The MFC program is a common type of program. I calmed down and studied the message process of the MFC. After figuring out the source Committee, everything suddenly went on, and found that tracking the MFC program and Message Processing turned out to be so..., tracking button event processing also became particularly simple.
As a result, I have written these studies for future reference. I hope it will be helpful for cainiao like me. If there are any mistakes, please correct them.
The purpose of this article is to take a standard Dialog Box program of MFC as an example, at the same time from the source code and disassembly code to study the process of the MFC message, find out all the sites of the MFC message path, in this way, all message events of MFC can be located at will, and the processing process of MFC can be tracked and analyzed from any site. You can even start from the pumpmessage base camp and keep track of the entire process.
The Startup Process of the dialog box is very simple. After the program enters the winmain function, it will call the domodal function of the dialog box and then enter the runmodalloop function. The message loop starts here. Limited space, I will not talk about this article. If you are interested, please refer to the source code of MFC. This article focuses on analyzing the message delivery and processing process of MFC.
Let's take a look at the source code of the runmodalloop function:
Int cwnd: runmodalloop (DWORD dwflags)
{...
For (;;)
{...
Do
{If (! Afxgetthread ()-> pumpmessage () // pump message, but quit on wm_quit
{
Afxpostquitmessage (0 );
Return-1;
}
...
} While (: peekmessage (PMSG, null, pm_noremove ));
}
...
}
Here, afxgetthread ()-> pumpmessage () is the base camp of MFC message processing. All the messages in the MFC program start from here. After many path transformations, they go through the mountains and go straight to the Windows kernel, return to the MFC field, and find the final destination-message function address after many twists and turns. It can be said that there is no way to recover from problems.
The process of clicking an event with a button is as follows:
CWinThread: PumpMessage-> CWnd: PretranslateMessage-> CWnd: audio-> CD1Dlg: audio-> CDialog: PreTranslateMessage-> CWnd: PreTranslateInput-> CWnd :: isDialogMessageA-> USER32 kernel-> AfxWndProc-> AfxCallWndProc-> CWnd: WindowProc-> CWnd: OnWndMsg-> CWnd: OnCommand-> CDialog :: on‑msg-> c‑target: on‑msg-> _ afxdispatch‑msg-> CD1Dlg: OnButton1 ()
Under VC, you can write a standard Dialog Box program by hand. Put a button above and click the button to bring up a message box. We will analyze the message process from PumpMessage:
1. CWinThread: PumpMessage function (Message pump)
BOOL CWinThread: PumpMessage ()
{// GetMessage: if the message is WM_QUIT, 0 is returned. If the message is other messages, TRUE is returned. If the message is incorrect,-1 is returned.
If (! : Getmessage (& m_msgcur, null) return false;
If (m_msgcur.message! = Wm_kickidle &&! Pretranslatemessage (& m_msgcur ))
{
: Translatemessage (& m_msgcur );
: Dispatchmessage (& m_msgcur );
}
Return true;
}
Pumpmessage returns false only when the wm_quit message is received. In other cases, true is returned. Since the cwinthread: pumpmessage () function is used to obtain, translate, and distribute messages from a message queue, this function is often called a "message pump ".
In the pumpmessage function, the pretranslatemessage function is crucial. It is with this pretranslatemessage () that MFC can flexibly control the message delivery mode. It can be said that pretranslatemessage () is the tool for implementing the Message Delivery Mode of MFC.
Pumpmessage function disassembly code:
73d31194> 56 push ESI
...
73d311a1 ff15 b0b6dc73 call dword ptr ds: [<& user32.getmessagea>]
73d311a7 85c0 test eax, eax
73d311a9 74 26 je short mfc42.73d311d1; Receive wm_quit and exit the program
73d311ab 817e 38 6a030000 cmp dword ptr ds: [ESI + 38], 36a
73d311b2 74 1A je short mfc42.73d311ce
73D311B4 8B06 mov eax, dword ptr ds: [ESI]
73D311B6 57 PUSH EDI
73D311B7 8BCE mov ecx, ESI
73D311B9 FF50 60 call dword ptr ds: [EAX + 60]; PreTranslateMessage (Message preprocessing)
73D311BC 85C0 test eax, EAX
73D311BE 75 0E jnz short MFC42.73D311CE
73D311C0 57 push edi; message preprocessing returns FALSE
73D311C1 FF15 ACB6DC73 call dword ptr ds: [<& USER32.TranslateMessage>]
73D311C7 57 PUSH EDI
73d311c8 ff15 30b6dc73 call dword ptr ds: [<& user32.dispatchmessagea>]
;
73d311ce 6a 01 Push 1; return true
73d311d0 58 pop eax
73d311d1 5f pop EDI
73d311d2 5E pop ESI
73D311D3 C3 RETN
Tip:
A. OD after the program is loaded, call up the MFC42.dll module and locate the PumpMessage code entry.
B. Set the condition breakpoint [[esp] + 4] = 202 on the CALL DWORD PTR DS: [EAX + 60] statement to set the left mouse button to release the breakpoint.
Note: call [eax + 60] calls the PreTranslateMessage function. The entry parameter is MSG * pMsg, so:
[Esp] Is pMsg, while [[esp] Is pMsg-> hWnd, and [[esp] + 4] Is pMsg-> Message
C. [[esp] = 002407B4 & [[esp] + 4] = 202 you can set a breakpoint for a specified button. Here 002407B4 is the handle of the target button.
2. CWinThread: PreTranslateMessage Function
BOOL CWinThread: PreTranslateMessage (MSG * pMsg)
{// If this is a thread-message, short-circuit this function
If (pMsg-> hwnd = NULL & DispatchThreadMessageEx (pMsg) return TRUE;
CWnd * pMainWnd = AfxGetMainWnd ();
// Distribute messages through inclupretranslatetree
If (CWnd: inclupretranslatetree (pMainWnd-> GetSafeHwnd (), pMsg) return TRUE; // key to message distribution
If (pMainWnd! = NULL)
{
CWnd * pWnd = CWnd: FromHandle (pMsg-> hwnd );
If (pWnd-> GetTopLevelParent ()! = PMainWnd)
Return pMainWnd-> PreTranslateMessage (pMsg); // The main program framework processes messages.
}
Return false; // no special processing
}
Pretranslatemessage function disassembly code
73d313d0> push ESI
73d313d1 push EDI
73d313d2 mov EDI, dword ptr ss: [esp + C]
73d313d6 cmp dword ptr ds: [EDI], 0
73d313d9 je mfc42.73d8e9a1
73d313df call mfc42. #6575 _? Afxgetmainwnd @ ygpavcw>
73d313e4 mov ESI, eax
73d313e6 test ESI, ESI
73d313e8 je short mfc42.73d313ed
73d313ea mov eax, dword ptr ds: [ESI + 20]
73d313ed push EDI
73d313ee push eax
73d313ef call mfc42. #6367 _? Walkpretranslatetree @ C>
73d313f4 test eax, eax
73d313f6 jnz short mfc42.73d31415
73d313f8> test ESI, ESI
73d313fa je short mfc42.73d3140e
73d313fc push dword ptr ds: [EDI]
73d313fe call mfc42. #2864 _? Fromhandle @ cwnd @ sgpav>
73d31403 mov ECx, eax
73d31405 call mfc42. #3815 _? Gettoplevelparent @ cwnd>
73d3140a CMP eax, ESI
73d3140c jnz short mfc42.73d3141a
73d3140e XOR eax, eax
73d31410 pop EDI
73d31411 pop ESI
73d31412 retn 4
Tip:
A. OD after the program is loaded, call up the mfc42.dll module and locate the pretranslatemessage code entry.
B. Set the condition breakpoint [[esp + 4] + 4] = 202 at the function entrance to set the left mouse button to release the breakpoint.
Note: The entry parameter of this function is MSG * PMSG. At the entrance, [esp] is the return address of the function, so:
[Esp + 4] Is PMSG, and [[esp + 4] Is PMSG-> hwnd, [[esp + 4] + 4] Is PMSG-> message
C. [[esp + 4] = 002407b4 & [[esp + 4] + 4] = 202 you can set a click breakpoint for a specified button. Here 002407b4 is the handle of the target button.
3. cwnd: extends pretranslatetree Function
The policy used by cwnd: Define pretranslatetree () is very simple. It has the right to process the message first in the message window. If it does not want to process the message (the pretranslatemessage () of the window object () if the function returns false), the processing permission is handed over to its parent window, so that the tree is traversed to the root until hwndstop (in cwinthread: pretranslatemessage, hwndstop indicates the handle of the main thread window ).
Remember the transfer direction of this message processing right. It is transmitted to the root of the tree by a common node or leaf node of the tree!
Bool Pascal cwnd: FIG (hwnd hwndstop, MSG * PMSG)
{For (hwnd = PMSG-> hwnd; hwnd! = NULL; hwnd =: getparent (hwnd) // from the current window to the parent window, layer by layer
{Cwnd * pwnd = cwnd: fromhandlepermanent (hwnd );
If (pwnd! = NULL)
{// Target window is a C ++ window
If (pWnd-> PreTranslateMessage (pMsg) return TRUE; // if the message is processed by a window, return
}
If (hWnd = hWndStop) break; // got to hWndStop window without interest
}
Return FALSE; // no special processing
}
It is this if (pWnd-> PreTranslateMessage (pMsg) return TRUE; that achieves the flexible message distribution and processing mechanism of MFC. The PreTranslateMessage virtual functions that are reloaded in various window classes of the MFC program come in from here.
MFC searches and executes the PreTranslateMessage function of each class step by step from the current message window class, as long as there is a PreTranslateMessage Function
True is returned. If the parameter pretranslatetree is returned, the search is aborted and true is returned. Otherwise, false is returned.
In the pumpmessage function, the final result is to determine whether to process and distribute messages in Windows based on the return value of the paipretranslatetree function.
The disassembly code of the walkpretranslatetree function is as follows:
73d31389 mov EDI, EDI; d1.0040308c
73d3138b push ESI
73d3138c push EDI
73d3138d mov EDI, dword ptr ss: [esp + 10]
73d31391 mov ESI, dword ptr ds: [EDI]
73d31393 JMP short mfc42.73d313bd
73d31395/push ESI
73D31396 | CALL MFC42. #2867 _? FromHandlePermanent @ CWnd @ SGPAV>; obtain the CWnd pointer value.
73D3139B | test eax, EAX; when the value of CWnd * is not NULL, CWnd: PreTranslateMessage () is called ()
73D3139D | je short MFC42.73D313AE
73D3139F | mov edx, dword ptr ds: [EAX]
73D313A1 | PUSH EDI
73D313A2 | mov ecx, EAX
73D313A4 | call dword ptr ds: [EDX + 98]; <JMP. & MFC42. #5280 _? PreTranslateMessage>; call through virtual functions
73D313AA | test eax, EAX
73D313AC | jnz short MFC42.73D313C8; if the message is processed, TRUE is returned.
73D313AE | cmp esi, dword ptr ss: [ESP + C]
73D313B2 | je short MFC42.73D313C1
73D313B4 | push esi;/hWnd
73D313B5 | call dword ptr ds: [<& USER32.GetParent>]; \ GetParent
73D313BB | mov esi, EAX
73D313BD test esi, ESI
73D313BF \ jnz short MFC42.73D31395
73d313c1 XOR eax, eax; false
73d313c3 pop EDI
73d313c4 pop ESI
73d313c5 retn 8
73d313c8 XOR eax, eax
73d313ca Inc eax; returns true
73d313cb JMP short mfc42.73d313c3
Tracking instructions:
In the above sentence 73d313a4 call dword ptr ds: [edX + 98], click the set button to set the condition breakpoint: [[esp] = 002407b4 & [[esp] + 4] = 202
It can be found that when the button is clicked, the event function code will be executed after the button is clicked. After the event function code is executed, the call will return true.
4. cd1dlg: pretranslatemessage Function
Bool cdialog: pretranslatemessage (MSG * PMSG)
{...
Return CDialog: PreTranslateMessage (pMsg );
}
If the window class for receiving messages reloads the PreTranslateMessage function, it will be called at this time; otherwise, step 2 will be taken. In practical application, it is likely to be a watershed in the message process and may go two different ways. This depends entirely on the code added by the application. If the application returns TRUE here, the message flow will return. Otherwise, the execution will continue.
When tracing a button message, this should be taken as a note, and the best position for setting the breakpoint is the position stated in the previous javaspretranslatetree function. Follow up and pay attention to the Message flow.
5. CDialog: PreTranslateMessage Function
BOOL CDialog: PreTranslateMessage (MSG * pMsg)
{
If (CWnd: PreTranslateMessage (pMsg) return TRUE;
CFrameWnd * pFrameWnd = GetTopLevelFrame ();
If (pFrameWnd! = NULL & pFrameWnd-> m_bHelpMode) return FALSE;
If (pMsg-> message = WM_KEYDOWN & (pMsg-> wParam = VK_ESCAPE | pMsg-> wParam = VK_CANCEL )&&
(: GetWindowLong (pMsg-> hwnd, GWL_STYLE) & ES_MULTILINE) & _ AfxCompareClassName (pMsg-> hwnd, _ T ("Edit ")))
{
HWND hItem =: GetDlgItem (m_hWnd, IDCANCEL );
If (hItem = NULL |: isw.wenabled (hItem ))
{
SendMessage (WM_COMMAND, IDCANCEL, 0 );
Return TRUE;
}
}
Return PreTranslateInput (pMsg); // message inflow here
}
CDialog: PreTranslateMessage () The disassembly code is as follows:
73D468A4> PUSH ESI
73D468A5 PUSH EDI
73D468A6 mov edi, dword ptr ss: [ESP + C]
73D468AA mov esi, ECX
73D468AC PUSH EDI
73D468AD CALL MFC42. #5290 _? PreTranslateMessage @ CWnd @ UAEHPAUtagMSG @>
73D468B2 test eax, EAX
73D468B4 JNZ MFC42.73D8D490
73D468BA mov ecx, ESI
73D468BC CALL MFC42. #3813 _? GetTopLevelFrame @ CWnd QBEPAVCFrameWnd>
73d468c1 test eax, eax
73d468c3 jnz mfc42.73d8d429
73d468c9 cmp dword ptr ds: [EDI + 4], 100
73d468d0 je short mfc42.73d468df
73d468d2 push EDI
73d468d3 mov ECx, ESI
73d468d5 call mfc42. #5278 _? Pretranslateinput @ cwnd @ qaehpautagmsg>; the message flows from here
73d468da pop EDI
73d468db pop ESI
73d468dc retn 4
6. cwnd: pretranslateinput Function
Bool cwnd: pretranslateinput (lpmsg)
{
If (lpmsg-> message <wm_keyfirst | lpmsg-> message> wm_keylast )&&
(Lpmsg-> message <wm_mousefirst | lpmsg-> message> wm_mouselast) // filter messages
Return false;
Return isdialogmessage (lpmsg );
}
From the source code, we can see that this function is used to filter messages. For button messages and mouse messages, false is directly returned, and then return to the pumpmessge function, and the translagemessage () and dispatchmessage () are called () function to convert and distribute messages, and then enter the MFC. For other messages, call the cwnd: isdialogmessage () function for next processing.
Cwnd: pretranslateinput () function disassembly code is as follows:
73d34009> mov edX, dword ptr ss: [esp + 4]
73d3400d mov eax, dword ptr ds: [edX + 4]
73d34010 CMP eax, 100
73d34015 JNB short mfc42.73d34023
73d34017 CMP eax, 200
73d3401c JNB short mfc42.73d34032
73d3401e XOR eax, eax
73d34020 retn 4
73d34023 CMP eax, 108
73d34028 ^ ja short mfc42.73d34017
73d3402a push edX
73d3402b call mfc42. #4047 _? Isdialogmessagea @ cwnd qaehpautagmsg @ Z
73d34030 ^ JMP short mfc42.73d34020
73d34032 CMP eax, 209
73d34037 ^ jbe short mfc42.73d3402a
73d34039 ^ JMP short mfc42.73d3401e
7. CWnd: IsDialogMessageA Function
BOOL CWnd: IsDialogMessage (LPMSG lpMsg)
{
If (m_nFlags & WF_OLECTLCONTAINER)
Return afxOccManager-> IsDialogMessage (this, lpMsg );
Else
Return: IsDialogMessage (m_hWnd, lpMsg );
}
Here, the User32.IsDialogMessageA function is transferred to the system kernel, and the Windows system is responsible for transmitting messages to various target Windows.
Note: User32.IsDialogMessage is not used to check the dialog box message as its name, but to explain or convert the message. The more appropriate name is TranslateDialogMessage. CWnd: IsDialogMessage is actually a package function that uses LPMSG as the parameter and adds the m_hWnd parameter to call User32.IsDialogMessage. In this way, each dialog box in MFC will explain its input. Therefore, if you run the five dialogs at the same time, the PreTranslateMessage of each dialog box will automatically call User32.IsDialogMessage, and it works well. We can skip programming. MFC is really awesome.
CWnd: IsDialogMessageA function disassembly code:
73D468F5> PUSH ESI
73D468F6 mov esi, ECX
73D468F8 test byte ptr ds: [ESI + 29], 1
73D468FC JNZ MFC42.73D8E273
73D46902 push dword ptr ss: [ESP + 8]
73D46906 push dword ptr ds: [ESI + 20]
73D46909 call dword ptr ds: [<& USER32.IsDialogMessageA>]; enter the system kernel
73D4690F POP ESI
73D46910 RETN 4
Tip:
1. OD disconnection: bp IsDialogMessageA MSG = 202, when the left mouse button is released, it will be interrupted at the User32.IsDialogMessageA function entry.
2. If you know the handle of a button and require that the program be interrupted on IsDialogMessageA when you click this button, you can make the following settings:
Bp IsDialogMessageA [[esp + 8] ===00060350 & MSG = 202.
3. After interruption, return to the code of the cwnd: isdialogmessagea function through the stack.
========================================================== ========================================================== ======================================
8. USER32 kernel processing without Analysis
In this process, we can use it as a black box. In general, you don't need to worry about it. Because we believe in it.
========================================================== ========================================================== ======================================
When the message arrives here, And before entering the MFC field. Step 1, it can be said that the peak is often turned back and the mountains are heavy. After step 2, it is a dark flower, you can sing a song all the way, go straight to the destination.
I want to know what to do later, and listen to the next decomposition!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
