Ring3下实现进程保护,不用hook

今天在分析一款木马的时候,发现做了进程保护,没加驱动,也没做hook,能做进程保护,感觉非常奇怪,原来是这么一回事,mark一下吧!

#include "stdafx.h"

#include <windows.h>
#include <Aclapi.h>

#pragma comment(lib,"Advapi32.lib")

BOOL Ring3ProtectProcess()
{
	HANDLE hProcess = ::GetCurrentProcess();
	SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;
	PSID pSid;
	BOOL bSus = FALSE;
	bSus = ::AllocateAndInitializeSid(&sia,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,&pSid);
	if(!bSus) goto Cleanup;
	HANDLE hToken;
	bSus = ::OpenProcessToken(hProcess,TOKEN_QUERY,&hToken);
	if(!bSus) goto Cleanup;
	DWORD dwReturnLength;
	::GetTokenInformation(hToken,TokenUser,NULL,NULL,&dwReturnLength);
	if(dwReturnLength > 0x400) goto Cleanup;
	LPVOID TokenInformation;
	TokenInformation = ::LocalAlloc(LPTR,0x400);//这里就引用SDK的函数不引用CRT的了
	DWORD dw;
	bSus = ::GetTokenInformation(hToken,TokenUser,TokenInformation,0x400,&dw);
	if(!bSus) goto Cleanup;
	PTOKEN_USER pTokenUser = (PTOKEN_USER)TokenInformation;
	BYTE Buf[0x200];
	PACL pAcl = (PACL)&Buf;
	bSus = ::InitializeAcl(pAcl,1024,ACL_REVISION);
	if(!bSus) goto Cleanup;
	bSus = ::AddAccessDeniedAce(pAcl,ACL_REVISION,0xFFFFFFFF,pSid);
	if(!bSus) goto Cleanup;
	bSus = ::AddAccessAllowedAce(pAcl,ACL_REVISION,0x00100701,pTokenUser->User.Sid);
	if(!bSus) goto Cleanup;
	if(::SetSecurityInfo(hProcess,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,NULL,NULL,pAcl,NULL) == 0)
		bSus = TRUE;
Cleanup:
	if(hProcess != NULL)
		::CloseHandle(hProcess);
	if(pSid != NULL)
		::FreeSid(pSid);
	return bSus;
}


int _tmain(int argc, _TCHAR* argv[])
{
	Ring3ProtectProcess(); 
	printf("......");
	getchar();
	return 0;
}


OpenProcess没法获取它的句柄了,自然也就结束不了进程,也没法对它进行注入!

不过我只在Win7 x86环境试成功,XP系统没成功,不知道啥原因,其他系统还没测试.

你可能感兴趣的:(Ring3下实现进程保护,不用hook)