首页
社区
课程
招聘
未解决 [求助]关于ACL的问题,保护自身不被OpenProcess,不想上驱动,但是有的系统有效,有的系统无效,还请大佬指点,谢谢
发表于: 2020-7-29 16:26 2040

未解决 [求助]关于ACL的问题,保护自身不被OpenProcess,不想上驱动,但是有的系统有效,有的系统无效,还请大佬指点,谢谢

2020-7-29 16:26
2040

尝试了好几种代码,均来自网上,如果上驱动的话,直接注册一个回调过滤权限就行了,但是感觉不值当,能在ring3解决的问题还是轻易不弄驱动,下面的代码,有4种实现方式,每种在我的win10x64上都可以实现阻止其他进程OpenProcess自己,但是扔到Win7x64虚拟机里就完蛋了,形同虚设,不知道问题出在哪,返回值还都正确,有点懵,还请大佬指点指点。

#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
#include <sddl.h>
#include <accctrl.h>
#include <aclapi.h>

BOOL ProtectProcess1()
{
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
    SECURITY_ATTRIBUTES sa;
    TCHAR * szSD = TEXT("D:P");
    TEXT("(D;OICI;GA;;;BG)");    
    TEXT("(D;OICI;GA;;;AN)");        
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.bInheritHandle = FALSE;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptor(szSD, SDDL_REVISION_1, &(sa.lpSecurityDescriptor), NULL))
    {
        return FALSE;
    }
    if (!SetKernelObjectSecurity(hProcess, DACL_SECURITY_INFORMATION, sa.lpSecurityDescriptor))
    {
        return FALSE;
    }
    return TRUE;
}

BOOL ProtectProcess2()
{
    HANDLE hProcess = GetCurrentProcess();
    EXPLICIT_ACCESS denyAccess = { 0 };
    DWORD dwAccessPermissions = GENERIC_WRITE | PROCESS_ALL_ACCESS | WRITE_DAC | DELETE | WRITE_OWNER | READ_CONTROL;
    BuildExplicitAccessWithName(&denyAccess, _T("CURRENT_USER"), dwAccessPermissions, DENY_ACCESS, NO_INHERITANCE);
    PACL pTempDacl = NULL;
    DWORD dwErr = 0;
    dwErr = SetEntriesInAcl(1, &denyAccess, NULL, &pTempDacl);

    dwErr = SetSecurityInfo(hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pTempDacl, NULL);
    // check dwErr...
    LocalFree(pTempDacl);
    CloseHandle(hProcess);
    return dwErr == ERROR_SUCCESS;
}

BOOL ProtectProcess3()
{
    HANDLE hProcess = GetCurrentProcess();
    PACL pEmptyDacl;
    DWORD dwErr;

    pEmptyDacl = (PACL)malloc(sizeof(ACL));

    if (!InitializeAcl(pEmptyDacl, sizeof(ACL), ACL_REVISION))
    {
        dwErr = GetLastError();
    }
    else
    {
        dwErr = SetSecurityInfo(hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pEmptyDacl, NULL);
    }

    free(pEmptyDacl);
    return dwErr;
}


DWORD ProtectProcess4()
{
    // Returned to caller
    DWORD dwResult = (DWORD)-1;

    // Released on exit
    HANDLE hToken = NULL;
    PVOID pTokenInfo = NULL;

    PSID psidEveryone = NULL;
    PSID psidSystem = NULL;
    PSID psidAdmins = NULL;

    PACL pDacl = NULL;
    PSECURITY_DESCRIPTOR pSecDesc = NULL;

    __try
    {
        // Scratch
        DWORD dwSize = 0;
        BOOL bResult = FALSE;

        // If this fails, you can try to fallback to OpenThreadToken
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &hToken)) {
            dwResult = GetLastError();
            printf("%d",FALSE);
            __leave; /*failed*/
        }

        bResult = GetTokenInformation(hToken, TokenUser, NULL, 0, &dwSize);
        dwResult = GetLastError();
        printf("%d",bResult == FALSE && ERROR_INSUFFICIENT_BUFFER == dwResult);
        if (!(bResult == FALSE && ERROR_INSUFFICIENT_BUFFER == dwResult)) { __leave; /*failed*/ }

        if (dwSize) {
            pTokenInfo = HeapAlloc(GetProcessHeap(), 0, dwSize);
            dwResult = GetLastError();
            printf("%d",NULL != pTokenInfo);
            if (NULL == pTokenInfo) { __leave; /*failed*/ }
        }

        bResult = GetTokenInformation(hToken, TokenUser, pTokenInfo, dwSize, &dwSize);
        dwResult = GetLastError();
        printf("%d",bResult && pTokenInfo);
        if (!(bResult && pTokenInfo)) { __leave; /*failed*/ }

        PSID psidCurUser = ((TOKEN_USER*)pTokenInfo)->User.Sid;

        SID_IDENTIFIER_AUTHORITY sidEveryone = SECURITY_WORLD_SID_AUTHORITY;
        bResult = AllocateAndInitializeSid(&sidEveryone, 1,
            SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &psidEveryone);
        dwResult = GetLastError();
        printf("%d",bResult && psidEveryone);
        if (!(bResult && psidEveryone)) { __leave; /*failed*/ }

        SID_IDENTIFIER_AUTHORITY sidSystem = SECURITY_NT_AUTHORITY;
        bResult = AllocateAndInitializeSid(&sidSystem, 1,
            SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &psidSystem);
        dwResult = GetLastError();
        printf("%d",bResult && psidSystem);
        if (!(bResult && psidSystem)) { __leave; /*failed*/ }

        SID_IDENTIFIER_AUTHORITY sidAdministrators = SECURITY_NT_AUTHORITY;
        bResult = AllocateAndInitializeSid(&sidAdministrators, 2,
            SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
            0, 0, 0, 0, 0, 0, &psidAdmins);
        dwResult = GetLastError();
        printf("%d",bResult && psidAdmins);
        if (!(bResult && psidAdmins)) { __leave; /*failed*/ }

        const PSID psidArray[] = {
            psidEveryone, /* Deny most rights to everyone */
            psidCurUser, /* Allow what was not denied */
            psidSystem, /* Full control */
            psidAdmins, /* Full control */
        };

        // Determine required size of the ACL
        dwSize = sizeof(ACL);

        // First the DENY, then the ALLOW
        dwSize += GetLengthSid(psidArray[0]);
        dwSize += sizeof(ACCESS_DENIED_ACE) - sizeof(DWORD);

        for (UINT i = 1; i < _countof(psidArray); i++) {
            // DWORD is the SidStart field, which is not used for absolute format
            dwSize += GetLengthSid(psidArray[i]);
            dwSize += sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD);
        }

        pDacl = (PACL)HeapAlloc(GetProcessHeap(), 0, dwSize);
        dwResult = GetLastError();
        printf("%d",NULL != pDacl);
        if (NULL == pDacl) { __leave; /*failed*/ }

        bResult = InitializeAcl(pDacl, dwSize, ACL_REVISION);
        dwResult = GetLastError();
        printf("%d",TRUE == bResult);
        if (FALSE == bResult) { __leave; /*failed*/ }

        // Mimic Protected Process
        // http://www.microsoft.com/whdc/system/vista/process_vista.mspx
        // Protected processes allow PROCESS_TERMINATE, which is
        // probably not appropriate for high integrity software.
        static const DWORD dwPoison =
            /*READ_CONTROL |*/ WRITE_DAC | WRITE_OWNER |
            PROCESS_CREATE_PROCESS | PROCESS_CREATE_THREAD |
            PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION |
            PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION |
            PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE |
            // In addition to protected process
            PROCESS_SUSPEND_RESUME | PROCESS_TERMINATE;
        bResult = AddAccessDeniedAce(pDacl, ACL_REVISION, dwPoison, psidArray[0]);
        dwResult = GetLastError();
        printf("%d",TRUE == bResult);
        if (FALSE == bResult) { __leave; /*failed*/ }

        // Standard and specific rights not explicitly denied
        static const DWORD dwAllowed = ~dwPoison & 0x1FFF;
        bResult = AddAccessAllowedAce(pDacl, ACL_REVISION, dwAllowed, psidArray[1]);
        dwResult = GetLastError();
        printf("%d",TRUE == bResult);
        if (FALSE == bResult) { __leave; /*failed*/ }

        // Because of ACE ordering, System will effectively have dwAllowed even
        // though the ACE specifies PROCESS_ALL_ACCESS (unless software uses
        // SeDebugPrivilege or SeTcbName and increases access).
        // As an exercise, check behavior of tools such as Process Explorer under XP,
        // Vista, and above. Vista and above should exhibit slightly different behavior
        // due to Restricted tokens.
        bResult = AddAccessAllowedAce(pDacl, ACL_REVISION, PROCESS_ALL_ACCESS, psidArray[2]);
        dwResult = GetLastError();
        printf("%d",TRUE == bResult);
        if (FALSE == bResult) { __leave; /*failed*/ }

        // Because of ACE ordering, Administrators will effectively have dwAllowed
        // even though the ACE specifies PROCESS_ALL_ACCESS (unless the Administrator
        // invokes 'discretionary security' by taking ownership and increasing access).
        // As an exercise, check behavior of tools such as Process Explorer under XP,
        // Vista, and above. Vista and above should exhibit slightly different behavior
        // due to Restricted tokens.
        bResult = AddAccessAllowedAce(pDacl, ACL_REVISION, PROCESS_ALL_ACCESS, psidArray[3]);
        dwResult = GetLastError();
        printf("%d",TRUE == bResult);
        if (FALSE == bResult) { __leave; /*failed*/ }

        pSecDesc = (PSECURITY_DESCRIPTOR)HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
        dwResult = GetLastError();
        printf("%d",NULL != pSecDesc);
        if (NULL == pSecDesc) { __leave; /*failed*/ }

        // InitializeSecurityDescriptor initializes a security descriptor in
        // absolute format, rather than self-relative format. See
        // http://msdn.microsoft.com/en-us/library/aa378863(VS.85).aspx
        bResult = InitializeSecurityDescriptor(pSecDesc, SECURITY_DESCRIPTOR_REVISION);
        dwResult = GetLastError();
        printf("%d",TRUE == bResult);
        if (FALSE == bResult) { __leave; /*failed*/ }

        bResult = SetSecurityDescriptorDacl(pSecDesc, TRUE, pDacl, FALSE);
        dwResult = GetLastError();
        printf("%d",TRUE == bResult);
        if (FALSE == bResult) { __leave; /*failed*/ }

        dwResult = SetSecurityInfo(
            GetCurrentProcess(),
            SE_KERNEL_OBJECT, // process object
            OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
            psidCurUser, // NULL, // Owner SID
            NULL, // Group SID
            pDacl,
            NULL // SACL
        );
        dwResult = GetLastError();
        printf("----%d",ERROR_SUCCESS == dwResult);
        if (ERROR_SUCCESS != dwResult) { __leave; /*failed*/ }

        dwResult = ERROR_SUCCESS;
    }
    __finally
    {
        if (NULL != pSecDesc) {
            HeapFree(GetProcessHeap(), 0, pSecDesc);
            pSecDesc = NULL;
        }
        if (NULL != pDacl) {
            HeapFree(GetProcessHeap(), 0, pDacl);
            pDacl = NULL;
        }
        if (psidAdmins) {
            FreeSid(psidAdmins);
            psidAdmins = NULL;
        }
        if (psidSystem) {
            FreeSid(psidSystem);
            psidSystem = NULL;
        }
        if (psidEveryone) {
            FreeSid(psidEveryone);
            psidEveryone = NULL;
        }
        if (NULL != pTokenInfo) {
            HeapFree(GetProcessHeap(), 0, pTokenInfo);
            pTokenInfo = NULL;
        }
        if (NULL != hToken) {
            CloseHandle(hToken);
            hToken = NULL;
        }
    }

    return dwResult;
}



int main()
{
    ProtectProcess1();
    printf("now is ProtectProcess1\r\n"); getchar();

    ProtectProcess2();
    printf("now is ProtectProcess2\r\n"); getchar();

    ProtectProcess3();
    printf("now is ProtectProcess3\r\n"); getchar();

    ProtectProcess4();
    printf("now is ProtectProcess4\r\n"); getchar();

    getchar();

    return 0;
}

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 0
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//