
Prevent user process from being killed with "End Process" from Process Explorer

I noticed that GoogleToolbarNotifier.exe cannot be killed from Process Explorer. It returns "Access Denied". It runs as the user, it runs at "Normal" priority, and it runs from Program Files.

How did they do it?

I think there might be a way to modify the ACL, or mark the process as 'critical', but I cannot seem to locate anything.

Update:

I found the answer with a good bit of digging. @Alex K. was correct in that PROCESS_TERMINATE permission was removed for the process, but I wanted to supply the answer in code:

#include <windows.h>
#include <aclapi.h>
#include <tchar.h>

static bool ProtectProcess()
{
    HANDLE hProcess = GetCurrentProcess();   // pseudo-handle; CloseHandle on it is a no-op
    EXPLICIT_ACCESS denyAccess = {0};
    DWORD dwAccessPermissions = GENERIC_WRITE|PROCESS_ALL_ACCESS|WRITE_DAC|DELETE|WRITE_OWNER|READ_CONTROL;
    // "CURRENT_USER" is a special trustee name that resolves to the caller's user SID
    BuildExplicitAccessWithName( &denyAccess, _T("CURRENT_USER"), dwAccessPermissions, DENY_ACCESS, NO_INHERITANCE );
    PACL pTempDacl = NULL;
    DWORD dwErr = SetEntriesInAcl( 1, &denyAccess, NULL, &pTempDacl );
    if ( dwErr != ERROR_SUCCESS )
        return false;
    // replace the process DACL with the one-entry deny ACL built above
    dwErr = SetSecurityInfo( hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pTempDacl, NULL );
    LocalFree( pTempDacl );
    return dwErr == ERROR_SUCCESS;
}

The code given in the question is misleading. It constructs a DACL with no allow entries and one deny entry; that might make sense if you were applying the DACL to a file with inheritance enabled, but in this case the deny entry is redundant. In the Windows access control model, if a DACL exists but contains no matching ACE, access is implicitly denied.

Here's my version, which applies an empty DACL, denying all access. (Note that it returns an error code rather than a boolean.)

#include <windows.h>
#include <aclapi.h>
#include <stdlib.h>

DWORD ProtectProcess(void)
{
    HANDLE hProcess = GetCurrentProcess();
    PACL pEmptyDacl;
    DWORD dwErr;

    // using malloc guarantees proper alignment
    pEmptyDacl = (PACL)malloc(sizeof(ACL));
    if (pEmptyDacl == NULL)
        return ERROR_NOT_ENOUGH_MEMORY;

    // An ACL with room only for its header holds no ACEs: it is empty, not
    // NULL (a NULL DACL would grant everyone full access).
    if (!InitializeAcl(pEmptyDacl, sizeof(ACL), ACL_REVISION))
    {
        dwErr = GetLastError();
    }
    else
    {
        dwErr = SetSecurityInfo(hProcess, SE_KERNEL_OBJECT,
                   DACL_SECURITY_INFORMATION, NULL, NULL, pEmptyDacl, NULL);
    }

    free(pEmptyDacl);
    return dwErr;
}
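The access-control behaviour this answer relies on (a NULL DACL, an empty DACL, and a DACL holding only a deny ACE) can be checked offline with the following Python model. It is an added example, not code from the answer or from the question: it builds ACLs in the binary layout winnt.h defines, parses them back, and evaluates a simplified version of the documented AccessCheck algorithm. The SIDs are constructed placeholders, the access-mask constants are the winnt.h values, and the check deliberately ignores owner rights, privileges and generic-right mapping.

```python
import struct
from typing import Optional

# ACE types and ACL revision from winnt.h
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
ACL_REVISION = 2

# A few process-specific rights plus the WRITE_DAC standard right (winnt.h values)
PROCESS_TERMINATE = 0x0001
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
WRITE_DAC = 0x00040000


def sid_bytes(authority, *subs):
    """Binary SID: revision 1, sub-authority count, 6-byte big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def parse_sid(data):
    """Decode a binary SID into its S-1-... string form."""
    if len(data) < 8 or data[0] != 1:
        raise ValueError("malformed SID")
    count = data[1]
    if len(data) < 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def ace_bytes(ace_type, mask, sid):
    """ACE_HEADER (type, flags, size) followed by the access mask and the SID."""
    body = struct.pack("<I", mask) + sid
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def acl_bytes(aces):
    """ACL header (revision, Sbz1, AclSize, AceCount, Sbz2) followed by the ACEs.
    acl_bytes([]) is the header-only ACL that InitializeAcl(sizeof(ACL)) builds."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(body), len(aces), 0) + body


def parse_acl(data):
    """Return (ace_type, mask, sid_string) tuples in ACL order, refusing any
    header or ACE size that would read past the buffer."""
    if len(data) < 8:
        raise ValueError("ACL shorter than its header")
    rev, _, size, count, _ = struct.unpack_from("<BBHHH", data, 0)
    if rev != ACL_REVISION or size > len(data):
        raise ValueError("malformed ACL header")
    aces, off = [], 8
    for _ in range(count):
        if off + 8 > size:
            raise ValueError("ACE runs past the ACL")
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", data, off)
        if ace_size < 8 or off + ace_size > size:
            raise ValueError("ACE runs past the ACL")
        (mask,) = struct.unpack_from("<I", data, off + 4)
        aces.append((ace_type, mask, parse_sid(data[off + 8:off + ace_size])))
        off += ace_size
    return aces


def access_check(dacl: Optional[bytes], token_sids, desired):
    """Simplified DACL evaluation as documented for AccessCheck: a NULL DACL
    grants everything to everyone; a present DACL grants only what its ACEs
    allow, so an empty DACL grants nothing; ACEs are walked in order, a
    matching deny ACE covering any still-wanted right fails the check, and
    matching allow ACEs accumulate until nothing is left wanted."""
    if dacl is None:
        return True
    remaining = desired
    for ace_type, mask, sid in parse_acl(dacl):
        if sid not in token_sids:
            continue
        if ace_type == ACCESS_DENIED_ACE_TYPE and (mask & remaining):
            return False
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            remaining &= ~mask
        if remaining == 0:
            return True
    return remaining == 0


def compare_dacls():
    """Evaluate PROCESS_TERMINATE (and one read right) against the DACL shapes
    discussed above, for a constructed user whose token also holds Everyone."""
    user = sid_bytes(5, 21, 111, 222, 333, 1001)   # constructed placeholder user SID
    everyone = sid_bytes(1, 0)                       # S-1-1-0
    token = {parse_sid(user), parse_sid(everyone)}
    normal = PROCESS_TERMINATE | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
    deny_only = acl_bytes([ace_bytes(ACCESS_DENIED_ACE_TYPE, normal | WRITE_DAC, user)])
    typical = acl_bytes([ace_bytes(ACCESS_ALLOWED_ACE_TYPE, normal, user)])
    deny_then_allow = acl_bytes([ace_bytes(ACCESS_DENIED_ACE_TYPE, PROCESS_TERMINATE, user),
                                 ace_bytes(ACCESS_ALLOWED_ACE_TYPE, normal, user)])
    return {
        "null_dacl_terminate": access_check(None, token, PROCESS_TERMINATE),
        "empty_dacl_terminate": access_check(acl_bytes([]), token, PROCESS_TERMINATE),
        "deny_only_terminate": access_check(deny_only, token, PROCESS_TERMINATE),
        "typical_terminate": access_check(typical, token, PROCESS_TERMINATE),
        "deny_then_allow_terminate": access_check(deny_then_allow, token, PROCESS_TERMINATE),
        "deny_then_allow_query": access_check(deny_then_allow, token, PROCESS_QUERY_INFORMATION),
    }


if __name__ == "__main__":
    for name, granted in compare_dacls().items():
        print("%-28s %s" % (name, "granted" if granted else "denied"))
```

Running it prints one line per case: the empty DACL and the lone deny ACE both refuse PROCESS_TERMINATE, which is the redundancy the answer points out, while a NULL DACL grants it. When triaging a process whose Security tab in Process Explorer shows a present-but-empty DACL, that is a deliberate choice made by the process, not a system default. Two things the model leaves out matter in practice: an object's owner keeps READ_CONTROL and WRITE_DAC regardless of the DACL, and a caller holding SeDebugPrivilege bypasses the process DACL entirely, so either technique above only stops ordinary users, not administrators.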

When running, my copy of that has Deny set on the Terminate permission (Process Explorer shows this).

Presumably they call SetKernelObjectSecurity to change/remove the ACLs when their process loads.

I have tried to do it with the help of writing Windows services, and then making some changes.

Here is the link to write a simple Windows service: http://code.msdn.microsoft.com/windowsdesktop/CppWindowsService-cacf4948

and we can update the ServiceBase.cpp file with the following two statements:

fCanStop = FALSE;
fCanShutdown = FALSE;
