今天在分析一款木马的时候,发现做了进程保护,没加驱动,也没做hook,能做进程保护,感觉非常奇怪,原来是这么一回事,mark一下吧!
// Listing quoted in the post: the trojan's user-mode (ring 3) "process protection".
// No driver and no hooks - it rewrites the DACL of its own process object so that
// later OpenProcess() calls from other processes fail. Reviewer remarks are
// marked NOTE(review).
#include "stdafx.h"
#include <windows.h>
#include <Aclapi.h>
#pragma comment(lib,"Advapi32.lib")

// Replaces the DACL of the current process with a deny-all ACE for "Everyone"
// followed by an allow ACE for the current token's user SID.
// Returns TRUE when every step succeeded; see the NOTE at SetSecurityInfo for a
// failure path that is still reported as TRUE.
BOOL Ring3ProtectProcess()
{
    // Pseudo-handle of the calling process; CloseHandle() on it at Cleanup has no effect.
    HANDLE hProcess = ::GetCurrentProcess();
    SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;
    // Not initialized: if AllocateAndInitializeSid fails, the goto right after it
    // reaches FreeSid(pSid) with an indeterminate pointer.
    PSID pSid;
    BOOL bSus = FALSE;
    // World authority with one sub-authority of 0 = the well-known "Everyone" SID (S-1-1-0).
    bSus = ::AllocateAndInitializeSid(&sia,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,&pSid);
    if(!bSus) goto Cleanup;
    HANDLE hToken;   // never closed on any path (handle leak)
    bSus = ::OpenProcessToken(hProcess,TOKEN_QUERY,&hToken);
    if(!bSus) goto Cleanup;
    DWORD dwReturnLength;
    // Size query only (NULL buffer, length 0): the return value is deliberately ignored,
    // only the required size in dwReturnLength is used.
    ::GetTokenInformation(hToken,TokenUser,NULL,NULL,&dwReturnLength);
    if(dwReturnLength > 0x400) goto Cleanup;
    LPVOID TokenInformation;   // never LocalFree'd (memory leak)
    TokenInformation = ::LocalAlloc(LPTR,0x400);//use the SDK allocator here rather than the CRT
    DWORD dw;
    bSus = ::GetTokenInformation(hToken,TokenUser,TokenInformation,0x400,&dw);
    if(!bSus) goto Cleanup;
    // The gotos above jump past this initialized declaration; standard C++ rejects
    // that (MSVC accepts it as an extension) - wrap it in a block if portability matters.
    PTOKEN_USER pTokenUser = (PTOKEN_USER)TokenInformation;
    BYTE Buf[0x200];
    PACL pAcl = (PACL)&Buf;
    // Declares the ACL as 1024 bytes although Buf holds only 0x200 (512). The two ACEs
    // added below fit, but the declared size does not match the storage.
    bSus = ::InitializeAcl(pAcl,1024,ACL_REVISION);
    if(!bSus) goto Cleanup;
    // First ACE: deny every access bit to Everyone. It is appended first, so the
    // access check evaluates it before the allow ACE.
    bSus = ::AddAccessDeniedAce(pAcl,ACL_REVISION,0xFFFFFFFF,pSid);
    if(!bSus) goto Cleanup;
    // Second ACE: allow 0x00100701 to the token's user SID (looks like SYNCHRONIZE |
    // PROCESS_QUERY_INFORMATION | PROCESS_SET_INFORMATION | PROCESS_SET_QUOTA |
    // PROCESS_TERMINATE - confirm against winnt.h).
    // NOTE(review): the current user is also a member of Everyone and the deny ACE
    // precedes this one, so this allow ACE is presumably never effective; the resulting
    // DACL denies everybody, including the owning user's own later OpenProcess() calls.
    bSus = ::AddAccessAllowedAce(pAcl,ACL_REVISION,0x00100701,pTokenUser->User.Sid);
    if(!bSus) goto Cleanup;
    // Install the DACL on the process object; PROTECTED_DACL_SECURITY_INFORMATION only
    // blocks inheritance from a parent. SetSecurityInfo returns ERROR_SUCCESS (0) on
    // success. On failure bSus is still TRUE from the AddAccessAllowedAce call above,
    // so a failed SetSecurityInfo is reported to the caller as success.
    // NOTE(review): changing the DACL does not revoke handles that already exist
    // (e.g. the one the parent received from CreateProcess); callers that hold
    // SeDebugPrivilege are not subject to the process DACL; and the object's owner
    // normally keeps implicit READ_CONTROL/WRITE_DAC and can reset the DACL. Those are
    // the avenues a defender uses to inspect or stop such a process.
    if(::SetSecurityInfo(hProcess,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,NULL,NULL,pAcl,NULL) == 0) bSus = TRUE;
Cleanup:
    if(hProcess != NULL) ::CloseHandle(hProcess);
    if(pSid != NULL) ::FreeSid(pSid);
    return bSus;
}

// Demo entry point: apply the DACL, then block on stdin so the process stays alive
// while it is examined from outside. The return value of Ring3ProtectProcess is ignored.
int _tmain(int argc, _TCHAR* argv[])
{
    Ring3ProtectProcess();
    printf("......");
    getchar();
    return 0;
}
设置了这个 DACL 之后,其他进程用 OpenProcess 就没法获取它的句柄了,自然也就结束不了进程,也没法对它进行注入!
不过我只在Win7 x86环境试成功,XP系统没成功,不知道啥原因,其他系统还没测试.