Windows C++ and process memory protection

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must do so under the same license, cite the original URL and author, and attribute it to the original authors (not me): StackOverflow original: http://stackoverflow.com/questions/1448302/

Date: 2020-09-15 13:09:55  Source: igfitidea

C++ and process memory protection

Tags: c++, windows, winapi, memory-management

Asked by user175908

I know that WinAPI has built-in hacking functions.

I even used them in C# with Pinvoke... To hack Minesweeper... It was easy... So...

How could I protect my application from process memory editing, deny DLL injection and other hacking methods? HOW?!

Hope WinAPI has something like void DontTouchMeOrIWillTerminateYou(bool protect)...

Answered by Martin v. Löwis

Access control in Windows is on a per-object basis. If you want to protect the process object, you need to set the ACL of the process object, either when the process is created (through lpProcessAttributes of CreateProcess), or afterwards (through SetKernelObjectSecurity). If you add a "deny all" entry to the ACL, attempts to open the process by an attacker will fail.

Of course, the owner of the process (and thus any malicious code run by the user) can change the ACL back to what it was - malicious code may not be prepared to do so, though. To prevent attacks from user space effectively, you need to run the process as a non-interactive user (e.g. as LocalSystem).

No amount of protection can prevent attacks from kernel space, so anybody who can install drivers can also hack any process on the system.

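The ACL route described in this answer, as an added example that is not code from the original answer: it applies a DACL containing a single deny-all ACE for Everyone to the current process with SetKernelObjectSecurity, reads it back as SDDL, and then restores the original DACL. The restore works because an object's owner is implicitly granted READ_CONTROL and WRITE_DAC, so code running as the same user can undo the protection exactly as the answer warns. The function names are mine, and the code is Windows-only; on other platforms only the SDDL helper compiles. Two caveats the answer does not spell out: the DACL is checked only when a new handle is opened, so handles that already exist (including the GetCurrentProcess() pseudo-handle) keep their access, and a caller holding SeDebugPrivilege (administrators by default) bypasses the process DACL in OpenProcess.

```cpp
// Added example: lock down the current process object's DACL, then undo it.
#include <cstdio>
#include <string>
#ifdef _WIN32
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <sddl.h>
#include <aclapi.h>
#pragma comment(lib, "advapi32.lib")
#endif

// SDDL for a DACL whose only entry denies GENERIC_ALL to the given SID alias
// ("WD" is Everyone). With this DACL, a new OpenProcess() on the PID fails
// with ERROR_ACCESS_DENIED for callers without SeDebugPrivilege.
std::string DenyAllSddlFor(const std::string& sidAlias) {
    return "D:(D;;GA;;;" + sidAlias + ")";
}

#ifdef _WIN32
// Current process DACL as an SDDL string (empty on failure).
std::string ReadProcessDacl() {
    PSECURITY_DESCRIPTOR sd = nullptr;
    PACL dacl = nullptr;
    if (GetSecurityInfo(GetCurrentProcess(), SE_KERNEL_OBJECT,
                        DACL_SECURITY_INFORMATION, nullptr, nullptr,
                        &dacl, nullptr, &sd) != ERROR_SUCCESS)
        return "";
    LPSTR text = nullptr;
    std::string out;
    if (ConvertSecurityDescriptorToStringSecurityDescriptorA(
            sd, SDDL_REVISION_1, DACL_SECURITY_INFORMATION, &text, nullptr)) {
        out = text;
        LocalFree(text);
    }
    LocalFree(sd);
    return out;
}

// Replace the current process DACL with the one described by `sddl`
// (the SetKernelObjectSecurity route from the answer).
bool WriteProcessDacl(const std::string& sddl) {
    PSECURITY_DESCRIPTOR sd = nullptr;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(
            sddl.c_str(), SDDL_REVISION_1, &sd, nullptr))
        return false;
    BOOL ok = SetKernelObjectSecurity(GetCurrentProcess(),
                                      DACL_SECURITY_INFORMATION, sd);
    LocalFree(sd);
    return ok != FALSE;
}
#endif

int main() {
#ifdef _WIN32
    const std::string original = ReadProcessDacl();
    std::printf("before:   %s\n", original.c_str());

    // Lock down. Another process running as the same user now gets
    // ERROR_ACCESS_DENIED from OpenProcess(PROCESS_VM_WRITE, FALSE, pid),
    // unless it holds SeDebugPrivilege, which bypasses the DACL entirely.
    if (!WriteProcessDacl(DenyAllSddlFor("WD"))) return 1;
    std::printf("locked:   %s\n", ReadProcessDacl().c_str());

    // The owner keeps READ_CONTROL and WRITE_DAC regardless of the DACL,
    // so code running as the same user can simply put the old DACL back.
    if (!WriteProcessDacl(original)) return 1;
    std::printf("restored: %s\n", ReadProcessDacl().c_str());
#else
    std::printf("Win32 only; deny-all SDDL for Everyone: %s\n",
                DenyAllSddlFor("WD").c_str());
#endif
    return 0;
}
```

To see the effect from outside, start this program, pause it after the "locked:" line, and try `OpenProcess(PROCESS_VM_WRITE, FALSE, pid)` from a second process as the same non-administrator user; it fails until the DACL is restored. Running the second process from an elevated prompt with SeDebugPrivilege enabled succeeds regardless, which is the user-space limit the answer describes before it gets to kernel-space attacks.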
Answered by sbk

Hacking? No. It's called debugging (for the most part)

And the short answer to your question is "No, you cannot do that". I hear that in Vista and later there are some OS processes that you cannot debug (DRM processes and the likes), but I'm not sure if you can make your processes run that way.

The real question is why you want to do that, and don't you have more important things to worry about (say, performance and usability, not to mention correctness of your software)?

Answered by Nick Dandoulakis

About memory editing, a trivial way to detect it would be to keep a checksum of some of your data.

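The checksum idea from this answer, carried through as an added example (not code from the answer): a small wrapper that stores a keyed FNV-1a checksum beside a value and validates it on every read, so a value patched in place by a memory editor (simulated here by writing through the raw address, which is what WriteProcessMemory does from outside) is noticed. The class and function names are mine. The last function shows the limit of the approach: an attacker who can also read the key and the checksum location recomputes the checksum after patching, so this only raises the bar against blind edits and does nothing against a debugger or a kernel driver.

```cpp
// Added example: detect in-place edits of a value with a keyed checksum.
#include <cstdint>
#include <cstdio>
#include <random>

// 64-bit FNV-1a over raw bytes, mixed with a per-run seed. Not cryptographic:
// it only stops an attacker who patches the value and leaves the checksum.
static uint64_t Fnv1a64(const void* data, size_t len, uint64_t seed) {
    const unsigned char* p = static_cast<const unsigned char*>(data);
    uint64_t h = 1469598103934665603ULL ^ seed;
    for (size_t i = 0; i < len; ++i) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

// T must be trivially copyable without padding bytes (int, uint32_t, ...),
// otherwise uninitialised padding makes the checksum unstable.
template <typename T>
class Guarded {
public:
    Guarded(T initial, uint64_t key) : key_(key), value_(), sum_(0) { Set(initial); }
    void Set(T v) { value_ = v; sum_ = Fnv1a64(&value_, sizeof(value_), key_); }
    // Returns false if the stored bytes no longer match the checksum.
    bool Get(T& out) const {
        if (Fnv1a64(&value_, sizeof(value_), key_) != sum_) return false;
        out = value_;
        return true;
    }
    // Raw addresses, exposed only to simulate an external memory writer.
    T* RawValueForDemo() { return &value_; }
    uint64_t* RawSumForDemo() { return &sum_; }
    uint64_t KeyForDemo() const { return key_; }
private:
    uint64_t key_;
    T value_;
    uint64_t sum_;
};

// A legitimate update goes through Set() and still validates.
bool LegitimateUpdateValidates() {
    Guarded<int> score(10, 0x1234);
    score.Set(42);
    int v = 0;
    return score.Get(v) && v == 42;
}

// A memory editor overwrites the value without touching the checksum:
// the next Get() fails, which is the detection the answer describes.
bool BlindPatchIsDetected() {
    std::random_device rd;
    uint64_t key = (uint64_t(rd()) << 32) | rd();   // fresh per run
    Guarded<int> lives(3, key);
    int v = 0;
    if (!lives.Get(v) || v != 3) return false;      // untouched value validates
    *lives.RawValueForDemo() = 999;                 // the "hack"
    return !lives.Get(v);                           // must now be rejected
}

// Limitation: an attacker who has located value, checksum and key in memory
// recomputes the checksum exactly as Set() does, and the edit goes unnoticed.
bool AttackerWithKeyDefeatsCheck() {
    Guarded<int> gold(100, 0xC0FFEE);
    *gold.RawValueForDemo() = 1000000;
    *gold.RawSumForDemo() =
        Fnv1a64(gold.RawValueForDemo(), sizeof(int), gold.KeyForDemo());
    int v = 0;
    return gold.Get(v) && v == 1000000;             // check passes
}

int main() {
    std::printf("legitimate update validates: %d\n", LegitimateUpdateValidates());
    std::printf("blind patch detected:        %d\n", BlindPatchIsDetected());
    std::printf("attacker with key undetected: %d\n", AttackerWithKeyDefeatsCheck());
    return 0;
}
```

Spreading the key and checksum across unrelated memory, or keeping the checksum in a different representation than the value, makes the last attack more work but does not change its outcome; the Martin v. Löwis answer's point about kernel-space attackers applies here too.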
Answered by ChrisW

Don't deploy/run your process on a machine controlled by the end-user: instead, run your process on your own machine, and let end-users communicate with your process via the internet.
