note : Creates a hidden IE window
发布日期:2021-06-30 22:03:59
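/// @brief Creates this object's top-level window and stores the handle in m_hwnd.
///
/// @param dwStyles  Window styles requested by the caller. NOTE: they are deliberately
///                  discarded — the experiment below forces either a hidden or a
///                  visible WS_OVERLAPPEDWINDOW depending on CREATE_WINDOW_TO_HIDE.
/// @param rect      Must be non-null. Its contents are overwritten with a fixed
///                  100x100 rectangle at (100,100) before the window is created, so the
///                  caller's values are lost (the original author did this on purpose).
/// @return TRUE when the window exists (m_hwnd != nullptr); FALSE when rect is null or
///         the CreateWindow*W call failed.
///
/// Context from the original author: CoCreateInstance(CLSID_InternetExplorer) makes
/// the IE window appear because the IE server itself ends up in CreateWindowExW; this
/// function reproduces, stand-alone, the style / ex-style combination that yields a
/// window the user never sees. From a defender's point of view, clearing WS_VISIBLE
/// only hides the window from the desktop: it is still an ordinary top-level window,
/// EnumWindows() returns it and IsWindowVisible() reports FALSE for it, so
/// window-enumeration tooling can still surface such windows.
BOOL CBaseWindow::Create(DWORD dwStyles, RECT* rect)
{
    // Guard the dereferences below instead of crashing on a null rectangle.
    if (rect == nullptr)
    {
        return FALSE;
    }

    DWORD dwExStyle = 0;

    // The caller's rectangle is replaced by a fixed one (author's note: the
    // in-parameter is modified on purpose, to build the hidden window).
    rect->top = 100;
    rect->left = 100;
    rect->right = 200;
    rect->bottom = 200;

    // Configuration knobs for the experiment:
    //   CREATE_BY_CREATEWINDOW - use CreateWindowW instead of CreateWindowExW
    //   CREATE_WINDOW_TO_HIDE  - build a window that is never shown
    // #define CREATE_BY_CREATEWINDOW
#define CREATE_WINDOW_TO_HIDE

#ifdef CREATE_WINDOW_TO_HIDE
    // Hidden window: overlapped style with WS_VISIBLE cleared ...
    dwStyles = WS_OVERLAPPEDWINDOW & ~WS_VISIBLE;
    // ... never activated (stays out of the foreground) and transparent.
    dwExStyle = WS_EX_NOACTIVATE | WS_EX_TRANSPARENT;
#else
    // Visible window.
    dwStyles = WS_OVERLAPPEDWINDOW | WS_VISIBLE;
#endif

    const int nWidth = rect->right - rect->left;
    const int nHeight = rect->bottom - rect->top;
    // lpParam: this object is handed to the window; presumably the window procedure
    // recovers it from the CREATESTRUCT — the procedure is not part of this listing.
    LPVOID lpParam = static_cast<void*>(this);

#ifdef CREATE_BY_CREATEWINDOW
    m_hwnd = CreateWindowW(
        szClassName,     // lpClassName
        szWindowTitle,   // lpWindowName
        dwStyles,        // dwStyle
        rect->left,      // x
        rect->top,       // y
        nWidth,          // nWidth
        nHeight,         // nHeight
        nullptr,         // hWndParent
        nullptr,         // hMenu
        hInstance,       // hInstance
        lpParam);        // lpParam
#else
    m_hwnd = CreateWindowExW(
        dwExStyle,       // dwExStyle
        szClassName,     // lpClassName
        szWindowTitle,   // lpWindowName
        dwStyles,        // dwStyle
        rect->left,      // x
        rect->top,       // y
        nWidth,          // nWidth
        nHeight,         // nHeight
        nullptr,         // hWndParent
        nullptr,         // hMenu
        hInstance,       // hInstance
        lpParam);        // lpParam
#endif

    /*
     * Original author's note, kept for context (translated):
     *   CComQIPtr<...> m_pIE;   // template argument was lost in the page's rendering
     *   m_pIE.CoCreateInstance(CLSID_InternetExplorer); // after this line the IE window is up
     * m_pIE.CoCreateInstance ends up calling CreateWindowExW; hooking that call and
     * changing dwStyles / dwExStyle is how "a hidden IE window" was obtained.
     */
    return (m_hwnd != nullptr);
}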
某人直接下断点试出来的.
用IDA分析Ole32.dll中的CoCreateInstance并不能直接看到CreateWindowEx的调用.
// IDA pseudo-code of the ole32.dll activation path (decompiler output kept verbatim;
// only comments were added). Nothing in these three functions calls CreateWindowExW:
// ole32 dispatches the activation request and tail-jumps into ICoCreateInstanceEx.
// The window is therefore — as far as can be inferred here — created by the
// activated COM server's own code once it is loaded, which matches the crash stack
// on this page where DllGetClassObject is reached from ICoCreateInstanceEx.

// Thin wrapper: one MULTI_QI entry forwarded to CoCreateInstanceEx.
HRESULT __stdcall CoCreateInstance(_GUID *rclsid, IUnknown *pUnkOuter, unsigned int dwContext, _GUID *riid, void **ppv)
{
    HRESULT result; // eax@2
    tagMULTI_QI OneQI; // [sp+4h] [bp-Ch]@2
    if ( ppv )
    {
        OneQI.pItf = 0;
        OneQI.pIID = riid;
        result = CoCreateInstanceEx(rclsid, pUnkOuter, dwContext, 0, 1u, &OneQI);
        *ppv = OneQI.pItf; // the requested interface pointer (or null on failure)
    }
    else
    {
        result = -2147024809; // 0x80070057 == E_INVALIDARG: null output pointer
    }
    return result;
}

// Runs a verifier check for every CLSID other than GUID_NULL, then delegates to the
// activator with a null ActivationPropertiesIn.
HRESULT __stdcall CoCreateInstanceEx(_GUID *Clsid, IUnknown *punkOuter, unsigned int dwClsCtx, _COSERVERINFO *pServerInfo, unsigned int dwCount, tagMULTI_QI *pResults)
{
    if ( memcmp(Clsid, &GUID_NULL, 16) )
        CoVrfDllMainCheck();
    return CComActivator::DoCreateInstance(Clsid, punkOuter, dwClsCtx, pServerInfo, dwCount, pResults, 0);
}

// Records the CLSID being activated in the thread's OLE TLS block (saving the
// previous value in ConfClsid), optionally emits a WPP trace event, and tail-jumps
// into ICoCreateInstanceEx. If the thread has no OLE TLS data yet it is allocated
// first and the function retries via LABEL_2.
HRESULT __stdcall CComActivator::DoCreateInstance(_GUID *Clsid, IUnknown *punkOuter, unsigned int dwClsCtx, _COSERVERINFO *pServerInfo, unsigned int dwCount, tagMULTI_QI *pResults, ActivationPropertiesIn *pActIn)
{
    HRESULT result; // eax@5
    tagSOleTlsData *v8; // eax@1
    int v9; // eax@2
    const wchar_t *v10; // ecx@10
    COleTls tls; // [sp+ACh] [bp-1Ch]@1
    _COSERVERINFO *hr; // [sp+B0h] [bp-18h]@1 — despite the name, this holds pServerInfo
    _GUID ConfClsid; // [sp+B4h] [bp-14h]@2
    unsigned int v14; // [sp+C4h] [bp-4h]@1
    int v15; // [sp+C8h] [bp+0h]@1
    v14 = (unsigned int)&v15 ^ __security_cookie; // /GS stack-cookie setup emitted by the compiler
    hr = pServerInfo;
    CComActivator::GetActvFlags(dwClsCtx);
    // fs:[0x18] is the x86 TEB self pointer; TEB+3968 (0xF80) is presumably the
    // ReservedForOle slot holding the per-thread SOleTlsData — verify against the TEB layout.
    v8 = *(tagSOleTlsData **)(__readfsdword(24) + 3968);
    tls._pData = v8;
    if ( v8 )
    {
LABEL_2:
        // 16-byte GUID copied as four DWORDs: old outgoingActivationData -> ConfClsid,
        // then the requested Clsid -> outgoingActivationData.
        v9 = (int)&v8->outgoingActivationData;
        ConfClsid.Data1 = *(_DWORD *)v9;
        *(_DWORD *)&ConfClsid.Data2 = *(_DWORD *)(v9 + 4);
        *(_DWORD *)&ConfClsid.Data4[0] = *(_DWORD *)(v9 + 8);
        *(_DWORD *)&ConfClsid.Data4[4] = *(_DWORD *)(v9 + 12);
        *(_DWORD *)v9 = Clsid->Data1;
        *(_DWORD *)(v9 + 4) = *(_DWORD *)&Clsid->Data2;
        *(_DWORD *)(v9 + 8) = *(_DWORD *)&Clsid->Data4[0];
        *(_DWORD *)(v9 + 12) = *(_DWORD *)&Clsid->Data4[4];
        // WPP software tracing of the activation (CLSID, context, server name or default path).
        if ( gfEnableTracing && WPP_GLOBAL_Control != &WPP_GLOBAL_Control && *((_BYTE *)WPP_GLOBAL_Control + 28) & 8 )
        {
            if ( hr )
                v10 = hr->pwszName;
            else
                v10 = &szPathName;
            WPP_SF__guid_dS(*((_QWORD *)WPP_GLOBAL_Control + 2), 0xCu, &WPP_immact_hxx_Traceguids, Clsid, dwClsCtx, v10);
        }
        // Tail jump (IDA notation): control does not come back here.
        JUMPOUT(ICoCreateInstanceEx);
    }
    // No OLE TLS data for this thread yet: allocate it and retry.
    result = COleTls::TLSAllocData(&tls);
    if ( result >= 0 )
    {
        v8 = tls._pData;
        goto LABEL_2;
    }
    return result;
}
在网上找了一段CoCreateInstance的蓝屏dump调用栈,也看不到 CreateWindowEx的调用.
0:000> kbChildEBP RetAddr Args to Child 0006be18 76671b2a 76671b74 00000020 00000003 kernel32!CreateFileW0006be94 766724e2 000a6b40 0006bf4c 00000000 cscui!IsCSCEnabled+0x380006bea8 77a68b49 000a7084 77a51a60 0006bf44 cscui!DllGetClassObject+0x720006bec4 77a80f5e 000a7084 77a51a60 0006bf44 ole32!CClassCache::CDllPathEntry::DllGetClassObject+0x2d0006bedc 77a80e9a 0006bef0 77a51a60 0006bf44 ole32!CClassCache::CDllFnPtrMoniker::BindToObjectNoSwitch+0x1f0006bf08 77a81cc6 0006bf4c 00000000 0006c540 ole32!CClassCache::GetClassObject+0x380006bf84 77a806aa 77b76ca4 00000000 0006c540 ole32!CServerContextActivator::CreateInstance+0x1060006bfc4 77a81e19 0006c540 00000000 0006ca8c ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf70006c018 77a81d90 77b76ca8 00000000 0006c540 ole32!CApartmentActivator::CreateInstance+0x1100006c038 77a8101e 77b76ca8 00000001 00000000 ole32!CProcessActivator::CCICallback+0x6d0006c058 77a80fd5 77b76ca0 0006c39c 00000000 ole32!CProcessActivator::AttemptActivation+0x2c0006c090 77a81e7a 77b76ca0 0006c39c 00000000 ole32!CProcessActivator::ActivateByContext+0x420006c0b8 77a806aa 77b76ca0 00000000 0006c540 ole32!CProcessActivator::CreateInstance+0x490006c0f8 77a81bc4 0006c540 00000000 0006ca8c ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf70006c348 77a806aa 77b765d4 00000000 0006c540 ole32!CClientContextActivator::CreateInstance+0x8f0006c388 77a805dc 0006c540 00000000 0006ca8c ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf70006cb38 77a64eb1 000a2f08 00000000 00000001 ole32!ICoCreateInstanceEx+0x3c90006cb60 77a64e80 000a2f08 00000000 00000001 ole32!CComActivator::DoCreateInstance+0x280006cb84 77a65102 000a2f08 00000000 00000001 ole32!CoCreateInstanceEx+0x1e0006cbb4 779d69a5 000a2f08 00000000 00000001 ole32!CoCreateInstance+0x37
转载地址:https://lostspeed.blog.csdn.net/article/details/12244955 如侵犯您的版权,请留言回复原文章的地址,我们会给您删除此文章,给您带来不便请您谅解!