//调用下面两个函数就可以了
procedure RunFuckCAD; //屏蔽Ctrl+Alt+Del
procedure StopFuckCAD; //取消屏蔽Ctrl+Alt+Del
点击下载源文件
主要代码为:
// Review summary of this unit:
//   RunFuckCAD writes the byte array MyKernelBuf to a file under the system
//   directory (CreateKernelFile), then InjectKernelModule enables
//   SeDebugPrivilege on its own token, opens winlogon.exe with
//   PROCESS_ALL_ACCESS and loads that file into it with a remote thread whose
//   start address is kernel32!LoadLibraryA. StopFuckCAD reverses the sequence
//   with a remote FreeLibrary thread and deletes the file.
//   What the loaded DLL actually does is not part of this unit (its contents
//   are omitted below), so "blocking Ctrl+Alt+Del" is a claim of the author,
//   not something visible here.
//   From a defensive standpoint every step is observable: a new file in the
//   system directory, SeDebugPrivilege being enabled, and the cross-process
//   VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence aimed at
//   winlogon.exe. None of the privilege, OpenProcess, write or thread-creation
//   results are checked, so any refusal by the OS simply makes the call chain a
//   silent no-op.
unit Fuck_CAD_Unit;

interface

uses Windows, TLHelp32,SysUtils;

const
  MyKernel='SnowmanLockScreenHook.Dll'; // name the embedded DLL is written under; adjustable
  Winlogon='winlogon.exe';
  MyKernelSize=9216;
  MyKernelBuf:Array [0..9215] of Byte = (
    // ... array contents omitted here (too long), see the source file
  );

procedure RunFuckCAD;
procedure StopFuckCAD;

implementation

// Enable SeDebugPrivilege on the current process token.
// The results of LookupPrivilegeValue and AdjustTokenPrivileges are ignored
// and hToken is never closed (handle leak).
procedure GetDebugPrivs;
var
  hToken: THandle;
  tkp: TTokenPrivileges;
  retval: dword;
begin
  If (OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken)) then
  begin
    LookupPrivilegeValue(nil, 'SeDebugPrivilege' , tkp.Privileges[0].Luid);
    tkp.PrivilegeCount := 1;
    tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hToken, False, tkp, 0, nil, retval);
  end;
end;

// Return the PID of the process whose image name equals ExeName
// (case-insensitive); the first match wins if several processes share the
// name. Returns 0 when nothing matches.
function NameToPID(ExeName:pchar):longword;
var
  hSnap:longword;
  ProcessEntry: TProcessEntry32;
  c:boolean;
begin
  result:=0;
  hSnap:= CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
  ProcessEntry.dwSize:= Sizeof(TProcessEntry32);
  c:= Process32First(hSnap,ProcessEntry);
  While c do
  begin
    if LstrcmpiA(ExeName,ProcessEntry.szExeFile)= 0 then
    begin
      result:=ProcessEntry.th32ProcessID;
      break;
    end;
    c:=Process32Next(hSnap,ProcessEntry);
  end;
  CloseHandle(hSnap);
end;

// System directory without a trailing separator.
// The 255-byte buffer comes from GetMem and no caller frees it.
function GetSysPath:pchar;
var
  a:pchar;
begin
  GetMem(a,255);
  GetSystemDirectory(a,255);
  Result:=a;
end;

// Delete the dropped DLL from the system directory.
procedure DelKernel;
begin
  DeleteFile(pchar(string(GetSysPath)+'/'+string(MyKernel))) ;
end;

// Write MyKernelBuf to SaveFile, overwriting any existing file (CREATE_ALWAYS).
// Returns True only if CreateFile and WriteFile both succeeded.
function CreateKernelFile(SaveFile:String):Boolean;
var
  hFile:THandle;
  BytesWrite: dword;
begin
  Result:=False;
  hFile := CreateFile(Pchar(SaveFile),GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ,nil,CREATE_ALWAYS,0,0);
  if hFile = INVALID_HANDLE_VALUE then Exit;
  if WriteFile(hFile,MyKernelBuf,MyKernelSize, BytesWrite, nil) then Result:=True;
  CloseHandle(hFile);
end;

Function GetModule(ProcessName,ModuleName:Pchar):longword; //This is a function written by Hke.
// Check whether the process named ProcessName has ModuleName loaded:
// returns the module's base handle, or 0 if it is not found. Walks a
// TH32CS_SNAPMODULE snapshot; the snapshot handle is closed on every path.
var
  PID:longword;
  hModuleSnap:longword;
  ModuleEntry: TModuleEntry32;
begin
  Pid:=NameToPID(ProcessName);
  GetDebugPrivs;
  hModuleSnap:=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,Pid);
  ModuleEntry.dwSize:=SizeOf(TModuleEntry32);
  result:=0;
  if Module32First(hModuleSnap,ModuleEntry) then
    if (LstrcmpiA(ModuleEntry.szModule,ModuleName)=0) then
      Result:=ModuleEntry.hModule
    else
    begin
      while Module32Next(hModuleSnap,ModuleEntry) do
      begin
        if LstrcmpiA(ModuleEntry.szModule,ModuleName)=0 then
        begin
          Result:=ModuleEntry.hModule;
          break;
        end;
      end;
    end;
  CloseHandle(hModuleSnap);
end;

procedure InjectKernelModule(ProcessName ,DllName: Pchar); //This is a function written by Hke.
// Load DllName into the target process through a remote thread that starts
// at kernel32!LoadLibraryA. The DLL path string is copied into memory
// allocated inside the target with VirtualAllocEx. Note that the copied
// length is taken from the constant MyKernel, not from DllName; within this
// unit both are always the same string. No return value is checked.
var
  tmp:longword; // receives output parameters that are never read
  Mysize:longword; // length of the DLL name string, including the terminator
  Parameter:pointer; // pointer to the name string inside the target process
  hThread:longword;
  MyHandle,PID:longword;
  Tkernel:pchar; // only used to take a pointer to DllName
begin
  if GetModule(ProcessName , DllName)=0 then // skip if the DLL is already loaded there
  begin
    Tkernel:= DllName;
    Pid:=NameToPID(ProcessName);
    GetDebugPrivs;
    Myhandle:=OpenProcess(PROCESS_ALL_ACCESS, False, Pid);
    Mysize:=strlen(MyKernel)+1;
    Parameter:= VirtualAllocEx(Myhandle, nil, Mysize, MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(Myhandle, Parameter, Pointer(Tkernel), MySize, tmp);
    hThread:= CreateRemoteThread(Myhandle,nil, 0, GetProcAddress(GetModuleHandle('KERNEL32.DLL'), 'LoadLibraryA'), Parameter, 0 , tmp);
    if hThread <> 0 then
    begin
      WaitForSingleObject(hThread, INFINITE); // wait for the remote thread to finish
      CloseHandle(hThread);
    end;
    VirtualFreeEx(MyHandle, Parameter, 0, MEM_RELEASE); // release the remote buffer once used
    CloseHandle(MyHandle);
  end;
end;

procedure UnInjectKernelModule(ProcessName ,DllName: Pchar); //This is a function written by Hke.
// Unload DllName from the target process by starting a remote thread at
// kernel32!FreeLibrary with the module handle found by GetModule. Unlike
// InjectKernelModule, the thread handle is not tested before it is waited on.
var
  tmp:longword; // receives output parameters that are never read
  hThread:longword;
  MyHandle,PID:longword;
  ModuleEntry:longword;
begin
  Pid:=NameToPID(ProcessName);
  GetDebugPrivs;
  Myhandle:=OpenProcess(PROCESS_ALL_ACCESS, False, Pid);
  ModuleEntry:=GetModule(ProcessName ,DllName);
  if ModuleEntry<>0 then // nothing to unload if the DLL is not loaded
  begin
    hThread:= CreateRemoteThread(Myhandle,nil, 0, GetProcAddress(GetModuleHandle('KERNEL32.DLL'), 'FreeLibrary'), pointer(ModuleEntry), 0 , tmp);
    WaitForSingleObject(hThread, INFINITE); // wait for the remote thread to finish
    CloseHandle(hThread);
  end;
  CloseHandle(MyHandle);
end;

// Exported entry point: drop the DLL and load it into winlogon.exe.
// The return value of CreateKernelFile is ignored, so the injection is
// attempted even if the file was never written.
procedure RunFuckCAD;
begin
  CreateKernelFile(string(GetSysPath)+'/'+string(MyKernel)); // write the DLL into the system directory
  InjectKernelModule(Winlogon ,MyKernel); // load the dropped DLL into the Winlogon process
end;

// Exported entry point: unload the DLL from winlogon.exe and remove the file.
procedure StopFuckCAD;
begin
  UnInjectKernelModule(Winlogon ,MyKernel); // unload the DLL from Winlogon
  DelKernel; // delete the DLL from the system directory
end;

end.