A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
#32172 by SirRonald
Thu Oct 04, 2018 9:38 pm

I'm looking into creating my own external forms, windows, UIs, etc., by hooking into whatever kernel module handles the specific drawing operations.

I've looked into NtUserPaintMonitor and also NtUserPaintDesktop; however, neither of these functions is triggered on my system (using normal detours, Windows 10 1803).

I've tried more generic functions like NtGdiExtEscape; however, that is not called (unless, of course, I start some type of application that uses it).

Surely there would be some sort of module that renders the desktop/monitor at your selected refresh rate? Preferably something with an HDC, so that I can use GDI calls on it?

The Windows Internals book said that Cdd.dll handles the rendering of the mouse cursor; however, I found no evidence of that when looking at the code.
#32174 by mrfearless
Sun Oct 07, 2018 6:50 pm
I'm guessing it's probably this:

https://docs.microsoft.com/en-us/window ... erspective
"GDI service functions are identified by their Eng prefix, and functions that provide access to GDI-maintained structures have names in the form XxxOBJ*_*Xxx."

Looking at the ReactOS code might give you a better idea of whether that is where you need to look: https://doxygen.reactos.org/dir_27871eb ... 01fd6.html

And some of the functions listed here might be useful: https://j00ru.vexillium.org/syscalls/win32k/32/

like NtGdiEngBitBlt, NtGdiBitBlt, NtGdiCreateCompatibleDC, NtGdiCreateCompatibleBitmap, NtGdiCreateSolidBrush, etc.

Also check ntgdi.h in the SDKs for those functions; they seem to be referenced in the win32k.lib file, which is for the win32k.sys file.
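To give the detours on those NtGdi* syscalls something to catch, here is an added example (not code from either poster) that drives the user-mode gdi32/user32 wrappers of the functions named in the reply from PowerShell, drawing a filled rectangle straight onto the screen DC obtained with GetDC(NULL). The mapping in the comments (BitBlt to NtGdiBitBlt, CreateCompatibleDC to NtGdiCreateCompatibleDC, and so on) is the normal gdi32 path into win32k; the rectangle position, size and colour are constructed values, and the script assumes a Windows host with PowerShell and a desktop session.

```powershell
# Added example, not from the thread. Exercises the win32k GDI syscalls named
# above through their documented user-mode wrappers, so a kernel-side hook on
# NtGdiBitBlt / NtGdiCreateCompatibleDC / NtGdiCreateCompatibleBitmap /
# NtGdiCreateSolidBrush fires in a controlled way. Assumes Windows + a desktop.

Add-Type -Namespace Win32 -Name Gdi -MemberDefinition @"
[StructLayout(LayoutKind.Sequential)]
public struct RECT { public int Left, Top, Right, Bottom; }

[DllImport("user32.dll")] public static extern IntPtr GetDC(IntPtr hWnd);
[DllImport("user32.dll")] public static extern int    ReleaseDC(IntPtr hWnd, IntPtr hDC);
[DllImport("user32.dll")] public static extern int    FillRect(IntPtr hDC, ref RECT lprc, IntPtr hbr);
[DllImport("gdi32.dll")]  public static extern IntPtr CreateCompatibleDC(IntPtr hdc);
[DllImport("gdi32.dll")]  public static extern IntPtr CreateCompatibleBitmap(IntPtr hdc, int cx, int cy);
[DllImport("gdi32.dll")]  public static extern IntPtr SelectObject(IntPtr hdc, IntPtr h);
[DllImport("gdi32.dll")]  public static extern IntPtr CreateSolidBrush(uint color);
[DllImport("gdi32.dll")]  public static extern bool   BitBlt(IntPtr hdc, int x, int y, int cx, int cy,
                                                            IntPtr hdcSrc, int x1, int y1, uint rop);
[DllImport("gdi32.dll")]  public static extern bool   DeleteObject(IntPtr ho);
[DllImport("gdi32.dll")]  public static extern bool   DeleteDC(IntPtr hdc);
"@

$SRCCOPY = [uint32]0x00CC0020   # raster op: copy source to destination

function Invoke-DesktopBlit {
    param(
        [int]$X = 50, [int]$Y = 50,          # constructed screen position
        [int]$Width = 200, [int]$Height = 100,
        [uint32]$ColorRef = 0x000000FF       # COLORREF is 0x00BBGGRR, so this is red
    )

    # HDC for the whole screen; GetDC(NULL) goes through NtUserGetDC.
    $screen = [Win32.Gdi]::GetDC([IntPtr]::Zero)
    if ($screen -eq [IntPtr]::Zero) { throw "GetDC(NULL) failed" }

    try {
        # Off-screen surface: CreateCompatibleDC -> NtGdiCreateCompatibleDC,
        # CreateCompatibleBitmap -> NtGdiCreateCompatibleBitmap.
        $memDC = [Win32.Gdi]::CreateCompatibleDC($screen)
        $bmp   = [Win32.Gdi]::CreateCompatibleBitmap($screen, $Width, $Height)
        $old   = [Win32.Gdi]::SelectObject($memDC, $bmp)

        # CreateSolidBrush -> NtGdiCreateSolidBrush; FillRect paints the memory bitmap.
        $brush = [Win32.Gdi]::CreateSolidBrush($ColorRef)
        $rc = New-Object 'Win32.Gdi+RECT'
        $rc.Left = 0; $rc.Top = 0; $rc.Right = $Width; $rc.Bottom = $Height
        [void][Win32.Gdi]::FillRect($memDC, [ref]$rc, $brush)

        # The interesting call for a hook: BitBlt -> NtGdiBitBlt onto the screen DC.
        $ok = [Win32.Gdi]::BitBlt($screen, $X, $Y, $Width, $Height, $memDC, 0, 0, $SRCCOPY)

        # Release in reverse order; restore the original bitmap before deleting ours.
        [void][Win32.Gdi]::SelectObject($memDC, $old)
        [void][Win32.Gdi]::DeleteObject($bmp)
        [void][Win32.Gdi]::DeleteObject($brush)
        [void][Win32.Gdi]::DeleteDC($memDC)
        return $ok
    }
    finally {
        [void][Win32.Gdi]::ReleaseDC([IntPtr]::Zero, $screen)
    }
}

if (-not (Invoke-DesktopBlit)) { Write-Error "BitBlt to the screen DC failed" }
```

Run it with a breakpoint or logging detour on NtGdiBitBlt in place and you should see exactly one hit per call, with the destination DC being the screen DC rather than a window DC. Note that what this paints is not persistent: under DWM composition on Windows 10 the next repaint of that region of the screen (any window invalidation over it) overwrites the rectangle, which is why this is useful for exercising hooks but not as the basis for a "rendered every frame" UI.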