winlogon源代码分析之win32k!xxxScanSysQueue函数对WM_LBUTTONDOWN消息的处理点击Logon Help对话框编辑区第四段

BOOL xxxScanSysQueue(

PTHREADINFO ptiCurrent,

LPMSG lpMsg,

PWND pwndFilter,

UINT msgMinFilter,

UINT msgMaxFilter,

DWORD flags,

DWORD fsReason)

{

/*

* Eat the message from the input queue (and set the keystate

* table).

*/

PATHTAKEN2(0x80000);

if (fRemove) {

xxxSkipSysMsg(ptiCurrent, &qmsg);

}

1: kd> dx -id 0,0,894d43e0 -r1 ((win32k!tagQ *)0xe13d2de0)

((win32k!tagQ *)0xe13d2de0) : 0xe13d2de0 [Type: tagQ *]

+0x000\] mlInput \[Type: tagMLIST

+0x00c\] ptiSysLock : 0xe1401a68 \[Type: tagTHREADINFO \*

+0x010\] idSysLock : 0x1 \[Type: unsigned long

+0x014\] idSysPeek : 0x0 \[Type: unsigned long

+0x018\] ptiMouse : 0xe1401a68 \[Type: tagTHREADINFO \*

+0x01c\] ptiKeyboard : 0xe1401a68 \[Type: tagTHREADINFO \*

+0x020\] spwndCapture : 0x0 \[Type: tagWND \*

+0x024\] spwndFocus : 0xbc6455e4 \[Type: tagWND \*

+0x028\] spwndActive : 0xbc644c2c \[Type: tagWND \*

+0x02c\] spwndActivePrev : 0xbc643aac \[Type: tagWND \*

lParam = MAKELONG((short)pt.x, (short)pt.y);//lParam表示位置

1: kd> dv lParam

lParam = 0n3145869

1: kd> ?0n3145869

Evaluate expression: 3145869 = 0030008d

1: kd> ?0030

Evaluate expression: 48 = 00000030

1: kd> ?008d

Evaluate expression: 141 = 0000008d

/*

* Calculate virtual key state bitmask for wParam.

*/

if (message >= WM_MOUSEFIRST) {

/*

* This is a USER mouse message. Calculate the bit mask for the

* virtual key state.

*/

wParam = GetMouseKeyFlags(ptiCurrent->pq);

PATHTAKEN2(0x100000);

}

UINT GetMouseKeyFlags(
    PQ pq)
{
    /*
     * Build the MK_* bitmask that a mouse message carries in wParam.
     * The flags come from the queue's key-state table (pq->afKeyState,
     * read through TestKeyStateDown), not from the message itself.
     * Each table entry pairs the virtual key to look up with the flag
     * it contributes; keys are tested in the same order as before.
     */
    static const struct {
        UINT vk;   /* virtual-key code looked up in pq->afKeyState */
        UINT mk;   /* MK_* flag OR-ed into the result when vk is down */
    } mouseKeyMap[] = {
        { VK_LBUTTON,  MK_LBUTTON  },
        { VK_RBUTTON,  MK_RBUTTON  },
        { VK_MBUTTON,  MK_MBUTTON  },
        { VK_XBUTTON1, MK_XBUTTON1 },
        { VK_XBUTTON2, MK_XBUTTON2 },
        { VK_SHIFT,    MK_SHIFT    },
        { VK_CONTROL,  MK_CONTROL  },
    };
    UINT flags = 0;
    UINT i;

    for (i = 0; i < sizeof(mouseKeyMap) / sizeof(mouseKeyMap[0]); i++) {
        if (TestKeyStateDown(pq, mouseKeyMap[i].vk)) {
            flags |= mouseKeyMap[i].mk;
        }
    }

    return flags;
}

/*
 * TestKeyStateDown: report whether virtual key vk is currently down in
 * the queue's key-state table.  It only forwards pq->afKeyState and vk
 * to TestKeyDownBit; that helper is not shown in this excerpt, so how
 * many times it evaluates its arguments cannot be told from here.
 */
#define TestKeyStateDown(pq, vk)\
        TestKeyDownBit(pq->afKeyState, vk)

/*
 * Virtual Keys, Standard Set
 *
 * Of the codes below, GetMouseKeyFlags consults VK_LBUTTON, VK_RBUTTON
 * and VK_MBUTTON; VK_CANCEL is listed only because it sits between them
 * in the numbering.
 */

#define VK_LBUTTON 0x01

#define VK_RBUTTON 0x02

#define VK_CANCEL 0x03

#define VK_MBUTTON 0x04 /* NOT contiguous with L & RBUTTON */

1: kd> dx -id 0,0,894d43e0 -r1 (*((win32k!unsigned char (*)[64])0xe13d2e4c))

(*((win32k!unsigned char (*)[64])0xe13d2e4c)) [Type: unsigned char [64]]

0\] : 0x4 \[Type: unsigned char

1\] : 0x0 \[Type: unsigned char

2\] : 0x0 \[Type: unsigned char

00 00 01 00

1: kd> dv wParam
wParam = 1 //wParam表示是鼠标左键还是右键还是中键，这里是鼠标左键按下

1: kd> dv message

message = 0x201

现在开始构造lpmsg

ReturnMessage:

if (!RtlEqualMemory(&ptiCurrent->ptLast, &qmsg.msg.pt, sizeof(POINT))) {

ptiCurrent->TIF_flags |= TIF_MSGPOSCHANGED;

}

ptiCurrent->ptLast = qmsg.msg.pt;

ptiCurrent->timeLast = qmsg.msg.time;

ptiCurrent->pq->ExtraInfo = qmsg.ExtraInfo;

/*

* idSysLock value of 1 indicates that the message came from the input

* queue.

*/

ptiCurrent->idLast = ptiCurrent->pq->idSysLock = 1;

/*

* Get the message and split.

*/

lpMsg->hwnd = HW(pwnd);

lpMsg->message = message;

/*

* If the IME claims that it needs this vkey, replace it

* with VK_PROCESSKEY. The real vkey has been saved in

* the input context in the client side.

*/

lpMsg->wParam = (dwImmRet & IPHK_PROCESSBYIME) ? VK_PROCESSKEY : wParam;

lpMsg->lParam = lParam;

lpMsg->time = qmsg.msg.time;

lpMsg->pt = qmsg.msg.pt;

1: kd> dv lpmsg

lpMsg = 0xf75b6d04 {msg=0x201 wp=0x1 lp=0x30008d}

1: kd> dx -id 0,0,894d43e0 -r1 ((win32k!tagMSG *)0xf75b6d04)

((win32k!tagMSG *)0xf75b6d04) : 0xf75b6d04 : {msg=0x201 wp=0x1 lp=0x30008d} [Type: tagMSG *]

\\] \[Type: tagMSG

1: kd> dx -id 0,0,894d43e0 -r1 -nv (*((win32k!tagMSG *)0xf75b6d04))

(*((win32k!tagMSG *)0xf75b6d04)) : {msg=0x201 wp=0x1 lp=0x30008d} [Type: tagMSG]

+0x000\] hwnd : 0x1004a \[Type: HWND__ \*\] //Logon Help对话框编辑区窗口
+0x004\] message : 0x201 \[Type: unsigned int

+0x008\] wParam : 0x1 \[Type: unsigned int

+0x00c\] lParam : 3145869 \[Type: long

+0x010\] time : 0xffcf9317 \[Type: unsigned long

+0x014\] pt \[Type: tagPOINT

1: kd> dx -id 0,0,894d43e0 -r1 (*((win32k!tagPOINT *)0xf75b6d18))

(*((win32k!tagPOINT *)0xf75b6d18)) : {x=528 y=462} [Type: tagPOINT]

\\] \[Type: tagPOINT

1: kd> dx -id 0,0,894d43e0 -r1 -nv (*((win32k!tagPOINT *)0xf75b6d18))

(*((win32k!tagPOINT *)0xf75b6d18)) : {x=528 y=462} [Type: tagPOINT]

+0x000\] x : 528 \[Type: long

+0x004\] y : 462 \[Type: long

1: kd> ?0n3145869

Evaluate expression: 3145869 = 0030008d

1: kd> ?0030

Evaluate expression: 48 = 00000030

1: kd> ?8d

Evaluate expression: 141 = 0000008d

此时鼠标的形状发生了变化，位置还没有改变。
