1. 进程实例句柄: hInstance .将进程数据加载到内存基地址 2. 进程命令行. 获取命令行指针: PTSTR GetCommandLine(); 3. 环境变量: GetEnvironmentStrings(),FreeEnvironmentStrings() DWORD GetEnvironmentVariable(PCTSTR pszName,PTSTR pszValue,DWORD cchValue); 4. 进程关联性 5. 错误模式UINT SetErrorMode(UINT fuErrorMode); 6. 进程所在驱动器和目录. 被该进程所有线程共享. DWORD GetCurrentDirectory(DWORD cchCurDir,PTSTR pszCurDir); BOOL SetCurrentDirectory(PCTSTR pszCurDir); 7. 进程创建 BOOL CreateProcess( PCTSTR pszApplicationName, //可执行文件名称 PTSTR pszCommandLine, //传入的命令行,非常量字符串 PSECURITY_ATTRIBUTES psaProcess, //NULL, 默认 PSECURITY_ATTRIBUTES psaThread, //NULL, 默认 BOOL bInheritHandles, //FALSE DWORD fdwCreate, //NULL 默认打开界面方式 PVOID pvEnvironment, //GETenvironment()或者默认 PCTSTR pszCurDir, //exe的目录或者NULL PSTARTUPINFO psiStartInfo, //ps初始为大小带入 PPROCESS_INFORMATION ppiProcInfo); //进程id和句柄等信息构成的结构体 8. 进程枚举函数: EnumProcesses(pids, sizeof(pids), &pSize) 第一个参数: dword类型数组, 第2个参数该数组字节数, 第3个参数存储返回的pid值*大小字节数. 枚举后的进程id复制到pids数组中.如pNum = pSize / sizeof(DWORD);for (int i = 0; i < pNum; i++) printf("%d ", pids[i]); 打开进程 : HANDLE WINAPI OpenProcess( _In_ DWORD dwDesiredAccess, _In_ BOOL bInheritHandle, _In_ DWORD dwProcessId ); 得到进程id句柄后,枚举进程模块EnumProcessModules(参数和枚举进程类似). 获取进程名: GetModuleBaseName(参数和枚举进程类似)
进程权限问题安全token, sid,安全描述符,所有者标识. acl,ace luid
安全令牌, 筛选的令牌 token 相关api:
v OpenProcessToken 3个参数1.进程句柄,访问方式,token句柄地址
v OpenThreadToken 类似
v AdjustTokenGroups
v AdjustTokenPrivileges
v GetTokenInformation
v SetTokenInformation
主要是特权问题:
1.获取进程token信息:
首先定义缓冲区:
PTOKEN_PRIVILEGES pTokeninfo = (PTOKEN_PRIVILEGES)malloc(1000);
返回的长度: DWORD dwLength;
获取信息:
GetTokenInformation(hToken,TokenPrivileges,pTokeninfo,buffsize,&dwLength);
遍历获取信息,和该结构体有关 TokenPrivileges
for (iCount=0;iCount<pTokeninfo->PrivilegeCount;iCount++)
{
//重复使用缓冲区前清空缓冲区
memset(PrivilegeDisplayName,'�',sizeof(PrivilegeDisplayName));
memset(PrivilegeName,'�',sizeof(PrivilegeName));
NameLength=sizeof(PrivilegeName)/sizeof(TCHAR);
DisplayNameLength=sizeof(PrivilegeDisplayName)/sizeof(TCHAR);
LookupPrivilegeName(NULL, //本地系统
&(pTokeninfo->Privileges[iCount].Luid), //luid地址
PrivilegeName, //存放特权字符串首地址
&NameLength //返回多长到缓存区中
);
LookupPrivilegeDisplayName(NULL,
PrivilegeName, //英文特权名称
PrivilegeDisplayName, //目标语言特权名称
&DisplayNameLength, //返回多长
&langID); //语言id}
2.提权(激活权限): 这里所谓的提权只是将进程禁用的原有的权限进行激活,不能将原来不存在的权限赋予给它.所以非管理员权限运行的程序一般没有SE_DEBUG_NAME权限,所以无法通过这种方式进行提权.
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tH);
LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&NewTUid.Privileges[0].Luid);
NewTUid.PrivilegeCount=1;
NewTUid.Privileges->Attributes=SE_PRIVILEGE_ENABLED;
//参数说明: 1,本进程token句柄,2,不禁用.3新token地址,该token包含了想要的特权 //4,token结构大小.56参数全为0,没用.
AdjustTokenPrivileges(tH,FALSE,&NewTUid,sizeof(NewTUid),NULL,NULL);
3.以管理员权限执行一个子进程
SHELLEXECUTEINFO se={sizeof(SHELLEXECUTEINFO)};//这个结构体只需要初始化4个参数
se.lpVerb=TEXT("runas");//硬编码了
se.lpFile=TEXT("F:\c_project\练习\release\安全性.exe");//exe路径
se.nShow=SW_SHOWNORMAL;//正常显示
ShellExecuteEx(&se);//调用
二.获取进程信息类
#pragma once #ifndef __PRO_H_ #define __PRO_H_ #include "stdafx.h" class process { public: //提供进程id进行获取信息或者提供进程名获取信息 process(DWORD processId); process(WCHAR* processName); ~process(); void getProcessPath(WCHAR* processName); void getProcessExePath(WCHAR* exePath); DWORD getProcessParentId(); DWORD getProcessNumThreads(); DWORD getProcessId(); HANDLE getProcessHandle(); void setProcessInfo(); void setModulesPath(); void showProcessInfo(); static DWORD findProcessNameById(DWORD processId,WCHAR* processName); static DWORD findProcessIdByName(WCHAR* processName); static HANDLE getProcessHandle(DWORD flags, DWORD processId); void setProcessHandle(DWORD desireAccess); private: WCHAR processName[MAX_PATH]; WCHAR exePath[MAX_PATH]; DWORD processId; HANDLE hHandle; DWORD numThreads; DWORD th32ParentProcessID; DWORD numModules; WCHAR moduleNames[20][MAX_PATH]; //默认最多获取20个模块名字 }; process::process(DWORD processId) { memset((void*)(this->exePath), 0, sizeof(this->exePath)); memset((void*)(this->processName), 0, sizeof(this->processName)); this->numThreads = 0; this->processId = processId; this->hHandle = INVALID_HANDLE_VALUE; this->th32ParentProcessID = 0; for (int i=0;i<20;i++) { memset(this->moduleNames[i], 0, sizeof(this->moduleNames[i])); } setProcessInfo(); setModulesPath(); lstrcpy(this->exePath, this->moduleNames[0]); } process::process(WCHAR * processName) { memset((void*)(this->exePath), 0, sizeof(this->exePath)); memset((void*)(this->processName), 0, sizeof(this->processName)); wcscpy(this->processName, processName); this->numThreads = 0; this->processId = 0; this->hHandle = INVALID_HANDLE_VALUE; this->th32ParentProcessID = 0; for (int i = 0; i < 20; i++) { memset(this->moduleNames[i], 0, sizeof(this->moduleNames[i])); } setProcessInfo(); setModulesPath(); lstrcpy(this->exePath, this->moduleNames[0]); } process::~process() { memset((void*)(this->exePath), 0, sizeof(this->exePath)); memset((void*)(this->processName), 0, sizeof(this->processName)); if (this->hHandle!=INVALID_HANDLE_VALUE) { CloseHandle(hHandle); } this->numThreads = 0; this->processId = processId; this->hHandle = INVALID_HANDLE_VALUE; this->th32ParentProcessID = 0; for (int i = 0; i < 20; i++) { memset(this->moduleNames[i], 0, sizeof(this->moduleNames[i])); } } inline void process::getProcessPath(WCHAR* processName) { wcscpy(processName, this->processName); } inline void process::getProcessExePath(WCHAR * exePath) { wcscpy(exePath, this->exePath); } inline DWORD process::getProcessParentId() { return this->th32ParentProcessID; } inline DWORD process::getProcessNumThreads() { return this->numThreads; } inline DWORD process::getProcessId() { return this->processId; } inline HANDLE process::getProcessHandle() { return this->hHandle; } inline void process::setProcessInfo() { /************************************************************************/ /* 循环遍历进程快照,先判断是否提供进程id进行寻找 ,否则判断是否提供进程名进行寻找 如果都没提供就直接退出 关注: 进程路径, 进程id,父进程id,进程线程数 */ /************************************************************************/ PROCESSENTRY32W process; HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); process.dwSize = sizeof(PROCESSENTRY32W); DWORD result = 0; if (this->processId!=0) { result = Process32FirstW(hProcessSnap, &process); do { if (result) { if (process.th32ProcessID == this->processId) { //_tcscpy(this->exePath, process.szExeFile); this->numThreads = process.cntThreads; wcscpy(this->processName, process.szExeFile); this->th32ParentProcessID = process.th32ParentProcessID; break; } } else { break; } } while (Process32NextW(hProcessSnap, &process)); } else if(this->processName!=NULL) { result = Process32FirstW(hProcessSnap, &process); do { if (result) { if (lstrcmpW(this->processName,process.szExeFile)==0) { this->numThreads = process.cntThreads; this->processId = process.th32ProcessID; this->th32ParentProcessID = process.th32ParentProcessID; break; } } else { break; } } while (Process32NextW(hProcessSnap, &process)); } CloseHandle(hProcessSnap); } void process::setModulesPath() { MODULEENTRY32W me; me.dwSize = sizeof(MODULEENTRY32W); HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, this->processId); if (Module32FirstW(hSnap,&me)) { lstrcpy(this->moduleNames[0], me.szExePath); for (int i=1;i<20;i++) { lstrcpy(this->moduleNames[i], me.szExePath); if (!Module32NextW(hSnap, &me)) { break; } } } CloseHandle(hSnap); } DWORD process::findProcessNameById(DWORD processId,WCHAR* processName) { //向外提供的查询信息函数,processName用于接收信息,获取成功返回1,否则返回0 PROCESSENTRY32W process; HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); process.dwSize = sizeof(PROCESSENTRY32W); do { if (Process32FirstW(hProcessSnap, &process)) { if (process.th32ProcessID == processId) { CloseHandle(hProcessSnap); wcscpy(processName, process.szExeFile); return 1; } } } while (Process32NextW(hProcessSnap,&process)); CloseHandle(hProcessSnap); return 0; } DWORD process::findProcessIdByName(WCHAR * processName) { PROCESSENTRY32W process; HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); process.dwSize = sizeof(PROCESSENTRY32W); do { if (Process32FirstW(hProcessSnap, &process)) { if (lstrcmp(processName,process.szExeFile) == 0) { CloseHandle(hProcessSnap); return process.th32ProcessID; } } } while (Process32NextW(hProcessSnap, &process)); CloseHandle(hProcessSnap); return NULL; } HANDLE process::getProcessHandle(DWORD flags, DWORD processId) { //先激活权限 HANDLE hToken; LUID newLuid; TOKEN_PRIVILEGES tr; tr.PrivilegeCount = 1; tr.Privileges->Attributes = SE_PRIVILEGE_ENABLED; OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken); LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &newLuid); tr.Privileges->Luid = newLuid; AdjustTokenPrivileges(hToken, FALSE, &tr, sizeof(tr), 0, 0); if (GetLastError() == ERROR_SUCCESS) { CloseHandle(hToken); return INVALID_HANDLE_VALUE; } CloseHandle(hToken); return OpenProcess(flags,0,processId); } void process::setProcessHandle(DWORD desireAccess) { //先激活权限 HANDLE hToken; LUID newLuid; TOKEN_PRIVILEGES tr; tr.PrivilegeCount = 1; tr.Privileges->Attributes = SE_PRIVILEGE_ENABLED; OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken); LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &newLuid); tr.Privileges->Luid = newLuid; AdjustTokenPrivileges(hToken, FALSE, &tr, sizeof(tr), 0, 0); this->hHandle = OpenProcess(desireAccess, 0, this->processId); CloseHandle(hToken); } inline void process::showProcessInfo() { wprintf(L"进程名:%ls ", this->processName); wprintf(L"进程路径:%ls ", this->exePath); wprintf(L"进程句柄:%d ", (DWORD)this->hHandle); wprintf(L"进程id:%d ", this->processId); wprintf(L"父进程id:%d ", this->th32ParentProcessID); wprintf(L"创建的线程数:%d ", this->numThreads); wprintf(L"加载的模块: "); for (int i=1;i<20;i++) { if (lstrlen(this->moduleNames[i])) { wprintf(L"%ls ", this->moduleNames[i]); } } } #endif // __PRO_H_