hook NtUserCreateWindowEx

1. 附加个有窗口的进程（确保会加载 user32.dll）, 一开始还以为这个函数在 ntdll.dll 中

2. 查找函数地址

   0:012> x user32!NtUserCreateWindowEx
758aa948 USER32!NtUserCreateWindowEx = <no type information>
0:012> uf 758aa948
USER32!NtUserCreateWindowEx:
758aa948 b876100000      mov     eax,1076h
758aa94d b900000000      mov     ecx,0
758aa952 8d542404        lea     edx,[esp+4]
758aa956 64ff15c0000000  call    dword ptr fs:[0C0h]
758aa95d 83c404          add     esp,4
758aa960 c23c00          ret     3Ch

3. 看能不能按以前修改首部5字节跳转。。。

引用 http://bbs.csdn.net/topics/360133376 里 aiwnx的分析

CreateWindowExW -> _CreateWindowEx -> VerNtUserCreateWindowEx -> (kernel: 0x157:NtUserCreateWindowEx)
CreateWindowExA -> _CreateWindowEx -> VerNtUserCreateWindowEx -> (kernel: 0x157:NtUserCreateWindowEx)
DialogBoxParam -> DialogBoxIndirectParamAorW -> InternalDialogBox -> InternalCreateDialog -> VerNtUserCreateWindowEx -> (kernel: 0x157:NtUserCreateWindowEx)
CreateDialogParam -> CreateDialogIndirectParamAorW -> InternalCreateDialog ->  VerNtUserCreateWindowEx -> (kernel: 0x157:NtUserCreateWindowEx)

函数原型：

NtUserCreateWindowEx(DWORD dwExStyle,PUNICODE_STRING  UnsafeClassName,PUNICODE_STRING UnsafeWindowName,DWORD dwUnknown1,DWORD  dwStyle,LONG x, LONG y,LONG nWidth, LONG nHeight,HWND  hWndParent,HMENU hMenu,HINSTANCE hInstance,LPVOID lpParam,DWORD  dwShowMode,DWORD dwUnknown2)