OpenProcess on x64 images from Win32 app


Question

This is weird. Earlier, running Windows 7 x64, I had trouble calling the Win32 OpenProcess against 64-bit processes. Googled around a bit, and came to the sinking conclusion this just wasn't gonna happen.

Then a funny thing happened. I tried it against the process ID for explorer.exe, and holy carp, it worked! Started throwing other process IDs at it, and it's just a darned crapshoot.

As it turns out, I can call OpenProcess against a good number of x64 processes -- explorer, itype, ipoint, taskhost, cmd, mstsc, ..., etc.

And others pop a 5 (Access is denied) -- winlogon, csrss, services, svchost, mdm, ...

I'm confirming the "bitness" and process ID using Process Explorer. Plus, calling GetModuleFileNameEx on 64-bit processes always fails, so that offers a double-check for 32/64.

Here's the code:

' Get a handle to the process.
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, ProcessID)
If hProcess Then
   ' Grab the filename for base module.
   nChars = GetModuleFileNameEx(hProcess, 0, Buffer, Len(Buffer))
   ' If running in x64, http://winprogger.com/?p=26
   If Err.LastDllError = ERROR_PARTIAL_COPY Then
      nChars = GetProcessImageFileName(hProcess, Buffer, Len(Buffer))
   End If
   ' Truncate and return buffer.
   If nChars Then
      GetProcessFileName = Left$(Buffer, nChars)
   End If
   Call CloseHandle(hProcess)
Else
   Debug.Print "LastDllError:"; Err.LastDllError
End If

Nothing fancy. Just want to query the processes for things like filename or process times. Anyone have any idea what differentiates between the ones I can open and the ones I can't?

Extra info: Running process as administrator. UAC turned off. Yes, it's a 32-bit app. I have had no better results using PROCESS_QUERY_LIMITED_INFORMATION.

Thanks... Carl

Answer

The processes that you cited (winlogon, csrss, etc.) are critical system processes and services. They run under a different, privileged account. Even though you are running as administrator, you are not the owner of those processes and hence you are not granted any rights in their ACL. Attempting to open will result in access denied.

However, members of the administrators group do have SeDebugPrivilege. This is basically an override on OpenProcess and OpenThread that will allow you to open for all access, even if you are not granted any permission in the ACL.

SeDebugPrivilege is obviously a very dangerous privilege to have - you can bypass access checks and modify/inspect other users' processes. While it is present in an administrator's token by default, it is not enabled by default. You need to enable this privilege before calling OpenProcess.

This MSDN article gives sample code on how to enable and disable privileges in your token.
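The sequence the answer describes (enable SeDebugPrivilege in your own token, then call OpenProcess), as an added example that is not part of the original question or answer. It is a stand-alone PowerShell script for an elevated Windows session that P/Invokes the same Win32 APIs the question uses; the target PID and the `Native` wrapper class name are assumptions for the demonstration. It opens the target with the question's access mask (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ) once before and once after enabling the privilege, and reads the image path with QueryFullProcessImageName, which, unlike GetModuleFileNameEx, works from a 32-bit caller against a 64-bit target.

```powershell
# Added example, not from the original post: enable SeDebugPrivilege in the caller's
# token, then open a process with the question's access mask and read its image path.
# Windows only; run from an elevated PowerShell. $TargetPid is any local PID (assumption).
param([Parameter(Mandatory = $true)][int]$TargetPid)

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class Native {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    public const uint TOKEN_QUERY = 0x0008;
    public const uint SE_PRIVILEGE_ENABLED = 0x0002;
    public const uint PROCESS_QUERY_INFORMATION = 0x0400;
    public const uint PROCESS_VM_READ = 0x0010;
    public const int ERROR_ACCESS_DENIED = 5;
    public const int ERROR_NOT_ALL_ASSIGNED = 1300;

    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool QueryFullProcessImageName(IntPtr h, uint flags, StringBuilder name, ref uint size);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState,
                                                    uint length, IntPtr previous, IntPtr returnLength);
}
'@

function Get-LastWin32Error { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

function Enable-DebugPrivilege {
    # Turns on SeDebugPrivilege in the current process token. The privilege must already be
    # present in the token (it is, for an elevated administrator); AdjustTokenPrivileges
    # can only enable or disable privileges the token already holds, never add new ones.
    $token = [IntPtr]::Zero
    $access = [Native]::TOKEN_ADJUST_PRIVILEGES -bor [Native]::TOKEN_QUERY
    if (-not [Native]::OpenProcessToken([Native]::GetCurrentProcess(), $access, [ref]$token)) {
        throw "OpenProcessToken failed, error $(Get-LastWin32Error)"
    }
    try {
        $luid = New-Object -TypeName 'Native+LUID'
        if (-not [Native]::LookupPrivilegeValue($null, 'SeDebugPrivilege', [ref]$luid)) {
            throw "LookupPrivilegeValue failed, error $(Get-LastWin32Error)"
        }
        $tp = New-Object -TypeName 'Native+TOKEN_PRIVILEGES'
        $tp.PrivilegeCount = 1
        $tp.Luid = $luid
        $tp.Attributes = [Native]::SE_PRIVILEGE_ENABLED
        $ok = [Native]::AdjustTokenPrivileges($token, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
        $err = Get-LastWin32Error
        # AdjustTokenPrivileges returns TRUE even when the privilege is not in the token;
        # the real failure signal is ERROR_NOT_ALL_ASSIGNED in the last-error value.
        if (-not $ok -or $err -eq [Native]::ERROR_NOT_ALL_ASSIGNED) {
            throw "SeDebugPrivilege is not held by this token (error $err); run elevated"
        }
    } finally { [void][Native]::CloseHandle($token) }
}

function Get-ProcessImagePath([int]$ProcessId) {
    # Same access mask as the question's VB code. Returns $null on ERROR_ACCESS_DENIED (the
    # "5" the question reports) so the caller can compare before/after the privilege change.
    $access = [Native]::PROCESS_QUERY_INFORMATION -bor [Native]::PROCESS_VM_READ
    $h = [Native]::OpenProcess($access, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = Get-LastWin32Error
        if ($err -eq [Native]::ERROR_ACCESS_DENIED) { return $null }
        throw "OpenProcess($ProcessId) failed, error $err"
    }
    try {
        $buf = New-Object System.Text.StringBuilder 1024
        [uint32]$len = $buf.Capacity
        if (-not [Native]::QueryFullProcessImageName($h, 0, $buf, [ref]$len)) {
            throw "QueryFullProcessImageName failed, error $(Get-LastWin32Error)"
        }
        return $buf.ToString(0, $len)
    } finally { [void][Native]::CloseHandle($h) }
}

# Same PID, opened before and after enabling the privilege.
$before = Get-ProcessImagePath $TargetPid
Write-Host ("Without SeDebugPrivilege: " + $(if ($before) { $before } else { 'access denied' }))
Enable-DebugPrivilege
$after = Get-ProcessImagePath $TargetPid
Write-Host ("With SeDebugPrivilege:    " + $(if ($after) { $after } else { 'access denied' }))
```

Run it from an elevated prompt against one of the processes the question could not open, for example `.\Open-WithDebug.ps1 -TargetPid (Get-Process winlogon).Id`; the first line should report access denied and the second the image path. Two caveats worth knowing: the privilege only affects the ACL check on OpenProcess/OpenThread, so on Windows 8.1 and later a protected process (PPL) still refuses anything beyond the limited query rights regardless of SeDebugPrivilege, and because the privilege is so powerful it is better disabled again (AdjustTokenPrivileges with Attributes = 0) once the handles you need are open.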
