Originally Posted by Kayaker:
> I guess what's confusing me is I don't see GetMessageW in the list of imports in IDA in either mmc.exe or devmgr.dll. You must have a secret trick.

Heh!!!

No trick of mine; it all comes down to the code snippet to break on a message box OK button.

bp user32!GetMessageW "pt;gc"
g
bc *
.load sdbgext
bp @eip ".if (poi(poi(esp+4)+4) == 0x202) {!hwnd poi(poi(esp+4));gc } .else {gc}"
g

I could not get the extension sdbgext to work in w64 and therefore could not employ the !hwnd poi(poi(esp+4)). However, the bp user32!GetMessageW "pt;gc" got me right into the message loop for windows, and it was retrieving messages from Device Manager (I presume devmgr.dll).

I know the message loop processes all messages from user apps, but when I was there it was processing only Device Manager window messages. Many of them were 0xf messages for WM_PAINT.

I guess because I was in the context for Device Manager when I activated the OK button, Windows must have retrieved the message. It was a 32770 dialog box.

https://docs.microsoft.com/en-us/windows/desktop/winmsg/about-window-classes

I may be all wet, but it is my understanding that the window's message loop uses GetMessageW and that it is a system thing. It processes any Windows message and passes it on to the calling application.

Looked it up:

https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-getmessagew

GetMessageW function

Retrieves a message from the calling thread's message queue. The function dispatches incoming sent messages until a posted message is available for retrieval.
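The breakpoint condition in the snippet above tests the message field at lpMsg+4, which is the 32-bit MSG layout; this added example (not part of the original post) decodes captured MSG bytes for both pointer sizes and shows the same check failing when the 32-bit offset is applied to a 64-bit MSG. The function name, buffer names and the HWND value are made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define WM_LBUTTONUP 0x0202u  /* the 0x202 tested by the breakpoint */

/* Read an n-byte little-endian value from a captured memory buffer. */
static uint64_t read_le(const unsigned char *p, size_t n)
{
    uint64_t v = 0;
    while (n--)
        v = (v << 8) | p[n];
    return v;
}

/*
 * MSG begins with HWND hwnd (pointer-sized) followed by UINT message
 * (4 bytes), so message sits at +4 in a 32-bit process and at +8 in a
 * 64-bit one. Returns the HWND when the message is WM_LBUTTONUP, else 0.
 * ptr_size is the pointer size of the debugged process (4 or 8).
 */
uint64_t lbuttonup_hwnd(const unsigned char *msg, size_t ptr_size)
{
    if (ptr_size != 4 && ptr_size != 8)
        return 0;
    if ((uint32_t)read_le(msg + ptr_size, 4) != WM_LBUTTONUP)
        return 0;
    return read_le(msg, ptr_size);
}

/* Constructed sample buffers; HWND 0x000A0B2C is a made-up value. */
const unsigned char SAMPLE_CLICK32[28] = {
    0x2C, 0x0B, 0x0A, 0x00,    /* +0 hwnd                   */
    0x02, 0x02, 0x00, 0x00 };  /* +4 message = WM_LBUTTONUP */
const unsigned char SAMPLE_PAINT32[28] = {
    0x2C, 0x0B, 0x0A, 0x00,    /* +0 hwnd                   */
    0x0F, 0x00, 0x00, 0x00 };  /* +4 message = 0xf WM_PAINT */
const unsigned char SAMPLE_CLICK64[48] = {
    0x2C, 0x0B, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00,  /* +0 hwnd    */
    0x02, 0x02, 0x00, 0x00 };                        /* +8 message */
```

With ptr_size 4 on the 64-bit buffer, the read at +4 lands in the upper half of hwnd, so the comparison with 0x202 never matches.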