以独占方式打开一个文件,然后将文件的句柄复制到另一个进程,比如复制到System进程,然后自己的进程就可以退出。在Ring3下只要句柄没有关闭,别人就删除不了文件。
/*
 * Sample illustrating the "handle held in a foreign process" file-locking
 * trick described above: the file is opened with no (or read-only) sharing and
 * the handle is duplicated into another process, so the lock outlives this
 * process. Annotated here for understanding, detection and mitigation; the
 * review notes on each function list the defects as written.
 */
#include <windows.h>
#include <stdio.h>

/*
 * Enables SeDebugPrivilege on the current process's token.
 *
 * Why: OpenProcess(PROCESS_DUP_HANDLE) on a system process is denied without
 * it. AdjustTokenPrivileges can only enable a privilege the token already
 * holds, so a standard (non-administrative) token cannot be raised this way;
 * running without administrative rights is the primary mitigation.
 *
 * Review notes - no return value is checked:
 *  - hToken is never initialized; if OpenProcessToken fails, CloseHandle is
 *    called on an indeterminate value.
 *  - AdjustTokenPrivileges returns TRUE even when the privilege was not
 *    assigned; GetLastError() must be compared with ERROR_NOT_ALL_ASSIGNED
 *    to know whether it actually took effect.
 */
void SetPrivilege()
{
    HANDLE hToken;
    LUID destLuid;
    TOKEN_PRIVILEGES TokenPrivileges;
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken); // get a handle to the process access token
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &destLuid); // the privilege being looked up is SE_DEBUG_NAME
    TokenPrivileges.PrivilegeCount = 1;
    TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    TokenPrivileges.Privileges[0].Luid = destLuid;
    AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, 0, NULL, NULL); // enable the privilege
    CloseHandle(hToken); // close the handle
}

/*
 * Opens pszFilePath for read with the share mode limited to FILE_SHARE_READ
 * (or no sharing at all when bFileCanBeRead is FALSE - in neither case is
 * FILE_SHARE_DELETE granted, which is what blocks deletion and renaming) and
 * duplicates that handle into process dwProcessId with DUPLICATE_SAME_ACCESS.
 * The local file handle and the process handle are closed before returning;
 * the copy inside the target process is never closed by this code, so the file
 * stays locked for as long as that process keeps the handle open.
 *
 * Parameters:
 *   pszFilePath    - path of the file to lock.
 *   dwProcessId    - id of the process that will receive the duplicate handle.
 *   bFileCanBeRead - TRUE lets other openers still read the file.
 * Returns TRUE when DuplicateHandle succeeded, FALSE when the file or the
 * target process could not be opened or the duplication failed.
 *
 * Defender notes: the lingering handle is observable by enumerating the
 * target process's handle table (e.g. Sysinternals handle.exe), and the file
 * becomes deletable again once that handle is closed or the target process
 * exits. The call requires PROCESS_DUP_HANDLE on the target, which for a
 * system process needs SeDebugPrivilege (see SetPrivilege).
 *
 * Review notes:
 *  - "OpenProcess error/n" uses '/n', which is not an escape and prints
 *    literally; "\n" was presumably intended.
 *  - The target-handle argument to DuplicateHandle is NULL, so the value of
 *    the new handle is discarded and cannot be tracked or closed later.
 */
BOOL ProtectFile(
    IN LPCTSTR pszFilePath,
    IN DWORD dwProcessId,
    IN BOOL bFileCanBeRead
)
{
    HANDLE hFile;
    HANDLE hProcess;

    // get the file handle (share mode excludes FILE_SHARE_DELETE/WRITE)
    hFile = CreateFile(pszFilePath, GENERIC_READ, (bFileCanBeRead ? FILE_SHARE_READ : 0), NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    // open the process handle with just the right to receive duplicates
    hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, dwProcessId);
    if (!hProcess)
    {
        printf("OpenProcess error/n"); // NOTE(review): '/n' is printed literally, not a newline
        CloseHandle(hFile);
        return FALSE;
    }

    // call duplicatehandle
    BOOL fOk = DuplicateHandle(
        GetCurrentProcess(), // source process handle
        hFile,               // source handle
        hProcess,            // target process handle
        NULL,                // target handle: NULL, so the new handle value is discarded
        0,
        FALSE,
        DUPLICATE_SAME_ACCESS
    );

    // only the local copies are closed; the duplicate in the target process stays open
    CloseHandle(hFile);
    CloseHandle(hProcess);

    return fOk;
}

/*
 * Entry point: enables SeDebugPrivilege, then locks C:\1.txt by placing a
 * non-shared read handle into process id 4 (the System process, per the
 * description above). ProtectFile's return value is ignored, so a failure
 * (e.g. when not running with administrative rights) is silent.
 *
 * Review notes: `void main()` is non-standard (`int main(void)` is the portable
 * form), and `false` is not a C keyword before C23 and would need <stdbool.h>
 * unless this is built as C++ - presumably the latter; confirm with the build.
 */
void main()
{
    SetPrivilege(); // raise the process's privileges
    ProtectFile("C:\\1.txt",4,false);
}