$$ Convert HWND to tagWnd
$$ Author: nighxie
$$ Blog: 0cch.net
.if (${/d:$arg1}) {
.if (${/d:$arg2}) {
.if (${$arg2} == 1) {
r $t0 = nt!PsActiveProcessHead
.for (r $t1 = poi(@$t0);(@$t1 != 0) & (@$t1 != @$t0);r $t1 = poi(@$t1)) {
r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks);
as /x ${/v:$ProcAddr} @$t2;
as /ma ${/v:$ImageName} @@c++(&@$t2->ImageFileName[0]);
.block {
$$ .echo ${$ImageName}
.if ($sicmp("${$ImageName}", "explorer.exe") == 0) {
.echo Found the process at ${$ProcAddr};
.process /p /r ${$ProcAddr};
ad ${/v:$ImageName};
ad ${/v:$ProcAddr};
.break;
}
}
ad ${/v:$ImageName};
ad ${/v:$ProcAddr};
}
}
}
r @$t1 = ${$arg1};
r @$t0 = win32k!gSharedInfo;
.if ((@$t1&0xffff) < @@C++(((win32k!tagSHAREDINFO *)@$t0)->psi->cHandleEntries)) {
r @$t0 = @@C++(((win32k!tagSHAREDINFO *)@$t0)->aheList);
r @$t0 = @@C++(@$t0+(@$t1&0xffff)*sizeof(win32k!_HANDLEENTRY));
r @$t0 = poi(@$t0);
.printf "HWND: %p\n", @@C++(((win32k!tagWnd *)@$t0)->head.h);
.printf /D "tagWnd * @ %p\n", @$t0;
.if (@@C++(((win32k!tagWnd *)@$t0)->strName.Buffer) != 0) {
.printf "Window Name: %mu\n", @@C++(((win32k!tagWnd *)@$t0)->strName.Buffer);
}
.printf /D "tagCLS * @ pcls) win32k!tagCLS\">%p\n", @@C++(((win32k!tagWnd *)@$t0)->pcls);
.if (@@C++(((win32k!tagWnd *)@$t0)->pcls->lpszAnsiClassName) != 0) {
.printf "Window Class Name: %ma\n", @@C++(((win32k!tagWnd *)@$t0)->pcls->lpszAnsiClassName);
}
.if (@@C++(((win32k!tagWnd *)@$t0)->spwndNext) != 0) {
.printf "Next Wnd: %p\n", @@C++(((win32k!tagWnd *)@$t0)->spwndNext->head.h);
}
.if (@@C++(((win32k!tagWnd *)@$t0)->spwndPrev) != 0) {
.printf "Previous Wnd: %p\n", @@C++(((win32k!tagWnd *)@$t0)->spwndPrev->head.h);
}
.if (@@C++(((win32k!tagWnd *)@$t0)->spwndParent) != 0) {
.printf "Parent Wnd: %p\n", @@C++(((win32k!tagWnd *)@$t0)->spwndParent->head.h);
}
.if (@@C++(((win32k!tagWnd *)@$t0)->spwndChild) != 0) {
.printf "Child Wnd: %p\n", @@C++(((win32k!tagWnd *)@$t0)->spwndChild->head.h);
}
.if (@@C++(((win32k!tagWnd *)@$t0)->spwndOwner) != 0) {
.printf "Own Wnd: %p\n", @@C++(((win32k!tagWnd *)@$t0)->spwndOwner->head.h);
}
.if (@@C++(((win32k!tagWnd *)@$t0)->lpfnWndProc) != 0) {
.printf /D "pfnWndProc: head.pti->pEThread)->Tcb.Process);u @@C++(((win32k!tagWnd *)@$t0)->lpfnWndProc)\">%p\n", @@C++(((win32k!tagWnd *)@$t0)->lpfnWndProc);
}
.printf "Visiable: %d\n", @@C++((((win32k!tagWnd *)@$t0)->style & (1<<28)) != 0);
.printf "Child: %d\n", @@C++((((win32k!tagWnd *)@$t0)->style & (1<<30)) != 0);
.printf "Minimized:%d\n", @@C++((((win32k!tagWnd *)@$t0)->style & (1<<29)) != 0);
.printf "Disabled: %d\n", @@C++((((win32k!tagWnd *)@$t0)->style & (1<<27)) != 0);
.printf "Window Rect { %d, %d, %d, %d}\n", @@C++(((win32k!tagWnd *)@$t0)->rcWindow.left), @@C++(((win32k!tagWnd *)@$t0)->rcWindow.top), @@C++(((win32k!tagWnd *)@$t0)->rcWindow.right), @@C++(((win32k!tagWnd *)@$t0)->rcWindow.bottom);
.printf "Clent Rect { %d, %d, %d, %d}\n", @@C++(((win32k!tagWnd *)@$t0)->rcClient.left), @@C++(((win32k!tagWnd *)@$t0)->rcClient.top), @@C++(((win32k!tagWnd *)@$t0)->rcClient.right), @@C++(((win32k!tagWnd *)@$t0)->rcClient.bottom);
}
.else {
.printf "HWND is out of range.\n";
}
}
.else {
.echo "Usage $$>a<${$arg0} HWND(HEX)"
.echo "e.g. $$>a<${$arg0} 0x60962"
}
|
