


【原创】编程实现禁用GLASS8的开机弹框

已有 1962 次阅读2016-12-25 21:17

最近把游戏机的操作系统更新到WIN10,由于游戏机对安全没啥要求,就顺带安装了在WIN10上实现AERO效果的GLASS8。
结果发现GLASS8的作者“大肌肉”特别烦人,每次开机都让GLASS8弹框(内容是一堆不知所云的话)。既然如此,索性写个代码禁用掉。
首先用WIN64AST查看弹框归属进程,发现是DWM.EXE,这就排除了使用NtRaiseHardError弹框(这种情况下弹框归属进程是CSRSS.EXE)。
既然如此,再排除作者用自绘窗口(而不是系统对话框 API)来弹框的情况,那么函数的选择余地就很小了,基本上只有下面 6 个(均为 user32.dll 的导出函数):
MessageBoxW
MessageBoxExW
MessageBoxTimeoutW
MessageBoxIndirectW
DialogBoxParamW
DialogBoxIndirectParamW
然后只要在这些函数的入口处写入一个字节 0xC3(x64 的 `ret` 指令)即可让弹框不出现。几点需要注意:这种做法本质上是向 DWM.EXE 写入进程内存,需要以管理员身份运行并启用 SeDebugPrivilege,而且很可能被杀毒软件 / EDR 当作可疑行为拦截;它依赖 user32.dll 在本进程和 DWM 中映射到同一基址(同一位数的进程在同一次启动内通常成立),所以程序必须编译为 64 位;被打补丁的函数会直接返回、返回值未定义,并且 DWM 中所有经由这些函数显示的弹框(不只是 GLASS8 的)都会被一并禁掉。

完整代码如下:
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

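/*
 * Enable SeDebugPrivilege (privilege value 0x14 = 20) on the current
 * process token through the undocumented ntdll!RtlAdjustPrivilege, so that
 * OpenProcess() can later reach dwm.exe, which runs under a different
 * account than the (elevated) caller.
 *
 * Returns the NTSTATUS from RtlAdjustPrivilege (0 == STATUS_SUCCESS), or
 * STATUS_PROCEDURE_NOT_FOUND if the export cannot be resolved. The original
 * dereferenced the GetProcAddress() result unconditionally; ntdll is always
 * mapped, so GetModuleHandleW() is enough and no extra reference is taken.
 */
long gpg(void)
{
    typedef long (WINAPI *RTLADJUSTPRIVILEGE)(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN);
    enum { SE_DEBUG_PRIVILEGE_VALUE = 0x14 };
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    RTLADJUSTPRIVILEGE adjust = NULL;
    BOOLEAN was_enabled = 0;

    if (ntdll != NULL)
        adjust = (RTLADJUSTPRIVILEGE)GetProcAddress(ntdll, "RtlAdjustPrivilege");
    if (adjust == NULL)
        return (long)0xC000007FL; /* STATUS_PROCEDURE_NOT_FOUND */

    /* Enable = 1, CurrentThread = 0: adjust the process token, not a thread
       impersonation token; was_enabled receives the previous state. */
    return adjust(SE_DEBUG_PRIVILEGE_VALUE, 1, 0, &was_enabled);
}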

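/*
 * Hex-dump `l` bytes of another process's memory at `p` to stdout on one
 * line (one "%X " per byte, then a newline) so the caller can confirm that
 * a patch actually landed.
 *
 * hProcess needs PROCESS_VM_READ. A failed malloc() or a failed/short
 * ReadProcessMemory() now prints a diagnostic instead of dumping a
 * zero-filled buffer that would look like a successful read.
 */
void PrintProcessMemory(HANDLE hProcess, PVOID p, ULONG l)
{
    SIZE_T got = 0;
    SIZE_T i;
    PUCHAR bytes;

    if (l == 0) {
        puts("");
        return;
    }
    bytes = malloc(l);
    if (bytes == NULL) {
        printf("(malloc of %lu bytes failed)\n", (unsigned long)l);
        return;
    }
    if (!ReadProcessMemory(hProcess, p, bytes, l, &got) || got != l) {
        printf("(ReadProcessMemory failed: read %lu of %lu bytes, last error %lu)\n",
               (unsigned long)got, (unsigned long)l, GetLastError());
    } else {
        for (i = 0; i < got; i++)
            printf("%X ", bytes[i]);
        puts("");
    }
    free(bytes);
}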

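/* user32.dll exports whose entry point is stubbed out inside dwm.exe. */
static const char *const kPatchTargets[] = {
    "MessageBoxW",
    "MessageBoxExW",
    "MessageBoxTimeoutW",
    "MessageBoxIndirectW",
    "DialogBoxIndirectParamW",
    "DialogBoxParamW",
};

/*
 * Overwrite the first byte of user32!<name> in hProcess with 0xC3 (x64 `ret`)
 * and print the write result plus the byte now at that address.
 *
 * The address is resolved in *this* process and reused in the target, so it
 * is only valid while user32.dll is mapped at the same base in both — which
 * is why callers restrict this to 64-bit builds. A bare `ret` leaves the
 * function's return value (EAX) undefined, so anything in the target that
 * inspects the MessageBox/DialogBox result sees garbage; that is the
 * original author's trade-off and is kept unchanged here.
 *
 * Returns TRUE if the export was found and WriteProcessMemory succeeded.
 */
static BOOL patch_export(HANDLE hProcess, HMODULE hUser32, const char *name)
{
    static const UCHAR ret_stub[1] = { 0xC3 };
    FARPROC p = GetProcAddress(hUser32, name);
    SIZE_T written = 0;
    BOOL ok;

    if (p == NULL) {
        printf("%s: not exported by user32.dll (error %lu), skipped\n",
               name, GetLastError());
        return FALSE;
    }
    ok = WriteProcessMemory(hProcess, (PVOID)p, ret_stub, sizeof(ret_stub), &written);
    printf("%s: patch address[%p] length[%lu] result: %d (error %lu)\nCurrent byte: ",
           name, (void *)p, (unsigned long)sizeof(ret_stub), ok,
           ok ? 0UL : GetLastError());
    PrintProcessMemory(hProcess, (PVOID)p, (ULONG)sizeof(ret_stub));
    return ok;
}

/*
 * Open the dwm.exe instance `pid` with the minimum rights needed for
 * Read/WriteProcessMemory and patch every entry of kPatchTargets.
 *
 * dwm.exe runs as "Window Manager\DWM-n", so even an elevated caller needs
 * SeDebugPrivilege (gpg()) for OpenProcess() to succeed. Returns TRUE only
 * if every target was patched; FALSE on any failure or on non-x64 builds.
 */
static BOOL patch_dwm(DWORD pid)
{
    HANDLE hProcess;
    BOOL all_ok = TRUE;
    long status = gpg();

    if (status != 0)
        printf("Warning: enabling SeDebugPrivilege failed (NTSTATUS 0x%08lX); "
               "OpenProcess may fail\n", (unsigned long)status);

    /* Least privilege instead of PROCESS_ALL_ACCESS: VM_OPERATION+VM_WRITE
       for WriteProcessMemory, VM_READ for the verification read. */
    hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                           FALSE, pid);
    if (hProcess == NULL) {
        printf("Cannot open DWM.EXE! (error %lu)\n", GetLastError());
        return FALSE;
    }

#if defined(AMD64) || defined(_M_X64)
    {
        /* user32 may not be loaded into this console process yet. */
        HMODULE hUser32 = GetModuleHandleW(L"user32.dll");
        size_t i;

        if (hUser32 == NULL)
            hUser32 = LoadLibraryW(L"user32.dll");
        if (hUser32 == NULL) {
            printf("Cannot load user32.dll (error %lu)\n", GetLastError());
            CloseHandle(hProcess);
            return FALSE;
        }
        for (i = 0; i < sizeof(kPatchTargets) / sizeof(kPatchTargets[0]); i++) {
            if (!patch_export(hProcess, hUser32, kPatchTargets[i]))
                all_ok = FALSE;
        }
    }
#else
    /* A 32-bit build would compute 32-bit user32 addresses that mean nothing
       inside the 64-bit dwm.exe; the original silently patched nothing. */
    puts("Not a 64-bit build: nothing patched.");
    all_ok = FALSE;
#endif

    CloseHandle(hProcess);
    return all_ok;
}

/*
 * Enumerate processes, patch every dwm.exe found, keep the console open for
 * ten seconds, and exit 0 only if at least one dwm.exe was fully patched.
 *
 * Fixes relative to the original: explicit Process32FirstW/NextW with
 * sizeof(pe32) (sizeof(PROCESSENTRY32) only equals the W struct when UNICODE
 * is defined); _wcsicmp on the whole name instead of a 7-character prefix
 * match that would also hit "dwm.exe.bak"; Sleep() instead of
 * system("timeout 10"), which spawned cmd.exe just to wait.
 */
int main(void)
{
    HANDLE hSnap;
    PROCESSENTRY32W pe32 = {0};
    int found = 0;
    int failures = 0;

    pe32.dwSize = sizeof(pe32);
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        printf("CreateToolhelp32Snapshot failed (error %lu)\n", GetLastError());
        return 1;
    }

    if (Process32FirstW(hSnap, &pe32)) {
        do {
            if (_wcsicmp(pe32.szExeFile, L"dwm.exe") != 0)
                continue;
            found++;
            printf("Found DWM.EXE: %lu\n\n", pe32.th32ProcessID);
            if (!patch_dwm(pe32.th32ProcessID))
                failures++;
        } while (Process32NextW(hSnap, &pe32));
    }
    CloseHandle(hSnap);

    if (found == 0)
        puts("dwm.exe not found.");

    /* Leave the output readable before the console window closes. */
    Sleep(10000);
    return (found > 0 && failures == 0) ? 0 : 1;
}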

