Most of what a Windows program does happens in windows, and a window's behavior is defined by its window function (window procedure). To change the program's behavior, you therefore often need to find the window function of the relevant window and edit it.
To demonstrate this technique, I have chosen the FILES.EXE program, which is useful for searching for information in a local area network. Choose one of this program's dialogs and try to find its window function. Let it be the "Network computer name" window.
First, use the W32Dasm program. The step-by-step search procedure is as follows:
Load the FILES.EXE program.
Choose Load Process from the Debug menu to start the debugger.
Press <F9> to start the program, and go to the required window.
Now comes the crucial moment. Click the Terminate Process button to open the disassembler window.
Scroll the code upward, and you'll locate the call to the DialogBoxParam API function. Listing 26.3 shows the required code fragment.
* Referenced by an (U)nconditional or (C)onditional Jump at Address: :004156BE(C)
:004156CA FF7508       PUSH [EBP+08]
:004156CD E8369EFFFF   CALL 0040F508
:004156D2 59           POP ECX
:004156D3 6A00         PUSH 00000000
:004156D5 68019C4000   PUSH 00409C01
:004156DA FF7508       PUSH [EBP+08]
* Possible StringData Ref from Data Obj ->"DIAL3000"
:004156DD 6896904300   PUSH 00439096
:004156E2 FF3548CA4300 PUSH DWORD PTR [0043CA48]
* Reference To: USER32.DialogBoxParamA, Ord:0000h
:004156E8 E85F0D0200   CALL 0043644C
:004156ED 8A153C324D00 MOV DL, BYTE PTR [004D323C]
Recall the arguments of the DialogBoxParam function: the fourth parameter is the address of the dialog's window procedure. Because the arguments are pushed in reverse order, it is the fourth PUSH counting back from the call, so the window procedure is located at address 00409C01. Go to that address (Listing 26.4).
:00409C01 55           PUSH EBP
:00409C02 8BEC         MOV EBP, ESP
:00409C04 8B450C       MOV EAX, DWORD PTR [EBP+0C]
:00409C07 2D10010000   SUB EAX, 00000110
:00409C0C 7413         JE 00409C21
:00409C0E 48           DEC EAX
:00409C0F 0F84EB000000 JE 00409D00
:00409C15 2D01020000   SUB EAX, 00000201
:00409C1A 7444         JE 00409C60
:00409C1C E969010000   JMP 00409D8A
Look at Fig. 26.4 to make sure that this code is the start of a function. To confirm that this function is the one you need, introduce some changes and check the result.
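The argument-mapping step above (counting PUSHes back from the call to recover the fourth DialogBoxParam argument) can be automated over a W32Dasm-style listing. The following script is an added example, not code from the book or from FILES.EXE; it embeds the lines of Listing 26.3 as constructed sample input and assumes the listing format shown on this page (address, opcode bytes, mnemonic, operands, with `*` annotation lines preceding the instruction they describe).

```python
import re

# Constructed sample: Listing 26.3 from the page, one instruction per line as W32Dasm prints it
LISTING = """\
:004156D2 59 POP ECX
:004156D3 6A00 PUSH 00000000
:004156D5 68019C4000 PUSH 00409C01
:004156DA FF7508 PUSH [EBP+08]
* Possible StringData Ref from Data Obj ->"DIAL3000"
:004156DD 6896904300 PUSH 00439096
:004156E2 FF3548CA4300 PUSH DWORD PTR [0043CA48]
* Reference To: USER32.DialogBoxParamA, Ord:0000h
:004156E8 E85F0D0200 CALL 0043644C
"""
# DialogBoxParamA parameters in declaration order; stdcall pushes them right to left,
# so the PUSH nearest the CALL is hInstance and the fourth one back is lpDialogFunc.
DIALOGBOXPARAM_ARGS = ["hInstance", "lpTemplateName", "hWndParent",
                       "lpDialogFunc", "dwInitParam"]
LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+[0-9A-Fa-f]+\s+(\w+)\s*(.*)$")

def parse_listing(text):
    """Return (address, mnemonic, operands, comment); '*' lines annotate the next instruction."""
    out, pending = [], []
    for raw in (l.strip() for l in text.splitlines()):
        if raw.startswith("*"):
            pending.append(raw[1:].strip())
        elif (m := LINE_RE.match(raw)):
            out.append((int(m.group(1), 16), m.group(2).upper(), m.group(3).strip(), " ".join(pending)))
            pending = []
    return out

def stdcall_args_before_call(text, api_name, arg_names):
    """Map the PUSHes preceding the CALL annotated with api_name onto arg_names."""
    instrs = parse_listing(text)
    for i, (addr, mnem, _ops, comment) in enumerate(instrs):
        if mnem != "CALL" or api_name not in comment:
            continue
        pushes, j = [], i - 1
        while j >= 0 and len(pushes) < len(arg_names) and instrs[j][1] == "PUSH":
            pushes.append(instrs[j][2])   # walking backwards yields arguments in declaration order
            j -= 1
        if len(pushes) != len(arg_names):
            raise ValueError("expected %d PUSHes before %s, found %d" % (len(arg_names), api_name, len(pushes)))
        return addr, dict(zip(arg_names, pushes))
    raise ValueError("no CALL to %s in listing" % api_name)

def dialog_proc_address(text):
    """The dialog (window) procedure is DialogBoxParam's fourth argument, lpDialogFunc."""
    _call, args = stdcall_args_before_call(text, "DialogBoxParamA", DIALOGBOXPARAM_ARGS)
    return int(args["lpDialogFunc"], 16)   # 0x409C01 for Listing 26.3
```

The same walk-back works for any stdcall API in a listing once you supply its parameter list in declaration order; a mismatch in the PUSH count is a sign that the compiler reused a value already on the stack or that the listing was cut.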
Now, try to achieve the same goal using the SoftIce debugger:
Use LOADER32.EXE to load the FILES.EXE program into the SoftIce debugger.
Press <Ctrl>+<D> to start the program.
Open all dialogs except the last one.
Before opening the last dialog, enter the debugger and set a breakpoint on the DialogBoxParamA function: BPX DialogBoxParamA.
Return to the program that you need to change, and open the required dialog. The debugger will start automatically because of the breakpoint.
Press <F11>, and you'll be returned to the call site either immediately or after closing the dialog (once again, you'll find yourself in the debugger).
View the call to the DialogBoxParam function, and you'll easily find the address of the window procedure. Naturally, it will be the same address as the one found with W32Dasm (see Listing 26.3).
While on the subject of SoftIce, I'll mention another way of finding the window function. Use the HWND command to list the handles of the open windows. Then set a conditional breakpoint that fires when the first parameter of the window procedure equals the window handle. For example, this can be done with the following command:
BPX EIP IF(EBP+8==N)
Here, N is the window handle that you located earlier. After that, it only remains to carry out some operation in the window; this will cause a message to be sent to its window function.