JOBOBJECT_END_OF_JOB_TIME_INFORMATION结构体
typedef struct _JOBOBJECT_END_OF_JOB_TIME_INFORMATION {DWORD EndOfJobTimeAction;} JOBOBJECT_END_OF_JOB_TIME_INFORMATION, PJOBOBJECT_END_OF_JOB_TIME_INFORMATION;
- JOB_OBJECT_TERMINATE_AT_END_OF_JOB:
如果这个值被赋予EndOfJobTimeAction,那么当Job的用户时间耗尽的时候,Job中的进程自动终止。
- JOB_OBJECT_POST_AT_END_OF_JOB:
如果这个值被赋予EndOfJobTimeAction,那么当Job的用户时间耗尽的时候,Job中的作业有可能会继续运行。如果这个作业没有和小端口做联系的话,那么作业中的进程依然终止。
JOBOBJECT_SECURITY_LIMIT_INFORMATION
typedef struct _JOBOBJECT_SECURITY_LIMIT_INFORMATION {DWORD SecurityLimitFlags;//表示结构体中,其他几个成员变量中,那个成员变量起作用。HANDLE JobToken;PTOKEN_GROUPS SidsToDisable;PTOKEN_PRIVILEGES PrivilegesToDelete;PTOKEN_GROUPS RestrictedSids;} JOBOBJECT_SECURITY_LIMIT_INFORMATION, *PJOBOBJECT_SECURITY_LIMIT_INFORMATION;
- SecurityLimitFlags: JOB_OBJECT_SECURITY_FILTER_TOKENS
表示SidsToDisable、PrivilegesToDelete、RestrictedSids三个变量中,至少有一个不是NULL JOB_OBJECT_SECURITY_NO_ADMIN 作业中的进程,不能使用管理员令牌
JOB_OBJECT_SECURITY_ONLY_TOKEN 强制作业中的进程,使用结构体中JobToken参数给定的令牌。
JOB_OBJECT_SECURITY_RESTRICTED_TOKEN 作业中的进程使用的令牌,必须有CreateRestrictedToken函数创建,否则就不行!
windows中的权限
SID 就相当于身份证号
token 令牌,令牌上面,有你的身份证号,当然也有可能有其他身份证号,还有,你能干那些事。特权。
Privilege 特权。
SecurityDescriptor 安全描述符?
job通知的接收
#include<Windows.h>#include<tchar.h>BOOL WatchJob(HANDLE hJob, LPTHREAD_START_ROUTINE Proc);DWORD WINAPI ThreadProc(LPVOID lParam);/*int _tmain(){HANDLE hJob = CreateJobObject(NULL, L"ydm");STARTUPINFO si;PROCESS_INFORMATION pi;ZeroMemory(&si, sizeof(si));si.cb = sizeof(si);ZeroMemory(&pi, sizeof(pi));CreateProcess(L"C:\\Users\\Administrator\\Desktop\\TSTCON32.EXE", NULL, NULL,NULL, FALSE, 0, NULL, NULL, &si, &pi);BOOL re=AssignProcessToJobObject(hJob, pi.hProcess);//........//设置了一些限制。//我现在要查看我的作业中施加了那些限制?JOBOBJECT_EXTENDED_LIMIT_INFORMATION info = { 0 };re=QueryInformationJobObject(hJob, JobObjectExtendedLimitInformation, &info,sizeof(info),NULL);return 0;}int _tmain(){HANDLE hJob = CreateJobObject(NULL, L"ydm");STARTUPINFO si;PROCESS_INFORMATION pi;ZeroMemory(&si, sizeof(si));si.cb = sizeof(si);ZeroMemory(&pi, sizeof(pi));CreateProcess(L"C:\\Users\\Administrator\\Desktop\\TSTCON32.EXE", NULL, NULL,NULL, FALSE, 0, NULL, NULL, &si, &pi);BOOL re = AssignProcessToJobObject(hJob, pi.hProcess);//........//设置了一些限制。//我现在要查看我的作业中施加了那些限制?JOBOBJECT_EXTENDED_LIMIT_INFORMATION info = { 0 };re = QueryInformationJobObject(hJob, JobObjectExtendedLimitInformation, &info, sizeof(info), NULL);return 0;}
完成端口:监听某个可以进行Overlapped操作的内核对象上的事件。
我们可以监视到的作业中的事件:
JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS Indicates that a process associated with the job exited with an exit code that indicates an abnormal exit (see the list following this table).The value of lpOverlapped is the identifier of the exiting process.
JOB_OBJECT_MSG_ACTIVE_PROCESS_LIMIT Indicates that the active process limit has been exceeded. The value of lpOverlapped is NULL.
JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO Indicates that the active process count has been decremented to 0. For example, if the job currently has two active processes, the system sends this message after they both terminate. The value of lpOverlapped is NULL.
JOB_OBJECT_MSG_END_OF_JOB_TIME Indicates that the JOB_OBJECT_POST_AT_END_OF_JOB option is in effect and the end-of-job time limit has been reached. Upon posting this message, the time limit is canceled and the job’s processes can continue to run. The value of lpOverlapped is NULL.
JOB_OBJECT_MSG_END_OF_PROCESS_TIME Indicates that a process has exceeded a per-process time limit. The system sends this message after the process termination has been requested. The value of lpOverlapped is the identifier of the process that exceeded its limit.
JOB_OBJECT_MSG_EXIT_PROCESS Indicates that a process associated with the job has exited. The value of lpOverlapped is the identifier of the exiting process.
JOB_OBJECT_MSG_JOB_MEMORY_LIMIT Indicates that a process associated with the job caused the job to exceed the job-wide memory limit (if one is in effect). The value of lpOverlapped specifies the identifier of the process that has attempted to exceed the limit. The system does not send this message if the process has not yet reported its process identifier.
JOB_OBJECT_MSG_NEW_PROCESS Indicates that a process has been added to the job. Processes added to a job at the time a completion port is associated are also reported. The value of lpOverlapped is the identifier of the process added to the job.
JOB_OBJECT_MSG_PROCESS_MEMORY_LIMIT Indicates that a process associated with the job has exceeded its memory limit (if one is in effect). The value of lpOverlapped is the identifier of the process that has exceeded its limit. The system does not send this message if the process has not yet reported its process identifier.
JOBOBJECT_EXTENDED_LIMIT_INFORMATION
typedef struct _JOBOBJECT_EXTENDED_LIMIT_INFORMATION {JOBOBJECT_BASIC_LIMIT_INFORMATION BasicLimitInformation;IO_COUNTERS IoInfo;SIZE_T ProcessMemoryLimit;SIZE_T JobMemoryLimit;SIZE_T PeakProcessMemoryUsed;SIZE_T PeakJobMemoryUsed;} JOBOBJECT_EXTENDED_LIMIT_INFORMATION, *PJOBOBJECT_EXTENDED_LIMIT_INFORMATION;
这个比较简单,大家看一下都明白了!
LimitFlags这个变量来说明,我们要设置哪一个变量的值。
JOBOBJECT_BASIC_UI_RESTRICTIONS
typedef struct _JOBOBJECT_BASIC_UI_RESTRICTIONS {DWORD UIRestrictionsClass;} JOBOBJECT_BASIC_UI_RESTRICTIONS, *PJOBOBJECT_BASIC_UI_RESTRICTIONS;
这个变量赋予不同的值,会产生不同的限制。
用户界面的限制类。该成员可以是以下值中的一个或多个
| 参数 | 解释 | 中文解释 |
|---|---|---|
| JOB_OBJECT_UILIMIT_DESKTOP |
0x00000040 | Prevents processes associated with the job from creating desktops and switching desktops using the CreateDesktop and SwitchDesktop functions.
| 防止与作业关联的进程使用 CreateDesktop 和 SwitchDesktop 函数创建桌面和切换桌面。 |
| JOB_OBJECT_UILIMIT_DISPLAYSETTINGS
0x00000010 | Prevents processes associated with the job from calling the ChangeDisplaySettings function. | 防止与作业关联的进程调用 ChangeDisplaySettings 函数。 |
| JOB_OBJECT_UILIMIT_EXITWINDOWS
0x00000080 | Prevents processes associated with the job from calling the ExitWindows or ExitWindowsEx function. | 防止与作业关联的进程调用 ExitWindows 或 ExitWindowsEx 函数。 |
| JOB_OBJECT_UILIMIT_GLOBALATOMS
0x00000020 | Prevents processes associated with the job from accessing global atoms. When this flag is used, each job has its own atom table. | 防止与作业关联的进程访问全局原子。使用此标志时,每个作业都有自己的原子表。 |
| JOB_OBJECT_UILIMIT_HANDLES
0x00000001 | Prevents processes associated with the job from using USER handles owned by processes not associated with the same job.
| 防止与作业关联的进程使用不与同一作业关联的进程拥有的 USER 句柄。 |
| JOB_OBJECT_UILIMIT_READCLIPBOARD
0x00000002 | Prevents processes associated with the job from reading data from the clipboard. | 防止与作业关联的进程从剪贴板读取数据。 |
| JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS
0x00000008 | Prevents processes associated with the job from changing system parameters by using the SystemParametersInfo function.
| 使用 SystemParametersInfo 函数防止与作业关联的进程更改系统参数。 |
| JOB_OBJECT_UILIMIT_WRITECLIPBOARD
0x00000004 | Prevents processes associated with the job from writing data to the clipboard. | 防止与作业关联的进程将数据写入剪贴板。 |
创建一个桌面
int _tmain(){HANDLE hJob = CreateJobObject(NULL, L"ydm");JOBOBJECT_BASIC_UI_RESTRICTIONS info = { 0 };info.UIRestrictionsClass = JOB_OBJECT_UILIMIT_DESKTOP;AssignProcessToJobObject(hJob, GetCurrentProcess());SetInformationJobObject(hJob, JobObjectBasicUIRestrictions, &info, sizeof(info));HDESK hDesk = CreateDesktop(L"hello", NULL, NULL, 0, GENERIC_ALL, NULL);HDESK hDesk_old = GetThreadDesktop(GetCurrentThreadId());SwitchDesktop(hDesk);SetThreadDesktop(hDesk);MessageBox(NULL, L"abc", L"abc", 0);SwitchDesktop(hDesk_old);CloseDesktop(hDesk);_gettchar();return 0;}
遍历系统句柄,并施加限制条件
代码中施加限制条件后,就不能遍历系统句柄,去掉施加条件就可以变量系统句柄
SetInformationJobObject(hJob, JobObjectBasicUIRestrictions, &info, sizeof(info));
BOOL CALLBACK EnumWindowsProc(__in HWND hwnd,__in LPARAM lParam){_tprintf(L"%d\n", hwnd);return TRUE;}int _tmain(){HANDLE hJob = CreateJobObject(NULL, L"ydm");JOBOBJECT_BASIC_UI_RESTRICTIONS info = { 0 };info.UIRestrictionsClass = JOB_OBJECT_UILIMIT_HANDLES;AssignProcessToJobObject(hJob, GetCurrentProcess());//施加限制条件后,就不能遍历系统句柄,去掉施加条件就可以变量系统句柄SetInformationJobObject(hJob, JobObjectBasicUIRestrictions, &info, sizeof(info));EnumWindows(EnumWindowsProc, 10);_gettchar();return 0;}
若有收获,就点个赞吧
0 人点赞
