As everyone knows, once NtUserSetWindowDisplayAffinity has been set on a window, that window appears as solid black.
The question is: who actually makes the window appear black? It is the Desktop Window Manager, dwm.exe.
So the idea is to patch the dwm function that draws the black image.
The wda_monitor_trick project already lays out this approach, but it is not compatible with Win
On Windows 7, Aero must be enabled for this to work; otherwise NtUserSetWindowDisplayAffinity fails to set the affinity.


On Win7 the function to patch in wmcore.dll is
CWindowNode::RenderBlackImage
It is slightly imperfect, though: if the window is also switched to borderless mode, it is hidden completely.
Finally, a word on build 19041. In testing I found that after setting the affinity the window no longer shows black but transparent. Whether this is a system mechanism or a system bug, I don't know either, but the 19041 code is completely different from that of 1909 and earlier:
NtUserSetWindowDisplayAffinity
NtUserGetWindowDisplayAffinity
A word on how to counter it.
NtUserGetWindowDisplayAffinity can query whether a given handle has the affinity set, but NtUserSetWindowDisplayAffinity cannot be called to set it on another process's window handle.

kd> uf win32k!NtUserGetWindowDisplayAffinity
win32k!NtUserGetWindowDisplayAffinity:
fffff960`001a9b60 48895c2408 mov qword ptr [rsp+8],rbx
fffff960`001a9b65 4889742410 mov qword ptr [rsp+10h],rsi
fffff960`001a9b6a 57 push rdi
fffff960`001a9b6b 4883ec40 sub rsp,40h
fffff960`001a9b6f 488bf2 mov rsi,rdx
fffff960`001a9b72 488bd9 mov rbx,rcx
fffff960`001a9b75 33ff xor edi,edi
fffff960`001a9b77 897c2460 mov dword ptr [rsp+60h],edi
fffff960`001a9b7b 488b0d964d2000 mov rcx,qword ptr [win32k!gpresUser (fffff960`003ae918)]
fffff960`001a9b82 ff15f8781c00 call qword ptr [win32k!_imp_ExEnterPriorityRegionAndAcquireResourceShared (fffff960`00371480)]
fffff960`001a9b88 488bcb mov rcx,rbx
fffff960`001a9b8b e83012ffff call win32k!ValidateHwnd (fffff960`0019adc0)
fffff960`001a9b90 4c8bd8 mov r11,rax
fffff960`001a9b93 483bc7 cmp rax,rdi
fffff960`001a9b96 7449 je win32k!NtUserGetWindowDisplayAffinity+0x81 (fffff960`001a9be1) Branch
win32k!NtUserGetWindowDisplayAffinity+0x38:
fffff960`001a9b98 488bc8 mov rcx,rax
fffff960`001a9b9b e810dd0200 call win32k!IsTopLevelWindow (fffff960`001d78b0)
fffff960`001a9ba0 3bc7 cmp eax,edi
fffff960`001a9ba2 7433 je win32k!NtUserGetWindowDisplayAffinity+0x77 (fffff960`001a9bd7) Branch
win32k!NtUserGetWindowDisplayAffinity+0x44:
fffff960`001a9ba4 488d542460 lea rdx,[rsp+60h]
fffff960`001a9ba9 498bcb mov rcx,r11
fffff960`001a9bac e837c40300 call win32k!GetDisplayAffinity (fffff960`001e5fe8)
fffff960`001a9bb1 bf01000000 mov edi,1
fffff960`001a9bb6 488bce mov rcx,rsi
fffff960`001a9bb9 488b05d8802000 mov rax,qword ptr [win32k!W32UserProbeAddress (fffff960`003b1c98)]
fffff960`001a9bc0 483bf0 cmp rsi,rax
fffff960`001a9bc3 480f43c8 cmovae rcx,rax
fffff960`001a9bc7 8b01 mov eax,dword ptr [rcx]
fffff960`001a9bc9 8901 mov dword ptr [rcx],eax
fffff960`001a9bcb 8b442460 mov eax,dword ptr [rsp+60h]
fffff960`001a9bcf 8906 mov dword ptr [rsi],eax
fffff960`001a9bd1 eb0e jmp win32k!NtUserGetWindowDisplayAffinity+0x81 (fffff960`001a9be1) Branch
win32k!NtUserGetWindowDisplayAffinity+0x77:
fffff960`001a9bd7 b957000000 mov ecx,57h
fffff960`001a9bdc e8cb10ffff call win32k!UserSetLastError (fffff960`0019acac)
win32k!NtUserGetWindowDisplayAffinity+0x81:
fffff960`001a9be1 e8025f0100 call win32k!UserSessionSwitchLeaveCrit (fffff960`001bfae8)
fffff960`001a9be6 8bc7 mov eax,edi
fffff960`001a9be8 488b5c2450 mov rbx,qword ptr [rsp+50h]
fffff960`001a9bed 488b742458 mov rsi,qword ptr [rsp+58h]
fffff960`001a9bf2 4883c440 add rsp,40h
fffff960`001a9bf6 5f pop rdi
fffff960`001a9bf7 c3 ret
The recommended user-mode approach is to NOP out the CALL to this function,
CWindowNode::RenderBlackImage
so that the window renders normally again. (The disassembly above is the kernel side; the address is located by a byte-signature search. Win8: not known.)
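As an added example (not code from the original post or from the wda_monitor_trick project), the PowerShell script below exercises the user32 wrappers around the two syscalls discussed here: it sets WDA_MONITOR on a window the script itself owns and reads the value back, then audits every top-level window in the session through GetWindowDisplayAffinity, which, as noted above, may be called on other processes' handles while SetWindowDisplayAffinity may not. The `Wda.Native` class name and the demo form are my own; the script assumes an interactive desktop with DWM composition running (on Windows 7, Aero enabled), since without it the Set call fails exactly as the post describes.

```powershell
# Added example, not from the original post or from wda_monitor_trick.
# Assumes an interactive desktop with DWM composition running
# (Windows 7: Aero enabled; without it SetWindowDisplayAffinity fails).

Add-Type -AssemblyName System.Windows.Forms
Add-Type -Namespace Wda -Name Native -MemberDefinition @'
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool GetWindowDisplayAffinity(IntPtr hWnd, out uint pdwAffinity);

    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);

    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder lpString, int nMaxCount);

    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
'@

# Documented affinity values (winuser.h).
$WDA_NONE               = 0x00
$WDA_MONITOR            = 0x01   # window content is blacked out in captures
$WDA_EXCLUDEFROMCAPTURE = 0x11   # Windows 10 2004 (build 19041) and later: window is left out of captures

# --- 1. Protect a window this process owns, then read the win32k-side state back. ---
$form = New-Object System.Windows.Forms.Form   # constructed demo window, never shown
$form.Text = 'WDA demo'
$hwnd = $form.Handle                            # forces creation of the top-level HWND

if (-not [Wda.Native]::SetWindowDisplayAffinity($hwnd, $WDA_MONITOR)) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $msg = 'SetWindowDisplayAffinity failed, Win32 error {0}. Is DWM composition running (Win7: Aero enabled)?' -f $err
    Write-Warning $msg
}
[uint32]$affinity = 0
[void][Wda.Native]::GetWindowDisplayAffinity($hwnd, [ref]$affinity)
'Own window 0x{0:X}: affinity = 0x{1:X}' -f $hwnd.ToInt64(), $affinity

# --- 2. Audit: which top-level windows in this session (any process) claim capture protection? ---
$found = New-Object System.Collections.Generic.List[object]
$callback = [Wda.Native+EnumWindowsProc]{
    param([IntPtr]$h, [IntPtr]$lParam)
    [uint32]$a = 0
    # Get works on foreign handles; Set would be rejected for any window we do not own.
    if ([Wda.Native]::GetWindowDisplayAffinity($h, [ref]$a) -and $a -ne $WDA_NONE) {
        $title = New-Object System.Text.StringBuilder 256
        [void][Wda.Native]::GetWindowText($h, $title, $title.Capacity)
        [uint32]$owner = 0
        [void][Wda.Native]::GetWindowThreadProcessId($h, [ref]$owner)
        $found.Add([pscustomobject]@{
            Hwnd     = '0x{0:X}' -f $h.ToInt64()
            Pid      = $owner
            Affinity = '0x{0:X}' -f $a
            Title    = $title.ToString()
        })
    }
    return $true   # keep enumerating
}
[void][Wda.Native]::EnumWindows($callback, [IntPtr]::Zero)
$found | Format-Table -AutoSize

$form.Dispose()
```

Run it in a normal desktop session; the first line of output shows the script's own window with affinity 0x1, and the table lists every other window whose owner has set a non-zero affinity. One caveat worth keeping in mind when using this as a check: the flag lives in win32k, while the bypass the post describes patches dwm's rendering path, so a window whose black image is no longer drawn still reports 0x1 here. Reading the affinity back tells you what the application asked for, not whether the compositor is honouring it.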