今天在分析一款木马的时候,发现做了进程保护,没加驱动,也没做hook,能做进程保护,感觉非常奇怪,原来是这么一回事,mark一下吧!
#include "stdafx.h"
#include <windows.h>
#include <Aclapi.h>
#pragma comment(lib,"Advapi32.lib")

// Rewrites the DACL of the calling process: a deny ACE for the Everyone SID
// (all rights) followed by an allow ACE for the caller's own user SID, then
// applies it with PROTECTED_DACL_SECURITY_INFORMATION so inherited ACEs do not
// replace it. This is the user-mode "process protection" the post describes:
// no driver, no hooks — later OpenProcess() calls that go through the normal
// access check on this object are refused.
//
// Analyst notes: the DACL is only consulted for new handle opens, so handles
// that already existed keep working, and callers that bypass the object
// access check (e.g. a process holding SeDebugPrivilege) are not affected.
// A process whose DACL denies Everyone is itself a useful indicator when
// enumerating process security descriptors.
//
// Returns TRUE when every step up to AddAccessAllowedAce succeeded; see the
// note on SetSecurityInfo below — its failure is not reflected in the result.
BOOL Ring3ProtectProcess()
{
    // Pseudo-handle for the current process; the CloseHandle in Cleanup
    // therefore has no real effect.
    HANDLE hProcess = ::GetCurrentProcess();
    SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;
    // NOTE(review): not initialised — if AllocateAndInitializeSid fails, the
    // Cleanup label below reads pSid before it was ever assigned.
    PSID pSid;
    BOOL bSus = FALSE;
    // Builds S-1-1-0 (Everyone), the principal the deny ACE is written for.
    bSus = ::AllocateAndInitializeSid(&sia,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,&pSid);
    if(!bSus) goto Cleanup;
    // NOTE(review): hToken is never closed on any path (handle leak).
    HANDLE hToken;
    bSus = ::OpenProcessToken(hProcess,TOKEN_QUERY,&hToken);
    if(!bSus) goto Cleanup;
    // First call with a NULL buffer is the usual size probe; dwReturnLength is
    // only written when the call fails with an insufficient-buffer error, so
    // it is uninitialised if it fails for another reason — verify.
    DWORD dwReturnLength;
    ::GetTokenInformation(hToken,TokenUser,NULL,NULL,&dwReturnLength);
    if(dwReturnLength > 0x400) goto Cleanup;
    // NOTE(review): TokenInformation is never LocalFree'd (memory leak).
    LPVOID TokenInformation;
    TokenInformation = ::LocalAlloc(LPTR,0x400);// use the SDK allocator here rather than a CRT one
    DWORD dw;
    bSus = ::GetTokenInformation(hToken,TokenUser,TokenInformation,0x400,&dw);
    if(!bSus) goto Cleanup;
    // The user SID of the token owner, used for the allow ACE.
    PTOKEN_USER pTokenUser = (PTOKEN_USER)TokenInformation;
    // NOTE(review): Buf is 0x200 (512) bytes but the ACL below is declared as
    // 1024 bytes; the two ACEs added here are small, but the declared size
    // exceeds the backing buffer.
    BYTE Buf[0x200];
    PACL pAcl = (PACL)&Buf;
    bSus = ::InitializeAcl(pAcl,1024,ACL_REVISION);
    if(!bSus) goto Cleanup;
    // Deny every access right to Everyone. Because this ACE comes first and
    // the caller's user is itself a member of Everyone, the allow ACE that
    // follows is presumably never reached during an access check — confirm
    // against the ACL evaluation order.
    bSus = ::AddAccessDeniedAce(pAcl,ACL_REVISION,0xFFFFFFFF,pSid);
    if(!bSus) goto Cleanup;
    // 0x00100701 appears to be SYNCHRONIZE | PROCESS_QUERY_INFORMATION |
    // PROCESS_SET_INFORMATION | PROCESS_SET_QUOTA | PROCESS_TERMINATE —
    // verify against winnt.h.
    bSus = ::AddAccessAllowedAce(pAcl,ACL_REVISION,0x00100701,pTokenUser->User.Sid);
    if(!bSus) goto Cleanup;
    // SetSecurityInfo returns ERROR_SUCCESS (0) on success. NOTE(review): bSus
    // is already TRUE here and is never set to FALSE on failure, so the
    // function reports success even when the DACL was not applied.
    if(::SetSecurityInfo(hProcess,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,NULL,NULL,pAcl,NULL) == 0)
        bSus = TRUE;
Cleanup:
    if(hProcess != NULL) ::CloseHandle(hProcess);
    if(pSid != NULL) ::FreeSid(pSid);
    return bSus;
}

// Demo entry point: applies the DACL to this process, then blocks on stdin so
// the protected state can be observed from another tool. The return value of
// Ring3ProtectProcess is ignored.
int _tmain(int argc, _TCHAR* argv[])
{
    Ring3ProtectProcess();
    printf("......");
    getchar();
    return 0;
}
转载请注明:exchen's blog » Ring3下实现进程保护,不用hook