在 Ring 3（用户态）下模拟锁定文件的程序代码,代码来自于看雪中的HWL发表的一份代码,我仅仅是看了下代码:
#include <stdio.h>
#include <string.h>
#include <Windows.h>
<code></code>
<code>void GetAllProcessA(int pids[],int *procount)</code>
<code>{</code>
<code>int i=0,c=0;</code>
<code>HANDLE hProcess=0;</code>
<code>for(i=8;i<19996;i+=4)</code>
<code>hProcess=OpenProcess(0x10,0,i);</code>
<code>if (hProcess!=0)</code>
<code>pids[c]=i;</code>
<code>CloseHandle(hProcess);</code>
<code>c++;</code>
<code>}</code>
<code>*procount=c;</code>
<code>int main()</code>
<code>#define SE_DEBUG_PRIVILEGE 0x14 //DEBUG 权限</code>
<code>//源码中没有__stdcall,所以一直报checkesp.c line 14的错误</code>
<code>typedef long (__stdcall *RTLADJUSTPRIVILEGE)(int, bool, bool, int*);</code>
<code>typedef long (__stdcall *NTDUPLICATEOBJECT)(HANDLE,HANDLE,HANDLE,PHANDLE,ACCESS_MASK,BOOLEAN,ULONG);</code>
<code>int nEn = 0;</code>
<code>int pids[4*260];</code>
<code>int procsnum=0;</code>
<code>char pFile[260];</code>
<code>//得到函数的地址</code>
<code>RTLADJUSTPRIVILEGE getdbg=(RTLADJUSTPRIVILEGE)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),"RtlAdjustPrivilege");</code>
<code>NTDUPLICATEOBJECT NtDuplicateObject=(NTDUPLICATEOBJECT)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),"NtDuplicateObject");</code>
<code>//提升进程权限</code>
<code>getdbg(SE_DEBUG_PRIVILEGE , TRUE, FALSE,&nEn);//SE_DEBUG_PRIVILEGE =20</code>
<code>//getdbg(20,1,0,&bRet);</code>
<code>memset(pids,0,4*260);</code>
<code>memset(pFile,0,260);</code>
<code>printf("Input the file name you want to protect: ");</code>
<code>scanf("%s",pFile);</code>
<code>//新建文件</code>
<code>//#define GENERIC_READ (0x80000000L)</code>
<code>//HANDLE hsFile = CreateFileA(pFile, 0x80000000, 0, 0, 3, 0, 0);</code>
<code>HANDLE hsFile = CreateFileA(pFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);</code>
<code>//SetHandleInformation(hsFile,0,2);</code>
<code>SetHandleInformation(hsFile, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE); //#define HANDLE_FLAG_PROTECT_FROM_CLOSE 0x00000002</code>
<code>//得到当前存活的进程id列表和进程数目,</code>
<code>GetAllProcessA(pids,&procsnum);</code>
<code>//遍历当前存活的进程</code>
<code>for(int i=0;i<procsnum;i++)</code>
<code>HANDLE htFile=0;</code>
<code>//HANDLE hProcess = OpenProcess(0x1F0FFF, 0, pids[i]);</code>
<code>//#define STANDARD_RIGHTS_REQUIRED (0x000F0000L)</code>
<code>//#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \</code>
<code>0xFFFF)</code>
<code>//#define SYNCHRONIZE (0x00100000L)</code>
<code>//不知道原作者为什么要用这些魔幻数,而不用PROCESS_ALL_ACCESS</code>
<code>HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pids[i]);</code>
<code>//NtDuplicateObject((HANDLE)-1, hsFile, hProcess, &htFile, 0, 0, 4);</code>
<code>NtDuplicateObject((HANDLE)-1, hsFile, hProcess, &htFile, 0, 0, 4); //DUPLICATE_SAME_ATTRIBUTES = 4</code>
<code>getchar();</code>
<code>printf("OK!\n");</code>
<code>return 0;</code>
代码分析:
遍历当前进程,将文件句柄拷贝到每一个进程中,从而实际锁定文件:源句柄以共享模式 0 打开并带有 HANDLE_FLAG_PROTECT_FROM_CLOSE 属性,只要任一持有副本的进程存活,其他进程就无法再打开、删除或重命名该文件,本程序退出也不解除。注意:这一步依赖 SeDebugPrivilege(需要管理员权限);拒绝 PROCESS_DUP_HANDLE 的进程(如受保护进程)不会被注入;防守方可以通过枚举各进程的句柄表(Process Explorer / handle.exe)找到这些句柄副本。