locked
How to dodge the Wow64 handle sign-extension problem RRS feed

  • General discussion

  • There is a bug in Windows 7 WOW64 -- http://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/6cc761ea-8a54-4403-9cca-2fa8680f4409/magnifier-api-on-wow64

    Now I have same problem too.

    I have written a driver to hook NtGdiBitBlt, and use NtUserCallOneParam to get the window handle from HDC handle(WindowFromDC API implemention). BUT I found the same sign-extension problem.

    The log looks like:

    OK:
    Kernel(R0) -- In Hooked_NtGdiBitBlt,  hdcSrc=0x0000000035010B75, hWndSrc=0x10010
    App(R3)    -- screen:dcScreen=0x2010ec5, hWndDesktop=0x10010, DeskWndFromDC=0x10010

    BUG:
    Kernel(R0) -- In Hooked_NtGdiBitBlt, hdcSrc=0xFFFFFFFFD3010EEB, hWndSrc=0x0
    App(R3)    -- screen: dcScreen=0xd3010eeb, hWndDesktop=0x10010, DeskWndFromDC=0x10010

    My code looks like:

    Kernel(R0)

    BOOL Hooked_NtGdiBitBlt(
                         HDC hdcDst,int  XDest,int  YDest,int  Width,int  Height,
                         HDC hdcSrc, int  XSrc, int  YSrc,
                         ULONG  ROP, ULONG crBackColor, ULONG fl)
    {
            HDC hDCLocal = hdcSrc;
    #if defined(_M_AMD64)
            if (IoIs32bitProcess(NULL))
            {
                hDCLocal = (HDC)((ULONG64)hDCLocal & 0x00000000FFFFFFFF);
            }
    #endif 
        HWND hWndFromDC = (HWND)g_pOrigNtUserCallOneParam((DWORD_PTR)hDCLocal,  ONEPARAM_ROUTINE_WINDOWFROMDC); // 0x24 in Win7 64
        KdPrint(("In Hooked_NtGdiBitBlt, hdcSrc=0x%p, hWndSrc=0x%p\n", hdcSrc, hWndFromDC));

        //some othere code
    }

    App(R3)

        HWND hWndDesktop = ::GetDesktopWindow();
        HDC hDCWDesktop = ::GetWindowDC(hWndDesktop);

        //some other code

        ::BitBlt(hDCMemory, 0, 0, width, height, hDCWDesktop 0, 0, SRCCOPY); //this will be hook in kernel

    Anybody knowns that are there any method to fix or dodge this problem?

    Thanks.


    Thursday, August 29, 2013 7:19 AM

All replies

  • hooking is not supported by Microsoft or in this forum.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, August 29, 2013 6:10 PM