library cad_hook_dll;
uses
Windows, Messages;
var
  // Original window procedure of the SAS window, saved by the library's
  // initialization block so NewSASProc can chain to it via CallWindowProc.
  lpOldSASProc: pointer;
  // Handle of the SAS window located with FindWindow at load time; 0 if not found.
  hwSAS: DWORD;
{$R *.res}
// Replacement window procedure for the SAS window (installed by the
// initialization block below via SetWindowLong/GWL_WNDPROC). It inspects
// WM_HOTKEY and then always forwards the message to the original procedure.
//
// Parameters follow the WNDPROC contract but are all declared as 32-bit
// DWORDs, so this code assumes a 32-bit host process: hSAS is the window,
// uMsg the message, wParam/lParam the message arguments.
// Returns whatever the original SAS window procedure returns.
//
// Review notes:
//  - For WM_HOTKEY, lParam packs the modifier flags in the low word and the
//    virtual key in the high word, hence the MAKELONG comparisons below.
//  - MessageBox is called *before* CallWindowProc, so the original SAS
//    handling is delayed until the box is dismissed; the hotkey is still
//    forwarded, not suppressed.
//  - Defensive view: a changed GWL_WNDPROC on the SAS window inside
//    winlogon.exe is an integrity indicator, and the literal strings below
//    are a plain-text marker present in the loaded module.
function NewSASProc(hSAS, uMsg, wParam, lParam: DWORD): DWORD; stdcall;
begin
  if uMsg = WM_HOTKEY then
    // ALT+CTRL+DELETE key combination pressed
    if lParam = DWORD(MAKELONG(MOD_CONTROL or MOD_ALT, VK_DELETE)) then
      MessageBox(GetActiveWindow, 'Кто-то давит ALT+CTRL+DELETE', 'SAS-хук',
        MB_ICONINFORMATION + MB_DEFAULT_DESKTOP_ONLY)
    // CTRL+SHIFT+ESCAPE key combination pressed
    else if lParam = DWORD(MAKELONG(MOD_CONTROL or MOD_SHIFT, VK_ESCAPE)) then
      MessageBox(GetActiveWindow, 'Кто-то давит CTRL+SHIFT+ESCAPE', 'SAS-хук',
        MB_ICONINFORMATION + MB_DEFAULT_DESKTOP_ONLY);
  // Pascal binds `else` to the nearest `if`, so the else-branch above belongs
  // to the inner lParam test, which is the intended pairing.
  result := CallWindowProc(lpOldSASProc, hSAS, uMsg, wParam, lParam);
end;
// Library initialization block: in a Delphi DLL this runs when the module is
// loaded into the host process. It locates the SAS window, subclasses it with
// NewSASProc, and shows a message box.
//
// Review notes:
//  - SetWindowLong(GWL_WNDPROC) with DWORD(@NewSASProc) is valid only in a
//    32-bit process; the pointer-to-DWORD cast truncates on 64-bit.
//  - lpOldSASProc is never restored, so the subclass stays in place for the
//    lifetime of the host; unloading this DLL would leave the SAS window's
//    procedure pointing at unmapped code.
//  - The MessageBox at the end is shown whether or not FindWindow succeeded,
//    and it executes during module load (presumably under the loader lock,
//    given Delphi's initialization model), where UI calls are generally unsafe.
begin
  hwSAS := FindWindow('SAS Window class', 'SAS window');
  if hwSAS <> 0 then
    lpOldSASProc := pointer(SetWindowLong(hwSAS, GWL_WNDPROC, DWORD(@NewSASProc)));
  MessageBox(GetActiveWindow, 'Сообщение из Winlogon''а', 'Мы здесь!',
    MB_ICONINFORMATION + MB_DEFAULT_DESKTOP_ONLY);
end.
А это программа управления
program cad_hook;
uses
Windows;
type
  // Hand-declared mirror of the Win32 PROCESSENTRY32 (ANSI) structure consumed
  // by the Toolhelp32 imports declared below. Field order and sizes must match
  // what kernel32 writes; dwSize is set to SizeOf(TPROCESSENTRY32) before use.
  // NOTE(review): th32DefaultHeapID is declared as DWORD, which matches the
  // 32-bit layout only — consistent with the rest of this 32-bit code, but not
  // portable to 64-bit.
  TPROCESSENTRY32 = packed record
    dwSize,
    cntUsage,
    th32ProcessID,
    th32DefaultHeapID,
    th32ModuleID,
    cntThreads,
    th32ParentProcessID: DWORD;
    pcPriClassBase: Longint;
    dwFlags: DWORD;
    szExeFile: array[0..MAX_PATH - 1] of Char;  // image file name, NUL-terminated
  end;
const
  // Snapshot flag: include the process list (the only flag this program uses).
  TH32CS_SNAPPROCESS = $00000002;
// Toolhelp32 process-enumeration entry points imported directly from
// kernel32.dll rather than through the RTL's TlHelp32 unit. The record
// parameter is the local TPROCESSENTRY32 declared above (Pascal identifiers
// are case-insensitive, so the spelling difference is immaterial).
function CreateToolhelp32Snapshot(dwFlags, th32ProcessID: DWORD): dword stdcall; external 'kernel32.dll';
function Process32First(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL stdcall; external 'kernel32.dll';
function Process32Next(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL stdcall; external 'kernel32.dll';
var
  // Handle to winlogon.exe opened by the main block with PROCESS_ALL_ACCESS;
  // closed there after InjectDll returns.
  hWinlogon: DWORD;
{$R *.res}
// Returns the process id of the first running process whose image name
// equals pName (case-insensitive, via lstrcmpi), or 0 when no such process
// exists or the Toolhelp32 snapshot could not be created.
//
// pName: NUL-terminated image file name to look for (e.g. 'Winlogon.exe').
//
// NOTE(review): the name shadows the Win32 API GetProcessId() exported by
// kernel32 on XP SP1 and later; harmless here, but confusing to readers.
function GetProcessId(pName: PChar): dword;
var
  hSnap: dword;
  Entry: TPROCESSENTRY32;
  HaveEntry, Found: Boolean;
begin
  Result := 0;
  hSnap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if hSnap = INVALID_HANDLE_VALUE then
    Exit;
  // dwSize must be filled in before Process32First, or the call fails.
  Entry.dwSize := SizeOf(TPROCESSENTRY32);
  Found := False;
  HaveEntry := Process32First(hSnap, Entry);
  while HaveEntry and not Found do
  begin
    Found := lstrcmpi(Entry.szExeFile, pName) = 0;
    if Found then
      Result := Entry.th32ProcessID
    else
      HaveEntry := Process32Next(hSnap, Entry);
  end;
  // The snapshot handle is released on every path that created it.
  CloseHandle(hSnap);
end;
// Enables a single named privilege on the access token of Process.
//
// Process: a process handle. The caller passes INVALID_HANDLE_VALUE, which is
//   the same value as the GetCurrentProcess pseudo-handle, so the calling
//   process's own token is adjusted.
// lpPrivilegeName: privilege name as understood by LookupPrivilegeValue
//   (the caller passes 'SeDebugPrivilege').
// Returns True only when LookupPrivilegeValue succeeds and GetLastError is
//   ERROR_SUCCESS after AdjustTokenPrivileges; False otherwise.
//
// Review notes:
//  - OpenProcessToken's result is not checked; if it fails, hToken keeps
//    whatever the uninitialized local held and is still passed to
//    AdjustTokenPrivileges and CloseHandle.
//  - AdjustTokenPrivileges' return value is ignored; success is judged from
//    GetLastError alone. As documented for that API, a privilege the token
//    does not hold yields ERROR_NOT_ALL_ASSIGNED, which makes this return False.
//  - tkp is reused as the PreviousState output buffer, so the call overwrites
//    it; nothing reads it afterwards, so this is harmless here.
//  - Defensive view: enabling SeDebugPrivilege is a common precursor to
//    opening system processes; where token-right auditing is enabled, the
//    adjustment is logged (Security event 4703 on current Windows versions).
function EnablePrivilegeEx(Process: dword; lpPrivilegeName: PChar):Boolean;
var
  hToken: dword;
  NameValue: Int64;       // receives the privilege LUID
  tkp: TOKEN_PRIVILEGES;
  ReturnLength: dword;    // PreviousState length written by AdjustTokenPrivileges; unused
begin
  result := false;
  OpenProcessToken(Process, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken);
  if not LookupPrivilegeValue(nil, lpPrivilegeName, NameValue) then
  begin
    CloseHandle(hToken);
    exit;
  end;
  tkp.PrivilegeCount := 1;
  tkp.Privileges[0].Luid := NameValue;
  tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
  AdjustTokenPrivileges(hToken, false, tkp, SizeOf(TOKEN_PRIVILEGES), tkp, ReturnLength);
  // ERROR_SUCCESS here means every requested privilege was adjusted.
  if GetLastError <> ERROR_SUCCESS then
  begin
    CloseHandle(hToken);
    exit;
  end;
  result:=true;
  CloseHandle(hToken);
end;
// Loads the DLL named by ModulePath into the target Process by writing the
// packed Inject record (a small position-dependent 32-bit stub followed by
// the two function pointers and the path) into the target and starting a
// remote thread at its base. The stub calls LoadLibraryA(LibraryName) and
// then ExitThread(0); both addresses are resolved in *this* process with
// GetProcAddress on kernel32, so the code relies on kernel32 being mapped at
// the same base in the target.
//
// Process: handle with rights sufficient for VirtualAllocEx,
//   WriteProcessMemory and CreateRemoteThread (the caller opens it with
//   PROCESS_ALL_ACCESS).
// ModulePath: NUL-terminated path copied into LibraryName with lstrcpy
//   (unbounded copy into a MAX_PATH+1 character field).
// Returns True when the remote thread was created. Whether the library
//   actually loaded is not verified: the thread handle is closed immediately
//   without waiting on it.
//
// Review notes:
//  - $16, $1A and $1E are the byte offsets of AddrLoadLibrary, AddrExitThread
//    and LibraryName within the packed record; they hold only for this exact
//    field layout and 4-byte pointers.
//  - WriteProcessMemory's result and BytesWritten are never checked, and the
//    remote allocation is never released with VirtualFreeEx.
//  - Defensive view: VirtualAllocEx(PAGE_EXECUTE_READWRITE) +
//    WriteProcessMemory + CreateRemoteThread into a system process, with a
//    thread start address that lies outside any loaded module, is a
//    well-known injection pattern that thread-creation telemetry (ETW/EDR)
//    can flag.
function InjectDll(Process: dword; ModulePath: PChar): boolean;
var
  Memory: pointer;          // base of the remote allocation
  Code,                     // Memory as a 32-bit address; base for the offsets
  BytesWritten,
  ThreadId,
  hThread,
  hKernel32: DWORD;
  // Written verbatim to Memory; code first, then the data it references.
  Inject: packed record
    PushCommand: BYTE;
    PushArgument: DWORD;        // address of LibraryName (Code + $1E)
    CallCommand: WORD;
    CallAddr: DWORD;            // address of AddrLoadLibrary (Code + $16)
    PushExitThread: BYTE;
    ExitThreadArg: DWORD;       // ExitThread exit code (0)
    CallExitThread: WORD;
    CallExitThreadAddr: DWORD;  // address of AddrExitThread (Code + $1A)
    AddrLoadLibrary: pointer;
    AddrExitThread: pointer;
    LibraryName: array[0..MAX_PATH] of char;
  end;
begin
  result := false;
  Memory := VirtualAllocEx(Process, nil, sizeof(Inject), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  if Memory = nil then exit;
  Code := DWORD(Memory);
  Inject.PushCommand := $68;
  inject.PushArgument := code + $1E;
  inject.CallCommand := $15FF;
  inject.CallAddr := code + $16;
  inject.PushExitThread := $68;
  inject.ExitThreadArg := 0;
  inject.CallExitThread := $15FF;
  inject.CallExitThreadAddr := code + $1A;
  hKernel32 := GetModuleHandle('kernel32.dll');
  inject.AddrLoadLibrary := GetProcAddress(hKernel32, 'LoadLibraryA');
  inject.AddrExitThread := GetProcAddress(hKernel32, 'ExitThread');
  lstrcpy(@inject.LibraryName, ModulePath);
  // Result and BytesWritten are not checked (see review notes above).
  WriteProcessMemory(Process, Memory, @inject, sizeof(inject), BytesWritten);
  hThread := CreateRemoteThread(Process, nil, 0, Memory, nil, 0, ThreadId);
  if hThread = 0 then exit;
  CloseHandle(hThread);
  result := True;
end;
// Program entry: enables SeDebugPrivilege for this process, opens
// winlogon.exe with PROCESS_ALL_ACCESS, and injects cad_hook_dll.dll (the
// library above) into it, reporting each step with a message box.
//
// Review notes:
//  - GetProcessId('Winlogon.exe') compares image names case-insensitively and
//    returns 0 when no match exists; OpenProcess is then called with pid 0,
//    which fails and routes to the "cannot open" message.
//  - InjectDll's True only means the remote thread was created; a failed
//    LoadLibraryA inside the target is not detected, so the "success" box can
//    be shown even though nothing was loaded.
//  - Defensive view: SeDebugPrivilege + OpenProcess(PROCESS_ALL_ACCESS) on
//    winlogon.exe + remote thread creation is a high-signal chain for
//    detection; current Windows versions also add session isolation and
//    process-protection features that this 32-bit, XP-era code does not
//    account for.
begin
  if EnablePrivilegeEx(INVALID_HANDLE_VALUE, 'SeDebugPrivilege') then
  begin
    // With debugger privileges Winlogon can be opened with full access rights!
    hWinlogon := OpenProcess(PROCESS_ALL_ACCESS, false, GetProcessId('Winlogon.exe'));
    if hWinlogon <> 0 then
    begin
      if InjectDll(hWinlogon, 'cad_hook_dll.dll') then
        MessageBox(0, 'Внедрение в процесс Winlogon успешно проведено', 'Заебись!', MB_ICONINFORMATION)
      else
        MessageBox(0, 'Не возможно внедриться в Winlogon', 'Ошибка', MB_ICONERROR);
      CloseHandle(hWinlogon);
    end
    else
      MessageBox(0, 'Не возможно открыть процесс Winlogon на запись', 'Ошибка', MB_ICONERROR);
  end
  else
    MessageBox(0, 'Не возможно добавить привилегии отладчика', 'Ошибка', MB_ICONERROR);
end.