Prevent a user process from being killed with "End Process" from Process Explorer

2022-01-02 00:00:00 process windows c++

I noticed that GoogleToolbarNotifier.exe cannot be killed from Process Explorer. It returns "Access Denied". It runs as the user, it runs "Normal" priority, and it runs from Program Files.

How do they do it?

I think there might be a way to modify the ACL, or mark the process as 'critical', but I cannot seem to locate anything.

Update:

I found the answer with a good bit of digging. @Alex K. was correct in that PROCESS_TERMINATE permission was removed for the process, but I wanted to supply the answer in code:

#include <windows.h>
#include <aclapi.h>
#include <tchar.h>

// Replaces the process object's DACL with a single deny ACE for the current user,
// so user-mode tools running as that user (Process Explorer, Task Manager) can no
// longer open the process for PROCESS_TERMINATE. SetEntriesInAcl is given no
// existing ACL, so the resulting DACL holds only this deny entry.
static bool ProtectProcess()
{
    HANDLE hProcess = GetCurrentProcess();   // pseudo-handle; CloseHandle is a no-op on it
    EXPLICIT_ACCESS denyAccess = {0};
    DWORD dwAccessPermissions = GENERIC_WRITE|PROCESS_ALL_ACCESS|WRITE_DAC|DELETE|WRITE_OWNER|READ_CONTROL;
    // "CURRENT_USER" is one of the special trustee names SetEntriesInAcl resolves itself.
    BuildExplicitAccessWithName( &denyAccess, _T("CURRENT_USER"), dwAccessPermissions, DENY_ACCESS, NO_INHERITANCE );
    PACL pTempDacl = NULL;
    DWORD dwErr = SetEntriesInAcl( 1, &denyAccess, NULL, &pTempDacl );
    if ( dwErr != ERROR_SUCCESS )
        return false;                        // nothing was allocated on failure
    dwErr = SetSecurityInfo( hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pTempDacl, NULL );
    LocalFree( pTempDacl );
    return dwErr == ERROR_SUCCESS;
}

Recommended answer

When running, my copy of that has Deny set on the Terminate permission (Process Explorer shows this).

Presumably they call SetKernelObjectSecurity to change/remove the ACLs when their process loads.
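The access decision the answer describes, as an added portable C++ model (this is not code from the question or the answer, and it calls no Win32 API so it compiles anywhere): it reproduces the DACL evaluation rules a process open goes through, using the numeric access-mask values from the Windows SDK headers, builds the DACL that the question's ProtectProcess() installs, and shows which callers it actually stops. The SIDs, the user/SYSTEM/debugger tokens and the "narrower" comparison DACL are constructed for the example; the canonical deny-before-allow ordering and the SeDebugPrivilege short-circuit are the documented Windows behaviour.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Access-mask bit values, copied from the Windows SDK headers.
constexpr uint32_t PROCESS_TERMINATE_BIT                 = 0x00000001;
constexpr uint32_t PROCESS_VM_READ_BIT                   = 0x00000010;
constexpr uint32_t PROCESS_QUERY_LIMITED_INFORMATION_BIT = 0x00001000;
constexpr uint32_t DELETE_BIT                            = 0x00010000;
constexpr uint32_t READ_CONTROL_BIT                      = 0x00020000;
constexpr uint32_t WRITE_DAC_BIT                         = 0x00040000;
constexpr uint32_t WRITE_OWNER_BIT                       = 0x00080000;
constexpr uint32_t PROCESS_ALL_ACCESS_BIT                = 0x001FFFFF; // Vista and later
constexpr uint32_t GENERIC_WRITE_BIT                     = 0x40000000;

enum class AceType { Deny, Allow };

struct Ace {
    AceType     type;
    std::string trustee;  // a SID; constructed string values stand in for real SIDs
    uint32_t    mask;
};

struct Token {
    std::vector<std::string> sids;                 // user SID followed by group SIDs
    bool                     seDebugPrivilegeEnabled;
};

// SetEntriesInAcl writes a canonical DACL: every deny ACE ahead of every allow ACE.
std::vector<Ace> buildCanonicalDacl(const std::vector<Ace>& entries) {
    std::vector<Ace> dacl;
    for (const Ace& a : entries) if (a.type == AceType::Deny)  dacl.push_back(a);
    for (const Ace& a : entries) if (a.type == AceType::Allow) dacl.push_back(a);
    return dacl;
}

static bool tokenHolds(const Token& token, const std::string& sid) {
    for (const std::string& s : token.sids) if (s == sid) return true;
    return false;
}

// Can a caller holding `token` open the process with `desired` access?
// - An enabled SeDebugPrivilege makes the process open skip the DACL entirely.
// - Otherwise ACEs are walked in order: a deny ACE covering any still-wanted bit
//   ends the check, an allow ACE subtracts its bits, and access is granted only
//   once every requested bit has been allowed. A DACL with no allow ACE grants nothing.
bool accessGranted(const std::vector<Ace>& dacl, const Token& token, uint32_t desired) {
    if (token.seDebugPrivilegeEnabled) return true;
    uint32_t remaining = desired;
    for (const Ace& ace : dacl) {
        if (!tokenHolds(token, ace.trustee)) continue;
        if (ace.type == AceType::Deny) {
            if (ace.mask & remaining) return false;
        } else {
            remaining &= ~ace.mask;
            if (remaining == 0) return true;
        }
    }
    return remaining == 0;
}

// The DACL that ProtectProcess() from the question installs: SetEntriesInAcl is
// given no existing ACL, so the result holds one deny ACE and no allow ACE at all.
std::vector<Ace> protectProcessDacl(const std::string& userSid) {
    const uint32_t denied = GENERIC_WRITE_BIT | PROCESS_ALL_ACCESS_BIT | WRITE_DAC_BIT |
                            DELETE_BIT | WRITE_OWNER_BIT | READ_CONTROL_BIT;
    return buildCanonicalDacl({ {AceType::Deny, userSid, denied} });
}

// A narrower variant (constructed for comparison): keep allow entries for the user
// and LocalSystem, as a default process DACL would, and deny only PROCESS_TERMINATE.
std::vector<Ace> denyTerminateOnlyDacl(const std::string& userSid) {
    return buildCanonicalDacl({
        {AceType::Allow, userSid,    PROCESS_ALL_ACCESS_BIT},
        {AceType::Allow, "S-1-5-18", PROCESS_ALL_ACCESS_BIT},   // LocalSystem
        {AceType::Deny,  userSid,    PROCESS_TERMINATE_BIT},
    });
}

int main() {
    const std::string userSid = "S-1-5-21-0-0-0-1001";                       // constructed
    const Token user     {{userSid, "S-1-5-32-545"}, false};                 // Users group
    const Token system   {{"S-1-5-18"}, false};
    const Token debugger {{"S-1-5-21-0-0-0-500", "S-1-5-32-544"}, true};     // SeDebugPrivilege on
    const std::vector<Ace> d = protectProcessDacl(userSid);
    std::printf("same user, PROCESS_TERMINATE: %s\n", accessGranted(d, user, PROCESS_TERMINATE_BIT) ? "granted" : "denied");
    std::printf("SYSTEM, PROCESS_TERMINATE:    %s\n", accessGranted(d, system, PROCESS_TERMINATE_BIT) ? "granted" : "denied");
    std::printf("SeDebugPrivilege holder:      %s\n", accessGranted(d, debugger, PROCESS_TERMINATE_BIT) ? "granted" : "denied");
    return 0;
}
```

Two things the model makes visible that the answer only implies. First, because ProtectProcess() hands SetEntriesInAcl no existing ACL, the new DACL has no allow entries at all: not only does the user lose PROCESS_TERMINATE, every other caller without a privilege bypass is refused too, which is why Process Explorer reports "Access Denied" rather than a selective restriction; the denyTerminateOnlyDacl variant shows how to keep the default allows and deny a single right. Second, any caller that enables SeDebugPrivilege (an elevated Process Explorer, an administrator's taskkill, an EDR agent, or a kernel-mode component) never consults this DACL, so the technique guards against accidental or unprivileged termination and nothing more; from a monitoring standpoint, a user process that rewrites its own DACL to a deny-only list is itself worth flagging.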
