Thursday, June 1, 2017

Cracking the Windows hotkeys

```
52 00 00 00 08 00 00 00 4D 00 00 00 08 00 00 00 4D 00 00 00 0C 00 00 00 70 00 00 00 08 00 00 00 45 00 00 00 08 00 00 00 52 00 00 00 08 00 00 00 52 00 00 00 0A 00 00 00 54 00 00 00 08 00 00 00 54 00 00 00 0C 00 00 00 13 00 00 00 08 00 00 00 44 00 00 00 08 00 00 00 42 00 00 00 08 00 00 00 24 00 00 00 08 00 00 00 20 00 00 00 08 00 00 00 31 00 00 00 08 00 00 00 32 00 00 00 08 00 00 00 33 00 00 00 08 00 00 00 34 00 00 00 08 00 00 00 35 00 00 00 08 00 00 00 36 00 00 00 08 00 00 00 37 00 00 00 08 00 00 00 38 00 00 00 08 00 00 00 39 00 00 00 08 00 00 00 30 00 00 00 08 00 00 00 31 00 00 00 0A 00 00 00 32 00 00 00 0A 00 00 00 33 00 00 00 0A 00 00 00 34 00 00 00 0A 00 00 00 35 00 00 00 0A 00 00 00 36 00 00 00 0A 00 00 00 37 00 00 00 0A 00 00 00 38 00 00 00 0A 00 00 00 39 00 00 00 0A 00 00 00 30 00 00 00 0A 00 00 00 31 00 00 00 0C 00 00 00 32 00 00 00 0C 00 00 00 33 00 00 00 0C 00 00 00 34 00 00 00 0C 00 00 00 35 00 00 00 0C 00 00 00 36 00 00 00 0C 00 00 00 37 00 00 00 0C 00 00 00 38 00 00 00 0C 00 00 00 39 00 00 00 0C 00 00 00 30 00 00 00 0C 00 00 00 31 00 00 00 09 00 00 00 32 00 00 00 09 00 00 00 33 00 00 00 09 00 00 00 34 00 00 00 09 00 00 00 35 00 00 00 09 00 00 00 36 00 00 00 09 00 00 00 37 00 00 00 09 00 00 00 38 00 00 00 09 00 00 00 39 00 00 00 09 00 00 00 30 00 00 00 09 00 00 00 31 00 00 00 0E 00 00 00 32 00 00 00 0E 00 00 00 33 00 00 00 0E 00 00 00 34 00 00 00 0E 00 00 00 35 00 00 00 0E 00 00 00 36 00 00 00 0E 00 00 00 37 00 00 00 0E 00 00 00 38 00 00 00 0E 00 00 00 39 00 00 00 0E 00 00 00 30
```

Win+Home: minimizes every window except the currently active one.
Win+Shift+T cycles in the opposite direction (backwards).

# Detailed process
Windows' built-in search is really rubbish, but it occupies the Win+F hotkey. I don't want to run some crappy hook the whole time I use the computer, yet I can't disable all hotkeys either. Finally I found the breakthrough: locate the address where the hotkey table is stored, and every problem is solved. My earlier idea had been to find the explorer process and unregister the hotkey from there, which turned out to be useless. Someone claimed you have to use a hook to swallow the corresponding message so it never gets handled, but the very thought is disgusting, and the same person added that "it involves the kernel" and so on. I simply didn't believe it: http://www.zhihu.com/question/22681222

Enough rambling.
Analyzing with IDA, I recovered the important parameters set up just before the call to RegisterHotKey: vk and fsModifiers.


This is one of the calls inside explorer. I pinned down the corresponding address, then located it again in x64dbg and stepped through it, and finally found the table!

From here on it is easy. I overwrite the F of the Win+F entry I want to kill with a key that is already registered, for example Win+R. Because that combination is already registered, the second registration fails. If I later want to get rid of Win+E or any other hotkey, the same method still works!
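Added here as an illustration, not code from the post: a decoder for the table layout found above, read as consecutive little-endian DWORD pairs (vk, fsModifiers) with the RegisterHotKey flags MOD_ALT = 0x1, MOD_CONTROL = 0x2, MOD_SHIFT = 0x4, MOD_WIN = 0x8. Treating the dump as such pairs is my reading of it; the excerpt is the first seven entries of the dump, and the fact that Win+R appears in it twice is exactly what the F-to-R rewrite described above produces.

```python
import struct
from collections import Counter

# fsModifiers bits of RegisterHotKey, in the order hotkeys are usually written
MOD_FLAGS = ((0x8, "Win"), (0x2, "Ctrl"), (0x1, "Alt"), (0x4, "Shift"))

# Virtual-key codes of the non-alphanumeric keys that occur in the dump
VK_NAMES = {0x13: "Pause", 0x20: "Space", 0x24: "Home", 0x70: "F1"}

def vk_name(vk):
    """Human-readable name for a virtual-key code."""
    if vk in VK_NAMES:
        return VK_NAMES[vk]
    if 0x30 <= vk <= 0x39 or 0x41 <= vk <= 0x5A:  # '0'-'9' and 'A'-'Z'
        return chr(vk)
    return f"VK_0x{vk:02X}"

def parse_hotkey_table(data):
    """Decode a table of (vk, fsModifiers) little-endian DWORD pairs."""
    if len(data) % 8:
        raise ValueError("table is not a whole number of 8-byte entries")
    hotkeys = []
    for vk, mods in struct.iter_unpack("<II", data):
        parts = [name for bit, name in MOD_FLAGS if mods & bit]
        if mods & ~0xF:  # flag bits that no MOD_* constant accounts for
            parts.append(f"mods0x{mods & ~0xF:X}")
        parts.append(vk_name(vk))
        hotkeys.append("+".join(parts))
    return hotkeys

def duplicate_hotkeys(hotkeys):
    """Combinations listed more than once. Only the first RegisterHotKey
    for a given (vk, fsModifiers) pair can succeed; the rest fail."""
    return sorted(k for k, n in Counter(hotkeys).items() if n > 1)

# First seven entries of the table dumped in this post (vk, fsModifiers)
TABLE_EXCERPT = bytes.fromhex(
    "52000000 08000000 4D000000 08000000 4D000000 0C000000 70000000 08000000"
    "45000000 08000000 52000000 08000000 52000000 0A000000"
)

if __name__ == "__main__":
    decoded = parse_hotkey_table(TABLE_EXCERPT)
    print(decoded)                      # Win+R, Win+M, Win+Shift+M, Win+F1, ...
    print(duplicate_hotkeys(decoded))   # the pair whose 2nd registration fails
```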

Tool tips (in IDA you can even search for a function name directly in the IDA View!)

In x64dbg, the "intermodular calls" view lets you search the names of all called functions!

Because Win7 is fairly locked down, even when the in-memory modification succeeds, saving it is a problem; the replacement has to be made in the PE file itself. It is enough to modify the explorer under the Windows directory; the other copies need not be considered~

r8d and the other rXXXd names simply denote the rXXX register itself, used as a 32-bit operand.
