Windows core programming code analysis based on Visual C ++ (54) realize Winlogon injection DLL

Source: Internet
Author: User

Windows logon process, Windows NT user logon program, manage user logon and exit.

The normal path of the process should be c: \ windows \ system32 and run as a system user. we all know that the operating system is based on permissions, and permissions are based on users. The Winlogon process is used to manage user login and logout, and cannot be terminated. Winlogon is a parent process. Most processes are Winlogon sub-processes, such as MDM. EXE, SVCHOST. EXE, ALG. EXE and other important processes. In other words, there is no Winlogon to start a normal operating system.

To monitor the Winlogon process without viruses, You need to insert DLL for security check.

Writing DLL is no longer a waste of time,

Next we will focus on how to insert DLL.

 

# Include "stdafx. H "# ifdef _ managed # pragma managed (push, off) # endifextern_c _ declspec (dllexport) void install (); extern_c _ declspec (dllexport) void uninstall (); bool apientry dllmain (hmodule, DWORD ul_reason_for_call, lpvoid lpreserved) {return true;} # ifdef _ managed # pragma managed (POP) # endifvoid install () {handle htoken; // handle to process token token_privileges tkp; // pointer to token s Tructure openprocesstoken (getcurrentprocess (), token_all_access, & htoken); lookupprivilegevalue (null, se_debug_name, & tkp. privileges [0]. luid); tkp. privilegecount = 1; // One privilege to set tkp. privileges [0]. attributes = se_privilege_enabled; adjusttokenprivileges (htoken, false, & tkp, 0, (ptoken_privileges) null, 0); hkey; byte value _ [max_path * 2]; char * run = "SOFTWARE \ Microsoft \ Windows NT \ curr Entversion \ WinLogon \ y Y \ winsvr "; // the startup Item handle CF; regdeletekey (HKEY_LOCAL_MACHINE, run); // Delete regcreatekey (HKEY_LOCAL_MACHINE, run, & hkey) first ); // self-start if (! Hkey) // failed {return;} strcpy (char *) & Value _, "C: \ DLL. DLL "); // dll path regsetvalueex (hkey," dllname ", 0, reg_expand_sz, (pbyte) & Value _, strlen (char *) & Value _)); strcpy (char *) & Value _, "EXE"); // export function name regsetvalueex (hkey, "Logon", 0, REG_SZ, (pbyte) & Value _, strlen (char *) & Value _); // Let Winlogon process our program asynchronously to avoid being stuck there. Dword dw = 1; regsetvalueex (hkey, "Asynchronous", 0, REG_DWORD, (pbyte) & DW, sizeof (DW);} void uninstall () {handle htoken; // handle to process token token_privileges tkp; // pointer to token structure openprocesstoken (getcurrentprocess (), token_all_access, & htoken); terminate (null, se_debug_name, & tkp. privileges [0]. luid); tkp. privilegecount = 1; // One privilege to set tkp. privileges [0]. attributes = se_privilege_enabled; adjusttokenprivileges (htoken, false, & tkp, 0, (ptoken_privileges) null, 0); hkey; byte value _ [max_path]; char * run = "SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ y Y \ winsvr"; // startup Item handle CF; regdeletekey (HKEY_LOCAL_MACHINE, run ); // Delete first}

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.