进程的内核对象是等着别人拿着令牌访问我们的
令牌是我们拿着去访问别人的内核对象时用的凭证,访问时会与对方安全描述符中的权限进行比较
windows完整性机制:是对windows安全授权的一个补充
安全模块在拿token和安全描述符SECURITY_DESCRIPTOR比照之前,还会做一个完整性检查的工作
完整性等级低的进程默认不能写入完整性等级高的对象(NO_WRITE_UP 策略);如果没有显式设置,内核对象会使用默认的完整性等级 medium。
让进程在一个低完整性等级下运行。
/* Signature under discussion; the full implementation is given further down the page.
 * All four PDWORD parameters are output pointers and must not be NULL. */
BOOL GetProcessIntegrityLevel(HANDLE hProcess, PDWORD pIntegrityLevel,
PDWORD pPolicy, PDWORD pResourceIntegrityLevel, PDWORD pResourcePolicy){}
pIntegrityLevel:完整性等级(SID 的最后一个子权限值),高完整性等级是 0x3000,中完整性等级是 0x2000,见下表
Value | Description | Symbol |
---|---|---|
0x0000 | Untrusted level | SECURITY_MANDATORY_UNTRUSTED_RID |
0x1000 | Low integrity level | SECURITY_MANDATORY_LOW_RID |
0x2000 | Medium integrity level | SECURITY_MANDATORY_MEDIUM_RID |
0x3000 | High integrity level | SECURITY_MANDATORY_HIGH_RID |
0x4000 | System integrity level | SECURITY_MANDATORY_SYSTEM_RID |
pPolicy:策略等级
Value | Meaning
---|---
TOKEN_MANDATORY_POLICY_OFF (0x0) | No mandatory integrity policy is enforced for the token.
TOKEN_MANDATORY_POLICY_NO_WRITE_UP (0x1) | A process associated with the token cannot write to objects that have a greater mandatory integrity level.
TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN (0x2) | A process created with the token has an integrity level that is the lesser of the parent-process integrity level and the executable-file integrity level.
TOKEN_MANDATORY_POLICY_VALID_MASK (0x3) | A combination of TOKEN_MANDATORY_POLICY_NO_WRITE_UP and TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN.
完整代码如下
#include<Windows.h>
#include<tchar.h>
#include"Aclapi.h"
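/*
 * GetProcessIntegrityLevel
 *
 * Reads the mandatory integrity level and mandatory policy of the primary
 * token of hProcess, and the integrity label (level + policy mask) stored in
 * the SACL of the process object itself.
 *
 * hProcess                - process handle. Needs enough access for
 *                           OpenProcessToken(TOKEN_READ); the label query
 *                           via GetSecurityInfo additionally needs READ_CONTROL.
 * pIntegrityLevel         - receives the token's integrity RID, i.e. the last
 *                           sub-authority of the label SID
 *                           (e.g. SECURITY_MANDATORY_MEDIUM_RID).
 * pPolicy                 - receives the TOKEN_MANDATORY_POLICY_* flags, or
 *                           TOKEN_MANDATORY_POLICY_OFF if the query fails.
 * pResourceIntegrityLevel - receives the integrity RID from the process
 *                           object's label ACE; 0 when no label is present.
 * pResourcePolicy         - receives the label ACE's access mask
 *                           (the SYSTEM_MANDATORY_LABEL_NO_*_UP bits); 0 when
 *                           no label is present.
 *
 * Returns TRUE when the token integrity level was obtained. The resource
 * fields are filled on a best-effort basis whenever the token could be
 * opened, regardless of the return value. All output pointers must be
 * non-NULL; otherwise FALSE is returned with ERROR_INVALID_PARAMETER.
 */
BOOL GetProcessIntegrityLevel(HANDLE hProcess, PDWORD pIntegrityLevel,
                              PDWORD pPolicy, PDWORD pResourceIntegrityLevel,
                              PDWORD pResourcePolicy) {
    if (pIntegrityLevel == NULL || pPolicy == NULL ||
        pResourceIntegrityLevel == NULL || pResourcePolicy == NULL) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }

    HANDLE hToken = NULL;
    if (!OpenProcessToken(hProcess, TOKEN_READ, &hToken)) {
        return FALSE;
    }

    BOOL bReturn = FALSE;

    /* Step 1: ask for the size of the TOKEN_MANDATORY_LABEL buffer. The
     * sizing call is expected to fail with ERROR_INSUFFICIENT_BUFFER. */
    DWORD dwNeededSize = 0;
    if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwNeededSize) &&
        GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
        /* Step 2: allocate the buffer (zeroed) and fetch the label. */
        PTOKEN_MANDATORY_LABEL pTokenInfo =
            (PTOKEN_MANDATORY_LABEL)LocalAlloc(LPTR, dwNeededSize);
        if (pTokenInfo != NULL) {
            if (GetTokenInformation(hToken, TokenIntegrityLevel, pTokenInfo,
                                    dwNeededSize, &dwNeededSize)) {
                /* The integrity RID is the last sub-authority of S-1-16-X. */
                PSID pLabelSid = pTokenInfo->Label.Sid;
                UCHAR cSubAuth = *GetSidSubAuthorityCount(pLabelSid);
                if (cSubAuth > 0) {
                    *pIntegrityLevel = *GetSidSubAuthority(pLabelSid, cSubAuth - 1);
                    bReturn = TRUE;
                }
            }
            LocalFree(pTokenInfo);
        }
    }

    /* Step 3: mandatory policy of the token (best effort). Use the real
     * TOKEN_MANDATORY_POLICY struct as the buffer rather than a bare DWORD. */
    *pPolicy = TOKEN_MANDATORY_POLICY_OFF;
    if (bReturn) {
        TOKEN_MANDATORY_POLICY policy = { TOKEN_MANDATORY_POLICY_OFF };
        DWORD dwPolicySize = sizeof policy;
        if (GetTokenInformation(hToken, TokenMandatoryPolicy, &policy,
                                dwPolicySize, &dwPolicySize)) {
            *pPolicy = policy.Policy;
        }
    }

    /* Step 4: integrity label on the process object itself (its SACL). */
    *pResourceIntegrityLevel = 0; /* 0 means no label explicitly set */
    *pResourcePolicy = 0;

    PACL pSACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    DWORD dwResult = GetSecurityInfo(hProcess, SE_KERNEL_OBJECT,
                                     LABEL_SECURITY_INFORMATION,
                                     NULL, NULL, NULL, &pSACL, &pSD);
    if (dwResult == ERROR_SUCCESS) {
        /* LABEL_SECURITY_INFORMATION should return only the label ACE, but
         * verify the ACE type before reinterpreting it as a mandatory-label
         * ACE; a different ACE type has a different layout. */
        if (pSACL != NULL && pSACL->AceCount > 0) {
            SYSTEM_MANDATORY_LABEL_ACE *pACE = NULL;
            if (GetAce(pSACL, 0, (PVOID *)&pACE) && pACE != NULL &&
                pACE->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE) {
                PSID pSID = (PSID)&pACE->SidStart;
                if (IsValidSid(pSID)) {
                    UCHAR cSubAuth = *GetSidSubAuthorityCount(pSID);
                    if (cSubAuth > 0) {
                        /* Same convention as the token path: last sub-authority. */
                        *pResourceIntegrityLevel =
                            *GetSidSubAuthority(pSID, cSubAuth - 1);
                        *pResourcePolicy = pACE->Mask;
                    }
                }
            }
        }
        /* pSD owns pSACL and was allocated on our behalf; LocalFree(NULL) is a no-op. */
        LocalFree(pSD);
    }

    CloseHandle(hToken);
    return bReturn;
}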
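/*
 * Entry point: print the integrity level and mandatory policy of the current
 * process's token, then the integrity label stored on the process object.
 * Returns 0 on success, 1 if the query failed.
 */
int _tmain()
{
    DWORD IntegrityLevel = 0, Policy = 0, ResourceIntegrityLevel = 0, ResourcePolicy = 0;

    /*
     * First argument: the process handle (the current-process pseudo-handle
     * here). Arguments two to five: four DWORD pointers that receive the
     * results.
     */
    if (!GetProcessIntegrityLevel(GetCurrentProcess(), &IntegrityLevel,
                                  &Policy, &ResourceIntegrityLevel, &ResourcePolicy)) {
        _tprintf(_T("GetProcessIntegrityLevel failed, error %lu\n"), GetLastError());
        _gettchar();
        return 1;
    }

    /* _T() keeps the literals correct for both ANSI and UNICODE builds
     * (a bare L"..." only matches _tprintf when UNICODE is defined);
     * DWORD is unsigned long, hence %lX. */
    _tprintf(_T("IntegrityLevel=%lX\n"), IntegrityLevel);
    _tprintf(_T("Policy=%lX\n"), Policy);
    _tprintf(_T("ResourceIntegrityLevel=%lX\n"), ResourceIntegrityLevel);
    _tprintf(_T("ResourcePolicy=%lX\n"), ResourcePolicy);

    _gettchar();
    return 0;
}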
内存内核对象
令牌