利用低级键盘钩子,和子类化SAS窗口屏蔽所有热键!
将 DLL 注入 Winlogon 进程，接管 SAS 窗口的按键消息，可以完美屏蔽包括 CTRL+ALT+DEL 在内的所有热键。老帖子了，写成汇编版本的，大家看下吧！~
ASMIDE:MASMPlus
EXE:
程序代码:
;-----------------------------------------------------------------------
; Injector EXE (Win32 x86, MASM, stdcall).
; Flow (Start): enable SeDebugPrivilege on our own token -> find the PID
; of "winlogon.exe" via a Toolhelp snapshot -> load "<cwd>\APIHook.DLL"
; into that process with VirtualAllocEx / WriteProcessMemory /
; CreateRemoteThread(LoadLibraryA).
; Defender's note: every step below is visible to process/thread
; telemetry — a privilege adjustment on the injector's token, a process
; handle to winlogon.exe with CREATE_THREAD|VM_OPERATION|VM_WRITE, an
; executable (RWX) allocation in winlogon, a cross-process write, and a
; remote thread whose start address is kernel32!LoadLibraryA.
;-----------------------------------------------------------------------
.386
.Model Flat, StdCall
Option Casemap :None
Include Windows.Inc
Include User32.Inc
Include Kernel32.Inc
Include Advapi32.inc
IncludeLib User32.Lib
IncludeLib Kernel32.Lib
IncludeLib Advapi32.lib

.Data?
dwProcessID dd ?                        ; PID of winlogon.exe, filled by EnumProcess
szMyDllFull db MAX_PATH dup(?)          ; full DLL path = current dir + szMyDll

.Const
szDllKernel db 'Kernel32.dll',0
szLoadLibrary db 'LoadLibraryA',0
szMyDll db '\APIHook.DLL',0             ; DLL is expected next to the current directory

.Code
;-----------------------------------------------------------------------
; BOOL EnumProcess(LPCSTR lpProcName, DWORD *pdwPID)
; Walks a TH32CS_SNAPPROCESS snapshot and compares each szExeFile with
; lpProcName using lstrcmp (case-sensitive). On the first match stores
; th32ProcessID in *pdwPID and returns TRUE; if nothing matches, closes
; the snapshot and returns FALSE.
; Note: the snapshot handle is not closed on the TRUE path, and the
; CreateToolhelp32Snapshot result is not checked for failure.
;-----------------------------------------------------------------------
EnumProcess Proc Uses esi edi ebx _lpProcName:DWORD,_dwPID:DWORD
    Local @stProcess:PROCESSENTRY32
    Local @hSnapshot

    invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
    mov @hSnapshot,eax
    mov @stProcess.dwSize,sizeof @stProcess     ; required before Process32First
    invoke Process32First,@hSnapshot,addr @stProcess
    .While eax                                  ; eax = result of Process32First / Process32Next
        invoke lstrcmp,addr @stProcess.szExeFile,_lpProcName
        .if eax == 0                            ; exact (case-sensitive) name match
            mov esi,_dwPID                      ; esi = output pointer
            push @stProcess.th32ProcessID
            pop DWORD ptr [esi]                 ; *pdwPID = th32ProcessID
            mov eax,TRUE
            ret
        .endif
        invoke Process32Next,@hSnapshot,addr @stProcess
    .EndW
    invoke CloseHandle,@hSnapshot
    xor eax,eax                                 ; FALSE: process not found
    ret
EnumProcess EndP

;-----------------------------------------------------------------------
; void EnableDebugPriv(void)
; Enables SeDebugPrivilege on the current process token (needed later
; for OpenProcess on a system process). No return value; the results of
; OpenProcessToken, LookupPrivilegeValue and AdjustTokenPrivileges are
; not checked, so a failure here is only noticed when OpenProcess fails.
; Clobbers: eax, ecx, flags.
;-----------------------------------------------------------------------
EnableDebugPriv Proc
    Local @tkp:TOKEN_PRIVILEGES
    Local @sdnv:LUID
    Local @hToken

    invoke RtlZeroMemory,addr @tkp,sizeof TOKEN_PRIVILEGES
    invoke RtlZeroMemory,addr @sdnv,sizeof LUID
    invoke GetCurrentProcess
    mov ecx,eax                                 ; ecx = pseudo-handle of this process
    invoke OpenProcessToken,ecx,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr @hToken
    invoke LookupPrivilegeValue,0,CTEXT("SeDebugPrivilege"),addr @sdnv
    mov @tkp.PrivilegeCount,1
    m2m @tkp.Privileges.Luid.LowPart,@sdnv.LowPart      ; m2m: memory-to-memory copy macro (push/pop)
    m2m @tkp.Privileges.Luid.HighPart,@sdnv.HighPart
    mov @tkp.Privileges.Attributes,SE_PRIVILEGE_ENABLED
    invoke AdjustTokenPrivileges,@hToken,FALSE,addr @tkp,sizeof @tkp,0,0
    invoke CloseHandle,@hToken
    ret
EnableDebugPriv EndP

;-----------------------------------------------------------------------
; void RemoteInject(DWORD dwPID)
; Builds the DLL path (GetCurrentDirectory + szMyDll) into szMyDllFull,
; resolves kernel32!LoadLibraryA, opens the target process, allocates
; MAX_PATH bytes of PAGE_EXECUTE_READWRITE memory there, copies the path
; in, and starts a remote thread at LoadLibraryA with the path as its
; argument. Shows a message box if OpenProcess fails.
; Note: the _dwPID parameter is not used — OpenProcess reads the global
; dwProcessID (Start passes the same value, so behavior is unchanged).
; The remote thread handle is closed immediately; its result is not
; awaited, and the VirtualAllocEx/WriteProcessMemory/CreateRemoteThread
; results other than the allocation are unchecked.
;-----------------------------------------------------------------------
RemoteInject Proc _dwPID:DWORD
    Local @dwProcessID                          ; unused
    Local @hProcess
    Local @lpLoadLibrary
    Local @lpDllName

    invoke GetCurrentDirectory,MAX_PATH,addr szMyDllFull
    invoke lstrcat,addr szMyDllFull,addr szMyDll        ; szMyDllFull = "<cwd>\APIHook.DLL"
    invoke GetModuleHandle,addr szDllKernel
    invoke GetProcAddress,eax,offset szLoadLibrary       ; eax = HMODULE of kernel32
    mov @lpLoadLibrary,eax                      ; same address in the target (shared kernel32 base)
    invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE,FALSE,dwProcessID
    .if eax
        mov @hProcess,eax
        ; Executable memory is requested although the region only holds the path string.
        invoke VirtualAllocEx,@hProcess,NULL,MAX_PATH,MEM_COMMIT,PAGE_EXECUTE_READWRITE
        .if eax
            mov @lpDllName,eax                  ; eax = remote address of the path buffer
            invoke WriteProcessMemory,@hProcess,eax,offset szMyDllFull,MAX_PATH,NULL
            invoke CreateRemoteThread,@hProcess,NULL,0,@lpLoadLibrary,@lpDllName,0,NULL
            invoke CloseHandle,eax              ; eax = remote thread handle (may be NULL)
        .endif
        invoke CloseHandle,@hProcess
    .else
        invoke MessageBox,NULL,CTEXT("无法打开进程"),NULL,MB_OK or MB_ICONWARNING
    .endif
    ret
RemoteInject EndP

;-----------------------------------------------------------------------
; Start: program entry point. EnumProcess's FALSE result is ignored, so
; RemoteInject runs with whatever dwProcessID holds (0 if not found).
;-----------------------------------------------------------------------
Start Proc
    invoke EnableDebugPriv
    invoke EnumProcess,CTEXT("winlogon.exe"),offset dwProcessID
    invoke RemoteInject,dwProcessID
    ret
Start EndP
End Start
Dll:
程序代码:
;-----------------------------------------------------------------------
; APIHook.DLL (Win32 x86, MASM, stdcall) — runs inside the host process
; it is loaded into (winlogon.exe, per the injector).
; On DLL_PROCESS_ATTACH it starts ThreadProc, which
;   1. opens the "Winlogon" desktop, finds the window whose title contains
;      "SAS window" and subclasses it so WM_HOTKEY is swallowed, and
;   2. switches to the "Default" desktop and installs a WH_KEYBOARD_LL
;      hook that swallows left/right Win key-down events.
; Defender's note: the observable artifacts are a non-Microsoft module in
; winlogon.exe, a thread in winlogon opening desktop objects by name, a
; changed GWL_WNDPROC on the SAS window, and a low-level keyboard hook
; owned by winlogon. The debug string "Set Hook Success!" is emitted on
; successful hook installation.
;-----------------------------------------------------------------------
.386
.Model Flat,StdCall
Option CaseMap :None
Include Windows.inc
Include User32.inc
Include Kernel32.inc
Include Shlwapi.inc
IncludeLib User32.lib
IncludeLib Kernel32.lib
IncludeLib Shlwapi.lib

; Low-level keyboard hook record passed in lParam of a WH_KEYBOARD_LL
; callback (layout matches the SDK's KBDLLHOOKSTRUCT); declared here
; presumably because the included headers do not define it.
KBDLLHOOKSTRUCT STRUCT
    vKcode DWORD ?                      ; virtual-key code
    scanCode DWORD ?
    flags DWORD ?
    time DWORD ?
    dwExtraInfo DWORD ?
KBDLLHOOKSTRUCT ENDS

.Data?
hHook dd ?                              ; WH_KEYBOARD_LL hook handle
dwThread dd ?                           ; id of the worker thread
hThread dd ?                            ; handle of the worker thread
hDesktop dd ?                           ; last desktop handle opened by ThreadProc
hInstDll dd ?                           ; this module's HINSTANCE (stored in DLLEntry)
hSasWnd dd ?                            ; SAS window found by EnumWindowsProc, else 0
lpOldProc dd ?                          ; original SAS window procedure

.Code
;-----------------------------------------------------------------------
; LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
; WH_KEYBOARD_LL callback. For HC_ACTION + WM_KEYDOWN with vkCode equal
; to VK_LWIN or VK_RWIN it returns TRUE (nonzero) so the event is not
; passed on; everything else goes to CallNextHookEx.
; Note: only WM_KEYDOWN is examined (not WM_SYSKEYDOWN), and the
; `assume edx:PTR KBDLLHOOKSTRUCT` is never reset with `assume edx:nothing`.
;-----------------------------------------------------------------------
KeyboardProc Proc _dwCode:DWORD,_wParam:DWORD,_lParam:DWORD
    .if _dwCode==HC_ACTION
        .if (_wParam == WM_KEYDOWN)
            mov edx,_lParam                     ; edx -> KBDLLHOOKSTRUCT
            assume edx:PTR KBDLLHOOKSTRUCT
            .if ([edx].vKcode == VK_LWIN) || ([edx].vKcode==VK_RWIN) ; swallow left/right Win key
                mov eax,TRUE
                ret
            .endif
        .endif
    .endif
    invoke CallNextHookEx,hHook,_dwCode,_wParam,_lParam
    ret
KeyboardProc EndP

;-----------------------------------------------------------------------
; BOOL CALLBACK EnumWindowsProc(HWND hWnd, LPARAM lParam)
; EnumDesktopWindows callback: reads the window title into a 128-byte
; local buffer and looks for the substring "SAS window" (StrStr,
; case-sensitive). On a hit stores hWnd in hSasWnd and returns FALSE to
; stop enumeration; otherwise returns TRUE to continue.
;-----------------------------------------------------------------------
EnumWindowsProc Proc _hWnd:DWORD,_lParam:DWORD
    Local @szBuff[128]:BYTE

    invoke GetWindowText,_hWnd,addr @szBuff,sizeof @szBuff
    invoke StrStr,addr @szBuff,CTEXT("SAS window")
    .if eax                                     ; eax = pointer to match, or NULL
        push _hWnd
        pop hSasWnd                             ; hSasWnd = hWnd
        mov eax,FALSE                           ; stop enumerating
        ret
    .endif
    mov eax,TRUE                                ; keep enumerating
    ret
EnumWindowsProc EndP

;-----------------------------------------------------------------------
; LRESULT CALLBACK SASWindowProc(HWND, UINT uMsg, WPARAM, LPARAM)
; Subclass procedure installed on the SAS window. WM_HOTKEY is answered
; with TRUE and never reaches the original procedure; all other messages
; are forwarded through CallWindowProc(lpOldProc, ...).
;-----------------------------------------------------------------------
SASWindowProc Proc _hWnd:DWORD,_uMsg:DWORD,_wParam:DWORD,_lParam:DWORD
    .if _uMsg == WM_HOTKEY                      ; swallow every hotkey sent to the SAS window
        mov eax,TRUE
        ret
    .endif
    invoke CallWindowProc,lpOldProc,_hWnd,_uMsg,_wParam,_lParam
    ret
SASWindowProc EndP

;-----------------------------------------------------------------------
; DWORD WINAPI ThreadProc(LPVOID lParam)
; Worker thread started from DLLEntry. Sequence:
;   - OpenDesktop("Winlogon") and enumerate its windows to find hSasWnd;
;     if found, replace its window procedure with SASWindowProc and keep
;     the old one in lpOldProc.
;   - OpenDesktop("Default"), SetThreadDesktop to it, then close the handle
;     (NOTE(review): closed with CloseHandle rather than CloseDesktop).
;   - SetWindowsHookEx(WH_KEYBOARD_LL, KeyboardProc, hInstDll, 0); on
;     success store hHook and emit "Set Hook Success!".
;   - Run a GetMessage loop (a low-level hook needs a message pump on the
;     installing thread). The loop ends only when GetMessage returns 0.
; Note: there is no explicit `ret` before EndP — NOTE(review): confirm
; what the assembler emits at EndP for this procedure.
; Results of OpenDesktop, EnumDesktopWindows and SetThreadDesktop are not
; checked.
;-----------------------------------------------------------------------
ThreadProc Proc lParam:DWORD
    Local uMsg:MSG

    invoke OpenDesktop,CTEXT("Winlogon"),0,FALSE,MAXIMUM_ALLOWED
    mov hDesktop,eax
    invoke EnumDesktopWindows,hDesktop,offset EnumWindowsProc,NULL
    .if hSasWnd                                 ; SAS window located
        invoke SetWindowLong,hSasWnd,GWL_WNDPROC,offset SASWindowProc
        mov lpOldProc,eax                       ; eax = previous window procedure
    .endif
    invoke OpenDesktop,CTEXT("Default"),0,FALSE,MAXIMUM_ALLOWED
    mov hDesktop,eax
    invoke SetThreadDesktop,hDesktop            ; hook below is installed on the Default desktop
    invoke CloseHandle,hDesktop
    invoke SetWindowsHookEx,WH_KEYBOARD_LL,offset KeyboardProc,hInstDll,NULL
    .if eax
        mov hHook,eax
        invoke OutputDebugString,CTEXT("Set Hook Success!")
    .endif
    .While TRUE
        invoke GetMessage,addr uMsg,0,0,0
        .Break .if !eax                         ; only a 0 return (WM_QUIT) leaves the loop
        invoke TranslateMessage,addr uMsg
        invoke DispatchMessage,addr uMsg
    .EndW
ThreadProc EndP

;-----------------------------------------------------------------------
; BOOL WINAPI DLLEntry(HINSTANCE hInstance, DWORD dwReason, LPVOID)
; DLL entry point.
;   DLL_PROCESS_ATTACH: start ThreadProc (thread id -> dwThread, handle -> hThread).
;   DLL_PROCESS_DETACH: restore the SAS window procedure, remove the
;     keyboard hook, TerminateThread(hThread, 1) and close the handle.
; hInstDll is assigned from hInstance for every reason code, after the
; attach branch has already started the thread. Always returns TRUE.
;-----------------------------------------------------------------------
DLLEntry Proc uses ebx esi _hInstance:DWORD,_dwReason:DWORD,_dwReserved:DWORD
    .if _dwReason == DLL_PROCESS_ATTACH
        invoke CreateThread,NULL,0,offset ThreadProc,NULL,0,offset dwThread
        mov hThread,eax
    .elseif _dwReason == DLL_PROCESS_DETACH
        invoke SetWindowLong,hSasWnd,GWL_WNDPROC,lpOldProc   ; un-subclass the SAS window
        invoke UnhookWindowsHookEx,hHook
        invoke TerminateThread,hThread,1        ; the worker never exits its message loop on its own
        invoke CloseHandle,hThread
    .endif
    push _hInstance
    pop hInstDll                                ; hInstDll = hInstance
    mov eax,TRUE
    ret
DLLEntry EndP
End DLLEntry
DEF:
EXPORTS