一个无hook自我保护(vb6)
本帖最后由 Xor 于 2011-8-19 16:08 编辑
仅支持 Vista、7。
' advapi32: append an ACCESS_DENIED ACE (resp. ACCESS_ALLOWED ACE) granting/denying
' AccessMask to the SID pSid at the end of the ACL at pAcl. pSid is declared
' ByRef As Any, so DisableProcessAccess passes the PSID value with "ByVal pSid".
' Return value is treated as a BOOL by the caller (nonzero = success).
Private Declare Function AddAccessDeniedAce Lib "advapi32.dll" (ByVal pAcl As Long, ByVal dwAceRevision As Long, ByVal AccessMask As Long, ByRef pSid As Any) As Long
Private Declare Function AddAccessAllowedAce Lib "advapi32.dll" (ByVal pAcl As Long, ByVal dwAceRevision As Long, ByVal AccessMask As Long, ByRef pSid As Any) As Long
' Object-type selector passed to SetSecurityInfo. The members keep the Win32
' SE_OBJECT_TYPE order; the values are spelled out so the numbering is visible
' (the implicit VB6 auto-increment from 0 yields exactly these values).
Private Enum SE_OBJECT_TYPE
    SE_UNKNOWN_OBJECT_TYPE = 0
    SE_FILE_OBJECT = 1
    SE_SERVICE = 2
    SE_PRINTER = 3
    SE_REGISTRY_KEY = 4
    SE_LMSHARE = 5
    SE_KERNEL_OBJECT = 6          ' used by DisableProcessAccess for a process handle
    SE_WINDOW_OBJECT = 7
    SE_DS_OBJECT = 8
    SE_DS_OBJECT_ALL = 9
    SE_PROVIDER_DEFINED_OBJECT = 10
    SE_WMIGUID_OBJECT = 11
End Enum
' advapi32: write security information for an object given by Handle. Unlike the
' other APIs here it returns a Win32 error code (ERROR_SUCCESS = 0), not a BOOL;
' DisableProcessAccess compares the result with 0. Owner/group/DACL/SACL
' pointers the caller does not supply are passed as "ByVal 0".
Private Declare Function SetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any) As Long
' kernel32: release a handle (process or token).
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long
' advapi32: free a SID obtained from AllocateAndInitializeSid; the PSID is
' passed as "ByVal pSid" because the parameter is ByRef As Any.
Private Declare Sub FreeSid Lib "advapi32.dll" (ByRef pSid As Any)
' advapi32: query a token. First call with TokenInformation = 0 and length 0
' reports the needed size in ReturnLength; second call fills the buffer.
' NOTE(review): TokenInformationClass is declared ByRef As Integer while the
' Win32 TOKEN_INFORMATION_CLASS enum is a 32-bit value; the call sites pass
' "ByVal 1" (TokenUser) to work around this. A ByVal Long parameter would be the
' cleaner declaration, but changing it requires changing the call sites too.
Private Declare Function GetTokenInformation Lib "advapi32.dll" (ByVal TokenHandle As Long, ByRef TokenInformationClass As Integer, ByRef TokenInformation As Any, ByVal TokenInformationLength As Long, ByRef ReturnLength As Long) As Long
' kernel32: heap allocation (declared but not used by DisableProcessAccess,
' which builds its buffers on the stack with fixed-size Byte arrays).
Private Declare Function LocalAlloc Lib "kernel32.dll" (ByVal wFlags As Long, ByVal wBytes As Long) As Long
' advapi32: open the access token of a process; TokenHandle is filled through
' "ByVal VarPtr(hToken)".
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, ByRef TokenHandle As Long) As Long
' advapi32: build a SID from an identifier authority and up to eight
' sub-authorities; lpPSid receives the PSID through "ByVal VarPtr(pSid)".
Private Declare Function AllocateAndInitializeSid Lib "advapi32.dll" (ByRef pIdentifierAuthority As SID_IDENTIFIER_AUTHORITY, ByVal nSubAuthorityCount As Byte, ByVal nSubAuthority0 As Long, ByVal nSubAuthority1 As Long, ByVal nSubAuthority2 As Long, ByVal nSubAuthority3 As Long, ByVal nSubAuthority4 As Long, ByVal nSubAuthority5 As Long, ByVal nSubAuthority6 As Long, ByVal nSubAuthority7 As Long, ByRef lpPSid As Any) As Long
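' Win32 SID_IDENTIFIER_AUTHORITY: exactly six bytes (BYTE Value[6]).
' Bounds are written explicitly as 0 To 5 so the structure is six bytes
' regardless of Option Base; the original "Value(6)" declares seven elements
' under the default Option Base 0, one byte more than the API structure.
' DisableProcessAccess passes a zero-filled instance to AllocateAndInitializeSid.
Private Type SID_IDENTIFIER_AUTHORITY
    Value(0 To 5) As Byte
End Type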
' Access right requested by OpenProcessToken (only querying is needed here).
Private Const TOKEN_QUERY As Long = &H8
' LocalAlloc flags (kept for the LocalAlloc declaration; unused by
' DisableProcessAccess).
Private Const LMEM_FIXED As Long = &H0
Private Const LMEM_ZEROINIT As Long = &H40
Private Const LPTR As Long = (LMEM_FIXED + LMEM_ZEROINIT)
' ACL/ACE revision passed to InitializeAcl and the AddAccess*Ace calls.
Private Const ACL_REVISION As Long = 2
' SECURITY_INFORMATION bits for SetSecurityInfo: write the DACL, and mark it
' protected so it is not replaced by inherited entries.
Private Const DACL_SECURITY_INFORMATION As Long = &H4&
' &H80000000 is a negative Long in VB6; the bit pattern is what matters here.
Private Const PROTECTED_DACL_SECURITY_INFORMATION As Long = (&H80000000)
' NOTE(review): calling GetLastError through a Declare is unreliable in VB6
' because the runtime may call other APIs between the failing call and this
' one; Err.LastDllError is the documented way to read the last DLL error.
Private Declare Function GetLastError Lib "kernel32.dll" () As Long
' Win32 SID_AND_ATTRIBUTES (PSID pointer followed by a DWORD of attributes).
' This is the layout of the TOKEN_USER data that GetTokenInformation writes
' into buf1 in DisableProcessAccess; the type itself is not referenced there.
Private Type SID_AND_ATTRIBUTES
Sid As Long
Attributes As Long
End Type
' advapi32: initialise an empty ACL of nAclLength bytes at pAcl; the caller
' supplies the memory (a 1 KB Byte array in DisableProcessAccess).
Private Declare Function InitializeAcl Lib "advapi32.dll" (ByVal pAcl As Long, ByVal nAclLength As Long, ByVal dwAclRevision As Long) As Long
' Win32 ACL header (BYTE AclRevision, BYTE Sbz1, WORD AclSize, WORD AceCount,
' WORD Sbz2) - 8 bytes. Declared for reference; DisableProcessAccess treats
' the ACL as an opaque buffer and never reads these fields.
Private Type ACL
AclRevision As Byte
Sbz1 As Byte
AclSize As Integer
AceCount As Integer
Sbz2 As Integer
End Type
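Public Function DisableProcessAccess(ByVal hProcess As Long, ByVal dwAccessDenied As Long, ByVal dwAccessAllowed As Long) As Boolean
    ' Purpose: replace the DACL of the process object hProcess with a two-ACE
    ' list built in a local buffer - an ACCESS_DENIED ACE for dwAccessDenied
    ' followed by an ACCESS_ALLOWED ACE for dwAccessAllowed, both for the SID
    ' allocated from sia - and apply it with SetSecurityInfo using
    ' DACL_SECURITY_INFORMATION Or PROTECTED_DACL_SECURITY_INFORMATION.
    ' Parameters:
    '   hProcess         process handle; it is closed on every exit path
    '                    (behaviour kept from the original - callers must not
    '                    use the handle afterwards; CloseHandle on the
    '                    GetCurrentProcess pseudo-handle is a no-op)
    '   dwAccessDenied   access mask placed in the deny ACE
    '   dwAccessAllowed  access mask placed in the allow ACE
    ' Returns True only when SetSecurityInfo returned ERROR_SUCCESS (0). The
    ' original left bSuccess at True when SetSecurityInfo failed, because
    ' bSuccess had already been set by the preceding AddAccessAllowedAce.
    ' Fixes relative to the original: the token handle from OpenProcessToken is
    ' now closed; the TOKEN_USER buffer is size-checked before the filling
    ' call; the result of SetSecurityInfo decides the return value.
    ' NOTE(review): sia is never populated, so AllocateAndInitializeSid builds
    ' a SID with the all-zero authority and a single sub-authority of 0
    ' (S-1-0-0) - confirm that this is the principal the ACEs are meant to
    ' target.
    ' NOTE(review): the TokenUser query fills buf1 but its content is never
    ' used; it is kept only so the failure path (OpenProcessToken or
    ' GetTokenInformation failing -> return False) is unchanged.
    Dim sia As SID_IDENTIFIER_AUTHORITY
    Dim pSid As Long                     ' PSID from AllocateAndInitializeSid
    Dim bSuccess As Boolean
    Dim buf(1 To &H400) As Byte          ' backing store for the ACL
    Dim buf1(1 To &H400) As Byte         ' backing store for TOKEN_USER
    Dim pAcl As Long
    Dim TokenInfo As Long
    Dim hToken As Long                   ' closed in Cleanup (leaked by the original)
    Dim dwRetLen As Long
    Dim dw As Long
    Dim lResult As Long                  ' Win32 error code from SetSecurityInfo

    pAcl = VarPtr(buf(1))

    bSuccess = AllocateAndInitializeSid(sia, 1, 0, 0, 0, 0, 0, 0, 0, 0, ByVal VarPtr(pSid))
    Debug.Print Err.LastDllError         ' Err.LastDllError is reliable in VB6; a GetLastError Declare is not
    If Not bSuccess Then GoTo Cleanup

    bSuccess = OpenProcessToken(hProcess, TOKEN_QUERY, ByVal VarPtr(hToken))
    If Not bSuccess Then GoTo Cleanup

    ' Size probe: NULL buffer and length 0 make the call report the required
    ' size in dwRetLen (information class 1 = TokenUser).
    Call GetTokenInformation(hToken, ByVal 1, ByVal 0, 0, dwRetLen)
    If dwRetLen > UBound(buf1) Then
        ' Never let the filling call write past the fixed-size buffer.
        bSuccess = False
        GoTo Cleanup
    End If
    TokenInfo = VarPtr(buf1(1))
    bSuccess = GetTokenInformation(hToken, ByVal 1, ByVal TokenInfo, dwRetLen, dw)
    If Not bSuccess Then GoTo Cleanup

    bSuccess = InitializeAcl(pAcl, &H400, ACL_REVISION)
    If Not bSuccess Then GoTo Cleanup

    ' Deny ACE first, then allow ACE - the order the original used.
    bSuccess = AddAccessDeniedAce(pAcl, ACL_REVISION, dwAccessDenied, ByVal pSid)
    If Not bSuccess Then GoTo Cleanup

    bSuccess = AddAccessAllowedAce(pAcl, ACL_REVISION, dwAccessAllowed, ByVal pSid)
    If Not bSuccess Then GoTo Cleanup

    ' SetSecurityInfo returns a Win32 error code, not a BOOL: 0 means success.
    lResult = SetSecurityInfo(hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION Or PROTECTED_DACL_SECURITY_INFORMATION, ByVal 0, ByVal 0, ByVal pAcl, ByVal 0)
    Debug.Print lResult
    bSuccess = (lResult = 0)

Cleanup:
    If hToken <> 0 Then Call CloseHandle(hToken)
    If hProcess <> 0 Then Call CloseHandle(hProcess)
    If pSid <> 0 Then Call FreeSid(ByVal pSid)
    DisableProcessAccess = bSuccess
End Function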
我只是试一下hide可不可以镶套,没想到某些人这么认真。。。 刚才用谷歌搜索了一下,发现只能防止常规内存读写,不能防杀。。。 Tesla.Angela 发表于 2011-8-17 21:25 static/image/common/back.gif
刚才用谷歌搜索了一下,发现只能防止常规内存读写,不能防杀。。。
可以防任务管理器呀
Xor 发表于 2011-8-17 21:30
可以防任务管理器呀
好像还真的不可以。。。
另外这代码好像还是某论坛的某版主翻译的。。。
如果您要查看本帖隐藏内容请回复
版主竟然都要付费!算了不看了!
jackqiang,本帖隐藏的内容需要积分高于 1000 才可浏览,您当前积分为 18
气死了!
jackqiang 发表于 2011-8-19 12:03
jackqiang,本帖隐藏的内容需要积分高于 1000 才可浏览,您当前积分为 18
气死了!
直接百度搜索“DisableProcessAccess”即可。
貌似在好久之前就看到过了,好像利用价值不是太大......
如果只有 WIN7 能用,确实价值不是太大.......
马大哈 发表于 2011-8-22 20:07
如果只有WIN7能用,确实价值不是太大.......
经我测试发现这玩意在任何系统都没用。。。
本帖最后由 Xor 于 2012-1-8 19:38 编辑
Tesla.Angela 发表于 2011-8-22 21:41
经我测试发现这玩意在任何系统都没用。。。
奇怪,你的电脑都安装了什么?加强版Windows任务管理器?无敌防病毒装置?或者更靠谱点的——你在使用超级管理员账户?或者你点击了“显示所有进程”?不过把这段代码加到内核级防杀进程上,会有惊奇的效果——即使用最高权限启动某些杀进程工具,也不能杀之(不加这段代码就可以结束)。
Xor 发表于 2011-8-17 21:30
可以防任务管理器呀
貌似只能防改优先级。。
确实只能防改优先级