Sunday, August 7, 2011

How to bypass message break

Guess one:Through window subclass to operate
Checking:That is Impossible .Subclassing operation need to windows receive massage.To do so would still be broken,code of function also point to processing message code after broken,so no to bypass effect of message breaking.

Guess two:Through hooking to operate
Preliminary idea:First step use SetWindowsHookEx intercept and capture message first,After that,Intercept of Message dispense to original windows,Modified msg's parameter.

Question:How to realized message breaking of OLLDBG?If message breaking through to hooking created yet,Depending on specialty of hooking installation: 根据钩子的安装特点:First installation in the behind after the installation,in the front,So debugger's message breaking before execute hook function oneself be breaked yet.

Confirmation:Through create one windows oneself,According to the above hook and don't return breaking,That demonstrate message breaking not through created hooking to realize.
#include <windows.h>
  HWND HookHwnd;         //Hooked windows
  UINT HookMsg;          //sub-definite windows's msg
  int HookBool;          //Window is be created or be called
    WNDPROC HookProc;      //Old address
  HHOOK HookID;          //
    char StoreString[50];  //Return import string
LRESULT  CALLBACK AvoidProc(HWND hwnd, UINT Msg, WPARAM wParam, LPARAM lParam){//Escape hooked function
  if(lParam&0x80000000){//Enter one key generate two event:WM_KEYDOWN和WM_KEYUP,So removed one
    if(Msg== HookMsg){//
static int n;                                                   //
static char HideString[50];                          
n=n+1;                                                        //
SetWindowText(hwnd,HideString);             //“*”
    return 1;                   
return CallWindowProc ((WNDPROC)HookProc,hwnd,Msg,wParam,lParam);//Call old window

LRESULT   CALLBACK MessageHook(int nCode,WPARAM wParam,LPARAM lParam){//Hooking callback function
    if (GetFocus()==HookHwnd){//判断输入焦点是不是想逃脱断点的窗口
        if (HookBool==1){
          static int Count;//判断是否已进行过GetWindowLong
          if (Count==0){
         HookProc=(WNDPROC)GetWindowLong(HookHwnd,GWL_WNDPROC);                                          //得到以前的窗口
   HookProc = (WNDPROC)SetWindowLong(HookHwnd, GWL_WNDPROC, (LONG)AvoidProc);//窗口子类化
return 1;

int MessageBreakAvoid(HWND hwnd,UINT msg,int Bool){//挂钩的函数,并进行一些初始化
  HookHwnd=hwnd;                         //初始化
return 0; 

int UnMessageBreakAvoid(){//删除钩子
return 0; 
Next code followed by above code,example to do,

int PASCAL  WinMain(HINSTANCE MyHinst,HINSTANCE hPrev,LPSTR CmdLine,int ShowNumber){
HWND hwndB=CreateWindow("edit","个人简介",WS_VISIBLE,20,130,950,950,NULL,NULL,MyHinst,NULL);
MSG MyMsg;
MessageBreakAvoid(hwndB,1101,1);                     ///注意这里
while (GetMessage(&MyMsg, NULL, 0, 0))
return TRUE;
The first step create window,after that,use MessageBreakAvoid to bypass message breaking,The second paramenter of MessageBreakAvoid convert WM_KEYDOWN or WM_KEYUP to custom message,There is 1101,When set this,You try large number,otherwise collide with windows msg code.
Th third paramenter is be create oneself or not

Debug return:succeed to bypass OllyDbg's msg trace.

No comments:

Post a Comment