https://bugs.winehq.org/show_bug.cgi?id=49195
--- Comment #3 from Anastasius Focht focht@gmx.net ---
Hello Nikolay,
--- quote ---
I'm guessing exact values rely on the order in which they happen to be registered by first application (explorer?) to touch user32 in given winstation? Or maybe it's not preserved as an important compatibility artifact.
--- quote ---
When talking about global atom constants the demo scene thread http://www.pouet.net/topic.php?which=9894 references another (Japanese) blog:
http://www5d.biglobe.ne.jp/~noocyte/Programming/Windows/WindowsTips.html
https://translate.google.com/translate?hl=&sl=ja&tl=en&u=http%3A...
"ATOM values for various control classes" -> "System-defined Controls" (user32.dll)
--- quote ---
The DLGITEMTEMPLATEEX Structure states that these classes are system definitions. Then is ATOM a (virtually) constant?
The value of ATOM is the value of windowClass written on the above page plus 0xBF97
("DLGITEMTEMPLATEEX Structure" says these controls are predefined system classes, and the ATOM values seem to be (DLGITEMTEMPLATEEX::windowClass + 0xBF97).)
--- quote ---
MSDN page refers to this kind of information:
https://web.archive.org/web/20140920223136/http://msdn.microsoft.com/en-us/l...
--- quote ---
windowClass
Type: sz_Or_Ord
A variable-length array of 16-bit elements that specifies the window class of the control. If the first element of this array is any value other than 0xFFFF, the system treats the array as a null-terminated Unicode string that specifies the name of a registered window class.
If the first element is 0xFFFF, the array has one additional element that specifies the ordinal value of a predefined system class. The ordinal can be one of the following atom values.

Value   Meaning
0x0080  Button
0x0081  Edit
0x0082  Static
0x0083  List box
0x0084  Scroll bar
0x0085  Combo box
...
--- quote ---
So according to the blog's formula:
user32 'Button' atom: 0xBF97 + 0x0080 ('Button' system class ordinal) = 0xC017
user32 'Edit' atom: 0xBF97 + 0x0081 ('Edit' system class ordinal) = 0xC018
user32 'Static' atom: 0xBF97 + 0x0082 ('Static' system class ordinal) = 0xC019
which matches:
https://github.com/lungetech/ICAS/blob/master/logs/volatility/win32/output/a...
--- snip ---
Offset(P) Session WindowStation Atom    RefCount HIndex Pinned Name
--------- ------- ------------- ------- -------- ------ ------ ----
...
0xd48ca68 n/a     n/a           0xc017  1        23     1      Button
...
0xd48ca68 n/a     n/a           0xc018  1        24     1      Edit
....
0xd48ca68 n/a     n/a           0xc019  1        25     1      Static
--- snip ---
Interestingly the blog is the only reference I could find about this magic offset. Maybe it's a legacy user16/32 implementation detail from Win9x or even Win 3.x era. Who knows.
Regards
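
Added example, not part of the original comment and not Wine or Windows code: a bounds-checked reader for the sz_Or_Ord windowClass field quoted above, plus the blog's offset applied in both directions so atoms from an atom-table dump can be mapped back to class names. The function names and sample buffers are hypothetical, and 0xBF97 is the blog's observation, not a documented constant.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Offset reported by the blog quoted above: observed, not documented. */
#define ATOM_OFFSET 0xBF97u

/* Predefined system class ordinals 0x0080..0x0085 (DLGITEMTEMPLATEEX docs). */
static const char *const sys_class[] = {
    "Button", "Edit", "Static", "List box", "Scroll bar", "Combo box"
};

/* Constructed sample windowClass fields (16-bit elements). */
static const uint16_t sample_edit[]  = { 0xFFFF, 0x0081 };
static const uint16_t sample_name[]  = { 'M', 'y', 'C', 't', 'l', 0 };
static const uint16_t sample_trunc[] = { 0xFFFF };

/* Returns the system class ordinal of an sz_Or_Ord field, or 0 when the
 * field is a class-name string, is truncated, or has an unlisted ordinal. */
static uint16_t window_class_ordinal(const uint16_t *buf, size_t len)
{
    if (len < 2 || buf[0] != 0xFFFF)
        return 0;
    return (buf[1] >= 0x0080 && buf[1] <= 0x0085) ? buf[1] : 0;
}

/* Atom predicted by the blog's formula for a listed ordinal, else 0. */
static uint16_t predicted_atom(uint16_t ordinal)
{
    if (ordinal < 0x0080 || ordinal > 0x0085)
        return 0;
    return (uint16_t)(ordinal + ATOM_OFFSET);
}

/* Inverse mapping for an atom seen in an atom-table dump; NULL if the
 * atom falls outside the predicted range. */
static const char *class_for_atom(uint16_t atom)
{
    uint32_t ord = (uint32_t)atom - ATOM_OFFSET;  /* wraps if atom < offset */
    return (ord >= 0x0080 && ord <= 0x0085) ? sys_class[ord - 0x0080] : NULL;
}

int main(void)
{
    uint16_t ord = window_class_ordinal(sample_edit, 2);
    printf("ordinal 0x%04X -> atom 0x%04X (%s)\n", (unsigned)ord,
           (unsigned)predicted_atom(ord), class_for_atom(predicted_atom(ord)));
    return 0;
}
```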