系统热键分析 TWO - 取热键对应的进程名

又是系统热键分析,静静的夜里分析起来,比打麻将时间过得快...

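/*
 * One entry of win32k's registered-hotkey list, rooted at win32k!gphkFirst
 * and linked through phkNext.  Layout reconstructed from the `dd /c 6 ... L6`
 * dumps below: each entry is six 32-bit slots (0x18 bytes), and the sixth slot
 * of one entry is the address passed to the next dump, i.e. phkNext.
 *
 * Walking this list is how a defender answers "which process owns this
 * system-wide hotkey?": pti -> pEThread -> ThreadsProcess -> ImageFileName.
 */
typedef struct tagHOTKEY {
    W32THREAD *pti;      /* pointer to the registering thread's W32THREAD.
                          * The dump reads slot 0 as an address whose first
                          * DWORD is pEThread, and _W32THREAD is 0x28 bytes,
                          * so it cannot be embedded by value in a 0x18-byte
                          * entry; hence a pointer, not `W32THREAD pti`. */
    PWND    spwnd;       /* slot 1: window pointer (same value in every dumped entry) */
    WORD    fsModifiers; /* MOD_SHIFT, MOD_ALT, MOD_CONTROL, MOD_WIN */
    WORD    wFlags;      /* MOD_SAS */
    UINT    vk;          /* virtual-key code (0xC0, 0x4A, 0xBD, 0x4E in the dumps) */
    int     id;          /* hotkey identifier */
    struct tagHOTKEY *phkNext; /* next entry; list end presumably NULL - not shown in the dumps */
} HOTKEY, *PHOTKEY;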

lkd> x /t /v /q /d win32k!gphkFirst
pub global bf9b0bd8             0    @!"win32k!gphkFirst" = 

lkd> dd /c 6 dwo(win32k!gphkFirst) L6
e10687d8 e29749b0 bbe68840 00000006 000000c0 0000c01a e2e8c8f8
lkd> dd /c 6 e2e8c8f8 L6
e2e8c8f8 e29749b0 bbe68840 00000003 0000004a 0000000c e2f4cab8
lkd> dd /c 6 e2f4cab8 L6
e2f4cab8 e29749b0 bbe68840 00000003 000000bd 0000000b e28d4d20
lkd> dd /c 6 e28d4d20 L6
e28d4d20 e29749b0 bbe68840 00000003 0000004e 0000000a e2f30e98

lkd> dt -v win32k!_W32THREAD
struct _W32THREAD, 10 elements, 0x28 bytes
   +0x000 pEThread : Ptr32 to struct _ETHREAD, 0 elements, 0x0 bytes

lkd> dt -v nt!_ETHREAD
struct _ETHREAD, 55 elements, 0x260 bytes
   +0x000 Tcb : struct _KTHREAD, 74 elements, 0x1c0 bytes
   ...
   +0x220 ThreadsProcess : Ptr32 to struct _EPROCESS, 107 elements, 0x260 bytes
          ^^^^^^^^^^^^^^^^^
   +0x224 StartAddress : Ptr32 to Void
   ...

lkd> dt -v nt!_EPROCESS
struct _EPROCESS, 107 elements, 0x260 bytes
   +0x000 Pcb : struct _KPROCESS, 29 elements, 0x6c bytes
   ...
   +0x174 ImageFileName : [16] UChar
          ^^^^^^^^^^^^^^^^
   +0x184 JobLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
   ...

lkd> dd win32k!gphkFirst L1        <--- 指向 gphkFirst
bf9b0bd8 e10687d8
lkd> dd e10687d8 L1                <--- 指向 W32THREAD
e10687d8 e29749b0
lkd> dd e29749b0 L1                <--- 指向 _ETHREAD
e29749b0 85d64990
lkd> dd 85d64990+0x220 L1          <--- 指向 _EPROCESS
85d64bb0 86e1db30
lkd> da 86e1db30+174               <--- 指向 _EPROCESS 的 _EPROCESS->ImageFileName
86e1dca4 "explorer.exe"

为了取进程名竟然跳了5次...
    
 
   
