92. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 103. Y = 92. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 105. Y = 92. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 109. Y = 92. 
77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 2. Y = 12. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 7. Y = 12. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 9. Y = 12. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 10. Y = 11. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 13. Y = 11. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 18. Y = 11. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 19. Y = 11. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 20. Y = 11. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 21. Y = 11. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 22. Y = 11. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 21. Y = 11. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 19. Y = 11. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 13. Y = 13. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A22 ("Cancel") Keys = 0 X = 2. Y = 14. 
77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 103. Y = 94. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 94. Y = 94. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 88. Y = 94. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = 100AA8 (" Type the password ...") Keys = 0 X = 83. Y = 94. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 68. Y = 14. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 64. Y = 15. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 62. Y = 16. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 56. Y = 15. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 53. Y = 15. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 48. Y = 16. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 47. Y = 16. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 46. Y = 16. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_LBUTTONDOWN hw = F0A0A ("OK") Keys = MK_LBUTTON X = 46. Y = 16. 
77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = MSG(C0C1) wParam = 11 lParam = F0A0A 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = MSG(C0CC) hw = 1B097C ("CicMarshalWndMOKB") wParam = 0 lParam = 0 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 lParam = 28 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_LBUTTONUP hw = F0A0A ("OK") Keys = 0 X = 46. Y = 16.》》观察到 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = MSG(C0C6) hw = 1B097C ("CicMarshalWndMOKB") wParam = F8 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_MOUSEMOVE hw = F0A0A ("OK") Keys = 0 X = 46. Y = 16. 77D196B8 COND: 77D196B8 CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858pMsg = WM_LBUTTONDOWN hw = F0A0A ("OK") Keys = MK_LBUTTONLog data, 条目 3 消息= pMsg = WM_LBUTTONUP hw = F0A0A ("OK") Keys = 0 X = 51. Y = 17. 0042D857 |. 50 |push eax ; /pMsg 0042D858 |. FF15 BC744900 |call dword ptr <&USER32.DispatchMessageA>] ; /DispatchMessageA [esp+4] 指向tagMSG 放系统中受到的消息 [[esp+4]+4] 含义为message 代码 因此将表达式改为[[esp+4]+4]再运行 Log中 >>图4 上图的00000202是不是很眼熟啊 对了,就是WM_LBUTTONUP2)最终改记录条件断点 >>图5 结果如下 》》图6 输入密码后按下ok键 断在 是user32领空 77D196B8 > 8BFF mov edi, edi ; ntdll.7C92E920 77D196BA 55 push ebp 77D196BB 8BEC mov ebp, esp 77D196BD 6A 01push 1 77D196BF FF75 08push dword ptr [ebp+8] 77D196C2 E8 2AF2FFFFcall 77D188F1 77D196C7 5D pop ebp 77D196C8 C2 0400 retn 4 堆栈内容为 0012FE50 0042D85E /CALL 到 DispatchMessageA 来自 pwddlgmo.0042D858 0012FE54 0012FEDC /pMsg = WM_LBUTTONUP hw = 120616 ("OK") Keys = 0 X = 55. Y = 17. 
可以看到DispatchMessageA发送了WM_LBUTTONUP,句柄hw = 120616 ("OK")即ok按钮。这个句柄值不固定,什么原因我就不说了。

有兴趣可以看看msg结构在内存中的情况。怎么看呢
0012FE54 0012FEDC /pMsg = WM_LBUTTONUP hw = 120616 ("OK") Keys = 0 X = 55. Y = 17.
0012FEDC即msg结构在内存中的首地址 Dd 0012FEDC 》》图7
0012FEDC 00120616 . --》hwnd===120616
0012FEE0 00000202 .. --》message==202= WM_LBUTTONUP
0012FEE4 00000000 .... --》wParam
0012FEE8 00110037 7. . --》lParam
0012FEEC 01AEB9FD ? --》time
0012FEF0 000001E0 ?.. --》pt (POINT)

4)要返回代码 Alt+m对00400000到00498000下F2再按F9断在42c2f2 Jmp 42d8f0 0042D8F0 即消息处理函数的 后面我就不多说了
0042D8F0 /> /55 push ebp ; winmain
0042D8F1 |. 8BEC mov ebp, esp
0042D8F3 |. 83EC 6C sub esp, 6C
0042D8F6 |. A1 10304900 mov eax, dword ptr [493010]
0042D8FB |. 33C5 xor eax, ebp
0042D8FD |. 8945 FC mov dword ptr [ebp-4], eax
0042D900 |. 53 push ebx
0042D901 |. 56 push esi
0042D902 |. 57 push edi
0042D903 |. C745 F8 FFFFF>mov dword ptr [ebp-8], -1
0042D90A |. 8B45 0C mov eax, dword ptr [ebp+C]
0042D90D |. 8945 94 mov dword ptr [ebp-6C], eax
0042D910 |. 817D 94 11010>cmp dword ptr [ebp-6C], 111
0042D917 |. 74 05 je short 0042D91E
0042D919 |. E9 AE000000 jmp 0042D9CC
0042D91E |> 8B45 10 mov eax, dword ptr [ebp+10]
0042D921 |. 25 FFFF0000 and eax, 0FFFF
0042D926 |. 0FB7C8 movzx ecx, ax
0042D929 |. 894D F8 mov dword ptr [ebp-8], ecx
0042D92C |. 8B45 F8 mov eax, dword ptr [ebp-8]
0042D92F |. 8945 94 mov dword ptr [ebp-6C], eax
0042D932 |. 817D 94 8B270>cmp dword ptr [ebp-6C], 278B
0042D939 |. 74 0E je short 0042D949
0042D93B |. 817D 94 D8280>cmp dword ptr [ebp-6C], 28D8
0042D942 |. 74 7E je short 0042D9C2
0042D944 |. E9 81000000 jmp 0042D9CA
0042D949 |> 6A 20 push 20
0042D94B |. 6A 00 push 0
0042D94D |. 8D45 D8 lea eax, dword ptr [ebp-28]
0042D950 |. 50 push eax
0042D951 |. E8 F5DBFFFF call 0042B54B
0042D956 |. 83C4 0C add esp, 0C
0042D959 |. 6A 20 push 20 ; /Count = 20 (32.)
0042D95B |. 8D45 D8 lea eax, dword ptr [ebp-28] ; |
0042D95E |. 50 push eax ; |Buffer
0042D95F |. 68 252A0000 push 2A25 ; |/ControlID = 2A25 (10789.)
0042D964 |. 
8B4D 08 mov ecx, dword ptr [ebp+8] ; || 0042D967 |. 51 push ecx ; ||hWnd 0042D968 |. FF15 84744900 call dword ptr [<&USER32.GetDlgItem>] ; |/GetDlgItem 0042D96E |. 50 push eax ; |hWnd 0042D96F |. FF15 88744900 call dword ptr [<&USER32.GetWindowTextA>] ; /GetWindowTextA 0042D975 |. 68 EC3D4800 push 00483DEC ; ASCII "123456" 0042D97A |. 8D45 D8 lea eax, dword ptr [ebp-28] 0042D97D |. 50 push eax 0042D97E |. E8 B7DDFFFF call 0042B73A 0042D983 |. 83C4 08 add esp, 8 0042D986 |. 85C0 test eax, eax 0042D988 |. 74 20 je short 0042D9AA 0042D98A |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL 0042D98C |. 68 E03D4800 push 00483DE0 ; |Title = "Password" 0042D991 |. 68 C43D4800 push 00483DC4 ; |Text = "Sorry! Wrong password." 0042D996 |. 8B45 08 mov eax, dword ptr [ebp+8] ; | 0042D999 |. 50 push eax ; |hOwner 0042D99A |. FF15 8C744900 call dword ptr [<&USER32.MessageBoxA>] ; /MessageBoxA 0042D9A0 |. 90 nop 0042D9A1 |. 00FF add bh, bh 0042D9A3 |. 15 90744900 adc eax, <&USER32.PostQuitMessage> 0042D9A8 |. EB 16 jmp short 0042D9C0 0042D9AA |> 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL 0042D9AC |. 68 E03D4800 push 00483DE0 ; |Title = "Password" 0042D9B1 |. 68 B03D4800 push 00483DB0 ; |Text = "Right password." 0042D9B6 |. 8B45 08 mov eax, dword ptr [ebp+8] ; | 0042D9B9 |. 50 push eax ; |hOwner 0042D9BA |. FF15 8C744900 call dword ptr [<&USER32.MessageBoxA>] ; /MessageBoxA 0042D9C0 |> EB 08 jmp short 0042D9CA 0042D9C2 |> 6A 00 push 0 ; /ExitCode = 0 0042D9C4 |. FF15 90744900 call dword ptr [<&USER32.PostQuitMessage>] ; /PostQuitMessage 0042D9CA |> EB 18 jmp short 0042D9E4 0042D9CC |> 8B45 14 mov eax, dword ptr [ebp+14] 0042D9CF |. 50 push eax ; /lParam 0042D9D0 |. 8B4D 10 mov ecx, dword ptr [ebp+10] ; | 0042D9D3 |. 51 push ecx ; |wParam 0042D9D4 |. 8B55 0C mov edx, dword ptr [ebp+C] ; | 0042D9D7 |. 52 push edx ; |Message 0042D9D8 |. 8B45 08 mov eax, dword ptr [ebp+8] ; | 0042D9DB |. 50 push eax ; |hWnd 0042D9DC |. 
FF15 94744900 call dword ptr [<&USER32.DefWindowProcA>] ; /DefWindowProcA
0042D9E2 |. EB 02 jmp short 0042D9E6
0042D9E4 |> 33C0 xor eax, eax
0042D9E6 |> 5F pop edi
0042D9E7 |. 5E pop esi
0042D9E8 |. 5B pop ebx
0042D9E9 |. 8B4D FC mov ecx, dword ptr [ebp-4]
0042D9EC |. 33CD xor ecx, ebp
0042D9EE |. E8 C5D7FFFF call 0042B1B8
0042D9F3 |. 8BE5 mov esp, ebp
0042D9F5 |. 5D pop ebp
0042D9F6 /. C2 1000 retn 10

doc文档: dispatchMessageA log2.doc
-----------------------------------------------------------------------------------
欺骗消息过程

前面已经定位到msg的位置,只要我们在 DispatchMessage前重写msg 结构体,比如将 message 字段(code)改为WM_CLOSE, 调整
tagMSG struc ; (sizeof=0x1C)
00000000 hwnd dd ? ; offset
00000004 message dd ?
00000008 wParam dd ?
0000000C lParam dd ?
00000010 time dd ?
00000014 pt POINT ?
0000001C tagMSG ends
,就可以达到我们关闭的要求,消息过程受到欺骗。 或者对此溢出攻击。

