
[개요]

Windows OS에서 실행되는 Process의 Integrity Level을 체크해 봅시다. 

Integrity Level이란?

https://msdn.microsoft.com/en-us/library/bb625957.aspx


[코딩]

* Windows SDK 8.1 이상에는 `TOKEN_MANDATORY_LABEL`, `SECURITY_MANDATORY_*_RID`, `TokenIntegrityLevel`, `TokenIsAppContainer`가 이미 헤더에 정의되어 있어 그대로 사용할 수 있지만, 그 이전 SDK에서는 아래와 같이 직접 정의해 주어야 합니다. 어느 쪽인지는 `WIN81SDK` 매크로 값으로 구분합니다 (중복 정의하면 컴파일 오류가 납니다).

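#include "stdafx.h"
#include <windows.h>
#include <Tlhelp32.h>
#include <process.h>

// SDK switch for the fallback definitions below.
//   1 -> building with the Windows 8.1 SDK (or newer): the headers already
//        declare TOKEN_MANDATORY_LABEL, the SECURITY_MANDATORY_*_RID values and
//        the TokenIntegrityLevel / TokenIsAppContainer classes, so defining
//        them again would be a redefinition error. This is the configuration
//        the original listing effectively compiled with (see next note).
//   0 -> older SDK that lacks them: compile the fallback block.
#define WIN81SDK 1

// NOTE(review): the original wrote `#define WIN81SDK 0` followed by
// `#ifndef WIN81SDK`. Once a macro is defined, even as 0, `#ifndef` is false,
// so the fallback block was dead code and the switch did nothing. Test the
// macro's value instead so that setting it to 0 actually enables the block.
#if !WIN81SDK
typedef struct _TOKEN_MANDATORY_LABEL {
	SID_AND_ATTRIBUTES Label;
} TOKEN_MANDATORY_LABEL, *PTOKEN_MANDATORY_LABEL;

// Integrity-level RIDs: the value lives in the last sub-authority of the
// token's mandatory-label SID. (Original had a typo "ECURITY_..._UNTRUSTED_RID".)
#define SECURITY_MANDATORY_UNTRUSTED_RID         0x00000000
#define SECURITY_MANDATORY_LOW_RID               0x00001000
#define SECURITY_MANDATORY_MEDIUM_RID            0x00002000
#define SECURITY_MANDATORY_MEDIUM_PLUS_RID       (SECURITY_MANDATORY_MEDIUM_RID + 0x100)
#define SECURITY_MANDATORY_HIGH_RID              0x00003000
#define SECURITY_MANDATORY_SYSTEM_RID            0x00004000
#define SECURITY_MANDATORY_PROTECTED_PROCESS_RID 0x00005000

// TOKEN_INFORMATION_CLASS values used with GetTokenInformation.
#define TokenIntegrityLevel  ((TOKEN_INFORMATION_CLASS)25)
#define TokenIsAppContainer  ((TOKEN_INFORMATION_CLASS)29)
#endif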

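// Enables the named privilege (e.g. SE_DEBUG_NAME) in the current process
// token.
//
// Returns TRUE only when the privilege is actually enabled afterwards. Returns
// FALSE when the process token cannot be opened, the privilege name is
// unknown, or the token does not hold the privilege at all (in which case
// AdjustTokenPrivileges *succeeds* but sets ERROR_NOT_ALL_ASSIGNED).
//
// Fixes versus the original:
//  * AdjustTokenPrivileges returns a BOOL, not a Win32 error code. The original
//    compared that BOOL against ERROR_NOT_ALL_ASSIGNED (1300), which can never
//    be equal, so it reported success even when the privilege was not held.
//    For SeDebugPrivilege that misleads the caller into believing it can open
//    arbitrary processes.
//  * The token handle was leaked on the LookupPrivilegeValue and
//    AdjustTokenPrivileges failure paths; it is now closed on every path.
//  * The disable-then-enable dance through a PreviousState buffer (whose
//    Attributes were OR'ed without being initialised on the not-held path) is
//    replaced by a single enable call; the end state is identical.
BOOL SetPrivilege(LPCTSTR lpszPrivilege)
{
	HANDLE hToken = NULL;
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
		return FALSE;
	}

	BOOL bEnabled = FALSE;
	LUID luid;
	if (LookupPrivilegeValue(NULL, lpszPrivilege, &luid)) {
		TOKEN_PRIVILEGES tp;
		tp.PrivilegeCount = 1;
		tp.Privileges[0].Luid = luid;
		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

		// Non-zero return means the call itself succeeded; whether *all*
		// requested privileges were adjusted is reported via GetLastError().
		if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)
			&& GetLastError() != ERROR_NOT_ALL_ASSIGNED) {
			bEnabled = TRUE;
		}
	}

	::CloseHandle(hToken);
	return bEnabled;
}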

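// Prints the integrity level of the process behind hProcess, tagged with its
// PID and image name.
//
// hProcess must carry an access right sufficient for OpenProcessToken with
// TOKEN_QUERY; szProccessName is only echoed into the output. The function is
// best-effort: if the token or its mandatory label cannot be read, nothing is
// printed. The token handle and the label buffer are released on every path.
//
// Fixes versus the original:
//  * Integrity level 0 (Untrusted) is a legitimate level used by sandboxed
//    processes and anonymous tokens, not an "Error"; it is reported as such.
//  * Low was matched only by `== SECURITY_MANDATORY_LOW_RID`; values between
//    Low and Medium fell into a garbled catch-all message. Ranges are now used
//    consistently for every band, so the catch-all is gone.
//  * If the TokenIsAppContainer query fails (it does not exist before Windows
//    8), a Low process printed nothing at all. It is now reported as Low.
//  * TokenIsAppContainer is documented as non-zero for an AppContainer, so the
//    test is `!= 0` rather than `== 1`.
void ShowProcessIntegrityLevel(TCHAR* szProccessName, HANDLE hProcess, DWORD dwProcessId)
{
	HANDLE hToken = NULL;
	if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) {
		return;
	}

	// Two-call pattern: the first call only tells us how large the label is.
	DWORD dwLengthNeeded = 0;
	if (GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwLengthNeeded)
		|| GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
		CloseHandle(hToken);
		return;
	}

	PTOKEN_MANDATORY_LABEL pTIL = (PTOKEN_MANDATORY_LABEL)LocalAlloc(0, dwLengthNeeded);
	if (pTIL == NULL) {
		CloseHandle(hToken);
		return;
	}

	if (GetTokenInformation(hToken, TokenIntegrityLevel, pTIL, dwLengthNeeded, &dwLengthNeeded)) {
		// The integrity level is the last sub-authority of the label SID.
		DWORD dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid,
			(DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid) - 1));

		if (dwIntegrityLevel < SECURITY_MANDATORY_LOW_RID) {
			// Untrusted (0x0000): e.g. heavily sandboxed renderer processes.
			wprintf(L"[%d][%s][%x]  Untrusted Process\r\n", dwProcessId, szProccessName, dwIntegrityLevel);
		}
		else if (dwIntegrityLevel < SECURITY_MANDATORY_MEDIUM_RID) {
			// Low (0x1000 .. 0x1FFF). AppContainer tokens also run at Low, so
			// distinguish them when the OS supports the query; otherwise (or on
			// failure) fall back to reporting plain Low rather than staying silent.
			DWORD dwAppContainer = 0;
			DWORD dwDummy = 0;
			BOOL bQueried = ::GetTokenInformation(hToken, TokenIsAppContainer,
				&dwAppContainer, sizeof(dwAppContainer), &dwDummy);
			if (bQueried && dwAppContainer != 0) {
				wprintf(L"[%d][%s]	This Process AppContanier \r\n", dwProcessId, szProccessName);
			}
			else {
				wprintf(L"[%d][%s]	Low Process \r\n", dwProcessId, szProccessName);
			}
		}
		else if (dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID) {
			// Medium (0x2000 .. 0x2FFF), including Medium-Plus.
			wprintf(L"[%d][%s][%x]  Medium Process\r\n", dwProcessId, szProccessName, dwIntegrityLevel);
		}
		else if (dwIntegrityLevel < SECURITY_MANDATORY_SYSTEM_RID) {
			// High (0x3000 .. 0x3FFF): elevated processes.
			wprintf(L"[%d][%s][%x]  High Integrity Process\r\n", dwProcessId, szProccessName, dwIntegrityLevel);
		}
		else {
			// System (0x4000) and above; protected processes (0x5000) land here too.
			wprintf(L"[%d][%s][%x]  System Integrity Process\r\n", dwProcessId, szProccessName, dwIntegrityLevel);
		}
	}

	LocalFree(pTIL);
	CloseHandle(hToken);
}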

[사용법]

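// Entry point: enables SeDebugPrivilege (best effort), takes a Toolhelp
// snapshot of all processes and prints each one's integrity level.
// Returns 0 on success and 1 when the snapshot cannot be taken or walked.
//
// Fixes versus the original:
//  * Processes were opened with PROCESS_ALL_ACCESS although the only thing
//    done with the handle is OpenProcessToken(TOKEN_QUERY). Requesting the
//    minimum right is least privilege and also lets the open succeed on
//    processes where the broad request would be denied.
//  * The result of SetPrivilege was ignored; a failure is now reported on
//    stderr so the user knows why some processes are missing from the list.
//  * Error paths returned FALSE (0), which a shell reads as success.
int _tmain(int argc, _TCHAR* argv[])
{
	// SeDebugPrivilege lets OpenProcess succeed on other users' processes. It is
	// optional: without it the loop simply skips what it cannot open.
	if (!SetPrivilege(SE_DEBUG_NAME)) {
		fwprintf(stderr, L"SeDebugPrivilege not enabled; some processes will be skipped\r\n");
	}

	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hSnapshot == NULL || hSnapshot == INVALID_HANDLE_VALUE) {
		return 1;
	}

	PROCESSENTRY32W pe;
	ZeroMemory(&pe, sizeof(pe));
	pe.dwSize = sizeof(pe);  // Toolhelp rejects the entry unless dwSize is set

	if (!Process32First(hSnapshot, &pe)) {
		CloseHandle(hSnapshot);
		return 1;
	}

	do {
		// OpenProcessToken(TOKEN_QUERY) needs PROCESS_QUERY_INFORMATION
		// (PROCESS_QUERY_LIMITED_INFORMATION is documented as sufficient on
		// Vista and later and can be used if the target SDK defines it).
		HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pe.th32ProcessID);
		if (hProcess != NULL && hProcess != INVALID_HANDLE_VALUE) {
			ShowProcessIntegrityLevel(pe.szExeFile, hProcess, pe.th32ProcessID);
			CloseHandle(hProcess);
		}
		//else {
		//	wprintf(L"[%s][%d] Open FAIL Process\r\n", pe.szExeFile, pe.th32ProcessID);
		//}
	} while (Process32Next(hSnapshot, &pe));

	CloseHandle(hSnapshot);
	hSnapshot = NULL;

	// NOTE(review): debugging convenience only. system() spawns a command
	// interpreter via %COMSPEC%; drop it (or use _getch()) in anything that ships.
	system("pause");
	return 0;
}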


Posted by 최우림 -=HaeJuK=-
