Ring3下实现进程保护,不用hook
生活随笔
收集整理的這篇文章主要介紹了
Ring3下实现进程保护,不用hook
小編覺(jué)得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.
今天在分析一款木馬的時(shí)候,發(fā)現(xiàn)做了進(jìn)程保護(hù),沒(méi)加驅(qū)動(dòng),也沒(méi)做hook,能做進(jìn)程保護(hù),感覺(jué)非常奇怪,原來(lái)是這么一回事,mark一下吧!
#include "stdafx.h"#include <windows.h> #include <Aclapi.h>#pragma comment(lib,"Advapi32.lib")BOOL Ring3ProtectProcess() {HANDLE hProcess = ::GetCurrentProcess();SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;PSID pSid;BOOL bSus = FALSE;bSus = ::AllocateAndInitializeSid(&sia,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,&pSid);if(!bSus) goto Cleanup;HANDLE hToken;bSus = ::OpenProcessToken(hProcess,TOKEN_QUERY,&hToken);if(!bSus) goto Cleanup;DWORD dwReturnLength;::GetTokenInformation(hToken,TokenUser,NULL,NULL,&dwReturnLength);if(dwReturnLength > 0x400) goto Cleanup;LPVOID TokenInformation;TokenInformation = ::LocalAlloc(LPTR,0x400);//這里就引用SDK的函數(shù)不引用CRT的了DWORD dw;bSus = ::GetTokenInformation(hToken,TokenUser,TokenInformation,0x400,&dw);if(!bSus) goto Cleanup;PTOKEN_USER pTokenUser = (PTOKEN_USER)TokenInformation;BYTE Buf[0x200];PACL pAcl = (PACL)&Buf;bSus = ::InitializeAcl(pAcl,1024,ACL_REVISION);if(!bSus) goto Cleanup;bSus = ::AddAccessDeniedAce(pAcl,ACL_REVISION,0xFFFFFFFF,pSid);if(!bSus) goto Cleanup;bSus = ::AddAccessAllowedAce(pAcl,ACL_REVISION,0x00100701,pTokenUser->User.Sid);if(!bSus) goto Cleanup;if(::SetSecurityInfo(hProcess,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,NULL,NULL,pAcl,NULL) == 0)bSus = TRUE; Cleanup:if(hProcess != NULL)::CloseHandle(hProcess);if(pSid != NULL)::FreeSid(pSid);return bSus; }int _tmain(int argc, _TCHAR* argv[]) {Ring3ProtectProcess(); printf("......");getchar();return 0; }
OpenProcess沒(méi)法獲取它的句柄了,自然也就結(jié)束不了進(jìn)程,也沒(méi)法對(duì)它進(jìn)行注入!
不過(guò)我只在Win7 x86環(huán)境試成功,XP系統(tǒng)沒(méi)成功,不知道啥原因,其他系統(tǒng)還沒(méi)測(cè)試.
總結(jié)
以上是生活随笔為你收集整理的Ring3下实现进程保护,不用hook的全部?jī)?nèi)容,希望文章能夠幫你解決所遇到的問(wèn)題。
- 上一篇: linux环境禁用apache目录浏览功
- 下一篇: VMware Vix API 操作虚拟机