2009-12-15 44 views

我有一段修改进程DACL的遗留C++代码,现在想改用.NET 3.5中的托管类来实现。我在网上找到一段代码,其中有人创建了一个SetAclOnServices类,通过扩展NativeObjectSecurity类来处理服务。我以为只要把ResourceType.Service改成ResourceType.KernelObject就能实现,但调用GetAccessControl时却失败了,并报出File Not Found错误。有没有办法在C#中修改进程的DACL?

回答


圣诞快乐。

/// <summary>
/// Managed view of the security descriptor attached to a process handle, built on
/// <see cref="NativeObjectSecurity"/> with <see cref="ResourceType.KernelObject"/>.
/// Only the discretionary ACL (<see cref="AccessControlSections.Access"/>) is read
/// and written; audit rules are deliberately not implemented.
/// </summary>
/// <remarks>
/// Rules added through <see cref="AddAccessRule"/> only change this in-memory object;
/// nothing reaches the process until <see cref="SaveChanges"/> is called.
/// NOTE(review): the handle presumably needs READ_CONTROL to load the DACL and
/// WRITE_DAC to persist it (see the comments on ProcessAccessRights) - confirm
/// against how the caller opens the process.
/// NOTE(review): a process DACL is normally evaluated when a handle is opened, so
/// handles that already exist, the object owner, and accounts holding debug
/// privilege are likely unaffected by a deny rule - do not treat this as a
/// tamper-proof boundary without verifying it for your threat model.
/// </remarks>
public class ProcessSecurity : NativeObjectSecurity
{
    /// <summary>
    /// Loads the access (DACL) section of the security descriptor of the kernel
    /// object referenced by <paramref name="processHandle"/>.
    /// </summary>
    /// <param name="processHandle">Open handle to the target process.</param>
    public ProcessSecurity(SafeHandle processHandle)
        : base(false /* isContainer */, ResourceType.KernelObject, processHandle, AccessControlSections.Access)
    {
    }

    /// <summary>Enum type used to express access masks for this object.</summary>
    public override Type AccessRightType
    {
        get
        {
            return typeof(ProcessAccessRights);
        }
    }

    /// <summary>Concrete rule type produced by <see cref="AccessRuleFactory"/>.</summary>
    public override Type AccessRuleType
    {
        get
        {
            return typeof(ProcessAccessRule);
        }
    }

    /// <summary>Audit rules are not supported; reading this property always throws.</summary>
    /// <exception cref="NotImplementedException">Always.</exception>
    public override Type AuditRuleType
    {
        get
        {
            throw new NotImplementedException();
        }
    }

    /// <summary>
    /// Builds a <see cref="ProcessAccessRule"/> from the raw ACE fields, reinterpreting
    /// the integer mask as <see cref="ProcessAccessRights"/>.
    /// </summary>
    public override AccessRule AccessRuleFactory(IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AccessControlType type)
    {
        ProcessAccessRights rights = (ProcessAccessRights)accessMask;
        return new ProcessAccessRule(identityReference, rights, isInherited, inheritanceFlags, propagationFlags, type);
    }

    /// <summary>Audit rules are not supported; this factory always throws.</summary>
    /// <exception cref="NotImplementedException">Always.</exception>
    public override AuditRule AuditRuleFactory(IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags flags)
    {
        throw new NotImplementedException();
    }

    /// <summary>
    /// Adds <paramref name="rule"/> to the in-memory DACL. The change is not applied
    /// to the process until <see cref="SaveChanges"/> is called.
    /// </summary>
    /// <param name="rule">Allow or deny rule to add.</param>
    public void AddAccessRule(ProcessAccessRule rule)
    {
        // The explicit base. qualifier matters: an unqualified call would bind to
        // this more specific overload and recurse.
        base.AddAccessRule(rule);
    }

    /// <summary>
    /// Writes the DACL held by this object to the process behind
    /// <paramref name="processHandle"/>. Partial implementation: only the access
    /// section is persisted, never owner, group or audit data.
    /// </summary>
    /// <param name="processHandle">Open handle to the process whose DACL is replaced.</param>
    public void SaveChanges(SafeHandle processHandle)
    {
        Persist(processHandle, AccessControlSections.Access);
    }
}

/// <summary>
/// Access rule (one allow or deny ACE) whose mask is expressed as
/// <see cref="ProcessAccessRights"/> instead of a raw integer.
/// </summary>
public class ProcessAccessRule : AccessRule
{
    /// <summary>
    /// Creates a rule for <paramref name="identityReference"/>; the typed mask is
    /// converted to <c>int</c> and handed to the <see cref="AccessRule"/> base.
    /// </summary>
    public ProcessAccessRule(
        IdentityReference identityReference,
        ProcessAccessRights accessMask,
        bool isInherited,
        InheritanceFlags inheritanceFlags,
        PropagationFlags propagationFlags,
        AccessControlType type)
        : base(identityReference, (int)accessMask, isInherited, inheritanceFlags, propagationFlags, type)
    {
    }

    /// <summary>The rule's access mask, viewed as <see cref="ProcessAccessRights"/> flags.</summary>
    public ProcessAccessRights ProcessAccessRights
    {
        get
        {
            return (ProcessAccessRights)AccessMask;
        }
    }
}

/// <summary>
/// Access-mask bits for a process object: the standard rights shared by all
/// securable objects plus the process-specific rights.
/// </summary>
[Flags]
public enum ProcessAccessRights
{
    // ---- Standard rights ----

    // Delete the object.
    DELETE = 0x00010000,

    // Read the security descriptor, excluding the SACL. Reading or writing the
    // SACL needs the separate ACCESS_SYSTEM_SECURITY right.
    READ_CONTROL = 0x00020000,

    // Modify the DACL in the object's security descriptor.
    WRITE_DAC = 0x00040000,

    // Change the owner in the object's security descriptor.
    WRITE_OWNER = 0x00080000,

    // The four standard rights above, combined.
    STANDARD_RIGHTS_REQUIRED = 0x000F0000,

    // Wait for the process to terminate using the wait functions.
    SYNCHRONIZE = 0x00100000,

    // ---- Process-specific rights ----

    // Terminate the process with TerminateProcess.
    PROCESS_TERMINATE = 0x0001,

    // Create a thread in the process.
    PROCESS_CREATE_THREAD = 0x0002,

    // Operate on the process address space (see VirtualProtectEx and WriteProcessMemory).
    PROCESS_VM_OPERATION = 0x0008,

    // Read process memory with ReadProcessMemory.
    PROCESS_VM_READ = 0x0010,

    // Write process memory with WriteProcessMemory.
    PROCESS_VM_WRITE = 0x0020,

    // Duplicate a handle with DuplicateHandle.
    PROCESS_DUP_HANDLE = 0x0040,

    // Create a process.
    PROCESS_CREATE_PROCESS = 0x0080,

    // Set memory limits with SetProcessWorkingSetSize.
    PROCESS_SET_QUOTA = 0x0100,

    // Set process information such as the priority class (see SetPriorityClass).
    PROCESS_SET_INFORMATION = 0x0200,

    // Retrieve process information such as its token, exit code and priority class
    // (see OpenProcessToken, GetExitCodeProcess, GetPriorityClass, IsProcessInJob).
    PROCESS_QUERY_INFORMATION = 0x0400,

    // Suspend or resume the process.
    PROCESS_SUSPEND_RESUME = 0x0800,

    // Reduced query right; the original listing carries no description for it.
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000,

    // Standard rights, SYNCHRONIZE and the low twelve process-specific bits (0xFFF).
    // This mask does NOT contain PROCESS_QUERY_LIMITED_INFORMATION (0x1000), so an
    // allow or deny rule built from it leaves that right untouched. The Windows SDK
    // widens the low mask to 0xFFFF when targeting Vista and later; the narrower
    // value is kept here unchanged.
    PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF,
}

谢谢,也祝你圣诞快乐!我已经照此实现,并添加了一个SafeHandle类,进程的安全描述符可以被修改了,但它似乎没有达到我想要的效果。我想拒绝对该程序的终止权限。我在添加拒绝规则之前和之后分别获取了安全描述符,看起来应该可以生效,但我仍然可以终止该程序。我是否需要在进程的安全描述符上设置访问控制? – 2009-12-16 19:35:54


这可能与您是所有者这一事实有关——可能存在一些未公开的特殊情况处理,会对ACL进行自动权限扩展。拒绝ACE*应该*总是优先于允许ACE。也许可以尝试更改所有者,看看是否有影响。 – nitzmahone 2009-12-16 20:54:45


对不起,是的——您需要添加对受保护的Persist方法的调用,才能将ACL写入进程。我之前没有仔细查看NativeObjectSecurity。我添加了一个“SaveChanges”方法,它将进程句柄传递给Persist,这样就可以了。 – nitzmahone 2009-12-16 21:14:35
