Quote Originally Posted by Kayaker
Thanks for that Kayaker.

I was just investigating another possible method that I got from this suggestion:

What you need is to get the window procedure address....
A simple solution is to retrieve it manually with Spy++. Once you have it, go to that address and put a conditional breakpoint....

What I did was load explorer and open it to a directory in which I could install notepad. I then opened SPYXX and found the entry for explorer under "directory" ExploreWClass. Under that heading is another called SHELLDLL_DefView with the hwnd in front of it.

Under SHELLDLL_DefView is another entry called "FolderView" SysListView32. FolderView is the window in Explorer where the folders are found.

If you highlight that line, "FolderView" SysListView32, right-click and select Properties, you will find the Window Proc address to be 77420C9D, and it is found in comctl32.dll version 6.0.2600.6028.

Note: the comctl32 version is found in Windows\winsxs, not in Windows\system32.

That winproc in comctl32 is the beginning of a function in IDA that leads to CALL GetWindowLongW. The first push before that call is the hwnd and the previous push is the index.

Theoretically, in my particular version of Explorer, I should be able to BP on GetWindowLongW with the hwnd found in SPYXX as a condition.

I realize that the winproc shown in SPYXX is not the address of the call to GetWindowLongW, which comes shortly after at 77420CC5. However, the push for the hwnd is a push eax and that is loaded by a mov eax, [ebp+8] a few steps before.

It might be possible to use the SPYXX winproc address for the "FolderView" SysListView32 explorer window with the condition that [ebp+8] = hwnd of same. ebp does not seem to change from the winproc address until GetWindowLongW is called.

.text:77420C9D                 mov     edi, edi
.text:77420C9F                 push    ebp
.text:77420CA0                 mov     ebp, esp
.text:77420CA2                 sub     esp, 148h
.text:77420CA8                 mov     eax, dword_774623E0
.text:77420CAD                 push    ebx
.text:77420CAE                 mov     ebx, [ebp+10h]
.text:77420CB1                 push    esi
.text:77420CB2                 push    edi
.text:77420CB3                 mov     edi, [ebp+14h]
.text:77420CB6                 mov     [ebp-4], eax
.text:77420CB9                 mov     eax, [ebp+8]
.text:77420CBC                 push    0
.text:77420CBE                 push    eax
.text:77420CBF                 mov     [ebp-108h], eax
.text:77420CC5                 call    ds:GetWindowLongW
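An added example, not part of the original post: the conditional breakpoints described above written out for WinDbg on a 32-bit target, using the addresses from the listing; HWND_FROM_SPYXX is a placeholder for the handle read from Spy++. Note that at the entry address ebp has not been set up yet, so the hwnd is at [esp+4] there and only becomes [ebp+8] after the mov ebp, esp.

```windbg
* Added example (not from the post). Replace HWND_FROM_SPYXX with the
* hex handle shown by Spy++ for "FolderView" SysListView32. Addresses
* are those of comctl32.dll 6.0.2600.6028 from the listing above.

* 1) Function entry at 77420C9D: ebp is not yet the frame pointer, so the
*    first argument (hwnd) is at [esp+4]; [ebp+8] would be wrong here.
bp 77420C9D ".if (poi(esp+4) != HWND_FROM_SPYXX) { gc } .else { .echo WndProc entered for FolderView }"

* 2) From 77420CA2 (after push ebp / mov ebp, esp) the frame is set up and
*    the condition from the post, [ebp+8] == hwnd, holds until the call.
bp 77420CA2 ".if (poi(ebp+8) != HWND_FROM_SPYXX) { gc }"

* 3) At the call site 77420CC5 both arguments are pushed: [esp] is the
*    hwnd (push eax) and [esp+4] is nIndex (push 0).
bp 77420CC5 ".if (poi(esp) != HWND_FROM_SPYXX) { gc } .else { .printf \"GetWindowLongW(hwnd=%x, nIndex=%x)\\n\", poi(esp), poi(esp+4) }"
```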