- 注册时间
- 2011-3-6
- 最后登录
- 1970-1-1
该用户从未签到
|
模拟锁定文件的Rring 3下的程序代码,代码来自于看雪中的HWL发表的一份代码中,我只是看了下代码:
- #include <stdio.h>
- #include <Windows.h>
- void GetAllProcessA(int pids[],int *procount)
- {
- int i=0,c=0;
- HANDLE hProcess=0;
- for(i=8;i<19996;i+=4)
- {
- hProcess=OpenProcess(0x10,0,i);
- if (hProcess!=0)
- {
- pids[c]=i;
- CloseHandle(hProcess);
- c++;
- }
- }
- *procount=c;
- }
- int main()
- {
- #define SE_DEBUG_PRIVILEGE 0x14 //DEBUG 权限
- //源码中没有__stdcall,所以一直报checkesp.c line 14的错误
- typedef long (__stdcall *RTLADJUSTPRIVILEGE)(int, bool, bool, int*);
- typedef long (__stdcall *NTDUPLICATEOBJECT)(HANDLE,HANDLE,HANDLE,PHANDLE,ACCESS_MASK,BOOLEAN,ULONG);
- int nEn = 0;
- int pids[4*260];
- int procsnum=0;
- char pFile[260];
- //得到函数的地址
- RTLADJUSTPRIVILEGE getdbg=(RTLADJUSTPRIVILEGE)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),"RtlAdjustPrivilege");
- NTDUPLICATEOBJECT NtDuplicateObject=(NTDUPLICATEOBJECT)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),"NtDuplicateObject");
- //提升进程权限
- getdbg(SE_DEBUG_PRIVILEGE , TRUE, FALSE,&nEn);//SE_DEBUG_PRIVILEGE =20
- //getdbg(20,1,0,&bRet);
- memset(pids,0,4*260);
- memset(pFile,0,260);
- printf("Input the file name you want to protect: ");
- scanf("%s",pFile);
- //新建文件
- //#define GENERIC_READ (0x80000000L)
- //HANDLE hsFile = CreateFileA(pFile, 0x80000000, 0, 0, 3, 0, 0);
- HANDLE hsFile = CreateFileA(pFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
- //SetHandleInformation(hsFile,0,2);
- SetHandleInformation(hsFile, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE); //#define HANDLE_FLAG_PROTECT_FROM_CLOSE 0x00000002
-
- //得到当前存活的进程id列表和进程数目,
- GetAllProcessA(pids,&procsnum);
- //遍历当前存活的进程
- for(int i=0;i<procsnum;i++)
- {
- HANDLE htFile=0;
- //HANDLE hProcess = OpenProcess(0x1F0FFF, 0, pids[i]);
- //#define STANDARD_RIGHTS_REQUIRED (0x000F0000L)
- //#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
- 0xFFFF)
- //#define SYNCHRONIZE (0x00100000L)
- //不知道原作者为什么要用这些魔幻数,而不用PROCESS_ALL_ACCESS
- HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pids[i]);
- if (hProcess!=0)
- {
- //NtDuplicateObject((HANDLE)-1, hsFile, hProcess, &htFile, 0, 0, 4);
- NtDuplicateObject((HANDLE)-1, hsFile, hProcess, &htFile, 0, 0, 4); //DUPLICATE_SAME_ATTRIBUTES = 4
- CloseHandle(hProcess);
- }
- }
- getchar();
- printf("OK!\n");
- getchar();
- return 0;
复制代码
代码分析:遍历当前进程,将文件句柄复制到每个进程中,从而实际锁定文件 |
|