Does anyone know how Rising put the icon on the Windows logon interface?

Source: Internet
Author: User
Use a Winlogon notification package.

To capture Windows XP user logoff and switch-user events, use the WTSRegisterSessionNotification function:
BOOL WTSRegisterSessionNotification(
    HWND hWnd,
    DWORD dwFlags
);

Or use the HandlerEx function (the extended service control handler).

Another method: the program uses the SetConsoleCtrlHandler function to register a HandlerRoutine callback. This callback can receive CTRL_LOGOFF_EVENT, CTRL_SHUTDOWN_EVENT and other messages, which it can then process.

A "Winlogon notification package" is a DLL that handles the events that occur when Winlogon changes state. You can use a Winlogon notification package to respond to Winlogon events: you register the DLL, winlogon.exe loads it at startup and calls the registered DLL's event-handler function whenever the system state changes. Of course, this is also a good hiding place, for example for something that runs in the background inside winlogon.exe. winlogon.exe is a system process and generally cannot be terminated; moreover, killing it makes the system crash or restart, so nobody does that. Another advantage of using a Winlogon notification package to load a backdoor is that the backdoor runs with SYSTEM privileges without having to be registered as a system service.

To register your Winlogon notification package, you must create a sub-key for it under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. On my system there are six sub-keys: crypt32chain, cryptnet, cscdll, sclgntfy, senslogn and termsrv. Under your sub-key you can create the following values as needed:

Asynchronous [REG_DWORD]: indicates whether Winlogon events are handled asynchronously. If set to 1, Winlogon starts a new thread for the handler.
DllName [REG_EXPAND_SZ]: name of the DLL to load.
Impersonate [REG_DWORD]: indicates whether the event is handled with the privileges of the logged-on user.
Lock [REG_SZ]: desktop lock event.
Logoff [REG_SZ]: logoff event.
Logon [REG_SZ]: logon event.
Shutdown [REG_SZ]: shutdown event.
StartScreenSaver [REG_SZ]: screen saver start event.
StartShell [REG_SZ]: shell (explorer.exe) start event.
Startup [REG_SZ]: system boot event.
StopScreenSaver [REG_SZ]: screen saver stop event.
Unlock [REG_SZ]: desktop unlock event.

Each event value names an export of the DLL; that is, winlogon.exe calls the corresponding function whenever the event occurs. For example, if the value of DllName is test.dll and the value of Logoff is TestLogoff, winlogon.exe calls the TestLogoff function exported from test.dll when the user logs off.

The DLL implementation is very simple: as long as it exports the event-handling functions to be called, everything else is the same as any other DLL. Below is a simple implementation:

// ------------------------------------ Start of WNP.c -------------------------------------------
/* Create the file exports.def with the content:
EXPORTS
TestLogoff
TestLogon
*/
#include <windows.h>
#include <winwlx.h>   /* WLX_NOTIFICATION_INFO: the structure winlogon.exe passes to each handler */
#pragma comment(linker, "/export:TestLogoff=_TestLogoff@4")
#pragma comment(linker, "/export:TestLogon=_TestLogon@4")
#pragma comment(linker, "/entry:DllEntry")
#pragma comment(linker, "/subsystem:windows")
#pragma comment(linker, "/align:4096")
#pragma comment(linker, "/DLL")
#pragma comment(linker, "/base:1976369152")

/* Called by winlogon.exe when the user logs off (the Logoff value names this export). */
__declspec(dllexport) void __stdcall TestLogoff(PWLX_NOTIFICATION_INFO pInfo)
{
    MessageBox(NULL, "The system is logging off!", "Winlogon notification package", MB_OK);
}

/* Called by winlogon.exe when a user logs on (the Logon value names this export). */
__declspec(dllexport) void __stdcall TestLogon(PWLX_NOTIFICATION_INFO pInfo)
{
    MessageBox(NULL, "The system is logging on!", "Winlogon notification package", MB_OK);
}

/* Custom entry point (no C runtime is used); nothing to do on attach or detach. */
BOOL __stdcall DllEntry(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH: break;
    case DLL_THREAD_ATTACH:  break;
    case DLL_THREAD_DETACH:  break;
    case DLL_PROCESS_DETACH: break;
    }
    return TRUE;
}
// ------------------------------------ End of WNP.c ---------------------------------------------


Copy the compiled test.dll to the system folder, modify the registry as described above, and restart. After that, c:\winnt\system32\test.dll is loaded into the winlogon.exe process.
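Because anything registered under the Notify key is loaded into winlogon.exe with SYSTEM privileges, the defender's counterpart to the procedure above is to audit that key. The following PowerShell script is an added example, not part of the original post: it lists every registered notification package, uses the six stock sub-keys the post enumerates as a baseline, and reports whether each DllName resolves to an existing, Authenticode-signed file. It assumes an elevated prompt on Windows XP or Server 2003 (Vista and later no longer load notification packages, so the key is normally absent there).

```powershell
# Added audit script (not from the original post): enumerate Winlogon notification packages.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
# Sub-keys the post lists on a stock system; anything else deserves a closer look.
$baseline  = @('crypt32chain', 'cryptnet', 'cscdll', 'sclgntfy', 'senslogn', 'termsrv')
# Each of these values, when present, names an export winlogon.exe will call.
$events    = @('Lock', 'Logoff', 'Logon', 'Shutdown', 'StartScreenSaver',
               'StartShell', 'Startup', 'StopScreenSaver', 'Unlock')

if (-not (Test-Path -Path $notifyKey)) {
    Write-Output "No Notify key present: no notification packages are registered."
    return
}

Get-ChildItem -Path $notifyKey | ForEach-Object {
    $subKey = $_.PSChildName
    $props  = Get-ItemProperty -Path $_.PSPath
    # Get-ItemProperty already expands REG_EXPAND_SZ. A bare file name is found through the
    # loader search path, so resolve it against System32 for the file checks below.
    $dll = [string]$props.DllName
    if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
        $dll = Join-Path -Path "$env:SystemRoot\System32" -ChildPath $dll
    }
    $exists = $dll -and (Test-Path -Path $dll -PathType Leaf)
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
    $handlers = foreach ($ev in $events) { if ($props.$ev) { "$ev=$($props.$ev)" } }

    [pscustomobject]@{
        SubKey       = $subKey
        InBaseline   = [bool]($baseline -contains $subKey)
        DllName      = $dll
        Signature    = $sig          # NotSigned or FileMissing outside the baseline is the finding
        Asynchronous = $props.Asynchronous
        Impersonate  = $props.Impersonate
        Handlers     = ($handlers -join ', ')
    }
} | Sort-Object InBaseline, SubKey | Format-Table -AutoSize
```

Rows with InBaseline = False are listed first; a non-baseline sub-key whose DLL is unsigned, or whose DllName points outside System32, matches exactly the registration the post describes and should be investigated.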
