
Note: Creates a hidden IE window

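/// @brief Creates the top-level window owned by this object.
///
/// @note This implementation deliberately rewrites its own inputs so that the
///       same call site can be used to create a hidden window: the caller's
///       @p dwStyles is ignored and replaced, and @p rect is overwritten with a
///       fixed 100x100 rectangle at (100, 100). The caller observes the modified
///       @p rect after the call.
///
/// @param dwStyles  Requested window styles. Ignored; replaced by the styles
///                  selected under CREATE_WINDOW_TO_HIDE below.
/// @param rect      In/out. Must be non-NULL; on return holds the rectangle that
///                  was actually used.
/// @return TRUE when CreateWindow(Ex)W returned a non-NULL HWND; FALSE when the
///         window could not be created or @p rect is NULL.
BOOL CBaseWindow::Create(DWORD dwStyles, RECT* rect)
{
    // Refuse to write through a null rectangle instead of faulting.
    if (rect == NULL)
    {
        return FALSE;
    }

    DWORD dwExStyle = 0;

    // Fixed placement: 100x100 pixels at (100, 100). Overwrites the caller's rect.
    rect->top    = 100;
    rect->left   = 100;
    rect->right  = 200;
    rect->bottom = 200;

/// @note The input parameters are rewritten here to create a hidden window.

// #define CREATE_BY_CREATEWINDOW   ///< Use CreateWindowW instead of CreateWindowExW
#define CREATE_WINDOW_TO_HIDE       ///< Create the window hidden

#ifdef CREATE_WINDOW_TO_HIDE
    // Hidden window: WS_VISIBLE is cleared (WS_OVERLAPPEDWINDOW does not contain
    // WS_VISIBLE, so the mask only makes the intent explicit).
    dwStyles  = WS_OVERLAPPEDWINDOW & ~WS_VISIBLE;
    dwExStyle = WS_EX_NOACTIVATE        ///< never becomes the foreground window
              | WS_EX_TRANSPARENT;      ///< transparent
#else
    dwStyles = WS_OVERLAPPEDWINDOW | WS_VISIBLE; ///< visible window
#endif

#ifdef CREATE_BY_CREATEWINDOW
    m_hwnd = CreateWindowW(
        szClassName,                ///< LPCTSTR     lpClassName,
        szWindowTitle,              ///< LPCTSTR     lpWindowName,
        dwStyles,                   ///< DWORD       dwStyle,
        rect->left,                 ///< int         x,
        rect->top,                  ///< int         y,
        rect->right - rect->left,   ///< int         nWidth,
        rect->bottom - rect->top,   ///< int         nHeight,
        NULL,                       ///< HWND        hWndParent,
        NULL,                       ///< HMENU       hMenu,
        hInstance,                  ///< HINSTANCE   hInstance,
        static_cast<void*>(this));  ///< LPVOID      lpParam (recovered in the window procedure)
#else
    m_hwnd = CreateWindowExW(
        dwExStyle,                  ///< DWORD       dwExStyle,
        szClassName,                ///< LPCTSTR     lpClassName,
        szWindowTitle,              ///< LPCTSTR     lpWindowName,
        dwStyles,                   ///< DWORD       dwStyle,
        rect->left,                 ///< int         x,
        rect->top,                  ///< int         y,
        rect->right - rect->left,   ///< int         nWidth,
        rect->bottom - rect->top,   ///< int         nHeight,
        NULL,                       ///< HWND        hWndParent,
        NULL,                       ///< HMENU       hMenu,
        hInstance,                  ///< HINSTANCE   hInstance,
        static_cast<void*>(this));  ///< LPVOID      lpParam (recovered in the window procedure)
#endif

    /**
    CComQIPtr<IWebBrowser2> m_pIE;
    m_pIE.CoCreateInstance(CLSID_InternetExplorer); ///< once this call returns, the IE window is already on screen.

    m_pIE.CoCreateInstance ends up calling CreateWindowExW. Hooking CreateWindowExW
    and changing dwStyles / dwExStyle there is what produces the "hidden IE window".
    Note that a hook on CreateWindowExW sees every window the process creates, not
    only IE's, so the hook has to filter which calls it alters.
    */

    return (m_hwnd != NULL);
}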


某人直接下断点试出来的.

用IDA分析Ole32.dll中的CoCreateInstance并不能直接看到CreateWindowEx的调用.

// IDA pseudocode from ole32.dll. CoCreateInstance is a thin wrapper: it packs the
// single requested interface into one MULTI_QI and forwards to CoCreateInstanceEx.
// No window creation is visible at this level.
HRESULT __stdcall CoCreateInstance(_GUID *rclsid, IUnknown *pUnkOuter, unsigned int dwContext, _GUID *riid, void **ppv)
{
  HRESULT result; // eax@2
  tagMULTI_QI OneQI; // [sp+4h] [bp-Ch]@2

  if ( ppv )
  {
    // One-element MULTI_QI: request riid, receive the interface pointer in pItf.
    OneQI.pItf = 0;
    OneQI.pIID = riid;
    // pServerInfo = 0 (in-proc / default server), dwCount = 1.
    result = CoCreateInstanceEx(rclsid, pUnkOuter, dwContext, 0, 1u, &OneQI);
    // Written unconditionally; pItf was zeroed above, so on failure the caller
    // gets NULL unless CoCreateInstanceEx itself wrote something (not visible here).
    *ppv = OneQI.pItf;
  }
  else
  {
    result = -2147024809; // 0x80070057 = E_INVALIDARG: ppv must not be NULL
  }
  return result;
}

// IDA pseudocode from ole32.dll. CoCreateInstanceEx delegates directly to
// CComActivator::DoCreateInstance with a null ActivationPropertiesIn.
HRESULT __stdcall CoCreateInstanceEx(_GUID *Clsid, IUnknown *punkOuter, unsigned int dwClsCtx, _COSERVERINFO *pServerInfo, unsigned int dwCount, tagMULTI_QI *pResults)
{
  // Runs for every CLSID except GUID_NULL (memcmp != 0 means "differs from GUID_NULL").
  // By its name this is presumably an Application Verifier (CoVrf) check -- confirm.
  if ( memcmp(Clsid, &GUID_NULL, 16) )
    CoVrfDllMainCheck();
  // Last argument: pActIn = 0.
  return CComActivator::DoCreateInstance(Clsid, punkOuter, dwClsCtx, pServerInfo, dwCount, pResults, 0);
}

// IDA pseudocode from ole32.dll. Records the requested CLSID in the thread's OLE
// TLS block, optionally emits a WPP trace, then jumps out of the function into
// ICoCreateInstanceEx (JUMPOUT), where the activation chain shown in the stack
// trace below continues. Because of the JUMPOUT the decompiler could not recover
// the normal-path return value; only the TLS-allocation failure path returns here.
HRESULT __stdcall CComActivator::DoCreateInstance(_GUID *Clsid, IUnknown *punkOuter, unsigned int dwClsCtx, _COSERVERINFO *pServerInfo, unsigned int dwCount, tagMULTI_QI *pResults, ActivationPropertiesIn *pActIn)
{
  HRESULT result; // eax@5
  tagSOleTlsData *v8; // eax@1
  int v9; // eax@2
  const wchar_t *v10; // ecx@10
  COleTls tls; // [sp+ACh] [bp-1Ch]@1
  _COSERVERINFO *hr; // [sp+B0h] [bp-18h]@1 -- misnamed by the decompiler: holds pServerInfo, not an HRESULT
  _GUID ConfClsid; // [sp+B4h] [bp-14h]@2
  unsigned int v14; // [sp+C4h] [bp-4h]@1
  int v15; // [sp+C8h] [bp+0h]@1

  // /GS stack-cookie setup: canary = frame address XOR __security_cookie.
  v14 = (unsigned int)&v15 ^ __security_cookie;
  hr = pServerInfo;
  CComActivator::GetActvFlags(dwClsCtx); // return value is discarded here
  // fs:[0x18] is the TEB self-pointer on x86; +3968 (0xF80) is presumably
  // TEB.ReservedForOle, the per-thread SOleTlsData block -- TODO confirm against
  // the TEB layout of the analysed build.
  v8 = *(tagSOleTlsData **)(__readfsdword(24) + 3968);
  tls._pData = v8;
  if ( v8 )
  {
LABEL_2:
    // Save the current outgoingActivationData GUID into ConfClsid (four 32-bit
    // copies), then store the requested Clsid in its place. ConfClsid is not read
    // again before the JUMPOUT; presumably consumed after the jump.
    v9 = (int)&v8->outgoingActivationData;
    ConfClsid.Data1 = *(_DWORD *)v9;
    *(_DWORD *)&ConfClsid.Data2 = *(_DWORD *)(v9 + 4);
    *(_DWORD *)&ConfClsid.Data4[0] = *(_DWORD *)(v9 + 8);
    *(_DWORD *)&ConfClsid.Data4[4] = *(_DWORD *)(v9 + 12);
    *(_DWORD *)v9 = Clsid->Data1;
    *(_DWORD *)(v9 + 4) = *(_DWORD *)&Clsid->Data2;
    *(_DWORD *)(v9 + 8) = *(_DWORD *)&Clsid->Data4[0];
    *(_DWORD *)(v9 + 12) = *(_DWORD *)&Clsid->Data4[4];
    // WPP software tracing: only when tracing is globally enabled, a control block
    // exists, and bit 0x8 of its flags byte (offset 28) is set.
    if ( gfEnableTracing && WPP_GLOBAL_Control != &WPP_GLOBAL_Control && *((_BYTE *)WPP_GLOBAL_Control + 28) & 8 )
    {
      // Trace the remote server name when a COSERVERINFO was supplied, else a default string.
      if ( hr )
        v10 = hr->pwszName;
      else
        v10 = &szPathName;
      WPP_SF__guid_dS(*((_QWORD *)WPP_GLOBAL_Control + 2), 0xCu, &WPP_immact_hxx_Traceguids, Clsid, dwClsCtx, v10);
    }
    // IDA's JUMPOUT: control leaves this function for ICoCreateInstanceEx and does
    // not come back through the code below.
    JUMPOUT(ICoCreateInstanceEx);
  }
  // No OLE TLS block for this thread yet: allocate one and retry from LABEL_2;
  // on failure propagate the HRESULT from TLSAllocData.
  result = COleTls::TLSAllocData(&tls);
  if ( result >= 0 )
  {
    v8 = tls._pData;
    goto LABEL_2;
  }
  return result;
}


在网上找了一段CoCreateInstance的蓝屏dump调用栈,也看不到 CreateWindowEx的调用.

0:000> kb

ChildEBP RetAddr  Args to Child              

0006be18 76671b2a 76671b74 00000020 00000003 kernel32!CreateFileW

0006be94 766724e2 000a6b40 0006bf4c 00000000 cscui!IsCSCEnabled+0x38

0006bea8 77a68b49 000a7084 77a51a60 0006bf44 cscui!DllGetClassObject+0x72

0006bec4 77a80f5e 000a7084 77a51a60 0006bf44 ole32!CClassCache::CDllPathEntry::DllGetClassObject+0x2d

0006bedc 77a80e9a 0006bef0 77a51a60 0006bf44 ole32!CClassCache::CDllFnPtrMoniker::BindToObjectNoSwitch+0x1f

0006bf08 77a81cc6 0006bf4c 00000000 0006c540 ole32!CClassCache::GetClassObject+0x38

0006bf84 77a806aa 77b76ca4 00000000 0006c540 ole32!CServerContextActivator::CreateInstance+0x106

0006bfc4 77a81e19 0006c540 00000000 0006ca8c ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf7

0006c018 77a81d90 77b76ca8 00000000 0006c540 ole32!CApartmentActivator::CreateInstance+0x110

0006c038 77a8101e 77b76ca8 00000001 00000000 ole32!CProcessActivator::CCICallback+0x6d

0006c058 77a80fd5 77b76ca0 0006c39c 00000000 ole32!CProcessActivator::AttemptActivation+0x2c

0006c090 77a81e7a 77b76ca0 0006c39c 00000000 ole32!CProcessActivator::ActivateByContext+0x42

0006c0b8 77a806aa 77b76ca0 00000000 0006c540 ole32!CProcessActivator::CreateInstance+0x49

0006c0f8 77a81bc4 0006c540 00000000 0006ca8c ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf7

0006c348 77a806aa 77b765d4 00000000 0006c540 ole32!CClientContextActivator::CreateInstance+0x8f

0006c388 77a805dc 0006c540 00000000 0006ca8c ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf7

0006cb38 77a64eb1 000a2f08 00000000 00000001 ole32!ICoCreateInstanceEx+0x3c9

0006cb60 77a64e80 000a2f08 00000000 00000001 ole32!CComActivator::DoCreateInstance+0x28

0006cb84 77a65102 000a2f08 00000000 00000001 ole32!CoCreateInstanceEx+0x1e

0006cbb4 779d69a5 000a2f08 00000000 00000001 ole32!CoCreateInstance+0x37