Win32k(2) 报文驱动的通信机制

一．应用层的api

int APIENTRY _tWinMain(HINSTANCE hInstance,

                     HINSTANCE hPrevInstance,

                     LPTSTR    lpCmdLine,

intnCmdShow)

{

    WNDCLASSEXwcex;

    wcex.lpfnWndProc  = WndProc;

    wcex.cbClsExtra      = 0;

RegisterClassEx(&wcex);

 

    hWnd= CreateWindow(szWindowClass, szTitle, WS_OVERLAPPEDWINDOW,CW_USEDEFAULT, 0,CW_USEDEFAULT, 0, NULL, NULL, hInstance, NULL);

 

    while(GetMessage(&msg, NULL, 0, 0))//NtUserGetMessage

    {

// NtUserGetMessage目的是循环获取一个普通报文，

在这个循环中会检查被发送的报文，对方send过来的message会由NtUserGetMessage内部直接调用wndproc立即响应

//如果没有普通报文（post 硬件报文定时器报文等）就睡眠循环等待

       if(!TranslateAccelerator(msg.hwnd, hAccelTable, &msg))

       {

           TranslateMessage(&msg);//键盘扫描码变成unicode

           DispatchMessage(&msg);//对wndproc的调用

       }

    }

 

然后在WndProc函数中还能调用到SendMessage、PostQuitMessage等等函数

 

应用层消息的结构是

struct MSG

{

   HWND hwnd;

   UINT message;

   WPARAM wParam;

   LPARAM lParam;

   DWORD time;

   POINT pt;

};

 

二．创建窗口NtUserCreateWindowEx

控件什么也都算window。

创建好的窗口对应的是window_object返回句柄。

Window_object里面包含了许多字段，里面就有用户填充的WndProc地址，消息队列结构

三.接收报文NtUserGetMessage

 

根据HWNDhWnd在全局句柄表中找到窗口

 

主要关注co_IntPeekMessage这个调用，他从w32thread里面拆取消息队列中的消息

Win下

typedefstruct _tagTHREADINFO           // 156 elements, 0x208 bytes (sizeof)

{

/*0x0BC*/     struct _tagQ* pq;// input queue

/*0x0E0*/     struct _tagSMS* psmsSent;// send queue (sent)

/*0x0E4*/     struct _tagSMS* psmsCurrent;// send queue (current)

/*0x0E8*/     struct _tagSMS* psmsReceiveList;// send queue (received)

/*0x174*/     struct _tagMLISTmlPost;// post queue

} tagTHREADINFO, *PtagTHREADINFO;

 

Ros下

typedefstruct_USER_MESSAGE_QUEUE

{

/* Reference counter, only access this variable with interlocked functions! */

LONGReferences;

/* Owner of the message queue */

struct _ETHREAD *Thread;

/* Queue of messages sent to the queue. */

LIST_ENTRYSentMessagesListHead;

/* Queue of messages posted to the queue. */

LIST_ENTRYPostedMessagesListHead;

/* Queue of sent-message notifies for the queue. */

LIST_ENTRYNotifyMessagesListHead;

/* Queue for hardware messages for the queue. */

LIST_ENTRYHardwareMessagesListHead;

/* List of timers, sorted on expiry time (earliest first) */

LIST_ENTRYTimerListHead;

 

/* messages that are currently dispatched by other threads */

LIST_ENTRYDispatchingMessagesHead;

/* messages that are currently dispatched by this message queue, required for cleanup */

LIST_ENTRYLocalDispatchingMessagesHead;

 

（1）获取send报文：

同步方式的消息传递

 

发送方要把消息挂入发送方的DispatchingMessagesHead，也挂入接收方的SentMessagesListHead，等待Message->CompletionEvent

 

接收方从SentMessagesListHead提出消息挂入自己的LocalDispatchingMessagesHead，调用窗口的wndproc或者其消息钩子，完成后摘除，用Message->CompletionEvent通知发送方

BOOLFASTCALL

co_IntPeekMessage(PUSER_MESSAGEMsg,

PWINDOW_OBJECTWindow,

UINTMsgFilterMin,

UINTMsgFilterMax,

UINTRemoveMsg)

{

 

。。。。。。

while (co_MsqDispatchOneSentMessage(ThreadQueue))

;

这一句从循环摘消息发送消息

 

BOOLEAN FASTCALL

co_MsqDispatchOneSentMessage(PUSER_MESSAGE_QUEUE MessageQueue)

{

。。。。。

 

//SentMessagesListHead中获取消息

   Entry = RemoveHeadList(&MessageQueue->SentMessagesListHead);

   Message = CONTAINING_RECORD(Entry, USER_SENT_MESSAGE, ListEntry);

 

//放入LocalDispatchingMessagesHead

InsertTailList(&MessageQueue->LocalDispatchingMessagesHead,

&Message->ListEntry);

//消息钩子另行处理

if (Message->HookMessage == MSQ_ISHOOK)

   {

      Result = co_HOOK_CallHooks（。。。）

;

   }

elseif (Message->HookMessage == MSQ_ISEVENT)

   {

      Result = co_EVENT_CallEvents(。。。);                                  

   }

else

   {

//调用应用层窗口函数wndproc

        Result = co_IntSendMessage(。。。);

   }

//已经送达就可以删除了

RemoveEntryList(&Message->ListEntry);

 

/* remove the message from the dispatching list, so lock the sender's message queue */

SenderReturned = (Message->DispatchingListEntry.Flink == NULL);

if(!SenderReturned)

   {

//从DispatchingListEntry中移除

RemoveEntryList(&Message->DispatchingListEntry);

   }

/* Let the sender know the result. */

if (Message->Result != NULL)

   {

//返回wndproc执行的结果

      *Message->Result = Result;

   }

 

/* Notify the sender. */

if (Message->CompletionEvent != NULL)

   {

//通知发送方可以唤醒

KeSetEvent(Message->CompletionEvent, IO_NO_INCREMENT, FALSE);

   }

 

//对方回调函数的处理，略

/* Notify the sender if they specified a callback. */

if (!SenderReturned&& Message->CompletionCallback != NULL)

   {

。。。

   }

。。。

/* free the message */

ExFreePool(Message);

return(TRUE);

}

 

 

这里面的co_IntSendMessage最终调用co_IntCallWindowProc

在调用KeUserModeCallback(USER32_CALLBACK_WINDOWPROC。。。返回r3

此处暂略

 

（2）获取其他报文

 

NtUserGetMessage -co_IntPeekMessage  -  

 

 

 

BOOLFASTCALL

co_IntPeekMessage(PUSER_MESSAGEMsg,

PWINDOW_OBJECTWindow,

UINTMsgFilterMin,

UINTMsgFilterMax,

UINTRemoveMsg)

{

 

。。。。。。//sent报文的处理，已经分析过

while (co_MsqDispatchOneSentMessage(ThreadQueue))

//接下来看其他报文，伪代码

 

一般的post报文

/* Now check for normal messages. */

Present = co_MsqFindMessage(ThreadQueue,

if (Present)

{

gotoMessageFound;

}

硬件报文

/* Check for hardware events. */

Present = co_MsqFindMessage(ThreadQueue,

if (Present)

{

gotoMessageFound;

}

再次检查sent报文

/* Check for sent messages again. */

while (co_MsqDispatchOneSentMessage(ThreadQueue))

paint报文

/* Check for paint messages. */

if (IntGetPaintMessage(Window, MsgFilterMin, MsgFilterMax, pti, &Msg->Msg, RemoveMessages))

{

Msg->FreeLParam = FALSE;

gotoMsgExit;

}

定时器报文（包括鼠标）

Present = MsqGetTimerMessage(ThreadQueue, Window, MsgFilterMin, MsgFilterMax,

&Msg->Msg, RemoveMessages);

if (Present)

{

Msg->FreeLParam = FALSE;

gotoMessageFound;

}

 

报文可以来自于其他窗口、程序发送的，也可能是鼠标键盘线程投递的

 

 

(3)DispatchMessage对应NtUserDispatchMessage这个也简单了，就是把消息派发出去，调用wndproc或者hook

四．发送视窗报文

(1)Post message

Post很简单，插入链表发送消息根据Wnd找到对应window object，然后插入其post链表并且时间通知有消息了

 

 

NtUserPostMessage–UserPostMessage - UserPostThreadMessage - MsqPostMessage

 

VOIDFASTCALL

MsqPostMessage(PUSER_MESSAGE_QUEUEMessageQueue, MSG* Msg, BOOLEANFreeLParam,

DWORDMessageBits)

{

PUSER_MESSAGEMessage;

 

if(!(Message = MsqCreateMessage(Msg, FreeLParam)))

   {

return;

   }

InsertTailList(&MessageQueue->PostedMessagesListHead,

&Message->ListEntry);

MessageQueue->QueueBits |= MessageBits;

MessageQueue->ChangedBits |= MessageBits;

if (MessageQueue->WakeMask&MessageBits)

KeSetEvent(MessageQueue->NewMessages, IO_NO_INCREMENT, FALSE);

}

（2）send message

如果是向自身线程发送消息，就不用send了，直接回调本线程wndproc

否则的话就调用co_MsqSendMessage

 

co_MsqSendMessage(PUSER_MESSAGE_QUEUE MessageQueue,//接收方队列

                  HWND Wnd, UINT Msg, WPARAM wParam, LPARAM lParam,

                  UINT uTimeout, BOOL Block, INT HookMessage,

                  ULONG_PTR *uResult)

{

……

if(!(Message = ExAllocatePoolWithTag(PagedPool, sizeof(USER_SENT_MESSAGE), TAG_USRMSG)))

……

 

KeInitializeEvent(&CompletionEvent, NotificationEvent, FALSE);

 

pti = PsGetCurrentThreadWin32Thread();

ThreadQueue = pti->MessageQueue; //发送方队列

 

Timeout.QuadPart = (LONGLONG) uTimeout * (LONGLONG) -10000;

 

……//初始化Message结构

 

/* 挂入两个队列自己进程的DispatchingListEntry，对方进程的SentMessagesListHead* /

InsertTailList(&ThreadQueue->DispatchingMessagesHead, &Message->DispatchingListEntry);

InsertTailList(&MessageQueue->SentMessagesListHead, &Message->ListEntry);

 

……//如果对方正在等待报文，将其唤醒

if (MessageQueue->WakeMask&QS_SENDMESSAGE)

KeSetEvent(MessageQueue->NewMessages, IO_NO_INCREMENT, FALSE);

 

//

if(Block)//阻塞方式，单纯等待这个消息被完成的事件CompletionEvent

   {

……

/* 等待这个报文得到处理*/

WaitStatus = KeWaitForSingleObject(&CompletionEvent, UserRequest, UserMode,

                                         FALSE, (uTimeout ?&Timeout : NULL));

 

……

//超时的话

if(WaitStatus == STATUS_TIMEOUT)

      {

/* 从对方的sent链表里面消除消息*/

         Entry = MessageQueue->SentMessagesListHead.Flink;

while (Entry != &MessageQueue->SentMessagesListHead)

         {

if ((PUSER_SENT_MESSAGE) CONTAINING_RECORD(Entry, USER_SENT_MESSAGE, ListEntry)

                  == Message)

            {

               Message->CompletionEvent = NULL;

               Message->Result = NULL;

break;

            }

            Entry = Entry->Flink;

         }

 

/*从自己的Dispatching消除消息 */

         Entry = ThreadQueue->DispatchingMessagesHead.Flink;

while (Entry != &ThreadQueue->DispatchingMessagesHead)

         {

if ((PUSER_SENT_MESSAGE) CONTAINING_RECORD(Entry, USER_SENT_MESSAGE, DispatchingListEntry)

                  == Message)

            {

               Message->CompletionEvent = NULL;

               Message->Result = NULL;

RemoveEntryList(&Message->DispatchingListEntry);

               Message->DispatchingListEntry.Flink = NULL;

break;

            }

            Entry = Entry->Flink;

         }

      }

//这里要捎带脚吧发过来的消息处理一下

while (co_MsqDispatchOneSentMessage(ThreadQueue));

   }

else//非阻塞方式，等待这个消息被完成的事件CompletionEvent以及有对方的报文被贴过来时短暂唤醒，但并不处理这些

   {

 PVOID WaitObjects[2];

 

WaitObjects[0] = &CompletionEvent;

WaitObjects[1] = ThreadQueue->NewMessages;

do

      {

IdlePing();

 

UserLeaveCo();

 

WaitStatus = KeWaitForMultipleObjects(2, WaitObjects, WaitAny, UserRequest,

UserMode, FALSE, (uTimeout ?&Timeout : NULL), NULL);

 

……

//超时的话和上面一样，移除两个链表中的消息，处理sent链表上对方发送过来的消息

      }

while (NT_SUCCESS(WaitStatus) && STATUS_WAIT_0 != WaitStatus); //只要CompletionEvent不满足就要等待

   }

 

if(WaitStatus != STATUS_TIMEOUT)

      *uResult = (STATUS_WAIT_0 == WaitStatus ?Result : -1);

 

returnWaitStatus;

}

阅读全文
类别：内核 查看评论