Windows: preventing a user process from being killed with "End Process" in Process Explorer

Notice: this page reproduces a popular StackOverflow question and its answers under the CC BY-SA 4.0 licence. You are free to use and share it, but you must do so under the same licence, cite the original URL and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/6185975/

Date: 2020-09-15 16:58:18  Source: igfitidea

Prevent user process from being killed with "End Process" from Process Explorer

Tags: c++, windows, process

Asked by Blazes

I noticed that GoogleToolbarNotifier.exe cannot be killed from Process Explorer. It returns "Access Denied". It runs as the user, it runs "Normal" priority, and it runs from Program Files.

How did they do it?

I think there might be a way to modify the ACL, or mark the process as 'critical', but I cannot seem to locate anything.

Update:

I found the answer with a good bit of digging. @Alex K. was correct in that PROCESS_TERMINATE permission was removed for the process, but I wanted to supply the answer in code:

#include <windows.h>
#include <aclapi.h>
#include <tchar.h>

// Replaces the DACL of the current process with a single DENY entry for the
// current user that covers PROCESS_ALL_ACCESS (which includes PROCESS_TERMINATE).
static bool ProtectProcess()
{
    HANDLE hProcess = GetCurrentProcess();   // pseudo-handle; it never needs CloseHandle
    EXPLICIT_ACCESS denyAccess = {0};
    DWORD dwAccessPermissions = GENERIC_WRITE|PROCESS_ALL_ACCESS|WRITE_DAC|DELETE|WRITE_OWNER|READ_CONTROL;
    TCHAR szTrustee[] = _T("CURRENT_USER");  // special trustee name understood by the ACL API
    BuildExplicitAccessWithName( &denyAccess, szTrustee, dwAccessPermissions, DENY_ACCESS, NO_INHERITANCE );
    PACL pTempDacl = NULL;
    DWORD dwErr = SetEntriesInAcl( 1, &denyAccess, NULL, &pTempDacl );
    if (dwErr != ERROR_SUCCESS)
        return false;                        // nothing was allocated, nothing to free
    dwErr = SetSecurityInfo( hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pTempDacl, NULL );
    LocalFree( pTempDacl );
    return dwErr == ERROR_SUCCESS;
}

Accepted answer by Alex K.

When running, my copy of that has Deny set on the Terminate permission (Process Explorer shows this).

Presumably they call SetKernelObjectSecurity to change/remove the ACLs when their process loads.

Answered by Harry Johnston

The code given in the question is misleading. It constructs a DACL with no allow entries and one deny entry; that might make sense if you were applying the DACL to a file with inheritance enabled, but in this case the deny entry is redundant. In the Windows access control model, if a DACL exists but contains no matching ACE, access is implicitly denied.

Here's my version, which applies an empty DACL, denying all access. (Note that it returns an error code rather than a boolean.)

#include <windows.h>
#include <aclapi.h>
#include <stdlib.h>

// Applies an empty (zero-ACE) DACL to the current process. Because access is
// implicitly denied when a DACL contains no matching ACE, this denies every
// right, PROCESS_TERMINATE included. Returns a Win32 error code.
DWORD ProtectProcess(void)
{
    HANDLE hProcess = GetCurrentProcess();
    PACL pEmptyDacl;
    DWORD dwErr;

    // using malloc guarantees proper alignment
    pEmptyDacl = (PACL)malloc(sizeof(ACL));
    if (pEmptyDacl == NULL)
        return ERROR_NOT_ENOUGH_MEMORY;

    if (!InitializeAcl(pEmptyDacl, sizeof(ACL), ACL_REVISION))
    {
        dwErr = GetLastError();
    }
    else
    {
        dwErr = SetSecurityInfo(hProcess, SE_KERNEL_OBJECT,
                   DACL_SECURITY_INFORMATION, NULL, NULL, pEmptyDacl, NULL);
    }

    free(pEmptyDacl);
    return dwErr;
}
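To make the rule behind both answers concrete (Alex K.'s observation of "Deny" on the Terminate permission, and Harry Johnston's point that an empty DACL already denies everything), here is an added example that is not part of the original thread or of any answerer's code. It is a small C model of the DACL walk that Windows performs in AccessCheck rather than a call into the Win32 API, so it builds and runs on any platform: SIDs are plain strings, the token and the DACLs are constructed sample data, and the access-right values mirror the Win32 constants.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access-right bits; the two specific rights match the Win32 values and
 * the ALL mask covers every bit a process handle can carry. */
#define PROCESS_TERMINATE          0x0001u
#define PROCESS_QUERY_INFORMATION  0x0400u
#define PROCESS_ALL_ACCESS_MASK    0x1FFFFFu

typedef enum { ACE_ALLOW, ACE_DENY } AceType;

typedef struct {
    AceType     type;
    const char *trustee;   /* SID written as a string, e.g. "S-1-5-18" */
    uint32_t    mask;
} Ace;

typedef struct {
    bool       is_null;    /* NULL DACL: the object is unprotected */
    size_t     count;      /* 0 with is_null == false is an empty DACL */
    const Ace *aces;
} Dacl;

typedef struct {
    const char *const *sids;   /* SIDs held by the caller's token */
    size_t             count;
} Token;

static bool token_has_sid(const Token *t, const char *sid)
{
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->sids[i], sid) == 0)
            return true;
    return false;
}

/* Model of the DACL walk inside AccessCheck: a NULL DACL grants everything;
 * otherwise ACEs are read in order, a matching DENY that overlaps any
 * still-wanted right fails the check, a matching ALLOW satisfies the rights
 * it grants, and anything still wanted when the list ends is implicitly
 * denied. An empty DACL therefore denies every right to every caller. */
bool access_check(const Dacl *dacl, const Token *token, uint32_t desired)
{
    if (dacl->is_null)
        return true;
    uint32_t remaining = desired;
    for (size_t i = 0; i < dacl->count && remaining != 0; i++) {
        const Ace *ace = &dacl->aces[i];
        if (!token_has_sid(token, ace->trustee))
            continue;
        if (ace->type == ACE_DENY) {
            if (ace->mask & remaining)
                return false;
        } else {
            remaining &= ~ace->mask;
        }
    }
    return remaining == 0;
}

/* Constructed caller: a sample user SID plus the well-known Everyone SID. */
static const char *const kUserSids[] = { "S-1-5-21-0-0-0-1001", "S-1-1-0" };
static const Token kUser = { kUserSids, 2 };

/* Constructed DACLs for the cases discussed in the thread. */
static const Ace kDefaultAces[] = {       /* typical default: user and SYSTEM get full access */
    { ACE_ALLOW, "S-1-5-21-0-0-0-1001", PROCESS_ALL_ACCESS_MASK },
    { ACE_ALLOW, "S-1-5-18",            PROCESS_ALL_ACCESS_MASK },
};
static const Ace kDenyOnlyAces[] = {      /* the question's code: one DENY, no ALLOW */
    { ACE_DENY,  "S-1-5-21-0-0-0-1001", PROCESS_ALL_ACCESS_MASK },
};
static const Ace kDenyTerminateAces[] = { /* canonical order: DENY first, then ALLOW */
    { ACE_DENY,  "S-1-5-21-0-0-0-1001", PROCESS_TERMINATE },
    { ACE_ALLOW, "S-1-1-0",             PROCESS_ALL_ACCESS_MASK },
};
static const Dacl kNullDacl          = { true,  0, NULL };
static const Dacl kDefaultDacl       = { false, 2, kDefaultAces };
static const Dacl kDenyOnlyDacl      = { false, 1, kDenyOnlyAces };
static const Dacl kEmptyDacl         = { false, 0, NULL };   /* Harry Johnston's version */
static const Dacl kDenyTerminateDacl = { false, 2, kDenyTerminateAces };

bool can_terminate(const Dacl *dacl) { return access_check(dacl, &kUser, PROCESS_TERMINATE); }
bool can_query(const Dacl *dacl)     { return access_check(dacl, &kUser, PROCESS_QUERY_INFORMATION); }

static void report(const char *name, const Dacl *dacl)
{
    printf("%-22s terminate: %-7s query: %s\n", name,
           can_terminate(dacl) ? "allowed" : "denied",
           can_query(dacl)     ? "allowed" : "denied");
}

int main(void)
{
    report("NULL DACL",           &kNullDacl);
    report("default DACL",        &kDefaultDacl);
    report("deny-only DACL",      &kDenyOnlyDacl);
    report("empty DACL",          &kEmptyDacl);
    report("deny Terminate DACL", &kDenyTerminateDacl);
    return 0;
}
```

Running it shows which sample DACLs let the sample user terminate the process: the NULL DACL and the default DACL allow it, the deny-only DACL from the question and the empty DACL both refuse it (which is why the deny entry is redundant), and the deny-Terminate-then-allow-Everyone DACL refuses Terminate while still allowing query, which is the shape Process Explorer reports as "Deny" on a single permission. Two things the model deliberately leaves out: the owner of an object always has implicit READ_CONTROL and WRITE_DAC and can rewrite the DACL, and a caller with SeDebugPrivilege enabled bypasses the process DACL entirely, so this guards against casual termination by the same user, not against an administrator.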

Answered by Raghav Guar

I have tried to do it by writing a Windows service and then making some changes.

Here is the link for writing a simple Windows service: http://code.msdn.microsoft.com/windowsdesktop/CppWindowsService-cacf4948

We can then update the ServiceBase.cpp file with the following two statements:

fCanStop=FALSE; fCanShutdown=FALSE;