以FindWinow为例,首先逆向FindWindow,分析写出下面代码
#pragma pack(1)
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING,*PUNICODE_STRING;
#pragma pack()
__declspec(naked) void sysFastCall()
{
__asm{
mov edx,esp
__emit 0x0f
__emit 0x34
}
}
__declspec(naked) HWND __stdcall My_FindWindow(
int p1,
int p2,
PUNICODE_STRING pu_classname,
PUNICODE_STRING pu_catption,
int p5)
{
__asm
{
MOV EAX,0x1179
call sysFastCall
RETN 0x14
}
}
下面是调用:
void CFindWindowsDemoDlg::OnBtnMyFindwindow()
{
// TODO: Add your control notification handler code here
UNICODE_STRING pu_className,pu_Caption;
typedef (__stdcall *PRtlInitUnicodeString)(PUNICODE_STRING, PCWSTR);
PRtlInitUnicodeString RtlInitUnicodeString;
RtlInitUnicodeString=(PRtlInitUnicodeString)GetProcAddress(GetModuleHandle("ntdll.dll"),"RtlInitUnicodeString");
RtlInitUnicodeString(&pu_className,L"SciCalc");
RtlInitUnicodeString(&pu_Caption,L"计算器");
HWND h=My_FindWindow(0,0,&pu_className,&pu_Caption,0);
::SendMessage(h,WM_CLOSE,0,0);
}