前面介绍了DllMain的入口函数，但GDI32的初始化函数并不是在入口函数里进行的，那么它到底在那里初始化的呢？它的初始化流程又是怎么样的呢？下面就来解决这两个问题，通过代码来分析它的过程。

通过仔细地分析代码的调用关系，可以看到GDI32的初始化是在USER32模板里进行的，先在USER32的DllMain函数里初始化，如下：

#001 INT WINAPI

#002 DllMain(

#003 IN PVOID hInstanceDll,

#004 IN ULONG dwReason,

#005 IN PVOID reserved)

#006 {

#007 switch (dwReason)

#008 {

#009 case DLL_PROCESS_ATTACH:

#010 User32Instance = hInstanceDll;

#011 if (!NtUserRegisterUserModule(hInstanceDll) ||

#012 !RegisterSystemControls())

#013 {

#014 return FALSE;

#015 }

#016

这里调用USER32的初始化函数。

#017 if (!Init())

#018 return FALSE;

#019 if (!InitThread())

#020 {

#021 Cleanup();

#022 return FALSE;

#023 }

#024

#025 /* Initialize message spying */

#026 if (!SPY_Init()) return FALSE;

#027

#028 break;

#029

#030 case DLL_THREAD_ATTACH:

#031 if (!InitThread())

#032 return FALSE;

#033 break;

#034

#035 case DLL_THREAD_DETACH:

#036 CleanupThread();

#037 break;

#038

#039 case DLL_PROCESS_DETACH:

#040 if (hImmInstance) FreeLibrary(hImmInstance);

#041 CleanupThread();

#042 Cleanup();

#043 break;

#044 }

#045

#046 return TRUE;

#047 }

#048

在函数Init()函数里调用GDI32的初始化函数，如下：

#001 BOOL

#002 Init(VOID)

#003 {

#004 /* Set up the kernel callbacks. */

#005 NtCurrentPeb()->KernelCallbackTable[USER32_CALLBACK_WINDOWPROC] =

#006 (PVOID)User32CallWindowProcFromKernel;

#007 NtCurrentPeb()->KernelCallbackTable[USER32_CALLBACK_SENDASYNCPROC] =

#008 (PVOID)User32CallSendAsyncProcForKernel;

#009 NtCurrentPeb()->KernelCallbackTable[USER32_CALLBACK_LOADSYSMENUTEMPLATE] =

#010 (PVOID)User32LoadSysMenuTemplateForKernel;

#011 NtCurrentPeb()->KernelCallbackTable[USER32_CALLBACK_LOADDEFAULTCURSORS] =

#012 (PVOID)User32SetupDefaultCursors;

#013 NtCurrentPeb()->KernelCallbackTable[USER32_CALLBACK_HOOKPROC] =

#014 (PVOID)User32CallHookProcFromKernel;

#015 NtCurrentPeb()->KernelCallbackTable[USER32_CALLBACK_EVENTPROC] =

#016 (PVOID)User32CallEventProcFromKernel;

#017

#018 g_pi = GetW32ProcessInfo();

#019 g_kpi = SharedPtrToKernel(g_pi);

#020 g_psi = SharedPtrToUser(g_pi->psi);

#021 gHandleTable = SharedPtrToUser(g_pi->UserHandleTable);

#022 gHandleEntries = SharedPtrToUser(gHandleTable->handles);

#023

#024 /* Allocate an index for user32 thread local data. */

#025 User32TlsIndex = TlsAlloc();

#026 if (User32TlsIndex != TLS_OUT_OF_INDEXES)

#027 {

#028 if (MessageInit())

#029 {

#030 if (MenuInit())

#031 {

#032 InitializeCriticalSection(&U32AccelCacheLock);

在这里调用GDI32的初始化函数GdiDllInitialize。

#033 GdiDllInitialize(NULL,DLL_PROCESS_ATTACH,NULL);

#034 InitStockObjects();

#035 LoadAppInitDlls();

#036

#037 return TRUE;

#038 }

#039 MessageCleanup();

#040 }

#041 TlsFree(User32TlsIndex);

#042 }

#043

#044 return FALSE;

#045}

原文链接：https://www.f2er.com/react/308368.html