Blocking CTRL+ALT+DEL and simple DLL injecting

125 · Post by **125** » Fri May 25, 2007 6:52 pm

Hello,
i had a work-free morning and were a bit bored. So I started coding this code, because blocking CTRL+ALT+DEL is asked often.
It is a combination of DLL injecting Functions and a source of a DLL to inject in winlogon.exe to disable CTRL+ALT+DEL.

I only tested on XP, If someone could test it on Vista....

The code was inspired by http://www.codeproject.com/win32/Antoni ... print=true

I ported some passages of it in this code.

Sorry for my bad English.

Functions
Inject(PID,DLLPath.s) -> Inject DLL, Important: Full path!
Eject(PID,hLibModule) -> Eject DLL, hLibModule is returned by Inject
GetPIDFromName(Name.s) -> Get PID of an EXE
DebugPrevileg(Bool) -> #True = Debug Previleg on, is needed for injecting in SYSTEM apps. This function is used by Inject and Eject automatically

The functions:

Code: Select all

EnableExplicit  

Procedure GetPIDFromName(Name.s) 
Define hSnapshot.l, ProcessInfo.PROCESSENTRY32, Retval.l, PID.l 
  
  hSnapshot = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, 0) 
  ProcessInfo\dwSize = SizeOf(ProcessInfo) 
  Retval = Process32First_(hSnapshot,@ProcessInfo) 
  
  While Retval 
    If PeekS(@ProcessInfo\szExeFile) = Name 
      PID=PeekL(@ProcessInfo\th32ProcessID) 
      Break 
    Else 
      Retval = Process32Next_(hSnapshot,@ProcessInfo) 
    EndIf 
  Wend 
  
ProcedureReturn PID 
EndProcedure 

Procedure DebugPrevileg(Flag) 
Define tk.TOKEN_PRIVILEGES, hToken.l 

OpenProcessToken_(GetCurrentProcess_(),#TOKEN_ADJUST_PRIVILEGES | #TOKEN_QUERY | #TOKEN_READ, @hToken) 

LookupPrivilegeValue_(0,"SeDebugPrivilege",tk\Privileges\Luid) 

tk\PrivilegeCount = 1 
If Flag = #True 
tk\Privileges\Attributes = #SE_PRIVILEGE_ENABLED 
Else 
tk\Privileges\Attributes = 0 
EndIf 

AdjustTokenPrivileges_(hToken,0,tk,0,0,0) 

EndProcedure 

Procedure Inject(PID,DLLPath.s) 
   Define   hThread.l, hProcess.l,pLibRemote.l,hLibModule.l 

  DebugPrevileg(#True) 

   hProcess = OpenProcess_(#PROCESS_ALL_ACCESS, #False, PID) 

   pLibRemote = VirtualAllocEx_(hProcess, #Null, 255, #MEM_COMMIT, #PAGE_READWRITE) 
    
   WriteProcessMemory_(hProcess, pLibRemote, DLLPath, 255, #Null) 
    
   hThread = CreateRemoteThread_(hProcess,#Null,0,GetProcAddress_(GetModuleHandle_("Kernel32"), "LoadLibraryA"),pLibRemote,0,#Null) 
    
   WaitForSingleObject_(hThread, #INFINITE) 
   GetExitCodeThread_(hThread, @hLibModule) 
   CloseHandle_(hThread) 
   CloseHandle_(hProcess) 

   VirtualFreeEx_(hProcess, pLibRemote, SizeOf(DLLPath), #MEM_RELEASE) 

  DebugPrevileg(#False) 
  
  ProcedureReturn hLibModule 
EndProcedure 

Procedure Eject(PID,hLibModule.l) 
   Define   hThread.l, hProcess.l 

  DebugPrevileg(#True) 

   hProcess = OpenProcess_(#PROCESS_ALL_ACCESS, #False, PID) 
    
   hThread = CreateRemoteThread_(hProcess,#Null,0,GetProcAddress_(GetModuleHandle_("Kernel32"), "FreeLibrary"),hLibModule,0,#Null) 
    
   WaitForSingleObject_(hThread, #INFINITE) 
   CloseHandle_(hThread) 
   CloseHandle_(hProcess) 

  DebugPrevileg(#False) 
EndProcedure

The DLL for injecting in winlogon.exe and disabling CTRL+ALT+DEL

Code: Select all

Global hSASWnd.l,OldSASProc.l 

ProcedureDLL MakeLong(low,high) 
  ProcedureReturn low + (high << 16) 
EndProcedure 

ProcedureDLL SASWindowProc(hWnd,uMsg,wParam,lParam) 
If uMsg = #WM_HOTKEY 
      If lParam = MakeLong(#MOD_CONTROL | #MOD_ALT, #VK_DELETE) 
         ProcedureReturn 1 
      EndIf 
EndIf 

   ProcedureReturn CallWindowProc_(OldSASProc, hWnd, uMsg, wParam, lParam) 
EndProcedure 

ProcedureDLL AttachProcess(hInstance) 
       hSASWnd = FindWindow_("SAS Window class","SAS window") 
        OldSASProc = SetWindowLong_(hSASWnd, #GWL_WNDPROC, @SASWindowProc()) 
EndProcedure 

ProcedureDLL DetachProcess(hInstance) 
     SetWindowLong_(hSASWnd, #GWL_WNDPROC, OldSASProc) 
EndProcedure

Examplecode:

Code: Select all

Define hLibModule.l,PID.l 

PID=GetPidFromName("winlogon.exe") 
hLibModule=Inject(PID,<Put full path of the DLL here>) 

Delay(10000) 

Eject(PID,hLibModule)

Sincerely
125

tomijan · Post by **tomijan** » Mon Nov 05, 2007 9:09 pm

@125
thanks for sharing, interesting code, but

Code: Select all

 VirtualFreeEx_(hProcess, pLibRemote, SizeOf(DLLPath), #MEM_RELEASE)

should be replaced by

Code: Select all

 VirtualFreeEx_(hProcess, pLibRemote, #Null, #MEM_RELEASE)

it works because SizeOf(DLLPath) give wrong result - 0, but its small mistake

tom

Rook Zimbabwe · Post by **Rook Zimbabwe** » Mon Nov 05, 2007 11:31 pm

This is a very dangerous subject...

mueckerich · Post by **mueckerich** » Tue Nov 06, 2007 7:49 am

No, my knife isn't dangerous if i use it it to cut my bread, it's only dangerous if i kill somebody with it. There will be more danger with all the guns in the world.

This code can be very helpfull, especialy on PC-Systems in the industrie where you control machines or have a HMI (Human machine interface). There is a necessity to lock the system to prevent accidents and loss of production.

IMHO there are People who seed maleware or build it with some "MakeYourOwnMalwareToolKit". They don't reard such postings because the most of them don't understand what it means. The other ones who build the "MakeYourOwnMalwareToolKit" and sell it to the others, know this stuff already. These guys are not dumb but criminal.

zikitrake · Post by **zikitrake** » Tue Nov 06, 2007 8:37 am

mueckerich wrote:No, my knife isn't dangerous if i use it it to cut my bread, it's only dangerous if i kill somebody with it. There will be more danger with all the guns in the world.

This code can be very helpfull, especialy on PC-Systems in the industrie where you control machines or have a HMI (Human machine interface). There is a necessity to lock the system to prevent accidents and loss of production.

IMHO there are People who seed maleware or build it with some "MakeYourOwnMalwareToolKit". They don't reard such postings because the most of them don't understand what it means. The other ones who build the "MakeYourOwnMalwareToolKit" and sell it to the others, know this stuff already. These guys are not dumb but criminal.

agree. This code is very useful for me.

Thank you for share it, 125.

NoahPhense · Post by **NoahPhense** » Tue Nov 06, 2007 4:33 pm

sweet .. just like having the guns .. never know when you need to send
a "reach out and touch someone" special kind of greeting card.

this will go nice with my 'unlock and delete file structures' routines... j/k

- np

eJan · Post by **eJan** » Tue Nov 06, 2007 5:05 pm

Thanks 125!
Please write solution to work from copiled exe without .dll.

Godai · Post by **Godai** » Tue Nov 06, 2007 8:15 pm

I sincerely hope it's not possible to block CTRL-ALT-DELETE in Vista.
This is user expected behavior and a severe breach of the user interface guidelines

DoubleDutch · Post by **DoubleDutch** » Wed Nov 07, 2007 12:09 am

But being able to block ctrl-alt-delete is good for programs that run on demo machines or kiosks, etc

NoahPhense · Post by **NoahPhense** » Thu Nov 08, 2007 3:31 pm

lol.. evil is rising ..

- np

byo · Post by **byo** » Thu Nov 08, 2007 4:50 pm

Very nice, 125. Thanks for sharing.

Joakim Christiansen · Post by **Joakim Christiansen** » Thu Nov 08, 2007 6:06 pm

DoubleDutch wrote:But being able to block ctrl-alt-delete is good for programs that run on demo machines or kiosks, etc

Indeed

hardfalcon · Post by **hardfalcon** » Thu Nov 08, 2007 10:09 pm

It's not working in Vista (So you shouldn't run Vista on a kiosk machine

nor should you run it on ANY computer whatsoever

).

//EDIT: This is the thread in the german forum:
http://www.purebasic.fr/german/viewtopic.php?t=13074
If I remember the whole thing right, this is also possible without a DLL, using code injection instead of DLL injection. 125 achieved this, to, but won't publish it because it wouldn't be useful for any applications except malware...

//EDIT 2: Some more or less similar codes from Thorium in the german forum:
http://www.purebasic.fr/german/viewtopic.php?t=13047
http://www.purebasic.fr/german/viewtopic.php?t=13011