Prevent user process from being killed with "End Process" from Process Explorer
Question
I noticed that GoogleToolbarNotifier.exe cannot be killed from Process Explorer. It returns "Access Denied". It runs as the user, it runs at "Normal" priority, and it runs from Program Files.
How do they do this?
I think there might be a way to modify the ACL, or mark the process as 'critical', but I cannot seem to locate anything.
Update:
I found the answer with a good bit of digging. @Alex K. was correct in that PROCESS_TERMINATE permission was removed for the process, but I wanted to supply the answer in code:
#include <windows.h>
#include <aclapi.h>
#include <tchar.h>
#pragma comment(lib, "advapi32.lib")

// Add a deny ACE for the current user (PROCESS_TERMINATE is part of
// PROCESS_ALL_ACCESS) to the DACL of our own process object.
static bool ProtectProcess()
{
    HANDLE hProcess = GetCurrentProcess();   // pseudo-handle, always has full access
    EXPLICIT_ACCESS denyAccess = {0};
    DWORD dwAccessPermissions = GENERIC_WRITE|PROCESS_ALL_ACCESS|WRITE_DAC|DELETE|WRITE_OWNER|READ_CONTROL;
    BuildExplicitAccessWithName( &denyAccess, _T("CURRENT_USER"), dwAccessPermissions, DENY_ACCESS, NO_INHERITANCE );

    PACL pTempDacl = NULL;
    DWORD dwErr = SetEntriesInAcl( 1, &denyAccess, NULL, &pTempDacl );
    if ( dwErr != ERROR_SUCCESS )
        return false;   // must not fall through: a NULL DACL would grant everyone full access

    dwErr = SetSecurityInfo( hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pTempDacl, NULL );
    LocalFree( pTempDacl );
    CloseHandle( hProcess );   // no-op for the pseudo-handle, kept for symmetry
    return dwErr == ERROR_SUCCESS;
}
Answer
Presumably they call SetKernelObjectSecurity (http://msdn.microsoft.com/en-us/library/aa379578%28v=vs.85%29.aspx) to change/remove the ACLs when their process loads.
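From the defender's side, the same DACL can be read back to find processes that have applied this trick. The following PowerShell script is an added example, not part of the question or the answer: it opens each process with READ_CONTROL, fetches the DACL with GetKernelObjectSecurity, parses it with .NET's RawSecurityDescriptor, and reports every access-denied ACE whose mask covers PROCESS_TERMINATE. The Win32 declarations and constants are the documented ones; the ProcAudit namespace, the function name and the output layout are my own choices.

```powershell
# Added example: audit running processes for a DACL that denies PROCESS_TERMINATE.
# P/Invoke shims for the three Win32 calls needed (documented signatures).
Add-Type -Namespace ProcAudit -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetKernelObjectSecurity(IntPtr Handle, uint RequestedInformation,
    byte[] pSecurityDescriptor, uint nLength, out uint lpnLengthNeeded);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$READ_CONTROL              = 0x00020000   # right needed to read a DACL
$PROCESS_TERMINATE         = 0x00000001   # the right "End Process" needs
$DACL_SECURITY_INFORMATION = 0x00000004

function Get-ProcessTerminateDenials {
    # Returns the trustees whose ACE denies PROCESS_TERMINATE on the process, or the
    # string 'unreadable' when the DACL cannot be read at all. The code in the question
    # also denies READ_CONTROL to its own user, so from that account it shows up as
    # 'unreadable' rather than as an explicit deny; both outcomes are worth a look.
    param([Parameter(Mandatory)][int]$ProcessId)

    $h = [ProcAudit.Native]::OpenProcess($READ_CONTROL, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) { return 'unreadable' }
    try {
        # First call sizes the buffer, second call fills it.
        $needed = [uint32]0
        [void][ProcAudit.Native]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $null, 0, [ref]$needed)
        if ($needed -eq 0) { return 'unreadable' }
        $buf = New-Object byte[] $needed
        if (-not [ProcAudit.Native]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $buf, $needed, [ref]$needed)) {
            return 'unreadable'
        }

        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($buf, 0)
        $denied = @()
        foreach ($ace in $sd.DiscretionaryAcl) {   # a NULL DACL simply yields no ACEs
            if ($ace -is [System.Security.AccessControl.CommonAce] -and
                $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied -and
                (($ace.AccessMask -band $PROCESS_TERMINATE) -ne 0)) {
                $sid = $ace.SecurityIdentifier
                try   { $denied += $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $denied += $sid.Value }   # SID without a resolvable name
            }
        }
        return ,$denied
    }
    finally { [void][ProcAudit.Native]::CloseHandle($h) }
}

# Walk all processes and print only the ones with a finding.
Get-Process | ForEach-Object {
    $result = Get-ProcessTerminateDenials -ProcessId $_.Id
    if ($result -is [string]) {
        [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName; Finding = 'DACL not readable by this account' }
    } elseif ($result.Count -gt 0) {
        [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName; Finding = "PROCESS_TERMINATE denied to: $($result -join ', ')" }
    }
} | Format-Table -AutoSize
```

Run it from an elevated prompt for the widest coverage; from a standard user account, system and protected processes will also appear as "DACL not readable", so treat that line as a prompt to look closer rather than as proof of the trick. The DACL change is also not a security boundary: OpenProcess grants the requested access regardless of the DACL when the caller holds SeDebugPrivilege, which is why an elevated Process Explorer or Task Manager can still end such a process.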