How to restrict/grant read/write access to child process's memory?


Problem description

Is it possible to programmatically adjust a process's privilege so that if it creates a child process at any point later on, it will always (never) have write access to that process's memory?

I have created a dll which is loaded by two different processes. At some point in my code I create a process. I have observed that depending upon which process loads my dll, I either have PAGE_EXECUTE_WRITECOPY or 0 access to the child process's memory. My guess is that the loading process must have put some restrictions which result in this behaviour because I am not doing anything different for either process. I looked at the process's security information in Process Explorer but could not spot any difference between the two. The hToken value is given to me by the caller who calls my API. Is this the one causing this? How can I test to confirm if so?

CreateProcessAsUserW(hToken, exe, cmd_line, NULL, NULL,
    false,
    CREATE_SUSPENDED | CREATE_UNICODE_ENVIRONMENT | DETACHED_PROCESS | EXTENDED_STARTUPINFO_PRESENT | CREATE_BREAKAWAY_FROM_JOB,
    NULL, NULL,
    &si, &pi);

MEMORY_BASIC_INFORMATION buffer;
// 'address' is some valid address
// pi.hProcess is the child's process handle filled in by CreateProcessAsUserW
SIZE_T num = VirtualQueryEx(pi.hProcess, address, &buffer, sizeof(MEMORY_BASIC_INFORMATION));
if (num > 0)
{
    DWORD access = buffer.AllocationProtect;  // 0x0 or 0x80 depending on which process loads dll
    DWORD state = buffer.State;
    DWORD type = buffer.Type;
}

Recommended answer

The Memory Protection Constant for each page of memory has nothing to do with handles, inherited or not.

Calling VirtualQuery requires certain process access rights; if you don't have them, then VirtualQueryEx will fail.

0 is not a valid value for AllocationProtect, therefore I believe the source of your problem is the VirtualQuery failing either because the address is wrong or because you do not have the required process access right.
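
An added example, not part of the original question or answer: it performs the checks the answer points to, looking at the VirtualQueryEx return value and GetLastError before interpreting AllocationProtect. The names explain_query and diagnose are hypothetical; off Windows the constants are defined by hand so the decision logic still compiles, and hProcess is assumed to be the child's process handle.

```c
/* Added example, not the poster's code: explain_query and diagnose are
   hypothetical helper names. */
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else  /* values copied from winnt.h / winerror.h so the logic builds anywhere */
#define MEM_FREE                0x10000UL
#define PAGE_EXECUTE_WRITECOPY  0x80UL
#define ERROR_ACCESS_DENIED     5UL
#define ERROR_INVALID_PARAMETER 87UL
#endif

/* ret: VirtualQueryEx return value; err: GetLastError() read right after it. */
const char *explain_query(size_t ret, unsigned long err,
                          unsigned long state, unsigned long alloc_protect)
{
    if (ret == 0) {                 /* call failed: the buffer was not filled in */
        if (err == ERROR_ACCESS_DENIED)
            return "failed: handle lacks PROCESS_QUERY_INFORMATION";
        if (err == ERROR_INVALID_PARAMETER)
            return "failed: address is outside the queryable range";
        return "failed: other error, inspect GetLastError";
    }
    if (state == MEM_FREE)          /* protection members are undefined here */
        return "ok: region is free, nothing is allocated at this address";
    if (alloc_protect == 0)
        return "ok: protection not reported to this caller";
    if (alloc_protect == PAGE_EXECUTE_WRITECOPY)
        return "ok: PAGE_EXECUTE_WRITECOPY (0x80)";
    return "ok: some other memory protection constant";
}

#ifdef _WIN32
/* hProcess is assumed to be pi.hProcess from the CreateProcessAsUserW call. */
const char *diagnose(HANDLE hProcess, LPCVOID address)
{
    MEMORY_BASIC_INFORMATION mbi;
    SIZE_T ret;
    DWORD err;
    memset(&mbi, 0, sizeof mbi);
    SetLastError(0);
    ret = VirtualQueryEx(hProcess, address, &mbi, sizeof mbi);
    err = GetLastError();
    return explain_query(ret, err, mbi.State, mbi.AllocationProtect);
}
#endif
```

Running diagnose in both host processes with the same address shows whether the 0 comes from a failed call or from a successful query of a region with no reported protection.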
