NtUserCreateWindowEx函数主要用来创建并显示一个窗口。在Win32k.sys里的代码如下:
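/*
 * NtUserCreateWindowEx
 *
 * Entry point in win32k.sys that creates a window. The class name and
 * window name arrive as caller-supplied UNICODE_STRING pointers (the
 * "Unsafe" parameters); both are captured into local copies before they
 * are handed to co_IntCreateWindowEx, and the copies are released again
 * before returning.
 *
 * Parameters:
 *   dwExStyle, dwStyle      - window style bits, forwarded unchanged.
 *   UnsafeClassName         - caller pointer to the class name; a header
 *                             with Length == 0 must carry an atom in Buffer.
 *   UnsafeWindowName        - caller pointer to the window title, may be NULL.
 *   x, y, nWidth, nHeight   - position and size, forwarded unchanged.
 *   hWndParent, hMenu,
 *   hInstance, lpParam,
 *   dwShowMode,
 *   bUnicodeWindow          - forwarded unchanged.
 *   dwUnknown               - not used in this function.
 *
 * Returns the handle produced by co_IntCreateWindowEx, or NULL after
 * recording an error when one of the name arguments cannot be captured.
 */
HWND APIENTRY
NtUserCreateWindowEx(DWORD dwExStyle,
                     PUNICODE_STRING UnsafeClassName,
                     PUNICODE_STRING UnsafeWindowName,
                     DWORD dwStyle,
                     LONG x,
                     LONG y,
                     LONG nWidth,
                     LONG nHeight,
                     HWND hWndParent,
                     HMENU hMenu,
                     HINSTANCE hInstance,
                     LPVOID lpParam,
                     DWORD dwShowMode,
                     BOOL bUnicodeWindow,
                     DWORD dwUnknown)
{
    NTSTATUS Status;
    UNICODE_STRING WindowName;
    UNICODE_STRING ClassName;
    HWND NewWindow;
    DECLARE_RETURN(HWND);

    /* The listing printed "/n" here; the format string needs a real newline. */
    DPRINT("Enter NtUserCreateWindowEx(): (%d,%d-%d,%d)\n", x, y, nWidth, nHeight);
    /* Paired with UserLeave() under CLEANUP; every exit goes through RETURN(). */
    UserEnterExclusive();

    /*
     * Get the class name (string or atom). Only the UNICODE_STRING header
     * is captured here. Length == 0 is the atom form: Buffer then has to
     * hold an atom value rather than a string pointer.
     */
    Status = MmCopyFromCaller(&ClassName, UnsafeClassName, sizeof(UNICODE_STRING));
    if (!NT_SUCCESS(Status))
    {
        SetLastNtError(Status);
        RETURN(NULL);
    }
    if (ClassName.Length != 0)
    {
        /*
         * NOTE(review): the helper is given the caller's pointer again, not
         * the header captured above, and it overwrites ClassName. The Length
         * tested above is therefore not necessarily the one the helper acts
         * on. Confirm that the helper validates what it reads itself and
         * leaves ClassName.Buffer in a state the IS_ATOM / ExFreePoolWithTag
         * cleanup below can handle.
         */
        Status = IntSafeCopyUnicodeStringTerminateNULL(&ClassName, UnsafeClassName);
        if (!NT_SUCCESS(Status))
        {
            SetLastNtError(Status);
            RETURN(NULL);
        }
    }
    else if (!IS_ATOM(ClassName.Buffer))
    {
        /* Zero-length name whose Buffer is not an atom: reject it. */
        SetLastWin32Error(ERROR_INVALID_PARAMETER);
        RETURN(NULL);
    }

    /* Safely copy the window name; NULL is allowed and gives an empty string. */
    if (NULL != UnsafeWindowName)
    {
        Status = IntSafeCopyUnicodeString(&WindowName, UnsafeWindowName);
        if (!NT_SUCCESS(Status))
        {
            /* Release the class-name copy made above before bailing out. */
            if (!IS_ATOM(ClassName.Buffer))
            {
                ExFreePoolWithTag(ClassName.Buffer, TAG_STRING);
            }
            SetLastNtError(Status);
            RETURN(NULL);
        }
    }
    else
    {
        RtlInitUnicodeString(&WindowName, NULL);
    }

    /*
     * Call co_IntCreateWindowEx to create the window. Only the captured
     * copies of the two names are passed on, never the caller's pointers.
     * The listing had lost x, y and nWidth from this argument list; they
     * are restored here so the geometry is forwarded in full.
     * NOTE(review): check the order against the co_IntCreateWindowEx
     * prototype, which is not part of this listing.
     */
    NewWindow = co_IntCreateWindowEx(dwExStyle, &ClassName, &WindowName, dwStyle,
                                     x, y, nWidth, nHeight,
                                     hWndParent, hMenu, hInstance, lpParam,
                                     dwShowMode, bUnicodeWindow);

    /* Release the captured names; an atom class name owns no pool memory. */
    if (WindowName.Buffer)
    {
        ExFreePoolWithTag(WindowName.Buffer, TAG_STRING);
    }
    if (!IS_ATOM(ClassName.Buffer))
    {
        ExFreePoolWithTag(ClassName.Buffer, TAG_STRING);
    }

    /* Return the newly created window. */
    RETURN(NewWindow);

CLEANUP:
    /* Same "/n" -> "\n" repair as in the entry trace. */
    DPRINT("Leave NtUserCreateWindowEx,ret=%i\n", _ret_);
    UserLeave();
    END_CLEANUP;
}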