
Ring3下无驱动移除winlogon.exe进程ctrl+alt+del,win+u,win+l三个系统热键,非屏蔽热键

2011-07-15 21:24 435 查看
随手而作,纯粹技术研究,没什么实际意义。

打开xuetr,正常情况下,winlogon.exe注册了三个热键。
ctrl+alt+del,win+u,win+l三个。
这三个键用SetWindowsHookEx()函数,使用键盘钩子也屏蔽不了。



我们先把UnregisterSystemHotKey.dll解压出来,放到任意目录.
比如E盘根目录,就运行
rundll32 E:\UnregisterSystemHotKey.dll,Hook
再打开xuetr看下,winlogon.exe进程注册的热键都没有了.



#include <windows.h>
#include <process.h>
#include <tchar.h>
#include <stdio.h>
#include <shlwapi.h>
#include <psapi.h>

#pragma comment(lib, "psapi.lib")
#pragma comment(lib, "shlwapi.lib")

// Process-wide state shared between DllMain, the window-enumeration callback
// and the replacement window procedure. Nothing here is synchronized; the
// code relies on the strictly sequential rundll32 -> DllMain flow below.
TCHAR ModuleFile[MAX_PATH];   // host EXE path at first (DllMain), later overwritten with this DLL's own path
TCHAR szText[128] = {0};      // scratch buffer for window titles read in lpEnumWindowsProc
WNDPROC OldWindowProc;        // original wndproc of the "SAS window", saved so it can be restored
HWND hWinLogon;               // the "SAS window" handle found by lpEnumWindowsProc (NULL if never found)
HMODULE hDll;                 // this DLL's module handle; FreeSelfProc uses it to unload the DLL

// Replacement window procedure that lpEnumWindowsProc installs on winlogon's
// "SAS window". On the first WM_NULL (posted right after the swap) it
// unregisters the hotkeys owned by that window and immediately puts the
// original procedure back, so it is effectively a one-shot hook; every other
// message is forwarded untouched.
//
// Defender's note: swapping another process's window procedure only works
// from code already running inside that process, which is why the DLL has to
// be injected first (see DllMain). The detection opportunity is the
// injection step, not this procedure.
LRESULT CALLBACK NewWindowProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
if (message == WM_NULL)
{
// Hotkey ids are hard-coded; the key combinations in the trailing comments
// are the author's attribution and cannot be verified from this code alone.
::UnregisterHotKey(hWnd, 0); //Ctrl+Alt+delete
::UnregisterHotKey(hWnd, 4); //Ctrl+Shift+Esc
::UnregisterHotKey(hWnd, 5); //Win+L
::UnregisterHotKey(hWnd, 6); //Win+U
// Restore the original procedure. Casting a function pointer to LONG
// truncates it on 64-bit; this code assumes a 32-bit process.
::SetWindowLongPtr(hWnd, GWL_WNDPROC, (LONG)OldWindowProc);
return 1;
}

return CallWindowProc(OldWindowProc, hWnd, message, wParam, lParam);
}

// Enables SeDebugPrivilege on the current process token so that the later
// OpenProcess calls in DllMain can succeed against a protected system process
// (winlogon.exe). Returns FALSE if the token cannot be opened or if
// AdjustTokenPrivileges leaves a last-error other than ERROR_SUCCESS, TRUE
// otherwise.
//
// Review notes: hToken is never closed (leaked on every path); the result of
// LookupPrivilegeValue is not checked, so tkp may hold an unset LUID; and
// GetLastError() is read without first checking AdjustTokenPrivileges' own
// return value. A process enabling SeDebugPrivilege is a high-signal audit
// event and is a prerequisite for the remote-thread injection in DllMain.
BOOL WINAPI EnablePrivileges()
{
HANDLE hToken;
TOKEN_PRIVILEGES tkp;

if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
return( FALSE );

LookupPrivilegeValue(NULL, SE_DEBUG_NAME,
&tkp.Privileges[0].Luid);

tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

// Previous-state buffer is deliberately omitted (NULL, 0).
AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
(PTOKEN_PRIVILEGES)NULL, 0);

if (GetLastError() != ERROR_SUCCESS)
return FALSE;

return TRUE;
}

// EnumDesktopWindows callback used by DllMain inside winlogon. Looks for the
// top-level window titled "SAS window", records its handle in the global
// hWinLogon, replaces its window procedure with NewWindowProc (saving the
// previous one in OldWindowProc) and posts WM_NULL so NewWindowProc runs once
// on that window's own thread. Returns FALSE to stop enumerating after the
// first match, TRUE to continue.
//
// Review notes: the IsWindow check is redundant for handles delivered by the
// enumeration; the return value of SetWindowLongPtr is not checked, so on
// failure OldWindowProc stays NULL and the DLL_PROCESS_DETACH path in DllMain
// would then install a NULL window procedure on hWinLogon. The (LONG) cast
// assumes a 32-bit build.
BOOL CALLBACK lpEnumWindowsProc(HWND hwnd, LPARAM lParam)
{
if (IsWindow(hwnd))
{
::GetWindowText(hwnd, szText, _countof(szText));

if (!_tcscmp(szText, TEXT("SAS window")))
{
hWinLogon = hwnd;
OldWindowProc = (WNDPROC)::SetWindowLongPtr(hwnd, GWL_WNDPROC, (LONG)NewWindowProc);
// WM_NULL is the trigger NewWindowProc reacts to; it is posted, not sent,
// so the work happens on the window's thread after this callback returns.
PostMessage(hwnd, WM_NULL, 0, 0);
return FALSE;
}
}

return TRUE;
}

// Thread routine started from DllMain inside winlogon: unloads this DLL and
// terminates the calling thread in a single call. FreeLibraryAndExitThread
// does not return, so the trailing `return 1` is unreachable and exists only
// to satisfy the _beginthreadex signature. Arg is unused.
UINT _stdcall FreeSelfProc(void *Arg)
{
FreeLibraryAndExitThread(hDll, 0);
return 1;
}

// Entry point that carries the whole tool. The branch taken depends on the
// host process, detected by searching the host EXE path for "winlogon.exe":
//
//  * Loaded by anything else (the documented use is `rundll32 <dll>,Hook`):
//    enable SeDebugPrivilege, locate winlogon.exe by enumerating processes and
//    their base module names, copy this DLL's path into winlogon's address
//    space and start a remote thread at kernel32!LoadLibraryW pointing at it.
//    This is the textbook CreateRemoteThread DLL-injection sequence
//    (OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
//    CreateRemoteThread) and, aimed at winlogon.exe, exactly the API chain
//    endpoint monitoring is expected to alert on.
//  * Loaded inside winlogon.exe (the injected copy): open the "Winlogon"
//    desktop, enumerate its windows with lpEnumWindowsProc to subclass the
//    "SAS window", then spawn FreeSelfProc to unload itself.
//
// Review notes on the code as written:
//  - All of this runs directly in DllMain, i.e. under the loader lock. The
//    winlogon branch additionally blocks INFINITE on a thread it just
//    created; waiting on a fresh thread from DllMain is a widely documented
//    deadlock risk, since that thread needs the loader lock for its own
//    DLL_THREAD_ATTACH notification.
//  - The process-enumeration loop opens every PID with PROCESS_ALL_ACCESS and
//    never closes the handles of non-matching processes; the matching handle
//    is then re-opened without closing the first one.
//  - The early `return 0` paths leak hProcess and, once allocated, the remote
//    buffer Param.
//  - The return values of EnumProcesses and GetModuleBaseName are not
//    checked; szFileName may be uninitialized when the latter fails.
//  - WriteProcessMemory copies a fixed 256 bytes regardless of ModuleFile's
//    real length, and the remote routine is hard-coded to LoadLibraryW, so
//    the code assumes a UNICODE TCHAR build.
//  - In the winlogon branch the local `HDESK hWinLogon` shadows the global
//    `HWND hWinLogon` of the same name.
BOOL WINAPI DllMain(HINSTANCE hDllHandle, DWORD nReason, LPVOID Reserved)
{
switch ( nReason )
{
case DLL_PROCESS_ATTACH:
hDll = hDllHandle;
// NULL module handle -> path of the host executable, used to decide the branch.
GetModuleFileName(NULL, ModuleFile, _countof(ModuleFile));
EnablePrivileges();

if (StrStrI(ModuleFile, TEXT("winlogon.exe")))
{
// --- running inside winlogon.exe (the injected copy) ---
HANDLE hThread;
UINT ThreadId;

// Local HDESK shadows the global HWND hWinLogon; the global is set by the callback.
HDESK hWinLogon = OpenDesktop(TEXT("Winlogon"), 0, FALSE, GENERIC_ALL);
::EnumDesktopWindows(hWinLogon, lpEnumWindowsProc, NULL);
CloseDesktop(hWinLogon);

// Self-unload on a separate thread, then wait for it (see loader-lock note above).
hThread = (HANDLE)_beginthreadex(NULL, NULL, &FreeSelfProc, 0, 0, &ThreadId);
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
}
else
{
// --- running in the launcher (e.g. rundll32): inject into winlogon.exe ---
DWORD dwProcessId = 0;
HANDLE hProcess = 0;
DWORD ProcessList[512], cbNeeded, cProcess;
TCHAR szFileName[256];

EnumProcesses(ProcessList, sizeof(ProcessList), &cbNeeded);
cProcess = cbNeeded/sizeof(DWORD);

// Linear scan for the PID whose base module name is winlogon.exe.
// Handles opened for non-matching PIDs are never closed.
for (UINT i=0; i<cProcess; i++)
{
if (ProcessList[i] != 0)
{
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessList[i]);
if (hProcess)
{
GetModuleBaseName(hProcess, NULL, szFileName, _countof(szFileName));
if (!_tcsicmp(szFileName, TEXT("winlogon.exe")))
{
dwProcessId = ProcessList[i];
break;
}
}
}
}

// Re-opens the already-open handle; the previous one is overwritten, not closed.
if (dwProcessId)
{
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
}

if (!hProcess)
{
return 0;
}

// Remote buffer receives this DLL's path, which becomes LoadLibraryW's argument.
LPVOID Param = VirtualAllocEx(hProcess, 0, 512, MEM_COMMIT, PAGE_READWRITE);
if (!Param)
{
MessageBox(NULL, TEXT("申请内存失败"), TEXT("申请内存失败"), MB_ICONWARNING);
return 0;
}

// ModuleFile now holds this DLL's own path (non-NULL module handle), not the host's.
GetModuleFileName(hDllHandle, ModuleFile, _countof(ModuleFile));

// Fixed 256-byte copy, independent of the actual path length.
if (!WriteProcessMemory(hProcess, Param, (LPVOID)ModuleFile, 256, NULL))
{
MessageBox(NULL, TEXT("写入内存失败"), TEXT("写入内存失败"), MB_ICONWARNING);
return 0;
}

// Remote thread entry is kernel32!LoadLibraryW with the copied path as its
// single argument; the target process then runs this DLL's winlogon branch.
HANDLE hThread = CreateRemoteThread(hProcess,
NULL,
NULL,
(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "LoadLibraryW"),
Param,
NULL,
NULL);
if (hThread)
{
WaitForSingleObject(hThread, INFINITE);
}
else
{
TCHAR sztmp[1024];
_stprintf_s(sztmp, _countof(sztmp), TEXT("创建远程线程失败, 错误代码:%d, dll=%s"), GetLastError(), ModuleFile);
MessageBox(NULL, sztmp, TEXT("创建远程线程失败"), MB_ICONWARNING);
return 0;
}

VirtualFreeEx(hProcess, Param , 0, MEM_RELEASE);
CloseHandle(hThread);
CloseHandle(hProcess);
}
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
// Best-effort restore of the original wndproc on unload. hWinLogon and
// OldWindowProc are both NULL if lpEnumWindowsProc never matched, in which
// case this call is made with a NULL window handle.
::SetWindowLongPtr(hWinLogon, GWL_WNDPROC, (LONG)OldWindowProc);
break;
default:
break;
}

return 1;
}

// Exported no-op. It exists only so that `rundll32 <path>,Hook` has an entry
// point to call; all of the actual work happens in DllMain(DLL_PROCESS_ATTACH)
// when rundll32 loads the DLL. Always returns 1.
EXTERN_C __declspec(dllexport) int Hook(void)
{
return 1;
}