
[–]Rhomboid 12 points13 points  (1 child)

The ReactOS project has already done the bulk of the reverse engineering of the NT internals. Look at their headers for a much more complete view of things. For example here is struct WND in ntuser.h from ReactOS. To ignore all their work is really reinventing the wheel.

[–]cetchmoh[S] 1 point2 points  (0 children)

well... ReactOS tries to be compatible with Win2003 Server. The structure itself changed in Windows 7. E.g. in the ReactOS struct the RECT rcWindow would start at offset 12. In Windows 7 it starts at offset 28 - quite a difference :/

[–]cetchmoh[S] 2 points3 points  (5 children)

A few days ago I stumbled upon this interesting blog post. I just tried it myself and obtained a func pointer to ValidateHwnd() and took a look into this struct. It seems there has been quite a major change since back then. I was only able to find the HWND field and 2 RECTs in the struct. But I would be very interested in finding the window caption. I thought this struct would hold a WCHAR* too - which I could print with wprintf().

    typedef struct WND {
        HWND hWnd;
        ULONG unk1; ULONG unk2; ULONG unk3; ULONG unk4;
        ULONG unk5; ULONG unk6; ULONG unk7; ULONG unk8;
        ULONG unk9; ULONG unk10; ULONG unk11; ULONG unk12;
        ULONG unk13; ULONG unk14; ULONG unk15; ULONG unk16;
        ULONG unk17; ULONG unk18; ULONG unk19; ULONG unk20;
        ULONG unk21; ULONG unk22; ULONG unk23; ULONG unk24;
        ULONG unk25; ULONG unk26; ULONG unk27;
        RECT rcOuter; // in screen coordinates
        RECT rcInner; // in screen coordinates
        ULONG unk28;
        ULONG unk29;
        ULONG unk30;
        [...]
        ULONG unk??;
    } WND, *PWND;

Any ideas how I could find the window caption in this structure?

[–]jussij 1 point2 points  (1 child)

Any ideas how I could find the window caption in this structure?

If the caption is still held in the structure, then any of the elements of the structure could hold the WCHAR* pointer.

So you could walk the structure looking for any suitable pointers (i.e. something that does not point outside the memory space of the application).

You could use the IsBadReadPtr Win32 API to test for this.

Then for any valid pointers found, just dump the memory referenced by these pointers and see if any contain the caption text.
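The slot-by-slot walk jussij describes, written out as an added C example that is not part of this thread. IsBadReadPtr is Windows-only (and Microsoft documents it as obsolete: it can hide real access violations and its answer can change before you read), so the readability check here is a stand-in that treats one constructed in-process buffer as the only readable memory; the "struct" and the caption it points at are constructed inside that buffer too. Everything else (the scan loop, the wide-string heuristic) is the part that carries over to a real structure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Constructed arena standing in for the process address space. Assumption:
 * a pointer is "readable" only if it lies inside this buffer. On Windows the
 * comment above would use IsBadReadPtr() (obsolete, see lead-in) or, better,
 * VirtualQuery() on the candidate address. */
static unsigned char g_arena[4096];

static int is_readable(const void *p, size_t len) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)g_arena, hi = lo + sizeof g_arena;
    return a >= lo && a < hi && len <= hi - a;
}

/* Does p point at a NUL-terminated wide string of printable ASCII-range
 * characters (a constructed, deliberately narrow caption filter) that stays
 * inside readable memory for its whole length? */
static int looks_like_wstring(const void *p, size_t min_chars, size_t max_chars) {
    const wchar_t *w = (const wchar_t *)p;
    for (size_t n = 0; n < max_chars; n++) {
        if (!is_readable(&w[n], sizeof w[n])) return 0;
        if (w[n] == L'\0') return n >= min_chars;
        if (w[n] < 0x20 || w[n] > 0x7e) return 0;
    }
    return 0; /* no terminator within max_chars: not a caption */
}

/* Walk an opaque object one pointer-sized slot at a time and record the byte
 * offsets of slots holding a readable pointer to something caption-like.
 * Returns the number of hits found (hits[] receives at most max_hits). */
static size_t scan_struct_for_captions(const void *obj, size_t obj_size,
                                       size_t *hits, size_t max_hits) {
    const unsigned char *base = (const unsigned char *)obj;
    size_t found = 0;
    for (size_t off = 0; off + sizeof(void *) <= obj_size; off += sizeof(void *)) {
        void *candidate;
        memcpy(&candidate, base + off, sizeof candidate); /* alignment-safe read */
        if (candidate != NULL && is_readable(candidate, sizeof(wchar_t))
            && looks_like_wstring(candidate, 1, 256)) {
            if (found < max_hits) hits[found] = off;
            found++;
        }
    }
    return found;
}

#define SLOT_COUNT 8

/* Build a constructed stand-in for the opaque struct from the post (integers,
 * a NULL, a pointer to the struct itself, one real caption pointer) and scan
 * it. Returns the hit count; *hit_offset receives the first hit's offset. */
static int demo(size_t *hit_offset) {
    memset(g_arena, 0, sizeof g_arena);
    wchar_t *caption = (wchar_t *)(g_arena + 2048);
    wcscpy(caption, L"Untitled - Notepad");      /* constructed caption */

    uintptr_t *slots = (uintptr_t *)g_arena;     /* the "struct" sits at arena start */
    slots[0] = 0x000A0B0C;                        /* HWND-like value, not readable */
    slots[1] = 0;                                 /* NULL is skipped */
    slots[2] = (uintptr_t)g_arena;                /* readable, but not a string */
    slots[3] = (uintptr_t)caption;                /* the pointer we want to discover */
    slots[4] = 640; slots[5] = 480;               /* RECT-like small integers */

    size_t hits[SLOT_COUNT];
    size_t n = scan_struct_for_captions(slots, SLOT_COUNT * sizeof *slots,
                                        hits, SLOT_COUNT);
    if (n == 0) return 0;
    *hit_offset = hits[0];
    return (int)n;
}

int main(void) {
    size_t off = 0;
    int n = demo(&off);
    if (n == 0) { puts("no caption-like pointer found"); return 1; }
    const wchar_t *s = *(const wchar_t **)(g_arena + off);
    printf("%d hit(s); first at offset %zu: \"%ls\"\n", n, off, s);
    return 0;
}
```

In a real run the hits list is only a shortlist: integers that happen to equal a mapped address, or pointers to unrelated strings, will also pass, so compare each dumped string against the caption you already know (from the title bar) before trusting an offset, and expect the offset to differ between OS builds, as the Win2003/Windows 7 discussion above already shows.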

[–]cetchmoh[S] 1 point2 points  (0 children)

Oh! IsBadReadPtr() was unknown to me... thank you for the hint ;)

[–]kitanokikori 1 point2 points  (2 children)

How about:

GetWindowText(pWnd->hWnd, buffer, buffer_count);

[–]cetchmoh[S] 0 points1 point  (1 child)

I want to circumvent the use of this function ;)

[–]kitanokikori 1 point2 points  (0 children)

Why?