[讨论]如何禁用Device\\PhysicalMemory-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (2)
qiluword 雪币： 225 活跃值： (294) 能力值： ( LV2，RANK：10 ) 在线值：发帖 50 回帖 209 粉丝 0 关注私信	qiluword 2 楼 Hook NtOpenSection 不彻底. 2011-4-19 17:49 0
qiluword 雪币： 225 活跃值： (294) 能力值： ( LV2，RANK：10 ) 在线值：发帖 50 回帖 209 粉丝 0 关注私信	qiluword 3 楼 HANDLE Section; DWORD Res; NTSTATUS ntS; PACL OldDacl=NULL, NewDacl=NULL; PSECURITY_DESCRIPTOR SecDesc=NULL; EXPLICIT_ACCESS Access; OBJECT_ATTRIBUTES ObAttributes; INIT_UNICODE(ObName, L"\\Device\\PhysicalMemory"); BOOL mode; memset(&Access, 0, sizeof(EXPLICIT_ACCESS)); InitializeObjectAttributes(&ObAttributes, &ObName, OBJ_CASE_INSENSITIVE \| OBJ_KERNEL_HANDLE, NULL, NULL); // open handle de \Device\PhysicalMemory ntS = NtOpenSection(&Section, WRITE_DAC \| READ_CONTROL, &ObAttributes); if (ntS != STATUS_SUCCESS) { printf("error: NtOpenSection (code: %x)\n", ntS); goto cleanup; } // retrieve a copy of the security descriptor Res = GetSecurityInfo(Section, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &OldDacl, NULL, &SecDesc); if (Res != ERROR_SUCCESS) { printf("error: GetSecurityInfo (code: %lu)\n", Res); goto cleanup; } Access.grfAccessPermissions = 0； // :P Access.grfAccessMode = DENY_ACCESS; Access.grfInheritance = NO_INHERITANCE; Access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; // change these informations to grant access to a group or other user Access.Trustee.TrusteeForm = TRUSTEE_IS_NAME; Access.Trustee.TrusteeType = TRUSTEE_IS_USER; Access.Trustee.ptstrName = "CURRENT_USER"; // create the new ACL Res = SetEntriesInAcl(1, &Access, NULL, &NewDacl); if (Res != ERROR_SUCCESS) { printf("error: SetEntriesInAcl (code: %lu)\n", Res); goto cleanup; } // update ACL Res = SetSecurityInfo(Section, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, NewDacl, NULL); if (Res != ERROR_SUCCESS) { printf("error: SetEntriesInAcl (code: %lu)\n", Res); goto cleanup; } printf("\\Device\\PhysicalMemory chmoded\n"); cleanup: if (Section) NtClose(Section); if (SecDesc) LocalFree(SecDesc); 怎么没有起作用？ 2011-4-20 09:36 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (2)
qiluword 雪币： 225 活跃值： (294) 能力值： ( LV2，RANK：10 ) 在线值：发帖 50 回帖 209 粉丝 0 关注私信	qiluword 2 楼 Hook NtOpenSection 不彻底. 2011-4-19 17:49 0
qiluword 雪币： 225 活跃值： (294) 能力值： ( LV2，RANK：10 ) 在线值：发帖 50 回帖 209 粉丝 0 关注私信	qiluword 3 楼 HANDLE Section; DWORD Res; NTSTATUS ntS; PACL OldDacl=NULL, NewDacl=NULL; PSECURITY_DESCRIPTOR SecDesc=NULL; EXPLICIT_ACCESS Access; OBJECT_ATTRIBUTES ObAttributes; INIT_UNICODE(ObName, L"\\Device\\PhysicalMemory"); BOOL mode; memset(&Access, 0, sizeof(EXPLICIT_ACCESS)); InitializeObjectAttributes(&ObAttributes, &ObName, OBJ_CASE_INSENSITIVE \| OBJ_KERNEL_HANDLE, NULL, NULL); // open handle de \Device\PhysicalMemory ntS = NtOpenSection(&Section, WRITE_DAC \| READ_CONTROL, &ObAttributes); if (ntS != STATUS_SUCCESS) { printf("error: NtOpenSection (code: %x)\n", ntS); goto cleanup; } // retrieve a copy of the security descriptor Res = GetSecurityInfo(Section, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &OldDacl, NULL, &SecDesc); if (Res != ERROR_SUCCESS) { printf("error: GetSecurityInfo (code: %lu)\n", Res); goto cleanup; } Access.grfAccessPermissions = 0； // :P Access.grfAccessMode = DENY_ACCESS; Access.grfInheritance = NO_INHERITANCE; Access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; // change these informations to grant access to a group or other user Access.Trustee.TrusteeForm = TRUSTEE_IS_NAME; Access.Trustee.TrusteeType = TRUSTEE_IS_USER; Access.Trustee.ptstrName = "CURRENT_USER"; // create the new ACL Res = SetEntriesInAcl(1, &Access, NULL, &NewDacl); if (Res != ERROR_SUCCESS) { printf("error: SetEntriesInAcl (code: %lu)\n", Res); goto cleanup; } // update ACL Res = SetSecurityInfo(Section, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, NewDacl, NULL); if (Res != ERROR_SUCCESS) { printf("error: SetEntriesInAcl (code: %lu)\n", Res); goto cleanup; } printf("\\Device\\PhysicalMemory chmoded\n"); cleanup: if (Section) NtClose(Section); if (SecDesc) LocalFree(SecDesc); 怎么没有起作用？ 2011-4-20 09:36 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复