
How to dynamically disable/enable Ctrl-Alt-Delete in Windows 2000

Views: 187 Date: 2023-08-27 18:27:41

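In Windows 2000, the Ctrl-Alt-Delete key combination is handled as follows:

When Winlogon initializes, it registers the CTRL+ALT+DEL Secure Attention Sequence (SAS) hot key with the system and creates three desktops in the WinSta0 window station.

Registering the SAS hot key makes Winlogon the first process to handle CTRL+ALT+DEL, which guarantees that no other application can handle this hot key.

In Windows NT/Windows 2000/Windows XP, WinSta0 is the name of the window station object that represents the physical screen, mouse, and keyboard. Winlogon creates the SAS window (window title 'SAS Window') and the following three desktops in the WinSta0 window station:

- Winlogon desktop
- Application desktop
- Screen saver desktop

When the user presses Ctrl-Alt-Delete, the SAS window on the Winlogon desktop receives the system hot key message it registered for (WM_HOTKEY). The SAS window handles this message by calling the relevant functions in the Graphical Identification and Authentication (GINA) dynamic-link library.

The handling of the Ctrl-Alt-Delete key combination can be interrupted in the following ways:

- Capture Ctrl-Alt-Delete at the keyboard driver layer
- Replace Winlogon
- Replace GINA
- Hook the window procedure of the SAS window on Winlogon (requires the currently logged-on user to have the debug privilege)
- Hook the WlxLoggedOnSAS function in GINA and return WLX_SAS_ACTION_NONE (not investigated)

More information

Because a system update may leave the system files we replaced incompatible with other system files (the notorious DLL hell), replacing Winlogon.exe or GINA is not recommended. Here we discuss hooking the window procedure of the SAS window on Winlogon.

Because the SAS window lives in a different memory address space from our program, we have to write a dynamic-link library and load it into the address space of the SAS window. The source code of the DLL follows.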

```cpp
//---------------------------------------------------------------------------
// Author     : 韋覃武
// Nickname   : BCB_FANS(四大名捕之追殺令) (account name on CSDN and www.driverdevelop.com)
// E-Mail     : slwqw@163.com
// Date       : 2002-10-20
//
// Function   : Block the Ctrl + Alt + Del key combination on Windows 2000.
//              (Tested on Windows 2000 Professional SP3, Chinese edition.)
// Principle  : Use remote thread injection to load a DLL into the Winlogon
//              process, then intercept the window procedure of the SAS window
//              and take over WM_HOTKEY in order to block Ctrl + Alt + Del.
// Language   : Borland C++Builder 5.0 Patch2
// Comparison : A frequently mentioned way to block Ctrl + Alt + Del on 2000 is
//              to replace MSGINA.DLL with a GINA of your own and return
//              WLX_SAS_ACTION_NONE directly from WlxLoggedOnSAS. Heh, in the end
//              that does not really block the key combination: when
//              WLX_SAS_ACTION_NONE is returned directly, the Winlogon process
//              simply switches from the 'Winlogon' desktop back to the original
//              'Default' desktop instead of showing the security dialog, so it
//              only looks blocked :). With that method you can clearly see the
//              desktop flicker! With the method in this article you will not
//              see any flicker!
// Thanks     : icube and lu0 on www.driverdevelop.com.
// Copyright  : Please credit the original author when reposting :)
//---------------------------------------------------------------------------
#include "stdafx.h"
#include <string>
using namespace std;
//---------------------------------------------------------------------------
HWND hSASWnd;
FARPROC FOldProc;
LRESULT CALLBACK SASWindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam);
BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam);
//---------------------------------------------------------------------------
HANDLE hThread = NULL;
DWORD dwThreadId;
DWORD WINAPI ThreadFunc(LPVOID lpParameter);
//---------------------------------------------------------------------------
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Do the real work on a separate thread, not inside DllMain.
        hThread = CreateThread(NULL, 0, ThreadFunc, NULL, 0, &dwThreadId);
        break;
    case DLL_PROCESS_DETACH:
        // Restore the original window procedure before the DLL goes away.
        if (FOldProc != NULL)
        {
            SetWindowLong(hSASWnd, GWL_WNDPROC, long(FOldProc));
        }
        if (hThread != NULL)
        {
            CloseHandle(hThread);
        }
        break;
    }
    return TRUE;
}
//---------------------------------------------------------------------------
DWORD WINAPI ThreadFunc(LPVOID /*lpParameter*/)
{
    HDESK hDesk;
    hDesk = OpenDesktop("Winlogon", 0, false, MAXIMUM_ALLOWED);
    FOldProc = NULL;
    hSASWnd = NULL;
    EnumDesktopWindows(hDesk, (WNDENUMPROC)EnumWindowsProc, 0);
    if (hSASWnd != NULL)
    {
        FOldProc = (FARPROC)SetWindowLong(hSASWnd, GWL_WNDPROC, long(SASWindowProc));
    }
    // Desktop handles are closed with CloseDesktop, not CloseHandle.
    if (hDesk != NULL)
    {
        CloseDesktop(hDesk);
    }
    return 1;
}
//---------------------------------------------------------------------------
// Find the SAS window on the 'Winlogon' desktop
BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
    char ClassBuf[128];
    GetWindowText(hwnd, ClassBuf, sizeof(ClassBuf));
    // I wrote a system service of my own, queried the windows on the 'Winlogon'
    // desktop from inside it, and found that a window named 'SAS window'
    // exists on that desktop.
    string ClassName(ClassBuf);
    if (ClassName.find("SAS window") != string::npos)
    {
        hSASWnd = hwnd;
        return false;
    }
    return true;
}
//---------------------------------------------------------------------------
// Window procedure for the SAS window
LRESULT CALLBACK SASWindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    // Block Ctrl + Alt + Del
    if (uMsg == WM_HOTKEY)
    {
        WORD wKey = HIWORD(lParam);
        WORD wModifier = LOWORD(lParam);
        // The low word of lParam carries MOD_* flags, not VK_* key codes.
        bool IsCtrlDown = ((wModifier & MOD_CONTROL) != 0);
        bool IsAltDown = ((wModifier & MOD_ALT) != 0);
        bool IsShiftDown = ((wModifier & MOD_SHIFT) != 0);
        // Ctrl + Alt + Del pressed
        if (IsCtrlDown && IsAltDown && wKey == VK_DELETE)
        {
            return 1;
        }
        // Ctrl + Shift + Esc pressed. This combination shows Task Manager;
        // block it or not as required.
        else if (IsCtrlDown && IsShiftDown && wKey == VK_ESCAPE)
        {
            // Do nothing
        }
    }
    return CallWindowProc((WNDPROC)FOldProc, hwnd, uMsg, wParam, lParam);
}
//---------------------------------------------------------------------------
```

This way, when Winlogon loads this DLL, the window procedure of the SAS window is replaced; when Winlogon unloads the DLL, the original window procedure of the SAS window is restored.

To make Winlogon load our DLL, we first have to find the Winlogon process, then allocate space in that process to hold our code, and finally run that code by creating a remote thread. The code for the hook part follows.

```cpp
//---------------------------------------------------------------------------
// Author     : 韋覃武, jiangsheng
// Nickname   : BCB_FANS(四大名捕之追殺令) (account name on CSDN and www.driverdevelop.com)
//              jiangsheng (account name on CSDN)
// E-Mail     : slwqw@163.com
// Date       : 2002-10-20
//              2002-11-5 modified by jiangsheng
// Function   : Block the Ctrl + Alt + Del key combination on Windows 2000.
//              (Tested on Windows 2000 Professional SP3, Chinese edition.)
// Principle  : Use remote thread injection to load a DLL into the Winlogon
//              process, then intercept the window procedure of the SAS window
//              and take over WM_HOTKEY in order to block Ctrl + Alt + Del.
// Language   : Borland C++Builder 5.0 Patch2, Visual C++ 6.0 SP5
// Comparison : A frequently mentioned way to block Ctrl + Alt + Del on 2000 is
//              to replace MSGINA.DLL with a GINA of your own and return
//              WLX_SAS_ACTION_NONE directly from WlxLoggedOnSAS. Heh, in the end
//              that does not really block the key combination: when
//              WLX_SAS_ACTION_NONE is returned directly, the Winlogon process
//              simply switches from the 'Winlogon' desktop back to the original
//              'Default' desktop instead of showing the security dialog, so it
//              only looks blocked :). With that method you can clearly see the
//              desktop flicker! With the method in this article you will not
//              see any flicker!
// Thanks     : icube and lu0 on www.driverdevelop.com.
// Copyright  : Please credit the original author when reposting :)
//---------------------------------------------------------------------------
#include "stdafx.h"
#include <tlhelp32.h>
#include <lmerr.h>
#include "Hook.h"
//add by jiangsheng 2002-11-5
#include "TaskKeyMgr.h"
// Code copied from the MSDN Magazine article "Windows XP: Escape from DLL Hell
// with Custom Debugging and Instrumentation Tools and Utilities"
#include "Wrappers.h"
// Copied from the Platform SDK documentation:
// Windows System Information / Verifying the System Version
extern BOOL Is_Terminal_Services();
//end add by jiangsheng 2002-11-5
//---------------------------------------------------------------------------
// Error code formatting function
//replaced by jiangsheng 2002-11-5
//from Q149409 HOWTO: Get Message Text from Networking Error Codes
CString __fastcall SysErrorMessage(DWORD dwLastError)
{
    CString strRet(_T("Unknown error"));
    HMODULE hModule = NULL; // default to system source
    LPSTR MessageBuffer;
    DWORD dwBufferLength;
    DWORD dwFormatFlags = FORMAT_MESSAGE_ALLOCATE_BUFFER |
                          FORMAT_MESSAGE_IGNORE_INSERTS |
                          FORMAT_MESSAGE_FROM_SYSTEM;
    //
    // If dwLastError is in the network range,
    // load the message source.
    //
    if (dwLastError >= NERR_BASE && dwLastError <= MAX_NERR)
    {
        hModule = LoadLibraryEx(TEXT("netmsg.dll"), NULL, LOAD_LIBRARY_AS_DATAFILE);
        if (hModule != NULL)
            dwFormatFlags |= FORMAT_MESSAGE_FROM_HMODULE;
    }
    //
    // Call FormatMessage() to allow for message
    // text to be acquired from the system
    // or from the supplied module handle.
    //
    if (dwBufferLength = FormatMessageA(
            dwFormatFlags,
            hModule, // module to get message from (NULL == system)
            dwLastError,
            MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // default language
            (LPSTR)&MessageBuffer,
            0,
            NULL))
    {
        //
        // Copy the message text into the return value.
        //
        strRet = CString(MessageBuffer, dwBufferLength);
        //
        // Free the buffer allocated by the system.
        //
        LocalFree(MessageBuffer);
    }
    //
    // If we loaded a message source, unload it.
    //
    if (hModule != NULL)
        FreeLibrary(hModule);
    return strRet;
}
//end replaced by jiangsheng 2002-11-5
//---------------------------------------------------------------------------
#ifdef UNICODE
LPCSTR LoadLibraryFuncStr = "LoadLibraryW";
LPCSTR GetModuleHandleFuncStr = "GetModuleHandleW";
#else
LPCSTR LoadLibraryFuncStr = "LoadLibraryA";
LPCSTR GetModuleHandleFuncStr = "GetModuleHandleA";
#endif
LPCSTR FreeLibraryFuncStr = "FreeLibrary";
LPCSTR GetProcAddressFuncStr = "GetProcAddress";
LPCSTR GetLastErrorFuncStr = "GetLastError";
//---------------------------------------------------------------------------
//removed by jiangsheng 2002-11-5
//const char* const RemoteDllName = "RemoteDll.Dll";
//end removed by jiangsheng 2002-11-5
LPCTSTR szRemoteProcessName = "Winlogon.exe";
typedef HINSTANCE (WINAPI *PLOADLIBRARY)(LPCTSTR);
typedef BOOL (WINAPI *PFREELIBRARY)(HINSTANCE);
typedef HMODULE (WINAPI *PGETMODULEHANDLE)(LPCTSTR);
typedef PVOID (WINAPI *PGETPROCADDRESS)(HINSTANCE, LPCSTR);
typedef DWORD (WINAPI *PGETLASTERROR)(VOID);
BOOL __fastcall EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable);
DWORD __fastcall GetPIDFromName(LPCTSTR lpszProcName);
//---------------------------------------------------------------------------
typedef struct
{
    PLOADLIBRARY pfnLoadLibrary;
    PGETLASTERROR pfnGetLastError;
    TCHAR szDllName[1024];
    DWORD dwReturnValue;
} INJECTLIBINFO;
typedef struct
{
    PFREELIBRARY pfnFreeLibrary;
    PGETMODULEHANDLE pfnGetModuleHandle;
    PGETLASTERROR pfnGetLastError;
    DWORD dwReturnValue;
    TCHAR szDllName[1024];
} DEINJECTLIBINFO;
//---------------------------------------------------------------------------
// Remote thread used to load the DLL
static DWORD WINAPI ThreadFuncAttach(INJECTLIBINFO *pInfo)
{
    HINSTANCE hDll = NULL;
    pInfo->dwReturnValue = 0;
    hDll = (HINSTANCE)pInfo->pfnLoadLibrary(pInfo->szDllName);
    if (hDll == NULL)
        pInfo->dwReturnValue = pInfo->pfnGetLastError();
    return ((DWORD)hDll);
}
//---------------------------------------------------------------------------
// Placeholder function used to compute the size of ThreadFuncAttach
static void AfterThreadFuncAttach(void)
{
}
//---------------------------------------------------------------------------
// Remote thread used to unload the DLL
static DWORD WINAPI ThreadFuncDetach(DEINJECTLIBINFO *pInfo)
{
    HINSTANCE hDll = NULL;
    BOOL bResult = FALSE;
    BOOL bHasFoundModule = FALSE;
    pInfo->dwReturnValue = 0; // 0 means success; any other value is an error code.
    while ((hDll = pInfo->pfnGetModuleHandle(pInfo->szDllName)) != NULL)
    {
        bHasFoundModule = TRUE;
        bResult = pInfo->pfnFreeLibrary(hDll);
        if (bResult == FALSE)
        {
            pInfo->dwReturnValue = pInfo->pfnGetLastError();
            break;
        }
    }
    if (pInfo->dwReturnValue == 0 && !bHasFoundModule)
    {
        pInfo->dwReturnValue = pInfo->pfnGetLastError();
    }
    return 1;
}
//---------------------------------------------------------------------------
// Placeholder function used to compute the size of ThreadFuncDetach
static void AfterThreadFuncDetach(void)
{
}
//---------------------------------------------------------------------------
// Adjust the privileges of the current process
BOOL __fastcall EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable)
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ, &hToken))
        return FALSE;
    if (!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid))
    {
        // Lookup failed: release the token and report the failure.
        CloseHandle(hToken);
        return FALSE;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = (bEnable) ? SE_PRIVILEGE_ENABLED : 0;
    AdjustTokenPrivileges(hToken, FALSE, &tp, NULL, NULL, NULL);
    // Read the result before CloseHandle can overwrite the last error.
    DWORD dwError = GetLastError();
    CloseHandle(hToken);
    return (dwError == ERROR_SUCCESS);
}
//---------------------------------------------------------------------------
// Get a process ID from the process name (this uses the Toolhelp functions;
// PSAPI could be used as well)
DWORD __fastcall GetPIDFromName(LPCTSTR lpszProcName)
{
    HANDLE hSnapshot;
    PROCESSENTRY32 ProcStruct;
    DWORD dwProcessID = -1;
    //added by jiangsheng 2002-11-8
    BOOL bIsTerminalServices = Is_Terminal_Services();
    if (bIsTerminalServices)
    {
        // Code copied from the MSDN Magazine article "Windows XP: Escape from
        // DLL Hell with Custom Debugging and Instrumentation Tools and Utilities"
        //get current session ID
        CWTSWrapper WTS;
        if (WTS.IsValid())
        {
            DWORD dwCurSessionID = -1;
            LPTSTR pSessionInfo = NULL;
            DWORD dwBytes;
            if (WTS.WTSQuerySessionInformation(WTS_CURRENT_SERVER_HANDLE, WTS_CURRENT_SESSION,
                                               WTSSessionId, (LPTSTR *)&pSessionInfo, &dwBytes))
            {
                dwCurSessionID = *((DWORD *)pSessionInfo);
                // enumerate processes
                PWTS_PROCESS_INFO pProcessInfo = NULL;
                DWORD ProcessCount = 0;
                BOOL bFound;
                if (WTS.WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1,
                                              &pProcessInfo, &ProcessCount))
                {
                    for (DWORD CurrentProcess = 0; CurrentProcess < ProcessCount; CurrentProcess++)
                    {
                        CString strCurExePath(pProcessInfo[CurrentProcess].pProcessName);
                        CString strRemoteProc(lpszProcName);
                        strCurExePath.MakeLower();
                        strRemoteProc.MakeLower();
                        bFound = (strCurExePath.Find(strRemoteProc) != -1);
                        // Only accept the Winlogon that belongs to the current session.
                        if (bFound && dwCurSessionID == pProcessInfo[CurrentProcess].SessionId)
                        {
                            dwProcessID = pProcessInfo[CurrentProcess].ProcessId;
                            break;
                        }
                    }
                }
                WTS.WTSFreeMemory(pSessionInfo);
            }
        }
    }
    else
    {
        //end added by jiangsheng 2002-11-8
        BOOL bResult;
        hSnapshot = CreateToolhelp32Snapshot((DWORD)TH32CS_SNAPPROCESS, 0);
        ProcStruct.dwSize = sizeof(PROCESSENTRY32);
        bResult = Process32First(hSnapshot, &ProcStruct);
        while (bResult)
        {
            BOOL bFound;
            CString strCurExePath(ProcStruct.szExeFile);
            CString strRemoteProc(lpszProcName);
            strCurExePath.MakeLower();
            strRemoteProc.MakeLower();
            bFound = (strCurExePath.Find(strRemoteProc) != -1);
            if (bFound)
            {
                dwProcessID = ProcStruct.th32ProcessID;
                break;
            }
            bResult = Process32Next(hSnapshot, &ProcStruct);
        }
        CloseHandle(hSnapshot);
    }
    return dwProcessID;
}
//---------------------------------------------------------------------------
// Inject the code
//---------------------------------------------------------------------------
//InjectFunc
void __fastcall InjectFunc()
{
    HANDLE hRemoteProcess = NULL;
    DWORD dwRemoteProcess = 0;
    DWORD dwThreadSize = 0;
    INJECTLIBINFO InjectLibInfo;
    PVOID pRemoteThread = NULL;
    PVOID pRemoteParam = NULL;
    DWORD dwWriten = 0;
    DWORD dwRet = 0;
    // Raise the privileges of this process, then open the target process.
    // The current user must hold the debug privilege.
    EnablePrivilege(SE_DEBUG_NAME, true);
    dwRemoteProcess = GetPIDFromName(szRemoteProcessName);
    if (dwRemoteProcess == (DWORD)-1)
    {
        MessageBox(NULL, _T("Failed to Query Process ID."), NULL,
                   MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS, false, dwRemoteProcess);
    if (hRemoteProcess == NULL)
    {
        MessageBox(NULL, _T("Failed to Open Process. Err = ") + SysErrorMessage(GetLastError()),
                   NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    // Initialize the parameters
    ZeroMemory(&InjectLibInfo, sizeof(INJECTLIBINFO));
    InjectLibInfo.pfnLoadLibrary =
        (PLOADLIBRARY)GetProcAddress(GetModuleHandle("Kernel32.dll"), LoadLibraryFuncStr);
    InjectLibInfo.pfnGetLastError =
        (PGETLASTERROR)GetProcAddress(GetModuleHandle("Kernel32.dll"), GetLastErrorFuncStr);
    // Bound the copy by the size of the destination buffer.
    lstrcpyn(InjectLibInfo.szDllName, CTaskKeyMgr::strRemoteDllName,
             sizeof(InjectLibInfo.szDllName) / sizeof(TCHAR));
    // Allocate memory in the remote process to hold the parameters
    pRemoteParam = VirtualAllocEx(hRemoteProcess, NULL, sizeof(INJECTLIBINFO),
                                  MEM_COMMIT, PAGE_READWRITE);
    if (pRemoteParam == NULL)
    {
        MessageBox(NULL, _T("Failed to Allocate Memory at Remote Process for Param.Err = ") +
                             SysErrorMessage(GetLastError()),
                   NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    dwRet = WriteProcessMemory(hRemoteProcess, pRemoteParam, (LPVOID)&InjectLibInfo,
                               sizeof(INJECTLIBINFO), &dwWriten);
    if (dwRet == 0)
    {
        MessageBox(NULL, _T("Failed to Write Param to Remote Process.Err = ") +
                             SysErrorMessage(GetLastError()),
                   NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    // Copy the thread body
    dwThreadSize = (int)AfterThreadFuncAttach - (int)ThreadFuncAttach + 1024 + sizeof(INJECTLIBINFO);
    pRemoteThread = VirtualAllocEx(hRemoteProcess, NULL, dwThreadSize, MEM_COMMIT, PAGE_READWRITE);
    if (pRemoteThread == NULL)
    {
        MessageBox(NULL, _T("Failed to Allocate Memory at Remote Process for Thread Code.Err = ") +
                             SysErrorMessage(GetLastError()),
                   NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    dwRet = WriteProcessMemory(hRemoteProcess, pRemoteThread, (LPVOID)ThreadFuncAttach,
                               dwThreadSize, &dwWriten);
    if (dwRet == 0)
    {
        MessageBox(NULL, _T("Failed to Write Thread Code to Remote Process.Err = ") +
                             SysErrorMessage(GetLastError()),
                   NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    // Start the remote thread
    HANDLE hRemoteThread;
    hRemoteThread = CreateRemoteThread(hRemoteProcess, 0, 0,
                                       (DWORD(__stdcall *)(VOID *))pRemoteThread,
                                       (INJECTLIBINFO *)pRemoteParam, 0, &dwWriten);
    if (hRemoteThread == NULL)
    {
        MessageBox(NULL, _T("Failed to create unload thread.Err=") + SysErrorMessage(GetLastError()),
                   NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
    }
    else
    {
        // Wait only on a valid handle, then release it.
        ::WaitForSingleObject(hRemoteThread, INFINITE);
        CloseHandle(hRemoteThread);
    }
    // Read back the return value of the load
    dwRet = ReadProcessMemory(hRemoteProcess, pRemoteParam, (LPVOID)&InjectLibInfo,
                              sizeof(INJECTLIBINFO), &dwWriten);
    if (dwRet == 0)
    {
        MessageBox(NULL, _T("Unable to read load return value.Err=") + SysErrorMessage(GetLastError()),
                   NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
    }
    else
    {
        if (InjectLibInfo.dwReturnValue != 0)
        {
            MessageBox(NULL, _T("Failed to load library to Winlogon.Err=") +
                                 SysErrorMessage(InjectLibInfo.dwReturnValue),
                       NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        }
    }
    // Restore the privileges
    EnablePrivilege(SE_DEBUG_NAME, false);
    CloseHandle(hRemoteProcess);
}
//---------------------------------------------------------------------------
// Unload thread
//---------------------------------------------------------------------------
//DeinjectFunc
void __fastcall DeinjectFunc()
{
    HANDLE hRemoteProcess = NULL;
    DWORD dwRemoteProcess = 0;
    DWORD dwThreadSize = 0;
    DEINJECTLIBINFO DeinjectLibInfo;
    PVOID pRemoteThread = NULL;
    PVOID pRemoteParam = NULL;
    DWORD dwWriten = 0;
    DWORD Ret = 0;
    // Raise the privileges of this process, then open the target process
    EnablePrivilege(SE_DEBUG_NAME, true);
    dwRemoteProcess = GetPIDFromName(szRemoteProcessName);
    if (dwRemoteProcess == (DWORD)-1)
    {
        MessageBox(NULL, _T("Failed to Query Process ID."), NULL,
                   MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS, false, dwRemoteProcess);
    if (hRemoteProcess == NULL)
    {
        MessageBox(NULL, _T("Failed to Open Process. Err = ") + SysErrorMessage(GetLastError()),
                   NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    // Initialize the parameters
    ZeroMemory(&DeinjectLibInfo, sizeof(DEINJECTLIBINFO));
    DeinjectLibInfo.pfnFreeLibrary =
        (PFREELIBRARY)GetProcAddress(GetModuleHandle("Kernel32.dll"), FreeLibraryFuncStr);
    DeinjectLibInfo.pfnGetModuleHandle =
        (PGETMODULEHANDLE)GetProcAddress(GetModuleHandle("Kernel32.dll"), GetModuleHandleFuncStr);
    DeinjectLibInfo.pfnGetLastError =
        (PGETLASTERROR)GetProcAddress(GetModuleHandle("Kernel32.dll"), GetLastErrorFuncStr);
    // Bound the copy by the size of the destination buffer.
    lstrcpyn(DeinjectLibInfo.szDllName, CTaskKeyMgr::strRemoteDllName,
             sizeof(DeinjectLibInfo.szDllName) / sizeof(TCHAR));
    // Allocate memory in the remote process to hold the parameters
    pRemoteParam = VirtualAllocEx(hRemoteProcess, NULL, sizeof(DEINJECTLIBINFO),
                                  MEM_COMMIT, PAGE_READWRITE);
    if (pRemoteParam == NULL)
    {
        MessageBox(NULL, _T("Failed to Allocate Memory at Remote Process.Err = ") +
                             SysErrorMessage(GetLastError()),
                   NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    Ret = WriteProcessMemory(hRemoteProcess, pRemoteParam, (LPVOID)&DeinjectLibInfo,
                             sizeof(DEINJECTLIBINFO), &dwWriten);
    if (Ret == 0)
    {
        MessageBox(NULL, _T("Failed to Write Param to Remote Process.Err = ") +
                             SysErrorMessage(GetLastError()),
                   NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    // Copy the thread body
    dwThreadSize = (int)AfterThreadFuncDetach - (int)ThreadFuncDetach + 1024 + sizeof(DEINJECTLIBINFO);
    pRemoteThread = VirtualAllocEx(hRemoteProcess, NULL, dwThreadSize, MEM_COMMIT, PAGE_READWRITE);
    if (pRemoteThread == NULL)
    {
        MessageBox(NULL, _T("Failed to Allocate Memory at Remote Process for Thread Code.Err = ") +
                             SysErrorMessage(GetLastError()),
                   NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    Ret = WriteProcessMemory(hRemoteProcess, pRemoteThread, (LPVOID)ThreadFuncDetach,
                             dwThreadSize, &dwWriten);
    if (Ret == 0)
    {
        MessageBox(NULL, _T("Failed to Write Thread Code to Remote Process.Err = ") +
                             SysErrorMessage(GetLastError()),
                   NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    // Start the remote thread
    HANDLE hRemoteThread;
    hRemoteThread = CreateRemoteThread(hRemoteProcess, 0, 0,
                                       (DWORD(__stdcall *)(VOID *))pRemoteThread,
                                       (DEINJECTLIBINFO *)pRemoteParam, 0, &dwWriten);
    if (hRemoteThread == NULL)
    {
        MessageBox(NULL, _T("Failed to create remote unload thread.Err=") +
                             SysErrorMessage(GetLastError()),
                   NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
    }
    else
    {
        // Let the unload finish before its return value is read back.
        ::WaitForSingleObject(hRemoteThread, INFINITE);
        CloseHandle(hRemoteThread);
    }
    // Read back the return value of the unload
    Ret = ReadProcessMemory(hRemoteProcess, pRemoteParam, (LPVOID)&DeinjectLibInfo,
                            sizeof(DEINJECTLIBINFO), &dwWriten);
    if (Ret == 0)
    {
        MessageBox(NULL, _T("Unable to read unload return value.Err=") + SysErrorMessage(GetLastError()),
                   NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
    }
    else
    {
        if (DeinjectLibInfo.dwReturnValue != 0)
        {
            MessageBox(NULL, _T("Failed to unload .Err=") +
                                 SysErrorMessage(DeinjectLibInfo.dwReturnValue),
                       NULL, MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        }
    }
    // Restore the privileges
    CloseHandle(hRemoteProcess);
    EnablePrivilege(SE_DEBUG_NAME, false);
}
//---------------------------------------------------------------------------
```

Usage:

```cpp
BOOL CTaskKeyMgr::IsCtrlAltDeleteDisabled()
{
    return bInjectFuncLoaded;
}
```

```cpp
if (dwFlags & CTRLALTDEL)
{
    // Inject only when asked to disable and not yet disabled.
    if (bDisable && !IsCtrlAltDeleteDisabled())
    {
        InjectFunc();
        bInjectFuncLoaded = TRUE;
    }
    // Remove the hook only when asked to enable and currently disabled.
    if (!bDisable && IsCtrlAltDeleteDisabled())
    {
        DeinjectFunc();
        bInjectFuncLoaded = FALSE;
    }
}
```
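The hook above only works because a foreign DLL ends up loaded inside Winlogon, so the loaded-module list of that process is where a defender looks for it. The following check is an added example, not part of the original article or its authors' code: it reports modules in every winlogon.exe instance that live outside %SystemRoot% or lack a valid Authenticode signature. It assumes a current Windows system with PowerShell (not the Windows 2000 the article targets), an elevated session of the same bitness as the OS, and the function name `Get-SuspectWinlogonModule` is hypothetical.

```powershell
# Added example (not from the original article): review the modules loaded
# into every winlogon.exe instance and report the ones that deserve a look.
# Assumption: run elevated, from a PowerShell of the same bitness as the OS.

function Get-SuspectWinlogonModule {
    [CmdletBinding()]
    param(
        # Directory tree in which OS modules are expected to live.
        [string]$TrustedRoot = $env:SystemRoot
    )

    $prefix = $TrustedRoot.TrimEnd('\') + '\'

    # One winlogon.exe exists per session, so inspect all of them.
    foreach ($proc in Get-Process -Name winlogon -ErrorAction Stop) {
        try {
            $modules = Get-Process -Id $proc.Id -Module -ErrorAction Stop
        }
        catch {
            Write-Warning "PID $($proc.Id): cannot enumerate modules ($($_.Exception.Message))"
            continue
        }

        foreach ($m in $modules) {
            $path    = $m.FileName
            $outside = -not $path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
            $sig     = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $status  = if ($sig) { [string]$sig.Status } else { 'Unreadable' }

            # Report a module if it sits outside the OS tree or is not validly signed.
            if ($outside -or $status -ne 'Valid') {
                [pscustomobject]@{
                    ProcessId   = $proc.Id
                    SessionId   = $proc.SessionId
                    Module      = $m.ModuleName
                    Path        = $path
                    OutsideRoot = $outside
                    Signature   = $status
                    Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
        }
    }
}

Get-SuspectWinlogonModule | Sort-Object ProcessId, Path | Format-Table -AutoSize
```

An empty result means every module in Winlogon is under %SystemRoot% and validly signed; any row is a lead to review, not proof of a hook.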

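Note

If a later version of Windows changes the way Ctrl+Alt+Delete is handled, the technique described in this article may no longer work. If you use this technique in your code, be aware that you may have to modify your code in the future.

Known issues

- There is no Unicode version yet.
- The memory allocated with VirtualAllocEx is not released with VirtualFreeEx.
- Running in Debug mode causes Winlogon to fail (after the failure, do not confirm or cancel the error dialog; save all open documents, close all programs, and shut down through the normal route, otherwise Windows will shut down immediately).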