天天看点

Simulating File Locking

Ring 3 (user-mode) program code that simulates locking a file. The code comes from a piece of code posted by HWL on Kanxue (看雪); I only read through the code:

```c
#include <stdio.h>
#include <stdbool.h>   /* for the bool used in the RtlAdjustPrivilege typedef */
#include <Windows.h>

/* Collect the PIDs of all live processes by probing candidate IDs (multiples of 4,
   starting at 8) with OpenProcess(PROCESS_VM_READ); every ID that yields a handle
   is treated as a running process. */
void GetAllProcessA(int pids[], int *procount)
{
    int i = 0, c = 0;
    HANDLE hProcess = 0;
    for (i = 8; i < 19996; i += 4)
    {
        hProcess = OpenProcess(0x10, 0, i);      /* 0x10 == PROCESS_VM_READ */
        if (hProcess != 0)
        {
            pids[c] = i;
            CloseHandle(hProcess);
            c++;
        }
    }
    *procount = c;
}

int main()
{
#define SE_DEBUG_PRIVILEGE 0x14 /* DEBUG privilege */
    /* The original source lacked __stdcall, so it kept failing with the checkesp.c line 14 error */
    typedef long (__stdcall *RTLADJUSTPRIVILEGE)(int, bool, bool, int*);
    typedef long (__stdcall *NTDUPLICATEOBJECT)(HANDLE, HANDLE, HANDLE, PHANDLE, ACCESS_MASK, BOOLEAN, ULONG);

    int nEn = 0;
    int pids[4 * 260];
    int procsnum = 0;
    char pFile[260];

    /* Get the function addresses from ntdll */
    RTLADJUSTPRIVILEGE getdbg = (RTLADJUSTPRIVILEGE)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlAdjustPrivilege");
    NTDUPLICATEOBJECT NtDuplicateObject = (NTDUPLICATEOBJECT)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtDuplicateObject");
    if (!getdbg || !NtDuplicateObject)
    {
        printf("Failed to resolve ntdll exports\n");
        return 1;
    }

    /* Raise the process privileges */
    getdbg(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &nEn); /* SE_DEBUG_PRIVILEGE == 20 */
    //getdbg(20,1,0,&bRet);

    memset(pids, 0, sizeof(pids));
    memset(pFile, 0, sizeof(pFile));
    printf("Input the file name you want to protect: ");
    scanf("%259s", pFile);   /* bounded read: pFile holds 260 bytes */

    /* Open the file for reading with share mode 0, so that no other open of it
       can succeed while a handle to it is alive */
    //#define GENERIC_READ (0x80000000L)
    //HANDLE hsFile = CreateFileA(pFile, 0x80000000, 0, 0, 3, 0, 0);
    HANDLE hsFile = CreateFileA(pFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hsFile == INVALID_HANDLE_VALUE)
    {
        printf("CreateFileA failed: %lu\n", GetLastError());
        return 1;
    }
    //SetHandleInformation(hsFile,0,2);
    /* Mark the handle so that CloseHandle() on it fails */
    SetHandleInformation(hsFile, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE); /* #define HANDLE_FLAG_PROTECT_FROM_CLOSE 0x00000002 */

    /* Get the list of currently live process IDs and their count */
    GetAllProcessA(pids, &procsnum);

    /* Iterate over the live processes */
    for (int i = 0; i < procsnum; i++)
    {
        HANDLE htFile = 0;
        //HANDLE hProcess = OpenProcess(0x1F0FFF, 0, pids[i]);
        //#define STANDARD_RIGHTS_REQUIRED (0x000F0000L)
        //#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF)
        //#define SYNCHRONIZE (0x00100000L)
        /* Don't know why the original author used these magic numbers instead of PROCESS_ALL_ACCESS */
        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pids[i]);
        if (hProcess == NULL)
            continue;   /* protected or system processes may refuse the open; skip them */
        //NtDuplicateObject((HANDLE)-1, hsFile, hProcess, &htFile, 0, 0, 4);
        /* Duplicate our file handle into the target process; (HANDLE)-1 is the current process */
        NtDuplicateObject((HANDLE)-1, hsFile, hProcess, &htFile, 0, 0, 4); /* DUPLICATE_SAME_ATTRIBUTES == 4 */
        CloseHandle(hProcess);   /* our process handle; the duplicated file handle stays in the target */
    }

    getchar();
    printf("OK!\n");
    return 0;
}
```

Code analysis:

It walks the live processes and duplicates the file handle into each of them, and that is what actually locks the file: the handle was opened with share mode 0 and flagged HANDLE_FLAG_PROTECT_FROM_CLOSE, so no other open of the file succeeds for as long as any of those processes is still running.
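As an added example (not part of the original post or of HWL's code), a defender-side PowerShell check: it tries to open each file with FileShare.None, which fails with IOException whenever another process still holds a handle to it, which is the state the program above leaves behind; if the Sysinternals handle.exe is on the PATH, it also lists the PIDs holding the file. The function names are mine, and the parsing assumes handle.exe's usual "pid: NNNN" output column.

```powershell
# Added example: report which of the given files are currently held open by
# another process, and (when handle.exe is available) by whom.
param([Parameter(Mandatory)][string[]]$Paths)

# Opening with FileShare 'None' fails while any other handle to the file exists.
function Test-FileLocked {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath   # .NET needs an absolute path
    try {
        $fs = [System.IO.File]::Open($full, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::None)
        $fs.Dispose()
        return $false
    } catch [System.IO.IOException] {
        return $true       # "being used by another process"
    }
}

# Assumption: Sysinternals handle.exe is on the PATH and prints one line per
# holder containing "pid: <n>". Returns the distinct PIDs, or nothing if absent.
function Get-FileHandleHolders {
    param([Parameter(Mandatory)][string]$Path)
    $handleExe = Get-Command handle.exe -ErrorAction SilentlyContinue
    if (-not $handleExe) { return @() }
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    & $handleExe.Source -accepteula -nobanner $full 2>$null |
        ForEach-Object { if ($_ -match 'pid:\s*(\d+)') { [int]$Matches[1] } } |
        Sort-Object -Unique
}

foreach ($f in $Paths) {
    $locked = Test-FileLocked -Path $f
    if ($null -eq $locked) { "$f : not found"; continue }
    if ($locked) {
        $holders = @(Get-FileHandleHolders -Path $f)
        $detail = if ($holders.Count) { " (held by PIDs: $($holders -join ', '))" } else { "" }
        "$f : LOCKED$detail"
    } else {
        "$f : not locked"
    }
}
```

A file that shows as locked while being held by many unrelated PIDs, none of which has any business with it, is the footprint the program above leaves; the duplicated handles disappear only when those processes exit.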