Meaning of negative value of MessageBoxA hWnd argument - windows

I'm analyzing malware in IDA, where I observed the malware launching a MessageBox with a negative value of hWnd (FFFFFFF7h).
Message box arguments (Source: MSDN):
int WINAPI MessageBox(
    _In_opt_ HWND hWnd,
    _In_opt_ LPCTSTR lpText,
    _In_opt_ LPCTSTR lpCaption,
    _In_ UINT uType
);
hWnd stands for the owner window. I wasn't able to find what it means when the hWnd argument is negative. Any help is very much appreciated.

Related

What was the idea behind RunDLL?

Why was RunDLL and later RunDLL32 conceived? What is the purpose of their existence? So as to bypass the task manager?
https://support.microsoft.com/en-us/kb/164787
The article states that RunDLL still requires a particular method header for a candidate entry point:
16-bit DLL:
void FAR PASCAL __loadds
EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);
32-bit DLL:
void CALLBACK
EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);
What is the purpose of using a RunDLL entry point rather than a main entry point as in a regular executable file?

GetDlgCtrlID for top-level window with menu bar - return value

MSDN -> "GetDlgCtrlID function" -> Remarks:
"... Although GetDlgCtrlID may return a value if hwndCtl is a handle to a top-level window, top-level windows cannot have identifiers and such a return value is never valid."
It seems it is wrong information - "never valid".
At least for Win2k...Win8 this return value is just kernel pointer to hmenu(bar).
And my question is (primarily to MS insiders): why is MSDN so inaccurate here?
(Screenshot: http://files.rsdn.ru/42164/gwl(-1)_tagwnd.png)
Upd (tagWND):
Also demo: http://files.rsdn.ru/42164/gwl(-1)_tagwnd.zip
It is not inaccurate. You create a top-level window with CreateWindowEx(). Which looks like this:
HWND WINAPI CreateWindowEx(
_In_ DWORD dwExStyle,
_In_opt_ LPCTSTR lpClassName,
_In_opt_ LPCTSTR lpWindowName,
_In_ DWORD dwStyle,
_In_ int x,
_In_ int y,
_In_ int nWidth,
_In_ int nHeight,
_In_opt_ HWND hWndParent,
_In_opt_ HMENU hMenu,
_In_opt_ HINSTANCE hInstance,
_In_opt_ LPVOID lpParam
);
Note how you don't specify the ID anywhere. But the fine print is in the description for the hMenu argument:
A handle to a menu, or specifies a child-window identifier, depending on the window style. For an overlapped or pop-up window, hMenu identifies the menu to be used with the window; it can be NULL if the class menu is to be used. For a child window, hMenu specifies the child-window identifier, an integer value used by a dialog box control to notify its parent about events. The application determines the child-window identifier; it must be unique for all child windows with the same parent window.
So you can have a menu OR a child ID. Overloading like this is pretty common in the winapi: a child control can't have a menu and a toplevel window can't have a child ID. If you forge ahead and ignore this and call GetDlgCtrlID() on a toplevel window anyway, then you will get back the value of the hMenu argument you specified in the create call. Well, today. Always follow the api or you might get a rude surprise some day; you'd of course use GetMenu() instead.

Error 42: Symbol Undefined _CreateWindowW#44 when trying to register non existing windows function binding

I'm trying to write a simple show_window function, but one that uses wide chars. There are no examples of that in D anywhere; I could only find window creation that uses narrow strings, and I'm now trying to rewrite that (I know, bad English). So I'm failing even at properly registering the Unicode WinAPI bindings.
import core.runtime;
import core.sys.windows.windows;
import std.c.windows.windows;
pragma(lib, "gdi32.lib");
pragma(lib, "user32.lib");
struct WNDCLASSW { UINT style; WNDPROC lpfnWndProc; int cbClsExtra; int cbWndExtra; HINSTANCE hInstance; HICON hIcon; HCURSOR hCursor; HBRUSH hbrBackground; LPCWSTR lpszMenuName; LPCWSTR lpszClassName; }
extern(Windows) HWND CreateWindowW(LPCWSTR lpClassName, LPCWSTR lpWindowName, DWORD dwStyle, int x, int y, int nWidth, int nHeight, HWND hWndParent, HMENU hMenu, HINSTANCE hInstance, LPVOID lpParam );
extern(Windows)
int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow) {
HWND hWnd = CreateWindowW("wndClassName",
"window caption", WS_SYSMENU | WS_VISIBLE, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, HWND_DESKTOP, null, hInstance, null);
return 0;
}
and that produces:
Error 42: Symbol Undefined _CreateWindowW#44
Modern versions of Windows do not implement CreateWindow(). It is an ancient winapi function that dates from the 1980s and has been replaced by CreateWindowEx(). In the WinUser.h SDK header, CreateWindowW is a macro that actually calls CreateWindowExW(), passing 0 for the extra dwExStyle argument.
You must use CreateWindowExW() instead.

what's the purpose of the following about UNREFERENCED_PARAMETER?

int APIENTRY _tWinMain(HINSTANCE hInstance,
                       HINSTANCE hPrevInstance,
                       LPTSTR lpCmdLine,
                       int nCmdShow)
{
    UNREFERENCED_PARAMETER(hPrevInstance);
    UNREFERENCED_PARAMETER(lpCmdLine);
    // ... (rest of the function is not shown in the question)
}
What's the purpose of UNREFERENCED_PARAMETER here?
It just suppresses a compiler warning about two parameters being unused in the function.
The macro itself is probably just defined as
#define UNREFERENCED_PARAMETER(x) (x)
so it references its argument but does nothing with it.

How to capture WM_SHOWWINDOW command in MFC

I am trying to do some action whenever a dialog box is shown. It's like this: we have a modeless dialog, and we are hiding/showing the dialog on some button click. But we need to perform some action whenever the dialog is shown. I have added the WM_SHOWWINDOW message, but control is not coming inside of the OnShowWindow(BOOL bShow, UINT nStatus) function.
We are using the ShowWindow(SW_HIDE) and ShowWindow(SW_SHOW) functions to hide/show the dialog box.
Please suggest some pointers on how to achieve that.
Thanks in advance
Mukesh
I tested this with notepad and Spy++ with the following code:
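#include <Windows.h>

int CALLBACK WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow ) {
    // The title is a wide string, so call the W variant explicitly;
    // the FindWindow macro only accepts L"..." when UNICODE is defined.
    HWND hwnd = FindWindowW( NULL, L"Untitled - Notepad" );
    if ( hwnd == NULL )
        return ERROR_NOT_FOUND;   // no window with that title was found
    ShowWindow( hwnd, SW_HIDE );
    Sleep(4000);
    ShowWindow( hwnd, SW_SHOW );
    return ERROR_SUCCESS;
}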
For hiding the window, you should be getting WM_SHOWWINDOW, WM_WINDOWPOSCHANGING, then finally WM_WINDOWPOSCHANGED.
For showing the window, the target did not receive WM_SHOWWINDOW, but still got WM_WINDOWPOSCHANGING and WM_WINDOWPOSCHANGED.
You could handle WM_WINDOWPOSCHANGED and check the flags in WINDOWPOS for SWP_HIDEWINDOW/SWP_SHOWWINDOW.
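The flag check suggested in the answer above, as an added example that is not part of the original answer. The names visibility_change, tally, trace_msg and TRACE are hypothetical, the trace is constructed to mirror the message sequence the answer reports, and the non-Windows stand-in definitions exist only so the logic builds without the SDK.

```c
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Stand-ins so the logic also builds off Windows; values match WinUser.h. */
typedef void *HWND; typedef unsigned int UINT;
typedef struct { HWND hwnd, hwndInsertAfter; int x, y, cx, cy; UINT flags; } WINDOWPOS;
#define WM_SHOWWINDOW        0x0018
#define WM_WINDOWPOSCHANGING 0x0046
#define WM_WINDOWPOSCHANGED  0x0047
#define SWP_SHOWWINDOW       0x0040
#define SWP_HIDEWINDOW       0x0080
#endif

enum vis_change { VIS_NONE, VIS_SHOWN, VIS_HIDDEN };

/* Hypothetical helper for the WM_WINDOWPOSCHANGED case; wp is (WINDOWPOS *)lParam. */
enum vis_change visibility_change(UINT msg, const WINDOWPOS *wp)
{
    if (msg != WM_WINDOWPOSCHANGED || wp == NULL)
        return VIS_NONE;            /* ...CHANGING is only a proposal, skip it */
    if (wp->flags & SWP_SHOWWINDOW) return VIS_SHOWN;
    if (wp->flags & SWP_HIDEWINDOW) return VIS_HIDDEN;
    return VIS_NONE;                /* plain move, resize or z-order change */
}

struct trace_msg { UINT msg; WINDOWPOS wp; };
/* Constructed trace: a hide, then a show that arrives without WM_SHOWWINDOW. */
const struct trace_msg TRACE[] = {
    { WM_SHOWWINDOW,        { 0 } },
    { WM_WINDOWPOSCHANGING, { 0, 0, 0, 0, 0, 0, SWP_HIDEWINDOW } },
    { WM_WINDOWPOSCHANGED,  { 0, 0, 0, 0, 0, 0, SWP_HIDEWINDOW } },
    { WM_WINDOWPOSCHANGING, { 0, 0, 0, 0, 0, 0, SWP_SHOWWINDOW } },
    { WM_WINDOWPOSCHANGED,  { 0, 0, 0, 0, 0, 0, SWP_SHOWWINDOW } },
};

/* Count transitions in a trace into out[VIS_NONE], out[VIS_SHOWN], out[VIS_HIDDEN]. */
void tally(const struct trace_msg *t, size_t n, int out[3])
{
    out[VIS_NONE] = out[VIS_SHOWN] = out[VIS_HIDDEN] = 0;
    for (size_t i = 0; i < n; i++)
        out[visibility_change(t[i].msg, &t[i].wp)]++;
}

int main(void)
{
    int c[3];
    tally(TRACE, sizeof TRACE / sizeof TRACE[0], c);
    return (c[VIS_SHOWN] == 1 && c[VIS_HIDDEN] == 1) ? 0 : 1;
}
```

Keying on WM_WINDOWPOSCHANGED rather than WM_WINDOWPOSCHANGING means each transition is counted once, after it has taken effect.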
