逆向工程 - 如何在 OllyDbg 中设置鼠标点击断点？ - 吾爱随笔录

如何在 OllyDbg 中设置鼠标点击断点？

逆向工程 ollydbg 断点

2021-06-16 17:51:58

在调试器程序OllyDbg中，如何设置鼠标左键按下时的断点？它点击什么并不重要，所以一旦点击鼠标，断点就会停止调试器。

2个回答

gui 应用程序中的所有消息都通过应用程序定义的回调 WinProc，其原型为

LRESULT CALLBACK WindowProc(
  _In_ HWND   hwnd,
  _In_ UINT   uMsg,
  _In_ WPARAM wParam,
  _In_ LPARAM lParam
);

所以当你在 wndproc 上断点时

esp    -> return Address
esp+4  -> hwnd 
esp+8  -> uMsg  
.....

** MSDN Doc 消息列表**

要了解windoproc 或class proc，请在ollydbg 中使用alt+w 快捷方式（打开窗口列表）右键单击以打开上下文菜单，然后按照Wndproc 或ClassProc 选择适当的窗口

按 shift+f4 并设置一个永不暂停的日志断点并将函数类型设置为 WndProc（假设函数类型为 DropDown）

请参阅下面的屏幕截图

并运行应用程序

转到日志窗口并观察您会看到很多这样的日志

00551EDE  Call to CALC.WndProc from USER32.77B4C4E4
            00010236  hWnd = 00010236, class = CalcFrame, text = Calculator
            00000210  Msg = WM_PARENTNOTIFY
            00000204  Event = WM_RBUTTONDOWN, ID = 0
            00230006  Data = 230006
00551EDE  Call to CALC.WndProc from USER32.77B4C4E4
            00030248  hWnd = 00030248, class = CalcFrame
            00000021  Msg = WM_MOUSEACTIVATE
            00010236  hParent = 00010236, class = CalcFrame, text = Calculator
            02040001  Hittest = HTCLIENT, MouseMsg = WM_RBUTTONDOWN
00551EDE  Call to CALC.WndProc from USER32.77B4C4E4
            00010236  hWnd = 00010236, class = CalcFrame, text = Calculator
            00000021  Msg = WM_MOUSEACTIVATE
            00010236  hParent = 00010236, class = CalcFrame, text = Calculator
            02040001  Hittest = HTCLIENT, MouseMsg = WM_RBUTTONDOWN
00551EDE  Call to CALC.WndProc from USER32.77B4C4E4
            00030248  hWnd = 00030248, class = CalcFrame
            00000020  Msg = WM_SETCURSOR
            00030248  hWnd = 00030248, class = CalcFrame
            02040001  Hittest = HTCLIENT, MouseMsg = WM_RBUTTONDOWN
00551EDE  Call to CALC.WndProc from USER32.77B4C4E4
            00010236  hWnd = 00010236, class = CalcFrame, text = Calculator
            00000020  Msg = WM_SETCURSOR
            00030248  hWnd = 00030248, class = CalcFrame
            02040001  Hittest = HTCLIENT, MouseMsg = WM_RBUTTONDOWN
00551EDE  Call to CALC.WndProc from USER32.77B4C4E4
            00030248  hWnd = 00030248, class = CalcFrame
            00000204  Msg = WM_RBUTTONDOWN
            00000002  Keys = MK_RBUTTON
            00230006  X = 6, Y = 35.
00551EDE  Call to CALC.WndProc from USER32.77B4C4E4
            00030248  hWnd = 00030248, class = CalcFrame
            00000084  Msg = WM_NCHITTEST
            00000000  wParam = 0
            01790207  X = 519., Y = 377.
00551EDE  Call to CALC.WndProc from USER32.77B4C4E4
            00030248  hWnd = 00030248, class = CalcFrame
            00000020  Msg = WM_SETCURSOR
            00030248  hWnd = 00030248, class = CalcFrame
            02050001  Hittest = HTCLIENT, MouseMsg = WM_RBUTTONUP
00551EDE  Call to CALC.WndProc from USER32.77B4C4E4
            00010236  hWnd = 00010236, class = CalcFrame, text = Calculator
            00000020  Msg = WM_SETCURSOR
            00030248  hWnd = 00030248, class = CalcFrame
            02050001  Hittest = HTCLIENT, MouseMsg = WM_RBUTTONUP
00551EDE  Call to CALC.WndProc from USER32.77B4C4E4
            00030248  hWnd = 00030248, class = CalcFrame
            00000205  Msg = WM_RBUTTONUP

现在细化断点以适合您的条件
（从从不更改为条件
添加条件，例如 uMsg == WM_LBUTTONDOWN 即
[esp+8] == 0x20x..20y（参见前面提到的堆栈布局
0x200 t0 0x220 是 WM_MOUSE EVENT MESSAGES

这是屏幕截图，在屏幕截图下方显示了可能的配置和结果

00551EDE  INT3: [esp+8] = WM_MOUSEMOVE
00551EDE  INT3: [esp+8] = WM_NCHITTEST
00551EDE  INT3: [esp+8] = WM_PARENTNOTIFY
00551EDE  INT3: [esp+8] = WM_MOUSEACTIVATE
00551EDE  INT3: [esp+8] = WM_MOUSEACTIVATE
00551EDE  INT3: [esp+8] = WM_SETCURSOR
00551EDE  INT3: [esp+8] = WM_SETCURSOR
00551EDE  INT3: [esp+8] = WM_LBUTTONDOWN
00551EDE  Call to CALC.WndProc from USER32.77B4C4E4
            00030248  hWnd = 00030248, class = CalcFrame
            00000201  Msg = WM_LBUTTONDOWN
            00000001  Keys = MK_LBUTTON
            00350004  X = 4, Y = 53.
00551EDE  INT3: [esp+8] = WM_NCHITTEST
00551EDE  INT3: [esp+8] = WM_SETCURSOR
00551EDE  INT3: [esp+8] = WM_SETCURSOR
00551EDE  INT3: [esp+8] = WM_LBUTTONUP
00551EDE  INT3: [esp+8] = WM_NCHITTEST
00551EDE  INT3: [esp+8] = WM_PARENTNOTIFY
00551EDE  INT3: [esp+8] = WM_MOUSEACTIVATE
00551EDE  INT3: [esp+8] = WM_MOUSEACTIVATE
00551EDE  INT3: [esp+8] = WM_SETCURSOR
00551EDE  INT3: [esp+8] = WM_SETCURSOR
00551EDE  INT3: [esp+8] = WM_RBUTTONDOWN
00551EDE  Call to CALC.WndProc from USER32.77B4C4E4
            00030248  hWnd = 00030248, class = CalcFrame
            00000204  Msg = WM_RBUTTONDOWN
            00000002  Keys = MK_RBUTTON
            00350004  X = 4, Y = 53.
00551EDE  INT3: [esp+8] = WM_NCHITTEST
00551EDE  INT3: [esp+8] = WM_SETCURSOR
00551EDE  INT3: [esp+8] = WM_SETCURSOR
00551EDE  INT3: [esp+8] = WM_RBUTTONUP

无论操作系统如何，鼠标单击都代表一个事件，并且有一堆事件处理管道可以实现这一点。其中一些可能取决于某些设计选择，例如如何在 GUI 中分离进程。

一个常见的模式是注册一个上下文相关的事件可以通过一个实现的处理程序来处理。传统上在 Windows 下，这是一个“窗口类”，实际上一切都是一个窗口。该窗口类的定义包括处理发送到目标窗口的事件/消息的函数/方法。要使用调试器定位特定窗口，您可能希望在使用所需事件调用消息/事件处理函数的条件下中断（如WM_LBUTTONDOWN在 Windows 上）。在某些情况下，事件的默认处理也可能发生，例如 la DefWindowProc()。

在更广泛的上下文中执行此操作将需要由操作系统（可能在内核级别）提供便利的挂钩。通过Hooks可能还有其他选项可供您使用。

其它你可能感兴趣的问题

上一篇paddr、baddr、laddr、haddr 和 hvaddr 指的是什么？下一篇radare2 标签未显示在 jmp 指令中