windows核心编程-windows完整性机制

进程的内核对象是等着别人拿着令牌访问我们的

令牌是我们拿着令牌区访问别人的内核对象的，与别的安全描述符权限比较

windows完整性机制：是对windows安全授权的一个补充

安全模块在拿token和安全描述符SECURITY_DESCRIPTOR比照之前，还会做一个完整性检查的工作

完整性等级低的不能访问完整性等级高的，如果没有设置，内核对象会设置默认的完整性等级medium。

让进程在一个低完整性等级下运行。

BOOL GetProcessIntegrityLevel(HANDLE hProcess, PDWORD pIntegrityLevel, 
   PDWORD pPolicy, PDWORD pResourceIntegrityLevel, PDWORD pResourcePolicy){}

pIntegrityLevel：完整性等级，高的完整性等级是3000，中的是2000......

pPolicy:策略等级

ValueMeaning

TOKEN_MANDATORY_POLICY_OFF

0x0

No mandatory integrity policy is enforced for the token.

TOKEN_MANDATORY_POLICY_NO_WRITE_UP

0x1

A process associated with the token cannot write to objects that have a greater mandatory integrity level.

TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN

0x2

A process created with the token has an integrity level that is the lesser of the parent-process integrity level and the executable-file integrity level.

TOKEN_MANDATORY_POLICY_VALID_MASK

0x3

A combination of TOKEN_MANDATORY_POLICY_NO_WRITE_UP andTOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN.

#include<windows.h>#include<tchar.h>#include"Aclapi.h"BOOL GetProcessIntegrityLevel(HANDLE hProcess, PDWORD pIntegrityLevel,PDWORD pPolicy, PDWORD pResourceIntegrityLevel, PDWORD pResourcePolicy) {HANDLE hToken = NULL;if (!OpenProcessToken(hProcess, TOKEN_READ, &hToken)) {return(FALSE);}BOOL bReturn = FALSE;// First, compute the size of the buffer to get the Integrity levelDWORD dwNeededSize = 0;if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwNeededSize)) {PTOKEN_MANDATORY_LABEL pTokenInfo = NULL;if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {// Second, allocate a memory block with the the required size pTokenInfo = (PTOKEN_MANDATORY_LABEL)LocalAlloc(0, dwNeededSize);if (pTokenInfo != NULL) {// And finally, ask for the integrity levelif (GetTokenInformation(hToken, TokenIntegrityLevel, pTokenInfo,dwNeededSize, &dwNeededSize)) {*pIntegrityLevel =*GetSidSubAuthority(pTokenInfo->Label.Sid,(*GetSidSubAuthorityCount(pTokenInfo->Label.Sid) - 1));bReturn = TRUE;}// Don't forget to free the memoryLocalFree(pTokenInfo);}}}// Try to get the policy if the integrity level was availableif (bReturn) {*pPolicy = TOKEN_MANDATORY_POLICY_OFF;dwNeededSize = sizeof(DWORD);GetTokenInformation(hToken, TokenMandatoryPolicy, pPolicy,dwNeededSize, &dwNeededSize);}// Look for the resource policy*pResourceIntegrityLevel = 0; // 0 means none explicitely set*pResourcePolicy = 0;PACL pSACL = NULL;PSECURITY_DESCRIPTOR pSD = NULL;DWORD dwResult = ERROR_SUCCESS;// Look for the no-read-up/no-write-up policy in the SACLif (hToken != NULL) {dwResult =GetSecurityInfo(hProcess, SE_KERNEL_OBJECT,LABEL_SECURITY_INFORMATION,NULL, NULL, NULL,&pSACL, &pSD);if (dwResult == ERROR_SUCCESS) {if (pSACL != NULL) {SYSTEM_MANDATORY_LABEL_ACE* pACE = NULL;if ((pSACL->AceCount > 0) && (GetAce(pSACL, 0, (PVOID*)&pACE))) {if (pACE != NULL) {SID* pSID = (SID*)(&pACE->SidStart);*pResourceIntegrityLevel = pSID->SubAuthority[0];*pResourcePolicy = pACE->Mask;}}}}// Cleanup memory allocated on our behalfif (pSD != NULL) LocalFree(pSD);}// Don't forget to close the token handle.CloseHandle(hToken);return(bReturn);}int _tmain(){DWORD IntergrityLevel,Policy,ResourceIntegrityLevel,ResourcePolicy;/*第一个参数，是进程句柄第二到第五个参数，是四个DWORD类型的指针*/GetProcessIntegrityLevel(GetCurrentProcess(),&IntergrityLevel,&Policy,&ResourceIntegrityLevel,&ResourcePolicy);_tprintf(L"IntegrityLevel=%0x\n", IntergrityLevel);_tprintf(L"Policy=%0x\n", Policy);_tprintf(L"ResourceIntegrityLevel=%0x\n", ResourceIntegrityLevel);_tprintf(L"ResourcePolicy=%0x\n", ResourcePolicy);_gettchar();return 0;}

完整性等级为medium，策略等级是3