note : Creates a hidden IE window
发布日期:2021-06-30 22:03:59 浏览次数:2 分类:技术文章


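/// @brief Creates this object's top-level window, optionally as a hidden one.
///
/// @note Experimental code: both incoming arguments are overwritten on purpose.
///       @p rect is forced to (100,100)-(200,200) and @p dwStyles is rebuilt
///       from WS_OVERLAPPEDWINDOW, so that a hidden, non-activating, transparent
///       window can be tried out. Callers must not expect their own style or
///       rectangle to be honoured while this experiment is in place.
///
/// @param dwStyles  Requested window style. Ignored and replaced (see note).
/// @param rect      In/out. Must be non-null; its fields are overwritten with
///                  the fixed test rectangle, which is then used as the
///                  window geometry.
/// @return TRUE when CreateWindow(Ex)W returned a window handle, FALSE
///         otherwise. Also FALSE when @p rect is NULL (the original code
///         dereferenced it unconditionally).
BOOL CBaseWindow::Create(DWORD dwStyles, RECT* rect)
{
    if (rect == NULL)
        return FALSE;

    DWORD dwExStyle = 0;

    // Fixed test geometry; the caller's rectangle is intentionally replaced.
    rect->left   = 100;
    rect->top    = 100;
    rect->right  = 200;
    rect->bottom = 200;

    /// @note The parameters are modified here on purpose, to build a hidden window.
// #define CREATE_BY_CREATEWINDOW   ///< build the window with CreateWindowW instead of CreateWindowExW
#define CREATE_WINDOW_TO_HIDE       ///< whether to build a hidden window

#ifdef CREATE_WINDOW_TO_HIDE
    // No WS_VISIBLE: the window is created but never shown. The extended
    // styles keep it out of the foreground and mark it transparent.
    dwStyles  = WS_OVERLAPPEDWINDOW & ~WS_VISIBLE;  ///< create a window that is not displayed
    dwExStyle = WS_EX_NOACTIVATE                    ///< never becomes the foreground window
              | WS_EX_TRANSPARENT;                  ///< transparent
#else
    dwStyles  = WS_OVERLAPPEDWINDOW | WS_VISIBLE;   ///< create a window that is displayed
#endif

    const int nWidth  = rect->right - rect->left;
    const int nHeight = rect->bottom - rect->top;

#ifdef CREATE_BY_CREATEWINDOW
    m_hwnd = CreateWindowW(
        szClassName,                 ///< LPCTSTR   lpClassName
        szWindowTitle,               ///< LPCTSTR   lpWindowName
        dwStyles,                    ///< DWORD     dwStyle
        rect->left,                  ///< int       x
        rect->top,                   ///< int       y
        nWidth,                      ///< int       nWidth
        nHeight,                     ///< int       nHeight
        NULL,                        ///< HWND      hWndParent
        NULL,                        ///< HMENU     hMenu
        hInstance,                   ///< HINSTANCE hInstance
        static_cast<LPVOID>(this));  ///< LPVOID    lpParam (this object, for the window procedure)
#else
    m_hwnd = CreateWindowExW(
        dwExStyle,                   ///< DWORD     dwExStyle
        szClassName,                 ///< LPCTSTR   lpClassName
        szWindowTitle,               ///< LPCTSTR   lpWindowName
        dwStyles,                    ///< DWORD     dwStyle
        rect->left,                  ///< int       x
        rect->top,                   ///< int       y
        nWidth,                      ///< int       nWidth
        nHeight,                     ///< int       nHeight
        NULL,                        ///< HWND      hWndParent
        NULL,                        ///< HMENU     hMenu
        hInstance,                   ///< HINSTANCE hInstance
        static_cast<LPVOID>(this));  ///< LPVOID    lpParam (this object, for the window procedure)
#endif

    /**
     * CComQIPtr m_pIE;
     * m_pIE.CoCreateInstance(CLSID_InternetExplorer);
     *   ///< Once this statement has run, the IE window is already up.
     *
     * Observation from the original author: m_pIE.CoCreateInstance ends up
     * calling CreateWindowExW. Intercepting CreateWindowExW and changing
     * dwStyles or dwExStyle is what produces a "hidden IE window"; the style
     * combination above is the one that does it.
     */
    return (m_hwnd != NULL);
}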

某人直接下断点试出来的. 

用IDA分析Ole32.dll中的CoCreateInstance并不能直接看到CreateWindowEx的调用.

// IDA decompilation of ole32.dll (32-bit). Three functions on the activation
// path: CoCreateInstance -> CoCreateInstanceEx -> CComActivator::DoCreateInstance.
// Nothing in these three functions creates a window; the decompiler stops
// following at the tail jump into ICoCreateInstanceEx at the end of
// DoCreateInstance.

// Thin wrapper: packs the single requested interface into one MULTI_QI and
// forwards to CoCreateInstanceEx (no COSERVERINFO, count 1).
HRESULT __stdcall CoCreateInstance(_GUID *rclsid, IUnknown *pUnkOuter, unsigned int dwContext, _GUID *riid, void **ppv)
{
  HRESULT result; // eax@2
  tagMULTI_QI OneQI; // [sp+4h] [bp-Ch]@2
  if ( ppv )
  {
    OneQI.pItf = 0;
    OneQI.pIID = riid;
    result = CoCreateInstanceEx(rclsid, pUnkOuter, dwContext, 0, 1u, &OneQI);
    *ppv = OneQI.pItf; // interface pointer (or 0 on failure) handed back to the caller
  }
  else
  {
    result = -2147024809; // 0x80070057 = E_INVALIDARG: a null ppv is rejected up front
  }
  return result;
}

// Runs the verifier DllMain check for every CLSID other than GUID_NULL, then
// delegates to the activator with no ActivationPropertiesIn (last argument 0).
HRESULT __stdcall CoCreateInstanceEx(_GUID *Clsid, IUnknown *punkOuter, unsigned int dwClsCtx, _COSERVERINFO *pServerInfo, unsigned int dwCount, tagMULTI_QI *pResults)
{
  if ( memcmp(Clsid, &GUID_NULL, 16) ) // 16 bytes = sizeof(GUID)
    CoVrfDllMainCheck();
  return CComActivator::DoCreateInstance(Clsid, punkOuter, dwClsCtx, pServerInfo, dwCount, pResults, 0);
}

// Records the CLSID being activated in the thread's OLE TLS block
// (outgoingActivationData), optionally emits a WPP trace event, then
// tail-jumps into ICoCreateInstanceEx. If the thread has no OLE TLS block
// yet, one is allocated first and the same path is re-entered via LABEL_2.
HRESULT __stdcall CComActivator::DoCreateInstance(_GUID *Clsid, IUnknown *punkOuter, unsigned int dwClsCtx, _COSERVERINFO *pServerInfo, unsigned int dwCount, tagMULTI_QI *pResults, ActivationPropertiesIn *pActIn)
{
  HRESULT result; // eax@5
  tagSOleTlsData *v8; // eax@1 - this thread's OLE TLS block
  int v9; // eax@2 - address of v8->outgoingActivationData
  const wchar_t *v10; // ecx@10 - server name used for tracing only
  COleTls tls; // [sp+ACh] [bp-1Ch]@1
  _COSERVERINFO *hr; // [sp+B0h] [bp-18h]@1 - misnamed by the decompiler; it is a copy of pServerInfo
  _GUID ConfClsid; // [sp+B4h] [bp-14h]@2 - previous CLSID saved from the TLS block
  unsigned int v14; // [sp+C4h] [bp-4h]@1 - /GS stack cookie
  int v15; // [sp+C8h] [bp+0h]@1
  v14 = (unsigned int)&v15 ^ __security_cookie; // /GS stack-cookie setup (checked after the jump, not visible here)
  hr = pServerInfo;
  CComActivator::GetActvFlags(dwClsCtx); // return value is discarded in this listing
  // fs:[0x18] is the TEB self-pointer on 32-bit Windows; offset 3968 (0xF80)
  // is presumably TEB.ReservedForOle, which holds the tagSOleTlsData pointer.
  v8 = *(tagSOleTlsData **)(__readfsdword(24) + 3968);
  tls._pData = v8;
  if ( v8 )
  {
LABEL_2:
    // Save the 16-byte CLSID currently in outgoingActivationData into
    // ConfClsid, then store the CLSID being activated there. ConfClsid is not
    // read again in this listing; any restore happens past the JUMPOUT.
    v9 = (int)&v8->outgoingActivationData;
    ConfClsid.Data1 = *(_DWORD *)v9;
    *(_DWORD *)&ConfClsid.Data2 = *(_DWORD *)(v9 + 4);
    *(_DWORD *)&ConfClsid.Data4[0] = *(_DWORD *)(v9 + 8);
    *(_DWORD *)&ConfClsid.Data4[4] = *(_DWORD *)(v9 + 12);
    *(_DWORD *)v9 = Clsid->Data1;
    *(_DWORD *)(v9 + 4) = *(_DWORD *)&Clsid->Data2;
    *(_DWORD *)(v9 + 8) = *(_DWORD *)&Clsid->Data4[0];
    *(_DWORD *)(v9 + 12) = *(_DWORD *)&Clsid->Data4[4];
    // WPP software tracing: only when tracing is enabled and the control
    // block's flag byte has bit 3 set.
    if ( gfEnableTracing && WPP_GLOBAL_Control != &WPP_GLOBAL_Control && *((_BYTE *)WPP_GLOBAL_Control + 28) & 8 )
    {
      if ( hr )
        v10 = hr->pwszName; // remote server name from COSERVERINFO
      else
        v10 = &szPathName;  // local activation: fixed string
      WPP_SF__guid_dS(*((_QWORD *)WPP_GLOBAL_Control + 2), 0xCu, &WPP_immact_hxx_Traceguids, Clsid, dwClsCtx, v10);
    }
    // IDA marker for a jump into another function's body: control continues
    // inside ICoCreateInstanceEx and never returns through this frame.
    JUMPOUT(ICoCreateInstanceEx);
  }
  // No OLE TLS block on this thread yet: allocate one and retry the main path.
  result = COleTls::TLSAllocData(&tls);
  if ( result >= 0 )
  {
    v8 = tls._pData;
    goto LABEL_2;
  }
  return result; // only reached when TLS allocation failed
}

在网上找了一段CoCreateInstance的蓝屏dump调用栈,也看不到 CreateWindowEx的调用.

0:000> kb
ChildEBP RetAddr  Args to Child
0006be18 76671b2a 76671b74 00000020 00000003 kernel32!CreateFileW
0006be94 766724e2 000a6b40 0006bf4c 00000000 cscui!IsCSCEnabled+0x38
0006bea8 77a68b49 000a7084 77a51a60 0006bf44 cscui!DllGetClassObject+0x72
0006bec4 77a80f5e 000a7084 77a51a60 0006bf44 ole32!CClassCache::CDllPathEntry::DllGetClassObject+0x2d
0006bedc 77a80e9a 0006bef0 77a51a60 0006bf44 ole32!CClassCache::CDllFnPtrMoniker::BindToObjectNoSwitch+0x1f
0006bf08 77a81cc6 0006bf4c 00000000 0006c540 ole32!CClassCache::GetClassObject+0x38
0006bf84 77a806aa 77b76ca4 00000000 0006c540 ole32!CServerContextActivator::CreateInstance+0x106
0006bfc4 77a81e19 0006c540 00000000 0006ca8c ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf7
0006c018 77a81d90 77b76ca8 00000000 0006c540 ole32!CApartmentActivator::CreateInstance+0x110
0006c038 77a8101e 77b76ca8 00000001 00000000 ole32!CProcessActivator::CCICallback+0x6d
0006c058 77a80fd5 77b76ca0 0006c39c 00000000 ole32!CProcessActivator::AttemptActivation+0x2c
0006c090 77a81e7a 77b76ca0 0006c39c 00000000 ole32!CProcessActivator::ActivateByContext+0x42
0006c0b8 77a806aa 77b76ca0 00000000 0006c540 ole32!CProcessActivator::CreateInstance+0x49
0006c0f8 77a81bc4 0006c540 00000000 0006ca8c ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf7
0006c348 77a806aa 77b765d4 00000000 0006c540 ole32!CClientContextActivator::CreateInstance+0x8f
0006c388 77a805dc 0006c540 00000000 0006ca8c ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf7
0006cb38 77a64eb1 000a2f08 00000000 00000001 ole32!ICoCreateInstanceEx+0x3c9
0006cb60 77a64e80 000a2f08 00000000 00000001 ole32!CComActivator::DoCreateInstance+0x28
0006cb84 77a65102 000a2f08 00000000 00000001 ole32!CoCreateInstanceEx+0x1e
0006cbb4 779d69a5 000a2f08 00000000 00000001 ole32!CoCreateInstance+0x37

转载地址:https://lostspeed.blog.csdn.net/article/details/12244955 如侵犯您的版权,请留言回复原文章的地址,我们会给您删除此文章,给您带来不便请您谅解!

