在Win2000中动态禁用/启用Ctrl-Alt-Del


//—————————————————————————
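// Look up a process ID by executable name (uses the Toolhelp functions; PSAPI
// would also work).
//
// lpszProcName: text to look for in each process's image name. The comparison
//               is a case-insensitive substring match.
// Returns the ID of the first matching process, or (DWORD)-1 when nothing
// matches, the name is NULL/empty, or enumeration fails.
//
// On Terminal Services only processes in the caller's own session are
// considered; otherwise the first match in snapshot order wins.
//
// NOTE(review): an image name is not an identity. Any process whose name merely
// contains the requested text matches, so callers that go on to open the
// returned PID should verify the target by other means (full image path,
// session, owner) before acting on it.
DWORD __fastcall GetPIDFromName(LPCTSTR lpszProcName)
{
    DWORD dwProcessID = (DWORD)-1;

    // Lower-case the requested name once instead of once per enumerated process.
    CString strRemoteProc(lpszProcName);
    strRemoteProc.MakeLower();

    // An empty pattern is a substring of every name and would select whatever
    // process happens to be enumerated first; treat it as "not found".
    if (strRemoteProc.IsEmpty())
    {
        return dwProcessID;
    }

    // added by jiangsheng 2002-11-8
    if (Is_Terminal_Services())
    {
        // Adapted from the MSDN Magazine article "Windows XP: Escape from DLL
        // Hell with Custom Debugging and Instrumentation Tools and Utilities".
        CWTSWrapper WTS;
        if (WTS.IsValid())
        {
            LPTSTR pSessionInfo = NULL;
            DWORD dwBytes = 0;

            // Get the current session ID.
            if (WTS.WTSQuerySessionInformation(WTS_CURRENT_SERVER_HANDLE, WTS_CURRENT_SESSION,
                                               WTSSessionId, (LPTSTR*)&pSessionInfo, &dwBytes))
            {
                // Only read the session ID if a buffer of at least that size came back.
                if (pSessionInfo != NULL && dwBytes >= sizeof(DWORD))
                {
                    DWORD dwCurSessionID = *((DWORD*)pSessionInfo);

                    // Enumerate processes.
                    PWTS_PROCESS_INFO pProcessInfo = NULL;
                    DWORD ProcessCount = 0;
                    if (WTS.WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1,
                                                  &pProcessInfo, &ProcessCount))
                    {
                        for (DWORD CurrentProcess = 0; CurrentProcess < ProcessCount; CurrentProcess++)
                        {
                            CString strCurExePath(pProcessInfo[CurrentProcess].pProcessName);
                            strCurExePath.MakeLower();

                            BOOL bFound = (strCurExePath.Find(strRemoteProc) != -1);
                            if (bFound && dwCurSessionID == pProcessInfo[CurrentProcess].SessionId)
                            {
                                dwProcessID = pProcessInfo[CurrentProcess].ProcessId;
                                break;
                            }
                        }

                        // The process array is allocated by the enumeration call and
                        // was never released in the original listing.
                        if (pProcessInfo != NULL)
                        {
                            WTS.WTSFreeMemory(pProcessInfo);
                        }
                    }
                }

                if (pSessionInfo != NULL)
                {
                    WTS.WTSFreeMemory(pSessionInfo);
                }
            }
        }
    }
    else
    {
        // end added by jiangsheng 2002-11-8
        HANDLE hSnapshot = CreateToolhelp32Snapshot((DWORD)TH32CS_SNAPPROCESS, 0);

        // A failed snapshot returns INVALID_HANDLE_VALUE; do not walk or close it.
        if (hSnapshot == INVALID_HANDLE_VALUE)
        {
            return dwProcessID;
        }

        PROCESSENTRY32 ProcStruct;
        ProcStruct.dwSize = sizeof(PROCESSENTRY32);

        for (BOOL bResult = Process32First(hSnapshot, &ProcStruct);
             bResult;
             bResult = Process32Next(hSnapshot, &ProcStruct))
        {
            CString strCurExePath(ProcStruct.szExeFile);
            strCurExePath.MakeLower();

            if (strCurExePath.Find(strRemoteProc) != -1)
            {
                dwProcessID = ProcStruct.th32ProcessID;
                break;
            }
        }

        CloseHandle(hSnapshot);
    }

    return dwProcessID;
}

//---------------------------------------------------------------------------
// Inject code
//---------------------------------------------------------------------------
// InjectFunc
//
// NOTE(review): this listing is cut off on the page (see the end of the
// function); its code is reproduced as published, with line breaks restored
// and comments translated. Nothing below has been changed or completed.
//
// NOTE(review): the visible steps are: enable SeDebugPrivilege, open the
// target with PROCESS_ALL_ACCESS, VirtualAllocEx + WriteProcessMemory for a
// parameter block and for a copy of ThreadFuncAttach, then CreateRemoteThread.
// This is the remote-thread injection pattern. Defenders can observe it through
// process-access and remote-thread-creation telemetry (for example Sysmon
// Event ID 10 ProcessAccess and Event ID 8 CreateRemoteThread) and limit it by
// restricting which accounts hold the "Debug programs" user right.
void __fastcall InjectFunc()
{
    HANDLE hRemoteProcess=NULL;
    DWORD dwRemoteProcess=NULL;
    DWORD dwThreadSize=0;
    INJECTLIBINFO InjectLibInfo;
    PVOID pRemoteThread=NULL;
    PVOID pRemoteParam=NULL;
    DWORD dwWriten=0;
    DWORD dwRet=0;

    // Raise this process's privileges, then open the target process.
    // The current user must hold the debug privilege.
    EnablePrivilege(SE_DEBUG_NAME,true);
    dwRemoteProcess = GetPIDFromName(szRemoteProcessName);
    if(dwRemoteProcess == (DWORD)-1)
    {
        MessageBox(NULL,_T("Failed to Query Process ID."),NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,false,dwRemoteProcess);
    if(hRemoteProcess == NULL)
    {
        MessageBox(NULL,_T("Failed to Open Process. Err = ") + SysErrorMessage(GetLastError()),
            NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }

    // NOTE(review): none of the early returns below closes hRemoteProcess.

    // Initialise the parameter block.
    ZeroMemory(&InjectLibInfo,sizeof(INJECTLIBINFO ));
    InjectLibInfo.pfnLoadLibrary = (PLOADLIBRARY)GetProcAddress(GetModuleHandle("Kernel32.dll"),LoadLibraryFuncStr);
    InjectLibInfo.pfnGetLastError = (PGETLASTERROR)GetProcAddress(GetModuleHandle("Kernel32.dll"),GetLastErrorFuncStr);
    lstrcpyn(InjectLibInfo.szDllName,CTaskKeyMgr::strRemoteDllName,CTaskKeyMgr::strRemoteDllName.GetLength()+1);

    // Allocate memory in the remote process to hold the parameters.
    pRemoteParam = VirtualAllocEx(hRemoteProcess,NULL,sizeof(INJECTLIBINFO),MEM_COMMIT,PAGE_READWRITE);
    if(pRemoteParam == NULL)
    {
        MessageBox(NULL,_T("Failed to Allocate Memory at Remote Process for Param.Err = ") + SysErrorMessage(GetLastError()),
            NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    dwRet = WriteProcessMemory(hRemoteProcess,pRemoteParam,(LPVOID)&InjectLibInfo,sizeof(INJECTLIBINFO),&dwWriten);
    if(dwRet == 0)
    {
        MessageBox(NULL,_T("Failed to Write Param to Remote Process.Err = ") + SysErrorMessage(GetLastError()),
            NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }

    // Copy the thread body.
    dwThreadSize = (int)AfterThreadFuncAttach - (int)ThreadFuncAttach + 1024 + sizeof(INJECTLIBINFO);
    pRemoteThread = VirtualAllocEx(hRemoteProcess,NULL,dwThreadSize,MEM_COMMIT,PAGE_READWRITE);
    if(pRemoteThread == NULL)
    {
        MessageBox(NULL,_T("Failed to Allocate Memory at Remote Process for Thread Code.Err = ") + SysErrorMessage(GetLastError()),
            NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    dwRet = WriteProcessMemory(hRemoteProcess,pRemoteThread,(LPVOID)ThreadFuncAttach,dwThreadSize,&dwWriten);
    if(dwRet == 0)
    {
        MessageBox(NULL,_T("Failed to Write Thread Code to Remote Process.Err = ") + SysErrorMessage(GetLastError()),
            NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }

    // Start the remote thread.
    HANDLE hRemoteThread;
    hRemoteThread = CreateRemoteThread(hRemoteProcess,0,0,(DWORD(__stdcall *)(VOID*))pRemoteThread,(INJECTLIBINFO*)pRemoteParam,0,&dwWriten);
    // NOTE(review): the wait is issued before hRemoteThread is checked for NULL.
    ::WaitForSingleObject(hRemoteThread,INFINITE);
    if(hRemoteThread == NULL)
    {
        MessageBox(NULL,_T("Failed to create unload thread.Err=") + SysErrorMessage(GetLastError()),NULL,MB_OK |MB_APPLMODAL | MB_ICONWARNING);
    }
    else
    {
        ;
    }
    // NOTE(review): the listing ends here on the page; the remainder of
    // InjectFunc, including its closing brace, is not shown.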
