00EA841C |. /75 6A JNZ SHORT taskmgr.00EA8488 00EA841E |. |8D4D F4 LEA ECX,[LOCAL.3] 00EA8421 |. |51 PUSH ECX ; /pResult 00EA8422 |. |68 F4010000 PUSH 0x1F4 ; |Timeout = 500. ms 00EA8427 |. |6A 03 PUSH 0x3 ; |Flags = SMTO_BLOCK|SMTO_ABORTIFHUNG 00EA8429 |. |50 PUSH EAX ; |lParam => 0x0 00EA842A |. |50 PUSH EAX ; |wParam => 0x0 00EA842B |. |6A 10 PUSH 0x10 ; |Message = WM_CLOSE 00EA842D |. |FF76 04 PUSH DWORD PTR DS:[ESI+0x4] ; |hWnd 00EA8430 |. |FF15 5013E900 CALL DWORD PTR DS:[<&USER32.SendMessageT>; SendMessageTimeoutW 00EA8436 |. |85C0 TEST EAX,EAX 00EA8438 |. |74 04 JE SHORT taskmgr.00EA843E 00EA843A |. |33FF XOR EDI,EDI 00EA843C |. |EB 17 JMP SHORT taskmgr.00EA8455 00EA843E |> |FF15 6811E900 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; [GetLastError 00EA8444 |. |85C0 TEST EAX,EAX 00EA8446 |. |7E 07 JLE SHORT taskmgr.00EA844F 00EA8448 |. |25 FFFF0000 AND EAX,0xFFFF 00EA844D |. |0BC3 OR EAX,EBX 00EA844F |> |8BF8 MOV EDI,EAX 00EA8451 |. |85FF TEST EDI,EDI 00EA8453 |. |7C 18 JL SHORT taskmgr.00EA846D 00EA8455 |> |68 F4010000 PUSH 0x1F4 ; /Timeout = 500. ms 00EA845A |. |FF15 C810E900 CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; Sleep 00EA8460 |. |FF76 04 PUSH DWORD PTR DS:[ESI+0x4] ; /hWnd 00EA8463 |. |FF15 9812E900 CALL DWORD PTR DS:[<&USER32.IsWindowVisi>; IsWindowVisible 00EA8469 |. |85C0 TEST EAX,EAX 00EA846B |. |74 42 JE SHORT taskmgr.00EA84AF 00EA846D |> |33FF XOR EDI,EDI 00EA846F |. |57 PUSH EDI 00EA8470 |. |57 PUSH EDI 00EA8471 |. |FF76 04 PUSH DWORD PTR DS:[ESI+0x4] 00EA8474 |. |FF15 9412E900 CALL DWORD PTR DS:[<&USER32.EndTask>] ; user32.EndTask 00EA847A |. |85C0 TEST EAX,EAX
结束任务是使用SendMessageTimeoutW发送WM_CLOSE消息,并设定超时时间为500ms,
函数失败或者超过 了500ms才走EndTask,
函数成功也会检测要结束的窗口是否可视,如果可视还是会调用EndTask
如果我们需要hook掉结束任务按钮需要hook掉函数SendMessageTimeoutW和EndTask(或者IsWindowVisible)