I have a bit of spyware I am looking at and have done a fair amount of the basic RE already, but I ran into a problem debugging how the spyware hijacks explorer windows to display its content (which I believe is the main payload). I am stuck where the code sits in a GetMessage/TranslateMessage/DispatchMessage loop:
.text:100051E4 loc_100051E4: ; CODE XREF: STRANGE_MESSAGE_PASSING+A1j
.text:100051E4 lea ecx, [esp+28h+Msg]
.text:100051E8 push ecx ; lpMsg
.text:100051E9 call edi ; TranslateMessage
.text:100051EB lea edx, [esp+28h+Msg]
.text:100051EF push edx ; lpMsg
.text:100051F0 call ebx ; DispatchMessageA
.text:100051F2 push 0 ; wMsgFilterMax
.text:100051F4 push 0 ; wMsgFilterMin
.text:100051F6 push 0 ; hWnd
.text:100051F8 lea eax, [esp+34h+Msg]
.text:100051FC push eax ; lpMsg
.text:100051FD call esi ; GetMessageA
.text:100051FF test eax, eax
.text:10005201 jnz short loc_100051E4
I'm fairly new to RE'ing on Windows, so I've been reading up on this Windows event passing. From what I understand, when an action is done on the screen, a message is passed to the thread controlling the window, and then the event is passed on to its stub function, which designates what occurs when the action is performed.
So, my question is: is there an easy way to locate these stub functions within the code?
If what I said made no sense, my apologies.
Cheers!
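Added example (not part of the original post). The "stub functions" the question refers to are window procedures (WNDPROC) and dialog procedures (DLGPROC). DispatchMessage does not contain them; it looks up the procedure attached to the target window and calls it. The procedure gets attached in a small number of places, and those are what to hunt for in the disassembly: the lpfnWndProc field of a WNDCLASS/WNDCLASSEX structure filled in before a RegisterClass(Ex)A/W call, a SetWindowLongA/W call with nIndex = GWL_WNDPROC (-4, shown by IDA as 0FFFFFFFCh) that subclasses an existing window (the usual way to take over a window you did not create, such as an Explorer window), or the lpDialogFunc argument of DialogBoxParam/CreateDialogParam. The script below is a heuristic scan of an IDA-style text listing for those three patterns. The listing it runs on is constructed for this example, and the symbol names in it (sub_10002A40, sub_10003100, DialogFunc, aMainDlg) are invented; inside IDA itself the quicker route is the cross-references to the RegisterClassA/SetWindowLongA/DialogBoxParamA imports, but the patterns are the same.

```python
import re
from dataclasses import dataclass

# Constructed IDA-style listing written for this example (not the poster's
# sample). It contains the three common ways a message-handling routine gets
# attached to a window, so the heuristics below have something to find.
SAMPLE_LISTING = """\
.text:10001000 mov     [esp+40h+WndClass.lpfnWndProc], offset sub_10002A40
.text:10001008 lea     eax, [esp+40h+WndClass]
.text:1000100C push    eax             ; lpWndClass
.text:1000100D call    esi             ; RegisterClassA
.text:1000100F push    offset sub_10003100 ; dwNewLong
.text:10001014 push    0FFFFFFFCh      ; nIndex
.text:10001016 push    edi             ; hWnd
.text:10001017 call    ds:SetWindowLongA
.text:1000101D push    0               ; dwInitParam
.text:1000101F push    offset DialogFunc ; lpDialogFunc
.text:10001024 push    ebx             ; hWndParent
.text:10001025 push    offset aMainDlg ; lpTemplateName
.text:1000102A push    ebp             ; hInstance
.text:1000102B call    ds:DialogBoxParamA
.text:10001031 push    ecx             ; lpMsg
.text:10001032 call    ebx             ; DispatchMessageA
"""

# GWL_WNDPROC == -4; IDA prints it as 0FFFFFFFCh unless the enum is applied.
GWL_WNDPROC_IMMEDIATES = {"0FFFFFFFCh", "-4", "GWL_WNDPROC"}

LINE_RE = re.compile(r"^\.text:([0-9A-Fa-f]+)\s+(\w+)\s*(.*)$")
PUSH_OFFSET_RE = re.compile(r"^offset\s+(\w+)")
LPFNWNDPROC_RE = re.compile(r"lpfnWndProc\],\s*offset\s+(\w+)")
DLG_CALLS = ("DialogBoxParam", "DialogBoxIndirectParam",
             "CreateDialogParam", "CreateDialogIndirectParam")


@dataclass(frozen=True)
class ProcHit:
    kind: str   # how the procedure was attached to its window
    proc: str   # symbol IDA gave the routine
    addr: str   # address of the instruction that reveals it


def _split_comment(rest):
    """Split 'eax ; lpWndClass' into ('eax', 'lpWndClass')."""
    ops, _, comment = rest.partition(";")
    return ops.strip(), comment.strip()


def find_window_procs(listing, lookback=8):
    """Return ProcHit records for every WNDPROC/DLGPROC registration found."""
    hits = []
    pushes = []  # (addr, operands, comment) pushed since the last call
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, mnem, rest = m.groups()
        ops, comment = _split_comment(rest)

        if mnem == "mov":
            w = LPFNWNDPROC_RE.search(ops)
            if w:
                hits.append(ProcHit("WNDCLASS.lpfnWndProc", w.group(1), addr))
        elif mnem == "push":
            pushes.append((addr, ops, comment))
            pushes = pushes[-lookback:]
        elif mnem == "call":
            # Target is either an import (ds:Foo) or a register, in which case
            # IDA's comment names the API, exactly as in the poster's loop.
            callee = comment or ops.split(":")[-1]
            if callee.startswith("SetWindowLong") and any(
                    p[1] in GWL_WNDPROC_IMMEDIATES for p in pushes):
                for paddr, pops, _ in pushes:
                    o = PUSH_OFFSET_RE.match(pops)
                    if o:
                        hits.append(ProcHit("SetWindowLong(GWL_WNDPROC)", o.group(1), paddr))
            elif callee.startswith(DLG_CALLS):
                for paddr, pops, pcomment in pushes:
                    o = PUSH_OFFSET_RE.match(pops)
                    if o and pcomment == "lpDialogFunc":
                        hits.append(ProcHit(callee + " lpDialogFunc", o.group(1), paddr))
            pushes = []  # the call consumed its arguments
    return hits


if __name__ == "__main__":
    for h in find_window_procs(SAMPLE_LISTING):
        print(f"{h.addr}  {h.kind:28s} -> {h.proc}")
```

Once a procedure is located, the message switch inside it (compares against 0Fh for WM_PAINT, 111h for WM_COMMAND, and so on) is the table of "what happens when the action is performed". The script assumes 32-bit code with cdecl/stdcall pushes; on x64 the arguments travel in registers and the same APIs become SetWindowLongPtr/GWLP_WNDPROC, so the lookback logic would need to follow mov rcx/rdx/r8/r9 instead of push.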