订阅
内核钩子实例
手工加载exe到内存(loadEXE.cpp)
进程防注
作者:admin 日期:2009-09-28
只给出一个代码有兴趣的朋友自己测试一下
BOOL Lock_CurrentProcess()
{
HANDLE hProcess = ::GetCurrentProcess();
SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;
PSID pSid;
BOOL bSus = FALSE;
bSus = ::AllocateAndInitializeSid(&sia,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,&pSid);
if(!bSus) goto Cleanup;
HANDLE hToken;
bSus = ::OpenProcessToken(hProcess,TOKEN_QUERY,&hToken);
if(!bSus) goto Cleanup;
DWORD dwReturnLength;
::GetTokenInformation(hToken,TokenUser,NULL,NULL,&dwReturnLength);
if(dwReturnLength > 0x400) goto Cleanup;
LPVOID TokenInformation;
TokenInformation = ::LocalAlloc(LPTR,0x400);//这里就引用SDK的函数不引用CRT的了
DWORD dw;
bSus = ::GetTokenInformation(hToken,TokenUser,TokenInformation,0x400,&dw);
if(!bSus) goto Cleanup;
PTOKEN_USER pTokenUser = (PTOKEN_USER)TokenInformation;
BYTE Buf[0x200];
PACL pAcl = (PACL)&Buf;
bSus = ::InitializeAcl(pAcl,1024,ACL_REVISION);
if(!bSus) goto Cleanup;
bSus = ::AddAccessDeniedAce(pAcl,ACL_REVISION,0x000000FA,pSid);
if(!bSus) goto Cleanup;
bSus = ::AddAccessAllowedAce(pAcl,ACL_REVISION,0x00100701,pTokenUser->User.Sid);
if(!bSus) goto Cleanup;
if(::SetSecurityInfo(hProcess,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,NULL,NULL,pAcl,NULL) == 0)
bSus = TRUE;
Cleanup:
if(hProcess != NULL)
::CloseHandle(hProcess);
if(pSid != NULL)
::FreeSid(pSid);
return bSus;
}
BOOL Lock_CurrentProcess()
{
HANDLE hProcess = ::GetCurrentProcess();
SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;
PSID pSid;
BOOL bSus = FALSE;
bSus = ::AllocateAndInitializeSid(&sia,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,&pSid);
if(!bSus) goto Cleanup;
HANDLE hToken;
bSus = ::OpenProcessToken(hProcess,TOKEN_QUERY,&hToken);
if(!bSus) goto Cleanup;
DWORD dwReturnLength;
::GetTokenInformation(hToken,TokenUser,NULL,NULL,&dwReturnLength);
if(dwReturnLength > 0x400) goto Cleanup;
LPVOID TokenInformation;
TokenInformation = ::LocalAlloc(LPTR,0x400);//这里就引用SDK的函数不引用CRT的了
DWORD dw;
bSus = ::GetTokenInformation(hToken,TokenUser,TokenInformation,0x400,&dw);
if(!bSus) goto Cleanup;
PTOKEN_USER pTokenUser = (PTOKEN_USER)TokenInformation;
BYTE Buf[0x200];
PACL pAcl = (PACL)&Buf;
bSus = ::InitializeAcl(pAcl,1024,ACL_REVISION);
if(!bSus) goto Cleanup;
bSus = ::AddAccessDeniedAce(pAcl,ACL_REVISION,0x000000FA,pSid);
if(!bSus) goto Cleanup;
bSus = ::AddAccessAllowedAce(pAcl,ACL_REVISION,0x00100701,pTokenUser->User.Sid);
if(!bSus) goto Cleanup;
if(::SetSecurityInfo(hProcess,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,NULL,NULL,pAcl,NULL) == 0)
bSus = TRUE;
Cleanup:
if(hProcess != NULL)
::CloseHandle(hProcess);
if(pSid != NULL)
::FreeSid(pSid);
return bSus;
}
文章来自: 
Tags: 评论: 0 | 查看次数: 6854
