win32k!xxxInternalToUnicode函数分析之GetModifierBits是否有修饰键和virtual key的寻找是否为字符键==非常重要
第一部分:按下字符键4
TranslateMessage(lpMsg);
DispatchMessage(lpMsg);
return TRUE;
}
1: kd> p
eax=00000089 ebx=00000002 ecx=00000009 edx=000800ec esi=0006f8f8 edi=00000087
eip=77cdb476 esp=0006f8c4 ebp=0006f8dc iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
USER32!IsDialogMessageW+0x38f:
001b:77cdb476 56 push esi
1: kd> p
win32k!xxxTranslateMessage+0x11:
bf8e35ff 8b7508 mov esi,dword ptr [ebp+8]
1: kd> dv
pmsg = 0xf75c6d10 {msg=0x100 wp=0x34 lp=0x50001}
uiTMFlags = 0
fSysKey = 0n0
awch = unsigned short [16]
pwnd = 0x00000000
wMsgType = 0
dwKeyFlags = 0xf75c6d10
1: kd> t
win32k!xxxInternalToUnicode:
bf8ea157 55 push ebp
1: kd> kc
#
00 win32k!xxxInternalToUnicode
01 win32k!xxxTranslateMessage
02 win32k!NtUserTranslateMessage
03 nt!_KiSystemService
04 SharedUserData!SystemCallStub
05 USER32!NtUserTranslateMessage
06 USER32!TranslateMessage
07 USER32!IsDialogMessageW
08 USER32!DialogBox2
09 USER32!InternalDialogBox
0a USER32!DialogBoxIndirectParamAorW
0b USER32!DialogBoxParamW
0c USER32!DialogBoxParamW_wrapper
0d winlogon!Fusion_DialogBoxParam
0e winlogon!TimeoutDialogBoxParam
0f winlogon!WlxDialogBoxParam
10 MSGINA!WlxWkstaLockedSAS
11 winlogon!DoLockWksta
12 winlogon!DoScreenSaver
13 winlogon!LoggedonDlgProc
14 winlogon!RootDlgProc
15 USER32!InternalCallWinProc
16 USER32!UserCallDlgProcCheckWow
17 USER32!DefDlgProcWorker
18 USER32!DefDlgProcW
19 USER32!InternalCallWinProc
1a USER32!UserCallWinProcCheckWow
1b USER32!DispatchMessageWorker
1c USER32!DispatchMessageW
1d USER32!IsDialogMessageW
1e USER32!DialogBox2
1f USER32!InternalDialogBox
20 USER32!DialogBoxIndirectParamAorW
21 USER32!DialogBoxParamW
22 USER32!DialogBoxParamW_wrapper
23 winlogon!Fusion_DialogBoxParam
24 winlogon!TimeoutDialogBoxParam
25 winlogon!WlxDialogBoxParam
26 winlogon!BlockWaitForUserAction
27 winlogon!MainLoop
28 winlogon!WinMain
29 winlogon!WinMainCRTStartup
1: kd> dv
uVirtKey = 0x34
uScanCode = 5
pfvk = 0xe163059c “???”
awchChars = 0xf75c6cd0
cChar = 0n16
uiTMFlags = 0
pdwKeyFlags = 0xf75c6cfc
hkl = 0x00000000
第二部分:ctrl键和ALT键和shift键都没有按下
1: kd> dx -id 0,0,8960a020 -r1 (*((win32k!unsigned char (*)[64])0xe163059c))
(*((win32k!unsigned char (*)[64])0xe163059c)) [Type: unsigned char [64]]
[0] : 0x8 [Type: unsigned char]
[1] : 0x0 [Type: unsigned char]
[2] : 0x8 [Type: unsigned char]
[3] : 0x0 [Type: unsigned char]
[4] : 0x0 [Type: unsigned char]
[5] : 0x0 [Type: unsigned char]
[6] : 0x0 [Type: unsigned char]
[7] : 0x0 [Type: unsigned char]
[8] : 0x0 [Type: unsigned char]
[9] : 0x0 [Type: unsigned char]
[10] : 0x0 [Type: unsigned char]
[11] : 0x20 [Type: unsigned char]
[12] : 0x0 [Type: unsigned char]
[13] : 0x3 [Type: unsigned char]
dv
hkl = 0x00000000
if ((hkl == NULL) && ptiCurrent->spklActive) {
pkl = ptiCurrent->spklActive;
pKbdTbl = pkl->spkf->pKbdTbl;
}
1: kd> dt win32k!THREADINFO e1404c50
+0x000 pEThread : 0x897f2020 _ETHREAD
+0x004 RefCount : 1
+0x008 ptlW32 : (null)
+0x00c pgdiDcattr : 0x005e0570 Void
+0x010 pgdiBrushAttr : (null)
+0x014 pUMPDObjs : (null)
+0x018 pUMPDHeap : (null)
+0x01c pUMPDObj : (null)
+0x020 GdiTmpAllocList : _LIST_ENTRY [ 0xe1404c70 – 0xe1404c70 ]
+0x028 ptl : (null)
+0x02c ppi : 0xe1619070 tagPROCESSINFO
+0x030 pq : 0xe1630530 tagQ
+0x034 spklActive : 0xe13e6bb8 tagKL
1: kd> dx -id 0,0,89413020 -r1 ((win32k!tagKL *)0xe13e6bb8)
((win32k!tagKL *)0xe13e6bb8) : 0xe13e6bb8 [Type: tagKL *]
[+0x000] head [Type: _HEAD]
[+0x008] pklNext : 0xe13e6bb8 [Type: tagKL *]
[+0x00c] pklPrev : 0xe13e6bb8 [Type: tagKL *]
[+0x010] dwKL_Flags : 0x0 [Type: unsigned long]
[+0x014] hkl : 0x4090409 [Type: HKL__ *]
[+0x018] spkf : 0xe166c5d8 [Type: tagKBDFILE *]
[+0x01c] spkfPrimary : 0xe166c5d8 [Type: tagKBDFILE *]
[+0x020] dwFontSigs : 0x3f01ff [Type: unsigned long]
[+0x024] iBaseCharset : 0x0 [Type: unsigned int]
[+0x028] CodePage : 0x4e4 [Type: unsigned short]
[+0x02a] wchDiacritic : 0x0 [Type: unsigned short]
[+0x02c] piiex : 0x0 [Type: tagIMEINFOEX *]
[+0x030] uNumTbl : 0x0 [Type: unsigned int]
[+0x034] pspkfExtra : 0x0 [Type: tagKBDFILE * *]
[+0x038] dwLastKbdType : 0x0 [Type: unsigned long]
[+0x03c] dwLastKbdSubType : 0x0 [Type: unsigned long]
[+0x040] dwKLID : 0x409 [Type: unsigned long]
1: kd> dx -id 0,0,89413020 -r1 ((win32k!tagKBDFILE *)0xe166c5d8)
((win32k!tagKBDFILE *)0xe166c5d8) : 0xe166c5d8 [Type: tagKBDFILE *]
[+0x000] head [Type: _HEAD]
[+0x008] pkfNext : 0x0 [Type: tagKBDFILE *]
[+0x00c] hBase : 0xe16ef018 [Type: void *]
[+0x010] pKbdTbl : 0xe16ef9b0 [Type: tagKbdLayer *]
[+0x014] Size : 0xaa7 [Type: unsigned long]
[+0x018] pKbdNlsTbl : 0x0 [Type: tagKbdNlsLayer *]
[+0x01c] awchDllName [Type: unsigned short [32]]
1: kd> dx -id 0,0,89413020 -r1 ((win32k!tagKbdLayer *)0xe16ef9b0)
((win32k!tagKbdLayer *)0xe16ef9b0) : 0xe16ef9b0 [Type: tagKbdLayer *]
[+0x000] pCharModifiers : 0xe16ef1c4 [Type: MODIFIERS *]
[+0x004] pVkToWcharTable : 0xe16ef394 [Type: _VK_TO_WCHAR_TABLE *]
[+0x008] pDeadKey : 0x0 [Type: DEADKEY *]
[+0x00c] pKeyNames : 0xe16ef5e8 [Type: VSC_LPWSTR *]
[+0x010] pKeyNamesExt : 0xe16ef8f8 [Type: VSC_LPWSTR *]
[+0x014] pKeyNamesDead : 0x0 [Type: unsigned short * *]
[+0x018] pusVSCtoVK : 0xe16ef018 : 0xff [Type: unsigned short *]
[+0x01c] bMaxVSCtoVK : 0x7f [Type: unsigned char]
[+0x020] pVSCtoVK_E0 : 0xe16ef118 [Type: _VSC_VK *]
[+0x024] pVSCtoVK_E1 : 0xe16ef1b4 [Type: _VSC_VK *]
[+0x028] fLocaleFlags : 0x10000 [Type: unsigned long]
[+0x02c] nLgMax : 0x0 [Type: unsigned char]
[+0x02d] cbLgEntry : 0x0 [Type: unsigned char]
[+0x030] pLigature : 0x0 [Type: _LIGATURE1 *]
[+0x034] dwType : 0x0 [Type: unsigned long]
[+0x038] dwSubType : 0x0 [Type: unsigned long]
1: kd> dx -id 0,0,89413020 -r1 ((win32k!_VK_TO_WCHAR_TABLE *)0xe16ef394)
((win32k!_VK_TO_WCHAR_TABLE *)0xe16ef394) : 0xe16ef394 [Type: _VK_TO_WCHAR_TABLE *]
[+0x000] pVkToWchars : 0xe16ef2f0 [Type: _VK_TO_WCHARS1 *]
[+0x004] nModifications : 0x3 [Type: unsigned char]
[+0x005] cbSize : 0x8 [Type: unsigned char]
1: kd> dx -id 0,0,89413020 -r1 ((win32k!_VK_TO_WCHARS1 *)0xe16ef2f0)
((win32k!_VK_TO_WCHARS1 *)0xe16ef2f0) : 0xe16ef2f0 [Type: _VK_TO_WCHARS1 *]
[+0x000] VirtualKey : 0xdb [Type: unsigned char]
[+0x001] Attributes : 0x0 [Type: unsigned char]
[+0x002] wch [Type: unsigned short [1]]
1: kd> dt _VK_TO_WCHARS1 -v
USER32!_VK_TO_WCHARS1
struct _VK_TO_WCHARS1, 3 elements, 0x4 bytes
+0x000 VirtualKey : UChar
+0x001 Attributes : UChar
+0x002 wch : [1] Uint2B
1: kd> db 0xe16ef2f0
e16ef2f0 db 00 5b 00 7b 00 1b 00-dd 00 5d 00 7d 00 1d 00 ..[.{…..].}…
e16ef300 dc 00 5c 00 7c 00 1c 00-e2 00 5c 00 7c 00 1c 00 …|……|…
e16ef310 08 00 08 00 08 00 7f 00-1b 00 1b 00 1b 00 1b 00 …………….
e16ef320 0d 00 0d 00 0d 00 0a 00-20 00 20 00 20 00 20 00 …….. . . . .
e16ef330 03 00 03 00 03 00 03 00-00 00 00 00 00 00 00 00 …………….
e16ef340 32 00 32 00 40 00 00 f0-00 00 36 00 36 00 5e 00 2.2.@…..6.6.^.
e16ef350 00 f0 1e 00 bd 00 2d 00-5f 00 00 f0 1f 00 00 00 ……-._…….
e16ef360 00 00 00 00 00 00 00 00-60 00 30 00 61 00 31 00 ……..`.0.a.1.
Shift键: VK_SHIFT ($10)
wModBits = GetModifierBits(pKbdTbl->pCharModifiers, pfvk);
确定所有修饰键(修饰键是指任何可以修改其他键所产生值的键:通常包括SHIFT、CTRL和/或ALT)的状态。
构建一个位掩码(wModBits)来编码哪些修饰键被按下。
/*
* Determine the state of all the Modifier Keys (a Modifier Key
* is any key that may modify values produced by other keys: these are
* commonly SHIFT, CTRL and/or ALT)
* Build a bit-mask (wModBits) to encode which modifier keys are depressed.
*/
WORD GetModifierBits(
PMODIFIERS pModifiers,
LPBYTE afKeyState)
{
PVK_TO_BIT pVkToBit = pModifiers->pVkToBit;
WORD wModBits = 0;
CheckCritIn();
while (pVkToBit->Vk) {
if (TestKeyDownBit(afKeyState, pVkToBit->Vk)) {
wModBits |= pVkToBit->ModBits;
}
pVkToBit++;
}
return wModBits;
}
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!MODIFIERS *)0xe16ef1c4)
((win32k!MODIFIERS *)0xe16ef1c4) : 0xe16ef1c4 [Type: MODIFIERS *]
[+0x000] pVkToBit : 0xe16ef1bc [Type: VK_TO_BIT *]
[+0x004] wMaxModBits : 0x3 [Type: unsigned short]
[+0x006] ModNumber [Type: unsigned char [0]]
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!VK_TO_BIT *)0xe16ef1bc)
((win32k!VK_TO_BIT *)0xe16ef1bc) : 0xe16ef1bc [Type: VK_TO_BIT *]
[+0x000] Vk : 0x10 [Type: unsigned char]
[+0x001] ModBits : 0x1 [Type: unsigned char]
1: kd> dt win32k!VK_TO_BIT 0xe16ef1bc+2
+0x000 Vk : 0x11 ''
+0x001 ModBits : 0x2 ''
1: kd> dt win32k!VK_TO_BIT 0xe16ef1bc+2*2
+0x000 Vk : 0x12 ''
+0x001 ModBits : 0x4 ''
1: kd> dt win32k!VK_TO_BIT 0xe16ef1bc+2*3
+0x000 Vk : 0 ''
+0x001 ModBits : 0 ''
VK_SHIFT 10 16 Shift键
VK_CONTROL 11 17 Ctrl键
VK_MENU 12 18 Alt键
00 00 00 00
00 00 00 00
ALT CTRL SHIFT
1: kd> dx -id 0,0,89413020 -r1 ((win32k!tagQ *)0xe1630530)
((win32k!tagQ *)0xe1630530) : 0xe1630530 [Type: tagQ *]
[+0x000] mlInput [Type: tagMLIST]
[+0x00c] ptiSysLock : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x010] idSysLock : 0x1 [Type: unsigned long]
[+0x014] idSysPeek : 0x0 [Type: unsigned long]
[+0x018] ptiMouse : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x01c] ptiKeyboard : 0xe1404c50 [Type: tagTHREADINFO *]
[+0x020] spwndCapture : 0x0 [Type: tagWND *]
[+0x024] spwndFocus : 0xbc6449ac [Type: tagWND *]
[+0x028] spwndActive : 0xbc644124 [Type: tagWND *]
[+0x02c] spwndActivePrev : 0x0 [Type: tagWND *]
[+0x030] codeCapture : 0x1 [Type: unsigned int]
[+0x034] msgDblClk : 0x201 [Type: unsigned int]
[+0x038] xbtnDblClk : 0x0 [Type: unsigned short]
[+0x03c] timeDblClk : 0xffe598d9 [Type: unsigned long]
[+0x040] hwndDblClk : 0xc00d6 [Type: HWND__ *]
[+0x044] ptDblClk : {x=464 y=375} [Type: tagPOINT]
[+0x04c] afKeyRecentDown [Type: unsigned char [32]]
[+0x06c] afKeyState [Type: unsigned char [64]]
1: kd> dx -id 0,0,89413020 -r1 (*((win32k!unsigned char (*)[64])0xe163059c))
(*((win32k!unsigned char (*)[64])0xe163059c)) [Type: unsigned char [64]]
[0] : 0x8 [Type: unsigned char]
[1] : 0x0 [Type: unsigned char]
[2] : 0x8 [Type: unsigned char]
[3] : 0x0 [Type: unsigned char]
[4] : 0x0 [Type: unsigned char]
1: kd> dv
pModifiers = 0xe16ef1c4
afKeyState = 0xe163059c “???”
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!MODIFIERS *)0xe16ef1c4)
((win32k!MODIFIERS *)0xe16ef1c4) : 0xe16ef1c4 [Type: MODIFIERS *]
[+0x000] pVkToBit : 0xe16ef1bc [Type: VK_TO_BIT *]
[+0x004] wMaxModBits : 0x3 [Type: unsigned short]
[+0x006] ModNumber [Type: unsigned char [0]]
1: kd> dx -id 0,0,8960a020 -r1 ((win32k!VK_TO_BIT *)0xe16ef1bc)
((win32k!VK_TO_BIT *)0xe16ef1bc) : 0xe16ef1bc [Type: VK_TO_BIT *]
[+0x000] Vk : 0x10 [Type: unsigned char]
[+0x001] ModBits : 0x1 [Type: unsigned char]
1: kd> dt win32k!VK_TO_BIT 0xe16ef1bc+2*1
+0x000 Vk : 0x11 ''
+0x001 ModBits : 0x2 ''
1: kd> dt win32k!VK_TO_BIT 0xe16ef1bc+2*2
+0x000 Vk : 0x12 ''
+0x001 ModBits : 0x4 ''
1: kd> dt win32k!VK_TO_BIT 0xe16ef1bc+2*3
+0x000 Vk : 0 ''
+0x001 ModBits : 0 ''
1: kd> gu
WARNING: Software breakpoints on session addresses can cause bugchecks.
Use hardware execution breakpoints (ba e) if possible.
win32k!xxxInternalToUnicode+0x208:
bf8ea35f 894524 mov dword ptr [ebp+24h],eax
1: kd> r
eax=00000000 ebx=00008000 ecx=e163059c edx=00000010 esi=bfa03694 edi=bfa03388
eip=bf8ea35f esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!xxxInternalToUnicode+0x208:
bf8ea35f 894524 mov dword ptr [ebp+24h],eax ss:0010:f75c6cbc=00000000
eax=00000000 说明三个键都没有被按下 CTRL ALT SHIFT
dv
wModBits = 0
#define MODIFIER_FOR_ALT_NUMPAD(wModBit)
((((wModBits) & ~KBDKANA) == KBDALT) || (((wModBits) & ~KBDKANA) == (KBDALT | KBDSHIFT)))
/*
* Keyboard Shift State defines. These correspond to the bit mask defined
* by the VkKeyScan() API.
*/
#define KBDBASE 0
#define KBDSHIFT 1
#define KBDCTRL 2
#define KBDALT 4
// three symbols KANA, ROYA, LOYA are for FE
#define KBDKANA 8
Scan through all the shift-state tables until a matching Virtual Key is found.
浏览所有换档状态表,直到找到匹配的虚拟键。
第三部分:Virtual Key的寻找,for循环,里面有有二重循环while循环。
/*
* Scan through all the shift-state tables until a matching Virtual
* Key is found.
*/
for (pVKT = pKbdTbl->pVkToWcharTable; pVKT->pVkToWchars != NULL; pVKT++) {
pVK = pVKT->pVkToWchars;
while (pVK->VirtualKey != 0) {
if (pVK->VirtualKey == (BYTE)uVirtKey) {
goto VK_Found;
}
pVK = (PVK_TO_WCHARS1)((PBYTE)pVK + pVKT->cbSize);
}
}
1: kd> dt win32k!_VK_TO_WCHAR_TABLE 0xe16ef394+8*2
+0x000 pVkToWchars : 0xe16ef1d0 _VK_TO_WCHARS1
+0x004 nModifications : 0x2 ''
+0x005 cbSize : 0x6 ''
1: kd> dt win32k!_VK_TO_WCHAR_TABLE 0xe16ef394+8*3
+0x000 pVkToWchars : 0xe16ef368 _VK_TO_WCHARS1
+0x004 nModifications : 0x1 ''
+0x005 cbSize : 0x4 ''
1: kd> dt win32k!_VK_TO_WCHAR_TABLE 0xe16ef394+8*4
+0x000 pVkToWchars : (null)
+0x004 nModifications : 0 ''
+0x005 cbSize : 0 ''
1: kd> dt win32k!_VK_TO_WCHAR_TABLE 0xe16ef394+8*3
+0x000 pVkToWchars : 0xe16ef368 _VK_TO_WCHARS1
+0x004 nModifications : 0x1 ''
+0x005 cbSize : 0x4 ''
1: kd> dx -id 0,0,89413020 -r1 ((win32k!_VK_TO_WCHARS1 *)0xe16ef368)
((win32k!_VK_TO_WCHARS1 *)0xe16ef368) : 0xe16ef368 [Type: _VK_TO_WCHARS1 *]
[+0x000] VirtualKey : 0x60 [Type: unsigned char]
[+0x001] Attributes : 0x0 [Type: unsigned char]
[+0x002] wch [Type: unsigned short [1]]
1: kd> db 0xe16ef368
e16ef368 60 00 30 00 61 00 31 00-62 00 32 00 63 00 33 00 `.0.a.1.b.2.c.3.
e16ef378 64 00 34 00 65 00 35 00-66 00 36 00 67 00 37 00 d.4.e.5.f.6.g.7.
e16ef388 68 00 38 00 69 00 39 00-00 00 00 00 f0 f2 6e e1 h.8.i.9…….n.
1: kd> dt win32k!_VK_TO_WCHAR_TABLE 0xe16ef394+8*2
+0x000 pVkToWchars : 0xe16ef1d0 _VK_TO_WCHARS1
+0x004 nModifications : 0x2 ''
+0x005 cbSize : 0x6 ''
1: kd> dx -id 0,0,89413020 -r1 ((win32k!_VK_TO_WCHARS1 *)0xe16ef1d0)
((win32k!_VK_TO_WCHARS1 *)0xe16ef1d0) : 0xe16ef1d0 [Type: _VK_TO_WCHARS1 *]
[+0x000] VirtualKey : 0xc0 [Type: unsigned char]
[+0x001] Attributes : 0x0 [Type: unsigned char]
[+0x002] wch [Type: unsigned short [1]]
1: kd> db 0xe16ef1d0
e16ef1d0 c0 00 60 00 7e 00 31 00-31 00 21 00 33 00 33 00 ..`.~.1.1.!.3.3.
e16ef1e0 23 00 34 00 34 00 24 00-35 00 35 00 25 00 37 00 #.4.4.$.5.5.%.7.
e16ef1f0 37 00 26 00 38 00 38 00-2a 00 39 00 39 00 28 00 7.&.8.8.*.9.9.(.
e16ef200 30 00 30 00 29 00 bb 00-3d 00 2b 00 51 01 71 00 0.0.)…=.+.Q.q.
e16ef210 51 00 57 01 77 00 57 00-45 01 65 00 45 00 52 01 Q.W.w.W.E.e.E.R.
e16ef220 72 00 52 00 54 01 74 00-54 00 59 01 79 00 59 00 r.R.T.t.T.Y.y.Y.
e16ef230 55 01 75 00 55 00 49 01-69 00 49 00 4f 01 6f 00 U.u.U.I.i.I.O.o.
e16ef240 4f 00 50 01 70 00 50 00-41 01 61 00 41 00 53 01 O.P.p.P.A.a.A.S.
1: kd> db 0xe16ef1d0+80
e16ef250 73 00 53 00 44 01 64 00-44 00 46 01 66 00 46 00 s.S.D.d.D.F.f.F.
e16ef260 47 01 67 00 47 00 48 01-68 00 48 00 4a 01 6a 00 G.g.G.H.h.H.J.j.
e16ef270 4a 00 4b 01 6b 00 4b 00-4c 01 6c 00 4c 00 ba 00 J.K.k.K.L.l.L…
e16ef280 3b 00 3a 00 de 00 27 00-22 00 5a 01 7a 00 5a 00 ;.:…'.”.Z.z.Z.
e16ef290 58 01 78 00 58 00 43 01-63 00 43 00 56 01 76 00 X.x.X.C.c.C.V.v.
e16ef2a0 56 00 42 01 62 00 42 00-4e 01 6e 00 4e 00 4d 01 V.B.b.B.N.n.N.M.
e16ef2b0 6d 00 4d 00 bc 00 2c 00-3c 00 be 00 2e 00 3e 00 m.M…,.<…..>.
e16ef2c0 bf 00 2f 00 3f 00 6e 00-2e 00 2e 00 09 00 09 00 ../.?.n………
1: kd> db 0xe16ef1d0+80*2
e16ef2d0 09 00 6b 00 2b 00 2b 00-6f 00 2f 00 2f 00 6a 00 ..k.+.+.o././.j.
e16ef2e0 2a 00 2a 00 6d 00 2d 00-2d 00 00 00 00 00 00 00 *.*.m.-.-…….
e16ef2f0 db 00 5b 00 7b 00 1b 00-dd 00 5d 00 7d 00 1d 00 ..[.{…..].}…
e16ef300 dc 00 5c 00 7c 00 1c 00-e2 00 5c 00 7c 00 1c 00 …|……|…
e16ef310 08 00 08 00 08 00 7f 00-1b 00 1b 00 1b 00 1b 00 …………….
e16ef320 0d 00 0d 00 0d 00 0a 00-20 00 20 00 20 00 20 00 …….. . . . .
e16ef330 03 00 03 00 03 00 03 00-00 00 00 00 00 00 00 00 …………….
e16ef340 32 00 32 00 40 00 00 f0-00 00 36 00 36 00 5e 00 2.2.@…..6.6.^.
1: kd> dt win32k!_VK_TO_WCHAR_TABLE 0xe16ef394+8*1
+0x000 pVkToWchars : 0xe16ef340 _VK_TO_WCHARS1
+0x004 nModifications : 0x4 ''
+0x005 cbSize : 0xa ''
1: kd> dx -id 0,0,89413020 -r1 ((win32k!_VK_TO_WCHARS1 *)0xe16ef340)
((win32k!_VK_TO_WCHARS1 *)0xe16ef340) : 0xe16ef340 [Type: _VK_TO_WCHARS1 *]
[+0x000] VirtualKey : 0x32 [Type: unsigned char]
[+0x001] Attributes : 0x0 [Type: unsigned char]
[+0x002] wch [Type: unsigned short [1]]
1: kd> dt win32k!_VK_TO_WCHARS1 0xe16ef340+a*0
+0x000 VirtualKey : 0x32 '2'
+0x001 Attributes : 0 ''
+0x002 wch : [1] 0x32
1: kd> dt win32k!_VK_TO_WCHARS1 0xe16ef340+a*1
+0x000 VirtualKey : 0x36 '6'
+0x001 Attributes : 0 ''
+0x002 wch : [1] 0x36
1: kd> db 0xe16ef340
e16ef340 32 00 32 00 40 00 00 f0-00 00 36 00 36 00 5e 00 2.2.@…..6.6.^.
e16ef350 00 f0 1e 00 bd 00 2d 00-5f 00 00 f0 1f 00 00 00 ……-._…….
e16ef360 00 00 00 00 00 00 00 00
1: kd> db 0xe16ef2f0
e16ef2f0 db 00 5b 00 7b 00 1b 00-dd 00 5d 00 7d 00 1d 00 ..[.{…..].}…
e16ef300 dc 00 5c 00 7c 00 1c 00-e2 00 5c 00 7c 00 1c 00 …|……|…
e16ef310 08 00 08 00 08 00 7f 00-1b 00 1b 00 1b 00 1b 00 …………….
e16ef320 0d 00 0d 00 0d 00 0a 00-20 00 20 00 20 00 20 00 …….. . . . .
e16ef330 03 00 03 00 03 00 03 00-00 00 00 00 00 00 00 00 …………….
e16ef340 32 00 32 00 40 00 00 f0-00 00 36 00 36 00 5e 00 2.2.@…..6.6.^.
e16ef350 00 f0 1e 00 bd 00 2d 00-5f 00 00 f0 1f 00 00 00 ……-._…….
e16ef360 00 00 00 00 00 00 00 00-60 00 30 00 61 00 31 00 ……..`.0.a.1.
1: kd> dt win32k!_VK_TO_WCHAR_TABLE 0xe16ef394+8*4
+0x000 pVkToWchars : (null)
+0x004 nModifications : 0 ''
+0x005 cbSize : 0 ''
1: kd> dt win32k!_VK_TO_WCHAR_TABLE 0xe16ef394+8*0
+0x000 pVkToWchars : 0xe16ef2f0 _VK_TO_WCHARS1
+0x004 nModifications : 0x3 ''
+0x005 cbSize : 0x8 ''
1: kd> dx -id 0,0,89413020 -r1 ((win32k!_VK_TO_WCHARS1 *)0xe16ef2f0)
((win32k!_VK_TO_WCHARS1 *)0xe16ef2f0) : 0xe16ef2f0 [Type: _VK_TO_WCHARS1 *]
[+0x000] VirtualKey : 0xdb [Type: unsigned char]
[+0x001] Attributes : 0x0 [Type: unsigned char]
[+0x002] wch [Type: unsigned short [1]]
1: kd> dt win32k!_VK_TO_WCHARS1 0xe16ef2f0+8*1
+0x000 VirtualKey : 0xdd ''
+0x001 Attributes : 0 ''
+0x002 wch : [1] 0x5d
1: kd> dt win32k!_VK_TO_WCHARS1 0xe16ef2f0+8*2
+0x000 VirtualKey : 0xdc ''
+0x001 Attributes : 0 ''
+0x002 wch : [1] 0x5c
1: kd> dt win32k!_VK_TO_WCHARS1 0xe16ef2f0+8*3
+0x000 VirtualKey : 0xe2 ''
+0x001 Attributes : 0 ''
+0x002 wch : [1] 0x5c
1: kd> dt win32k!_VK_TO_WCHARS1 0xe16ef2f0+8*4
+0x000 VirtualKey : 0x8 ''
+0x001 Attributes : 0 ''
+0x002 wch : [1] 8
1: kd> dt win32k!_VK_TO_WCHARS1 0xe16ef2f0+8*5
+0x000 VirtualKey : 0x1b ''
+0x001 Attributes : 0 ''
+0x002 wch : [1] 0x1b
1: kd> dt win32k!_VK_TO_WCHARS1 0xe16ef2f0+8*6
+0x000 VirtualKey : 0xd ''
+0x001 Attributes : 0 ''
+0x002 wch : [1] 0xd
1: kd> dt win32k!_VK_TO_WCHARS1 0xe16ef2f0+8*7
+0x000 VirtualKey : 0x20 ' '
+0x001 Attributes : 0 ''
+0x002 wch : [1] 0x20
1: kd> dt win32k!_VK_TO_WCHARS1 0xe16ef2f0+8*8
+0x000 VirtualKey : 0x3 ''
+0x001 Attributes : 0 ''
+0x002 wch : [1] 3
1: kd> dt win32k!_VK_TO_WCHARS1 0xe16ef2f0+8*9
+0x000 VirtualKey : 0 ''
+0x001 Attributes : 0 ''
+0x002 wch : [1] 0
1: kd> db 0xe16ef2f0
e16ef2f0 db 00 5b 00 7b 00 1b 00-dd 00 5d 00 7d 00 1d 00 ..[.{…..].}…
e16ef300 dc 00 5c 00 7c 00 1c 00-e2 00 5c 00 7c 00 1c 00 …|……|…
e16ef310 08 00 08 00 08 00 7f 00-1b 00 1b 00 1b 00 1b 00 …………….
e16ef320 0d 00 0d 00 0d 00 0a 00-20 00 20 00 20 00 20 00 …….. . . . .
e16ef330 03 00 03 00 03 00 03 00-00 00 00 00 00 00 00 00 …………….
1: kd> p
eax=000000c0 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1d0
eip=bf8ea558 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000292
win32k!xxxInternalToUnicode+0x401:
bf8ea558 0fb64305 movzx eax,byte ptr [ebx+5] ds:0023:e16ef3a9=06
1: kd> p
eax=00000006 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1d0
eip=bf8ea55c esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000292
win32k!xxxInternalToUnicode+0x405:
bf8ea55c 03f8 add edi,eax
1: kd> p
eax=00000006 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1d6
eip=bf8ea55e esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
win32k!xxxInternalToUnicode+0x407:
bf8ea55e 8a07 mov al,byte ptr [edi] ds:0023:e16ef1d6=31
1: kd> p
eax=00000031 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1d6
eip=bf8ea560 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
win32k!xxxInternalToUnicode+0x409:
bf8ea560 84c0 test al,al
1: kd> p
eax=00000031 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1d6
eip=bf8ea562 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
win32k!xxxInternalToUnicode+0x40b:
bf8ea562 75ef jne win32k!xxxInternalToUnicode+0x3fc (bf8ea553) [br=1]
1: kd> p
eax=00000031 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1d6
eip=bf8ea553 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
win32k!xxxInternalToUnicode+0x3fc:
bf8ea553 3a4508 cmp al,byte ptr [ebp+8] ss:0010:f75c6ca0=34
1: kd> p
eax=00000031 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1d6
eip=bf8ea556 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
win32k!xxxInternalToUnicode+0x3ff:
bf8ea556 741d je win32k!xxxInternalToUnicode+0x41e (bf8ea575) [br=0]
1: kd> p
eax=00000031 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1d6
eip=bf8ea558 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
win32k!xxxInternalToUnicode+0x401:
bf8ea558 0fb64305 movzx eax,byte ptr [ebx+5] ds:0023:e16ef3a9=06
1: kd> p
eax=00000006 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1d6
eip=bf8ea55c esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
win32k!xxxInternalToUnicode+0x405:
bf8ea55c 03f8 add edi,eax
1: kd> p
eax=00000006 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1dc
eip=bf8ea55e esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
win32k!xxxInternalToUnicode+0x407:
bf8ea55e 8a07 mov al,byte ptr [edi] ds:0023:e16ef1dc=33
1: kd> p
eax=00000033 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1dc
eip=bf8ea560 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
win32k!xxxInternalToUnicode+0x409:
bf8ea560 84c0 test al,al
1: kd> p
eax=00000033 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1dc
eip=bf8ea562 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
win32k!xxxInternalToUnicode+0x40b:
bf8ea562 75ef jne win32k!xxxInternalToUnicode+0x3fc (bf8ea553) [br=1]
1: kd> p
eax=00000033 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1dc
eip=bf8ea553 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
win32k!xxxInternalToUnicode+0x3fc:
bf8ea553 3a4508 cmp al,byte ptr [ebp+8] ss:0010:f75c6ca0=34
1: kd> p
eax=00000033 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1dc
eip=bf8ea556 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297
win32k!xxxInternalToUnicode+0x3ff:
bf8ea556 741d je win32k!xxxInternalToUnicode+0x41e (bf8ea575) [br=0]
1: kd> p
eax=00000033 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1dc
eip=bf8ea558 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297
win32k!xxxInternalToUnicode+0x401:
bf8ea558 0fb64305 movzx eax,byte ptr [ebx+5] ds:0023:e16ef3a9=06
1: kd> p
eax=00000006 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1dc
eip=bf8ea55c esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297
win32k!xxxInternalToUnicode+0x405:
bf8ea55c 03f8 add edi,eax
1: kd> p
eax=00000006 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1e2
eip=bf8ea55e esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000296
win32k!xxxInternalToUnicode+0x407:
bf8ea55e 8a07 mov al,byte ptr [edi] ds:0023:e16ef1e2=34
1: kd> p
eax=00000034 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1e2
eip=bf8ea560 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000296
win32k!xxxInternalToUnicode+0x409:
bf8ea560 84c0 test al,al //al=34了。
1: kd> p
eax=00000034 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1e2
eip=bf8ea562 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
win32k!xxxInternalToUnicode+0x40b:
bf8ea562 75ef jne win32k!xxxInternalToUnicode+0x3fc (bf8ea553) [br=1]
1: kd> p
eax=00000034 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1e2
eip=bf8ea553 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
win32k!xxxInternalToUnicode+0x3fc:
bf8ea553 3a4508 cmp al,byte ptr [ebp+8] ss:0010:f75c6ca0=34
1: kd> p
eax=00000034 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1e2
eip=bf8ea556 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!xxxInternalToUnicode+0x3ff:
bf8ea556 741d je win32k!xxxInternalToUnicode+0x41e (bf8ea575) [br=1]
1: kd> p
eax=00000034 ebx=e16ef3a4 ecx=00000008 edx=00000010 esi=bfa03694 edi=e16ef1e2
eip=bf8ea575 esp=f75c6c80 ebp=f75c6c98 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!xxxInternalToUnicode+0x41e:
bf8ea575 8a4701 mov al,byte ptr [edi+1] ds:0023:e16ef1e3=00
© 版权声明
文章版权归作者所有,未经允许请勿转载。
相关文章
暂无评论...
