Windows core programming code analysis based on Visual C ++ (54) realize Winlogon injection DLL

Source: Internet
Author: User

Winlogon is the Windows logon process: the Windows NT user logon program that manages user logon and logoff.

The legitimate image lives in C:\Windows\System32 and runs as the SYSTEM user. As we all know, the operating system is built on permissions, and permissions are tied to users. The Winlogon process manages user logon and logoff and cannot be terminated. Winlogon is a parent process: most processes are children of Winlogon, such as MDM.EXE, SVCHOST.EXE, ALG.EXE and other important processes. In other words, without Winlogon a normal operating system cannot start.

To keep the Winlogon process free of viruses, you need to insert a DLL into it that performs the security check.

Writing the DLL itself is nothing new, so we will not spend time on it.

Next we focus on how the DLL is inserted.

 

#include "stdafx.h"
#include <windows.h>
#include <string.h>

#ifdef _MANAGED
#pragma managed(push, off)
#endif

extern "C" __declspec(dllexport) void Install();
extern "C" __declspec(dllexport) void Uninstall();

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    return TRUE;
}

#ifdef _MANAGED
#pragma managed(pop)
#endif

void Install()
{
    HANDLE hToken;            // handle to process token
    TOKEN_PRIVILEGES tkp;     // token privilege structure
    OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid);
    tkp.PrivilegeCount = 1;   // one privilege to set
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0);
    CloseHandle(hToken);

    HKEY hKey;
    BYTE value_[MAX_PATH * 2];
    // Winlogon notification package subkey: the startup item
    const char *run = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\winsvr";
    RegDeleteKeyA(HKEY_LOCAL_MACHINE, run);                              // delete first
    if (RegCreateKeyA(HKEY_LOCAL_MACHINE, run, &hKey) != ERROR_SUCCESS)  // self-start
        return;                                                          // failed
    // DLL path; the terminating NUL is written as well (strlen + 1)
    strcpy((char *)value_, "C:\\DLL.DLL");
    RegSetValueExA(hKey, "DllName", 0, REG_EXPAND_SZ, (PBYTE)value_, (DWORD)strlen((char *)value_) + 1);
    // name of the exported function Winlogon calls on the Logon event
    strcpy((char *)value_, "EXE");
    RegSetValueExA(hKey, "Logon", 0, REG_SZ, (PBYTE)value_, (DWORD)strlen((char *)value_) + 1);
    // let Winlogon run our function asynchronously so it cannot get stuck there
    DWORD dw = 1;
    RegSetValueExA(hKey, "Asynchronous", 0, REG_DWORD, (PBYTE)&dw, sizeof(dw));
    RegCloseKey(hKey);
}

void Uninstall()
{
    HANDLE hToken;            // handle to process token
    TOKEN_PRIVILEGES tkp;     // token privilege structure
    OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid);
    tkp.PrivilegeCount = 1;   // one privilege to set
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0);
    CloseHandle(hToken);

    // the startup item written by Install()
    const char *run = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\winsvr";
    RegDeleteKeyA(HKEY_LOCAL_MACHINE, run);   // remove it
}
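As an added defender's counterpart to the Install() routine above (this code is not part of the original article), the following Python audits a `reg export` of the Winlogon\Notify key and reports every notification package whose DllName resolves outside System32, which is exactly the C:\DLL.DLL case the installer writes. The .reg text is a constructed sample; the package name example_ok and the rule that a bare file name counts as System32-relative are my assumptions.

```python
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed `reg export` sample (not from a real host): one package under System32,
# one registered the way Install() above does it (REG_EXPAND_SZ exports as hex(2): UTF-16LE).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example_ok]
"DllName"="%SystemRoot%\\System32\\example.dll"
"Logon"="WLEventLogon"
"Asynchronous"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winsvr]
"DllName"=hex(2):43,00,3a,00,5c,00,44,00,4c,00,4c,00,2e,00,44,00,4c,00,4c,00,00,00
"Logon"="EXE"
"Asynchronous"=dword:00000001
'''

def parse_reg_export(text):
    """Parse the .reg subset reg export emits: [key] headers, "name"="string", dword:, hex(2):."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith('"'):                       # REG_SZ, backslashes doubled
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")
            elif raw.startswith("dword:"):                # REG_DWORD as hex
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith("hex(2):"):               # REG_EXPAND_SZ as UTF-16LE bytes
                data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
                keys[current][name] = data.decode("utf-16-le").rstrip("\x00")
    return keys

def audit_notify_packages(reg_text, system_root=r"C:\WINDOWS"):
    """Return one finding per Notify package whose DllName does not resolve under System32."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        parent, _, package = key.rpartition("\\")
        if parent.lower() != NOTIFY_KEY.lower():
            continue
        dll = re.sub(r"%systemroot%", lambda _: system_root, str(values.get("dllname", "")), flags=re.I)
        if "\\" not in dll:                               # assumption: bare name loads from System32
            dll = system_root + "\\System32\\" + dll
        if not dll.lower().startswith((system_root + "\\system32\\").lower()):
            findings.append(f"{package}: DllName={dll} Logon={values.get('logon')} "
                            f"Asynchronous={values.get('asynchronous')}")
    return findings
```

Run it against the export of a machine you administer; any package it lists, together with its Logon export name, is worth comparing against the known-good notification packages of that Windows version.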

 
