通过跨进程写内存(修补 winlogon.exe 中的代码)的方式禁用 Windows 的 Ctrl+Alt+Del(安全注意序列,SAS)。两种方式都需要管理员权限并启用 SeDebugPrivilege。
- 方式一:挂起winlogon.exe进程
缺点:如果开机挂起过早,可能导致系统无法进入。关机的时候如果没有恢复winlogon.exe会导致系统无法关机(卡界面)。
- 方式二:修补 winlogon.exe 中的 rpcrt4!RpcServerTestCancel(用 WriteProcessMemory 直接覆写函数入口,并非加载 DLL 的“注入”)
目前仅对 64 位构建有效:写入的 3 字节补丁 `33 C0 C3`(`xor eax,eax; ret`)让函数立即返回 0,这只符合 x64 调用约定(返回值在 RAX,调用方清理栈);32 位 stdcall 下 RpcServerTestCancel 需要 `ret 4` 弹出参数,而且 32 位进程里 GetProcAddress 得到的 rpcrt4.dll 地址也不对应 64 位 winlogon.exe 中的模块。该方法还依赖 rpcrt4.dll 在本进程与 winlogon.exe 中映射到同一基址(系统 DLL 的 ASLR 基址在同一次启动内各进程一致)。注意:对 winlogon.exe 做 VirtualProtectEx/WriteProcessMemory 是典型的进程注入行为特征,会被 EDR/Sysmon 之类的 ProcessAccess 监控记录。
#include <windows.h>
#include <TlHelp32.h>
#include <winnt.h>
#include <cstdio>
#include <cwchar>
#include <iostream>
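// Enables SeDebugPrivilege in this process's token so that OpenProcess() can
// obtain PROCESS_ALL_ACCESS on winlogon.exe (a SYSTEM process). The privilege
// must already be present in the token — i.e. the process must run elevated
// — because AdjustTokenPrivileges only enables a privilege, it never grants one.
//
// Returns true when the privilege is enabled afterwards, false otherwise.
// AdjustTokenPrivileges returns TRUE even when it enabled nothing and only
// reports that via GetLastError() == ERROR_NOT_ALL_ASSIGNED; the original
// ignored that (and the LookupPrivilegeValue result), so an unelevated run
// silently continued to a failing OpenProcess.
bool RaiseToDebug() {
    HANDLE token = nullptr;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token)) {
        return false;
    }

    bool enabled = false;
    TOKEN_PRIVILEGES privileges{};
    if (LookupPrivilegeValue(nullptr, SE_DEBUG_NAME, &privileges.Privileges[0].Luid)) {
        privileges.PrivilegeCount = 1;
        privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (AdjustTokenPrivileges(token, FALSE, &privileges, sizeof(privileges), nullptr, nullptr)) {
            // TRUE + ERROR_NOT_ALL_ASSIGNED means the token simply does not
            // hold SeDebugPrivilege (not running as administrator).
            enabled = GetLastError() != ERROR_NOT_ALL_ASSIGNED;
        }
    }
    CloseHandle(token);
    return enabled;
}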
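// Number of bytes Start() overwrites at the start of RpcServerTestCancel and
// Stop() restores. Shared by both so they can never get out of step.
static const SIZE_T kPatchLength = 3;

// Worker shared by Start()/Stop(): writes `len` bytes from `src` over the entry
// of rpcrt4!RpcServerTestCancel in every winlogon.exe process (one per
// interactive session).
//
// The address is resolved in *this* process and reused inside winlogon.exe, so
// this depends on rpcrt4.dll being mapped at the same base in both (system
// DLLs get one ASLR base per boot that all processes share — confirm on the
// target OS build). That is also why a 32-bit build cannot patch a 64-bit
// winlogon.exe: its local rpcrt4.dll address means nothing to the 64-bit module.
//
// Needs SeDebugPrivilege (RaiseToDebug()) for PROCESS_ALL_ACCESS on a SYSTEM
// process; the open will also fail if winlogon.exe runs as a protected process
// on the target OS — verify there. Cross-process VirtualProtectEx +
// WriteProcessMemory into winlogon.exe is textbook injection telemetry and is
// reported by EDR / Sysmon ProcessAccess-style sensors.
//
// Returns true only if at least one winlogon.exe was written and no step failed
// for any of them; false if rpcrt4.dll is not loaded, the export is missing, the
// snapshot fails, no winlogon.exe exists, or an open/protect/write failed.
static bool WriteWinlogonRpcStub(const void* src, SIZE_T len) {
    const HMODULE rpcrt4 = GetModuleHandleA("rpcrt4.dll");
    if (rpcrt4 == nullptr) {
        return false;
    }
    void* const target = reinterpret_cast<void*>(GetProcAddress(rpcrt4, "RpcServerTestCancel"));
    if (target == nullptr) {
        return false;
    }

    const HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {  // the original never checked this
        return false;
    }

    bool patched_any = false;
    bool all_ok = true;
    // Explicit W variants: the original used the TCHAR form with strcmp(),
    // which only compiles in an ANSI build.
    PROCESSENTRY32W entry{};
    entry.dwSize = sizeof(entry);
    if (Process32FirstW(snapshot, &entry)) {
        do {
            if (wcscmp(entry.szExeFile, L"winlogon.exe") != 0) {
                continue;  // jumps to the Process32NextW() condition
            }
            const HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID);
            if (process == nullptr) {
                all_ok = false;
                continue;
            }

            DWORD old_protect = 0;
            bool ok = VirtualProtectEx(process, target, len, PAGE_EXECUTE_READWRITE, &old_protect) != FALSE;
            if (ok) {
                SIZE_T written = 0;
                ok = WriteProcessMemory(process, target, src, len, &written) != FALSE && written == len;
                // Restore the original (normally RX) protection instead of
                // leaving winlogon.exe with a writable+executable code page,
                // and make sure the patched bytes are what gets executed.
                DWORD ignored = 0;
                VirtualProtectEx(process, target, len, old_protect, &ignored);
                FlushInstructionCache(process, target, len);
            }
            CloseHandle(process);

            if (ok) {
                patched_any = true;
            } else {
                all_ok = false;
            }
        } while (Process32NextW(snapshot, &entry));
    }
    CloseHandle(snapshot);  // the original leaked the snapshot handle
    return patched_any && all_ok;
}

// Disables Ctrl+Alt+Del by overwriting the first three bytes of
// rpcrt4!RpcServerTestCancel inside winlogon.exe with
//   33 C0   xor eax, eax
//   C3      ret
// so the call returns 0 immediately. This only fits the x64 calling convention
// (result in RAX, caller cleans the stack); a 32-bit stdcall build would need
// `ret 4` to pop the argument, which is why the technique is 64-bit only.
//
// Returns true if at least one winlogon.exe was patched (see the worker above
// for the failure cases). The original returned true unconditionally.
bool Start() {
    static const unsigned char kReturnZeroStub[kPatchLength] = {0x33, 0xC0, 0xC3};
    return WriteWinlogonRpcStub(kReturnZeroStub, kPatchLength);
}

// Re-enables Ctrl+Alt+Del by copying the first three bytes of this process's
// own rpcrt4!RpcServerTestCancel back over the stub Start() wrote. This is the
// correct restore source only because the local rpcrt4.dll is never patched
// and shares its module base with winlogon.exe (see the worker above).
//
// Returns true if the bytes were written to at least one winlogon.exe and no
// step failed. The original returned true unconditionally.
bool Stop() {
    const HMODULE rpcrt4 = GetModuleHandleA("rpcrt4.dll");
    if (rpcrt4 == nullptr) {
        return false;
    }
    const void* const pristine = reinterpret_cast<const void*>(GetProcAddress(rpcrt4, "RpcServerTestCancel"));
    if (pristine == nullptr) {
        return false;
    }
    return WriteWinlogonRpcStub(pristine, kPatchLength);
}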
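// Entry point: loads rpcrt4.dll into this process (so GetProcAddress() in
// Start()/Stop() can resolve RpcServerTestCancel), enables SeDebugPrivilege,
// disables Ctrl+Alt+Del until Enter is pressed, then restores it.
//
// Exit code: 0 on success, 1 if rpcrt4.dll could not be loaded or the patch
// could not be applied/restored. The original returned 1 unconditionally,
// which any script checking the exit status reads as failure.
int main() {
    if (LoadLibraryA("rpcrt4.dll") == nullptr) {
        std::cerr << "LoadLibrary(rpcrt4.dll) failed, error " << GetLastError() << '\n';
        return 1;
    }
    // Needs an elevated token; if it is not, Start() fails at OpenProcess below.
    RaiseToDebug();

    // Disable Ctrl+Alt+Del.
    if (!Start()) {
        std::cerr << "patching winlogon.exe failed (is the process elevated and 64-bit?)\n";
        Stop();  // undo any partial patch before bailing out
        return 1;
    }
    std::cout << "Ctrl+Alt+Del disabled; press Enter to restore it.\n";
    getchar();

    // Re-enable Ctrl+Alt+Del.
    if (!Stop()) {
        std::cerr << "restoring winlogon.exe failed; Ctrl+Alt+Del may still be disabled\n";
        return 1;
    }
    return 0;
}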