winlogon源代码分析之win32k!xxxScanSysQueue函数对Tab键的处理时KEY_UP的情况两次对pwnd进行了赋值
while (TRUE) {
ULONG_PTR idSysPeek;
DUMPSUBPATHTAKEN(pathTaken, 0xf0);
/*
* Store idSysPeek in a local which forces pq to be reloaded
* in case it changed during the xxx call (the compiler can
* evaluate the LValue at any time)
*/
idSysPeek = (ULONG_PTR)xxxGetNextSysMsg(ptiCurrent,
(PQMSG)ptiCurrent->pq->idSysPeek, &qmsg);
CheckPtiSysPeek(3, ptiCurrent->pq, idSysPeek);
1: kd> g
Breakpoint 23 hit
eax=e16a1150 ebx=e1401a68 ecx=00000000 edx=00000000 esi=e16a1150 edi=bf9eb880
eip=bf80982a esp=f75b6aac ebp=f75b6c40 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
win32k!xxxScanSysQueue+0x1c2:
bf80982a 56 push esi
1: kd> dv
ptiCurrent = 0xe1401a68
lpMsg = 0xf75b6d04 {msg=0x1 wp=0x1 lp=0x80000004}
pwndFilter = 0x00000000
msgMinFilter = 0
msgMaxFilter = 0xffffffff
flags = 1
1: kd> dx -id 0,0,894d43e0 -r1 (*((win32k!tagMLIST *)0xe13d2de0))
(*((win32k!tagMLIST *)0xe13d2de0)) [Type: tagMLIST]
[+0x000] pqmsgRead : 0xe16a1150 [Type: tagQMSG *]
[+0x004] pqmsgWriteLast : 0xe164d4c0 [Type: tagQMSG *]
[+0x008] cMsgs : 0x6 [Type: unsigned long]
1: kd> dx -id 0,0,894d43e0 -r1 ((win32k!tagQMSG *)0xe16a1150)
((win32k!tagQMSG *)0xe16a1150) : 0xe16a1150 [Type: tagQMSG *]
[+0x000] pqmsgNext : 0xe17c2528 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0x0 [Type: tagQMSG *]
[+0x008] msg : {msg=0x101 wp=0x9 lp=0xf0001} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe1401a68 [Type: tagTHREADINFO *]
1: kd> dv qmsg
qmsg = struct tagQMSG
1: kd> dx -id 0,0,894d43e0 -r1 (*((win32k!tagQMSG *)0xf75b6bc4))
(*((win32k!tagQMSG *)0xf75b6bc4)) [Type: tagQMSG]
[+0x000] pqmsgNext : 0xe17c2528 [Type: tagQMSG *]
[+0x004] pqmsgPrev : 0x0 [Type: tagQMSG *]
[+0x008] msg : {msg=0x101 wp=0x9 lp=0xf0001} [Type: tagMSG]
[+0x024] ExtraInfo : 0 [Type: long]
[+0x028] dwQEvent : 0x0 [Type: unsigned long]
[+0x02c] pti : 0xe1401a68 [Type: tagTHREADINFO *]
switch (message = qmsg.msg.message) {
case WM_SYSKEYUP:
case WM_KEYUP:
wParam = qmsg.msg.wParam & 0xFF;
if (wParam == VK_PACKET) {
qmsg.msg.wParam = wParam;
}
if (
#ifdef CUAS_ENABLE
!(bMSCTF) &&
#endif // CUAS_ENABLE
!fDown && fRemove && gLangToggle[0].bVkey) {
BOOL bDropToggle = FALSE;
DWORD dwDirection = 0;
PKL pkl;
PTHREADINFO ptiToggle;
BOOL bArabicSwitchPresent = FALSE;
LCID lcid;
ZwQueryDefaultLocale(FALSE, &lcid);
pwnd = ptiCurrent->pq->spwndFocus;
if (pwnd == NULL) {
pwnd = ptiCurrent->pq->spwndActive;
if (!pwnd) {
goto NoLayoutSwitch;
}
}
case WM_CHAR:
wParam = qmsg.msg.wParam & 0xFF;
/*
* Assign the input to the focus window. If there is no focus
* window, assign it to the active window as a SYS message.
*/
pwnd = ptiCurrent->pq->spwndFocus;
1: kd> gu
WARNING: Software breakpoints on session addresses can cause bugchecks.
Use hardware execution breakpoints (ba e) if possible.
eax=00000001 ebx=bf9ebb00 ecx=bf80b2d4 edx=e15ec10c esi=e1401a68 edi=bf9ea2a4
eip=bf8ad571 esp=f75b6c64 ebp=f75b6cd8 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
win32k!xxxRealInternalGetMessage+0x3c3:
bf8ad571 85c0 test eax,eax
1: kd> dv lpMsg
lpMsg = 0xf75b6d04 {msg=0x101 wp=0x9 lp=0xc00f0001}
1: kd> dx -id 0,0,894d43e0 -r1 ((win32k!tagMSG *)0xf75b6d04)
((win32k!tagMSG *)0xf75b6d04) : 0xf75b6d04 : {msg=0x101 wp=0x9 lp=0xc00f0001} [Type: tagMSG *]
\
1: kd> dx -id 0,0,894d43e0 -r1 -nv (*((win32k!tagMSG *)0xf75b6d04))
(*((win32k!tagMSG *)0xf75b6d04)) : {msg=0x101 wp=0x9 lp=0xc00f0001} [Type: tagMSG]
[+0x000] hwnd : 0x10048 [Type: HWND__ *]
[+0x004] message : 0x101 [Type: unsigned int]
[+0x008] wParam : 0x9 [Type: unsigned int]
[+0x00c] lParam : -1072758783 [Type: long]
[+0x010] time : 0xffce231c [Type: unsigned long]
[+0x014] pt [Type: tagPOINT]
1: kd> x win32k!gSharedInfo
bfa70580 win32k!gSharedInfo = struct tagSHAREDINFO
1: kd> dx -id 0,0,894d43e0 -r1 (*((win32k!tagSHAREDINFO *)0xbfa70580))
(*((win32k!tagSHAREDINFO *)0xbfa70580)) [Type: tagSHAREDINFO]
[+0x000] psi : 0xbc610c9c [Type: tagSERVERINFO *]
[+0x004] aheList : 0xbc510000 [Type: _HANDLEENTRY *]
[+0x008] pDispInfo : 0xbc611c8c [Type: tagDISPLAYINFO *]
[+0x00c] ulSharedDelta : 0x0 [Type: unsigned int]
[+0x010] awmControl [Type: _WNDMSG [31]]
[+0x108] DefWindowMsgs [Type: _WNDMSG]
[+0x110] DefWindowSpecMsgs [Type: _WNDMSG]
1: kd> dx -id 0,0,894d43e0 -r1 ((win32k!_HANDLEENTRY *)0xbc510000)
((win32k!_HANDLEENTRY *)0xbc510000) : 0xbc510000 [Type: _HANDLEENTRY *]
[+0x000] phead : 0x0 [Type: _HEAD *]
[+0x004] pOwner : 0x0 [Type: void *]
[+0x008] bType : 0x0 [Type: unsigned char]
[+0x009] bFlags : 0x0 [Type: unsigned char]
[+0x00a] wUniq : 0x1 [Type: unsigned short]
[+0x00c] plr : 0x0 [Type: _LOCKRECORD *]
1: kd> win32k!_HANDLEENTRY 0xbc510000+480
^ Syntax error in 'win32k!_HANDLEENTRY 0xbc510000+480'
1: kd> dt win32k!_HANDLEENTRY 0xbc510000+480
+0x000 phead : 0xbc6455e4 _HEAD
+0x004 pOwner : 0xe1401a68 Void
+0x008 bType : 0x1 ''
+0x009 bFlags : 0 ''
+0x00a wUniq : 1
+0x00c plr : (null)
1: kd> dt win32k!wnd 0xbc6455e4
+0x080 strName : _LARGE_UNICODE_STRING
+0x08c cbwndExtra : 0n4
+0x090 spwndLastActive : (null)
+0x094 hImc : (null)
+0x098 dwUserData : 0
+0x09c pActCtx : (null)
1: kd> dx -id 0,0,894d43e0 -r1 (*((win32k!_LARGE_UNICODE_STRING *)0xbc645664))
(*((win32k!_LARGE_UNICODE_STRING *)0xbc645664)) [Type: _LARGE_UNICODE_STRING]
[+0x000] Length : 0x4 [Type: unsigned long]
[+0x004 (30: 0)] MaximumLength : 0x6 [Type: unsigned long]
[+0x004 (31:31)] bAnsi : 0x0 [Type: unsigned long]
[+0x008] Buffer : 0xbc6456e4 : 0x4f [Type: unsigned short *]
1: kd> db 0xbc6456e4
bc6456e4 4f 00 4b 00 00 00 55 48-5f 54 41 49 4c 00 ab ab O.K...UH_TAIL...
bc6456f4 ab ab ab ab ab ab 00 00-00 00 00 00 00 00 00 00 ................
bc645704 00 00 00 00 21 00 0d 00-00 07 1e 00 55 48 5f 48 ....!.......UH_H
bc645714 45 41 44 00 da da da da-05 00 01 00 74 28 a7 bf EAD.........t(..
bc645724 a6 00 00 00 c8 01 00 00-20 58 64 bc b0 56 64 bc ........ Xd..Vd.
bc645734 45 f1 8a bf 57 3c 81 bf-0c 74 8d bf b9 d4 89 bf E...W<...t......
bc645744 b2 bc af 80 00 00 00 00-4a 00 01 00 03 00 00 00 ........J.......
bc645754 68 1a 40 e1 c0 ad 5c 89-4c 57 64 bc 00 00 02 00 h.@...\.LWd.....
1: kd> g
Breakpoint 44 hit
eax=0006e49c ebx=00000000 ecx=0006e420 edx=7ffe0304 esi=007d4c2c edi=00000001
eip=77cdb0e7 esp=0006e484 ebp=0006e4bc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
USER32!IsDialogMessageW:
001b:77cdb0e7 55 push ebp
1: kd> dv
hwndDlg = 0x00010046
lpMsg = 0x0006e49c {msg=0x101 wp=0x9 lp=0xc00f0001}
hwnd2 = 0x00010046
langID = 0xfedd
pwndDlg = 0x0006e49c
pwnd = 0x0006e49c
fBack = 0n451772
pbutn = 0x00010046
1: kd> dx -id 0,0,894d43e0 -r1 ((USER32!tagMSG *)0x6e49c)
((USER32!tagMSG *)0x6e49c) : 0x6e49c : {msg=0x101 wp=0x9 lp=0xc00f0001} [Type: tagMSG *]
\
1: kd> dx -id 0,0,894d43e0 -r1 -nv (*((USER32!tagMSG *)0x6e49c))
(*((USER32!tagMSG *)0x6e49c)) : {msg=0x101 wp=0x9 lp=0xc00f0001} [Type: tagMSG]
[+0x000] hwnd : 0x10048 [Type: HWND__ *]
[+0x004] message : 0x101 [Type: unsigned int]
[+0x008] wParam : 0x9 [Type: unsigned int]
[+0x00c] lParam : -1072758783 [Type: long]
[+0x010] time : 0xffce231c [Type: unsigned long]
[+0x014] pt [Type: tagPOINT]
1: kd> g
Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=105f1d1c ecx=80ae0dfa edx=00000029 esi=89906bcc edi=89906968
eip=80b004ad esp=f78e6bd0 ebp=f78e6be4 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000292
nt!KiInterruptDispatch+0x14d:
80b004ad cc int 3
0: kd> g
Single step exception - code 80000004 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=e17c2528 ebx=e1401a68 ecx=00000000 edx=00000000 esi=e17c2528 edi=bf9eb880
eip=bf80982a esp=f75b6aac ebp=f75b6c40 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
win32k!xxxScanSysQueue+0x1c2:
bf80982a 56 push esi