detours

Trying to determine where a message is coming from


I have a complex application. There is a WM_MOUSEMOVE message coming from somewhere with the same coordinates as the last WM_MOUSEMOVE.

So I tried to iterate through all loaded modules to try and detour (using MS Detours 3.0) any ::PostMessageA() and ::PostMessageW() call from every one of them. When I did this, the only module that showed up as having these functions was C:\WINDOWS\SYSTEM32\USER32.dll (well duh!).

I had thought that every module would have its own call jump table, which is why I thought I could detour on a per module basis, but this doesn't seem to be the case, or if it is, then it is not recognized by the DetourFindFunction() command. Detouring from the local module from C:\WINDOWS\SYSTEM32\USER32.dll will result in only the calls from the local module being detoured (I think).

Is there some way to detour the same function in each module that is loaded from a common executable?

Might it be possible to have code execute from the POV of the loaded module?


Solution

  • Seems that I was wrong. I do appear to be intercepting all messages, which is awesome!

    However, the message isn't the result of a PostMessage() command. Not exactly sure what is causing it lower down as yet (or that I really need to know; probably there is some other internal Windows mechanism used to add to the message queue), but it would appear that it is triggered by a DLL that is using SendMessage(hwnd, WM_MOUSEMOVE, 0, MAKELPARAM(-1, -1)). This is making it appear to the system that the mouse is moving, and thus sending out another WM_MOUSEMOVE with the same position.
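
An added example, not code from the original post: one way to find which loaded module issues the SendMessage(hwnd, WM_MOUSEMOVE, 0, MAKELPARAM(-1, -1)) call described above is to detour SendMessageA/W in-process and resolve the caller's return address to its module. The names is_synthetic_move, log_caller, HookSendMessageA/W and install_hooks are hypothetical; the Windows part assumes MSVC with Detours linked, and only the predicate is built on other platforms.

```cpp
#include <cstdint>

// Matches the call from the post: WM_MOUSEMOVE (0x0200), wParam 0, and both
// 16-bit words of lParam equal to 0xFFFF, i.e. MAKELPARAM(-1, -1).
bool is_synthetic_move(uint32_t msg, uint64_t wparam, uint64_t lparam) {
    return msg == 0x0200 && wparam == 0 && (lparam & 0xFFFFFFFFu) == 0xFFFFFFFFu;
}

#ifdef _WIN32
#include <windows.h>
#include <intrin.h>
#include <detours.h>

static LRESULT (WINAPI *RealSendMessageA)(HWND, UINT, WPARAM, LPARAM) = SendMessageA;
static LRESULT (WINAPI *RealSendMessageW)(HWND, UINT, WPARAM, LPARAM) = SendMessageW;

// Write the path of the module containing the return address to the debugger.
static void log_caller(void *ret) {
    HMODULE mod = nullptr;
    char path[MAX_PATH] = "<unknown module>";
    if (GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
                               GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                           static_cast<LPCSTR>(ret), &mod))
        GetModuleFileNameA(mod, path, MAX_PATH);
    OutputDebugStringA(path);
}

// The detour jumps into the hook, so _ReturnAddress() here is an address
// inside the module that called SendMessage, not inside USER32.dll.
static LRESULT WINAPI HookSendMessageA(HWND h, UINT m, WPARAM w, LPARAM l) {
    if (is_synthetic_move(m, w, static_cast<uint64_t>(l))) log_caller(_ReturnAddress());
    return RealSendMessageA(h, m, w, l);
}
static LRESULT WINAPI HookSendMessageW(HWND h, UINT m, WPARAM w, LPARAM l) {
    if (is_synthetic_move(m, w, static_cast<uint64_t>(l))) log_caller(_ReturnAddress());
    return RealSendMessageW(h, m, w, l);
}

// Call once at startup; returns NO_ERROR when both detours are attached.
LONG install_hooks() {
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&(PVOID&)RealSendMessageA, HookSendMessageA);
    DetourAttach(&(PVOID&)RealSendMessageW, HookSendMessageW);
    return DetourTransactionCommit();
}
#endif
```

Because the detour patches the function body inside USER32.dll, one attach covers calls from every module in the process, which matches what the poster observed.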