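#include <Windows.h>
#include <WinSafer.h>
#include <stdio.h>
#include <sddl.h>

// Builds a Safer "normal user" token for the current user: the caller's token
// with the administrative groups and privileges stripped (SAFER_LEVELID_NORMALUSER).
// The caller owns the returned handle and must CloseHandle() it. Returns NULL on failure.
static HANDLE _CreateRestrictedToken(void)
{
    SAFER_LEVEL_HANDLE hLevel = NULL;
    if (!SaferCreateLevel(SAFER_SCOPEID_USER, SAFER_LEVELID_NORMALUSER,
                          SAFER_LEVEL_OPEN, &hLevel, NULL)) {
        return NULL;
    }

    HANDLE hToken = NULL;
    if (!SaferComputeTokenFromLevel(hLevel, NULL, &hToken, 0, NULL)) {
        hToken = NULL;
    }
    SaferCloseLevel(hLevel);   // the level object is only needed to derive the token
    return hToken;
}

// Stamps the medium integrity label (S-1-16-8192) onto hToken.
// Returns false if the SID cannot be built or SetTokenInformation rejects it;
// the SID buffer allocated by ConvertStringSidToSid is released on every path.
static bool _SetMediumIntegrityLevel(HANDLE hToken)
{
    TOKEN_MANDATORY_LABEL tml = { 0 };
    tml.Label.Attributes = SE_GROUP_INTEGRITY;

    // Alternatively, CreateWellKnownSid(WinMediumLabelSid, ...) builds the same SID.
    if (!ConvertStringSidToSidW(L"S-1-16-8192", &tml.Label.Sid)) {
        return false;
    }

    // Size for TokenIntegrityLevel is the structure plus the SID it points to
    // (the pattern documented for SetTokenInformation).
    BOOL ok = SetTokenInformation(hToken, TokenIntegrityLevel, &tml,
                                  sizeof(tml) + GetLengthSid(tml.Label.Sid));
    LocalFree(tml.Label.Sid);   // ConvertStringSidToSid allocates with LocalAlloc
    return ok != FALSE;
}

// Starts a new instance of the running executable under hToken on the
// interactive desktop. Returns true when CreateProcessAsUser succeeds;
// the child's process/thread handles are closed immediately since the
// parent does not wait on them.
static bool _LaunchSelfWithToken(HANDLE hToken)
{
    // Fail on error (0) or truncation (== nSize) rather than launching a partial path.
    WCHAR exePath[MAX_PATH + 1] = { 0 };
    DWORD len = GetModuleFileNameW(NULL, exePath, MAX_PATH);
    if (len == 0 || len >= MAX_PATH) {
        return false;
    }

    // Interactive window station and desktop so the child can show UI.
    // The backslash must be escaped: "\d" is not a valid escape sequence and
    // would silently yield "winsta0default".
    WCHAR desktop[] = L"winsta0\\default";
    STARTUPINFOW si = { 0 };
    si.cb = sizeof(si);
    si.lpDesktop = desktop;

    PROCESS_INFORMATION pi = { 0 };
    // bInheritHandles = FALSE: nothing is passed to the child, and a process that
    // is deliberately launched with fewer rights should not receive the parent's
    // inheritable handles (those would outlive the token restrictions).
    if (!CreateProcessAsUserW(hToken, exePath, NULL, NULL, NULL, FALSE,
                              NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
        return false;
    }

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return true;
}

// Re-launches the current executable as a restricted (non-administrator),
// medium-integrity process. Returns true if the child was started and false
// if any step failed; the restricted token is released on every path.
bool _IsNewProcessLaunched()
{
    HANDLE hRestrictedToken = _CreateRestrictedToken();
    if (hRestrictedToken == NULL) {
        return false;
    }

    // Safer tokens keep the caller's integrity level, so lower it explicitly
    // before the token is used to spawn the child.
    bool launched = _SetMediumIntegrityLevel(hRestrictedToken)
                 && _LaunchSelfWithToken(hRestrictedToken);

    CloseHandle(hRestrictedToken);
    return launched;
}

// Demo entry point: spawn the restricted copy, then wait for a keypress so the
// console stays open. The launch result is intentionally not acted on here.
int main(void)
{
    _IsNewProcessLaunched();
    getchar();
    return 0;
}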
相关链接:Removing Administrator Privilages from Process
"S-1-16-8192" 是指中等完整性级别。 见:2.4.2.4 Well-Known SID Structures
SID介绍见: SID Components