Adding a minimize-to-system-tray feature to Notepad

Technology | 2022-05-20

To put an icon in the system tray you have to define a NOTIFYICONDATAA structure, like this:

NOTIFYICONDATAA STRUCT
    cbSize           DWORD ?          ; length, 58h
    hwnd             DWORD ?
    uID              DWORD ?          ; 0
    uFlags           DWORD ?          ; 7
    uCallbackMessage DWORD ?          ; WM_USER+5 = 405h
    hIcon            DWORD ?
    szTip            BYTE 64 dup (?)  ; string shown when the mouse hovers over the icon
NOTIFYICONDATAA ENDS

The structure could be filled in by code, but to save code I write it straight into the data section. Only the hwnd and hIcon fields of this structure change; everything else is constant. Use WinHex to add the following data at file offset 00030256:

58000000 00000000 00000000 07000000 05040000 00000000 44495920504520666F72204E6F7465706164

(The trailing bytes are the ASCII string "DIY PE for Notepad".) Save and you are done.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Assembly equivalents of some message-handler variables:

uMsg   = dword ptr [ebp+C]
wParam = dword ptr [ebp+10]
lParam = dword ptr [ebp+14]

______________________________________________________________________________________

Steps:

1. Add the functions and the data

Functions used: LoadIcon, ShowWindow, Shell_NotifyIconA, SendMessage. Shell_NotifyIcon is not among the program's imports, so add it by hand; after adding it the function pointer is at 010130E4. For adding the data, see above.

-------------------------------------------------------------------

2. Write the program's pseudocode:

.if uMsg == WM_SIZE                              ; WM_SIZE equ 5h
    .if wParam == SIZE_MINIMIZED                 ; SIZE_MINIMIZED equ 1
        push dword ptr [1008810]                 ; hWnd
        pop dword ptr [ ? +4]                    ; field 2 of NOTIFYICONDATAA
        push 2
        push 01000000
        call [10011FC]                           ; invoke LoadIconW,hInstance,2
        mov dword ptr [ ? +14],eax               ; field 6 of NOTIFYICONDATAA
        invoke ShowWindow,hWnd,SW_HIDE           ; SW_HIDE equ 0
        invoke Shell_NotifyIcon,NIM_ADD,addr note
    .endif
.elseif uMsg == WM_COMMAND                       ; WM_COMMAND equ 111h
    .if lParam == 0
        mov eax,wParam
        .if ax == 3e8
            invoke ShowWindow,hWnd,SW_RESTORE                 ; SW_RESTORE equ 9
            invoke Shell_NotifyIcon,NIM_DELETE,addr note      ; NIM_DELETE equ 2h
        .endif
    .endif
.elseif uMsg == WM_SHELLNOTIFY                   ; WM_SHELLNOTIFY equ 405h = 400h+5
    .if wParam == 0
        .if lParam == WM_RBUTTONDOWN || lParam == WM_LBUTTONDBLCLK || lParam == WM_LBUTTONUP
            invoke SendMessage,hWnd,WM_COMMAND,3e8,0
        .endif
    .endif
.endif

---------------------------------------------------------------

3. Find the program's message-handler address

Set a breakpoint on "RegisterClassExW" and run. It breaks at 010041BA; look at the stack:

0006FDF8  0006FE00  /pWndClassEx = 0006FE00
0006FDFC  77D14B20  USER32.LoadCursorW
0006FE00  00000030
0006FE04  00000000
0006FE08  01003134  NOTEPAD.01003134   ; this is the address of the message-handler function

Go to 01003134:

.......
0100313D  cmp esi, 1C          ; Switch (cases 2..8001)
01003140  push edi
01003141  push 8
01003143  pop edx
01003144  ja 0100338B          ; WM_COMMAND equ 111h > 1C, so it jumps to 0100338B
...
0100338B  mov edi, [ebp+14]    ; lands here
0100338E  mov eax, esi
01003390  sub eax, 111
01003395  je 010035D0          ; a WM_COMMAND message jumps to 010035D0; change this to je 01007D76

------------------------------------------------------------

4. WM_COMMAND handler code:

A. 01003395  je 010035D0   ; change to je 01007D76
B. At 01007D76 write:

pushad
cmp dword ptr [ebp+14],0
jnz short 01007DA2            ; not 0: jump to exit
mov eax,dword ptr [ebp+10]
cmp ax,3e8
jnz short 01007DA2            ; not equal: jump to exit
push 01008430
push 2
call [10130E4]                ; SHELL32.Shell_NotifyIconA
push 9
push dword ptr [1008810]
call [10011CC]                ; USER32.ShowWindow
popad                         ; exit: (jump target)
jmp 010035D0

---------------------------------------------------------------

5. WM_SIZE handler code:

A. Change 010031D8  je 01003223 to jmp 01007DB0. Find it the same way as above.
B. At 01007DB0 enter:

Newly added part:
----------------------------
mov eax, [ebp+10]             ; fetch wParam
dec eax
test eax, eax                 ; is it 1, SIZE_MINIMIZED?
jne 010031DD                  ; not SIZE_MINIMIZED: return directly
----------------------------------
pushad
push dword ptr [1008810]
pop dword ptr [1008434]
push 2                        ; /RsrcName = 2.
push 01000000                 ; |hInst = 01000000
call [10011FC]                ; /LoadIconW
mov [1008444], eax
push 0                        ; /ShowState = SW_HIDE
push dword ptr [1008810]      ; |hWnd = NULL
call [10011CC]                ; /ShowWindow
push 01008430
push 0
call [10130E4]                ; SHELL32.Shell_NotifyIconA
popad
je 01003223
dec eax
jnz 010031C6
jmp 010031DD

--------------------------------------------------------------

6. WM_SHELLNOTIFY (405) handler code:

A. There is not enough room, so create a new section at 01014000.
B. Change
   010033C8  sub eax, 7CE8   to   sub eax, 0EB
   010033CD  je 010034EA     to   ja 01014000
C. At 01014000 (the section I created) enter:

dec eax
je short 01014013
sub eax, 7BFC
je 010034EA
jmp 010033D3
cmp dword ptr [ebp+10], 0
jnz 010033D3
cmp dword ptr [ebp+14], 201
jnz 010033D3
jmp short 01014050            ; jmp _send
cmp dword ptr [ebp+14], 203
jnz 010033D3
jmp short 01014050            ; jmp _send
cmp dword ptr [ebp+14], 204
jnz 010033D3
jmp short 01014050
nop
nop
nop
nop
nop
nop
nop
push 0                        ; _send:
push 3E8
push 111
push dword ptr [1008810]
call [1001220]                ; USER32.SendMessageW
jmp 010033D3

---------------------------------------------------------

7. Save, and wait to see it run. Be careful when writing the code, and do not lose heart if it fails: it took me n tries before it worked! I recommend installing the NonaWrite plugin for OllyDbg; it makes things easier.
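As an added example (not the post's own code), here is plain C that rebuilds the 58h-byte NOTIFYICONDATAA record the post pastes at file offset 00030256 and checks the hand-written hex against the structure's field layout. It also confirms the two offsets the stubs write to: hwnd at +4 (1008434 = 01008430 + 4) and hIcon at +14h (1008444 = 01008430 + 14h). Nothing here needs windows.h; the Win32 names are redefined locally, and the hex string is copied from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>

#define NOTIFYICONDATAA_SIZE 0x58u    /* cbSize: 6 DWORDs + 64-byte szTip */
#define NIF_MESSAGE 0x1u
#define NIF_ICON    0x2u
#define NIF_TIP     0x4u              /* 1|2|4 = 7, the uFlags value in the post */
#define WM_USER     0x400u
#define WM_SHELLNOTIFY (WM_USER + 5u) /* 405h, the tray callback message */

/* Field layout of NOTIFYICONDATAA as the post declares it (all 32-bit). */
typedef struct {
    uint32_t cbSize;
    uint32_t hwnd;             /* offset 0x04: written by the WM_SIZE stub */
    uint32_t uID;
    uint32_t uFlags;
    uint32_t uCallbackMessage;
    uint32_t hIcon;            /* offset 0x14: written by the WM_SIZE stub */
    uint8_t  szTip[64];
} notifyicondata_a;

static void put_u32_le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Serialise the record little-endian, exactly as it sits in the data section.
 * hwnd and hIcon stay zero: the patched code fills them at run time. */
size_t build_tray_record(uint8_t *out, size_t cap, const char *tip)
{
    size_t len = strlen(tip);
    if (cap < NOTIFYICONDATAA_SIZE) return 0;
    if (len > 63) len = 63;                       /* keep room for the NUL */
    memset(out, 0, NOTIFYICONDATAA_SIZE);
    put_u32_le(out + offsetof(notifyicondata_a, cbSize), NOTIFYICONDATAA_SIZE);
    put_u32_le(out + offsetof(notifyicondata_a, uFlags), NIF_MESSAGE | NIF_ICON | NIF_TIP);
    put_u32_le(out + offsetof(notifyicondata_a, uCallbackMessage), WM_SHELLNOTIFY);
    memcpy(out + offsetof(notifyicondata_a, szTip), tip, len);
    return NOTIFYICONDATAA_SIZE;
}

/* Decode a hex dump (whitespace ignored) into bytes; 0 on malformed input. */
size_t hex_to_bytes(const char *hex, uint8_t *out, size_t cap)
{
    size_t n = 0;
    int hi = -1;
    for (; *hex; hex++) {
        unsigned char c = (unsigned char)*hex;
        int d;
        if (isspace(c)) continue;
        if (isdigit(c)) d = c - '0';
        else if (isxdigit(c)) d = tolower(c) - 'a' + 10;
        else return 0;
        if (hi < 0) { hi = d; continue; }
        if (n >= cap) return 0;
        out[n++] = (uint8_t)((hi << 4) | d);
        hi = -1;
    }
    return hi < 0 ? n : 0;   /* an odd digit count is an error */
}

/* The 42 bytes the post writes with WinHex (the remaining 46 bytes of szTip
 * are left as zeros in the file). */
static const char kPostHex[] =
    "58000000 00000000 00000000 07000000 05040000 00000000 "
    "44495920504520666F72204E6F7465706164";

/* 1 if the post's hand-written bytes equal the record built from its fields. */
int post_record_matches(void)
{
    uint8_t want[NOTIFYICONDATAA_SIZE] = {0}, got[NOTIFYICONDATAA_SIZE];
    if (hex_to_bytes(kPostHex, want, sizeof want) == 0) return 0;
    if (build_tray_record(got, sizeof got, "DIY PE for Notepad") == 0) return 0;
    return memcmp(want, got, NOTIFYICONDATAA_SIZE) == 0;
}

int main(void)
{
    printf("sizeof=0x%zx hwnd@+0x%zx hIcon@+0x%zx match=%d\n",
           sizeof(notifyicondata_a), offsetof(notifyicondata_a, hwnd),
           offsetof(notifyicondata_a, hIcon), post_record_matches());
    return 0;
}
```

The same check is worth running before any hand-edit of a data section: build the record from the structure definition, then diff it against the bytes you typed, so a miscounted field or a wrong cbSize shows up before Shell_NotifyIcon silently rejects the record.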
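As a second added example (again not from the post), the dispatch logic of steps 2, 4, 5 and 6 written as one C function, with the four Win32 calls behind a small function-pointer table so the control flow can be exercised on any host and compared with the stubs before they are patched in. It follows what the stubs actually check rather than the looser pseudocode: WM_COMMAND requires lParam = 0 and the low word of wParam = 3E8h, the tray callback compares lParam with 201h, 203h and 204h, and the WM_COMMAND path calls Shell_NotifyIcon before ShowWindow as the stub at 01007D76 does. The fake API, the window handle 10h and the call log are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Win32 values as the post uses them, redefined so this builds without windows.h. */
#define WM_SIZE          0x005u
#define WM_COMMAND       0x111u
#define WM_LBUTTONDOWN   0x201u
#define WM_LBUTTONDBLCLK 0x203u
#define WM_RBUTTONDOWN   0x204u
#define WM_USER          0x400u
#define WM_SHELLNOTIFY   (WM_USER + 5u)   /* 405h, the uCallbackMessage in the record */
#define SIZE_MINIMIZED   1u
#define SW_HIDE          0u
#define SW_RESTORE       9u
#define NIM_ADD          0u
#define NIM_DELETE       2u
#define IDM_RESTORE      0x3E8u           /* the command id the post uses to mean "restore" */

typedef struct { uint32_t hwnd, hicon; } tray_state;   /* the two fields the patch writes */

/* The four imports the patch calls, abstracted so the logic is host-independent. */
typedef struct {
    uint32_t (*load_icon)(uint32_t hinst, uint32_t id);
    void (*show_window)(uint32_t hwnd, uint32_t cmd);
    void (*shell_notify_icon)(uint32_t op, tray_state *nid);
    void (*send_message)(uint32_t hwnd, uint32_t msg, uint32_t wp, uint32_t lp);
} win_api;

/* Returns 1 when the tray code consumed the message, 0 when it falls through to
 * Notepad's original handler (the jmp back at the end of each stub). */
int tray_dispatch(const win_api *api, tray_state *nid, uint32_t hwnd, uint32_t hinst,
                  uint32_t msg, uint32_t wparam, uint32_t lparam)
{
    if (msg == WM_SIZE) {                              /* stub at 01007DB0 */
        if (wparam != SIZE_MINIMIZED) return 0;
        nid->hwnd  = hwnd;                             /* mov [1008434], hWnd */
        nid->hicon = api->load_icon(hinst, 2);         /* mov [1008444], eax  */
        api->show_window(hwnd, SW_HIDE);
        api->shell_notify_icon(NIM_ADD, nid);
        return 1;
    }
    if (msg == WM_COMMAND) {                           /* stub at 01007D76 */
        if (lparam != 0 || (wparam & 0xFFFFu) != IDM_RESTORE) return 0;
        api->shell_notify_icon(NIM_DELETE, nid);
        api->show_window(hwnd, SW_RESTORE);
        return 1;
    }
    if (msg == WM_SHELLNOTIFY) {                       /* stub at 01014000 */
        if (wparam != 0) return 0;                     /* wParam carries uID, which is 0 */
        if (lparam != WM_LBUTTONDOWN && lparam != WM_LBUTTONDBLCLK &&
            lparam != WM_RBUTTONDOWN) return 0;
        api->send_message(hwnd, WM_COMMAND, IDM_RESTORE, 0);
        return 1;
    }
    return 0;
}

/* Constructed fake API: each call appends one entry to a log string. */
static char g_log[256];
static void rec(const char *fmt, uint32_t a, uint32_t b)
{
    char buf[48];
    snprintf(buf, sizeof buf, fmt, a, b);
    strncat(g_log, buf, sizeof g_log - strlen(g_log) - 1);
}
static uint32_t fake_load_icon(uint32_t hinst, uint32_t id) { rec("LoadIcon(%x,%x) ", hinst, id); return 0xBEEFu; }
static void fake_show_window(uint32_t hwnd, uint32_t cmd) { rec("ShowWindow(%x,%x) ", hwnd, cmd); }
static void fake_notify(uint32_t op, tray_state *nid) { rec("NotifyIcon(%x,hwnd=%x) ", op, nid->hwnd); }
static void fake_send(uint32_t hwnd, uint32_t msg, uint32_t wp, uint32_t lp)
{ (void)hwnd; (void)lp; rec("SendMessage(%x,%x) ", msg, wp); }

const win_api fake_api = { fake_load_icon, fake_show_window, fake_notify, fake_send };

/* Minimise, double-click the tray icon, then deliver the WM_COMMAND that the
 * real SendMessage would have re-entered the window procedure with. */
const char *simulate_minimize_restore(void)
{
    tray_state nid = {0, 0};
    g_log[0] = '\0';
    tray_dispatch(&fake_api, &nid, 0x10, 0x01000000u, WM_SIZE, SIZE_MINIMIZED, 0);
    tray_dispatch(&fake_api, &nid, 0x10, 0x01000000u, WM_SHELLNOTIFY, 0, WM_LBUTTONDBLCLK);
    tray_dispatch(&fake_api, &nid, 0x10, 0x01000000u, WM_COMMAND, IDM_RESTORE, 0);
    return g_log;
}

int main(void)
{
    puts(simulate_minimize_restore());
    return 0;
}
```

Writing the logic out in C first gives a reference to diff each stub against: the three early-return conditions map one-to-one onto the jnz/jne back-edges in steps 4 to 6, and the fall-through cases (any other WM_SIZE value, a WM_COMMAND from a control, a mouse-move in the tray) are the paths that must still reach Notepad's original code.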

