禁止拦击关机重启注销事件

作者: admin 分类: C++ 发布时间: 2013-01-22 15:55 ė3,566 浏览数 6没有评论

前段时间有个项目需要此功能，貌似国内没人放出完整的例子
新建 DLL 动态库工程名 InterceptShutdown

//新建 InterceptShutdown.h
#if !defined __INTERCEPTSHUTDOWN__H
#define __INTERCEPTSHUTDOWN__H
#define INJECT_EX_EXPORTS

#ifdef INJECT_EX_EXPORTS
#define HOOKDLL_API __declspec(dllexport)
#else
#define HOOKDLL_API __declspec(dllimport)
#endif

#include &lt;mapidefs.h&gt;

typedef struct _APIHOOK32_ENTRY
{
	LPCTSTR     pszAPIName;			//API名字
	LPCTSTR     pszCallerModuleName;	//被调用的模块名
	PROC        pfnOriginApiAddress;	//原始的函数地址
	PROC        pfnDummyFuncAddress;	//新的函数地址
	HMODULE     hModCallerModule;		//调用的模块句柄
}APIHOOK32_ENTRY, *PAPIHOOK32_ENTRY;

PROC lpAdder;
APIHOOK32_ENTRY pe;

HOOKDLL_API int InstallHook();
HOOKDLL_API int UninstallHook();

#endif // !defined(INJECT_EX__H)

//新建 InterceptShutdown.h

#if !defined __INTERCEPTSHUTDOWN__H

#define __INTERCEPTSHUTDOWN__H

#define INJECT_EX_EXPORTS

#ifdef INJECT_EX_EXPORTS

#define HOOKDLL_API __declspec(dllexport)

#else

#define HOOKDLL_API __declspec(dllimport)

#endif

#include <mapidefs.h>

typedef struct _APIHOOK32_ENTRY

{

LPCTSTR pszAPIName; //API名字

LPCTSTR pszCallerModuleName; //被调用的模块名

PROC pfnOriginApiAddress; //原始的函数地址

PROC pfnDummyFuncAddress; //新的函数地址

HMODULE hModCallerModule; //调用的模块句柄

}APIHOOK32_ENTRY, *PAPIHOOK32_ENTRY;

PROC lpAdder;

APIHOOK32_ENTRY pe;

HOOKDLL_API int InstallHook();

HOOKDLL_API int UninstallHook();

#endif // !defined(INJECT_EX__H)

//新建 InterceptShutdown.cpp

#include &quot;InterceptShutdown.h&quot;
#include &lt;windows.h&gt;
#include &lt;imagehlp.h&gt;
#include &lt;tlhelp32.h&gt;
//odbc32.lib odbccp32.lib ImageHlp.lib
#pragma comment(lib, &quot;odbc32.lib&quot;)
#pragma comment(lib, &quot;odbccp32.lib&quot;)
#pragma comment(lib, &quot;ImageHlp.lib&quot;)
//-------------------------------------------------------------
// shared data 
// Notice:	seen by both: the instance of &quot;HookInjEx.dll&quot; mapped
//			into &quot;explorer.exe&quot; as well as by the instance
//			of &quot;HookInjEx.dll&quot; mapped into our &quot;HookInjEx.exe&quot;

#pragma data_seg(&quot;mydata&quot;)  
HHOOK glhHook=NULL;//安装的勾子句柄  
//HINSTANCE glhInstance=NULL; //DLL实例句柄  
#pragma data_seg() 

#pragma comment(linker,&quot;/SECTION:mydata,RWS&quot;)

//-------------------------------------------------------------
// global variables (unshared!)
//
HINSTANCE glhInstance=NULL; //DLL实例句柄 

LRESULT HookProc(int   code,  // hook code
				 WPARAM wParam,  // removal option
				 LPARAM lParam   // message
				 )     
{    
	return CallNextHookEx(glhHook,code,wParam,lParam);
}

BOOL WINAPI _SetApiHookUp(PAPIHOOK32_ENTRY phk)
{
	PIMAGE_THUNK_DATA	pThunk;
	ULONG			size;

	//获取指向PE文件中的Import中IMAGE_DIRECTORY_DESCRIPTOR数组的指针
	PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(phk-&gt;hModCallerModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT,&amp;size);

	if (pImportDesc == NULL)
		return FALSE;

	//查找记录,察看导入表中是否存指定的DLL
	for (;pImportDesc-&gt;Name;pImportDesc++)
	{
		LPSTR pszDllName = (LPSTR)((PBYTE)phk-&gt;hModCallerModule+pImportDesc-&gt;Name);
		if (lstrcmpiA(pszDllName,phk-&gt;pszCallerModuleName) == 0)
			break;
	}

	if (pImportDesc-&gt;Name ==NULL)
		return FALSE;

	//寻找我们想要的函数
	pThunk = (PIMAGE_THUNK_DATA) ((PBYTE)phk-&gt;hModCallerModule+pImportDesc-&gt;FirstThunk);//IAT
	//	pThunk = (PIMAGE_THUNK_DATA) ((PBYTE)phk-&gt;hModCallerModule+pImportDesc-&gt;OriginalFirstThunk);

	for (;pThunk-&gt;u1.Function;pThunk++)
	{
		//ppfn记录了与IAT表项相应的函数的地址
		PROC *ppfn= (PROC *)&amp;pThunk-&gt;u1.Function;
		if (*ppfn == phk-&gt;pfnOriginApiAddress)
		{
			//如果地址相同，也就是找到了我们想要的函数，进行改写，将其指向我们所定义的函数
			WriteProcessMemory(GetCurrentProcess(),ppfn,&amp;(phk-&gt;pfnDummyFuncAddress),sizeof(phk-&gt;pfnDummyFuncAddress),NULL);
			return TRUE;
		}
	}
	return FALSE;
}

//***************************************************************************************/
//        SetWindowsAPIHook    挂接WindowsAPI函数  当phk-&gt;hModCallerModule == NULL       //
//                                                 会在整个系统内挂接函数                //
//                             仿照SetWindowsHookEx 建立                                 //
//***************************************************************************************//
BOOL WINAPI SetWindowsAPIHook(PAPIHOOK32_ENTRY phk)
{
	MEMORY_BASIC_INFORMATION mInfo;
	HMODULE		hModHookDLL;
	HANDLE		hSnapshot;
	BOOL		bOk;
	MODULEENTRY32	me = {sizeof(MODULEENTRY32)};

	if (phk-&gt;pszAPIName == NULL || phk-&gt;pszCallerModuleName == NULL ||
		phk-&gt;pfnOriginApiAddress == NULL)
		return FALSE;

	if (phk-&gt;hModCallerModule == NULL)
	{
		VirtualQuery(_SetApiHookUp,&amp;mInfo,sizeof(mInfo));
		hModHookDLL=(HMODULE)mInfo.AllocationBase;

		hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,0);
		bOk = Module32First(hSnapshot,&amp;me);
		while (bOk)
		{
			if (me.hModule != hModHookDLL)
			{
				phk-&gt;hModCallerModule = me.hModule;
				_SetApiHookUp(phk);
			}
			bOk = Module32Next(hSnapshot,&amp;me);
		}

		phk-&gt;hModCallerModule = NULL;		
		return TRUE;
	}
	else
		return _SetApiHookUp(phk);	

	return FALSE;

}

BOOL WINAPI UnhookWindowsAPIHooks(PAPIHOOK32_ENTRY lpHk)
{
	PROC temp;
	temp = lpHk-&gt;pfnOriginApiAddress;
	lpHk-&gt;pfnOriginApiAddress = lpHk-&gt;pfnDummyFuncAddress;
	lpHk-&gt;pfnDummyFuncAddress = temp;
	return SetWindowsAPIHook(lpHk);
}

BOOL WINAPI  MyExitWindowsEx(
							 UINT uFlags,       // shutdown operation
							 DWORD dwReserved   // reserved
							 )
{
	//MessageBox(NULL,&quot;不能重起！！！&quot;,&quot;提示&quot;,MB_OKCANCEL);
	return FALSE;
}

int InstallHook()
{
	glhHook = SetWindowsHookEx( WH_GETMESSAGE,(HOOKPROC)HookProc,glhInstance, 0);
	if( glhHook==NULL )
		return 0;
	return 1;
}

int UninstallHook()
{
	if(!UnhookWindowsAPIHooks(&amp;pe) || !UnhookWindowsHookEx(glhHook))
		return 0;
	return 1;
}
//-------------------------------------------------------------
// DllMain
//
BOOL APIENTRY DllMain( HINSTANCE hModule, 
					  DWORD  ul_reason_for_call, 
					  LPVOID lpReserved
					  )
{
	if (ul_reason_for_call == DLL_PROCESS_ATTACH)
	{
		glhInstance=hModule;

		//		MessageBox(NULL,&quot;不能重起！！！&quot;,&quot;提示&quot;,MB_OKCANCEL);

		//	showup();	  
		pe.pszAPIName         =&quot;ExitWindowsEx&quot;;		//API名字
		pe.pszCallerModuleName=&quot;user32.dll&quot;;	//被调用的模块名
		pe.pfnOriginApiAddress=(PROC)ExitWindowsEx;	//原始的函数地址
		pe.pfnDummyFuncAddress=(PROC)MyExitWindowsEx;	//新的函数地址
		pe.hModCallerModule   =NULL;

		lpAdder=(PROC)ExitWindowsEx;
		SetWindowsAPIHook(&amp;pe);	

	}
	return(TRUE);
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

//新建 InterceptShutdown.cpp

#include "InterceptShutdown.h"

#include <windows.h>

#include <imagehlp.h>

#include <tlhelp32.h>

//odbc32.lib odbccp32.lib ImageHlp.lib

#pragma comment(lib, "odbc32.lib")

#pragma comment(lib, "odbccp32.lib")

#pragma comment(lib, "ImageHlp.lib")

//-------------------------------------------------------------

// shared data

// Notice: seen by both: the instance of "HookInjEx.dll" mapped

// into "explorer.exe" as well as by the instance

// of "HookInjEx.dll" mapped into our "HookInjEx.exe"

#pragma data_seg("mydata")

HHOOK glhHook=NULL;//安装的勾子句柄

//HINSTANCE glhInstance=NULL; //DLL实例句柄

#pragma data_seg()

#pragma comment(linker,"/SECTION:mydata,RWS")

//-------------------------------------------------------------

// global variables (unshared!)

HINSTANCE glhInstance=NULL; //DLL实例句柄

LRESULT HookProc(int code, // hook code

WPARAM wParam, // removal option

LPARAM lParam // message

)

{

return CallNextHookEx(glhHook,code,wParam,lParam);

}

BOOL WINAPI _SetApiHookUp(PAPIHOOK32_ENTRY phk)

{

PIMAGE_THUNK_DATA pThunk;

ULONG size;

//获取指向PE文件中的Import中IMAGE_DIRECTORY_DESCRIPTOR数组的指针

PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(phk->hModCallerModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT,&size);

if (pImportDesc == NULL)

return FALSE;

//查找记录,察看导入表中是否存指定的DLL

for (;pImportDesc->Name;pImportDesc++)

{

LPSTR pszDllName = (LPSTR)((PBYTE)phk->hModCallerModule+pImportDesc->Name);

if (lstrcmpiA(pszDllName,phk->pszCallerModuleName) == 0)

break;

}

if (pImportDesc->Name ==NULL)

return FALSE;

//寻找我们想要的函数

pThunk = (PIMAGE_THUNK_DATA) ((PBYTE)phk->hModCallerModule+pImportDesc->FirstThunk);//IAT

// pThunk = (PIMAGE_THUNK_DATA) ((PBYTE)phk->hModCallerModule+pImportDesc->OriginalFirstThunk);

for (;pThunk->u1.Function;pThunk++)

{

//ppfn记录了与IAT表项相应的函数的地址

PROC *ppfn= (PROC *)&pThunk->u1.Function;

if (*ppfn == phk->pfnOriginApiAddress)

{

//如果地址相同，也就是找到了我们想要的函数，进行改写，将其指向我们所定义的函数

WriteProcessMemory(GetCurrentProcess(),ppfn,&(phk->pfnDummyFuncAddress),sizeof(phk->pfnDummyFuncAddress),NULL);

return TRUE;

}

return FALSE;

}

//***************************************************************************************/

// SetWindowsAPIHook 挂接WindowsAPI函数当phk->hModCallerModule == NULL //

// 会在整个系统内挂接函数 //

// 仿照SetWindowsHookEx 建立 //

//***************************************************************************************//

BOOL WINAPI SetWindowsAPIHook(PAPIHOOK32_ENTRY phk)

{

MEMORY_BASIC_INFORMATION mInfo;

HMODULE hModHookDLL;

HANDLE hSnapshot;

BOOL bOk;

MODULEENTRY32 me = {sizeof(MODULEENTRY32)};

if (phk->pszAPIName == NULL || phk->pszCallerModuleName == NULL ||

phk->pfnOriginApiAddress == NULL)

return FALSE;

if (phk->hModCallerModule == NULL)

{

VirtualQuery(_SetApiHookUp,&mInfo,sizeof(mInfo));

hModHookDLL=(HMODULE)mInfo.AllocationBase;

hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,0);

bOk = Module32First(hSnapshot,&me);

while (bOk)

{

if (me.hModule != hModHookDLL)

{

phk->hModCallerModule = me.hModule;

_SetApiHookUp(phk);

}

bOk = Module32Next(hSnapshot,&me);

}

phk->hModCallerModule = NULL;

return TRUE;

}

else

return _SetApiHookUp(phk);

return FALSE;

}

BOOL WINAPI UnhookWindowsAPIHooks(PAPIHOOK32_ENTRY lpHk)

{

PROC temp;

temp = lpHk->pfnOriginApiAddress;

lpHk->pfnOriginApiAddress = lpHk->pfnDummyFuncAddress;

lpHk->pfnDummyFuncAddress = temp;

return SetWindowsAPIHook(lpHk);

}

BOOL WINAPI MyExitWindowsEx(

UINT uFlags, // shutdown operation

DWORD dwReserved // reserved

)

{

//MessageBox(NULL,"不能重起！！！","提示",MB_OKCANCEL);

return FALSE;

}

int InstallHook()

{

glhHook = SetWindowsHookEx( WH_GETMESSAGE,(HOOKPROC)HookProc,glhInstance, 0);

if( glhHook==NULL )

return 0;

return 1;

}

int UninstallHook()

{

if(!UnhookWindowsAPIHooks(&pe) || !UnhookWindowsHookEx(glhHook))

return 0;

return 1;

}

//-------------------------------------------------------------

// DllMain

BOOL APIENTRY DllMain( HINSTANCE hModule,

DWORD ul_reason_for_call,

LPVOID lpReserved

)

{

if (ul_reason_for_call == DLL_PROCESS_ATTACH)

{

glhInstance=hModule;

// MessageBox(NULL,"不能重起！！！","提示",MB_OKCANCEL);

// showup();

pe.pszAPIName ="ExitWindowsEx"; //API名字

pe.pszCallerModuleName="user32.dll"; //被调用的模块名

pe.pfnOriginApiAddress=(PROC)ExitWindowsEx; //原始的函数地址

pe.pfnDummyFuncAddress=(PROC)MyExitWindowsEx; //新的函数地址

pe.hModCallerModule =NULL;

lpAdder=(PROC)ExitWindowsEx;

SetWindowsAPIHook(&pe);

}

return(TRUE);

}

//新建 InterceptShutdown.def

LIBRARY	&quot;InterceptShutdown&quot;
DESCRIPTION  &#39;Intercept shutdown restart&#39;
EXPORTS
InstallHook
UninstallHook

//新建 InterceptShutdown.def

LIBRARY "InterceptShutdown"

DESCRIPTION 'Intercept shutdown restart'

EXPORTS

InstallHook

UninstallHook

只回答业务咨询

学习日记，兼职软件设计，软件修改，毕业设计。

本文出自学习日记，转载时请注明出处及相应链接。

本文永久链接: https://www.softwareace.cn/?p=120

« IP 代理

vs2012官方中、英文旗舰版附Key »

禁止拦击关机重启注销事件

发表评论取消回复

分类目录

业务咨询站长

禁止 拦击 关机 重启 注销 事件

发表评论 取消回复

分类目录

业务咨询站长

禁止拦击关机重启注销事件

发表评论取消回复