远程线程、代码注入,禁止CTRL+ALT+DEL求助[已解决]
本帖最后由 seniors 于 2012-2-20 10:03 编辑。网上找到的VB代码转化过来,转的过程可能有些小问题,有些参数好像不一样,下面是代码。现在好像没有把代码注入进去,弹出“内存不能为读/写”的错误,然后蓝屏了。
二楼有P大的代码**** Hidden Message ***** #include <Thread.au3>
#include <lsasecur.au3>
; Review note (defensive reading): the statements below perform cross-process code
; injection into winlogon.exe, the process that owns the secure attention sequence
; (Ctrl+Alt+Del). The sequence - enable SeDebugPrivilege, open winlogon, change page
; protection and allocate memory inside it, write a buffer, then overwrite the first
; 8 bytes of an exported function - is the behaviour pattern endpoint monitoring
; alerts on, and any mistake in the hard-coded sizes and offsets crashes winlogon,
; which the OS treats as a critical process (the thread reports a blue screen).
; A later reply states this version applies only to 32-bit systems ("ptr" is 4 bytes).
;
; Layout of the buffer that is copied into the remote process. "align 1" packs the
; inner struct because it holds raw bytes rather than data; the field sizes are taken
; from the VB original and are not validated anywhere in this script.
Const $tagHOOK_TASKMGR = "ptr CreateProcessAsUserW;ptr Breakpoint;ubyte OldEntrypoint;struct;align 1;ubyte Push;ptr Address;ubyte Ret;word Breakpoint1;endstruct;wchar wzImageName;ubyte ShellX"
; Address of the target export resolved in *this* process; every remote call below
; reuses it as the address inside winlogon, i.e. the script assumes advapi32.dll is
; mapped at the same base in both processes.
Const $pCreateProcessAsUserW = _RTGetProcAddress("advapi32.dll", "CreateProcessAsUserW")
; SeDebugPrivilege is needed to open a protected system process; enabling it is
; itself an auditable event.
$hToken = _SeOpenProcessToken(-1)
_SeAdjustTokenPriv($hToken, $SE_DEBUG_PRIV)
_SeCloseHandle($hToken)
; Every failure path packs a stage tag into the high bits of the exit code together
; with @error: 0x1 open, 0x2 protect, 0x3 alloc, 0x4 read, 0x5/0x6 write.
$hProcess = _RTOpenProcess("winlogon.exe")
If $hProcess = 0 Then Exit BitOR(0x10000000, @error)
; Make the first 8 bytes of the live function writable in the remote process.
If _RTVirtualProtectEx($hProcess, $pCreateProcessAsUserW, 8) = 0 Then
Exit BitOR(0x20000000, @error)
EndIf
; One page of fresh remote memory that will receive the buffer.
$pStartAddress = _RTVirtualAllocEx($hProcess, 4096)
If $pStartAddress = 0 Then Exit BitOR(0x30000000, @error)
; Fill the buffer locally. Push/Address/Ret/Breakpoint1 are the 8 bytes that later
; replace the function entry; Address is a hard-coded 0x80 offset into the remote
; allocation that nothing here checks against the struct layout.
$tBuffer = DllStructCreate($tagHOOK_TASKMGR)
$pBuffer = DllStructGetPtr($tBuffer)
DllStructSetData($tBuffer, "CreateProcessAsUserW", $pCreateProcessAsUserW)
DllStructSetData($tBuffer, "Breakpoint", 0xCCCCCCCC)
DllStructSetData($tBuffer, "Push", 0x68)
DllStructSetData($tBuffer, "Address", $pStartAddress + 0x80)
DllStructSetData($tBuffer, "Ret", 0xC3)
DllStructSetData($tBuffer, "Breakpoint1", 0xCCCC)
DllStructSetData($tBuffer, "wzImageName", "TASKMGR.EXE")
DllStructSetData($tBuffer, "ShellX", _GetShellX())
; Save the original 8 entry bytes. This script never writes them back - a reply
; further down quotes a manual restore line - so presumably the hook stays in place
; for as long as winlogon runs.
If _RTReadProcessMemory($hProcess, $pCreateProcessAsUserW, DllStructGetPtr($tBuffer, "OldEntrypoint"), 8) = 0 Then
Exit BitOR(0x40000000, @error)
EndIf
; Two remote writes: the whole buffer into the new allocation, then 8 bytes over the
; live function entry. If another thread is executing those bytes at that moment the
; outcome can be a winlogon crash rather than a script error.
If _RTWriteProcessMemory($hProcess, $pStartAddress, $pBuffer, DllStructGetSize($tBuffer)) = 0 Then
Exit BitOR(0x50000000, @error)
EndIf
If _RTWriteProcessMemory($hProcess, $pCreateProcessAsUserW, DllStructGetPtr($tBuffer, "push"), 8) = 0 Then
Exit BitOR(0x60000000, @error)
EndIf
; No verification, no restore path, and $hProcess is never closed.
MsgBox(0, "OK", "Done")
; Returns the payload as an AutoIt Binary: a hex-encoded blob of raw 32-bit machine
; code with no source in this listing. The thread describes it as checking the image
; name passed to the hooked call for "TASKMGR.EXE"; nothing here lets a reader confirm
; that short of disassembling the blob. Defensively, an opaque code blob handed to
; WriteProcessMemory is the artefact to submit for sandbox/static analysis rather than
; accept on description.
Func _GetShellX()
Local $bBinary = "0x558BEC53E8000000005B81EB89000000E84000000085C0752D578B3BFF73088F07FF730C8F47046A0B598D4508FF7488FCE2FAFFD7FF73108F07FF73148F47045F5B5DC22C0064A1180000006A058F403433C0EBEC8B450C85C0741650E82E0000008D431850FF750CE85200000085C075198B451085C0741250E8110000008D431850FF7510E835000000C3CCCCCCCC558BECFC568B750885F6741D66AD6685C074166683F8617CF36683F87A7FED6625DF00668946FEEBE35E5DC20400CCCC558BEC8B4D088B550C668B01663B02740D6685C0741B83C1028B550CEBEB83C20266830A00740583C102EBDD33C040EB0233C05DC20800CCCCCCCCCC"
Return Binary($bBinary)
EndFunc ;==>_GetShellX
挂钩winlogon进程中,跨权限创建进程的函数CreateProcessAsUserW,并判断文件路径中时是否TASKMGR.EXE字串。
恢复函数:
_RTWriteProcessMemory($hProcess, $pCreateProcessAsUserW, "0x8BFF558BEC83EC10", 8, "binary") 回复 2# pusofalse
请教p版,win7下屏蔽CTRL+ALT+DEL有什么好法子吗
找到办法之一:关闭Winlogon.exe的Desktop类型的句柄就能让热键失效,但是有时候会蓝屏,而且也不知道如何恢复,此法不好。
之二:挂起winlogon.exe的主线程,这样就屏蔽了 ALT+CTRL+DEL,但只要你按过 ALT+CTRL+DEL,恢复线程之后就会弹出Windows锁定界面,此法不完美;而且想发送一个Esc取消那个锁定界面,但又不知道如何取得那个锁定界面的句柄。
我想找一个比较完美的方法
另外发现win7和xp不同,win7的 ALT+CTRL+DEL由csrss注册。
如果要取消系统热键注册,UnregisterHotKey(HWND hWnd,int id)里的这个hWnd不知如何搞到手,用XueTr查看csrss并没有看到有窗口打开。 本帖最后由 rsdfjh 于 2012-2-19 02:18 编辑
回复 2# pusofalse
您给的代码没试过,在win7下应该能禁止创建TASKMGR.EXE吧
但是没有达到我想要的效果,我要的是真正屏蔽CTRL+ALT+DEL 回复 4# rsdfjh
2#代码只适用于32位系统。 P版就是牛,小弟只是从网上找的源码,想改改,我怎么没有看到过CreateProcessAsUserW函数呢
问题解决
慢慢消化P大的代码。 这个不错,非常棒,有的脚本给人按了 CTRL+ALT+DEL就完了,多谢共享。 2#代码太牛了,虽然顶楼帖子看不了。 远程线程、代码注入, 远程线程、代码注入, 高深 ...
... 高深 ...
高深 谢谢分享,学习学习