Question
Is it possible to programmatically adjust a process's privilege so that if it creates a child process at any point later on, it will always (never) have write access to that process's memory?
I have created a DLL which is loaded by two different processes. At some point in my code I create a process. I have observed that depending upon which process loads my DLL, I either have PAGE_EXECUTE_WRITECOPY or 0 access to the child process's memory. My guess is that the loading process must have put some restrictions in place which result in this behaviour, because I am not doing anything different for either process. I looked at the process's security information in Process Explorer but could not spot any difference between the two. The hToken value is given to me by the caller who calls my API. Is this the one causing this? How can I test to confirm if so?
    // hToken is supplied by the caller of the API; si and pi are set up elsewhere.
    CreateProcessAsUserW(hToken, exe, cmd_line, NULL, NULL,
                         false,
                         CREATE_SUSPENDED | CREATE_UNICODE_ENVIRONMENT | DETACHED_PROCESS |
                             EXTENDED_STARTUPINFO_PRESENT | CREATE_BREAKAWAY_FROM_JOB,
                         NULL, NULL,
                         &si, &pi);
    MEMORY_BASIC_INFORMATION buffer;
    // 'address' is some valid address
    // PROCESS_INFORMATION exposes the child's process handle as hProcess.
    SIZE_T num = VirtualQueryEx(pi.hProcess, address, &buffer, sizeof(MEMORY_BASIC_INFORMATION));
    if (num > 0)
    {
        DWORD access = buffer.AllocationProtect; // 0x0 or 0x80 depending on which process loads dll
        DWORD state = buffer.State;
        DWORD type = buffer.Type;
    }
Source: https://stackoverflow.com/questions/19932599/how-to-restrict-grant-read-write-access-to-child-processs-memory