
프로세스 실행 권한을 알아봅시다.

Windows OS에서 실행되는 Process의 Integrity Level을 체크해 봅시다.

Integrity Level이란?
https://msdn.microsoft.com/en-us/library/bb625957.aspx

 

구현

* Windows SDK 8.1 설치 및 사용 여부에 따라 코드가 달라집니다.

#include "stdafx.h"
#include <windows.h>
#include <Tlhelp32.h>
#include <process.h>
#include <stdio.h>
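// Set WIN81SDK to 1 when building against a Windows SDK whose headers already
// declare TOKEN_MANDATORY_LABEL, the SECURITY_MANDATORY_*_RID values and the
// TokenIntegrityLevel / TokenIsAppContainer enumerators; leave it 0 to use the
// fallback definitions below.
#define WIN81SDK 0
// NOTE: the original used `#ifndef WIN81SDK`, which is always false once the
// macro is defined (even as 0), so the fallback block was never compiled.
#if !WIN81SDK
    typedef struct _TOKEN_MANDATORY_LABEL
    {
        SID_AND_ATTRIBUTES Label;
    } TOKEN_MANDATORY_LABEL, *PTOKEN_MANDATORY_LABEL;

    // Integrity-level RIDs: the last sub-authority of a token's mandatory
    // label SID. They are ordered, so callers compare them as ranges.
    #define SECURITY_MANDATORY_UNTRUSTED_RID          0x00000000
    #define SECURITY_MANDATORY_LOW_RID                0x00001000
    #define SECURITY_MANDATORY_MEDIUM_RID             0x00002000
    // Parenthesised so the macro stays correct inside larger expressions.
    #define SECURITY_MANDATORY_MEDIUM_PLUS_RID        (SECURITY_MANDATORY_MEDIUM_RID + 0x100)
    #define SECURITY_MANDATORY_HIGH_RID               0x00003000
    #define SECURITY_MANDATORY_SYSTEM_RID             0x00004000
    #define SECURITY_MANDATORY_PROTECTED_PROCESS_RID  0x00005000
    // TOKEN_INFORMATION_CLASS enumerators missing from older SDK headers.
    #define TokenIsAppContainer  (TOKEN_INFORMATION_CLASS)29
    #define TokenIntegrityLevel  (TOKEN_INFORMATION_CLASS)25
#endif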
 
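// Enables the named privilege (e.g. SE_DEBUG_NAME) on the current process
// token.
//
// lpszPrivilege: privilege name constant accepted by LookupPrivilegeValue.
// Returns TRUE when the privilege is now enabled, FALSE otherwise; on failure
// GetLastError() still reports the failing Win32 call. The token handle is
// closed on every path (the original leaked it on the early-return paths).
//
// Note: this only *enables* a privilege the account already holds; it never
// grants one. Enabling SeDebugPrivilege is what lets the enumeration below
// open tokens of processes owned by other users.
BOOL SetPrivilege(LPCTSTR lpszPrivilege)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return FALSE;
    }

    BOOL bResult = FALSE;
    LUID luid;
    if (LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
    {
        TOKEN_PRIVILEGES TokenPrivileges;
        TokenPrivileges.PrivilegeCount = 1;
        TokenPrivileges.Privileges[0].Luid = luid;
        TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        // AdjustTokenPrivileges returns a BOOL, not an error code. The
        // "succeeded but the privilege was not assigned" case is reported
        // only through GetLastError() == ERROR_NOT_ALL_ASSIGNED, so both must
        // be checked. (The original compared the BOOL result against
        // ERROR_NOT_ALL_ASSIGNED, which can never match, so a missing
        // privilege was silently reported as success.)
        if (AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)
            && GetLastError() != ERROR_NOT_ALL_ASSIGNED)
        {
            bResult = TRUE;
        }
    }

    // Keep the failure reason visible to the caller across CloseHandle.
    const DWORD dwLastError = GetLastError();
    CloseHandle(hToken);
    SetLastError(dwLastError);
    return bResult;
}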
 
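// Reads the integrity-level RID of the token's mandatory label into *pdwLevel.
// Returns FALSE if the label could not be queried; *pdwLevel is then untouched.
static BOOL GetTokenIntegrityLevel(HANDLE hToken, DWORD* pdwLevel)
{
    DWORD dwLengthNeeded = 0;
    // The first call only sizes the buffer; any outcome other than
    // ERROR_INSUFFICIENT_BUFFER is a real failure.
    if (GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwLengthNeeded)
        || GetLastError() != ERROR_INSUFFICIENT_BUFFER)
    {
        return FALSE;
    }

    PTOKEN_MANDATORY_LABEL pTIL = (PTOKEN_MANDATORY_LABEL)LocalAlloc(LMEM_FIXED, dwLengthNeeded);
    if (pTIL == NULL)
    {
        return FALSE;
    }

    BOOL bResult = FALSE;
    if (GetTokenInformation(hToken, TokenIntegrityLevel, pTIL, dwLengthNeeded, &dwLengthNeeded))
    {
        // The integrity level is the last sub-authority of the label SID.
        // Guard the count so a malformed SID cannot index sub-authority -1.
        const DWORD dwSubAuthorityCount = *GetSidSubAuthorityCount(pTIL->Label.Sid);
        if (dwSubAuthorityCount > 0)
        {
            *pdwLevel = *GetSidSubAuthority(pTIL->Label.Sid, dwSubAuthorityCount - 1);
            bResult = TRUE;
        }
    }
    LocalFree(pTIL);
    return bResult;
}

// Returns TRUE if the token is an AppContainer token (a sandboxed, low-integrity
// process). Returns FALSE when the query is unsupported (pre-Windows 8).
static BOOL IsAppContainerToken(HANDLE hToken)
{
    DWORD dwAppContainer = 0;
    DWORD dwReturned = 0;
    return GetTokenInformation(hToken, TokenIsAppContainer, &dwAppContainer,
                               sizeof(dwAppContainer), &dwReturned)
        && dwAppContainer != 0;
}

// Prints one line "[PID][name][level]  <classification>" describing the
// integrity level of hProcess' primary token.
//
// szProccessName: executable name used only for display.
// hProcess: handle opened with at least PROCESS_QUERY_INFORMATION (what
//           OpenProcessToken needs for TOKEN_QUERY).
// dwProcessId: PID used only for display.
// Processes whose token cannot be opened or queried are skipped silently.
//
// Compared with the original: level 0 (untrusted) is a legitimate level used by
// heavily sandboxed processes and is labelled as such instead of "Error";
// levels strictly between LOW and MEDIUM are treated as low rather than falling
// into a garbled catch-all branch; the level is printed for every class; and a
// protected-process label (>= SECURITY_MANDATORY_PROTECTED_PROCESS_RID) is
// distinguished from system.
void ShowProcessIntegrityLevel(TCHAR* szProccessName, HANDLE hProcess, DWORD dwProcessId)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hToken))
    {
        return;
    }

    DWORD dwIntegrityLevel = 0;
    if (GetTokenIntegrityLevel(hToken, &dwIntegrityLevel))
    {
        const wchar_t* pszClass = NULL;
        // Integrity levels are ordered RIDs; classify by half-open ranges so
        // every value gets a label (MEDIUM_PLUS lands in the medium range).
        if (dwIntegrityLevel < SECURITY_MANDATORY_LOW_RID)
        {
            pszClass = L"Untrusted Process";
        }
        else if (dwIntegrityLevel < SECURITY_MANDATORY_MEDIUM_RID)
        {
            // AppContainer tokens are also low-integrity; tell them apart.
            // Where the AppContainer query is unsupported the process is
            // reported as a plain low process instead of being skipped.
            pszClass = IsAppContainerToken(hToken) ? L"This Process AppContanier" : L"Low Process";
        }
        else if (dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
        {
            pszClass = L"Medium Process";
        }
        else if (dwIntegrityLevel < SECURITY_MANDATORY_SYSTEM_RID)
        {
            pszClass = L"High Integrity Process";
        }
        else if (dwIntegrityLevel < SECURITY_MANDATORY_PROTECTED_PROCESS_RID)
        {
            pszClass = L"System Integrity Process";
        }
        else
        {
            pszClass = L"Protected Process";
        }
        // DWORD is unsigned long on Windows, hence %lu / %lx.
        wprintf(L"[%lu][%s][%lx]  %s\r\n", dwProcessId, szProccessName, dwIntegrityLevel, pszClass);
    }
    CloseHandle(hToken);
}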
 

사용법

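// Walks a Toolhelp process snapshot and prints the integrity level of every
// process it can open. Returns 0 on success and 1 if the snapshot could not be
// taken or walked (the original returned FALSE, i.e. 0, which a shell reads
// as success).
int _tmain(int argc, _TCHAR* argv[])
{
    // SeDebugPrivilege is needed to open processes of other users and of
    // services. Without it (e.g. a non-elevated run) only processes the caller
    // can already open are listed, so a failure is reported but not fatal.
    if (!SetPrivilege(SE_DEBUG_NAME))
    {
        wprintf(L"SetPrivilege(SE_DEBUG_NAME) failed (%lu); only accessible processes will be listed\r\n",
                GetLastError());
    }

    HANDLE hModuleShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hModuleShot == NULL || hModuleShot == INVALID_HANDLE_VALUE)
    {
        return 1;
    }

    PROCESSENTRY32W pe;
    SecureZeroMemory(&pe, sizeof(pe));
    pe.dwSize = sizeof(pe);   // Process32First rejects the entry otherwise

    if (!Process32First(hModuleShot, &pe))
    {
        CloseHandle(hModuleShot);
        return 1;
    }

    do
    {
        // Least privilege: OpenProcessToken(TOKEN_QUERY) only needs
        // PROCESS_QUERY_INFORMATION. PROCESS_ALL_ACCESS is refused for far
        // more processes than the query right is, so it also shrank the list.
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pe.th32ProcessID);
        if (hProcess != NULL && hProcess != INVALID_HANDLE_VALUE)
        {
            ShowProcessIntegrityLevel(pe.szExeFile, hProcess, pe.th32ProcessID);
            CloseHandle(hProcess);
        }
        // else: access denied (e.g. a protected process) - skipped, as before.
    } while (Process32Next(hModuleShot, &pe));

    CloseHandle(hModuleShot);

    // Wait for Enter instead of system("pause"): that spawned a cmd.exe shell
    // from a process that may now hold SeDebugPrivilege, which is unnecessary.
    wprintf(L"Press Enter to exit.\r\n");
    getchar();
    return 0;
}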

 

 

동작 확인

[PID][PROCESSNAME][LEVEL]

 
