以独占方式打开一个文件,然后将文件的句柄复制到另一个进程,比如复制到System进程,然后自己的进程就可以退出。
在Ring3下只要句柄没有关闭,别人就删除不了文件。
#include <windows.h>
#include <stdio.h>
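/*
 * Enable SeDebugPrivilege on the current process's access token.
 *
 * The privilege is required for the OpenProcess(PROCESS_DUP_HANDLE) call in
 * ProtectFile to succeed on a protected process such as PID 4 (System).
 * Every API call is checked: on failure a diagnostic with GetLastError() is
 * printed and the function returns without changing the token.
 * AdjustTokenPrivileges returns TRUE even when the privilege could not be
 * enabled, so ERROR_NOT_ALL_ASSIGNED is checked explicitly afterwards.
 */
void SetPrivilege(void)
{
    HANDLE hToken = NULL;
    LUID destLuid;
    TOKEN_PRIVILEGES TokenPrivileges;

    /* Token handle with adjust rights only (least access needed here). */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        printf("OpenProcessToken error %lu\n", GetLastError());
        return;
    }
    /* Resolve the locally unique identifier for SeDebugPrivilege. */
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &destLuid))
    {
        printf("LookupPrivilegeValue error %lu\n", GetLastError());
        CloseHandle(hToken);
        return;
    }
    TokenPrivileges.PrivilegeCount = 1;
    TokenPrivileges.Privileges[0].Luid = destLuid;
    TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    /* Enable the privilege; the previous state is not requested back. */
    if (!AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, 0, NULL, NULL))
    {
        printf("AdjustTokenPrivileges error %lu\n", GetLastError());
    }
    else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        /* The token does not hold the privilege at all (typically the
         * caller is not running elevated), so nothing was enabled. */
        printf("SeDebugPrivilege is not held by this token\n");
    }
    CloseHandle(hToken);
}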
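/*
 * Open pszFilePath read-only with a restricted sharing mode and duplicate
 * that handle into process dwProcessId, where it is deliberately left open.
 *
 * pszFilePath     path of the file to hold open
 * dwProcessId     PID of the process that receives the duplicated handle
 *                 (main passes 4, the System process); opening it with
 *                 PROCESS_DUP_HANDLE needs sufficient privilege, see
 *                 SetPrivilege
 * bFileCanBeRead  TRUE lets other openers read the file (FILE_SHARE_READ),
 *                 FALSE shares nothing
 *
 * Returns TRUE when the duplicate was created, FALSE otherwise; the failing
 * API is reported on stdout together with GetLastError().
 *
 * Ownership: the local hFile and hProcess are always closed before
 * returning. The duplicate belongs to the target process and is not
 * tracked (the target-handle output parameter is NULL), so it stays open
 * until that process exits or closes it. Because FILE_SHARE_DELETE is never
 * requested, the file cannot be deleted while the duplicate exists; with
 * bFileCanBeRead == FALSE it cannot be opened at all. The duplicate is an
 * ordinary entry in the target process's handle table and is visible to
 * handle enumeration there.
 */
BOOL ProtectFile(
    IN LPCTSTR pszFilePath,
    IN DWORD dwProcessId,
    IN BOOL bFileCanBeRead
    )
{
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HANDLE hProcess = NULL;
    BOOL fOk = FALSE;

    /* Read-only handle; the share mode decides what other openers may do. */
    hFile = CreateFile(
        pszFilePath,
        GENERIC_READ,
        (bFileCanBeRead ? FILE_SHARE_READ : 0),
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
        );
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("CreateFile error %lu\n", GetLastError());
        return FALSE;
    }
    /* Only PROCESS_DUP_HANDLE is requested: the least access the call below needs. */
    hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, dwProcessId);
    if (!hProcess)
    {
        printf("OpenProcess error %lu\n", GetLastError());
        CloseHandle(hFile);
        return FALSE;
    }
    /* Copy hFile into the target process. A NULL target-handle pointer
     * means the new handle's value is never returned, so this process has
     * no way to close it later. DUPLICATE_SAME_ACCESS keeps GENERIC_READ. */
    fOk = DuplicateHandle(
        GetCurrentProcess(),   /* source process handle */
        hFile,                 /* source handle */
        hProcess,              /* target process handle */
        NULL,                  /* target handle: intentionally discarded */
        0,                     /* desired access: ignored with DUPLICATE_SAME_ACCESS */
        FALSE,                 /* not inheritable */
        DUPLICATE_SAME_ACCESS
        );
    if (!fOk)
    {
        /* Read the error before the CloseHandle calls can overwrite it. */
        printf("DuplicateHandle error %lu\n", GetLastError());
    }
    CloseHandle(hFile);
    CloseHandle(hProcess);
    return fOk;
}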
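/*
 * Entry point: enable SeDebugPrivilege, then hand a handle to C:\1.txt to
 * PID 4 (System) so the file stays open after this process exits.
 * Returns 0 when the duplicate was created, 1 otherwise.
 */
int main(void)
{
    SetPrivilege();
    /* The path is written with forward slashes to avoid escaping; Win32
     * path normalization is expected to collapse the doubled separator
     * ("C://1.txt") — confirm if CreateFile fails. FALSE: share nothing. */
    if (!ProtectFile("C://1.txt", 4, FALSE))
    {
        return 1;
    }
    return 0;
}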