在Win2000中动态禁用/启用Ctrl-Alt-Del

//—————————————————————————
//作者 ：韦覃武,jiangsheng
//网上呢称：BCB_FANS(四大名捕之追杀令)（此为CSDN和www.driverdevelop.com之帐号）jiangsheng（此为CSDN帐号）
//E-Mail ：[email protected]
//日期 ：2002-10-20
//2002-11-5 jingsheng修改
//功能 ：在2000下屏蔽Ctrl + Alt + Del组合键。（在Windows 2000 Professional SP3
// 中文版平台下面测试通过）
//原理 ：采用远程线程注入技术，装载一个DLL到Winlogon进程，然后截获SAS窗口的窗
// 口过程，接管WM_HOTKEY消息，以达到屏蔽Ctrl + Alt + Del之目的。
//开发语言：Borland C++Builder 5.0 Patch2，Visual C++ 6.0 SP5
//技术比较：关于在2000下面如何屏蔽Ctrl + Alt + Del组合键，一种常被提到的解决方法就
// 是使用自己写的GINA去替换MSGINA.DLL，然后在WlxLoggedOnSAS里边直接返回
// WLX_SAS_ACTION_NONE。嘿嘿，说到底这并不是真正地屏蔽了这个组合键，只是
// 直接返回WLX_SAS_ACTION_NONE时，Winlogon进程又自动从”Winlogon”桌面切换
// 回原来的”Default”桌面了，而不是显示安全对话框，所以看起来被屏蔽了：），
// 使用那种方法明显地看到桌面在闪烁！但是使用本文的方法时，你不会看到任
// 何闪烁！
//鸣谢 ：www.driverdevelop.com上的icube和lu0。
//版权 ：转载请注明原作者：）
//—————————————————————————
#include “stdafx.h”
#include
#include
#include “Hook.h”
//add by jiangsheng 2002-11-5
#include “TaskKeyMgr.h”
#include “Wrappers.h”//复制自MSDN杂志Windows XP Escape from DLL Hell with Custom Debugging and Instrumentation Tools and Utilities的代码
extern BOOL Is_Terminal_Services () ;//复制自Platform SDK文档: Windows System Information /Verifying the System Version
//end add by jiangsheng 2002-11-5
//—————————————————————————
//错误代码格式化函数
//replaced by jiangsheng 2002-11-5
//from Q149409 HOWTO: Get Message Text from Networking Error Codes
CString __fastcall SysErrorMessage(DWORD dwLastError )
{
CString strRet(_T(“Unknown error”));
HMODULE hModule = NULL; // default to system source
LPSTR MessageBuffer;
DWORD dwBufferLength;
DWORD dwFormatFlags = FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_IGNORE_INSERTS |
FORMAT_MESSAGE_FROM_SYSTEM ;
//
// If dwLastError is in the network range,
// load the message source.
//
if(dwLastError >= NERR_BASE && dwLastError <= MAX_NERR) { hModule = LoadLibraryEx(TEXT("netmsg.dll"),NULL,LOAD_LIBRARY_AS_DATAFILE); if(hModule != NULL) dwFormatFlags |= FORMAT_MESSAGE_FROM_HMODULE; } // // Call FormatMessage() to allow for message // text to be acquired from the system // or from the supplied module handle. // if(dwBufferLength = FormatMessageA( dwFormatFlags, hModule, // module to get message from (NULL == system) dwLastError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // default language (LPSTR) &MessageBuffer, 0, NULL )) { // // Output message string on stderr. // strRet=CString(MessageBuffer,dwBufferLength); // // Free the buffer allocated by the system. // LocalFree(MessageBuffer); } // // If we loaded a message source, unload it. // if(hModule != NULL) FreeLibrary(hModule); return strRet; } //end replaced by jiangsheng 2002-11-5 //--------------------------------------------------------------------------- #ifdef UNICODE LPCSTR LoadLibraryFuncStr = "LoadLibraryW"; LPCSTR GetModuleHandleFuncStr = "GetModuleHandleW"; #else LPCSTR LoadLibraryFuncStr = "LoadLibraryA"; LPCSTR GetModuleHandleFuncStr = "GetModuleHandleA"; #endif LPCSTR FreeLibraryFuncStr = "FreeLibrary"; LPCSTR GetProcAddressFuncStr = "GetProcAddress"; LPCSTR GetLastErrorFuncStr = "GetLastError"; //--------------------------------------------------------------------------- //removed by jiangsheng 2002-11-5 //const char* const RemoteDllName = "RemoteDll.Dll"; //end removed by jiangsheng 2002-11-5 LPCTSTR szRemoteProcessName = "Winlogon.exe"; typedef HINSTANCE (WINAPI *PLOADLIBRARY)(LPCTSTR ); typedef BOOL (WINAPI *PFREELIBRARY)(HINSTANCE); typedef HMODULE (WINAPI* PGETMODULEHANDLE)(LPCTSTR ); typedef PVOID (WINAPI* PGETPROCADDRESS)(HINSTANCE,LPCSTR); typedef DWORD (WINAPI* PGETLASTERROR)(VOID); BOOL __fastcall EnablePrivilege(LPCTSTR lpszPrivilegeName,BOOL bEnable); DWORD __fastcall GetPIDFromName(LPCTSTR lpszProcName); //--------------------------------------------------------------------------- typedef struct { PLOADLIBRARY pfnLoadLibrary; PGETLASTERROR pfnGetLastError; TCHAR szDllName[1024]; DWORD dwReturnValue; } INJECTLIBINFO; typedef struct { PFREELIBRARY pfnFreeLibrary; PGETMODULEHANDLE pfnGetModuleHandle; PGETLASTERROR pfnGetLastError; DWORD dwReturnValue; TCHAR szDllName[1024]; } DEINJECTLIBINFO; //--------------------------------------------------------------------------- //远程线程，用来装载DLL static DWORD WINAPI ThreadFuncAttach(INJECTLIBINFO *pInfo) { HINSTANCE hDll=NULL; pInfo->dwReturnValue = 0;
hDll = (HINSTANCE)pInfo->pfnLoadLibrary(pInfo->szDllName);
if(hDll == NULL)
pInfo->dwReturnValue = pInfo->pfnGetLastError();
return((DWORD)hDll);
}
//—————————————————————————
//占位函数，用来计算ThreadFuncAttach的大小
static void AfterThreadFuncAttach(void)
{
}
//—————————————————————————
//远程线程，用来卸载DLL
static DWORD WINAPI ThreadFuncDetach(DEINJECTLIBINFO *pInfo)
{
HINSTANCE hDll = NULL;
BOOL bResult=FALSE;
BOOL bHasFoundModule = FALSE;
pInfo->dwReturnValue = 0;//意味成功，如果这个值不是0，则是一个错误代码。
while((hDll = pInfo->pfnGetModuleHandle(pInfo->szDllName)) != NULL)
{
bHasFoundModule = TRUE;
bResult = pInfo->pfnFreeLibrary(hDll);
if(bResult == FALSE)
{
pInfo->dwReturnValue = pInfo->pfnGetLastError();
break;
}
}
if(pInfo->dwReturnValue == 0 && !bHasFoundModule)
{
pInfo->dwReturnValue = pInfo->pfnGetLastError();
}
return 1;
}
//—————————————————————————
//占位函数，用来计算ThreadFuncDetach的大小
static void AfterThreadFuncDetach(void)
{
}
//—————————————————————————
//修改本进程的权限
BOOL __fastcall EnablePrivilege(LPCTSTR lpszPrivilegeName,BOOL bEnable)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY | TOKEN_READ,&hToken))
return FALSE;
if(!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid))
return TRUE;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = (bEnable) ? SE_PRIVILEGE_ENABLED : 0;
AdjustTokenPrivileges(hToken,FALSE,&tp,NULL,NULL,NULL);
CloseHandle(hToken);
return (GetLastError() == ERROR_SUCCESS);
}