WIN7_WIN2008_WIN2003_WINXP屏蔽CTRL+ALT+DEL

unit winSuspendThread;

interface

uses
winapi.Windows, winapi.TlHelp32, system.SysUtils, Rhotkey_Unit;

function OpenThread2(dwThreadID: DWORD; bInherit: BOOL): THandle; stdcall;
function GetProcessID(strProcessName: string): DWORD;
function GetThreadID(dwOwnerProcessID: DWORD): DWORD;
function SuspendThread_ctrlaltddel(): BOOL; // 屏蔽 ctrl+alt+del
function ResumeThread_ctrlaltddel(): BOOL; // 唤醒 ctrl+alt+del
function EnableDebugPrivilege: boolean; // 提升权限
function KillTask(ExeFileName: string): integer; // 关闭进程

implementation

const
THREAD_TERMINATE = $0001;
THREAD_SUSPEND_RESUME = $0002;
THREAD_GET_CONTEXT = $0008;
THREAD_SET_CONTEXT = $0010;
THREAD_SET_INFORMATION = $0020;
THREAD_QUERY_INFORMATION = $0040;
THREAD_SET_THREAD_TOKEN = $0080;
THREAD_IMPERSONATE = $0100;
THREAD_DIRECT_IMPERSONATION = $0200;
THREAD_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED or SYNCHRONIZE or $3FF;

type
PPDB = ^T_PDB;

T_PDB = record
mType: WORD;
Refcount: WORD;
Unk0: DWORD;
Unk1: DWORD;
Unk2: DWORD;
TermStatus: DWORD;
Unk3: DWORD;
DefaultHeap: DWORD;
MemContext: DWORD;
Flags: DWORD;
pPsp: DWORD;
psSelector: WORD;
METIndex: WORD;
nThreads: WORD;
nThreadsNotTerm: WORD;
Unk5: WORD;
nR0Threads: WORD;
HeapHandle: DWORD;
K16TDBSel: WORD;
Unk6: WORD;
Unk7: DWORD;
pEDB: DWORD;
pHandleTable: DWORD;
ParentPDB: PPDB;
ModRefList: DWORD;
ThreadList: DWORD;
DebugeeCB: DWORD;
LHFreeHead: DWORD;
InitialR0ID: DWORD;
end;

PDB = T_PDB;

T_TCB = record
mType: WORD;
Refcount: WORD;
Unk1: DWORD;
pvExcept: DWORD;
TopOfStack: DWORD;
BaseOfStace: DWORD;
K16TDB: WORD;
StackSel16: WORD;
Unk2: DWORD;
UserPointer: DWORD;
pTIB: DWORD;
TIBFlags: WORD;
Win16MutxCnt: WORD;
DebugContext: DWORD;
PtrToCurPri: DWORD;
MsgQueue: DWORD;
pTLSarray: DWORD;
pParentPDB: PPDB;
SelmanList: DWORD;
Unk3: DWORD;
Flags: DWORD;
status: DWORD;
TibSel: WORD;
EmulatorSel: WORD;
HandleCount: DWORD;
WaitNodeList: DWORD;
R0hThread: DWORD;
ptdbx: DWORD;
end;

TCB = T_TCB;
PTCB = ^T_TCB;

OBFUNC = function(dwPTID: DWORD): pointer; stdcall;
OTFUNC = function(pH: PHandle; dwVal: DWORD; var var1; var var2): DWORD; stdcall;

function GetTrueProcAddress(lpMod: PChar; lpFunc: PChar): pointer; stdcall; forward;
function OpenThreadNT(dwThreadID: DWORD; bInherit: BOOL): THandle; stdcall; forward;

function XORProcessThreadID(dwPTID: DWORD): pointer; stdcall;
var
obfuscate: OBFUNC;
dwMain: DWORD;
lpdw: PDWORD;
dw1: DWORD;
begin
dwMain := DWORD(GetTrueProcAddress('Kernel32.dll', 'GetCurrentThreadId'));
// if dwMain = nil then begin result := nil; exit; end;
lpdw := PDWORD(dwMain + 8);
dw1 := dwMain + 12;
obfuscate := OBFUNC(dw1 + lpdw^);
result := obfuscate(dwPTID);
end;

function OpenThread2(dwThreadID: DWORD; bInherit: BOOL): THandle; stdcall;
var
hThread, hPrc: THandle;
lp1: PDWORD;
dwProcessID, dwWhere, dwTable: DWORD;
b1: BOOL;
lpThreadObj: PTCB;
procpPdb: PPDB;
osvi: OSVERSIONINFO;
begin
osvi.dwOSVersionInfoSize := sizeof(osvi);
GetVersionEX(osvi);

SetLastError(50);

if osvi.dwPlatformId = VER_PLATFORM_WIN32_NT then
result := OpenThreadNT(dwThreadID, bInherit)
else
begin
procpPdb := PPDB(XORProcessThreadID(GetCurrentProcessID()));
lpThreadObj := PTCB(XORProcessThreadID(dwThreadID));

if IsBadReadPtr(lpThreadObj, sizeof(TCB)) then
begin
result := 0;
exit;
end;

if PBYTE(lpThreadObj)^ <> 7 then
begin
result := 0;
exit;
end;

dwProcessID := DWORD(XORProcessThreadID(DWORD(lpThreadObj^.pParentPDB)));

if (dwProcessID = GetCurrentProcessID()) then
hPrc := GetCurrentProcess()
else
begin
hPrc := OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
if (hPrc = 0) then
begin
result := 0;
exit;
end;
end;

// 4 is the lowest handle in the table
// all proceses have this handle
b1 := DuplicateHandle(hPrc, THandle(4), GetCurrentProcess(), @hThread, THREAD_ALL_ACCESS, bInherit, 0);

if (hPrc <> GetCurrentProcess()) then
CloseHandle(hPrc);

if (b1 = FALSE) then
begin
result := 0;
exit;
end;

dwWhere := DWORD(hThread) shr 2;
dwTable := procpPdb^.pHandleTable;
lp1 := PDWORD(dwTable + dwWhere * 8 + 8);

lp1^ := DWORD(lpThreadObj);

result := hThread;

end;

end;

{$J+}

function EnableDebugPrivilege: boolean;
function EnablePrivilege(hToken: NativeUInt; PrivName: string; bEnable: boolean): boolean;
var
TP: TOKEN_PRIVILEGES;
Dummy: Cardinal;
char123: PAnsiChar;
begin
TP.PrivilegeCount := 1;
char123 := PAnsiChar(ansistring(PrivName));
char123 := PAnsiChar(ansistring(PrivName));
LookupPrivilegevalueW(nil, Pwidechar(WideString(PrivName)), TP.Privileges[0].Luid);
if bEnable then
TP.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
else
TP.Privileges[0].Attributes := 0;
AdjustTokenPrivileges(hToken, FALSE, TP, sizeof(TP), nil, Dummy); // [Page]
result := GetLastError = ERROR_SUCCESS;
end;

var
hToken: Cardinal;
begin
OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES, NativeUInt(hToken));
result := EnablePrivilege(hToken, 'SeDebugPrivilege', true);
CloseHandle(hToken);
end;

function KillTask(ExeFileName: string): integer;
const
PROCESS_TERMINATE = $0001;
var
ContinueLoop: boolean;
FSnapshotHandle: THandle;
FProcessEntry32: TProcessEntry32;
begin
result := 0;
FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
FProcessEntry32.dwSize := sizeof(FProcessEntry32);
ContinueLoop := Process32First(FSnapshotHandle, FProcessEntry32);

while integer(ContinueLoop) <> 0 do
begin
if ((uppercase(ExtractFileName(FProcessEntry32.szExeFile)) = uppercase(ExeFileName)) or (uppercase(FProcessEntry32.szExeFile) = uppercase(ExeFileName))) then
result := integer(TerminateProcess(OpenProcess(PROCESS_TERMINATE, BOOL(0), FProcessEntry32.th32ProcessID), 0));
ContinueLoop := Process32Next(FSnapshotHandle, FProcessEntry32);
end;
CloseHandle(FSnapshotHandle);
end;

function OpenThreadNT(dwThreadID: DWORD; bInherit: BOOL): THandle; stdcall;
const
hThread: THandle = 0;
struct1: array [0 .. 5] of DWORD = ($18, 0, 0, 0, 0, 0);
struct2: array [0 .. 1] of DWORD = (0, 0);
hLib: HModule = 0;
OpenThatNTThread: OTFUNC = nil;

begin

hLib := LoadLibrary('ntdll.dll');
OpenThatNTThread := OTFUNC(GetProcAddress(hLib, 'NtOpenThread'));

struct2[1] := dwThreadID;
struct1[3] := DWORD(bInherit);

OpenThatNTThread(@hThread, THREAD_ALL_ACCESS, struct1, struct2);

FreeLibrary(hLib);

result := hThread;
end;
{$J-}

function GetTrueProcAddress(lpMod: PChar; lpFunc: PChar): pointer; stdcall;
var
bla: pointer;
hMod: HModule;
begin
hMod := GetModuleHandle(lpMod);

if hMod = 0 then
begin
result := nil;
exit;
end;

bla := pointer(GetProcAddress(hMod, lpFunc));
if (DWORD(bla) = 0) then
begin
result := nil;
exit;
end;

if PBYTE(bla)^ = $68 then
bla := pointer(PDWORD(DWORD(bla) + 1)^);

result := bla;
end;

function GetProcessID(strProcessName: string): DWORD;
var
dwRet: DWORD;
hSnapShot: THandle;
ProcessEntry: PROCESSENTRY32;
bFlag: BOOL;
begin
dwRet := 0;
hSnapShot := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapShot <> INVALID_HANDLE_VALUE) then
begin
FillChar(ProcessEntry, sizeof(PROCESSENTRY32), 0);
ProcessEntry.dwSize := sizeof(PROCESSENTRY32);
bFlag := Process32First(hSnapShot, ProcessEntry);
while (bFlag) do
begin
if Pos(uppercase(strProcessName), uppercase(ProcessEntry.szExeFile)) <> 0 then
begin
dwRet := ProcessEntry.th32ProcessID;
break;
end;
ProcessEntry.dwSize := sizeof(PROCESSENTRY32);
bFlag := Process32Next(hSnapShot, ProcessEntry);
end;
CloseHandle(hSnapShot);
end;
result := dwRet;
end;

function GetThreadID(dwOwnerProcessID: DWORD): DWORD;
var
dwRet: DWORD;
hThreadSnap: THandle;
te32: THREADENTRY32;
begin
dwRet := 0;
FillChar(te32, sizeof(te32), 0);
hThreadSnap := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (hThreadSnap <> INVALID_HANDLE_VALUE) then
begin
te32.dwSize := sizeof(THREADENTRY32);
if (Thread32First(hThreadSnap, te32)) then
repeat
if (te32.th32OwnerProcessID = dwOwnerProcessID) then
begin
dwRet := te32.th32ThreadID;
break;
end;
until not(Thread32Next(hThreadSnap, te32));
CloseHandle(hThreadSnap);
end;
result := dwRet;
end;

function SuspendThread_ctrlaltddel(): BOOL;
var
// ContinueLoop: boolean;
FSnapshotHandle: THandle;
// FProcessEntry32: TProcessEntry32;
b: BOOL;
th32: PROCESSENTRY32;
th32id: Cardinal;
th32_lock: THREADENTRY32;
hThreadSnap: THandle;
oth: THandle;
begin

FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
// FProcessEntry32.dwSize := Sizeof(FProcessEntry32);
// ContinueLoop := Process32First(FSnapshotHandle, FProcessEntry32);
th32.dwSize := sizeof(th32);
if (FSnapshotHandle = INVALID_HANDLE_VALUE) then
begin
result := FALSE;
exit;
end;
b := Process32First(FSnapshotHandle, th32);
while b do
begin
if th32.szExeFile = 'winlogon.exe' then
begin
// ShowMessage(th32.szExeFile);
th32id := th32.th32ProcessID;
end;
b := Process32Next(FSnapshotHandle, th32);
end;

th32_lock.dwSize := sizeof(th32_lock);
hThreadSnap := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (hThreadSnap = INVALID_HANDLE_VALUE) then
begin
// ShowMessage('调用失败');
result := FALSE;
exit;
end;
b := Thread32First(hThreadSnap, th32_lock);
while b do
begin
if th32_lock.th32OwnerProcessID = th32id then
begin
// oth := OpenThread2(THREAD_ALL_ACCESS, False, th32_lock.th32ThreadID);
oth := OpenThread2(th32_lock.th32ThreadID, FALSE);
if SuspendThread(oth) >= 0 then
begin
// ShowMessage('ok');
end;
break;
CloseHandle(oth);
end;
b := Thread32Next(hThreadSnap, th32_lock);
end;
CloseHandle(hThreadSnap);
RunFuckCAD(); //屏蔽功能键
result := true;
end;

function ResumeThread_ctrlaltddel(): BOOL;
var
ContinueLoop: boolean;
FSnapshotHandle: THandle;
FProcessEntry32: TProcessEntry32;
b: BOOL;
th32: PROCESSENTRY32;
th32id: Cardinal;
th32_lock: THR
9439
EADENTRY32;
hThreadSnap: THandle;
oth: THandle;
begin

FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
FProcessEntry32.dwSize := sizeof(FProcessEntry32);
ContinueLoop := Process32First(FSnapshotHandle, FProcessEntry32);
th32.dwSize := sizeof(th32);
if (FSnapshotHandle = INVALID_HANDLE_VALUE) then
begin
result := FALSE;
exit;
end;
b := Process32First(FSnapshotHandle, th32);
while b do
begin
if th32.szExeFile = 'winlogon.exe' then
begin
// ShowMessage(th32.szExeFile);
th32id := th32.th32ProcessID;
end;
b := Process32Next(FSnapshotHandle, th32);
end;

th32_lock.dwSize := sizeof(th32_lock);
hThreadSnap := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (hThreadSnap = INVALID_HANDLE_VALUE) then
begin
result := FALSE;
exit;
end;
b := Thread32First(hThreadSnap, th32_lock);
while b do
begin
if th32_lock.th32OwnerProcessID = th32id then
begin
// oth := OpenThread2(THREAD_ALL_ACCESS, False, th32_lock.th32ThreadID);
oth := OpenThread2(th32_lock.th32ThreadID, FALSE);
if ResumeThread(oth) >= 0 then
begin
// showmessage('ok');
end;
break;
CloseHandle(oth);
end;
b := Thread32Next(hThreadSnap, th32_lock);
end;
CloseHandle(hThreadSnap);
StopFuckCAD();//释放屏蔽功能键
result := true;
end;

end.