note : Creates a hidden IE window
2013-10-03 01:11
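/// Creates the top-level window owned by this CBaseWindow.
///
/// @param dwStyles  Requested window styles. NOTE: the value is ignored — it is
///                  overwritten below (see the @note) so the window is always
///                  created with a fixed style set.
/// @param rect      In/out. NOTE: the caller's rectangle is overwritten with a
///                  fixed 100x100 rectangle at (100,100) before the window is
///                  created; callers must not expect their input to survive.
/// @return TRUE when CreateWindow(Ex)W returned a non-NULL HWND, FALSE
///         otherwise (also when @p rect is NULL).
BOOL CBaseWindow::Create(DWORD dwStyles, RECT* rect)
{
    // The original code dereferenced rect unconditionally and would fault on
    // NULL; reject it explicitly instead.
    if (rect == NULL)
        return FALSE;

    DWORD dwExStyle = 0;

    // Fixed placement: 100x100 pixels at (100, 100).
    rect->top = 100;
    rect->left = 100;
    rect->right = 200;
    rect->bottom = 200;

    /// @note The input parameters are deliberately overridden here so that a
    ///       hidden window is created.
    // #define CREATE_BY_CREATEWINDOW ///< create the window with CreateWindowW
#define CREATE_WINDOW_TO_HIDE          ///< whether to create a hidden window

#ifdef CREATE_WINDOW_TO_HIDE
    dwStyles = WS_OVERLAPPEDWINDOW & ~WS_VISIBLE;   ///< window is created but not shown
    dwExStyle = WS_EX_NOACTIVATE                    ///< never becomes the foreground window
              | WS_EX_TRANSPARENT;                  ///< transparent
#else
    dwStyles = WS_OVERLAPPEDWINDOW | WS_VISIBLE;    ///< window is created visible
#endif

#ifdef CREATE_BY_CREATEWINDOW
    // dwExStyle is unused on this branch: CreateWindowW has no extended-style
    // parameter.
    m_hwnd = CreateWindowW(
        szClassName,                    ///< LPCTSTR lpClassName
        szWindowTitle,                  ///< LPCTSTR lpWindowName
        dwStyles,                       ///< DWORD dwStyle
        rect->left,                     ///< int x
        rect->top,                      ///< int y
        rect->right - rect->left,       ///< int nWidth
        rect->bottom - rect->top,       ///< int nHeight
        NULL,                           ///< HWND hWndParent
        NULL,                           ///< HMENU hMenu
        hInstance,                      ///< HINSTANCE hInstance
        static_cast<void*>(this));      ///< LPVOID lpParam — presumably read back from CREATESTRUCT in the window procedure (not visible here)
#else
    m_hwnd = CreateWindowExW(
        dwExStyle,                      ///< DWORD dwExStyle
        szClassName,                    ///< LPCTSTR lpClassName
        szWindowTitle,                  ///< LPCTSTR lpWindowName
        dwStyles,                       ///< DWORD dwStyle
        rect->left,                     ///< int x
        rect->top,                      ///< int y
        rect->right - rect->left,       ///< int nWidth
        rect->bottom - rect->top,       ///< int nHeight
        NULL,                           ///< HWND hWndParent
        NULL,                           ///< HMENU hMenu
        hInstance,                      ///< HINSTANCE hInstance
        static_cast<void*>(this));      ///< LPVOID lpParam — presumably read back from CREATESTRUCT in the window procedure (not visible here)
#endif

    /**
     * CComQIPtr<IWebBrowser2> m_pIE;
     * m_pIE.CoCreateInstance(CLSID_InternetExplorer); ///< once this line runs the IE window appears.
     * m_pIE.CoCreateInstance ends up calling CreateWindowExW; hooking
     * CreateWindowExW and changing dwStyles / dwExStyle is how the
     * "hidden IE window" is produced.
     */
    return (m_hwnd != NULL);
}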
某人直接下断点试出来的.
用IDA分析Ole32.dll中的CoCreateInstance并不能直接看到CreateWindowEx的调用.
// ---------------------------------------------------------------------------
// Hex-Rays (IDA) decompiler output for the CoCreateInstance path inside
// Ole32.dll, pasted to show that CoCreateInstance itself never calls
// CreateWindowEx: it forwards to CoCreateInstanceEx, which forwards to
// CComActivator::DoCreateInstance, which tail-jumps into ICoCreateInstanceEx.
// Any window creation presumably happens further down, inside the activated
// server's class factory, which is not part of this listing. This is why a
// breakpoint on CoCreateInstance does not reveal the CreateWindowEx call.
// ---------------------------------------------------------------------------

/// Thin wrapper around CoCreateInstanceEx with a single MULTI_QI entry.
/// Only ppv is validated; rclsid and riid are passed through untouched.
/// @return the CoCreateInstanceEx result, or -2147024809 (0x80070057,
///         E_INVALIDARG) when ppv is NULL.
HRESULT __stdcall CoCreateInstance(_GUID *rclsid, IUnknown *pUnkOuter, unsigned int dwContext, _GUID *riid, void **ppv)
{
  HRESULT result; // eax@2
  tagMULTI_QI OneQI; // [sp+4h] [bp-Ch]@2

  if ( ppv )
  {
    OneQI.pItf = 0; // no interface yet; filled in by the activator on success
    OneQI.pIID = riid;
    result = CoCreateInstanceEx(rclsid, pUnkOuter, dwContext, 0, 1u, &OneQI);
    // Stored unconditionally: on failure *ppv receives whatever pItf holds
    // (0 unless CoCreateInstanceEx touched it — its contract is not visible here).
    *ppv = OneQI.pItf;
  }
  else
  {
    result = -2147024809; // 0x80070057 = E_INVALIDARG
  }
  return result;
}

/// Forwards to the activator with no ActivationPropertiesIn (pActIn = 0).
/// CoVrfDllMainCheck is skipped only for GUID_NULL; the name suggests an
/// Application Verifier hook, but its body is not in this listing.
HRESULT __stdcall CoCreateInstanceEx(_GUID *Clsid, IUnknown *punkOuter, unsigned int dwClsCtx, _COSERVERINFO *pServerInfo, unsigned int dwCount, tagMULTI_QI *pResults)
{
  if ( memcmp(Clsid, &GUID_NULL, 16) )
    CoVrfDllMainCheck();
  return CComActivator::DoCreateInstance(Clsid, punkOuter, dwClsCtx, pServerInfo, dwCount, pResults, 0);
}

/// Records the CLSID being activated in the thread's OLE TLS block, emits an
/// optional WPP trace, then tail-jumps into ICoCreateInstanceEx (JUMPOUT):
/// control never returns to this function on that path. If the thread has no
/// OLE TLS block yet, one is allocated first and the same path is retried.
/// Note: the decompiler's "hr" is actually the saved pServerInfo pointer, and
/// ConfClsid (the previous outgoing CLSID) is never read again in this listing
/// — presumably restored elsewhere or dead after optimization.
HRESULT __stdcall CComActivator::DoCreateInstance(_GUID *Clsid, IUnknown *punkOuter, unsigned int dwClsCtx, _COSERVERINFO *pServerInfo, unsigned int dwCount, tagMULTI_QI *pResults, ActivationPropertiesIn *pActIn)
{
  HRESULT result; // eax@5
  tagSOleTlsData *v8; // eax@1
  int v9; // eax@2
  const wchar_t *v10; // ecx@10
  COleTls tls; // [sp+ACh] [bp-1Ch]@1
  _COSERVERINFO *hr; // [sp+B0h] [bp-18h]@1
  _GUID ConfClsid; // [sp+B4h] [bp-14h]@2
  unsigned int v14; // [sp+C4h] [bp-4h]@1
  int v15; // [sp+C8h] [bp+0h]@1

  // /GS stack cookie; the matching check at function exit does not appear in
  // the decompiled output (the JUMPOUT path bypasses the normal epilogue).
  v14 = (unsigned int)&v15 ^ __security_cookie;
  hr = pServerInfo;
  CComActivator::GetActvFlags(dwClsCtx); // return value discarded here
  // fs:[0x18] is the TEB self pointer on 32-bit Windows; offset 3968 (0xF80)
  // is presumably the TEB's OLE TLS slot — confirm against the TEB layout.
  v8 = *(tagSOleTlsData **)(__readfsdword(24) + 3968);
  tls._pData = v8;
  if ( v8 )
  {
LABEL_2:
    // Save the CLSID currently in outgoingActivationData (16 bytes, copied as
    // four DWORDs), then overwrite it with the CLSID being activated.
    v9 = (int)&v8->outgoingActivationData;
    ConfClsid.Data1 = *(_DWORD *)v9;
    *(_DWORD *)&ConfClsid.Data2 = *(_DWORD *)(v9 + 4);
    *(_DWORD *)&ConfClsid.Data4[0] = *(_DWORD *)(v9 + 8);
    *(_DWORD *)&ConfClsid.Data4[4] = *(_DWORD *)(v9 + 12);
    *(_DWORD *)v9 = Clsid->Data1;
    *(_DWORD *)(v9 + 4) = *(_DWORD *)&Clsid->Data2;
    *(_DWORD *)(v9 + 8) = *(_DWORD *)&Clsid->Data4[0];
    *(_DWORD *)(v9 + 12) = *(_DWORD *)&Clsid->Data4[4];
    // WPP software tracing: only when tracing is on, a control block exists,
    // and flag bit 8 of the control block's byte at +28 is set.
    if ( gfEnableTracing && WPP_GLOBAL_Control != &WPP_GLOBAL_Control && *((_BYTE *)WPP_GLOBAL_Control + 28) & 8 )
    {
      if ( hr )
        v10 = hr->pwszName; // remote server name from COSERVERINFO
      else
        v10 = &szPathName;  // fallback string for local activation
      WPP_SF__guid_dS(*((_QWORD *)WPP_GLOBAL_Control + 2), 0xCu, &WPP_immact_hxx_Traceguids, Clsid, dwClsCtx, v10);
    }
    // Tail jump: ICoCreateInstanceEx does the actual activation and returns
    // directly to our caller.
    JUMPOUT(ICoCreateInstanceEx);
  }
  // First use on this thread: allocate the OLE TLS block and retry.
  result = COleTls::TLSAllocData(&tls);
  if ( result >= 0 )
  {
    v8 = tls._pData;
    goto LABEL_2;
  }
  return result; // TLS allocation failed; propagate the HRESULT
}
在网上找了一段CoCreateInstance的蓝屏dump调用栈,也看不到 CreateWindowEx的调用.
0:000> kb
ChildEBP RetAddr  Args to Child
0006be18 76671b2a 76671b74 00000020 00000003 kernel32!CreateFileW
0006be94 766724e2 000a6b40 0006bf4c 00000000 cscui!IsCSCEnabled+0x38
0006bea8 77a68b49 000a7084 77a51a60 0006bf44 cscui!DllGetClassObject+0x72
0006bec4 77a80f5e 000a7084 77a51a60 0006bf44 ole32!CClassCache::CDllPathEntry::DllGetClassObject+0x2d
0006bedc 77a80e9a 0006bef0 77a51a60 0006bf44 ole32!CClassCache::CDllFnPtrMoniker::BindToObjectNoSwitch+0x1f
0006bf08 77a81cc6 0006bf4c 00000000 0006c540 ole32!CClassCache::GetClassObject+0x38
0006bf84 77a806aa 77b76ca4 00000000 0006c540 ole32!CServerContextActivator::CreateInstance+0x106
0006bfc4 77a81e19 0006c540 00000000 0006ca8c ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf7
0006c018 77a81d90 77b76ca8 00000000 0006c540 ole32!CApartmentActivator::CreateInstance+0x110
0006c038 77a8101e 77b76ca8 00000001 00000000 ole32!CProcessActivator::CCICallback+0x6d
0006c058 77a80fd5 77b76ca0 0006c39c 00000000 ole32!CProcessActivator::AttemptActivation+0x2c
0006c090 77a81e7a 77b76ca0 0006c39c 00000000 ole32!CProcessActivator::ActivateByContext+0x42
0006c0b8 77a806aa 77b76ca0 00000000 0006c540 ole32!CProcessActivator::CreateInstance+0x49
0006c0f8 77a81bc4 0006c540 00000000 0006ca8c ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf7
0006c348 77a806aa 77b765d4 00000000 0006c540 ole32!CClientContextActivator::CreateInstance+0x8f
0006c388 77a805dc 0006c540 00000000 0006ca8c ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf7
0006cb38 77a64eb1 000a2f08 00000000 00000001 ole32!ICoCreateInstanceEx+0x3c9
0006cb60 77a64e80 000a2f08 00000000 00000001 ole32!CComActivator::DoCreateInstance+0x28
0006cb84 77a65102 000a2f08 00000000 00000001 ole32!CoCreateInstanceEx+0x1e
0006cbb4 779d69a5 000a2f08 00000000 00000001 ole32!CoCreateInstance+0x37