进程防杀与屏蔽WIN 、alt+tab、ctrl+esc等键的方法

//DLL文件

//GHook.cpp

#define _WIN32_WINNT 0x0400
#include <windows.h>
#include "HookAPI.h"
#include <Tlhelp32.h>

typedef HANDLE (_stdcall *OPENPROCESS_PROC)(DWORD, BOOL, DWORD);

OPENPROCESS_PROC pOpenProcess = NULL;
HWND g_hWnd;
HHOOK g_hHook;
HINSTANCE g_hInst;
HHOOK g_hHook_Key;
_declspec(dllexport) LRESULT CALLBACK HookKeyDownProc(int nCode,WPARAM wParam,LPARAM lParam);
DWORD FindProcessId(const char* name);
_declspec(dllexport) LRESULT CALLBACK  HookFunction(int code, WPARAM wParam, LPARAM lParam);
HANDLE _stdcall OpenProcess_Handler(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
 HANDLE RetValue = NULL;
 DWORD ProcessId;

 ProcessId=FindProcessId("ProcessID.exe");  //ProcessID.exe为欲防杀的进程名
 if (dwProcessId != ProcessId)
 {    //此处代码，未严加推敲，但防止了任务管理器出错，原因待查。
  UnhookWindowsHookEx(g_hHook);
  RetValue = pOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
  g_hHook=SetWindowsHookEx(WH_SYSMSGFILTER,HookFunction,g_hInst,0);
 } 
 return RetValue;
}
//_declspec(dllexport) LRESULT CALLBACK  HookFunction(int code, WPARAM wParam, LPARAM lParam)
{
 if (pOpenProcess == NULL)
  pOpenProcess = (OPENPROCESS_PROC)HookAPIFunction(GetModuleHandle(NULL), "KERNEL32.DLL", "OpenProcess", (PROC)OpenProcess_Handler);
 return CallNextHookEx(g_hHook,code,wParam,lParam);
// return FALSE;
}

BOOL WINAPI DllMain(/*HANDLE*/HINSTANCE hInst, DWORD dwReason, LPVOID lpReserved)
{
/* switch (dwReason)
 {
 case DLL_PROCESS_ATTACH:
  DisableThreadLibraryCalls(hInst);
  break;
 }*/
 g_hInst=hInst;
 return true;
}
//砞竚秈祘ň炳筥
extern "C" _declspec(dllexport) void  _stdcall SetHook(HWND temphWnd)
{
 g_hWnd=temphWnd;
 g_hHook=SetWindowsHookEx(WH_SYSMSGFILTER,HookFunction,g_hInst,0);
}
//闽超秈祘ň炳筥
extern "C" _declspec(dllexport) void _stdcall  UnHook()
{
 UnhookWindowsHookEx(g_hHook);
}

//砞竚龄絃龄筥
extern "C" _declspec(dllexport) void _stdcall SetHook_Key()
{
 g_hHook_Key=SetWindowsHookEx(WH_KEYBOARD_LL,HookKeyDownProc,g_hInst,0);
}
//
extern "C" _declspec(dllexport) void _stdcall UnHook_Key()
{
 UnhookWindowsHookEx(g_hHook_Key);
}

//
_declspec(dllexport) LRESULT CALLBACK HookKeyDownProc(int nCode,WPARAM wParam,LPARAM lParam)
{
/* if(VK_F4==wParam && (1==(lParam>>29 & 1)))
  return 1;
 if(VK_TAB==wParam && (1==(lParam>>29 & 1)))
  return 1;
 if(VK_LWIN==wParam || VK_RWIN == wParam)
  return 1;
 if(VK_RETURN==wParam)
  return 1;
 return CallNextHookEx(g_hHook_Key,nCode,wParam,lParam);*/
 BOOL fEatKeystroke = FALSE;
    PKBDLLHOOKSTRUCT p = NULL; 
    if (nCode == HC_ACTION)
    {
        p = (PKBDLLHOOKSTRUCT) lParam;
        switch (wParam)
        {
  case WM_KEYDOWN:
   // Backdoor to user information
   if (p->vkCode == VK_F8)
   {
    ::MessageBox(NULL,"Apple Net Coffee Management System/n","Apple",MB_OK);
    break;
   }
  case WM_SYSKEYDOWN:
  case WM_KEYUP:   
  case WM_SYSKEYUP:
   fEatKeystroke =
    (p->vkCode == VK_LWIN) || (p->vkCode == VK_RWIN) ||  // 姜Win
    // 姜Alt+Tab
    ((p->vkCode == VK_TAB) && ((p->flags & LLKHF_ALTDOWN) != 0)) ||
    //ALT+f4
//    ((p->vkCode == VK_F4) && ((p->flags & LLKHF_ALTDOWN) != 0))||
    // 姜Alt+Esc
    ((p->vkCode == VK_ESCAPE) && ((p->flags & LLKHF_ALTDOWN) != 0)) ||
    // 姜Ctrl+Esc
    ((p->vkCode == VK_ESCAPE) && ((GetKeyState(VK_CONTROL) & 0x8000) != 0));
   break;
  default:
   break;
  }
    } 
 return (fEatKeystroke ? TRUE : CallNextHookEx(g_hHook_Key,nCode,wParam,lParam));
}

DWORD FindProcessId(const TCHAR *name) //琩т秈祘
{
 DWORD  dwID = 0; 
    HANDLE m_handle = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0); 
    PROCESSENTRY32* Info = new PROCESSENTRY32; 
    Info->dwSize = sizeof(PROCESSENTRY32); 
    BOOL bFind = Process32First(m_handle, Info); 
    while (bFind)
    {  
  if(stricmp(Info->szExeFile,name)==0)
  {  
   
            dwID = Info->th32ProcessID;   
            bFind = FALSE;   
            break;   
        }  
        bFind = Process32Next(m_handle, Info);  
    }  
    delete Info; 
    Info = NULL; 
    CloseHandle(m_handle); 
    return dwID;
} 

 

//Hookapi.cpp

// -----------------------------
//  HOOKAPI - Matt Pietrek 1995
// -----------------------------

#include <windows.h>
#include "HookAPI.h"

// Macro for adding pointers/DWORDs together without C arithmetic interfering

#define MakePtr(cast, ptr, addValue) (cast)((DWORD)(ptr)+(DWORD)(addValue))

PROC HookAPIFunction(HMODULE hFromModule,
                     PSTR pszFunctionModule,
                     PSTR pszFunctionName,
                     PROC pfnNewProc)
{
 PROC pfnOriginalProc;
 PIMAGE_DOS_HEADER pDosHeader;
 PIMAGE_NT_HEADERS pNTHeader;
 PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
 PIMAGE_THUNK_DATA pThunk;
 
 DWORD dwProtectionFlags;
 DWORD dwScratch;
 
 // Verify that a valid pfn was passed 
 if (IsBadCodePtr(pfnNewProc)) return 0;   
 // First, verify the the module and function names passed to use are valid 
 pfnOriginalProc = GetProcAddress(GetModuleHandle(pszFunctionModule), pszFunctionName); 
 if (!pfnOriginalProc) return 0; 
 pDosHeader = (PIMAGE_DOS_HEADER)hFromModule; 
 // Tests to make sure we're looking at a module image (the 'MZ' header) 
 if (IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER))) return 0; 
 if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) return 0; 
 // The MZ header has a pointer to the PE header 
 pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew); 
 // More tests to make sure we're looking at a "PE" image 
 if (IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS))) return 0; 
 if (pNTHeader->Signature != IMAGE_NT_SIGNATURE) return 0; 
 // We know have a valid pointer to the module's PE header.
 // Now go get a pointer to its imports section 
 pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, pDosHeader,
  pNTHeader->OptionalHeader.
  DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
  VirtualAddress); 
 // Bail out if the RVA of the imports section is 0 (it doesn't exist) 
 if (pImportDesc == (PIMAGE_IMPORT_DESCRIPTOR)pNTHeader) return 0; 
 // Iterate through the array of imported module descriptors, looking
 // for the module whose name matches the pszFunctionModule parameter 
 while (pImportDesc->Name)
 {
  PSTR pszModName = MakePtr(PSTR, pDosHeader, pImportDesc->Name);      
  if (stricmp(pszModName, pszFunctionModule) == 0) break;  
  // Advance to next imported module descriptor  
  pImportDesc++;
 } 
 // Bail out if we didn't find the import module descriptor for the
 // specified module.  pImportDesc->Name will be non-zero if we found it. 
 if (pImportDesc->Name == 0) return 0; 
 // Get a pointer to the found module's import address table (IAT) 
 pThunk = MakePtr(PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk); 
 // Blast through the table of import addresses, looking for the one
 // that matches the address we got back from GetProcAddress above. 
 while (pThunk->u1.Function)
 {
  if (pThunk->u1.Function == (PDWORD)pfnOriginalProc)
  {
   dwProtectionFlags = PAGE_READWRITE;   
   VirtualProtect(&pThunk->u1.Function, 4096, dwProtectionFlags, &dwScratch);   
   // We found it!  Overwrite the original address with the
   // address of the interception function.  Return the original
   // address to the caller so that they can chain on to it.   
   pThunk->u1.Function = (PDWORD)pfnNewProc;   
   return pfnOriginalProc;
  }       
  // Advance to next imported function address  
  pThunk++;
 }  
 // Function not found 
 return 0;
}

 

//Hookapi.h

#ifndef HOOKAPI_H
#define HOOKAPI_H

PROC HookAPIFunction(HMODULE hFromModule,
                     PSTR pszFunctionModule,
                     PSTR pszFunctionName,
                     PROC pfnNewProc);

#endif