模拟锁定文件的Rring 3下的程序代码,代码来自于看雪中的HWL发表的一份代码中,我仅仅是看了下代码:
#include <stdio.h>
#include <Windows.h>
void GetAllProcessA(int pids[],int *procount)
{
int i=0,c=0;
HANDLE hProcess=0;
for(i=8;i<19996;i+=4)
{
hProcess=OpenProcess(0x10,0,i);
if (hProcess!=0)
{
pids[c]=i;
CloseHandle(hProcess);
c++;
}
}
*procount=c;
}
int main()
{
#define SE_DEBUG_PRIVILEGE 0x14 //DEBUG 权限
//源码中没有__stdcall,所以一直报checkesp.c line 14的错误
typedef long (__stdcall *RTLADJUSTPRIVILEGE)(int, bool, bool, int*);
typedef long (__stdcall *NTDUPLICATEOBJECT)(HANDLE,HANDLE,HANDLE,PHANDLE,ACCESS_MASK,BOOLEAN,ULONG);
int nEn = 0;
int pids[4*260];
int procsnum=0;
char pFile[260];
//得到函数的地址
RTLADJUSTPRIVILEGE getdbg=(RTLADJUSTPRIVILEGE)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),"RtlAdjustPrivilege");
NTDUPLICATEOBJECT NtDuplicateObject=(NTDUPLICATEOBJECT)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),"NtDuplicateObject");
//提升进程权限
getdbg(SE_DEBUG_PRIVILEGE , TRUE, FALSE,&nEn);//SE_DEBUG_PRIVILEGE =20
//getdbg(20,1,0,&bRet);
memset(pids,0,4*260);
memset(pFile,0,260);
printf("Input the file name you want to protect: ");
scanf("%s",pFile);
//新建文件
//#define GENERIC_READ (0x80000000L)
//HANDLE hsFile = CreateFileA(pFile, 0x80000000, 0, 0, 3, 0, 0);
HANDLE hsFile = CreateFileA(pFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
//SetHandleInformation(hsFile,0,2);
SetHandleInformation(hsFile, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE); //#define HANDLE_FLAG_PROTECT_FROM_CLOSE 0x00000002
//得到当前存活的进程id列表和进程数目,
GetAllProcessA(pids,&procsnum);
//遍历当前存活的进程
for(int i=0;i<procsnum;i++)
{
HANDLE htFile=0;
//HANDLE hProcess = OpenProcess(0x1F0FFF, 0, pids[i]);
//#define STANDARD_RIGHTS_REQUIRED (0x000F0000L)
//#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
0xFFFF)
//#define SYNCHRONIZE (0x00100000L)
//不知道原作者为什么要用这些魔幻数,而不用PROCESS_ALL_ACCESS
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pids[i]);
if (hProcess!=0)
{
//NtDuplicateObject((HANDLE)-1, hsFile, hProcess, &htFile, 0, 0, 4);
NtDuplicateObject((HANDLE)-1, hsFile, hProcess, &htFile, 0, 0, 4); //DUPLICATE_SAME_ATTRIBUTES = 4
CloseHandle(hProcess);
}
}
getchar();
printf("OK!\n");
getchar();
return 0;
}
代码分析:
遍历当前进程,将文件句柄拷贝到每一个进程中,从而实际锁定文件
posted on 2017-08-09 08:30  yutingliuyl  阅读(171)  评论(0编辑  收藏  举报