又是系统热键分析,静静的夜里分析起来,比打麻将时间过得快...

typedef struct tagHOTKEY {
    struct _W32THREAD *pti;     // <-- W32THREAD (a pointer; its +0x000 is pEThread, see the dt output below)
    PWND  spwnd;
    WORD  fsModifiers;          // MOD_SHIFT, MOD_ALT, MOD_CONTROL, MOD_WIN
    WORD  wFlags;               // MOD_SAS
    UINT  vk;
    int   id;
    struct tagHOTKEY *phkNext;  // next entry in the global list headed by win32k!gphkFirst
} HOTKEY, *PHOTKEY;

lkd> x /t /v /q /d win32k!gphkFirst
pub global bf9b0bd8 0@!"win32k!gphkFirst" =

lkd> dd /c 6 dwo(win32k!gphkFirst) L6
e10687d8 e29749b0 bbe68840 00000006 000000c0 0000c01a e2e8c8f8
lkd> dd /c 6 e2e8c8f8 L6
e2e8c8f8 e29749b0 bbe68840 00000003 0000004a 0000000c e2f4cab8
lkd> dd /c 6 e2f4cab8 L6
e2f4cab8 e29749b0 bbe68840 00000003 000000bd 0000000b e28d4d20
lkd> dd /c 6 e28d4d20 L6
e28d4d20 e29749b0 bbe68840 00000003 0000004e 0000000a e2f30e98

(每行 6 个 dword 依次对应 pti, spwnd, fsModifiers|wFlags, vk, id, phkNext;四条记录的 pti 和 spwnd 完全相同,即同一线程/同一窗口注册的热键。按标准 MOD_* 取值,0x0006 是 MOD_CONTROL|MOD_SHIFT,0x0003 是 MOD_ALT|MOD_CONTROL。)

lkd> dt -v win32k!_W32THREAD
struct _W32THREAD, 10 elements, 0x28 bytes
   +0x000 pEThread : Ptr32 to struct _ETHREAD, 0 elements, 0x0 bytes

lkd> dt -v nt!_ETHREAD
struct _ETHREAD, 55 elements, 0x260 bytes
   +0x000 Tcb : struct _KTHREAD, 74 elements, 0x1c0 bytes
   ...
   +0x220 ThreadsProcess : Ptr32 to struct _EPROCESS, 107 elements, 0x260 bytes
          ^^^^^^^^^^^^^^^^^
   +0x224 StartAddress : Ptr32 to Void
   ...

lkd> dt -v nt!_EPROCESS
struct _EPROCESS, 107 elements, 0x260 bytes
   +0x000 Pcb : struct _KPROCESS, 29 elements, 0x6c bytes
   ...
   +0x174 ImageFileName : [16] UChar
          ^^^^^^^^^^^^^^^^
   +0x184 JobLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
   ...

lkd> dd win32k!gphkFirst L1          <--- 指向第一个 HOTKEY (gphkFirst)
bf9b0bd8 e10687d8
lkd> dd e10687d8 L1                  <--- HOTKEY->pti, 指向 W32THREAD
e10687d8 e29749b0
lkd> dd e29749b0 L1                  <--- W32THREAD->pEThread, 指向 _ETHREAD
e29749b0 85d64990
lkd> dd 85d64990+0x220 L1            <--- _ETHREAD->ThreadsProcess, 指向 _EPROCESS
85d64bb0 86e1db30
lkd> da 86e1db30+0x174               <--- _EPROCESS->ImageFileName
86e1dca4 "explorer.exe"

为了取进程名竟然跳了5次...

Note (review): the offsets used above (+0x220 ThreadsProcess, +0x174 ImageFileName, the 0x28-byte W32THREAD and the 6-dword HOTKEY) are taken from the `dt` output of this particular 32-bit build; they differ between Windows versions and service packs, so re-derive them with `dt nt!_ETHREAD ThreadsProcess` / `dt nt!_EPROCESS ImageFileName` on the target instead of hard-coding them in a tool. ImageFileName is a 16-byte array with no guarantee of NUL termination, so `db <EPROCESS>+0x174 L10` (or `!process`) is safer than `da`, which reads until it finds a NUL. Walking gphkFirst this way is a useful cross-view source when looking for a hidden process that has registered a global activation hotkey (e.g. a keylogger or backdoor): each HOTKEY can be attributed to its owning thread and process exactly as shown here.