IE保护程序


  编了个小程序,该程序可以降低你在浏览网页时被流氓软件、恶意脚本等攻击成功的可能性:它使用受限令牌(restricted token)来启动 IE 浏览器。Windows 的 CreateRestrictedToken 提供下面三种限制手段,本文代码只用到了第 1 种和第 3 种(没有传入受限 SID):

1 通过将某些组 SID 指定为仅拒绝安全标识符(deny-only security identifier,deny-only SID):这类 SID 只能匹配拒绝访问的 ACE,不再能授予任何访问权限,从而限制对需要保护的资源的访问。
2 通过指定受限 SID(restricting SID)实现额外的访问检查:访问必须同时被令牌的普通 SID 列表和受限 SID 列表允许。
3 通过从令牌中删除特权(privilege)。

声明:大部分代码来源于网络,我只是进行少部分的修改。

#include <windows.h>
#include <crtdbg.h>
#include <malloc.h>
#include <stdio.h>
#include <string.h>
#include <vector>
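// Collects every privilege held by hToken except SeChangeNotifyPrivilege
// into a TOKEN_PRIVILEGES structure backed by `storage`.
// Returns a pointer into `storage`, or NULL on failure (error already
// printed to stderr). This is the same set the DISABLE_MAX_PRIVILEGE flag
// of CreateRestrictedToken removes; it is kept explicit here so the
// removed set is visible in code.
static TOKEN_PRIVILEGES* CollectPrivilegesToRemove(HANDLE hToken, std::vector<BYTE>& storage)
{
    LUID changeNotify = { 0 };
    if (!::LookupPrivilegeValue(NULL, SE_CHANGE_NOTIFY_NAME, &changeNotify))
    {
        fprintf(stderr, "LookupPrivilegeValue failed: %lu\n", ::GetLastError());
        return NULL;
    }

    // First call only sizes the buffer; it is expected to fail with
    // ERROR_INSUFFICIENT_BUFFER. The original never checked this call.
    DWORD cbNeeded = 0;
    if (!::GetTokenInformation(hToken, TokenPrivileges, NULL, 0, &cbNeeded) &&
        ::GetLastError() != ERROR_INSUFFICIENT_BUFFER)
    {
        fprintf(stderr, "GetTokenInformation (size) failed: %lu\n", ::GetLastError());
        return NULL;
    }
    if (cbNeeded == 0)
    {
        fprintf(stderr, "GetTokenInformation returned an empty privilege set\n");
        return NULL;
    }

    std::vector<BYTE> current(cbNeeded);
    if (!::GetTokenInformation(hToken, TokenPrivileges, current.data(), cbNeeded, &cbNeeded))
    {
        fprintf(stderr, "GetTokenInformation failed: %lu\n", ::GetLastError());
        return NULL;
    }
    const TOKEN_PRIVILEGES* held = reinterpret_cast<const TOKEN_PRIVILEGES*>(current.data());

    // The removal list is a subset of what we hold, so the same size
    // suffices; never go below one full TOKEN_PRIVILEGES so the header
    // and the ANYSIZE_ARRAY element are always addressable.
    storage.assign(cbNeeded < sizeof(TOKEN_PRIVILEGES) ? sizeof(TOKEN_PRIVILEGES) : cbNeeded, 0);
    TOKEN_PRIVILEGES* toRemove = reinterpret_cast<TOKEN_PRIVILEGES*>(storage.data());

    DWORD removed = 0;
    for (DWORD i = 0; i < held->PrivilegeCount; ++i)
    {
        const LUID_AND_ATTRIBUTES& priv = held->Privileges[i];
        // Keep SeChangeNotifyPrivilege (traverse checking); everything
        // else goes on the removal list.
        if (priv.Luid.LowPart == changeNotify.LowPart &&
            priv.Luid.HighPart == changeNotify.HighPart)
        {
            continue;
        }
        toRemove->Privileges[removed++] = priv;
    }
    toRemove->PrivilegeCount = removed;
    return toRemove;
}

// Builds the restricted token used to launch IE:
//   * BUILTIN\Administrators (S-1-5-32-544) becomes a deny-only SID;
//   * every privilege except SeChangeNotifyPrivilege is removed;
//   * no restricting SIDs are applied (RestrictedSidCount = 0).
// hToken must have TOKEN_QUERY | TOKEN_DUPLICATE. Returns NULL on failure
// (error already printed); the caller owns the returned handle.
//
// NOTE(review): the user's own SID keeps its normal access and nothing
// here lowers the token's integrity level, so this is a hardening step,
// not a full sandbox — confirm it is sufficient for the target OS.
static HANDLE CreateIERestrictedToken(HANDLE hToken)
{
    SID_IDENTIFIER_AUTHORITY ntAuthority = SECURITY_NT_AUTHORITY; // S-1-5
    SID_AND_ATTRIBUTES denyAdmins = { NULL, 0 };
    if (!::AllocateAndInitializeSid(&ntAuthority, 2,
                                    SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
                                    0, 0, 0, 0, 0, 0, &denyAdmins.Sid))
    {
        fprintf(stderr, "AllocateAndInitializeSid failed: %lu\n", ::GetLastError());
        return NULL;
    }

    HANDLE hRestricted = NULL;
    std::vector<BYTE> storage;
    TOKEN_PRIVILEGES* toRemove = CollectPrivilegesToRemove(hToken, storage);
    if (toRemove != NULL)
    {
        // The Attributes field of SidsToDisable is ignored by
        // CreateRestrictedToken: the SID is marked deny-only regardless.
        if (!::CreateRestrictedToken(hToken, 0,
                                     1, &denyAdmins,
                                     toRemove->PrivilegeCount, toRemove->Privileges,
                                     0, NULL,
                                     &hRestricted))
        {
            fprintf(stderr, "CreateRestrictedToken failed: %lu\n", ::GetLastError());
            hRestricted = NULL;
        }
    }

    ::FreeSid(denyAdmins.Sid);
    return hRestricted;
}

// Starts IE as a new process running under hRestrictedToken.
// Returns TRUE if the process was created. The process and thread
// handles are closed immediately since we never wait on the child (the
// original leaked both).
static BOOL LaunchIE(HANDLE hRestrictedToken)
{
    STARTUPINFO startupInfo = { sizeof(STARTUPINFO) };
    PROCESS_INFORMATION processInfo = { 0 };

    // Path kept verbatim from the original.
    // NOTE(review): it is hard-coded and uses doubled forward slashes;
    // prefer resolving the IE location (e.g. via %ProgramFiles%) and a
    // backslash-separated path, and confirm the location on 64-bit
    // Windows where the 32-bit IE lives under "Program Files (x86)".
    if (!::CreateProcessAsUser(hRestrictedToken,
                               "C://Program Files//Internet Explorer//IEXPLORE.EXE",
                               NULL,  // command line
                               NULL,  // process security attributes
                               NULL,  // thread security attributes
                               FALSE, // do not inherit handles
                               0,     // creation flags
                               NULL,  // inherit environment
                               NULL,  // inherit current directory
                               &startupInfo,
                               &processInfo))
    {
        fprintf(stderr, "CreateProcessAsUser failed: %lu\n", ::GetLastError());
        return FALSE;
    }

    ::CloseHandle(processInfo.hThread);
    ::CloseHandle(processInfo.hProcess);
    return TRUE;
}

// Launches Internet Explorer under a restricted copy of the current
// process token, so a compromised browser has less to work with.
// Failures are reported on stderr and abort the launch. The original
// relied on _ASSERTE, which is compiled out of release builds and would
// have let a NULL or invalid handle flow into CreateProcessAsUser.
void ProtectIE()
{
    // Request only what CreateRestrictedToken and CreateProcessAsUser
    // need rather than TOKEN_ALL_ACCESS. CreateRestrictedToken returns a
    // handle with the same access as the one passed in, so the
    // restricted token inherits these rights.
    HANDLE hToken = NULL;
    if (!::OpenProcessToken(::GetCurrentProcess(),
                            TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY,
                            &hToken))
    {
        fprintf(stderr, "OpenProcessToken failed: %lu\n", ::GetLastError());
        return;
    }

    HANDLE hRestricted = CreateIERestrictedToken(hToken);
    ::CloseHandle(hToken);
    if (hRestricted == NULL)
    {
        return;
    }

    LaunchIE(hRestricted);
    ::CloseHandle(hRestricted);
}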

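// Entry point: launches IE under a restricted token and exits.
// The original declared main() with an implicit int return type (not
// valid C++) and always called exit(1), reporting failure to the shell
// even when the launch succeeded; ProtectIE prints its own errors.
int main()
{
    ProtectIE();
    return 0;
}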
