Ring3下实现进程保护,不用hook
生活随笔
收集整理的這篇文章主要介紹了
Ring3下实现进程保护,不用hook
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
今天在分析一款木馬的時候,發現做了進程保護,沒加驅動,也沒做hook,能做進程保護,感覺非常奇怪,原來是這么一回事,mark一下吧!
#include "stdafx.h"#include <windows.h> #include <Aclapi.h>#pragma comment(lib,"Advapi32.lib")BOOL Ring3ProtectProcess() {HANDLE hProcess = ::GetCurrentProcess();SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;PSID pSid;BOOL bSus = FALSE;bSus = ::AllocateAndInitializeSid(&sia,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,&pSid);if(!bSus) goto Cleanup;HANDLE hToken;bSus = ::OpenProcessToken(hProcess,TOKEN_QUERY,&hToken);if(!bSus) goto Cleanup;DWORD dwReturnLength;::GetTokenInformation(hToken,TokenUser,NULL,NULL,&dwReturnLength);if(dwReturnLength > 0x400) goto Cleanup;LPVOID TokenInformation;TokenInformation = ::LocalAlloc(LPTR,0x400);//這里就引用SDK的函數不引用CRT的了DWORD dw;bSus = ::GetTokenInformation(hToken,TokenUser,TokenInformation,0x400,&dw);if(!bSus) goto Cleanup;PTOKEN_USER pTokenUser = (PTOKEN_USER)TokenInformation;BYTE Buf[0x200];PACL pAcl = (PACL)&Buf;bSus = ::InitializeAcl(pAcl,1024,ACL_REVISION);if(!bSus) goto Cleanup;bSus = ::AddAccessDeniedAce(pAcl,ACL_REVISION,0xFFFFFFFF,pSid);if(!bSus) goto Cleanup;bSus = ::AddAccessAllowedAce(pAcl,ACL_REVISION,0x00100701,pTokenUser->User.Sid);if(!bSus) goto Cleanup;if(::SetSecurityInfo(hProcess,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,NULL,NULL,pAcl,NULL) == 0)bSus = TRUE; Cleanup:if(hProcess != NULL)::CloseHandle(hProcess);if(pSid != NULL)::FreeSid(pSid);return bSus; }int _tmain(int argc, _TCHAR* argv[]) {Ring3ProtectProcess(); printf("......");getchar();return 0; }
OpenProcess沒法獲取它的句柄了,自然也就結束不了進程,也沒法對它進行注入!
不過我只在Win7 x86環境試成功,XP系統沒成功,不知道啥原因,其他系統還沒測試.
總結
以上是生活随笔為你收集整理的Ring3下实现进程保护,不用hook的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: linux环境禁用apache目录浏览功
- 下一篇: VMware Vix API 操作虚拟机