Ring3下无驱动移除winlogon.exe进程ctrl+alt+del,win+u,win+l三个系统热键,非屏蔽热键（子类化SAS 窗口）

随手而作，纯粹技术研究，没什么实际意义。

打开xuetr,正常情况下.winlogon.exe注册了三个热键。
ctrl+alt+del,win+u,win+l三个。

这三个键用SetWindowsHookEx()函数，使用键盘钩子也屏蔽不了。

我们先把UnregisterSystemHotKey.dll解压出来，放到任意目录.

比如E盘根目录,就运行

rundll32 E:UnregisterSystemHotKey.dll,Hook

再打开xuetr看下,Winlogo.exe进程注册的热键都没有了.

#include <windows.h>
#include <process.h>
#include <tchar.h>
#include <stdio.h>
#include <shlwapi.h>
#include <psapi.h>

#pragma comment(lib, "psapi.lib")
#pragma comment(lib, "shlwapi.lib")

TCHAR ModuleFile[MAX_PATH];
TCHAR szText[128] = {0};
WNDPROC OldWindowProc;
HWND hWinLogon;
HMODULE hDll;


LRESULT CALLBACK NewWindowProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    if (message == WM_NULL)
    {
        ::UnregisterHotKey(hWnd, 0); //Ctrl+Alt+delete
        ::UnregisterHotKey(hWnd, 4); //Ctrl+Shift+Esc
        ::UnregisterHotKey(hWnd, 5); //Win+L
        ::UnregisterHotKey(hWnd, 6); //Win+U
        ::SetWindowLongPtr(hWnd, GWL_WNDPROC, (LONG)OldWindowProc);
        return 1;
    }

    return CallWindowProc(OldWindowProc, hWnd, message, wParam, lParam);
}

BOOL WINAPI EnablePrivileges()
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tkp;

    if (!OpenProcessToken(GetCurrentProcess(),
        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return( FALSE );

    LookupPrivilegeValue(NULL, SE_DEBUG_NAME,
        &tkp.Privileges[0].Luid);

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
        (PTOKEN_PRIVILEGES)NULL, 0);

    if (GetLastError() != ERROR_SUCCESS)
        return FALSE;

    return TRUE;
}

BOOL CALLBACK lpEnumWindowsProc(HWND hwnd, LPARAM lParam)
{
    if (IsWindow(hwnd))
    {
        ::GetWindowText(hwnd, szText, _countof(szText));

        if (!_tcscmp(szText, TEXT("SAS window")))
        {
            hWinLogon = hwnd;
            OldWindowProc = (WNDPROC)::SetWindowLongPtr(hwnd, GWL_WNDPROC, (LONG)NewWindowProc);
            PostMessage(hwnd, WM_NULL, 0, 0);
            return FALSE;
        }
    }

    return TRUE;
}

UINT _stdcall FreeSelfProc(void *Arg)
{
    FreeLibraryAndExitThread(hDll, 0);
    return 1;
}

BOOL WINAPI DllMain(HINSTANCE hDllHandle, DWORD nReason, LPVOID Reserved)
{
    switch ( nReason )
    {
    case DLL_PROCESS_ATTACH:
        hDll = hDllHandle;
        GetModuleFileName(NULL, ModuleFile, _countof(ModuleFile));
        EnablePrivileges();

        if (StrStrI(ModuleFile, TEXT("winlogon.exe")))
        {
            HANDLE hThread;
            UINT ThreadId;

            HDESK hWinLogon = OpenDesktop(TEXT("Winlogon"), 0, FALSE, GENERIC_ALL);
            ::EnumDesktopWindows(hWinLogon, lpEnumWindowsProc, NULL);
            CloseDesktop(hWinLogon);

            hThread = (HANDLE)_beginthreadex(NULL, NULL, &FreeSelfProc, 0, 0, &ThreadId);
            WaitForSingleObject(hThread, INFINITE);
            CloseHandle(hThread);
        }
        else
        {
            DWORD dwProcessId = 0;
            HANDLE hProcess = 0;
            DWORD ProcessList[512], cbNeeded, cProcess;
            TCHAR szFileName[256];

            EnumProcesses(ProcessList, sizeof(ProcessList), &cbNeeded);
            cProcess = cbNeeded/sizeof(DWORD);

            for (UINT i=0; i<cProcess; i++)
            {
                if (ProcessList[i] != 0)
                {
                    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessList[i]);
                    if (hProcess)
                    {
                        GetModuleBaseName(hProcess, NULL, szFileName, _countof(szFileName));
                        if (!_tcsicmp(szFileName, TEXT("winlogon.exe")))
                        {
                            dwProcessId = ProcessList[i];
                            break;
                        }
                    }
                }
            }

            if (dwProcessId)
            {
                hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
            }

            if (!hProcess)
            {
                return 0;
            }

            LPVOID Param = VirtualAllocEx(hProcess, 0, 512, MEM_COMMIT, PAGE_READWRITE);
            if (!Param)
            {
                MessageBox(NULL, TEXT("申请内存失败"), TEXT("申请内存失败"), MB_ICONWARNING);
                return 0;
            }

            GetModuleFileName(hDllHandle, ModuleFile, _countof(ModuleFile));

            if (!WriteProcessMemory(hProcess, Param, (LPVOID)ModuleFile, 256, NULL))
            {
                MessageBox(NULL, TEXT("写入内存失败"), TEXT("写入内存失败"), MB_ICONWARNING);
                return 0;
            }

            HANDLE hThread = CreateRemoteThread(hProcess,
                    NULL,
                    NULL,
                    (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "LoadLibraryW"),
                    Param,
                    NULL,
                    NULL);
            if (hThread)
            {
                WaitForSingleObject(hThread, INFINITE);
            }
            else
            {
                TCHAR sztmp[1024];
                _stprintf_s(sztmp, _countof(sztmp), TEXT("创建远程线程失败, 错误代码:%d, dll=%s"), GetLastError(), ModuleFile);
                MessageBox(NULL, sztmp, TEXT("创建远程线程失败"), MB_ICONWARNING);
                return 0;
            }

            VirtualFreeEx(hProcess, Param , 0, MEM_RELEASE);
            CloseHandle(hThread);
            CloseHandle(hProcess);
        }
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        ::SetWindowLongPtr(hWinLogon, GWL_WNDPROC, (LONG)OldWindowProc);
        break;
    default:
        break;
    }

    return 1;
}

EXTERN_C __declspec(dllexport) int Hook(void)
{
    return 1;
}

http://blog.csdn.net/zwfgdlc/article/details/6609591

我仔细看了看，突然想到。这不是传说很久的SAS子类化吗？居然忘记了
http://topic.csdn.net/u/20090402/11/d3e27441-cfcc-45d8-a0b2-1164fc3dd777.html