Undocumented GetWindowLongPtr with nIndex of -1

reverse-engineering windows c
2021-06-15 08:30:48

I'm trying to reverse the scrollbar functionality in comctrl32.dll, and I keep seeing it call the GetWindowLongPtr function with an undocumented index of -1, as shown below:


Does anyone know what the function returns in this case?

1 Answer

I think I've got it. GetWindowLongPtr(hWnd, -1) returns a pointer to a nested struct that is part of the WND structure (which holds the main information about a window). It has no official name, but judging by the following function names in comctrl32:


I would define it like this:

struct WF{
    WF_STATE state;     // WNDS_* bits, see below
    WF_STATE2 state2;   // WNDS2_* bits, see below
    DWORD ExStyles;     // With additional bits
    DWORD Styles;
    HMODULE hModule;
    USHORT reserved;
    USHORT fnid;        // ?
};

So we can do this:

WF* p_wf = (WF*)::GetWindowLongPtr(hWnd, -1);

where WF_STATE is a bitfield:

enum WF_STATE{
    WNDS_HASMENU                 = 0x00000001,
    WNDS_HASVERTICALSCROLLBAR    = 0x00000002,
    WNDS_HASHORIZONTALSCROLLBAR  = 0x00000004,
    WNDS_HASCAPTION              = 0x00000008,
    WNDS_SENDSIZEMOVEMSGS        = 0x00000010,
    WNDS_MSGBOX                  = 0x00000020,
    WNDS_ACTIVEFRAME             = 0x00000040,
    WNDS_HASSPB                  = 0x00000080,
    WNDS_NONCPAINT               = 0x00000100,
    WNDS_SENDERASEBACKGROUND     = 0x00000200,
    WNDS_ERASEBACKGROUND         = 0x00000400,
    WNDS_SENDNCPAINT             = 0x00000800,
    WNDS_INTERNALPAINT           = 0x00001000,
    WNDS_UPDATEDIRTY             = 0x00002000,
    WNDS_HIDDENPOPUP             = 0x00004000,
    WNDS_FORCEMENUDRAW           = 0x00008000,
    WNDS_DIALOGWINDOW            = 0x00010000,
    WNDS_HASCREATESTRUCTNAME     = 0x00020000,
    WNDS_SERVERSIDEWINDOWPROC    = 0x00040000,      //WndProc is in win32k.sys
    WNDS_ANSIWINDOWPROC          = 0x00080000,
    WNDS_BEINGACTIVATED          = 0x00100000,
    WNDS_HASPALETTE              = 0x00200000,
    WNDS_PAINTNOTPROCESSED       = 0x00400000,
    WNDS_SYNCPAINTPENDING        = 0x00800000,
    WNDS_RECEIVEDQUERYSUSPENDMSG = 0x01000000,
    WNDS_RECEIVEDSUSPENDMSG      = 0x02000000,
    WNDS_TOGGLETOPMOST           = 0x04000000,
    WNDS_REDRAWIFHUNG            = 0x08000000,
    WNDS_REDRAWFRAMEIFHUNG       = 0x10000000,
    WNDS_ANSICREATOR             = 0x20000000,
    WNDS_MAXIMIZESTOMONITOR      = 0x40000000,
    WNDS_DESTROYED               = 0x80000000,
};

and WF_STATE2 is another bitfield:

enum WF_STATE2{
    WNDS2_WMPAINTSENT               = 0x00000001,
    WNDS2_ENDPAINTINVALIDATE        = 0x00000002,
    WNDS2_STARTPAINT                = 0x00000004,
    WNDS2_OLDUI                     = 0x00000008,
    WNDS2_HASCLIENTEDGE             = 0x00000010,
    WNDS2_BOTTOMMOST                = 0x00000020,
    WNDS2_FULLSCREEN                = 0x00000040,
    WNDS2_INDESTROY                 = 0x00000080,
    WNDS2_WIN31COMPAT               = 0x00000100,
    WNDS2_WIN40COMPAT               = 0x00000200,
    WNDS2_WIN50COMPAT               = 0x00000400,
    WNDS2_MAXIMIZEDMONITORREGION    = 0x00000800,
    WNDS2_CLOSEBUTTONDOWN           = 0x00001000,
    WNDS2_MAXIMIZEBUTTONDOWN        = 0x00002000,
    WNDS2_MINIMIZEBUTTONDOWN        = 0x00004000,
    WNDS2_HELPBUTTONDOWN            = 0x00008000,
    WNDS2_SCROLLBARLINEUPBTNDOWN    = 0x00010000,
    WNDS2_SCROLLBARPAGEUPBTNDOWN    = 0x00020000,
    WNDS2_SCROLLBARPAGEDOWNBTNDOWN  = 0x00040000,
    WNDS2_SCROLLBARLINEDOWNBTNDOWN  = 0x00080000,
    WNDS2_ANYSCROLLBUTTONDOWN       = 0x00100000,
    WNDS2_SCROLLBARVERTICALTRACKING = 0x00200000,
    WNDS2_FORCENCPAINT              = 0x00400000,
    WNDS2_FORCEFULLNCPAINTCLIPRGN   = 0x00800000,
    WNDS2_FULLSCREENMODE            = 0x01000000,
    WNDS2_CAPTIONTEXTTRUNCATED      = 0x08000000,
    WNDS2_NOMINMAXANIMATERECTS      = 0x10000000,
    WNDS2_SMALLICONFROMWMQUERYDRAG  = 0x20000000,
    WNDS2_SHELLHOOKREGISTERED       = 0x40000000,
    WNDS2_WMCREATEMSGPROCESSED      = 0x80000000,
};

The Styles and ExStyles members seem close to the documented window styles (and extended styles), but have their own undocumented bits as well.

fnid may be this, but I was unable to verify it.
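As an added example (not part of the question or the answer above), here is a small C program that mirrors the answer's WF struct with fixed-width types, decodes a subset of the WF_STATE bits by name, and cross-checks the guessed layout against what the documented GWL_STYLE index reports for the same window. The field order and flag values are taken from the answer; the assumption that the two scrollbar state bits track WS_VSCROLL/WS_HSCROLL is inferred from their names only. Nothing here is documented by Microsoft, and index -1 may behave differently on other Windows builds, which is exactly why the check exists. wf_decode_state and wf_check_layout are portable; only wf_dump and main need Windows.

```c
/* Added example, not from the post: decode the state word of the struct that
 * GetWindowLongPtr(hWnd, -1) is believed to return and sanity-check the guessed
 * layout against the documented GWL_STYLE value.  Layout and flag values follow
 * the answer above; none of this is documented by Microsoft. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#define WS_HSCROLL 0x00100000u   /* documented winuser.h values, for non-Windows builds */
#define WS_VSCROLL 0x00200000u
#endif

typedef uint32_t wf_dword;

/* The answer's WF struct with fixed-width types; hModule keeps the pointer size. */
typedef struct WF_s {
    wf_dword state;     /* WF_STATE bits  */
    wf_dword state2;    /* WF_STATE2 bits */
    wf_dword ExStyles;  /* ~GWL_EXSTYLE plus undocumented bits */
    wf_dword Styles;    /* ~GWL_STYLE plus undocumented bits   */
    void    *hModule;
    uint16_t reserved;
    uint16_t fnid;
} WF;

typedef struct { wf_dword bit; const char *name; } flag_name;

/* Subset of the WF_STATE names from the answer; add the rest as needed. */
static const flag_name WF_STATE_NAMES[] = {
    { 0x00000001u, "HASMENU" },               { 0x00000002u, "HASVERTICALSCROLLBAR" },
    { 0x00000004u, "HASHORIZONTALSCROLLBAR" },{ 0x00000008u, "HASCAPTION" },
    { 0x00010000u, "DIALOGWINDOW" },          { 0x00040000u, "SERVERSIDEWINDOWPROC" },
    { 0x00080000u, "ANSIWINDOWPROC" },        { 0x80000000u, "DESTROYED" },
};

/* Write the set bits of `state` to `out` as "NAME|NAME|0x<unnamed bits>".
 * Returns how many bits matched a name, or -1 if `out` is too small. */
int wf_decode_state(wf_dword state, char *out, size_t cap)
{
    size_t used = 0, i;
    int named = 0, n;
    wf_dword known = 0, unknown;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (i = 0; i < sizeof WF_STATE_NAMES / sizeof WF_STATE_NAMES[0]; i++) {
        known |= WF_STATE_NAMES[i].bit;
        if (!(state & WF_STATE_NAMES[i].bit)) continue;
        n = snprintf(out + used, cap - used, "%s%s", used ? "|" : "", WF_STATE_NAMES[i].name);
        if (n < 0 || (size_t)n >= cap - used) return -1;
        used += (size_t)n;
        named++;
    }
    unknown = state & ~known;      /* keep unnamed bits visible rather than dropping them */
    if (unknown) {
        n = snprintf(out + used, cap - used, "%s0x%08x", used ? "|" : "", (unsigned)unknown);
        if (n < 0 || (size_t)n >= cap - used) return -1;
    }
    return named;
}

/* Cross-check the guessed layout against the documented API for the same window.
 * Returns 0 if consistent, else a bitmask: 1 = GWL_STYLE bits missing from Styles,
 * 2 = HASVERTICALSCROLLBAR vs WS_VSCROLL disagree, 4 = HASHORIZONTALSCROLLBAR vs
 * WS_HSCROLL disagree (the last two assume the state bits track the styles). */
int wf_check_layout(const WF *wf, wf_dword gwl_style)
{
    int bad = 0;
    if ((wf->Styles & gwl_style) != gwl_style)              bad |= 1;
    if (!!(wf->state & 0x2u) != !!(gwl_style & WS_VSCROLL)) bad |= 2;
    if (!!(wf->state & 0x4u) != !!(gwl_style & WS_HSCROLL)) bad |= 4;
    return bad;
}

#ifdef _WIN32
/* Read the struct through the undocumented index for a live window. */
static void wf_dump(HWND hwnd)
{
    const WF *wf = (const WF *)GetWindowLongPtrW(hwnd, -1);
    wf_dword style = (wf_dword)GetWindowLongPtrW(hwnd, GWL_STYLE);
    char buf[256];
    if (!wf) { printf("GetWindowLongPtr(hwnd, -1) failed: %lu\n", GetLastError()); return; }
    wf_decode_state(wf->state, buf, sizeof buf);
    printf("state=0x%08x (%s)\nstate2=0x%08x Styles=0x%08x ExStyles=0x%08x fnid=0x%04x\n",
           (unsigned)wf->state, buf, (unsigned)wf->state2, (unsigned)wf->Styles,
           (unsigned)wf->ExStyles, wf->fnid);
    printf("layout check: %d (0 = consistent)\n", wf_check_layout(wf, style));
}

int main(void)
{
    wf_dump(GetDesktopWindow());   /* any HWND in the calling session will do */
    return 0;
}
#endif
```

Run it on Windows and look at the layout check first: if it is non-zero for an ordinary window, the -1 pointer on that build does not point at a struct with this field order, and the decoded state bits should not be trusted. The same idea (compare an undocumented field with a documented API reading of the same object) applies to ExStyles against GWL_EXSTYLE, and to the WNDS_HASMENU bit against GetMenu.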