禁止 拦击 关机 重启 注销 事件
来源:互联网 发布:mac重装系统后无声音 编辑:程序博客网 时间:2024/05/21 17:48
新网站 http://www.softwareace.cn/?p=120前段时间 有个项目需要此功能,貌似国内没人放出完整的例子新建 DLL 动态库 工程名 InterceptShutdown本文出自 王牌软件,转载时请注明出处及相应链接。本文永久链接: http://www.softwareace.cn/?p=120//新建 InterceptShutdown.h#if !defined __INTERCEPTSHUTDOWN__H#define __INTERCEPTSHUTDOWN__H#define INJECT_EX_EXPORTS #ifdef INJECT_EX_EXPORTS#define HOOKDLL_API __declspec(dllexport)#else#define HOOKDLL_API __declspec(dllimport)#endif #include <mapidefs.h> typedefstruct _APIHOOK32_ENTRY{ LPCTSTR pszAPIName; //API名字 LPCTSTR pszCallerModuleName; //被调用的模块名 PROC pfnOriginApiAddress; //原始的函数地址 PROC pfnDummyFuncAddress; //新的函数地址 HMODULE hModCallerModule; //调用的模块句柄}APIHOOK32_ENTRY, *PAPIHOOK32_ENTRY; PROC lpAdder;APIHOOK32_ENTRY pe; HOOKDLL_APIintInstallHook();HOOKDLL_APIintUninstallHook(); #endif // !defined(INJECT_EX__H) //新建 InterceptShutdown.cpp #include "InterceptShutdown.h"#include <windows.h>#include <imagehlp.h>#include <tlhelp32.h>//odbc32.lib odbccp32.lib ImageHlp.lib#pragma comment(lib, "odbc32.lib")#pragma comment(lib, "odbccp32.lib")#pragma comment(lib, "ImageHlp.lib")//-------------------------------------------------------------// shared data // Notice: seen by both: the instance of "HookInjEx.dll" mapped// into "explorer.exe" as well as by the instance// of "HookInjEx.dll" mapped into our "HookInjEx.exe" #pragma data_seg("mydata") HHOOKglhHook=NULL;//安装的勾子句柄 //HINSTANCE glhInstance=NULL; //DLL实例句柄 #pragma data_seg() #pragma comment(linker,"/SECTION:mydata,RWS") //-------------------------------------------------------------// global variables (unshared!)//HINSTANCEglhInstance=NULL; //DLL实例句柄 LRESULTHookProc(int code, // hook code WPARAMwParam, // removal option LPARAMlParam // message ) { returnCallNextHookEx(glhHook,code,wParam,lParam);} BOOLWINAPI _SetApiHookUp(PAPIHOOK32_ENTRY phk){ PIMAGE_THUNK_DATA pThunk; ULONG size; //获取指向PE文件中的Import中IMAGE_DIRECTORY_DESCRIPTOR数组的指针 PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(phk->hModCallerModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT,&size); if(pImportDesc == NULL) returnFALSE; //查找记录,察看导入表中是否存指定的DLL for(;pImportDesc->Name;pImportDesc++) { LPSTRpszDllName = (LPSTR)((PBYTE)phk->hModCallerModule+pImportDesc->Name); if(lstrcmpiA(pszDllName,phk->pszCallerModuleName) == 0) break; } if(pImportDesc->Name ==NULL) returnFALSE; //寻找我们想要的函数 pThunk = (PIMAGE_THUNK_DATA) ((PBYTE)phk->hModCallerModule+pImportDesc->FirstThunk);//IAT // pThunk = (PIMAGE_THUNK_DATA) ((PBYTE)phk->hModCallerModule+pImportDesc->OriginalFirstThunk); for(;pThunk->u1.Function;pThunk++) { //ppfn记录了与IAT表项相应的函数的地址 PROC *ppfn= (PROC *)&pThunk->u1.Function; if(*ppfn == phk->pfnOriginApiAddress) { //如果地址相同,也就是找到了我们想要的函数,进行改写,将其指向我们所定义的函数 WriteProcessMemory(GetCurrentProcess(),ppfn,&(phk->pfnDummyFuncAddress),sizeof(phk->pfnDummyFuncAddress),NULL); returnTRUE; } } returnFALSE;} //***************************************************************************************/// SetWindowsAPIHook 挂接WindowsAPI函数 当phk->hModCallerModule == NULL //// 会在整个系统内挂接函数 //// 仿照SetWindowsHookEx 建立 ////***************************************************************************************//BOOLWINAPI SetWindowsAPIHook(PAPIHOOK32_ENTRY phk){ MEMORY_BASIC_INFORMATION mInfo; HMODULE hModHookDLL; HANDLE hSnapshot; BOOL bOk; MODULEENTRY32 me = {sizeof(MODULEENTRY32)}; if(phk->pszAPIName == NULL || phk->pszCallerModuleName == NULL || phk->pfnOriginApiAddress == NULL) returnFALSE; if(phk->hModCallerModule == NULL) { VirtualQuery(_SetApiHookUp,&mInfo,sizeof(mInfo)); hModHookDLL=(HMODULE)mInfo.AllocationBase; hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,0); bOk = Module32First(hSnapshot,&me); while(bOk) { if(me.hModule != hModHookDLL) { phk->hModCallerModule = me.hModule; _SetApiHookUp(phk); } bOk = Module32Next(hSnapshot,&me); } phk->hModCallerModule = NULL; returnTRUE; } else return_SetApiHookUp(phk); returnFALSE; } BOOLWINAPI UnhookWindowsAPIHooks(PAPIHOOK32_ENTRY lpHk){ PROC temp; temp = lpHk->pfnOriginApiAddress; lpHk->pfnOriginApiAddress = lpHk->pfnDummyFuncAddress; lpHk->pfnDummyFuncAddress = temp; returnSetWindowsAPIHook(lpHk);} BOOLWINAPI MyExitWindowsEx( UINTuFlags, // shutdown operation DWORDdwReserved // reserved ){ //MessageBox(NULL,"不能重起!!!","提示",MB_OKCANCEL); returnFALSE;} intInstallHook(){ glhHook = SetWindowsHookEx( WH_GETMESSAGE,(HOOKPROC)HookProc,glhInstance, 0); if( glhHook==NULL ) return0; return1;} intUninstallHook(){ if(!UnhookWindowsAPIHooks(&pe) || !UnhookWindowsHookEx(glhHook)) return0; return1;}//-------------------------------------------------------------// DllMain//BOOLAPIENTRY DllMain( HINSTANCEhModule, DWORD ul_reason_for_call, LPVOIDlpReserved ){ if(ul_reason_for_call == DLL_PROCESS_ATTACH) { glhInstance=hModule; // MessageBox(NULL,"不能重起!!!","提示",MB_OKCANCEL); // showup(); pe.pszAPIName ="ExitWindowsEx"; //API名字 pe.pszCallerModuleName="user32.dll"; //被调用的模块名 pe.pfnOriginApiAddress=(PROC)ExitWindowsEx;//原始的函数地址 pe.pfnDummyFuncAddress=(PROC)MyExitWindowsEx; //新的函数地址 pe.hModCallerModule =NULL; lpAdder=(PROC)ExitWindowsEx; SetWindowsAPIHook(&pe); } return(TRUE);} //新建 InterceptShutdown.def LIBRARY"InterceptShutdown"DESCRIPTION 'Intercept shutdown restart'EXPORTSInstallHookUninstallHook1
