Love such articles where I learn something new. cdb is completely new to me. It's apparently the Microsoft Console Debugger. For others like me who were wondering how `eb win32u!NtUserSetLayeredWindowAttributes c3` neutered the window animation:
"By executing this command, you are effectively replacing the first byte of the `NtUserSetLayeredWindowAttributes` function with a `ret` instruction. This means that any call to `NtUserSetLayeredWindowAttributes` will immediately return without executing any of its original code. This can be used to bypass or disable the functionality of this function"
- eb[0] "enters bytes" into memory at the specified location;
- The RETN[1] instruction is encoded as C3 in x86 opcodes; and
- Debuggers will typically load ELF symbols so you can refer to memory locations with their names, i.e. function names refer to their jump target.
Putting those three together, we almost get the author's command. I'm not sure about the "win32u!NtUser" name prefix, though. Is it name-munging performed on the compiler side? Maybe some debugger syntax thrown in to select the dll source of the name?
The "win32u!" prefix is for the name of the DLL where the symbol lives. On Windows, the imported symbols are bound to their DLLs, instead of floating in the ether like they do on Linux where the dynamic loader just searches for them in whatever shared objects it has previously loaded.
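The three pieces from the list above (`eb` writes bytes, `C3` is `ret`, the debugger resolves the name) and the `module!symbol` form from the reply, as an added C example that is not from the article or from anyone in this thread: it applies the same one-byte patch to a function inside its own process and checks that the function body no longer runs. Assumptions: an x86 or x86-64 build (`0xC3` is `ret` only there), and a platform that lets the process flip page protection (`VirtualProtect` on Windows, `mprotect` elsewhere); `target`, `patch_entry_byte` and `ret_patch_neuters_function` are names I made up for the demo.

```c
/* Added example (not from the article or the thread): replicate
 * `eb <module>!<symbol> c3` in-process. The debugger resolves the symbol to
 * an address and writes the byte for you; here we do both steps by hand.
 * Assumed: x86/x86-64 CPU, page protection can be changed by the process. */
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#  include <windows.h>
#else
#  include <sys/mman.h>
#  include <unistd.h>
#endif

#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
#  define X86_TARGET 1
#else
#  define X86_TARGET 0   /* 0xC3 is not `ret` on other ISAs; refuse to patch */
#endif

#ifdef _MSC_VER
#  define NOINLINE __declspec(noinline)
#else
#  define NOINLINE __attribute__((noinline))
#endif

static volatile int g_target_ran;

/* The function we neuter. noinline keeps a real call instruction to its
 * entry, so the byte we overwrite there is actually executed. */
NOINLINE static void target(void)
{
    g_target_ran = 1;
}

/* Make the page holding `addr` writable while keeping it executable
 * (the page may also contain the code that is doing the patching).
 * Under a debugger this is what WriteProcessMemory/eb arrange for you. */
static int make_code_writable(void *addr)
{
#ifdef _WIN32
    DWORD old;
    return VirtualProtect(addr, 1, PAGE_EXECUTE_READWRITE, &old) ? 0 : -1;
#else
    long ps = sysconf(_SC_PAGESIZE);
    uintptr_t page = (uintptr_t)addr & ~((uintptr_t)ps - 1);
    return mprotect((void *)page, (size_t)ps, PROT_READ | PROT_WRITE | PROT_EXEC);
#endif
}

/* Overwrite the first byte of `fn` with `opcode`: the in-process equivalent
 * of `eb fn <opcode>`. Returns the byte that was there, or -1 on failure. */
static int patch_entry_byte(void (*fn)(void), unsigned char opcode)
{
    unsigned char *entry = (unsigned char *)(uintptr_t)fn;
    if (!X86_TARGET || make_code_writable(entry) != 0)
        return -1;
    int old = entry[0];
    entry[0] = opcode;
#ifdef _WIN32
    FlushInstructionCache(GetCurrentProcess(), entry, 1);
#endif
    return old;
}

/* Call target() before and after writing 0xC3 (ret) over its first byte.
 * Returns 1 if the patched call returns without running the body,
 * 0 if the body still ran, -1 if the patch could not be applied. */
int ret_patch_neuters_function(void)
{
    g_target_ran = 0;
    target();
    if (!g_target_ran)
        return 0;                       /* sanity check: unpatched call must run */

    if (patch_entry_byte(target, 0xC3) < 0)
        return -1;

    g_target_ran = 0;
    target();                           /* first instruction is now `ret` */
    return g_target_ran ? 0 : 1;
}

int main(void)
{
    int r = ret_patch_neuters_function();
    printf("ret patch result: %d (1 = body skipped, 0 = body ran, -1 = patch failed)\n", r);
    return r == 1 ? 0 : 1;
}
```

Two caveats a practitioner would check before doing this to a real export: a bare `ret` leaves whatever was in `eax`/`rax` as the return value, so a caller that tests a `BOOL` result may see failure rather than success; and on 32-bit `stdcall` exports the callee pops its own arguments, so the correct patch there is `ret imm16` with the argument size, not a plain `C3`, or the caller's stack is left unbalanced. On x64, where the article's command runs, the caller owns stack cleanup and a single `C3` is enough.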
"By executing this command, you are effectively replacing the first byte of the `NtUserSetLayeredWindowAttributes` function with a `ret` instruction. This means that any call to `NtUserSetLayeredWindowAttributes` will immediately return without executing any of its original code. This can be used to bypass or disable the functionality of this function"
(Thanks to GitHub Copilot for that)
Also see https://learn.microsoft.com/en-us/windows-hardware/drivers/d...