aubymori
Sophomore Member
👅👅👅👅👅
Posts: 160
OS: Windows 10 IoT Enterprise LTSC 2021
Theme: Windows 10 Default
CPU: Intel Core i5-9300H
RAM: 8GB
GPU: Intel UHD Graphics 630 / NVIDIA GeForce GTX 1650
Post by aubymori on Oct 10, 2023 14:07:23 GMT -8
THIS BREAKS STUFF DISREGARD FOR NOW
Hey, everyone. I recently patched conhost.exe to have client edge. Here's what that looks like:

Why not just make a Windhawk mod?
Windhawk listens for new processes by hooking CreateProcessA and CreateProcessW in just about every running process. However, the conhost.exe process is made by csrss.exe, which Windhawk does not inject into. As a result Windhawk will always be late to inject into conhost.exe.

Patching instructions:
1. Grab conhost.exe from C:\Windows\System32 and put it somewhere easily accessible, such as your Documents folder.
2. Open it with a hex editor, such as HxD.
3. Find the hex value B9 10 01 0C 00, and replace it with B9 10 03 0C 00. This is the extended style that is provided to CreateWindowExW for console windows, and we are modifying it to include WS_EX_CLIENTEDGE.
4. Save the file, take ownership of conhost.exe in C:\Windows\System32, and replace it with your patched one.

If you did everything right, you should get client edge when you open a console window.
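What the two byte strings in step 3 encode, as an added example that is not part of the original post: B9 is the x86 opcode for mov ecx, imm32, so the four bytes after it are the little-endian extended style value. The code decodes both values into WS_EX_* names and lists every offset of the pattern in a buffer so an ambiguous match is noticed; the function names and the sample buffer are constructed for illustration.

```python
import struct

# Extended window style bits from WinUser.h (only those needed here).
WS_EX = {
    0x00000010: "WS_EX_ACCEPTFILES",
    0x00000100: "WS_EX_WINDOWEDGE",
    0x00000200: "WS_EX_CLIENTEDGE",
    0x00040000: "WS_EX_APPWINDOW",
    0x00080000: "WS_EX_LAYERED",
}

def parse_mov_ecx(hex_bytes):
    """Decode 'B9 xx xx xx xx' (mov ecx, imm32); return the immediate."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) != 5 or raw[0] != 0xB9:
        raise ValueError("not a mov ecx, imm32 encoding")
    return struct.unpack("<I", raw[1:])[0]  # x86 immediates are little-endian

def style_names(value):
    """Return (names of known bits set, mask of bits not in WS_EX)."""
    names = [name for bit, name in sorted(WS_EX.items()) if value & bit]
    unknown = value
    for bit in WS_EX:
        unknown &= ~bit
    return names, unknown

def patch_delta(old_hex, new_hex):
    """Style names added and removed by swapping one encoding for the other."""
    old, new = parse_mov_ecx(old_hex), parse_mov_ecx(new_hex)
    return style_names(new & ~old)[0], style_names(old & ~new)[0]

def find_all(data, hex_bytes):
    """Every offset of the byte sequence in data. More than one hit means a
    blind search-and-replace could touch an unrelated instruction."""
    needle, hits = bytes.fromhex(hex_bytes), []
    pos = data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits

ORIGINAL, PATCHED = "B9 10 01 0C 00", "B9 10 03 0C 00"
# Constructed buffer (not bytes from conhost.exe) holding the pattern twice.
SAMPLE = b"\x90" * 8 + bytes.fromhex(ORIGINAL) + b"\xcc" * 4 + bytes.fromhex(ORIGINAL)

if __name__ == "__main__":
    print(hex(parse_mov_ecx(ORIGINAL)), style_names(parse_mov_ecx(ORIGINAL)))
    print("added/removed:", patch_delta(ORIGINAL, PATCHED))
    print("offsets in sample:", find_all(SAMPLE, ORIGINAL))
```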
Post by ephemeralViolette on Oct 10, 2023 14:34:02 GMT -8
Why not just make a Windhawk mod?
Windhawk listens for new processes by hooking CreateProcessA and CreateProcessW in just about every running process. However, the conhost.exe process is made by csrss.exe, which Windhawk does not inject into. As a result Windhawk will always be late to inject into conhost.exe.

I may try looking into this again in the future. Native Windows hooking techniques such as UserApiHook (used by UxTheme), SetWindowsHookEx, and Application Verifier providers are all able to inject into conhost.exe early enough; however, the only good approach is to make a custom Application Verifier provider (an approach also used for hooking winlogon and LogonUI by SecureUxTheme patcher), and it proved difficult to get the Windhawk mod loader (windhawk.dll) loaded into the process. Application Verifier providers load so soon, in fact, that typically not even user32 is available by the time they load (only the C runtime, kernel32, and ntdll, I believe).
UserApiHook and SetWindowsHookEx, on the other hand, both inject into all processes running on the system and not just a specific target (at that, UAH is only meant to be used once by the theme server, and the only thing that I know of that uses it at all other than that is WindowBlinds to my knowledge).
Post by aubymori on Oct 10, 2023 17:35:12 GMT -8
ok hold on this actually breaks shit LOL
Post by anixx on Oct 10, 2023 20:08:36 GMT -8
This AHK script adds clientedge to console quite well:
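#Persistent
; RegisterShellHookWindow needs a window handle: use the script's own hidden GUI window
Gui +LastFound
hWnd := WinExist()
DllCall( "RegisterShellHookWindow", UInt,hWnd )
MsgNum := DllCall( "RegisterWindowMessage", Str,"SHELLHOOK" )
OnMessage( MsgNum, "ShellMessage" )
Return

ShellMessage(wParam,lParam) {
    ; wParam 1 = HSHELL_WINDOWCREATED, lParam = handle of the new window
    If (wParam = 1) {
        WinGetClass, WinClass, ahk_id %lParam%
        ;Clientedge in Console
        if (WinClass = "ConsoleWindowClass") {
            ; 0x200 = WS_EX_CLIENTEDGE
            WinSet, ExStyle, +0x200, ahk_id %lParam%
            ; Resize by one pixel and back so the frame is redrawn with the new style
            WinGetPos, , , , h, ahk_id %lParam%
            WinMove, ahk_id %lParam%,,,,,h-1
            WinMove, ahk_id %lParam%,,,,,h
        }
    }
}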