How to Locate Code Execution at the Click of a Menu

As described in my article about determining menu ID on mouse click, to determine the code when certain menu is activated is to trace the call chain, after trapping the WM_COMMAND (0x111) message for certain menu ID starting on FrameWndFilterProc.

But this proved to be so far from the final destination stack, which requires so much step trace before eventually arrived at the intended routine.

One of the short-cut is to trap the MFC’s CCmdTarget::OnCmdMsg, using the conditional breakpoint for intended menu id at first parameter (ebp+8), and null value for second and third parameter.

In the case of Save EasyLanguage Document (menu id 0x4562), first parameter is 0x4562, second and third parameter is set to null (0x0).

Using this short-cut, the only required steps is to checks every event of this break-point for the sign of whether it is successfully processed the message or not. This is indicated by successful call to AfxFindMessageEntry which eventually calls _AfxDispatchCmdMsg.

For menu id 0x4562, the routine that we sought for is located at this call stack pattern :

Then by tracing right into _AfxDispatchCmdMsg, provided that AfxFindMessageEntry has the entry for the above menu id :

We then landed on routine that is responsible for Save EasyLanguage Document menu :

As you can see from the above, the routine for EasyLanguage document saving is located at 0x49292b0. This actually part of tselad.ocx address space.

By using the same fashion of trapping methods, it can also applied to other menu id, for example the Verify menu (0x4542) :

So, the address for Verify Easy Language Document routine is starting at Which is 0x04927040, still within address space of tselad.ocx.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: