Rendre un process inkillable via SetSecurityInfo

bonjour

je voudrais rendre mon process inkillable via SetSecurityInfo, mais je ne trouve pas beaucoup d'infos là-dessus...


 


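' SetSecurityInfo (advapi32): sets the owner, group, DACL and/or SACL of an object
' given an open handle. The last four parameters are the pointers themselves
' (PSID / PACL), so they must be passed ByVal; declaring them ByRef, as before,
' hands the API the address of a VB Long instead of the SID/ACL. Pass 0 for the
' parts not selected in SecurityInfo. Returns ERROR_SUCCESS (0) or a Win32 error code.
Private Declare Function SetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ByVal psidOwner As Long, ByVal psidGroup As Long, ByVal pDacl As Long, ByVal pSacl As Long) As Long

' GetSecurityInfo (advapi32): here the pointer parameters are out-parameters
' (PSID*, PACL*, PSECURITY_DESCRIPTOR*), so ByRef is right: the API writes the
' pointer into the variable passed. "As Any" lets a caller pass ByVal 0& for the
' parts it does not want. ppSecurityDescriptor receives a block to release with
' LocalFree once the other pointers are no longer needed.
Private Declare Function GetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any, ppSecurityDescriptor As Long) As Long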

' SE_OBJECT_TYPE (accctrl.h): the kind of securable object a handle or name
' refers to; SetSecurityInfo / GetSecurityInfo use it to select the right
' security-descriptor routines. Values are sequential from 0 as in the SDK.
Private Enum SE_OBJECT_TYPE
    SE_UNKNOWN_OBJECT_TYPE = 0
    SE_FILE_OBJECT = 1                ' file or directory
    SE_SERVICE = 2                    ' Windows service
    SE_PRINTER = 3
    SE_REGISTRY_KEY = 4
    SE_LMSHARE = 5                    ' network share
    SE_KERNEL_OBJECT = 6              ' process, thread, event, mutex, ... (use this for a process handle)
    SE_WINDOW_OBJECT = 7              ' window station or desktop
    SE_DS_OBJECT = 8                  ' directory service object
    SE_DS_OBJECT_ALL = 9              ' directory service object and all of its property sets
    SE_PROVIDER_DEFINED_OBJECT = 10
    SE_WMIGUID_OBJECT = 11
End Enum

2 réponses

salut,

un exemple :
Option Explicit

' --- Access rights (winnt.h) ----------------------------------------------
Private Const SYNCHRONIZE As Long = &H100000
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const WRITE_DAC As Long = &H40000             ' right to modify an object's DACL
Private Const PROCESS_TERMINATE As Long = (&H1)        ' kept for the narrower deny variant noted in SetPermissions
' Pre-Vista definition of PROCESS_ALL_ACCESS (process-specific mask 0xFFF);
' newer SDKs widen the low mask to 0xFFFF.
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)

' --- ACL / security-descriptor constants (accctrl.h, winnt.h) --------------
Private Const SE_KERNEL_OBJECT As Long = 6&            ' SE_OBJECT_TYPE value for processes, threads, ...
Private Const DENY_ACCESS As Long = 3                  ' ACCESS_MODE: add an access-denied ACE
Private Const NO_INHERITANCE As Long = 0
Private Const DACL_SECURITY_INFORMATION As Long = &H4&
Private Const SID_REVISION As Long = 1

' TRUSTEE_FORM (accctrl.h): how TRUSTEE.ptstrName identifies the trustee.
Private Enum TRUSTEE_FORM
    TRUSTEE_IS_SID = 0    ' ptstrName is the address of a SID
    TRUSTEE_IS_NAME = 1   ' ptstrName is the address of an account name string
End Enum
' TRUSTEE_TYPE (accctrl.h): what kind of account the trustee is.
Private Enum TRUSTEE_TYPE
    TRUSTEE_IS_UNKNOWN = 0
    TRUSTEE_IS_USER = 1
    TRUSTEE_IS_GROUP = 2
End Enum
' MULTIPLE_TRUSTEE_OPERATION (accctrl.h): NO_MULTIPLE_TRUSTEE is the only value
' in normal use; pMultipleTrustee must then be 0.
Private Enum MULTIPLE_TRUSTEE_OPERATION
    NO_MULTIPLE_TRUSTEE = 0
    TRUSTEE_IS_IMPERSONATE = 1
End Enum

' Minimal SID layout with exactly one sub-authority: revision, sub-authority
' count, 6-byte identifier authority (big-endian), then the sub-authority.
' Field order and sizes must match the Win32 SID structure, since its address
' is handed to SetEntriesInAcl through TRUSTEE.ptstrName.
Private Type SID
   Revision As Byte
   SubAuthorityCount As Byte
   IdentifierAuthority(5) As Byte   ' 6 bytes, indices 0..5; the last byte is the low-order one
   SubAuthority As Long             ' only one slot: SubAuthorityCount must be 1
End Type
' Win32 TRUSTEE (accctrl.h): identifies the account an ACE applies to.
' ptstrName holds either a SID address or a string address depending on TrusteeForm.
Private Type TRUSTEE
    pMultipleTrustee As Long                                 ' 0 unless MultipleTrusteeOperation says otherwise
    MultipleTrusteeOperation As MULTIPLE_TRUSTEE_OPERATION
    TrusteeForm As TRUSTEE_FORM
    TrusteeType As TRUSTEE_TYPE
    ptstrName As Long                                        ' pointer, not a VB String
End Type
' Win32 EXPLICIT_ACCESS (accctrl.h): one ACE description for SetEntriesInAcl.
Private Type EXPLICIT_ACCESS
    grfAccessPermissions As Long   ' access mask the entry grants or denies
    grfAccessMode As Long          ' ACCESS_MODE value, e.g. DENY_ACCESS
    grfInheritance As Long         ' inheritance flags; NO_INHERITANCE for a process object
    myTrustee As TRUSTEE           ' named "Trustee" in the SDK; the field name is local to this module
End Type

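Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long
Private Declare Function GetLastError Lib "kernel32.dll" () As Long
Private Declare Function SetEntriesInAcl Lib "ADVAPI32.dll" Alias "SetEntriesInAclW" (ByVal cCountOfExplicitEntries As Long, ByRef pListOfExplicitEntries As EXPLICIT_ACCESS, ByVal OldAcl As Long, ByRef NewAcl As Long) As Long
Private Declare Function SetSecurityInfo Lib "ADVAPI32.dll" (ByVal handle As Long, ByVal ObjectType As Long, ByVal SecurityInfo As Long, ByVal psidOwner As Long, ByVal psidGroup As Long, ByVal pDacl As Long, ByVal pSacl As Long) As Long
Private Declare Function LocalFree Lib "kernel32.dll" (ByVal hMem As Long) As Long

' Replaces the DACL of a process with a single ACE denying PROCESS_ALL_ACCESS
' to Everyone (S-1-1-0), so that callers without special privileges can no
' longer open the process with the rights needed to terminate it.
'
' pid     : id of the process to protect; 0 means the current process.
' Returns : 0 on success, otherwise the Win32 error code reported by
'           OpenProcess, SetEntriesInAcl or SetSecurityInfo.
'
' Limits: a caller holding SeDebugPrivilege bypasses the DACL altogether, and
' because the deny applies to Everyone it also locks out the owner's own
' management tools. The existing DACL is replaced, not merged, since
' SetEntriesInAcl is given a NULL OldAcl.
Public Function SetPermissions(ByVal pid As Long) As Long
     Dim dwErr As Long
     Dim hProcess As Long
     Dim pDacl As Long
     Dim ownsHandle As Boolean

     ' WRITE_DAC is the only right SetSecurityInfo needs for a DACL change.
     If pid = 0 Then
        hProcess = -1       ' GetCurrentProcess() pseudo-handle; must not be closed
     Else
        hProcess = OpenProcess(WRITE_DAC, 0, pid)
        If hProcess = 0 Then
            ' Err.LastDllError is the reliable way to read GetLastError from VB:
            ' the runtime may issue its own API calls between a Declare call and
            ' a separate GetLastError() call, clobbering the value.
            SetPermissions = Err.LastDllError
            Exit Function
        End If
        ownsHandle = True
     End If

     ' Well-known SID S-1-1-0 (Everyone): SECURITY_WORLD_SID_AUTHORITY is
     ' {0,0,0,0,0,1}, with a single sub-authority of 0.
     Dim world As SID
     With world
        .Revision = SID_REVISION
        .SubAuthorityCount = 1
        .IdentifierAuthority(5) = 1
        .SubAuthority = 0
     End With

     ' One explicit deny entry for that SID. PROCESS_TERMINATE Or WRITE_DAC
     ' instead of PROCESS_ALL_ACCESS gives a narrower deny.
     Dim ea As EXPLICIT_ACCESS
     With ea
         .grfAccessPermissions = PROCESS_ALL_ACCESS
         .grfAccessMode = DENY_ACCESS
         .grfInheritance = NO_INHERITANCE
         With .myTrustee
             .pMultipleTrustee = 0
             .MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE
             .TrusteeForm = TRUSTEE_IS_SID
             .TrusteeType = TRUSTEE_IS_USER
             .ptstrName = VarPtr(world.Revision)   ' Revision is the first field, so this is the SID's address
         End With
     End With

     dwErr = SetEntriesInAcl(1, ea, 0, pDacl)
     ' Stop on failure: calling SetSecurityInfo with pDacl = 0 would install a
     ' NULL DACL, which means "no protection at all" - the opposite of the intent.
     If dwErr = 0 Then
         dwErr = SetSecurityInfo(hProcess, SE_KERNEL_OBJECT, _
                                 DACL_SECURITY_INFORMATION, _
                                 0, 0, pDacl, 0)
     End If

     ' SetEntriesInAcl's result is released with LocalFree; the real handle
     ' from OpenProcess must be closed, the pseudo-handle must not.
     If pDacl <> 0 Then LocalFree pDacl
     If ownsHandle Then CloseHandle hProcess
     SetPermissions = dwErr
End Function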

Seule limite :
si le processus qui tente de tuer le vôtre possède le privilège SE_DEBUG (SeDebugPrivilege), cette protection ne fonctionne pas...

ShareVB
salut,

un exemple :
Option Explicit

' --- Access rights (winnt.h) ----------------------------------------------
Private Const SYNCHRONIZE As Long = &H100000
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const WRITE_DAC As Long = &H40000             ' right to modify an object's DACL
Private Const PROCESS_TERMINATE As Long = (&H1)        ' kept for the narrower deny variant noted in SetPermissions
' Pre-Vista definition of PROCESS_ALL_ACCESS (process-specific mask 0xFFF);
' newer SDKs widen the low mask to 0xFFFF.
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)

' --- ACL / security-descriptor constants (accctrl.h, winnt.h) --------------
Private Const SE_KERNEL_OBJECT As Long = 6&            ' SE_OBJECT_TYPE value for processes, threads, ...
Private Const DENY_ACCESS As Long = 3                  ' ACCESS_MODE: add an access-denied ACE
Private Const NO_INHERITANCE As Long = 0
Private Const DACL_SECURITY_INFORMATION As Long = &H4&
Private Const SID_REVISION As Long = 1

' TRUSTEE_FORM (accctrl.h): how TRUSTEE.ptstrName identifies the trustee.
Private Enum TRUSTEE_FORM
    TRUSTEE_IS_SID = 0    ' ptstrName is the address of a SID
    TRUSTEE_IS_NAME = 1   ' ptstrName is the address of an account name string
End Enum
' TRUSTEE_TYPE (accctrl.h): what kind of account the trustee is.
Private Enum TRUSTEE_TYPE
    TRUSTEE_IS_UNKNOWN = 0
    TRUSTEE_IS_USER = 1
    TRUSTEE_IS_GROUP = 2
End Enum
' MULTIPLE_TRUSTEE_OPERATION (accctrl.h): NO_MULTIPLE_TRUSTEE is the only value
' in normal use; pMultipleTrustee must then be 0.
Private Enum MULTIPLE_TRUSTEE_OPERATION
    NO_MULTIPLE_TRUSTEE = 0
    TRUSTEE_IS_IMPERSONATE = 1
End Enum

' Minimal SID layout with exactly one sub-authority: revision, sub-authority
' count, 6-byte identifier authority (big-endian), then the sub-authority.
' Field order and sizes must match the Win32 SID structure, since its address
' is handed to SetEntriesInAcl through TRUSTEE.ptstrName.
Private Type SID
   Revision As Byte
   SubAuthorityCount As Byte
   IdentifierAuthority(5) As Byte   ' 6 bytes, indices 0..5; the last byte is the low-order one
   SubAuthority As Long             ' only one slot: SubAuthorityCount must be 1
End Type
' Win32 TRUSTEE (accctrl.h): identifies the account an ACE applies to.
' ptstrName holds either a SID address or a string address depending on TrusteeForm.
Private Type TRUSTEE
    pMultipleTrustee As Long                                 ' 0 unless MultipleTrusteeOperation says otherwise
    MultipleTrusteeOperation As MULTIPLE_TRUSTEE_OPERATION
    TrusteeForm As TRUSTEE_FORM
    TrusteeType As TRUSTEE_TYPE
    ptstrName As Long                                        ' pointer, not a VB String
End Type
' Win32 EXPLICIT_ACCESS (accctrl.h): one ACE description for SetEntriesInAcl.
Private Type EXPLICIT_ACCESS
    grfAccessPermissions As Long   ' access mask the entry grants or denies
    grfAccessMode As Long          ' ACCESS_MODE value, e.g. DENY_ACCESS
    grfInheritance As Long         ' inheritance flags; NO_INHERITANCE for a process object
    myTrustee As TRUSTEE           ' named "Trustee" in the SDK; the field name is local to this module
End Type

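Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long
Private Declare Function GetLastError Lib "kernel32.dll" () As Long
Private Declare Function SetEntriesInAcl Lib "ADVAPI32.dll" Alias "SetEntriesInAclW" (ByVal cCountOfExplicitEntries As Long, ByRef pListOfExplicitEntries As EXPLICIT_ACCESS, ByVal OldAcl As Long, ByRef NewAcl As Long) As Long
Private Declare Function SetSecurityInfo Lib "ADVAPI32.dll" (ByVal handle As Long, ByVal ObjectType As Long, ByVal SecurityInfo As Long, ByVal psidOwner As Long, ByVal psidGroup As Long, ByVal pDacl As Long, ByVal pSacl As Long) As Long
Private Declare Function LocalFree Lib "kernel32.dll" (ByVal hMem As Long) As Long

' Replaces the DACL of a process with a single ACE denying PROCESS_ALL_ACCESS
' to Everyone (S-1-1-0), so that callers without special privileges can no
' longer open the process with the rights needed to terminate it.
'
' pid     : id of the process to protect; 0 means the current process.
' Returns : 0 on success, otherwise the Win32 error code reported by
'           OpenProcess, SetEntriesInAcl or SetSecurityInfo.
'
' Limits: a caller holding SeDebugPrivilege bypasses the DACL altogether, and
' because the deny applies to Everyone it also locks out the owner's own
' management tools. The existing DACL is replaced, not merged, since
' SetEntriesInAcl is given a NULL OldAcl.
Public Function SetPermissions(ByVal pid As Long) As Long
     Dim dwErr As Long
     Dim hProcess As Long
     Dim pDacl As Long
     Dim ownsHandle As Boolean

     ' WRITE_DAC is the only right SetSecurityInfo needs for a DACL change.
     If pid = 0 Then
        hProcess = -1       ' GetCurrentProcess() pseudo-handle; must not be closed
     Else
        hProcess = OpenProcess(WRITE_DAC, 0, pid)
        If hProcess = 0 Then
            ' Err.LastDllError is the reliable way to read GetLastError from VB:
            ' the runtime may issue its own API calls between a Declare call and
            ' a separate GetLastError() call, clobbering the value.
            SetPermissions = Err.LastDllError
            Exit Function
        End If
        ownsHandle = True
     End If

     ' Well-known SID S-1-1-0 (Everyone): SECURITY_WORLD_SID_AUTHORITY is
     ' {0,0,0,0,0,1}, with a single sub-authority of 0.
     Dim world As SID
     With world
        .Revision = SID_REVISION
        .SubAuthorityCount = 1
        .IdentifierAuthority(5) = 1
        .SubAuthority = 0
     End With

     ' One explicit deny entry for that SID. PROCESS_TERMINATE Or WRITE_DAC
     ' instead of PROCESS_ALL_ACCESS gives a narrower deny.
     Dim ea As EXPLICIT_ACCESS
     With ea
         .grfAccessPermissions = PROCESS_ALL_ACCESS
         .grfAccessMode = DENY_ACCESS
         .grfInheritance = NO_INHERITANCE
         With .myTrustee
             .pMultipleTrustee = 0
             .MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE
             .TrusteeForm = TRUSTEE_IS_SID
             .TrusteeType = TRUSTEE_IS_USER
             .ptstrName = VarPtr(world.Revision)   ' Revision is the first field, so this is the SID's address
         End With
     End With

     dwErr = SetEntriesInAcl(1, ea, 0, pDacl)
     ' Stop on failure: calling SetSecurityInfo with pDacl = 0 would install a
     ' NULL DACL, which means "no protection at all" - the opposite of the intent.
     If dwErr = 0 Then
         dwErr = SetSecurityInfo(hProcess, SE_KERNEL_OBJECT, _
                                 DACL_SECURITY_INFORMATION, _
                                 0, 0, pDacl, 0)
     End If

     ' SetEntriesInAcl's result is released with LocalFree; the real handle
     ' from OpenProcess must be closed, the pseudo-handle must not.
     If pDacl <> 0 Then LocalFree pDacl
     If ownsHandle Then CloseHandle hProcess
     SetPermissions = dwErr
End Function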

Seule limite :
si le processus qui tente de tuer le vôtre possède le privilège SE_DEBUG (SeDebugPrivilege), cette protection ne fonctionne pas...

ShareVB