標籤:tor off ons str win test 部分 reg cal
在NT系列Windows作業系統中,惡意軟體可以通過關聯Winlogon特定的事件來使自身被啟動,如Lock,Logoff,Logon,Shutdown,StartScreenSaver,StartShell,Startup,StopScreenSaver,Unlock等,這甚至能夠使得惡意軟體在安全模式下被載入。WinLogon的通知事件在註冊表的位置是:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify |
當WinLogon.exe產生一個事件通知的時候,Windows會檢查註冊表裡面指定的DLL並調用DLL指定的匯出函數。樣本(當螢幕鎖定時調用WinLogonDemo.dll匯出的LockFun函數):
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Test]@="""DLLName"="WinLogonDemo.dll""Asynchronous"=dword:00000001"Impersonate"=dword:00000001"Lock"="LockFun" |
從Windows Vista開始,這項特性被取消了。可以通過註冊一個服務來監聽相應的事件(部分事件不支援),參見Using Service Control Manager (SCM) Notifications
http://www.programlife.net/windows-nt-winlogon-notify.html
Windows NT WinLogon Notify
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
