进程的内核对象是等着别人拿着令牌访问我们的

    令牌是我们拿着令牌区访问别人的内核对象的,与别的安全描述符权限比较

    windows完整性机制:是对windows安全授权的一个补充

    安全模块在拿token和安全描述符SECURITY_DESCRIPTOR比照之前,还会做一个完整性检查的工作

    完整性等级低的不能访问完整性等级高的,如果没有设置,内核对象会设置默认的完整性等级medium。

    让进程在一个低完整性等级下运行。

    1. BOOL GetProcessIntegrityLevel(HANDLE hProcess, PDWORD pIntegrityLevel, 
    2.    PDWORD pPolicy, PDWORD pResourceIntegrityLevel, PDWORD pResourcePolicy){}

    pIntegrityLevel:完整性等级,高的完整性等级是3000,中的是2000

    Value Description Symbol
    0x0000 Untrusted level SECURITY_MANDATORY_UNTRUSTED_RID
    0x1000 Low integrity level SECURITY_MANDATORY_LOW_RID
    0x2000 Medium integrity level SECURITY_MANDATORY_MEDIUM_RID
    0x3000 High integrity level SECURITY_MANDATORY_HIGH_RID
    0x4000 System integrity level SECURITY_MANDATORY_SYSTEM_RID

    pPolicy:策略等级

    Value Meaning
    TOKEN_MANDATORY_POLICY_OFF
    0x0    		 No mandatory integrity policy is enforced for the token.
    TOKEN_MANDATORY_POLICY_NO_WRITE_UP
    0x1    		 A process associated with the token cannot write to objects that have a greater mandatory integrity level.
    TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN
    0x2    		 A process created with the token has an integrity level that is the lesser of the parent-process integrity level and the executable-file integrity level.
    TOKEN_MANDATORY_POLICY_VALID_MASK
    0x3    		 A combination of TOKEN_MANDATORY_POLICY_NO_WRITE_UP and TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN.

    完整代码如下

    1. #include<Windows.h>
    2. #include<tchar.h>
    3. #include"Aclapi.h"
    5. BOOL GetProcessIntegrityLevel(HANDLE hProcess, PDWORD pIntegrityLevel, 
    6.    PDWORD pPolicy, PDWORD pResourceIntegrityLevel, PDWORD pResourcePolicy) {
    8.    HANDLE hToken = NULL;
    9.    if (!OpenProcessToken(hProcess, TOKEN_READ, &hToken)) {
    10.       return(FALSE);
    11.    }
    13.    BOOL bReturn = FALSE;
    15.    // First, compute the size of the buffer to get the Integrity level
    16.    DWORD dwNeededSize = 0;
    17.    if (!GetTokenInformation(
    18.       hToken, TokenIntegrityLevel, NULL, 0, &dwNeededSize)) {
    20.       PTOKEN_MANDATORY_LABEL pTokenInfo = NULL;
    21.       if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
    22.          // Second, allocate a memory block with the the required size 
    23.          pTokenInfo = (PTOKEN_MANDATORY_LABEL)LocalAlloc(0, dwNeededSize);
    24.          if (pTokenInfo != NULL) {
    25.             // And finally, ask for the integrity level
    26.             if (GetTokenInformation(hToken, TokenIntegrityLevel, pTokenInfo, 
    27.                dwNeededSize, &dwNeededSize)) {
    29.                *pIntegrityLevel = 
    30.                   *GetSidSubAuthority(
    31.                      pTokenInfo->Label.Sid, 
    32.                      (*GetSidSubAuthorityCount(pTokenInfo->Label.Sid)-1)
    33.                      );
    34.                bReturn = TRUE;
    35.             }
    37.             // Don't forget to free the memory
    38.             LocalFree(pTokenInfo);
    39.          }
    40.       }
    41.    }
    43.    // Try to get the policy if the integrity level was available
    44.    if (bReturn) {
    45.       *pPolicy = TOKEN_MANDATORY_POLICY_OFF;
    46.       dwNeededSize = sizeof(DWORD);
    47.       GetTokenInformation(hToken, TokenMandatoryPolicy, pPolicy, 
    48.          dwNeededSize, &dwNeededSize);
    49.    }
    51.    // Look for the resource policy
    52.    *pResourceIntegrityLevel = 0; // 0 means none explicitely set
    53.    *pResourcePolicy = 0;
    55.    PACL pSACL = NULL;
    56.    PSECURITY_DESCRIPTOR pSD = NULL;
    57.    DWORD dwResult = ERROR_SUCCESS;
    59.    // Look for the no-read-up/no-write-up policy in the SACL
    60.    if (hToken != NULL) {
    61.       dwResult = 
    62.          GetSecurityInfo(
    63.             hProcess, SE_KERNEL_OBJECT,
    64.             LABEL_SECURITY_INFORMATION,
    65.             NULL, NULL, NULL, 
    66.             &pSACL, &pSD
    67.           );
    68.       if (dwResult == ERROR_SUCCESS) {
    69.          if (pSACL != NULL) {
    70.             SYSTEM_MANDATORY_LABEL_ACE* pACE = NULL;
    71.             if ((pSACL->AceCount > 0) && (GetAce(pSACL, 0, (PVOID*)&pACE))) {
    72.                if (pACE != NULL) {
    73.                   SID* pSID = (SID*)(&pACE->SidStart);
    74.                   *pResourceIntegrityLevel = pSID->SubAuthority[0];
    75.                   *pResourcePolicy = pACE->Mask;
    76.                }
    77.             }
    78.          }
    79.       }
    81.       // Cleanup memory allocated on our behalf
    82.       if (pSD != NULL) LocalFree(pSD); 
    83.    }
    86.    // Don't forget to close the token handle.
    87.    CloseHandle(hToken);
    89.    return(bReturn);   
    90. }
    92. int _tmain()
    93. {
    94.     DWORD IntegrityLevel,Policy,ResourceIntegrityLevel,ResourcePolicy;
    96.     /*
    97.     第一个参数,是进程句柄
    98.     第二到第五个参数,是四个DWORD类型的指针
    99.     */
    100.     GetProcessIntegrityLevel(GetCurrentProcess(),&IntegrityLevel,
    101.         &Policy,&ResourceIntegrityLevel,&ResourcePolicy);
    103.     _tprintf(L"IntegrityLevel=%0X\n",IntegrityLevel);
    104.     _tprintf(L"Policy=%0X\n",Policy);
    105.     _tprintf(L"ResourceIntegrityLevel=%0X\n",ResourceIntegrityLevel);
    106.     _tprintf(L"ResourcePolicy=%0X\n",ResourcePolicy);
    108.     _gettchar();
    110.     return 0;
    111. }

    内存内核对象
    令牌