从Vista开始,微软引入了一个新的安全概念称作UIPI。UIPI是指低权限的进程不能对高权限的进程做以下的一些事情:
- Perform a window handle validation of higher process privilege.
- SendMessage or PostMessage to higher privilege application windows. These application programming interfaces (APIs) return success but silently drop the window message.
- Use thread hooks to attach to a higher privilege process.
- Use Journal hooks to monitor a higher privilege process.
- Perform dynamic link-library (DLL) injection to a higher privilege process.
无论怎样,UIPI保护了高权限进程的界面和用户对象(User Object)不受到低权限恶意进程的更改。
通常,一个进程权限的高低取决于它的Integrity Level (IL)。
-------------------------------------------
实战:
现在有两个进程,进程代码基本完全一致,其中一个以管理员模式运行,另一个则直接运行。
在这种条件下,以管理员模式运行的进程比后者的IL要高。
进程代码:
高权限进程
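/******** Query this process's integrity level (IL) ********/
// The IL is read from the token's mandatory label SID and printed so the two
// processes can be compared. Every early return reports the Win32 error code,
// matching the window-creation failures below.
HANDLE hToken = NULL;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) return GetLastError();
// The first call passes no buffer and only reports the required size; it is
// expected to fail with ERROR_INSUFFICIENT_BUFFER, so only the size is checked.
DWORD dwRetLen = 0;
GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS::TokenIntegrityLevel, NULL, 0, &dwRetLen);
if (dwRetLen == 0)
{
	DWORD dwErr = GetLastError();
	CloseHandle(hToken);
	return dwErr;
}
BYTE* pBuffer = new BYTE[dwRetLen];
if (!GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS::TokenIntegrityLevel, pBuffer, dwRetLen, &dwRetLen))
{
	DWORD dwErr = GetLastError();
	delete[] pBuffer;
	CloseHandle(hToken);
	return dwErr;
}
TOKEN_MANDATORY_LABEL* pIL = (TOKEN_MANDATORY_LABEL*)pBuffer;
// The mandatory label SID (S-1-16-<level>) carries the IL in its last sub-authority.
DWORD* pRID = GetSidSubAuthority(pIL->Label.Sid, *GetSidSubAuthorityCount(pIL->Label.Sid) - 1);
printf_s("Process IL:<%08x>\n", *pRID);
// Neither the token nor the label buffer is needed past this point; release both
// instead of leaking them for the lifetime of the process.
delete[] pBuffer;
CloseHandle(hToken);
/******** Create the window (the UI) ********/
WNDCLASS wc = {0};
wc.hbrBackground = (HBRUSH)GetStockObject(GRAY_BRUSH);
// Predefined cursors such as IDC_ARROW must be loaded with a NULL module handle;
// passing this executable's HINSTANCE makes the lookup fail and leaves no cursor.
wc.hCursor = ::LoadCursor(NULL, IDC_ARROW);
wc.hInstance = (HINSTANCE)::GetModuleHandle(NULL);
wc.lpszClassName = _T("CHighPrivilegeWindow");
wc.style = CS_HREDRAW | CS_VREDRAW;
wc.lpfnWndProc = HighPrevilegeWindowProc;
if (!RegisterClass(&wc)) return GetLastError();
HWND hMainWnd = CreateWindow(_T("CHighPrivilegeWindow"), _T("ProcessHighPrevilege"), WS_OVERLAPPEDWINDOW | WS_VISIBLE, 0, 0, 1000, 500, NULL, NULL, (HINSTANCE)GetModuleHandle(NULL), NULL);
if (!hMainWnd) return GetLastError();
::SetTimer(hMainWnd, 1, 1000, NULL); // Start a timer; every second it changes the low-privilege process's window title
// Standard message loop: GetMessage returns 0 on WM_QUIT and -1 on error, and
// both end the loop.
BOOL bRet;
MSG msg;
while ((bRet = GetMessage(&msg, NULL, 0, 0)) != 0)
{
	if (bRet == -1) break;
	TranslateMessage(&msg);
	DispatchMessage(&msg);
}
return 0;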
/******** Timer handler (high-privilege process) ********/
// WM_TIMER body: on the first tick, find the low-privilege process's main
// window and set its title, then stop the timer. hWnd and wParam come from
// the enclosing window procedure.
{
	UINT timerId = (UINT)wParam;
	if (timerId == 1)
	{
		// Locate the target by its window class and current title.
		HWND hTarget = ::FindWindow(_T("CLowPrivilegeWindow"), _T("ProcessLowPrevilege"));
		if (hTarget)
		{
			// Set the low-privilege window's title. UIPI restricts sends from
			// lower-IL processes, so this higher-IL sender is expected to get through.
			if (SendMessage(hTarget, WM_SETTEXT, (WPARAM)_tcslen(_T("Low_Set")), (LPARAM)_T("Low_Set")) == TRUE)
				printf_s("Text set to Low Window\n");
			KillTimer(hWnd, 1);
		}
	}
}
return 0;
低权限进程
低权限进程则定时搜索高权限进程窗口,并尝试更改高权限进程的窗口标题(按照前面列出的UIPI规则,这个SendMessage会返回成功,但消息会被静默丢弃)。
/******** Timer handler (low-privilege process) ********/
// WM_TIMER body: on the first tick, find the high-privilege process's main
// window and try to set its title, then stop the timer. hWnd and wParam come
// from the enclosing window procedure.
{
	UINT timerId = (UINT)wParam;
	if (timerId == 1)
	{
		// Locate the target by its window class and current title.
		HWND hTarget = ::FindWindow(_T("CHighPrivilegeWindow"), _T("ProcessHighPrevilege"));
		if (hTarget)
		{
			// Attempt to set the high-privilege window's title. Per the UIPI
			// rules above, SendMessage reports success even when the message is
			// silently dropped, so this return value cannot tell a blocked send
			// from a delivered one; only the target's actual title shows the result.
			if (SendMessage(hTarget, WM_SETTEXT, (WPARAM)_tcslen(_T("High_Set")), (LPARAM)_T("High_Set")) == TRUE)
				printf_s("Text set to High Window\n");
			KillTimer(hWnd, 1);
		}
	}
}
return 0;
![]()