Completely Blocking the Ctrl+Alt+Del Key

1. Preface

  On Windows 9x/Me, Ctrl+Alt+Del and the various task-switching keys are blocked like this:

BOOL bOldState;
SystemParametersInfo(SPI_SETSCREENSAVERRUNNING, TRUE, &bOldState, 0);

On the NT platform, however, this method no longer works, and even hooks cannot intercept this key combination (the reason is explained later). Many solutions by skilled people can be found online; here I give a brief summary of them, then present a complete solution and provide the ShellCode data that VC, Delphi and other programmers need. Finally, since VB is awkward for this kind of work, I also give the complete VB source, which I believe is a good example that will teach VB programmers a few more techniques.

2. Solutions that fall short

  Principle: proxy the relevant system DLL and give the relevant functions special treatment.
  Drawbacks: inconvenient to use, and the result is poor (the screen flickers).
  This approach is discussed in detail below:

  On the NT platform, user logon is handled by Winlogon together with GINA (Graphical Identification and Authentication). Winlogon is the part of Windows that provides interactive logon support, and GINA is the DLL that Winlogon uses to perform authentication; that DLL is msgina.dll. WlxInitialize and WlxActivateUserShell are among its exports, and of course there are others besides these two: the former initialises the DLL itself, the latter activates the user's shell program. Windows uses this DLL to implement user-name-plus-password authentication, but developers can replace msgina.dll with a GINA of their own, for example to authenticate with smart cards, retina scanners, DNA checks and so on instead of asking for a user name and password. The table below lists all the GINA-related functions. One of them is WlxLoggedOnSAS, which Winlogon calls when Ctrl+Alt+Del is pressed.

(Table 1) GINA function overview (function: description)
WlxActivateUserShell: activates the user's shell program
WlxDisplayLockedNotice: allows the GINA DLL to display a "locked" message
WlxDisplaySASNotice: Winlogon calls this when no user is logged on
WlxDisplayStatusMessage: Winlogon calls this with a status message to be displayed
WlxGetConsoleSwitchCredentials: Winlogon calls this to read the currently logged-on user's credentials and pass them transparently to the target session
WlxGetStatusMessage: Winlogon calls this to obtain the current status message
WlxInitialize: initialises the GINA DLL for the specified window station
WlxIsLockOk: verifies that locking the workstation is OK
WlxIsLogoffOk: verifies that logging off is OK
WlxLoggedOnSAS: Winlogon calls this when a SAS event arrives while a user is logged on and the workstation is not locked
WlxLoggedOutSAS: Winlogon calls this when a SAS event arrives while no user is logged on
WlxLogoff: notifies the GINA DLL that a logoff has been requested
WlxNegotiate: indicates whether the current Winlogon version can use this GINA DLL
WlxNetworkProviderLoad: Winlogon calls this after the network provider has been loaded and identity and authentication information has been collected
WlxRemoveStatusMessage: Winlogon calls this to tell the GINA DLL to stop displaying the status message
WlxScreensaverNotify: allows the GINA to interact with screen-saver operation
WlxShutdown: Winlogon calls this before shutdown so the GINA can perform any shutdown tasks, such as ejecting a smart card from its reader
WlxStartApplication: called when the system needs to start an application in the user's context
WlxWkstaLockedSAS: Winlogon calls this when a SAS arrives while the workstation is locked


By default GINA shows the logon dialog and the user enters a user name and password. So, to block Ctrl+Alt+Del, you can write a new MyGina.dll that exposes the same interface, forwards calls to the functions in msgina.dll, and handles WlxLoggedOnSAS itself. Alternatively, you can write a keyboard driver.

  NT lets us use our own GINA, so we only need to write such a DLL: the unrelated functions can simply forward to the functions of the original GINA library, and we handle only WlxLoggedOnSAS. In that function a global atom can be used to block Ctrl+Alt+Del conditionally: if a particular atom (one you define) exists, return WLX_SAS_ACTION_NONE, which switches the screen back to the application desktop, so it looks as if Ctrl+Alt+Del has been blocked, although the screen flickers once. I won't list the implementation, since it is not the point of this article and there is plenty of reference code online. How to install the DLL is also something you can look up yourself; there is a lot out there.

3. An alternative implementation of the imperfect solution

  This method is my improvement on the principle above; it fixes the inconvenient installation but introduces many other drawbacks. Concretely, it uses the process-memory read/write functions and the virtual-memory management functions to patch the GINA functions inside the Winlogon process at run time. Opening the Winlogon process is discussed below; how to locate the functions and how to read and write the memory you can research yourself.

4. The complete solution

  A keyboard driver would solve this completely, but that is using a sledgehammer to crack a nut. In fact, once you log on, Winlogon creates a new desktop and starts Explorer there, while Winlogon itself stays on another desktop, also named Winlogon. In other words, NT has at least one more desktop: the one you see before logging on (as an aside, this is why writing a virtual-desktop tool should not be hard for you). To the system, Ctrl+Alt+Del is just a hot key; it is merely routed to the Winlogon desktop, and so there must be a window there that handles this hot-key message. The solution follows: if we can find that window and subclass it, well, then... (Using the ShellCode I provide, four windows are enumerated on the Winlogon desktop on my machine; one is named "SAS window", the others are IME windows and the like, so it is easy to guess that SAS window is the one.) Because we need to subclass a window on the Winlogon desktop, we have no choice but to use a remote thread. This article injects all of the code into the Winlogon process instead of loading a DLL remotely, so no third-party files are needed while you develop your program (which should suit you).

  Describing this in words is hard for me; for programmers, code is the best language. I originally developed this in Win32ASM and later rewrote it in VB. The VB version is listed below, since high-level-language code can be read by more people.

'<Application code (one Form with two buttons, cmdLock and cmdUnLock)>
Option Explicit

Private Sub cmdLock_Click()
    If LockKeyboard(True) Then
        cmdLock.Enabled = False
        cmdUnLock.Enabled = True
    End If
End Sub

Private Sub cmdUnLock_Click()
    If LockKeyboard(False) Then
        cmdLock.Enabled = True
        cmdUnLock.Enabled = False
    End If
End Sub

Private Sub Form_Load()
Dim bIsLock As Boolean
    bIsLock = GetKeyboardState
    cmdLock.Enabled = Not bIsLock
    cmdUnLock.Enabled = bIsLock
End Sub


'<Module code>
' /----------------------------------------------------------/
' |       Block all key messages on NT systems, v2.1         |
' |       ==========================================         |
' |  Author : Hackor(阿国哥)                                 |
' |  Email  : hackor@yeah.net                                |
' |  Website: http://www.aguoge.com                          |
' |  ~~~~~~~~ Please keep the original author info ~~~~~~~~  |
' |                                                          |
' |  Usage:                                                  |
' |    Call LockKeyboard(T | F)                              |
' |    Returns: True on success; False on failure            |
' |                                                          |
' |    Call GetKeyboardState                                 |
' |    Returns: True if locked                               |
' |                                                          |
' |                                                          |
' |  How it works:                                           |
' |    Ctrl+Alt+Del is locked with a remote thread, code     |
' |    injection and subclassing                             |
' |    Other keyboard messages use an ordinary hook          |
' |                                                          |
' |  This module shows VB programmers remote threads, code   |
' |  injection and other techniques that seem reserved for   |
' |  Delphi and VC programmers; many trojans today also use  |
' |  these techniques heavily. Injection is stealthier than  |
' |  DLL hooking: after injection there is no process and    |
' |  no file.                                                |
' /----------------------------------------------------------/
Option Explicit

'Whether to also handle other keyboard messages; True means handle them.
#Const INC_OTHER_KEY = True

'Note: every API that has two versions is declared as the UNICODE version below, and many places differ from the code generated by VB's API Viewer.
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

Private Declare Function GlobalAddAtom Lib "kernel32" Alias "GlobalAddAtomW" (ByVal lpString As Long) As Integer
Private Declare Function GlobalDeleteAtom Lib "kernel32" (ByVal nAtom As Integer) As Integer
Private Declare Function GlobalFindAtom Lib "kernel32" Alias "GlobalFindAtomW" (ByVal lpString As Long) As Integer

Private Const TH32CS_SNAPPROCESS = 2
Private Type PROCESSENTRY32W
    dwSize              As Long
    cntUsage            As Long
    h32ProcessID        As Long '    // this process
    th32DefaultHeapID  As Long '
    h32ModuleID        As Long '    // associated exe
    cntThreads          As Long '
    th32ParentProcessID As Long '    // this process's parent process
    pcPriClassBase      As Long '    // Base priority of process's threads
    dwFlags            As Long '
    szExeFile(1 To 260) As Integer ' // Path
End Type
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Process32First Lib "kernel32" Alias "Process32FirstW" (ByVal hSnapshot As Long, lpPE As PROCESSENTRY32W) As Long
Private Declare Function Process32Next Lib "kernel32" Alias "Process32NextW" (ByVal hSnapshot As Long, lpPE As PROCESSENTRY32W) As Long
Private Declare Function lstrcmpi Lib "kernel32" Alias "lstrcmpiW" (lpString1 As Integer, ByVal lpString2 As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetLastError Lib "kernel32" () As Long


Private Type LUID
    lowpart    As Long
    highpart    As Long
End Type
Private Type LUID_AND_ATTRIBUTES
        pLuid      As LUID
        Attributes  As Long
End Type
Private Type TOKEN_PRIVILEGES
    PrivilegeCount  As Long
    Privileges      As LUID_AND_ATTRIBUTES
End Type
Private Const PROCESS_ALL_ACCESS        As Long = &H1F0FFF
Private Const TOKEN_QUERY              As Long = &H8&
Private Const TOKEN_ADJUST_PRIVILEGES  As Long = &H20&
Private Const SE_PRIVILEGE_ENABLED      As Long = &H2
Private Const SE_DEBUG_NAME As String = "SeDebugPrivilege"
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueW" (ByVal lpSystemName As Long, ByVal lpName As Long, lpLuid As LUID) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, ByVal PrevState As Long, ByVal N As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleW" (ByVal lpwModuleName As Long) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long

Private Const MEM_COMMIT        As Long = &H1000
Private Const MEM_DECOMMIT      As Long = &H4000
Private Const PAGE_EXECUTE_READWRITE    As Long = &H40
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal ProcessHandle As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal ProcessHandle As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Long, lpExitCode As Long) As Long

#If INC_OTHER_KEY Then
Private Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExW" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Private Declare Function UnhookWindowsHookEx Lib "user32" (ByVal hHook As Long) As Long
Private Declare Function CallNextHookEx Lib "user32" (ByVal hHook As Long, ByVal nCode As Long, ByVal wParam As Long, lParam As Any) As Long
#End If

Private Const ATOM_FLAG As String = "HookSysKey"
Private Const SHELL_FALG As String = "Winlogon"

Private Const SHELL_CODE_DWORDLEN = 317    'number of DWORDs the injected code occupies
Private Const SHELL_CODE_LENGTH = (SHELL_CODE_DWORDLEN * 4) 'byte count
Private Const SHELL_FUNCOFFSET = &H8      'offset of the thread function inside the injected code
Private mlShellCode(SHELL_CODE_DWORDLEN - 1) As Long

#If INC_OTHER_KEY Then
Private m_lHookID      As Long            'keyboard hook handle
'!! V2.1: a keyboard-hook example was added at readers' request
Private Type KBDLLHOOKSTRUCT
    vkCode          As Long
    scanCode        As Long
    flags          As Long
    time            As Long
    dwExtraInfo    As Long
End Type
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
#End If

'============================================
' Lock/unlock the keyboard
' Parameter: Boolean, True means lock
' Returns:   Boolean, True means success
' Note: keys other than Ctrl+Alt+Del use an ordinary hook,
'       so remember to unhook when the program exits.
'============================================
Public Function LockKeyboard(ByVal bLock As Boolean) As Boolean
Dim lResult As Long
Dim lStrPtr  As Long
Dim iAtom  As Integer

    lStrPtr = StrPtr(SHELL_FALG)
    iAtom = GlobalFindAtom(lStrPtr)
    If iAtom = 0 Then
        lResult = InsertAsmCode
        Debug.Assert lResult = 0
        If lResult Then Exit Function
    End If

    lStrPtr = StrPtr(ATOM_FLAG)
    iAtom = GlobalFindAtom(lStrPtr)
    If bLock Then
        #If INC_OTHER_KEY Then
            'Strongly recommended: when SetWindowsHookEx is used, compile before running!
            m_lHookID = SetWindowsHookEx(13, AddressOf LowLevelKeyboardProc, App.hInstance, 0)
        #End If

        If iAtom = 0 Then iAtom = GlobalAddAtom(lStrPtr)
        LockKeyboard = (iAtom <> 0)
        Debug.Assert LockKeyboard
    Else
        #If INC_OTHER_KEY Then
            If m_lHookID Then Call UnhookWindowsHookEx(m_lHookID)
        #End If
        If iAtom Then iAtom = GlobalDeleteAtom(iAtom)
        LockKeyboard = iAtom = 0
    End If
End Function

Public Function GetKeyboardState() As Boolean
    GetKeyboardState = GlobalFindAtom(StrPtr(ATOM_FLAG)) <> 0
End Function



#If INC_OTHER_KEY Then
Private Function LowLevelKeyboardProc(ByVal nCode As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Dim KBEvent As KBDLLHOOKSTRUCT
    If nCode >= 0 Then
        'Real filtering conditions can be added here
        CopyMemory KBEvent, ByVal lParam, 20&  'sizeof KBDLLHOOKSTRUCT = 20
        'wParam = the message, e.g. WM_KEYDOWN, WM_KEYUP
        Debug.Print Hex$(KBEvent.vkCode)    'VK_??? key code
        LowLevelKeyboardProc = 1            '1 blocks the key; otherwise CallNextHookEx should be called
    Else
        LowLevelKeyboardProc = CallNextHookEx(m_lHookID, nCode, wParam, lParam)
    End If
End Function
#End If

'----------------------------------------------
' Remote thread injection function
' Purpose: inject the remote-thread code into the Winlogon process and run it
' Returns: 0 on success, otherwise a standard system error code
'----------------------------------------------
Private Function InsertAsmCode() As Long
Const WINLOGON As String = "Winlogon.exe"
Dim hProcess As Long    'remote process handle
Dim hPId    As Long    'remote process ID
Dim lResult As Long    'general return variable
Dim pToken  As TOKEN_PRIVILEGES
Dim hToken  As Long
Dim hRemoteThread As Long
Dim hRemoteThreadID As Long
Dim lDbResult(1) As Long
Dim lRemoteAddr As Long

    '------------------------------------
    'Get the winlogon process ID
    '------------------------------------
    hPId = GetProcessIdFromName(WINLOGON)
    If hPId = 0 Then
        InsertAsmCode = GetLastError
        Debug.Assert False
        Exit Function
    End If

    '------------------------------------
    'Raise this process's privileges to get permission to operate on the winlogon process
    '------------------------------------
    lResult = OpenProcessToken(GetCurrentProcess(), _
                              TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, _
                              hToken)
    Debug.Assert lResult
    lResult = LookupPrivilegeValue(0, StrPtr(SE_DEBUG_NAME), pToken.Privileges.pLuid)
    Debug.Assert lResult
    pToken.PrivilegeCount = 1
    pToken.Privileges.Attributes = SE_PRIVILEGE_ENABLED
    lResult = AdjustTokenPrivileges(hToken, False, pToken, Len(pToken), 0, 0)
    Debug.Assert lResult

    '------------------------------------
    'Open the winlogon process
    '------------------------------------
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, hPId)
    Debug.Assert hProcess

    If hProcess Then
        '------------------------------------
        'Initialise the injected code
        '------------------------------------
        Call InitShellCode

        '------------------------------------
        'Allocate memory in the remote process
        '------------------------------------
        lRemoteAddr = VirtualAllocEx(hProcess, 0, SHELL_CODE_LENGTH, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
        Debug.Assert lRemoteAddr

        '------------------------------------
        'Write the shell code
        '------------------------------------
        If lRemoteAddr Then
            'WriteProcessMemory returns non-zero on success, so a zero return is the failure case
            If WriteProcessMemory(hProcess, lRemoteAddr, mlShellCode(0), SHELL_CODE_LENGTH, 0) = 0 Then
                InsertAsmCode = GetLastError
                Exit Function
            End If
        Else
            InsertAsmCode = GetLastError
            Exit Function
        End If

        '------------------------------------
        'Create the remote thread
        '------------------------------------
        hRemoteThread = CreateRemoteThread(hProcess, 0, 0, lRemoteAddr + SHELL_FUNCOFFSET, 0, 0, hRemoteThreadID)
        If hRemoteThread = 0 Then
            InsertAsmCode = GetLastError
            Debug.Assert hRemoteThread
            Exit Function
        End If

        '------------------------------------
        'Wait for the remote thread
        '------------------------------------
        Call WaitForSingleObject(hRemoteThread, -1)
        Call GetExitCodeThread(hRemoteThread, InsertAsmCode)
        Call CloseHandle(hRemoteThread)

        '------------------------------------
        'Free the remote process memory
        '------------------------------------
        Call VirtualFreeEx(hProcess, lRemoteAddr, SHELL_CODE_LENGTH, MEM_DECOMMIT)
    Else
        InsertAsmCode = GetLastError
    End If
End Function

'============================================
' Initialise the thread code
'============================================
Private Function InitShellCode() As Long
Const kernel32 As String = "kernel32.dll"
Dim hDll    As Long
    '------------------------------------
    'Fetch the API functions the injected code needs
    '------------------------------------
    hDll = GetModuleHandle(StrPtr(kernel32)):                Debug.Assert hDll
    mlShellCode(0) = GetProcAddress(hDll, "GetModuleHandleW")
    mlShellCode(1) = GetProcAddress(hDll, "GetProcAddress")

    '---------------------------
    ' The following code was produced by MASM32
    mlShellCode(2) = &HE853&
    mlShellCode(3) = &H815B0000
    mlShellCode(4) = &H40100EEB
    mlShellCode(5) = &H238E800
    mlShellCode(6) = &HC00B0000
    mlShellCode(7) = &H838D5075
    mlShellCode(8) = &H4010B0
    mlShellCode(9) = &HD093FF50
    mlShellCode(10) = &HF004013
    mlShellCode(11) = &HC00BC0B7
    mlShellCode(12) = &H683A75
    mlShellCode(13) = &H6A020000
    mlShellCode(14) = &H8D006A00
    mlShellCode(15) = &H4010B083
    mlShellCode(16) = &H93FF5000
    mlShellCode(17) = &H401090
    mlShellCode(18) = &H1874C00B
    mlShellCode(19) = &H10C2938D
    mlShellCode(20) = &H6A0040
    mlShellCode(21) = &H93FF5052
    mlShellCode(22) = &H401094
    mlShellCode(23) = &H474C00B
    mlShellCode(24) = &HAEB0AEB
    mlShellCode(25) = &H108C93FF
    mlShellCode(26) = &H2EB0040
    mlShellCode(27) = &HC25BC033
    mlShellCode(28) = &HFF8B0004
    mlShellCode(38) = &H410053
    mlShellCode(39) = &H200053
    mlShellCode(40) = &H690077
    mlShellCode(41) = &H64006E
    mlShellCode(42) = &H77006F
    mlShellCode(43) = &HFF8B0000
    mlShellCode(44) = &H690057
    mlShellCode(45) = &H6C006E
    mlShellCode(46) = &H67006F
    mlShellCode(47) = &H6E006F
    mlShellCode(48) = &H8B550000
    mlShellCode(49) = &HF0C481EC
    mlShellCode(50) = &H53FFFFFD
    mlShellCode(51) = &HE8&
    mlShellCode(52) = &HEB815B00
    mlShellCode(53) = &H4010D1
    mlShellCode(54) = &H10468
    mlShellCode(55) = &HF8858D00
    mlShellCode(56) = &H50FFFFFD
    mlShellCode(57) = &HFF0875FF
    mlShellCode(58) = &H40108093
    mlShellCode(59) = &HF8858D00
    mlShellCode(60) = &H50FFFFFD
    mlShellCode(61) = &H1098838D
    mlShellCode(62) = &HFF500040
    mlShellCode(63) = &H40107C93
    mlShellCode(64) = &H75C00B00
    mlShellCode(65) = &H68406A69
    mlShellCode(66) = &H1000&
    mlShellCode(67) = &H7668&
    mlShellCode(68) = &HFF006A00
    mlShellCode(69) = &H40107493
    mlShellCode(70) = &H74C00B00
    mlShellCode(71) = &H85896054
    mlShellCode(72) = &HFFFFFDF0
    mlShellCode(73) = &H75FFFC6A
    mlShellCode(74) = &H8493FF08
    mlShellCode(75) = &H8D004010
    mlShellCode(76) = &H4013C893
    mlShellCode(77) = &HFC028900
    mlShellCode(78) = &HFDF0BD8B
    mlShellCode(79) = &H76B9FFFF
    mlShellCode(80) = &H8D000000
    mlShellCode(81) = &H401374B3
    mlShellCode(82) = &H8DA4F300
    mlShellCode(83) = &H4010B083
    mlShellCode(84) = &H93FF5000
    mlShellCode(85) = &H401078
    mlShellCode(86) = &HFDF0B5FF
    mlShellCode(87) = &HFC6AFFFF
    mlShellCode(88) = &HFF0875FF
    mlShellCode(89) = &H40108893
    mlShellCode(90) = &HC0336100
    mlShellCode(91) = &HC03303EB
    mlShellCode(92) = &HC2C95B40
    mlShellCode(93) = &H6B0008
    mlShellCode(94) = &H720065
    mlShellCode(95) = &H65006E
    mlShellCode(96) = &H33006C
    mlShellCode(97) = &H2E0032
    mlShellCode(98) = &H6C0064
    mlShellCode(99) = &H6C&
    mlShellCode(100) = &H730075
    mlShellCode(101) = &H720065
    mlShellCode(102) = &H320033
    mlShellCode(103) = &H64002E
    mlShellCode(104) = &H6C006C
    mlShellCode(105) = &H69560000
    mlShellCode(106) = &H61757472
    mlShellCode(107) = &H6572466C
    mlShellCode(108) = &H6C470065
    mlShellCode(109) = &H6C61626F
    mlShellCode(110) = &H646E6946
    mlShellCode(111) = &H6D6F7441
    mlShellCode(112) = &H6C470057
    mlShellCode(113) = &H6C61626F
    mlShellCode(114) = &H41646441
    mlShellCode(115) = &H576D6F74
    mlShellCode(116) = &H74736C00
    mlShellCode(117) = &H706D6372
    mlShellCode(118) = &H4F005769
    mlShellCode(119) = &H446E6570
    mlShellCode(120) = &H746B7365
    mlShellCode(121) = &H57706F
    mlShellCode(122) = &H6D756E45
    mlShellCode(123) = &H6B736544
    mlShellCode(124) = &H57706F74
    mlShellCode(125) = &H6F646E69
    mlShellCode(126) = &H47007377
    mlShellCode(127) = &H69577465
    mlShellCode(128) = &H776F646E
    mlShellCode(129) = &H74786554
    mlShellCode(130) = &H65470057
    mlShellCode(131) = &H6E695774
    mlShellCode(132) = &H4C776F64
    mlShellCode(133) = &H57676E6F
    mlShellCode(134) = &H74655300
    mlShellCode(135) = &H646E6957
    mlShellCode(136) = &H6F4C776F
    mlShellCode(137) = &H57676E
    mlShellCode(138) = &H6C6C6143
    mlShellCode(139) = &H646E6957
    mlShellCode(140) = &H7250776F
    mlShellCode(141) = &H57636F
    mlShellCode(142) = &H4C746547
    mlShellCode(143) = &H45747361
    mlShellCode(144) = &H726F7272
    mlShellCode(145) = &H72695600
    mlShellCode(146) = &H6C617574
    mlShellCode(147) = &H6F6C6C41
    mlShellCode(148) = &H8B550063
    mlShellCode(149) = &HFCC483EC
    mlShellCode(150) = &H48C03360
    mlShellCode(151) = &H8DFC4589
    mlShellCode(152) = &H40117683
    mlShellCode(153) = &H93FF5000
    mlShellCode(154) = &H401000
    mlShellCode(155) = &H840FC00B
    mlShellCode(156) = &HFA&
    mlShellCode(157) = &H838DF88B
    mlShellCode(158) = &H401190
    mlShellCode(159) = &H93FF50
    mlShellCode(160) = &HB004010
    mlShellCode(161) = &HE3840FC0
    mlShellCode(162) = &H8B000000
    mlShellCode(163) = &H45838DF0
    mlShellCode(164) = &H50004012
    mlShellCode(165) = &H493FF57
    mlShellCode(166) = &H89004010
    mlShellCode(167) = &H40107483
    mlShellCode(168) = &H38838D00
    mlShellCode(169) = &H50004012
    mlShellCode(170) = &H493FF57
    mlShellCode(171) = &H89004010
    mlShellCode(172) = &H40108C83
    mlShellCode(173) = &HC2838D00
    mlShellCode(174) = &H50004011
    mlShellCode(175) = &H493FF57
    mlShellCode(176) = &H89004010
    mlShellCode(177) = &H40107883
    mlShellCode(178) = &HB2838D00
    mlShellCode(179) = &H50004011
    mlShellCode(180) = &H493FF57
    mlShellCode(181) = &H89004010
    mlShellCode(182) = &H4013D083
    mlShellCode(183) = &HD1838D00
    mlShellCode(184) = &H50004011
    mlShellCode(185) = &H493FF57
    mlShellCode(186) = &H89004010
    mlShellCode(187) = &H40107C83
    mlShellCode(188) = &HDB838D00
    mlShellCode(189) = &H50004011
    mlShellCode(190) = &H493FF56
    mlShellCode(191) = &H89004010
    mlShellCode(192) = &H40109083
    mlShellCode(193) = &HE8838D00
    mlShellCode(194) = &H50004011
    mlShellCode(195) = &H493FF56
    mlShellCode(196) = &H89004010
    mlShellCode(197) = &H40109483
    mlShellCode(198) = &HFB838D00
    mlShellCode(199) = &H50004011
    mlShellCode(200) = &H493FF56
    mlShellCode(201) = &H89004010
    mlShellCode(202) = &H40108083
    mlShellCode(203) = &HA838D00
    mlShellCode(204) = &H50004012
    mlShellCode(205) = &H493FF56
    mlShellCode(206) = &H89004010
    mlShellCode(207) = &H40108483
    mlShellCode(208) = &H19838D00
    mlShellCode(209) = &H50004012
    mlShellCode(210) = &H493FF56
    mlShellCode(211) = &H89004010
    mlShellCode(212) = &H40108883
    mlShellCode(213) = &H28838D00
    mlShellCode(214) = &H50004012
    mlShellCode(215) = &H493FF56
    mlShellCode(216) = &H89004010
    mlShellCode(217) = &H4013CC83
    mlShellCode(218) = &H89C03300
    mlShellCode(219) = &H8B61FC45
    mlShellCode(220) = &HC3C9FC45
    mlShellCode(221) = &H53EC8B55
    mlShellCode(222) = &HE8&
    mlShellCode(223) = &HEB815B00
    mlShellCode(224) = &H40137D
    mlShellCode(225) = &H120C7D81
    mlShellCode(226) = &H75000003
    mlShellCode(227) = &HD4838D1C
    mlShellCode(228) = &H50004013
    mlShellCode(229) = &H13D093FF
    mlShellCode(230) = &HB70F0040
    mlShellCode(231) = &H74C00BC0
    mlShellCode(232) = &H40C03308
    mlShellCode(233) = &H10C2C95B
    mlShellCode(234) = &H1475FF00
    mlShellCode(235) = &HFF1075FF
    mlShellCode(236) = &H75FF0C75
    mlShellCode(237) = &HC8B3FF08
    mlShellCode(238) = &HFF004013
    mlShellCode(239) = &H4013CC93
    mlShellCode(240) = &HC2C95B00
    mlShellCode(241) = &HFF8B0010
    mlShellCode(245) = &H6F0048
    mlShellCode(246) = &H6B006F
    mlShellCode(247) = &H790053
    mlShellCode(248) = &H4B0073
    mlShellCode(249) = &H790065
    mlShellCode(250) = &H8B550000
    mlShellCode(251) = &HD8C481EC
    mlShellCode(252) = &HE8FFFFFD
    mlShellCode(253) = &H226&
    mlShellCode(254) = &H8DE84589
    mlShellCode(255) = &H6A50EC45
    mlShellCode(256) = &HE875FF28
    mlShellCode(257) = &H24BE8
    mlShellCode(258) = &HFC00B00
    mlShellCode(259) = &H11584
    mlShellCode(260) = &HF4458D00
    mlShellCode(261) = &H20606850
    mlShellCode(262) = &H6A0040
    mlShellCode(263) = &H22DE8
    mlShellCode(264) = &H74C00B00
    mlShellCode(265) = &HF045C722
    mlShellCode(266) = &H1&
    mlShellCode(267) = &H2FC45C7
    mlShellCode(268) = &H6A000000
    mlShellCode(269) = &H6A006A00
    mlShellCode(270) = &HF0458D00
    mlShellCode(271) = &HFF006A50
    mlShellCode(272) = &H1E8EC75
    mlShellCode(273) = &HFF000002
    mlShellCode(274) = &H6A0875
    mlShellCode(275) = &H1F0FFF68
    mlShellCode(276) = &H1CEE800
    mlShellCode(277) = &H45890000
    mlShellCode(278) = &H68046AE8
    mlShellCode(279) = &H1000&
    mlShellCode(280) = &H4F268
    mlShellCode(281) = &HFF006A00
    mlShellCode(282) = &HC1E8E875
    mlShellCode(283) = &H89000001
    mlShellCode(284) = &H6AE445
    mlShellCode(285) = &H4F268
    mlShellCode(286) = &H10006800
    mlShellCode(287) = &H75FF0040
    mlShellCode(288) = &HE875FFE4
    mlShellCode(289) = &H1B9E8
    mlShellCode(290) = &H30186800
    mlShellCode(291) = &H86A0040
    mlShellCode(292) = &H40300068
    mlShellCode(293) = &HE475FF00
    mlShellCode(294) = &HE8E875FF
    mlShellCode(295) = &H1A2&
    mlShellCode(296) = &H81E4558B
    mlShellCode(297) = &H8C2&
    mlShellCode(298) = &H6A006A00
    mlShellCode(299) = &H52006A00
    mlShellCode(300) = &H6A006A
    mlShellCode(301) = &HE8E875FF
    mlShellCode(302) = &H156&
    mlShellCode(303) = &H144E850
    mlShellCode(304) = &H18680000
    mlShellCode(305) = &H6A004030
    mlShellCode(306) = &H30006808
    mlShellCode(307) = &H75FF0040
    mlShellCode(308) = &HE875FFE4
    mlShellCode(309) = &H151E8
    mlShellCode(310) = &H58D00
    mlShellCode(311) = &H8B004030
    mlShellCode(312) = &H4408B10
    mlShellCode(313) = &HCB685250
    mlShellCode(314) = &H8D004020
    mlShellCode(315) = &HFFFDD885
    mlShellCode(316) = &H909050FF
End Function

'-------------------------------------------
' Get a process ID from an executable name
' Parameter: executable file name (with extension)
' Returns:   process ID; 0 means not found
'-------------------------------------------
Private Function GetProcessIdFromName(ByVal sName As String) As Long
Dim hSnapshot  As Long
Dim lpPE        As PROCESSENTRY32W
Dim lpWinlogon  As Long

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    'CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE (-1), not 0, on failure
    If hSnapshot = -1 Then Exit Function
    lpPE.dwSize = Len(lpPE)
    If Process32First(hSnapshot, lpPE) Then
        lpWinlogon = StrPtr(sName)
        Do
            If lstrcmpi(lpPE.szExeFile(1), lpWinlogon) = 0 Then
                GetProcessIdFromName = lpPE.h32ProcessID
                Exit Do
            End If
            If Process32Next(hSnapshot, lpPE) = 0 Then Exit Do
        Loop
    End If
    Call CloseHandle(hSnapshot)
End Function
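The chain the module above performs (enable SeDebugPrivilege, OpenProcess on winlogon.exe with PROCESS_ALL_ACCESS, VirtualAllocEx with PAGE_EXECUTE_READWRITE, WriteProcessMemory, CreateRemoteThread at base + SHELL_FUNCOFFSET) is exactly what a defender watches for. The detector below is an added example, not code from the original post: it walks a constructed API-call trace (the event format, field names and sample values are assumptions) and flags any caller that completes the chain against winlogon.exe, rating the finding higher when the thread starts inside the RWX allocation; Python is used because it is the convenient language for this kind of log analysis.

```python
# Added example: detect the winlogon.exe injection chain in an API-call trace.
# Event format and sample trace are constructed for this example; real events
# would come from an ETW/Sysmon-style tracer.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Win32 access rights the chain needs on the target process handle.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_ACCESS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
PROCESS_ALL_ACCESS = 0x1F0FFF       # what the VB module requests
PAGE_EXECUTE_READWRITE = 0x40       # RWX protection the module allocates with

PROTECTED_IMAGES = {"winlogon.exe"}


@dataclass(frozen=True)
class ApiEvent:
    pid: int                                   # calling process
    api: str                                   # API name as recorded by the tracer
    target: str = ""                           # image the handle refers to, "" if none
    args: Dict[str, object] = field(default_factory=dict)


@dataclass
class _ChainState:
    debug_priv: bool = False
    opened: bool = False        # caller holds a handle with inject-capable rights
    wrote: bool = False         # caller has written into the target
    rwx_base: int = 0
    rwx_size: int = 0

    def in_rwx(self, addr: int) -> bool:
        return self.rwx_size > 0 and self.rwx_base <= addr < self.rwx_base + self.rwx_size


def analyse(events: Iterable[ApiEvent]) -> List[Dict[str, object]]:
    """Single pass over the trace; one finding per caller that creates a remote
    thread in a protected image after obtaining write access to it."""
    state: Dict[int, _ChainState] = {}
    findings: List[Dict[str, object]] = []
    for ev in events:
        st = state.setdefault(ev.pid, _ChainState())
        if ev.api == "AdjustTokenPrivileges":
            if ev.args.get("privilege") == "SeDebugPrivilege":
                st.debug_priv = True
            continue
        if ev.target.lower() not in PROTECTED_IMAGES:
            continue                            # only calls aimed at winlogon.exe matter
        if ev.api == "OpenProcess":
            access = int(ev.args.get("access", 0))
            st.opened = (access & INJECT_ACCESS) == INJECT_ACCESS
        elif ev.api == "VirtualAllocEx" and st.opened:
            if int(ev.args.get("protect", 0)) == PAGE_EXECUTE_READWRITE:
                st.rwx_base = int(ev.args.get("base", 0))
                st.rwx_size = int(ev.args.get("size", 0))
        elif ev.api == "WriteProcessMemory" and st.opened:
            st.wrote = True
        elif ev.api == "CreateRemoteThread" and st.opened and st.wrote:
            start = int(ev.args.get("start", 0))
            hit = st.in_rwx(start)              # thread starts inside the RWX region?
            findings.append({
                "pid": ev.pid,
                "target": ev.target,
                "severity": "high" if hit else "medium",
                "thread_start_in_rwx_alloc": hit,
                "se_debug_enabled": st.debug_priv,
            })
    return findings


# Constructed trace: pid 4321 performs the module's chain (thread start = allocation
# base + 8, mirroring SHELL_FUNCOFFSET); pid 900 only opens winlogon.exe for querying.
SAMPLE_TRACE = [
    ApiEvent(4321, "CreateToolhelp32Snapshot"),
    ApiEvent(4321, "AdjustTokenPrivileges", args={"privilege": "SeDebugPrivilege"}),
    ApiEvent(4321, "OpenProcess", "winlogon.exe", {"access": PROCESS_ALL_ACCESS}),
    ApiEvent(4321, "VirtualAllocEx", "winlogon.exe",
             {"base": 0x00A30000, "size": 317 * 4, "protect": PAGE_EXECUTE_READWRITE}),
    ApiEvent(4321, "WriteProcessMemory", "winlogon.exe", {"address": 0x00A30000}),
    ApiEvent(4321, "CreateRemoteThread", "winlogon.exe", {"start": 0x00A30000 + 8}),
    ApiEvent(900, "OpenProcess", "winlogon.exe", {"access": 0x0400}),  # PROCESS_QUERY_INFORMATION
]
```

Calling analyse(SAMPLE_TRACE) yields a single high-severity finding for pid 4321; a trace without the RWX VirtualAllocEx still reaches CreateRemoteThread and is reported at medium severity.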