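#include <Windows.h>
#include <WinSafer.h>
#include <sddl.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Reports whether the calling process's token holds an *enabled*
 * BUILTIN\Administrators membership.
 *
 * CheckTokenMembership ignores SIDs marked deny-only, and the SAFER
 * "normal user" level is documented to mark the administrative SIDs
 * deny-only, so the restricted child launched below is expected to get
 * false here and therefore not launch yet another generation.
 *
 * Returns false on any API failure.
 */
static bool IsMemberOfAdministrators(void)
{
    SID_IDENTIFIER_AUTHORITY ntAuthority = SECURITY_NT_AUTHORITY;
    PSID adminSid = NULL;
    BOOL isMember = FALSE;

    if (!AllocateAndInitializeSid(&ntAuthority, 2,
                                  SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS,
                                  0, 0, 0, 0, 0, 0, &adminSid)) {
        return false;
    }
    // NULL token handle: check the token of the calling thread/process.
    if (!CheckTokenMembership(NULL, adminSid, &isMember)) {
        isMember = FALSE;
    }
    FreeSid(adminSid);
    return isMember != FALSE;
}

/*
 * Re-launches the current executable under a SAFER "normal user" token
 * lowered to medium integrity.
 *
 * Returns true when the child process was created.  On any failure every
 * resource acquired so far is released and false is returned; the caller
 * keeps running with its original token.  The child is started with
 * bInheritHandles == FALSE so that inheritable handles of the (possibly
 * elevated) parent do not leak into the restricted process.
 */
bool _IsNewProcessLaunched(void)
{
    bool launched = false;
    SAFER_LEVEL_HANDLE hLevel = NULL;
    HANDLE hRestrictedToken = NULL;
    PSID mediumSid = NULL;
    BOOL ok = FALSE;
    DWORD pathLen = 0;
    TOKEN_MANDATORY_LABEL tml = { 0 };
    WCHAR exePath[MAX_PATH + 1] = { 0 };
    WCHAR desktop[] = L"winsta0\\default";
    STARTUPINFOW si = { 0 };
    PROCESS_INFORMATION pi = { 0 };

    // The level handle is only needed long enough to compute the token.
    if (!SaferCreateLevel(SAFER_SCOPEID_USER, SAFER_LEVELID_NORMALUSER,
                          SAFER_LEVEL_OPEN, &hLevel, NULL)) {
        return false;
    }
    // NULL input token: derive the restricted token from our own token.
    ok = SaferComputeTokenFromLevel(hLevel, NULL, &hRestrictedToken, 0, NULL);
    SaferCloseLevel(hLevel);
    if (!ok) {
        return false;
    }

    // S-1-16-8192 is the medium mandatory level;
    // CreateWellKnownSid(WinMediumLabelSid) would produce the same SID.
    if (!ConvertStringSidToSidW(L"S-1-16-8192", &mediumSid)) {
        goto cleanup;
    }
    tml.Label.Attributes = SE_GROUP_INTEGRITY;
    tml.Label.Sid = mediumSid;
    if (!SetTokenInformation(hRestrictedToken, TokenIntegrityLevel, &tml,
                             sizeof(tml) + GetLengthSid(mediumSid))) {
        goto cleanup;
    }

    // Refuse to launch a truncated path: 0 means failure, a length of
    // MAX_PATH or more means the buffer was too small.
    pathLen = GetModuleFileNameW(NULL, exePath, MAX_PATH);
    if (pathLen == 0 || pathLen >= MAX_PATH) {
        goto cleanup;
    }

    si.cb = sizeof(si);
    si.lpDesktop = desktop;

    // bInheritHandles is FALSE: nothing is meant for the child, and the
    // restricted process should not receive the parent's inheritable handles.
    if (!CreateProcessAsUserW(hRestrictedToken, exePath, NULL, NULL, NULL, FALSE,
                              NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
        goto cleanup;
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    launched = true;

cleanup:
    LocalFree(mediumSid);          // LocalFree(NULL) is a documented no-op
    CloseHandle(hRestrictedToken);
    return launched;
}

/*
 * Entry point.  Only a process whose token still has an enabled
 * Administrators membership has anything to drop; the restricted child
 * re-enters main() with that SID deny-only and so does not spawn another
 * child.  Without this guard every generation would repeat the launch.
 */
int main(void)
{
    if (IsMemberOfAdministrators() && !_IsNewProcessLaunched()) {
        fputs("Failed to launch the restricted process.\n", stderr);
    }
    getchar();
    return 0;
}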
相关链接:Removing Administrator Privileges from Process
"S-1-16-8192" 是指中等完整性级别。 见:2.4.2.4 Well-Known SID Structures
SID介绍见: SID Components
原文链接: https://www.cnblogs.com/strive-sun/p/14340726.html