-
-
未解决 [求助]关于ACL的问题,保护自身不被OpenProcess,不想上驱动,但是有的系统有效,有的系统无效,还请大佬指点,谢谢
-
发表于: 2020-7-29 16:26 2040
-
尝试了好几种代码,均来自网上,如果上驱动的话,直接注册一个回调过滤权限就行了,但是感觉不值当,能在ring3解决的问题还是轻易不弄驱动,下面的代码,有4种实现方式,每种在我的win10x64上都可以实现阻止其他进程OpenProcess自己,但是扔到Win7x64虚拟机里就完蛋了,形同虚设,不知道问题出在哪,返回值还都正确,有点懵,还请大佬指点指点。
#include "stdafx.h" #include <stdio.h> #include <windows.h> #include <sddl.h> #include <accctrl.h> #include <aclapi.h> BOOL ProtectProcess1() { HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId()); SECURITY_ATTRIBUTES sa; TCHAR * szSD = TEXT("D:P"); TEXT("(D;OICI;GA;;;BG)"); TEXT("(D;OICI;GA;;;AN)"); sa.nLength = sizeof(SECURITY_ATTRIBUTES); sa.bInheritHandle = FALSE; if (!ConvertStringSecurityDescriptorToSecurityDescriptor(szSD, SDDL_REVISION_1, &(sa.lpSecurityDescriptor), NULL)) { return FALSE; } if (!SetKernelObjectSecurity(hProcess, DACL_SECURITY_INFORMATION, sa.lpSecurityDescriptor)) { return FALSE; } return TRUE; } BOOL ProtectProcess2() { HANDLE hProcess = GetCurrentProcess(); EXPLICIT_ACCESS denyAccess = { 0 }; DWORD dwAccessPermissions = GENERIC_WRITE | PROCESS_ALL_ACCESS | WRITE_DAC | DELETE | WRITE_OWNER | READ_CONTROL; BuildExplicitAccessWithName(&denyAccess, _T("CURRENT_USER"), dwAccessPermissions, DENY_ACCESS, NO_INHERITANCE); PACL pTempDacl = NULL; DWORD dwErr = 0; dwErr = SetEntriesInAcl(1, &denyAccess, NULL, &pTempDacl); dwErr = SetSecurityInfo(hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pTempDacl, NULL); // check dwErr... LocalFree(pTempDacl); CloseHandle(hProcess); return dwErr == ERROR_SUCCESS; } BOOL ProtectProcess3() { HANDLE hProcess = GetCurrentProcess(); PACL pEmptyDacl; DWORD dwErr; pEmptyDacl = (PACL)malloc(sizeof(ACL)); if (!InitializeAcl(pEmptyDacl, sizeof(ACL), ACL_REVISION)) { dwErr = GetLastError(); } else { dwErr = SetSecurityInfo(hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pEmptyDacl, NULL); } free(pEmptyDacl); return dwErr; } DWORD ProtectProcess4() { // Returned to caller DWORD dwResult = (DWORD)-1; // Released on exit HANDLE hToken = NULL; PVOID pTokenInfo = NULL; PSID psidEveryone = NULL; PSID psidSystem = NULL; PSID psidAdmins = NULL; PACL pDacl = NULL; PSECURITY_DESCRIPTOR pSecDesc = NULL; __try { // Scratch DWORD dwSize = 0; BOOL bResult = FALSE; // If this fails, you can try to fallback to OpenThreadToken if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &hToken)) { dwResult = GetLastError(); printf("%d",FALSE); __leave; /*failed*/ } bResult = GetTokenInformation(hToken, TokenUser, NULL, 0, &dwSize); dwResult = GetLastError(); printf("%d",bResult == FALSE && ERROR_INSUFFICIENT_BUFFER == dwResult); if (!(bResult == FALSE && ERROR_INSUFFICIENT_BUFFER == dwResult)) { __leave; /*failed*/ } if (dwSize) { pTokenInfo = HeapAlloc(GetProcessHeap(), 0, dwSize); dwResult = GetLastError(); printf("%d",NULL != pTokenInfo); if (NULL == pTokenInfo) { __leave; /*failed*/ } } bResult = GetTokenInformation(hToken, TokenUser, pTokenInfo, dwSize, &dwSize); dwResult = GetLastError(); printf("%d",bResult && pTokenInfo); if (!(bResult && pTokenInfo)) { __leave; /*failed*/ } PSID psidCurUser = ((TOKEN_USER*)pTokenInfo)->User.Sid; SID_IDENTIFIER_AUTHORITY sidEveryone = SECURITY_WORLD_SID_AUTHORITY; bResult = AllocateAndInitializeSid(&sidEveryone, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &psidEveryone); dwResult = GetLastError(); printf("%d",bResult && psidEveryone); if (!(bResult && psidEveryone)) { __leave; /*failed*/ } SID_IDENTIFIER_AUTHORITY sidSystem = SECURITY_NT_AUTHORITY; bResult = AllocateAndInitializeSid(&sidSystem, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &psidSystem); dwResult = GetLastError(); printf("%d",bResult && psidSystem); if (!(bResult && psidSystem)) { __leave; /*failed*/ } SID_IDENTIFIER_AUTHORITY sidAdministrators = SECURITY_NT_AUTHORITY; bResult = AllocateAndInitializeSid(&sidAdministrators, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &psidAdmins); dwResult = GetLastError(); printf("%d",bResult && psidAdmins); if (!(bResult && psidAdmins)) { __leave; /*failed*/ } const PSID psidArray[] = { psidEveryone, /* Deny most rights to everyone */ psidCurUser, /* Allow what was not denied */ psidSystem, /* Full control */ psidAdmins, /* Full control */ }; // Determine required size of the ACL dwSize = sizeof(ACL); // First the DENY, then the ALLOW dwSize += GetLengthSid(psidArray[0]); dwSize += sizeof(ACCESS_DENIED_ACE) - sizeof(DWORD); for (UINT i = 1; i < _countof(psidArray); i++) { // DWORD is the SidStart field, which is not used for absolute format dwSize += GetLengthSid(psidArray[i]); dwSize += sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD); } pDacl = (PACL)HeapAlloc(GetProcessHeap(), 0, dwSize); dwResult = GetLastError(); printf("%d",NULL != pDacl); if (NULL == pDacl) { __leave; /*failed*/ } bResult = InitializeAcl(pDacl, dwSize, ACL_REVISION); dwResult = GetLastError(); printf("%d",TRUE == bResult); if (FALSE == bResult) { __leave; /*failed*/ } // Mimic Protected Process // http://www.microsoft.com/whdc/system/vista/process_vista.mspx // Protected processes allow PROCESS_TERMINATE, which is // probably not appropriate for high integrity software. static const DWORD dwPoison = /*READ_CONTROL |*/ WRITE_DAC | WRITE_OWNER | PROCESS_CREATE_PROCESS | PROCESS_CREATE_THREAD | PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | // In addition to protected process PROCESS_SUSPEND_RESUME | PROCESS_TERMINATE; bResult = AddAccessDeniedAce(pDacl, ACL_REVISION, dwPoison, psidArray[0]); dwResult = GetLastError(); printf("%d",TRUE == bResult); if (FALSE == bResult) { __leave; /*failed*/ } // Standard and specific rights not explicitly denied static const DWORD dwAllowed = ~dwPoison & 0x1FFF; bResult = AddAccessAllowedAce(pDacl, ACL_REVISION, dwAllowed, psidArray[1]); dwResult = GetLastError(); printf("%d",TRUE == bResult); if (FALSE == bResult) { __leave; /*failed*/ } // Because of ACE ordering, System will effectively have dwAllowed even // though the ACE specifies PROCESS_ALL_ACCESS (unless software uses // SeDebugPrivilege or SeTcbName and increases access). // As an exercise, check behavior of tools such as Process Explorer under XP, // Vista, and above. Vista and above should exhibit slightly different behavior // due to Restricted tokens. bResult = AddAccessAllowedAce(pDacl, ACL_REVISION, PROCESS_ALL_ACCESS, psidArray[2]); dwResult = GetLastError(); printf("%d",TRUE == bResult); if (FALSE == bResult) { __leave; /*failed*/ } // Because of ACE ordering, Administrators will effectively have dwAllowed // even though the ACE specifies PROCESS_ALL_ACCESS (unless the Administrator // invokes 'discretionary security' by taking ownership and increasing access). // As an exercise, check behavior of tools such as Process Explorer under XP, // Vista, and above. Vista and above should exhibit slightly different behavior // due to Restricted tokens. bResult = AddAccessAllowedAce(pDacl, ACL_REVISION, PROCESS_ALL_ACCESS, psidArray[3]); dwResult = GetLastError(); printf("%d",TRUE == bResult); if (FALSE == bResult) { __leave; /*failed*/ } pSecDesc = (PSECURITY_DESCRIPTOR)HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH); dwResult = GetLastError(); printf("%d",NULL != pSecDesc); if (NULL == pSecDesc) { __leave; /*failed*/ } // InitializeSecurityDescriptor initializes a security descriptor in // absolute format, rather than self-relative format. See // http://msdn.microsoft.com/en-us/library/aa378863(VS.85).aspx bResult = InitializeSecurityDescriptor(pSecDesc, SECURITY_DESCRIPTOR_REVISION); dwResult = GetLastError(); printf("%d",TRUE == bResult); if (FALSE == bResult) { __leave; /*failed*/ } bResult = SetSecurityDescriptorDacl(pSecDesc, TRUE, pDacl, FALSE); dwResult = GetLastError(); printf("%d",TRUE == bResult); if (FALSE == bResult) { __leave; /*failed*/ } dwResult = SetSecurityInfo( GetCurrentProcess(), SE_KERNEL_OBJECT, // process object OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, psidCurUser, // NULL, // Owner SID NULL, // Group SID pDacl, NULL // SACL ); dwResult = GetLastError(); printf("----%d",ERROR_SUCCESS == dwResult); if (ERROR_SUCCESS != dwResult) { __leave; /*failed*/ } dwResult = ERROR_SUCCESS; } __finally { if (NULL != pSecDesc) { HeapFree(GetProcessHeap(), 0, pSecDesc); pSecDesc = NULL; } if (NULL != pDacl) { HeapFree(GetProcessHeap(), 0, pDacl); pDacl = NULL; } if (psidAdmins) { FreeSid(psidAdmins); psidAdmins = NULL; } if (psidSystem) { FreeSid(psidSystem); psidSystem = NULL; } if (psidEveryone) { FreeSid(psidEveryone); psidEveryone = NULL; } if (NULL != pTokenInfo) { HeapFree(GetProcessHeap(), 0, pTokenInfo); pTokenInfo = NULL; } if (NULL != hToken) { CloseHandle(hToken); hToken = NULL; } } return dwResult; } int main() { ProtectProcess1(); printf("now is ProtectProcess1\r\n"); getchar(); ProtectProcess2(); printf("now is ProtectProcess2\r\n"); getchar(); ProtectProcess3(); printf("now is ProtectProcess3\r\n"); getchar(); ProtectProcess4(); printf("now is ProtectProcess4\r\n"); getchar(); getchar(); return 0; }
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
赞赏
他的文章
看原图
赞赏
雪币:
留言: