-
-
未解决 [求助]关于ACL的问题,保护自身不被OpenProcess,不想上驱动,但是有的系统有效,有的系统无效,还请大佬指点,谢谢
-
发表于: 2020-7-29 16:26 2040
-
尝试了好几种代码,均来自网上,如果上驱动的话,直接注册一个回调过滤权限就行了,但是感觉不值当,能在ring3解决的问题还是轻易不弄驱动,下面的代码,有4种实现方式,每种在我的win10x64上都可以实现阻止其他进程OpenProcess自己,但是扔到Win7x64虚拟机里就完蛋了,形同虚设,不知道问题出在哪,返回值还都正确,有点懵,还请大佬指点指点。
#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
#include <sddl.h>
#include <accctrl.h>
#include <aclapi.h>
BOOL ProtectProcess1()
{
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
SECURITY_ATTRIBUTES sa;
TCHAR * szSD = TEXT("D:P");
TEXT("(D;OICI;GA;;;BG)");
TEXT("(D;OICI;GA;;;AN)");
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.bInheritHandle = FALSE;
if (!ConvertStringSecurityDescriptorToSecurityDescriptor(szSD, SDDL_REVISION_1, &(sa.lpSecurityDescriptor), NULL))
{
return FALSE;
}
if (!SetKernelObjectSecurity(hProcess, DACL_SECURITY_INFORMATION, sa.lpSecurityDescriptor))
{
return FALSE;
}
return TRUE;
}
BOOL ProtectProcess2()
{
HANDLE hProcess = GetCurrentProcess();
EXPLICIT_ACCESS denyAccess = { 0 };
DWORD dwAccessPermissions = GENERIC_WRITE | PROCESS_ALL_ACCESS | WRITE_DAC | DELETE | WRITE_OWNER | READ_CONTROL;
BuildExplicitAccessWithName(&denyAccess, _T("CURRENT_USER"), dwAccessPermissions, DENY_ACCESS, NO_INHERITANCE);
PACL pTempDacl = NULL;
DWORD dwErr = 0;
dwErr = SetEntriesInAcl(1, &denyAccess, NULL, &pTempDacl);
dwErr = SetSecurityInfo(hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pTempDacl, NULL);
// check dwErr...
LocalFree(pTempDacl);
CloseHandle(hProcess);
return dwErr == ERROR_SUCCESS;
}
BOOL ProtectProcess3()
{
HANDLE hProcess = GetCurrentProcess();
PACL pEmptyDacl;
DWORD dwErr;
pEmptyDacl = (PACL)malloc(sizeof(ACL));
if (!InitializeAcl(pEmptyDacl, sizeof(ACL), ACL_REVISION))
{
dwErr = GetLastError();
}
else
{
dwErr = SetSecurityInfo(hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pEmptyDacl, NULL);
}
free(pEmptyDacl);
return dwErr;
}
DWORD ProtectProcess4()
{
// Returned to caller
DWORD dwResult = (DWORD)-1;
// Released on exit
HANDLE hToken = NULL;
PVOID pTokenInfo = NULL;
PSID psidEveryone = NULL;
PSID psidSystem = NULL;
PSID psidAdmins = NULL;
PACL pDacl = NULL;
PSECURITY_DESCRIPTOR pSecDesc = NULL;
__try
{
// Scratch
DWORD dwSize = 0;
BOOL bResult = FALSE;
// If this fails, you can try to fallback to OpenThreadToken
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &hToken)) {
dwResult = GetLastError();
printf("%d",FALSE);
__leave; /*failed*/
}
bResult = GetTokenInformation(hToken, TokenUser, NULL, 0, &dwSize);
dwResult = GetLastError();
printf("%d",bResult == FALSE && ERROR_INSUFFICIENT_BUFFER == dwResult);
if (!(bResult == FALSE && ERROR_INSUFFICIENT_BUFFER == dwResult)) { __leave; /*failed*/ }
if (dwSize) {
pTokenInfo = HeapAlloc(GetProcessHeap(), 0, dwSize);
dwResult = GetLastError();
printf("%d",NULL != pTokenInfo);
if (NULL == pTokenInfo) { __leave; /*failed*/ }
}
bResult = GetTokenInformation(hToken, TokenUser, pTokenInfo, dwSize, &dwSize);
dwResult = GetLastError();
printf("%d",bResult && pTokenInfo);
if (!(bResult && pTokenInfo)) { __leave; /*failed*/ }
PSID psidCurUser = ((TOKEN_USER*)pTokenInfo)->User.Sid;
SID_IDENTIFIER_AUTHORITY sidEveryone = SECURITY_WORLD_SID_AUTHORITY;
bResult = AllocateAndInitializeSid(&sidEveryone, 1,
SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &psidEveryone);
dwResult = GetLastError();
printf("%d",bResult && psidEveryone);
if (!(bResult && psidEveryone)) { __leave; /*failed*/ }
SID_IDENTIFIER_AUTHORITY sidSystem = SECURITY_NT_AUTHORITY;
bResult = AllocateAndInitializeSid(&sidSystem, 1,
SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &psidSystem);
dwResult = GetLastError();
printf("%d",bResult && psidSystem);
if (!(bResult && psidSystem)) { __leave; /*failed*/ }
SID_IDENTIFIER_AUTHORITY sidAdministrators = SECURITY_NT_AUTHORITY;
bResult = AllocateAndInitializeSid(&sidAdministrators, 2,
SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0, &psidAdmins);
dwResult = GetLastError();
printf("%d",bResult && psidAdmins);
if (!(bResult && psidAdmins)) { __leave; /*failed*/ }
const PSID psidArray[] = {
psidEveryone, /* Deny most rights to everyone */
psidCurUser, /* Allow what was not denied */
psidSystem, /* Full control */
psidAdmins, /* Full control */
};
// Determine required size of the ACL
dwSize = sizeof(ACL);
// First the DENY, then the ALLOW
dwSize += GetLengthSid(psidArray[0]);
dwSize += sizeof(ACCESS_DENIED_ACE) - sizeof(DWORD);
for (UINT i = 1; i < _countof(psidArray); i++) {
// DWORD is the SidStart field, which is not used for absolute format
dwSize += GetLengthSid(psidArray[i]);
dwSize += sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD);
}
pDacl = (PACL)HeapAlloc(GetProcessHeap(), 0, dwSize);
dwResult = GetLastError();
printf("%d",NULL != pDacl);
if (NULL == pDacl) { __leave; /*failed*/ }
bResult = InitializeAcl(pDacl, dwSize, ACL_REVISION);
dwResult = GetLastError();
printf("%d",TRUE == bResult);
if (FALSE == bResult) { __leave; /*failed*/ }
// Mimic Protected Process
// http://www.microsoft.com/whdc/system/vista/process_vista.mspx
// Protected processes allow PROCESS_TERMINATE, which is
// probably not appropriate for high integrity software.
static const DWORD dwPoison =
/*READ_CONTROL |*/ WRITE_DAC | WRITE_OWNER |
PROCESS_CREATE_PROCESS | PROCESS_CREATE_THREAD |
PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION |
PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION |
PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE |
// In addition to protected process
PROCESS_SUSPEND_RESUME | PROCESS_TERMINATE;
bResult = AddAccessDeniedAce(pDacl, ACL_REVISION, dwPoison, psidArray[0]);
dwResult = GetLastError();
printf("%d",TRUE == bResult);
if (FALSE == bResult) { __leave; /*failed*/ }
// Standard and specific rights not explicitly denied
static const DWORD dwAllowed = ~dwPoison & 0x1FFF;
bResult = AddAccessAllowedAce(pDacl, ACL_REVISION, dwAllowed, psidArray[1]);
dwResult = GetLastError();
printf("%d",TRUE == bResult);
if (FALSE == bResult) { __leave; /*failed*/ }
// Because of ACE ordering, System will effectively have dwAllowed even
// though the ACE specifies PROCESS_ALL_ACCESS (unless software uses
// SeDebugPrivilege or SeTcbName and increases access).
// As an exercise, check behavior of tools such as Process Explorer under XP,
// Vista, and above. Vista and above should exhibit slightly different behavior
// due to Restricted tokens.
bResult = AddAccessAllowedAce(pDacl, ACL_REVISION, PROCESS_ALL_ACCESS, psidArray[2]);
dwResult = GetLastError();
printf("%d",TRUE == bResult);
if (FALSE == bResult) { __leave; /*failed*/ }
// Because of ACE ordering, Administrators will effectively have dwAllowed
// even though the ACE specifies PROCESS_ALL_ACCESS (unless the Administrator
// invokes 'discretionary security' by taking ownership and increasing access).
// As an exercise, check behavior of tools such as Process Explorer under XP,
// Vista, and above. Vista and above should exhibit slightly different behavior
// due to Restricted tokens.
bResult = AddAccessAllowedAce(pDacl, ACL_REVISION, PROCESS_ALL_ACCESS, psidArray[3]);
dwResult = GetLastError();
printf("%d",TRUE == bResult);
if (FALSE == bResult) { __leave; /*failed*/ }
pSecDesc = (PSECURITY_DESCRIPTOR)HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
dwResult = GetLastError();
printf("%d",NULL != pSecDesc);
if (NULL == pSecDesc) { __leave; /*failed*/ }
// InitializeSecurityDescriptor initializes a security descriptor in
// absolute format, rather than self-relative format. See
// http://msdn.microsoft.com/en-us/library/aa378863(VS.85).aspx
bResult = InitializeSecurityDescriptor(pSecDesc, SECURITY_DESCRIPTOR_REVISION);
dwResult = GetLastError();
printf("%d",TRUE == bResult);
if (FALSE == bResult) { __leave; /*failed*/ }
bResult = SetSecurityDescriptorDacl(pSecDesc, TRUE, pDacl, FALSE);
dwResult = GetLastError();
printf("%d",TRUE == bResult);
if (FALSE == bResult) { __leave; /*failed*/ }
dwResult = SetSecurityInfo(
GetCurrentProcess(),
SE_KERNEL_OBJECT, // process object
OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
psidCurUser, // NULL, // Owner SID
NULL, // Group SID
pDacl,
NULL // SACL
);
dwResult = GetLastError();
printf("----%d",ERROR_SUCCESS == dwResult);
if (ERROR_SUCCESS != dwResult) { __leave; /*failed*/ }
dwResult = ERROR_SUCCESS;
}
__finally
{
if (NULL != pSecDesc) {
HeapFree(GetProcessHeap(), 0, pSecDesc);
pSecDesc = NULL;
}
if (NULL != pDacl) {
HeapFree(GetProcessHeap(), 0, pDacl);
pDacl = NULL;
}
if (psidAdmins) {
FreeSid(psidAdmins);
psidAdmins = NULL;
}
if (psidSystem) {
FreeSid(psidSystem);
psidSystem = NULL;
}
if (psidEveryone) {
FreeSid(psidEveryone);
psidEveryone = NULL;
}
if (NULL != pTokenInfo) {
HeapFree(GetProcessHeap(), 0, pTokenInfo);
pTokenInfo = NULL;
}
if (NULL != hToken) {
CloseHandle(hToken);
hToken = NULL;
}
}
return dwResult;
}
int main()
{
ProtectProcess1();
printf("now is ProtectProcess1\r\n"); getchar();
ProtectProcess2();
printf("now is ProtectProcess2\r\n"); getchar();
ProtectProcess3();
printf("now is ProtectProcess3\r\n"); getchar();
ProtectProcess4();
printf("now is ProtectProcess4\r\n"); getchar();
getchar();
return 0;
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
赞赏
|
|
|---|---|
|
|
他的文章
赞赏
雪币:
留言:
