本文深入探讨了Windows操作系统中桌面的内部结构与组成,揭示了包括DefaultDesktop在内的四个桌面的作用及相互关系,并解析了如何通过特定工具如SoftICE来观察这些桌面。
Who are most familiar with Windows? May be SoftICE, but not always.
This is a common scenario: When you Ctrl+D, and input "hwnd", it is "Unable to find a desktop Window".
How to resolve it ...
By TnTTOOLS, The Art OF Reverse Engineering.
The system setup a session for every logged-in user. win32k.sys is loaded to generate the 4 Desktop: Desktop, Default Desktop, Disconnect Desktop, Winlogon Desktop. Yes, 4, four, for, ...
Even Spy++ just think there is only one desktop.
Figure 1. Properties
-----------------------------------------------------------
ClassName: #32769
TID, Process: csrss.exe
Handle: 0x00010002, 0x00010004, 0x0001000c, 0x00010014
WndProc: win32k!_xxxDesktopWndProc
Module: win32k.sys
-----------------------------------------------------------
We can see their only difference is the handle value. Because these handle values are fixed. I guess that are hard coded.
Figure 2. Root
--------------------------------------------------------
Desktop, 10002
|
|---- Desktop, Default, 10014
|---- Dekstop, Disconnect, 10004
|---- Desktop, Winlogon, 1000c
--------------------------------------------------------
The root node of windows, controls is Desktop, Handle 10002.
Figure 3. Default Desktop and its children
----------------------------------------------------------------------------
Default Desktop
|
|-- Shell_TrayWnd 任务栏
| |--
| |--
|
|
|-- Progman
| |
| |-- SHELLDLL_DefView
| |
| |-- SysListView32, WindowName: FolderView
| |
| |
| SysHeader32
|
|-- ...
----------------------------------------------------------------------------
now, where is our familiar desktop? I know what you mean: the desktop full of a crusty picture and icons.
The desktop with the wallpaper is Default Desktop, in master of win32k.sys;
The desktop full with misc icons is SysListView32, named FolderView, in master of shell32.dll.
When Explorer.exe is loaded, its WinMain creates the two windows: the task bar and the desktop.Guess, what is this desktop? Just the named-FolderView desktop.
Are you confused? Now, loop loop back to the beginning of the article.
End Loop
Next
time, if you want to wander the object tree of windows in Softice, just input "Hwnd 10002".
This is a common scenario: When you Ctrl+D, and input "hwnd", it is "Unable to find a desktop Window".
How to resolve it ...
By TnTTOOLS, The Art OF Reverse Engineering.
The system setup a session for every logged-in user. win32k.sys is loaded to generate the 4 Desktop: Desktop, Default Desktop, Disconnect Desktop, Winlogon Desktop. Yes, 4, four, for, ...
Even Spy++ just think there is only one desktop.
Figure 1. Properties
-----------------------------------------------------------
ClassName: #32769
TID, Process: csrss.exe
Handle: 0x00010002, 0x00010004, 0x0001000c, 0x00010014
WndProc: win32k!_xxxDesktopWndProc
Module: win32k.sys
-----------------------------------------------------------
We can see their only difference is the handle value. Because these handle values are fixed. I guess that are hard coded.
Figure 2. Root
--------------------------------------------------------
Desktop, 10002
|
|---- Desktop, Default, 10014
|---- Dekstop, Disconnect, 10004
|---- Desktop, Winlogon, 1000c
--------------------------------------------------------
The root node of windows, controls is Desktop, Handle 10002.
Figure 3. Default Desktop and its children
----------------------------------------------------------------------------
Default Desktop
|
|-- Shell_TrayWnd 任务栏
| |--
| |--
|
|
|-- Progman
| |
| |-- SHELLDLL_DefView
| |
| |-- SysListView32, WindowName: FolderView
| |
| |
| SysHeader32
|
|-- ...
----------------------------------------------------------------------------
now, where is our familiar desktop? I know what you mean: the desktop full of a crusty picture and icons.
The desktop with the wallpaper is Default Desktop, in master of win32k.sys;
The desktop full with misc icons is SysListView32, named FolderView, in master of shell32.dll.
When Explorer.exe is loaded, its WinMain creates the two windows: the task bar and the desktop.Guess, what is this desktop? Just the named-FolderView desktop.
Are you confused? Now, loop loop back to the beginning of the article.
End Loop
Next
time, if you want to wander the object tree of windows in Softice, just input "Hwnd 10002".
扫一扫
1652
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
