Win7 修改Winlogon.exe进程代码
首先要说的我用的方法不一定是最好的,但是可能是最简单的,并且是可恢复的一种方法,程序向winlogon.exe进程具体位置写入一个字节,屏蔽了Win+L。当然Ctrl+Alt+Del、Ctrl+Shift+Esc、Win+P等等都可以屏蔽,前提是你知道原理。
演示程序是64位,由于没有32位 Win7 系统做测试,所以不知道具体偏移。
发一下具体代码,Win+L的ID为5、Ctrl+Shift+Esc的ID为4、Ctrl+Alt+Del的ID为0
代码:
/*
由进程名获取PID
*/
/*
 * Look up a process ID by executable name using a Toolhelp snapshot.
 *
 * pszName : executable file name to match (compared with lstrcmpi, i.e.
 *           case-insensitively, against PROCESSENTRY32.szExeFile).
 *
 * Returns the PID of the first matching entry, or (DWORD)-1 (0xFFFFFFFF)
 * when the snapshot cannot be created, Process32First fails, or no entry
 * matches. Note the failure sentinel is -1, not 0: a caller that tests
 * `!pid` will not detect the not-found case.
 *
 * The snapshot handle is closed on every exit path.
 */
DWORD GetPidByProcessName(LPCTSTR pszName)
{
    DWORD dwResult = (DWORD)-1;
    HANDLE hSnap;
    PROCESSENTRY32 entry;
    BOOL bMore;

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
        return dwResult;

    /* dwSize must be set before the first Process32* call. */
    entry.dwSize = sizeof entry;

    /* Walk every entry; stop at the first name match. */
    for (bMore = Process32First(hSnap, &entry); bMore; bMore = Process32Next(hSnap, &entry))
    {
        if (lstrcmpi(entry.szExeFile, pszName) == 0)
        {
            dwResult = entry.th32ProcessID;
            break;
        }
    }

    CloseHandle(hSnap);
    return dwResult;
}
/*
禁止Win+L热键,参数bDisable表示是否禁止
*/
/*
 * Toggle the Win+L hotkey by patching a single byte inside winlogon.exe.
 *
 * bDisable == TRUE  : expects the byte at the hard-coded offset to equal
 *                     uchOrigCode (0x05) and overwrites it with uchHookCode (0x25).
 * bDisable == FALSE : expects the byte to equal uchHookCode and writes back
 *                     uchOrigCode (restore).
 *
 * Returns TRUE once the patch/restore path has been run to its end, FALSE when
 * the process cannot be found or opened, its modules cannot be enumerated, the
 * read-back fails, or the byte at the offset is not the value expected for the
 * requested direction (this read-and-compare step is what keeps the patch from
 * being applied twice or to a different winlogon build).
 *
 * NOTE(review): the return values of VirtualProtectEx and WriteProcessMemory
 * are never checked, so TRUE does not prove the byte was actually written.
 * NOTE(review): the offset 0x1710D is tied to the build the author tested (the
 * page states 64-bit Win7 only); the one-byte compare is the only version check.
 * NOTE(review): opening winlogon.exe with PROCESS_ALL_ACCESS and writing to one
 * of its code pages is a cross-process tamper pattern of the kind endpoint
 * monitoring typically flags; presumably it also requires an elevated token /
 * SeDebugPrivilege, which this code does not enable — confirm on the target.
 */
BOOL DisableHotKey(BOOL bDisable)
{
UCHAR uchOrigCode[] = {0x05}; // byte expected before patching
UCHAR uchHookCode[] = {0x25}; // byte written to disable the hotkey
UCHAR uchReadCode[] = {0x00}; // scratch buffer for the read-back
LPVOID lpReadAddress;
DWORD dwPID;
HANDLE hProcess;
HMODULE lphModule[512];
DWORD_PTR dwReturn; // reused for EnumProcessModules cbNeeded and the RPM/WPM byte counts
DWORD dwOldProtect;
INT i;
// Find the PID of winlogon.exe.
// NOTE(review): GetPidByProcessName returns (DWORD)-1 on failure, not 0, so this
// `!dwPID` test does not catch the not-found case; the OpenProcess below fails instead.
if(!(dwPID = GetPidByProcessName(_T("winlogon.exe"))))
return FALSE;
// Open the process with full access.
if(!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))
return FALSE;
// Enumerate the process's modules; the first handle is treated as the image base below.
// NOTE(review): dwReturn is a DWORD_PTR passed as LPDWORD, so only its low 32 bits
// are written here; a separate DWORD cbNeeded would avoid the cast.
if(!EnumProcessModules(hProcess, lphModule, sizeof(lphModule), (LPDWORD)&dwReturn))
{
CloseHandle(hProcess);
return FALSE;
}
// Module load base plus the hard-coded offset of the byte to patch.
lpReadAddress = (LPVOID)((LPSTR)lphModule[0] + 0x1710D);
if(bDisable)
{
// Read the byte currently at the target address.
if(!ReadProcessMemory(hProcess, lpReadAddress, uchReadCode, sizeof(uchReadCode), &dwReturn))
{
CloseHandle(hProcess);
return FALSE;
}
// Only patch if the byte is still the expected original value.
// NOTE(review): INT i vs size_t is a signed/unsigned comparison (harmless for a 1-byte array).
for(i=0; i<sizeof(uchReadCode)/sizeof(UCHAR); i++)
{
if(uchReadCode[i] != uchOrigCode[i])
{
CloseHandle(hProcess);
return FALSE;
}
}
// Change the Win+L ID byte from 0x05 to 0x25: make the page writable
// (copy-on-write), write the byte, then put the old protection back.
// NOTE(review): none of the three calls is checked; a failed VirtualProtectEx
// or WriteProcessMemory still ends in `return TRUE`.
VirtualProtectEx(hProcess, lpReadAddress, sizeof(uchHookCode), PAGE_EXECUTE_WRITECOPY, &dwOldProtect);
WriteProcessMemory(hProcess, lpReadAddress, uchHookCode, sizeof(uchHookCode), &dwReturn);
VirtualProtectEx(hProcess, lpReadAddress, sizeof(uchHookCode), dwOldProtect, &dwOldProtect);
}
else
{
// Read the byte currently at the target address.
if(!ReadProcessMemory(hProcess, lpReadAddress, uchReadCode, sizeof(uchReadCode), &dwReturn))
{
CloseHandle(hProcess);
return FALSE;
}
// Only restore if the byte is the patched value.
for(i=0; i<sizeof(uchReadCode)/sizeof(UCHAR); i++)
{
if(uchReadCode[i] != uchHookCode[i])
{
CloseHandle(hProcess);
return FALSE;
}
}
// Restore the original byte (same protect/write/restore sequence as above).
// NOTE(review): same unchecked calls as the patch path.
VirtualProtectEx(hProcess, lpReadAddress, sizeof(uchOrigCode), PAGE_EXECUTE_WRITECOPY, &dwOldProtect);
WriteProcessMemory(hProcess, lpReadAddress, uchOrigCode, sizeof(uchOrigCode), &dwReturn);
VirtualProtectEx(hProcess, lpReadAddress, sizeof(uchOrigCode), dwOldProtect, &dwOldProtect);
}
CloseHandle(hProcess);
return TRUE;
}
首先要说的我用的方法不一定是最好的,但是可能是最简单的,并且是可恢复的一种方法,程序向winlogon.exe进程具体位置写入一个字节,屏蔽了Win+L。当然Ctrl+Alt+Del、Ctrl+Shift+Esc、Win+P等等都可以屏蔽,前提是你知道原理。
演示程序是64位,由于没有32位 Win7 系统做测试,所以不知道具体偏移。
发一下具体代码,Win+L的ID为5、Ctrl+Shift+Esc的ID为4、Ctrl+Alt+Del的ID为0
代码:
/*
由进程名获取PID
*/
/*
 * Look up a process ID by executable name using a Toolhelp snapshot.
 *
 * pszName : executable file name to match (compared with lstrcmpi, i.e.
 *           case-insensitively, against PROCESSENTRY32.szExeFile).
 *
 * Returns the PID of the first matching entry, or (DWORD)-1 (0xFFFFFFFF)
 * when the snapshot cannot be created, Process32First fails, or no entry
 * matches. Note the failure sentinel is -1, not 0: a caller that tests
 * `!pid` will not detect the not-found case.
 *
 * The snapshot handle is closed on every exit path.
 */
DWORD GetPidByProcessName(LPCTSTR pszName)
{
    DWORD dwResult = (DWORD)-1;
    HANDLE hSnap;
    PROCESSENTRY32 entry;
    BOOL bMore;

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
        return dwResult;

    /* dwSize must be set before the first Process32* call. */
    entry.dwSize = sizeof entry;

    /* Walk every entry; stop at the first name match. */
    for (bMore = Process32First(hSnap, &entry); bMore; bMore = Process32Next(hSnap, &entry))
    {
        if (lstrcmpi(entry.szExeFile, pszName) == 0)
        {
            dwResult = entry.th32ProcessID;
            break;
        }
    }

    CloseHandle(hSnap);
    return dwResult;
}
/*
禁止Win+L热键,参数bDisable表示是否禁止
*/
/*
 * Toggle the Win+L hotkey by patching a single byte inside winlogon.exe.
 *
 * bDisable == TRUE  : expects the byte at the hard-coded offset to equal
 *                     uchOrigCode (0x05) and overwrites it with uchHookCode (0x25).
 * bDisable == FALSE : expects the byte to equal uchHookCode and writes back
 *                     uchOrigCode (restore).
 *
 * Returns TRUE once the patch/restore path has been run to its end, FALSE when
 * the process cannot be found or opened, its modules cannot be enumerated, the
 * read-back fails, or the byte at the offset is not the value expected for the
 * requested direction (this read-and-compare step is what keeps the patch from
 * being applied twice or to a different winlogon build).
 *
 * NOTE(review): the return values of VirtualProtectEx and WriteProcessMemory
 * are never checked, so TRUE does not prove the byte was actually written.
 * NOTE(review): the offset 0x1710D is tied to the build the author tested (the
 * page states 64-bit Win7 only); the one-byte compare is the only version check.
 * NOTE(review): opening winlogon.exe with PROCESS_ALL_ACCESS and writing to one
 * of its code pages is a cross-process tamper pattern of the kind endpoint
 * monitoring typically flags; presumably it also requires an elevated token /
 * SeDebugPrivilege, which this code does not enable — confirm on the target.
 */
BOOL DisableHotKey(BOOL bDisable)
{
UCHAR uchOrigCode[] = {0x05}; // byte expected before patching
UCHAR uchHookCode[] = {0x25}; // byte written to disable the hotkey
UCHAR uchReadCode[] = {0x00}; // scratch buffer for the read-back
LPVOID lpReadAddress;
DWORD dwPID;
HANDLE hProcess;
HMODULE lphModule[512];
DWORD_PTR dwReturn; // reused for EnumProcessModules cbNeeded and the RPM/WPM byte counts
DWORD dwOldProtect;
INT i;
// Find the PID of winlogon.exe.
// NOTE(review): GetPidByProcessName returns (DWORD)-1 on failure, not 0, so this
// `!dwPID` test does not catch the not-found case; the OpenProcess below fails instead.
if(!(dwPID = GetPidByProcessName(_T("winlogon.exe"))))
return FALSE;
// Open the process with full access.
if(!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))
return FALSE;
// Enumerate the process's modules; the first handle is treated as the image base below.
// NOTE(review): dwReturn is a DWORD_PTR passed as LPDWORD, so only its low 32 bits
// are written here; a separate DWORD cbNeeded would avoid the cast.
if(!EnumProcessModules(hProcess, lphModule, sizeof(lphModule), (LPDWORD)&dwReturn))
{
CloseHandle(hProcess);
return FALSE;
}
// Module load base plus the hard-coded offset of the byte to patch.
lpReadAddress = (LPVOID)((LPSTR)lphModule[0] + 0x1710D);
if(bDisable)
{
// Read the byte currently at the target address.
if(!ReadProcessMemory(hProcess, lpReadAddress, uchReadCode, sizeof(uchReadCode), &dwReturn))
{
CloseHandle(hProcess);
return FALSE;
}
// Only patch if the byte is still the expected original value.
// NOTE(review): INT i vs size_t is a signed/unsigned comparison (harmless for a 1-byte array).
for(i=0; i<sizeof(uchReadCode)/sizeof(UCHAR); i++)
{
if(uchReadCode[i] != uchOrigCode[i])
{
CloseHandle(hProcess);
return FALSE;
}
}
// Change the Win+L ID byte from 0x05 to 0x25: make the page writable
// (copy-on-write), write the byte, then put the old protection back.
// NOTE(review): none of the three calls is checked; a failed VirtualProtectEx
// or WriteProcessMemory still ends in `return TRUE`.
VirtualProtectEx(hProcess, lpReadAddress, sizeof(uchHookCode), PAGE_EXECUTE_WRITECOPY, &dwOldProtect);
WriteProcessMemory(hProcess, lpReadAddress, uchHookCode, sizeof(uchHookCode), &dwReturn);
VirtualProtectEx(hProcess, lpReadAddress, sizeof(uchHookCode), dwOldProtect, &dwOldProtect);
}
else
{
// Read the byte currently at the target address.
if(!ReadProcessMemory(hProcess, lpReadAddress, uchReadCode, sizeof(uchReadCode), &dwReturn))
{
CloseHandle(hProcess);
return FALSE;
}
// Only restore if the byte is the patched value.
for(i=0; i<sizeof(uchReadCode)/sizeof(UCHAR); i++)
{
if(uchReadCode[i] != uchHookCode[i])
{
CloseHandle(hProcess);
return FALSE;
}
}
// Restore the original byte (same protect/write/restore sequence as above).
// NOTE(review): same unchecked calls as the patch path.
VirtualProtectEx(hProcess, lpReadAddress, sizeof(uchOrigCode), PAGE_EXECUTE_WRITECOPY, &dwOldProtect);
WriteProcessMemory(hProcess, lpReadAddress, uchOrigCode, sizeof(uchOrigCode), &dwReturn);
VirtualProtectEx(hProcess, lpReadAddress, sizeof(uchOrigCode), dwOldProtect, &dwOldProtect);
}
CloseHandle(hProcess);
return TRUE;
}