The vk key state after the user presses a character key is set by win32k!UpdateKeyState inside win32k!xxxSkipSysMsg ==== very important

  • Time: 2025-11-13 20:42  Author:  Source:  Reads: 2

The vk key state after the user presses a character key is set by win32k!UpdateKeyState, called from win32k!xxxSkipSysMsg, called from win32k!xxxScanSysQueue, called from win32k!NtUserPeekMessage ==== very important. In other words, afKeyState in the thread's tagQ is updated when the receiving thread removes the key message from the system input queue (PeekMessage/GetMessage with PM_REMOVE), not when the raw input thread posts it: at the win32k!PostInputMessage breakpoints in Parts 1 to 3 the afKeyState bytes do not change (byte 13 stays 0x02), and they only change in Part 6, when xxxSkipSysMsg calls UpdateKeyState.

Part 1: raw input thread posts WM_KEYDOWN for '5' (vk 0x35) into the system queue

0: kd> dv
             pq = 0xe1630530
           pwnd = 0x00000000
        message = 0x100
         wParam = 0x35
         lParam = 0n393217
           time = 0xffecc0c1
    dwExtraInfo = 0
0: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagQ *)0xe1630530)
((win32k!tagQ *)0xe1630530)                 : 0xe1630530 [Type: tagQ *]
    [+0x000] mlInput          [Type: tagMLIST]
    [+0x00c] ptiSysLock       : 0x0 [Type: tagTHREADINFO *]
    [+0x010] idSysLock        : 0x1 [Type: unsigned long]
    [+0x014] idSysPeek        : 0x0 [Type: unsigned long]
    [+0x018] ptiMouse         : 0xe1404c50 [Type: tagTHREADINFO *]
    [+0x01c] ptiKeyboard      : 0xe1404c50 [Type: tagTHREADINFO *]
    [+0x020] spwndCapture     : 0x0 [Type: tagWND *]
    [+0x024] spwndFocus       : 0xbc6449ac [Type: tagWND *]
    [+0x028] spwndActive      : 0xbc644124 [Type: tagWND *]
    [+0x02c] spwndActivePrev  : 0x0 [Type: tagWND *]
    [+0x030] codeCapture      : 0x1 [Type: unsigned int]
    [+0x034] msgDblClk        : 0x201 [Type: unsigned int]
    [+0x038] xbtnDblClk       : 0x0 [Type: unsigned short]
    [+0x03c] timeDblClk       : 0xffe598d9 [Type: unsigned long]
    [+0x040] hwndDblClk       : 0xc00d6 [Type: HWND__ *]
    [+0x044] ptDblClk         : {x=464 y=375} [Type: tagPOINT]
    [+0x04c] afKeyRecentDown  [Type: unsigned char [32]]
    [+0x06c] afKeyState       [Type: unsigned char [64]]
    [+0x0ac] caret            [Type: tagCARET]
    [+0x0e4] spcurCurrent     : 0x0 [Type: tagCURSOR *]
    [+0x0e8] iCursorLevel     : 0 [Type: int]
    [+0x0ec] QF_flags         : 0x140 [Type: unsigned long]


0: kd> kc
 #
00 win32k!PostInputMessage
01 win32k!xxxKeyEvent
02 win32k!xxxProcessKeyEvent
03 win32k!ProcessKeyboardInputWorker
04 win32k!ProcessKeyboardInput
05 win32k!InputApc
06 nt!KiDeliverApc
07 nt!KiSwapThread
08 nt!KeWaitForMultipleObjects
09 win32k!RawInputThread
0a win32k!xxxCreateSystemThreads
0b win32k!NtUserCallOneParam
0c nt!_KiSystemService
0d SharedUserData!SystemCallStub


0: kd> dx -id 0,0,8960a020 -r1 (*((win32k!unsigned char (*)[64])0xe163059c))
(*((win32k!unsigned char (*)[64])0xe163059c))                 [Type: unsigned char [64]]
    [0]              : 0x8 [Type: unsigned char]
    [1]              : 0x0 [Type: unsigned char]
    [2]              : 0x8 [Type: unsigned char]
    [3]              : 0x0 [Type: unsigned char]
    [4]              : 0x0 [Type: unsigned char]
    [5]              : 0x0 [Type: unsigned char]
    [6]              : 0x0 [Type: unsigned char]
    [7]              : 0x0 [Type: unsigned char]
    [8]              : 0x0 [Type: unsigned char]
    [9]              : 0x0 [Type: unsigned char]
    [10]             : 0x0 [Type: unsigned char]
    [11]             : 0x20 [Type: unsigned char]
    [12]             : 0x0 [Type: unsigned char]
    [13]             : 0x2 [Type: unsigned char]
    [14]             : 0x0 [Type: unsigned char]
    [15]             : 0x0 [Type: unsigned char]
    [16]             : 0xa0 [Type: unsigned char]
    [17]             : 0x2 [Type: unsigned char]

0: kd> dx -id 0,0,8960a020 -r1 (*((win32k!tagMLIST *)0xe1630530))
(*((win32k!tagMLIST *)0xe1630530))                 [Type: tagMLIST]
    [+0x000] pqmsgRead        : 0xe16fa0a8 [Type: tagQMSG *]
    [+0x004] pqmsgWriteLast   : 0xe16fa0a8 [Type: tagQMSG *]
    [+0x008] cMsgs            : 0x1 [Type: unsigned long]
0: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagQMSG *)0xe16fa0a8)
((win32k!tagQMSG *)0xe16fa0a8)                 : 0xe16fa0a8 [Type: tagQMSG *]
    [+0x000] pqmsgNext        : 0x0 [Type: tagQMSG *]
    [+0x004] pqmsgPrev        : 0x0 [Type: tagQMSG *]
    [+0x008] msg              : {msg=0x0 wp=0x0 lp=0x0} [Type: tagMSG]
    [+0x024] ExtraInfo        : 0 [Type: long]
    [+0x028] dwQEvent         : 0x0 [Type: unsigned long]
    [+0x02c] pti              : 0x0 [Type: tagTHREADINFO *]


    StoreQMessage(pqmsgInput, pwnd, message, wParam, lParam, time, 0, dwExtraInfo);
    WakeSomeone(pq, message, pqmsgInput);


0: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagQMSG *)0xe16fa0a8)
((win32k!tagQMSG *)0xe16fa0a8)                 : 0xe16fa0a8 [Type: tagQMSG *]
    [+0x000] pqmsgNext        : 0x0 [Type: tagQMSG *]
    [+0x004] pqmsgPrev        : 0x0 [Type: tagQMSG *]
    [+0x008] msg              : {msg=0x100 wp=0x35 lp=0x60001} [Type: tagMSG]
    [+0x024] ExtraInfo        : 0 [Type: long]
    [+0x028] dwQEvent         : 0x0 [Type: unsigned long]
    [+0x02c] pti              : 0x0 [Type: tagTHREADINFO *]

Part 2: raw input thread posts WM_KEYUP for the same key

0: kd> g
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserWaitMessage, retval = 1
Breakpoint 17 hit
eax=e1630530 ebx=00000000 ecx=00000101 edx=bc510000 esi=00060001 edi=e16fa0a8
eip=bf8ad0ba esp=f75d68c0 ebp=f75d693c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
win32k!PostInputMessage:
bf8ad0ba 55              push    ebp
0: kd> dv
             pq = 0xe1630530
           pwnd = 0x00000000
        message = 0x101
         wParam = 0x35
         lParam = 0n393217
           time = 0xffecc13e
    dwExtraInfo = 0

0: kd> dx -id 0,0,8960a020 -r1 (*((win32k!unsigned char (*)[64])0xe163059c))
(*((win32k!unsigned char (*)[64])0xe163059c))                 [Type: unsigned char [64]]
    [0]              : 0x8 [Type: unsigned char]
    [1]              : 0x0 [Type: unsigned char]
    [2]              : 0x8 [Type: unsigned char]
    [3]              : 0x0 [Type: unsigned char]
    [4]              : 0x0 [Type: unsigned char]
    [5]              : 0x0 [Type: unsigned char]
    [6]              : 0x0 [Type: unsigned char]
    [7]              : 0x0 [Type: unsigned char]
    [8]              : 0x0 [Type: unsigned char]
    [9]              : 0x0 [Type: unsigned char]
    [10]             : 0x0 [Type: unsigned char]
    [11]             : 0x20 [Type: unsigned char]
    [12]             : 0x0 [Type: unsigned char]
    [13]             : 0x2 [Type: unsigned char]
    [14]             : 0x0 [Type: unsigned char]

    StoreQMessage(pqmsgInput, pwnd, message, wParam, lParam, time, 0, dwExtraInfo);
    WakeSomeone(pq, message, pqmsgInput);

0: kd> dx -id 0,0,8960a020 -r1 (*((win32k!tagMLIST *)0xe1630530))
(*((win32k!tagMLIST *)0xe1630530))                 [Type: tagMLIST]
    [+0x000] pqmsgRead        : 0xe16fa0a8 [Type: tagQMSG *]
    [+0x004] pqmsgWriteLast   : 0xe31096b8 [Type: tagQMSG *]
    [+0x008] cMsgs            : 0x2 [Type: unsigned long]
0: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagQMSG *)0xe16fa0a8)
((win32k!tagQMSG *)0xe16fa0a8)                 : 0xe16fa0a8 [Type: tagQMSG *]
    [+0x000] pqmsgNext        : 0xe31096b8 [Type: tagQMSG *]
    [+0x004] pqmsgPrev        : 0x0 [Type: tagQMSG *]
    [+0x008] msg              : {msg=0x100 wp=0x35 lp=0x60001} [Type: tagMSG]
    [+0x024] ExtraInfo        : 0 [Type: long]
    [+0x028] dwQEvent         : 0x0 [Type: unsigned long]
    [+0x02c] pti              : 0xe1404c50 [Type: tagTHREADINFO *]
0: kd> dx -id 0,0,8960a020 -r1 ((win32k!tagQMSG *)0xe31096b8)
((win32k!tagQMSG *)0xe31096b8)                 : 0xe31096b8 [Type: tagQMSG *]
    [+0x000] pqmsgNext        : 0x0 [Type: tagQMSG *]
    [+0x004] pqmsgPrev        : 0xe16fa0a8 [Type: tagQMSG *]
    [+0x008] msg              : {msg=0x101 wp=0x35 lp=0x60001} [Type: tagMSG]
    [+0x024] ExtraInfo        : 0 [Type: long]
    [+0x028] dwQEvent         : 0x0 [Type: unsigned long]
    [+0x02c] pti              : 0x0 [Type: tagTHREADINFO *]

Part 3: Ctrl+Win pressed to release the keyboard from the virtual machine (the Ctrl down, vk 0x11, is what gets queued)
0: kd> g
Breakpoint 17 hit
eax=e1630530 ebx=00000000 ecx=00000100 edx=bc510000 esi=001d0001 edi=e31096b8
eip=bf8ad0ba esp=f75d68c0 ebp=f75d693c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
win32k!PostInputMessage:
bf8ad0ba 55              push    ebp
0: kd> dv
             pq = 0xe1630530
           pwnd = 0x00000000
        message = 0x100
         wParam = 0x11
         lParam = 0n1900545
           time = 0xffecc15e
    dwExtraInfo = 0


Part 4: USER32!PeekMessageW (frame 08), called from USER32!DialogBox2 (frame 09), fetches a system message and removes it (PM_REMOVE)

0: kd> g
Breakpoint 0 hit
eax=e1404c50 ebx=00000000 ecx=00000000 edx=f75c6bc4 esi=bf9ea2a4 edi=bf9eb174
eip=bf809330 esp=f75c6a78 ebp=f75c6a9c iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206
win32k!UpdateKeyState:
bf809330 55              push    ebp
1: kd> kc
 #
00 win32k!UpdateKeyState
01 win32k!xxxSkipSysMsg
02 win32k!xxxScanSysQueue
03 win32k!xxxRealInternalGetMessage
04 win32k!NtUserPeekMessage

05 nt!_KiSystemService
06 SharedUserData!SystemCallStub
07 USER32!NtUserPeekMessage
08 USER32!PeekMessageW
09 USER32!DialogBox2
0a USER32!InternalDialogBox
0b USER32!DialogBoxIndirectParamAorW
0c USER32!DialogBoxParamW
0d USER32!DialogBoxParamW_wrapper
0e winlogon!Fusion_DialogBoxParam
0f winlogon!TimeoutDialogBoxParam
10 winlogon!WlxDialogBoxParam
11 MSGINA!WlxWkstaLockedSAS
12 winlogon!DoLockWksta
13 winlogon!DoScreenSaver
14 winlogon!LoggedonDlgProc
15 winlogon!RootDlgProc
16 USER32!InternalCallWinProc
17 USER32!UserCallDlgProcCheckWow
18 USER32!DefDlgProcWorker
19 USER32!DefDlgProcW
1a USER32!InternalCallWinProc
1b USER32!UserCallWinProcCheckWow
1c USER32!DispatchMessageWorker
1d USER32!DispatchMessageW
1e USER32!IsDialogMessageW
1f USER32!DialogBox2
20 USER32!InternalDialogBox
21 USER32!DialogBoxIndirectParamAorW
22 USER32!DialogBoxParamW
23 USER32!DialogBoxParamW_wrapper
24 winlogon!Fusion_DialogBoxParam
25 winlogon!TimeoutDialogBoxParam
26 winlogon!WlxDialogBoxParam
27 winlogon!BlockWaitForUserAction
28 winlogon!MainLoop
29 winlogon!WinMain
2a winlogon!WinMainCRTStartup
1: kd> dv
             pq = 0xe1630530
             vk = 0x35
          fDown = 0n1

1: kd> kv 10
 # ChildEBP RetAddr  Args to Child              
00 f75c6a74 bf80921f e1630530 00000035 00000001 win32k!UpdateKeyState (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\input.c @ 3279]
01 f75c6a9c bf80af08 e1404c50 f75c6bc4 bf9ea2a4 win32k!xxxSkipSysMsg+0x4b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\input.c @ 3572]
02 f75c6c40 bf8ad571 e1404c50 f75c6d04 00000000 win32k!xxxScanSysQueue+0x18a0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\input.c @ 5153]
03 f75c6cd8 bf89b537 f75c6d04 00000000 00000000 win32k!xxxRealInternalGetMessage+0x3c3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\input.c @ 636]
04 f75c6d3c 80afbcb2 0006f8f8 00000000 00000000 win32k!NtUserPeekMessage+0x7d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 5734]
05 f75c6d3c 7ffe0304 0006f8f8 00000000 00000000 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ f75c6d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
06 0006f878 77d20744 77cbe70b 0006f8f8 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
07 0006f8a4 77cc410d 0006f8f8 00000000 00000000 USER32!NtUserPeekMessage+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\umode\daytona\obj\i386\usrstubs.c @ 3891]
08 0006f8d0 77cdfedd 0006f8f8 00000000 00000000 USER32!PeekMessageW+0xf5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\cltxt.h @ 661]
09 0006f918 77cff459 001800e0 00000000 00000010 USER32!DialogBox2+0xe2 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\dlgmgr.c @ 1109]
0a 0006f940 77ce5e58 75080000 750b7580 00000000 USER32!InternalDialogBox+0x108 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\dlgmgr.c @ 1353]
0b 0006f960 77ce76e7 75080000 750b7580 00000000 USER32!DialogBoxIndirectParamAorW+0x67 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clres.c @ 806]
0c 0006f984 77cf607b 75080000 0000079e 00000000 USER32!DialogBoxParamW+0x3d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clres.c @ 954]
0d 0006f9ac 0102e8fc 75080000 0000079e 00000000 USER32!DialogBoxParamW_wrapper+0x5a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clres.c @ 933]
0e 0006f9d0 010221e2 75080000 0000079e 00000000 winlogon!Fusion_DialogBoxParam+0x22 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\fusion.cpp @ 39]
0f 0006fa14 0102c860 00077418 75080000 0000079e winlogon!TimeoutDialogBoxParam+0x36 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\timeout.c @ 1092]
windbg> .open -a 77cdfedd


Note on the next two dumps: f75c6bc4 is the second argument of xxxSkipSysMsg in the kv output above, i.e. the stack-local QMSG copy (&qmsg) that xxxGetNextSysMsg filled in, not the tagQ; the queue is still 0xe1630530. Viewed as tagQ the fields below are that QMSG reinterpreted: +0x00c 0x100 is msg.message (WM_KEYDOWN), +0x010 0x35 is msg.wParam, +0x014 0x60001 is msg.lParam, +0x018 0xffecc0c1 is msg.time. The tagMLIST view that follows is likewise pqmsgNext (0xe31096b8, the queued WM_KEYUP), pqmsgPrev and msg.hwnd of the same QMSG. Part 6 dumps this address with the correct type, tagQMSG.

1: kd> dt win32k!tagQ f75c6bc4
   +0x000 mlInput          : tagMLIST
   +0x00c ptiSysLock       : 0x00000100 tagTHREADINFO
   +0x010 idSysLock        : 0x35
   +0x014 idSysPeek        : 0x60001
   +0x018 ptiMouse         : 0xffecc0c1 tagTHREADINFO
   +0x01c ptiKeyboard      : 0x0000015c tagTHREADINFO
   +0x020 spwndCapture     : 0x000002b3 tagWND
   +0x024 spwndFocus       : (null)
   +0x028 spwndActive      : (null)
   +0x02c spwndActivePrev  : 0xe1404c50 tagWND
   +0x030 codeCapture      : 0
   +0x034 msgDblClk        : 0xf75c6c40
   +0x038 xbtnDblClk       : 0
   +0x03c timeDblClk       : 0x804edc60
   +0x040 hwndDblClk       : (null)
   +0x044 ptDblClk         : tagPOINT
   +0x04c afKeyRecentDown  : [32]  ""
   +0x06c afKeyState       : [64]  "???"
   +0x0ac caret            : tagCARET
   +0x0e4 spcurCurrent     : 0x80aede85 tagCURSOR
   +0x0e8 iCursorLevel     : 0n1
   +0x0ec QF_flags         : 0x201
   +0x0f0 cThreads         : 0x530
   +0x0f2 cLockCount       : 0xe163
   +0x0f4 msgJournal       : 0
   +0x0f8 ExtraInfo        : 0n9727
1: kd> dx -id 0,0,89413020 -r1 (*((win32k!tagMLIST *)0xf75c6bc4))
(*((win32k!tagMLIST *)0xf75c6bc4))                 [Type: tagMLIST]
    [+0x000] pqmsgRead        : 0xe31096b8 [Type: tagQMSG *]
    [+0x004] pqmsgWriteLast   : 0x0 [Type: tagQMSG *]
    [+0x008] cMsgs            : 0x0 [Type: unsigned long]
1: kd> dx -id 0,0,89413020 -r1 ((win32k!tagQMSG *)0xe31096b8)
((win32k!tagQMSG *)0xe31096b8)                 : 0xe31096b8 [Type: tagQMSG *]
    [+0x000] pqmsgNext        : 0xe2eed4c0 [Type: tagQMSG *]
    [+0x004] pqmsgPrev        : 0x0 [Type: tagQMSG *]
    [+0x008] msg              : {msg=0x101 wp=0x35 lp=0x60001} [Type: tagMSG]
    [+0x024] ExtraInfo        : 0 [Type: long]
    [+0x028] dwQEvent         : 0x0 [Type: unsigned long]
    [+0x02c] pti              : 0xe1404c50 [Type: tagTHREADINFO *]
1: kd> dx -id 0,0,89413020 -r1 ((win32k!tagQMSG *)0xe2eed4c0)
((win32k!tagQMSG *)0xe2eed4c0)                 : 0xe2eed4c0 [Type: tagQMSG *]
    [+0x000] pqmsgNext        : 0x0 [Type: tagQMSG *]
    [+0x004] pqmsgPrev        : 0xe31096b8 [Type: tagQMSG *]
    [+0x008] msg              : {msg=0x100 wp=0x11 lp=0x1d0009} [Type: tagMSG]
    [+0x024] ExtraInfo        : 0 [Type: long]
    [+0x028] dwQEvent         : 0x0 [Type: unsigned long]
    [+0x02c] pti              : 0xe1404c50 [Type: tagTHREADINFO *]


Part 5: the source path from DialogBox2 down to UpdateKeyState

INT_PTR DialogBox2(
    HWND hwnd,
    HWND hwndOwner,
    BOOL fDisabled,
    BOOL fOwnerIsActiveWindow)
{


    while (PDLG(pwnd) && (!PDLG(pwnd)->fEnd)) {
        if (!PeekMessage(&msg, NULL, 0, 0, PM_REMOVE)) {

BOOL NtUserPeekMessage(
    OUT LPMSG pmsg,
    IN HWND hwnd,
    IN UINT wMsgFilterMin,
    IN UINT wMsgFilterMax,
    IN UINT wRemoveMsg)
{
    MSG msg;

    BEGINRECV(BOOL, FALSE);

    TESTFLAGS(wRemoveMsg, PM_VALID);

    retval = xxxPeekMessage(
            &msg,
            hwnd,
            wMsgFilterMin,
            wMsgFilterMax,
            wRemoveMsg);


BOOL xxxScanSysQueue(
    PTHREADINFO ptiCurrent,
    LPMSG lpMsg,
    PWND pwndFilter,
    UINT msgMinFilter,
    UINT msgMaxFilter,
    DWORD flags,
    DWORD fsReason)
{

RestartScan:
    CheckPtiSysPeek(2, ptiCurrent->pq, 0);
    ptiCurrent->pq->idSysPeek = 0;

ContinueScan:
    while (TRUE) {
        ULONG_PTR idSysPeek;

        DUMPSUBPATHTAKEN(pathTaken, 0xf0);
        /*
         * Store idSysPeek in a local which forces pq to be reloaded
         * in case it changed during the xxx call (the compiler can
         * evaluate the LValue at any time)
         */
        idSysPeek = (ULONG_PTR)xxxGetNextSysMsg(ptiCurrent,
                (PQMSG)ptiCurrent->pq->idSysPeek, &qmsg);

    BOOL fRemove = (flags & PM_REMOVE);


            /*
             * Eat the message from the input queue and set the keystate
             * table.

             */
            PATHTAKEN3(0x20);
            if (fRemove) {
                xxxSkipSysMsg(ptiCurrent, &qmsg);
            }


PQMSG xxxGetNextSysMsg(
    PTHREADINFO pti,
    PQMSG pqmsgPrev,
    PQMSG pqmsg)
{
    DWORD dt;
    PMLIST pml;
    PQMSG pqmsgT;

    /*
     * If there is a journal playback hook, call it to get the next message.
     */
    if (PhkFirstGlobalValid(pti, WH_JOURNALPLAYBACK) != NULL && IsOnInputDesktop(pti)) {
        /*
         * We can't search through journal messages: we only get the current
         * journal message. So if the caller has already called us once
         * before, then exit with no messages.
         */
        if (pqmsgPrev != 0)
            return NULL;

        /*
         * Tell the journal playback hook that we're done
         * with this message now.
         */
        dt = xxxCallJournalPlaybackHook(pqmsg);
        if (dt == 0xFFFFFFFF)
            return NULL;

        /*
         * If dt == 0, then we don't need to wait: set the right wake
         * bits and return this message.
         */
        if (dt == 0) {
            WakeSomeone(pti->pq, pqmsg->msg.message, NULL);
            /*
             * Remember input is coming through journalling so we'll know this is
             *  an automation scenario.
             * Note that we don't change any of the glinp information here so it
             *  continues to hold what the actual last hardware or SendInput input event was.
             *  I'm not changing it now to avoid any unexpected side effects from it since
             *   there's no scenario requesting so.
             *  This could pontentially be reconsidered so glinp completely reflects
             *   what the last input event was, regardless of its source.
             */
            glinp.dwFlags = glinp.dwFlags | LINP_JOURNALLING;
            return PQMSG_PLAYBACK;
        } else {
            /*
             * There is logically no more input in the "queue", so clear the
             * bits so that we will sleep when GetMessage is called.
             */
            pti->pcti->fsWakeBits &= ~QS_INPUT;
            pti->pcti->fsChangeBits &= ~QS_INPUT;

            /*
             * Need to wait before processing this next message. Set
             * a journal timer.
             */
            SetJournalTimer(dt, pqmsg->msg.message);

            return NULL;
        }
    }

    /*
     * No journalling going on... return next message in system queue.
     */

    /*
     * Queue up a mouse move if the mouse has moved.
     */
    if (pti->pq->QF_flags & QF_MOUSEMOVED) {
        PostMove(pti->pq);
    }

    /*
     * If no messages in the input queue, return with 0.
     */
    pml = &pti->pq->mlInput;
    if (pml->cMsgs == 0)
        return NULL;

    /*
     * If this is the first call to xxxGetNextSysMsg(), return the
     * first message.        <-- returns the first message!!!
     */
    if (pqmsgPrev == NULL || pti->pq->idSysPeek <= (ULONG_PTR)PQMSG_PLAYBACK) {
        pqmsgT = pml->pqmsgRead;
    } else {
        /*
         * Otherwise return the next message in the queue. Index with
         * idSysPeek, because that is updated by recursive calls through
         * this code.
         */
        pqmsgT = ((PQMSG)(pti->pq->idSysPeek))->pqmsgNext;
    }

    /*
     * Fill in the structure passed, and return the pointer to the
     * current message in the message list. This will become the new
     * pq->idSysPeek.
     */
    if (pqmsgT != NULL)
        *pqmsg = *pqmsgT;
    return pqmsgT;
}

void xxxSkipSysMsg(
    PTHREADINFO pti,
    PQMSG pqmsg)
{


    case WM_SYSKEYDOWN:
        vk = LOBYTE(LOWORD(pqmsg->msg.wParam));
        break;

        /*
         * Update the key state for the differentiated (Left/Right) key.
         */
        UpdateKeyState(pti->pq, vkHanded, fDown);

        /*
         * Update key state for the undifferentiated (logical) key.
         */
        if (fDown || !TestKeyStateDown(pti->pq, vkOtherHand)) {
            UpdateKeyState(pti->pq, vk, fDown);


Part 6: stepping through UpdateKeyState

1: kd> dt  tagQMSG f75c6bc4
win32k!tagQMSG
   +0x000 pqmsgNext        : 0xe31096b8 tagQMSG
   +0x004 pqmsgPrev        : (null)
   +0x008 msg              : tagMSG
   +0x024 ExtraInfo        : 0n0
   +0x028 dwQEvent         : 0
   +0x02c pti              : 0xe1404c50 tagTHREADINFO
1: kd> dx -id 0,0,89413020 -r1 (*((win32k!tagMSG *)0xf75c6bcc))
(*((win32k!tagMSG *)0xf75c6bcc))                 : {msg=0x100 wp=0x35 lp=0x60001} [Type: tagMSG]
    [<Raw View>]     [Type: tagMSG]
1: kd> dx -id 0,0,89413020 -r1 -nv (*((win32k!tagMSG *)0xf75c6bcc))
(*((win32k!tagMSG *)0xf75c6bcc))                 : {msg=0x100 wp=0x35 lp=0x60001} [Type: tagMSG]
    [+0x000] hwnd             : 0x0 [Type: HWND__ *]
    [+0x004] message          : 0x100 [Type: unsigned int]
    [+0x008] wParam           : 0x35 [Type: unsigned int]
    [+0x00c] lParam           : 393217 [Type: long]
    [+0x010] time             : 0xffecc0c1 [Type: unsigned long]
    [+0x014] pt               [Type: tagPOINT]

1: kd> ?0n393217
Evaluate expression: 393217 = 00060001


1: kd> dx -id 0,0,8960a020 -r1 (*((win32k!unsigned char (*)[64])0xe163059c))
(*((win32k!unsigned char (*)[64])0xe163059c))                 [Type: unsigned char [64]]
    [0]              : 0x8 [Type: unsigned char]
    [1]              : 0x0 [Type: unsigned char]
    [2]              : 0x8 [Type: unsigned char]
    [3]              : 0x0 [Type: unsigned char]
    [4]              : 0x0 [Type: unsigned char]
    [5]              : 0x0 [Type: unsigned char]
    [6]              : 0x0 [Type: unsigned char]
    [7]              : 0x0 [Type: unsigned char]
    [8]              : 0x0 [Type: unsigned char]
    [9]              : 0x0 [Type: unsigned char]
    [10]             : 0x0 [Type: unsigned char]
    [11]             : 0x20 [Type: unsigned char]
    [12]             : 0x0 [Type: unsigned char]
    [13]             : 0x2 [Type: unsigned char]
    [14]             : 0x0 [Type: unsigned char]


#define TestKeyStateDown(pq, vk) \
        TestKeyDownBit(pq->afKeyState, vk)


#define TestKeyDownBit(pb, vk)     (KEY_BYTE(pb,vk) &   KEY_DOWN_BIT(vk))


        if (fDown && !TestKeyStateDown(pq, vk)) {
            if (TestKeyStateToggle(pq, vk)) {
                ClearKeyStateToggle(pq, vk);
            } else {
                SetKeyStateToggle(pq, vk);
            }
        }
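The C program below is an added example for this page, not code from input.c or from the author. It models, with the structures and macros shown above, how the system input queue (tagMLIST of tagQMSG) is filled by PostInputMessage/StoreQMessage, walked by xxxGetNextSysMsg through the idSysPeek cursor, drained by xxxSkipSysMsg under PM_REMOVE, and how UpdateKeyState packs two bits per virtual key into afKeyState. KEY_BYTE, KEY_DOWN_BIT and KEY_TOGGLE_BIT are reconstructed from the shr 2 / and 3 / shl sequence in the trace; the down-bit update in UpdateKeyState, the unlink in SkipSysMsg, the names StoreQMessage/GetNextSysMsg/SkipSysMsg/ScanSysQueueRemove/CountKeys/ReplaySession and the zeroed bytes 18..63 of the seed table are assumptions. It replays the session from Parts 1 to 4 ('5' down and up, then Ctrl down) and shows that afKeyState[13] stays 0x02 after posting and only becomes 0x0e, then 0x0a, as each message is skipped; it also decodes the Part 1 dump, where seven keys carry a toggle bit and none is down.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define WM_KEYDOWN 0x0100
#define WM_KEYUP   0x0101

/* 2 bits per vk: byte vk>>2, down bit 2*(vk&3), toggle bit 2*(vk&3)+1 (the shr 2 / and 3 / shl in the trace). */
#define KEY_BYTE(pb, vk)         ((pb)[((uint8_t)(vk)) >> 2])
#define KEY_DOWN_BIT(vk)         ((uint8_t)(1u << ((((uint8_t)(vk)) & 3) << 1)))
#define KEY_TOGGLE_BIT(vk)       ((uint8_t)(1u << (((((uint8_t)(vk)) & 3) << 1) + 1)))
#define TestKeyDownBit(pb, vk)   (KEY_BYTE(pb, vk) & KEY_DOWN_BIT(vk))
#define TestKeyToggleBit(pb, vk) (KEY_BYTE(pb, vk) & KEY_TOGGLE_BIT(vk))

typedef struct tagQMSG { struct tagQMSG *pqmsgNext, *pqmsgPrev; uint32_t message, wParam, lParam; } QMSG;
typedef struct { QMSG *pqmsgRead, *pqmsgWriteLast; uint32_t cMsgs; } MLIST;
typedef struct {                 /* the tagQ fields this model needs */
    MLIST    mlInput;
    QMSG    *idSysPeek;          /* scan cursor, zeroed at RestartScan */
    uint8_t  afKeyState[64];
} Q;

/* afKeyState as dumped in Part 1; bytes 18..63 are not on the page and are assumed 0. */
const uint8_t kSeedKeyState[64] = { 8,0,8,0,0,0,0,0,0,0,0,0x20,0,2,0,0,0xa0,2 };

/* Toggle handling as in the snippet and trace above; the down-bit update is assumed. */
void UpdateKeyState(Q *pq, uint8_t vk, int fDown)
{
    uint8_t *pb = pq->afKeyState;
    if (vk == 0) return;
    if (fDown) {
        if (!TestKeyDownBit(pb, vk))                 /* first down, not an auto-repeat: */
            KEY_BYTE(pb, vk) ^= KEY_TOGGLE_BIT(vk);  /* flip toggle (the or at +0x55 when it was clear) */
        KEY_BYTE(pb, vk) |= KEY_DOWN_BIT(vk);
    } else {
        KEY_BYTE(pb, vk) &= (uint8_t)~KEY_DOWN_BIT(vk);
    }
}

/* Raw input thread side (PostInputMessage -> StoreQMessage): append only, key state untouched. */
void StoreQMessage(Q *pq, uint32_t message, uint32_t wParam, uint32_t lParam)
{
    MLIST *pml = &pq->mlInput;
    QMSG *m = calloc(1, sizeof *m);
    if (!m) abort();
    m->message = message; m->wParam = wParam; m->lParam = lParam;
    m->pqmsgPrev = pml->pqmsgWriteLast;
    if (pml->pqmsgWriteLast) pml->pqmsgWriteLast->pqmsgNext = m; else pml->pqmsgRead = m;
    pml->pqmsgWriteLast = m;
    pml->cMsgs++;
}

/* xxxGetNextSysMsg without journalling: the first message, or the one after idSysPeek. */
QMSG *GetNextSysMsg(Q *pq, QMSG *pqmsgPrev)
{
    if (pq->mlInput.cMsgs == 0) return NULL;
    return pqmsgPrev == NULL ? pq->mlInput.pqmsgRead : pq->idSysPeek->pqmsgNext;
}

/* xxxSkipSysMsg: unlink from mlInput (assumed), then set key state for key messages. */
void SkipSysMsg(Q *pq, QMSG *m)
{
    MLIST *pml = &pq->mlInput;
    if (m->pqmsgPrev) m->pqmsgPrev->pqmsgNext = m->pqmsgNext; else pml->pqmsgRead = m->pqmsgNext;
    if (m->pqmsgNext) m->pqmsgNext->pqmsgPrev = m->pqmsgPrev; else pml->pqmsgWriteLast = m->pqmsgPrev;
    pml->cMsgs--;
    if (m->message == WM_KEYDOWN || m->message == WM_KEYUP)
        UpdateKeyState(pq, (uint8_t)m->wParam, m->message == WM_KEYDOWN);
    free(m);
}

/* xxxScanSysQueue with PM_REMOVE and no filter: take the first queued message; 0 when empty. */
int ScanSysQueueRemove(Q *pq, uint32_t *message, uint32_t *wParam)
{
    QMSG *m;
    pq->idSysPeek = NULL;                                  /* RestartScan */
    if ((m = GetNextSysMsg(pq, NULL)) == NULL) return 0;
    pq->idSysPeek = m;
    *message = m->message; *wParam = m->wParam;
    SkipSysMsg(pq, m);
    pq->idSysPeek = NULL;
    return 1;
}

/* Decode a dump: how many vks have the toggle bit (toggle != 0) or the down bit set. */
int CountKeys(const uint8_t afKeyState[64], int toggle)
{
    int n = 0;
    for (unsigned vk = 1; vk < 256; vk++)
        n += (toggle ? TestKeyToggleBit(afKeyState, vk) : TestKeyDownBit(afKeyState, vk)) != 0;
    return n;
}

/* Replay of Parts 1-4: post '5' (0x35) down and up and Ctrl (0x11) down, then drain with PM_REMOVE.
 * Returns afKeyState[13] after posting, after the '5' down, after the '5' up, then afKeyState[4] after
 * the Ctrl down, packed big-endian (expected 0x020e0a0c); 0xffffffff if the queue is not empty at the end. */
uint32_t ReplaySession(void)
{
    Q q; uint32_t msg, wp, r;
    memset(&q, 0, sizeof q);
    memcpy(q.afKeyState, kSeedKeyState, sizeof q.afKeyState);
    StoreQMessage(&q, WM_KEYDOWN, 0x35, 0x00060001);
    StoreQMessage(&q, WM_KEYUP,   0x35, 0x00060001);
    StoreQMessage(&q, WM_KEYDOWN, 0x11, 0x001d0001);
    r  = (uint32_t)KEY_BYTE(q.afKeyState, 0x35) << 24;     /* 0x02: posting changed nothing */
    ScanSysQueueRemove(&q, &msg, &wp);
    r |= (uint32_t)KEY_BYTE(q.afKeyState, 0x35) << 16;     /* 0x0e: toggle set, then down set */
    ScanSysQueueRemove(&q, &msg, &wp);
    r |= (uint32_t)KEY_BYTE(q.afKeyState, 0x35) << 8;      /* 0x0a: down cleared, toggle stays */
    ScanSysQueueRemove(&q, &msg, &wp);
    r |= (uint32_t)KEY_BYTE(q.afKeyState, 0x11);           /* 0x0c: Ctrl toggle and down set */
    return ScanSysQueueRemove(&q, &msg, &wp) ? 0xffffffffu : r;
}
```

ReplaySession() returns 0x020e0a0c, matching the trace: byte 13 is still 0x02 at every PostInputMessage breakpoint, becomes 0x0a when the or at +0x55 sets the toggle bit for vk 0x35 and 0x0e once the down bit follows, and drops back to 0x0a when the WM_KEYUP is skipped. CountKeys(kSeedKeyState, 1) is 7 (vks 0x01, 0x09, 0x2e, 0x34, 0x42, 0x43, 0x44), CountKeys(kSeedKeyState, 0) is 0: the toggle bit flips on every first down of any key, not only for lock keys, which is why so many are set in an otherwise idle queue.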


1: kd> p
eax=e1404c50 ebx=00000000 ecx=00000000 edx=f75c6bc4 esi=bf9ea2a4 edi=bf9eb174
eip=bf809333 esp=f75c6a74 ebp=f75c6a74 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206
win32k!UpdateKeyState+0x3:
bf809333 837d0c00        cmp     dword ptr [ebp+0Ch],0 ss:0010:f75c6a80=00000035
1: kd> p
eax=e1404c50 ebx=00000000 ecx=00000000 edx=f75c6bc4 esi=bf9ea2a4 edi=bf9eb174
eip=bf809337 esp=f75c6a74 ebp=f75c6a74 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206
win32k!UpdateKeyState+0x7:
bf809337 0f8485000000    je      win32k!UpdateKeyState+0x92 (bf8093c2)   [br=0]
1: kd> p
eax=e1404c50 ebx=00000000 ecx=00000000 edx=f75c6bc4 esi=bf9ea2a4 edi=bf9eb174
eip=bf80933d esp=f75c6a74 ebp=f75c6a74 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206
win32k!UpdateKeyState+0xd:
bf80933d 837d1000        cmp     dword ptr [ebp+10h],0 ss:0010:f75c6a84=00000001
1: kd> p
eax=e1404c50 ebx=00000000 ecx=00000000 edx=f75c6bc4 esi=bf9ea2a4 edi=bf9eb174
eip=bf809341 esp=f75c6a74 ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x11:
bf809341 7451            je      win32k!UpdateKeyState+0x64 (bf809394)   [br=0]
1: kd> p
eax=e1404c50 ebx=00000000 ecx=00000000 edx=f75c6bc4 esi=bf9ea2a4 edi=bf9eb174
eip=bf809343 esp=f75c6a74 ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x13:
bf809343 0fb6450c        movzx   eax,byte ptr [ebp+0Ch]     ss:0010:f75c6a80=35
1: kd> p
eax=00000035 ebx=00000000 ecx=00000000 edx=f75c6bc4 esi=bf9ea2a4 edi=bf9eb174
eip=bf809347 esp=f75c6a74 ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x17:
bf809347 8b4d08          mov     ecx,dword ptr [ebp+8] ss:0010:f75c6a7c=e1630530
1: kd> p
eax=00000035 ebx=00000000 ecx=e1630530 edx=f75c6bc4 esi=bf9ea2a4 edi=bf9eb174
eip=bf80934a esp=f75c6a74 ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x1a:
bf80934a 53              push    ebx
1: kd> p
eax=00000035 ebx=00000000 ecx=e1630530 edx=f75c6bc4 esi=bf9ea2a4 edi=bf9eb174
eip=bf80934b esp=f75c6a70 ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x1b:
bf80934b 56              push    esi
1: kd> p
eax=00000035 ebx=00000000 ecx=e1630530 edx=f75c6bc4 esi=bf9ea2a4 edi=bf9eb174
eip=bf80934c esp=f75c6a6c ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x1c:
bf80934c 8bf0            mov     esi,eax
1: kd> p
eax=00000035 ebx=00000000 ecx=e1630530 edx=f75c6bc4 esi=00000035 edi=bf9eb174
eip=bf80934e esp=f75c6a6c ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x1e:
bf80934e 83e603          and     esi,3
1: kd> p
eax=00000035 ebx=00000000 ecx=e1630530 edx=f75c6bc4 esi=00000001 edi=bf9eb174
eip=bf809351 esp=f75c6a6c ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x21:
bf809351 c1e802          shr     eax,2
1: kd> p
eax=0000000d ebx=00000000 ecx=e1630530 edx=f75c6bc4 esi=00000001 edi=bf9eb174
eip=bf809354 esp=f75c6a6c ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x24:
bf809354 33db            xor     ebx,ebx
1: kd> p
eax=0000000d ebx=00000000 ecx=e1630530 edx=f75c6bc4 esi=00000001 edi=bf9eb174
eip=bf809356 esp=f75c6a6c ebp=f75c6a74 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
win32k!UpdateKeyState+0x26:
bf809356 57              push    edi
1: kd> p
eax=0000000d ebx=00000000 ecx=e1630530 edx=f75c6bc4 esi=00000001 edi=bf9eb174
eip=bf809357 esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
win32k!UpdateKeyState+0x27:
bf809357 8d3c36          lea     edi,[esi+esi]
1: kd> p
eax=0000000d ebx=00000000 ecx=e1630530 edx=f75c6bc4 esi=00000001 edi=00000002
eip=bf80935a esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
win32k!UpdateKeyState+0x2a:
bf80935a 8d44086c        lea     eax,[eax+ecx+6Ch]
1: kd> p
eax=e16305a9 ebx=00000000 ecx=e1630530 edx=f75c6bc4 esi=00000001 edi=00000002
eip=bf80935e esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
win32k!UpdateKeyState+0x2e:
bf80935e 0fb610          movzx   edx,byte ptr [eax]         ds:0023:e16305a9=02
1: kd> db e16305a9
e16305a9  02 00 00 a0 02 00 00 80-00 00 00 00 00 00 00 00  ................
e16305b9  00 00 00 00 00 00 00 02-00 00 00 00 00 00 00 00  ................
e16305c9  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 82  ................
e16305d9  20 80 00 ac 49 64 bc 00-00 00 00 00 00 00 00 1c   ...Id..........
e16305e9  00 00 00 01 00 00 00 0d-00 00 00 01 00 00 00 00  ................
e16305f9  00 00 00 ff ff 00 00 cc-01 00 00 00 00 00 00 00  ................
e1630609  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
e1630619  00 00 00 40 01 00 00 01-00 00 00 00 00 00 00 00  ...@............
1: kd> p
eax=e16305a9 ebx=00000000 ecx=e1630530 edx=00000002 esi=00000001 edi=00000002
eip=bf809361 esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
win32k!UpdateKeyState+0x31:
bf809361 43              inc     ebx
1: kd> p
eax=e16305a9 ebx=00000001 ecx=e1630530 edx=00000002 esi=00000001 edi=00000002
eip=bf809362 esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x32:
bf809362 8bcf            mov     ecx,edi
1: kd> p
eax=e16305a9 ebx=00000001 ecx=00000002 edx=00000002 esi=00000001 edi=00000002
eip=bf809364 esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x34:
bf809364 d3e3            shl     ebx,cl
1: kd> p
eax=e16305a9 ebx=00000004 ecx=00000002 edx=00000002 esi=00000001 edi=00000002
eip=bf809366 esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x36:
bf809366 85da            test    edx,ebx
1: kd> p
eax=e16305a9 ebx=00000004 ecx=00000002 edx=00000002 esi=00000001 edi=00000002
eip=bf809368 esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
win32k!UpdateKeyState+0x38:
bf809368 751d            jne     win32k!UpdateKeyState+0x57 (bf809387)   [br=0]
1: kd> p
eax=e16305a9 ebx=00000004 ecx=00000002 edx=00000002 esi=00000001 edi=00000002
eip=bf80936a esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
win32k!UpdateKeyState+0x3a:
bf80936a 33db            xor     ebx,ebx
1: kd> p
eax=e16305a9 ebx=00000000 ecx=00000002 edx=00000002 esi=00000001 edi=00000002
eip=bf80936c esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
win32k!UpdateKeyState+0x3c:
bf80936c 8d743601        lea     esi,[esi+esi+1]
1: kd> p
eax=e16305a9 ebx=00000000 ecx=00000002 edx=00000002 esi=00000003 edi=00000002
eip=bf809370 esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
win32k!UpdateKeyState+0x40:
bf809370 43              inc     ebx
1: kd> p
eax=e16305a9 ebx=00000001 ecx=00000002 edx=00000002 esi=00000003 edi=00000002
eip=bf809371 esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x41:
bf809371 8bce            mov     ecx,esi
1: kd> p
eax=e16305a9 ebx=00000001 ecx=00000003 edx=00000002 esi=00000003 edi=00000002
eip=bf809373 esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x43:
bf809373 d3e3            shl     ebx,cl
1: kd> p
eax=e16305a9 ebx=00000008 ecx=00000003 edx=00000002 esi=00000003 edi=00000002
eip=bf809375 esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x45:
bf809375 85da            test    edx,ebx
1: kd> p
eax=e16305a9 ebx=00000008 ecx=00000003 edx=00000002 esi=00000003 edi=00000002
eip=bf809377 esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
win32k!UpdateKeyState+0x47:
bf809377 b201            mov     dl,1
1: kd> p
eax=e16305a9 ebx=00000008 ecx=00000003 edx=00000001 esi=00000003 edi=00000002
eip=bf809379 esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
win32k!UpdateKeyState+0x49:
bf809379 7408            je      win32k!UpdateKeyState+0x53 (bf809383)   [br=1]
1: kd> p
eax=e16305a9 ebx=00000008 ecx=00000003 edx=00000001 esi=00000003 edi=00000002
eip=bf809383 esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
win32k!UpdateKeyState+0x53:
bf809383 d2e2            shl     dl,cl
1: kd> p
eax=e16305a9 ebx=00000008 ecx=00000003 edx=00000008 esi=00000003 edi=00000002
eip=bf809385 esp=f75c6a68 ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x55:
bf809385 0810            or      byte ptr [eax],dl          ds:0023:e16305a9=02

1: kd> dx -id 0,0,8960a020 -r1 (*((win32k!unsigned char (*)[64])0xe163059c))
(*((win32k!unsigned char (*)[64])0xe163059c))                 [Type: unsigned char [64]]
    [0]              : 0x8 [Type: unsigned char]
    [1]              : 0x0 [Type: unsigned char]
    [2]              : 0x8 [Type: unsigned char]
    [3]              : 0x0 [Type: unsigned char]
    [4]              : 0x0 [Type: unsigned char]
    [5]              : 0x0 [Type: unsigned char]
    [6]              : 0x0 [Type: unsigned char]
    [7]              : 0x0 [Type: unsigned char]
    [8]              : 0x0 [Type: unsigned char]
    [9]              : 0x0 [Type: unsigned char]
    [10]             : 0x0 [Type: unsigned char]
    [11]             : 0x20 [Type: unsigned char]
    [12]             : 0x0 [Type: unsigned char]
    [13]             : 0xa [Type: unsigned char]


            } else {
                SetKeyStateToggle(pq, vk);

afKeyState[13] is now 0x0a = 0000 1010 (the toggle bit for vk 0x35 has just been ORed in)


        /*
         * Now set/clear the key down state.
         */
        if (fDown) {
            SetKeyStateDown(pq, vk);
        }

1: kd> p
eax=e16305a9 ebx=00000000 ecx=00000002 edx=00000004 esi=bf9ea2a4 edi=bf9eb174
eip=bf809390 esp=f75c6a74 ebp=f75c6a74 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
win32k!UpdateKeyState+0x60:
bf809390 0810            or      byte ptr [eax],dl          ds:0023:e16305a9=0a
1: kd> p

1: kd> dx -id 0,0,8960a020 -r1 (*((win32k!unsigned char (*)[64])0xe163059c))
(*((win32k!unsigned char (*)[64])0xe163059c))                 [Type: unsigned char [64]]
    [0]              : 0x8 [Type: unsigned char]
    [1]              : 0x0 [Type: unsigned char]
    [2]              : 0x8 [Type: unsigned char]
    [3]              : 0x0 [Type: unsigned char]
    [4]              : 0x0 [Type: unsigned char]
    [5]              : 0x0 [Type: unsigned char]
    [6]              : 0x0 [Type: unsigned char]
    [7]              : 0x0 [Type: unsigned char]
    [8]              : 0x0 [Type: unsigned char]
    [9]              : 0x0 [Type: unsigned char]
    [10]             : 0x0 [Type: unsigned char]
    [11]             : 0x20 [Type: unsigned char]
    [12]             : 0x0 [Type: unsigned char]
    [13]             : 0xe [Type: unsigned char]


afKeyState[13] is now 0x0e = 0000 1110 (the down bit for vk 0x35 has just been ORed in)

Originally it was 0000 0010.
Now it is 0000 1110.
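The two `or byte ptr [eax],dl` instructions in the trace are the whole mechanism: eax is `afKeyState + vk/4` (0xe163059c + 0x35/4 = 0xe16305a9, byte 13), the first OR adds the toggle mask `2 << ((vk % 4) * 2)` = 0x08, the second adds the down mask `1 << ((vk % 4) * 2)` = 0x04, so 0x02 becomes 0x0a and then 0x0e. The C program below is an added example, not win32k source: it re-implements the two-bits-per-key bitmap with the same names as the macros quoted above, plus a simplified UpdateKeyState (using the down bit as the auto-repeat guard instead of afKeyRecentDown is an assumption), and replays the traced press of vk 0x35 from a constructed pre-state of 0x02.

```c
#include <stdio.h>
#include <string.h>

#define KEYSTATE_BYTES 64  /* tagQ::afKeyState is unsigned char [64]: 256 vks x 2 bits */

typedef struct {
    unsigned char afKeyState[KEYSTATE_BYTES];
} KEYQUEUE;

/* Layout as the trace exhibits it: vk/4 selects the byte, bit (vk%4)*2 is
 * "down", bit (vk%4)*2+1 is "toggle". */
static unsigned key_index(unsigned vk)   { return vk / 4; }
static unsigned down_mask(unsigned vk)   { return 1u << ((vk % 4) * 2); }
static unsigned toggle_mask(unsigned vk) { return 2u << ((vk % 4) * 2); }

/* Address of the byte that "or byte ptr [eax],dl" writes, given the array base. */
unsigned long key_state_addr(unsigned long afKeyStateBase, unsigned vk)
{
    return afKeyStateBase + key_index(vk);
}

int  TestKeyStateDown(const KEYQUEUE *pq, unsigned vk)   { return (pq->afKeyState[key_index(vk)] & down_mask(vk)) != 0; }
int  TestKeyStateToggle(const KEYQUEUE *pq, unsigned vk) { return (pq->afKeyState[key_index(vk)] & toggle_mask(vk)) != 0; }
void SetKeyStateDown(KEYQUEUE *pq, unsigned vk)     { pq->afKeyState[key_index(vk)] |= (unsigned char)down_mask(vk); }
void ClearKeyStateDown(KEYQUEUE *pq, unsigned vk)   { pq->afKeyState[key_index(vk)] &= (unsigned char)~down_mask(vk); }
void SetKeyStateToggle(KEYQUEUE *pq, unsigned vk)   { pq->afKeyState[key_index(vk)] |= (unsigned char)toggle_mask(vk); }
void ClearKeyStateToggle(KEYQUEUE *pq, unsigned vk) { pq->afKeyState[key_index(vk)] &= (unsigned char)~toggle_mask(vk); }

/* Simplified UpdateKeyState. Assumption: win32k guards the toggle flip with
 * afKeyRecentDown; here the down bit itself marks "already down, this is
 * auto-repeat", which gives the same once-per-press toggle behaviour. */
void UpdateKeyState(KEYQUEUE *pq, unsigned vk, int fDown)
{
    if (fDown) {
        if (!TestKeyStateDown(pq, vk)) {
            if (TestKeyStateToggle(pq, vk))
                ClearKeyStateToggle(pq, vk);
            else
                SetKeyStateToggle(pq, vk);
        }
        SetKeyStateDown(pq, vk);
    } else {
        ClearKeyStateDown(pq, vk);
    }
}

/* Replay of the traced press of vk 0x35 ('5'). Byte 13 starts at 0x02, a
 * constructed pre-state matching "ds:0023:e16305a9=02" in the trace. */
unsigned char trace_byte_after_toggle(void)
{
    KEYQUEUE q;
    memset(&q, 0, sizeof q);
    q.afKeyState[13] = 0x02;
    SetKeyStateToggle(&q, 0x35);
    return q.afKeyState[13];           /* 0x0a = 0000 1010 */
}

unsigned char trace_byte_after_down(void)
{
    KEYQUEUE q;
    memset(&q, 0, sizeof q);
    q.afKeyState[13] = 0x02;
    SetKeyStateToggle(&q, 0x35);
    SetKeyStateDown(&q, 0x35);
    return q.afKeyState[13];           /* 0x0e = 0000 1110 */
}

/* Byte 13 after the first nEvents of: press, auto-repeat, release, press.
 * Shows that toggle flips once per press and survives the release. */
unsigned char cycle_byte_after(int nEvents)
{
    static const int events[4] = { 1, 1, 0, 1 };
    KEYQUEUE q;
    memset(&q, 0, sizeof q);
    for (int i = 0; i < nEvents && i < 4; i++)
        UpdateKeyState(&q, 0x35, events[i]);
    return q.afKeyState[13];           /* 0x0c, 0x0c, 0x08, 0x04 */
}

int main(void)
{
    printf("byte 13 lives at 0x%lx\n", key_state_addr(0xe163059cUL, 0x35));
    printf("after toggle: 0x%02x, after down: 0x%02x\n",
           trace_byte_after_toggle(), trace_byte_after_down());
    for (int i = 1; i <= 4; i++)
        printf("cycle event %d: 0x%02x\n", i, cycle_byte_after(i));
    return 0;
}
```

The leftover 0x02 in the pre-state is the toggle bit of the neighbouring vk 0x34 ('4'), which shares byte 13; that is why `test edx,ebx` in the trace masks the byte with 0x08 rather than comparing it to zero.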
