一个无hook自我保护（vb6）

Xor

仅支持vista、7

Private Declare Function AddAccessDeniedAce Lib "advapi32.dll" (ByVal pAcl As Long, ByVal dwAceRevision As Long, ByVal AccessMask As Long, ByRef pSid As Any) As Long
Private Declare Function AddAccessAllowedAce Lib "advapi32.dll" (ByVal pAcl As Long, ByVal dwAceRevision As Long, ByVal AccessMask As Long, ByRef pSid As Any) As Long
Private Enum SE_OBJECT_TYPE
          SE_UNKNOWN_OBJECT_TYPE = 0
          SE_FILE_OBJECT
          SE_SERVICE
          SE_PRINTER
          SE_REGISTRY_KEY
          SE_LMSHARE
          SE_KERNEL_OBJECT
          SE_WINDOW_OBJECT
          SE_DS_OBJECT
          SE_DS_OBJECT_ALL
          SE_PROVIDER_DEFINED_OBJECT
          SE_WMIGUID_OBJECT
  End Enum
  
  
Private Declare Function SetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any) As Long
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long
Private Declare Sub FreeSid Lib "advapi32.dll" (ByRef pSid As Any)
Private Declare Function GetTokenInformation Lib "advapi32.dll" (ByVal TokenHandle As Long, ByRef TokenInformationClass As Integer, ByRef TokenInformation As Any, ByVal TokenInformationLength As Long, ByRef ReturnLength As Long) As Long
Private Declare Function LocalAlloc Lib "kernel32.dll" (ByVal wFlags As Long, ByVal wBytes As Long) As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, ByRef TokenHandle As Long) As Long
Private Declare Function AllocateAndInitializeSid Lib "advapi32.dll" (ByRef pIdentifierAuthority As SID_IDENTIFIER_AUTHORITY, ByVal nSubAuthorityCount As Byte, ByVal nSubAuthority0 As Long, ByVal nSubAuthority1 As Long, ByVal nSubAuthority2 As Long, ByVal nSubAuthority3 As Long, ByVal nSubAuthority4 As Long, ByVal nSubAuthority5 As Long, ByVal nSubAuthority6 As Long, ByVal nSubAuthority7 As Long, ByRef lpPSid As Any) As Long
Private Type SID_IDENTIFIER_AUTHORITY
        Value(6) As Byte
End Type
Private Const TOKEN_QUERY As Long = &H8
Private Const LMEM_FIXED As Long = &H0
Private Const LMEM_ZEROINIT As Long = &H40
Private Const LPTR As Long = (LMEM_FIXED + LMEM_ZEROINIT)
Private Const ACL_REVISION As Long = 2
Private Const DACL_SECURITY_INFORMATION As Long = &H4&
Private Const PROTECTED_DACL_SECURITY_INFORMATION As Long = (&H80000000)
Private Declare Function GetLastError Lib "kernel32.dll" () As Long
Private Type SID_AND_ATTRIBUTES
        Sid As Long
        Attributes As Long
End Type

  Private Declare Function InitializeAcl Lib "advapi32.dll" (ByVal pAcl As Long, ByVal nAclLength As Long, ByVal dwAclRevision As Long) As Long
Private Type ACL
        AclRevision As Byte
        Sbz1 As Byte
        AclSize As Integer
        AceCount As Integer
        Sbz2 As Integer
End Type
  
  

Public Function DisableProcessAccess(ByVal hProcess As Long, ByVal dwAccessDenied As Long, ByVal dwAccessAllowed As Long) As Boolean
        Dim sia As SID_IDENTIFIER_AUTHORITY
        Dim pSid As Long 'psid
        Dim bSuccess As Boolean
        Dim buf(1 To &H400) As Byte
        Dim buf1(1 To &H400) As Byte
        Dim pTokenUser As Long 'pToken_User
        Dim pAcl As Long 'pAcl
        pAcl = VarPtr(buf(1))
        Dim TokenInfo As Long
        Dim hToken As Long
        Dim dwRetLen As Long
        Dim dw As Long
        bSuccess = AllocateAndInitializeSid(sia, 1, 0, 0, 0, 0, 0, 0, 0, 0, ByVal VarPtr(pSid))
        Debug.Print GetLastError
        
        If (Not bSuccess) Then GoTo Cleanup
        bSuccess = OpenProcessToken(hProcess, TOKEN_QUERY, ByVal VarPtr(hToken))
        'Debug.Print GetLastError
        
        If (Not bSuccess) Then GoTo Cleanup
        Call GetTokenInformation(hToken, ByVal 1, ByVal 0, 0, dwRetLen)
        'Debug.Print GetLastError
        TokenInfo = VarPtr(buf1(1))
        bSuccess = GetTokenInformation(hToken, ByVal 1, ByVal TokenInfo, dwRetLen, dw)
        'Debug.Print GetLastError
        
        If (Not bSuccess) Then GoTo Cleanup
        bSuccess = InitializeAcl(pAcl, &H400, ACL_REVISION)
        'Debug.Print GetLastError
        
        If (Not bSuccess) Then GoTo Cleanup
        bSuccess = AddAccessDeniedAce(pAcl, ACL_REVISION, dwAccessDenied, ByVal pSid)
        'Debug.Print GetLastError
        
        If (Not bSuccess) Then GoTo Cleanup
        bSuccess = AddAccessAllowedAce(pAcl, ACL_REVISION, dwAccessAllowed, ByVal pSid)
        'Debug.Print GetLastError
        
        If (Not bSuccess) Then GoTo Cleanup
        If (SetSecurityInfo(hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION Or PROTECTED_DACL_SECURITY_INFORMATION, ByVal 0, ByVal 0, ByVal pAcl, ByVal 0) = 0) Then bSuccess = True
        Debug.Print GetLastError
Cleanup:
        If (hProcess <> 0) Then CloseHandle (hProcess)
        If (pSid <> 0) Then Call FreeSid(ByVal pSid)
        DisableProcessAccess = bSuccess
End Function
我只是试一下hide可不可以镶套，没想到某些人这么认真。。。

Tesla.Angela

刚才用谷歌搜索了一下，发现只能防止常规内存读写，不能防杀。。。

Xor

Tesla.Angela 发表于 2011-8-17 21:25
刚才用谷歌搜索了一下，发现只能防止常规内存读写，不能防杀。。。

可以防任务管理器呀

Tesla.Angela

Xor 发表于 2011-8-17 21:30
可以防任务管理器呀

好像还真的不可以。。。
另外这代码好像还是某论坛的某版主翻译的。。。

yyking

如果您要查看本帖隐藏内容请回复

乔丹二世

版主竟然都要付费！算了不看了！:@

jackqiang

{:soso_e180:}

jackqiang

{:soso_e111:} jackqiang，本帖隐藏的内容需要积分高于 1000 才可浏览，您当前积分为 18

气死了！

Tesla.Angela

jackqiang 发表于 2011-8-19 12:03
jackqiang，本帖隐藏的内容需要积分高于 1000 才可浏览，您当前积分为 18

气死了！

直接百度搜索“DisableProcessAccess”即可。

xiaoly99

貌似在好久之前就看到过了, 好像利用价值不是太大......

马大哈

如果只有WIN7能用,确实价值不是太大.......;P

Tesla.Angela

马大哈 发表于 2011-8-22 20:07
如果只有WIN7能用,确实价值不是太大.......

经我测试发现这玩意在任何系统都没用。。。

Xor

Tesla.Angela 发表于 2011-8-22 21:41
经我测试发现这玩意在任何系统都没用。。。

奇怪，你的电脑都安装了什么？加强版Windows任务管理器？无敌防病毒装置？或者更靠谱点的——你在使用超级管理员账户？或者你点击了“显示所有进程”？不过把这段代码加到内核级防杀进程上，会有惊奇的效果——即使用最高权限启动某些杀进程工具，也不能杀之（不加这段代码就可以结束）。

yxd199512041

Xor 发表于 2011-8-17 21:30
可以防任务管理器呀

貌似只能防改优先级。。

乔丹二世

确实只能防改优先级