Win32API.OpenFileMapping 从 IE 工具栏引发访问冲突异常

发布于 2024-10-14 09:26:34 字数 400 浏览 2 评论 0原文

我们正在尝试内存映射文件技术跨进程共享一些信息

但是当我们在我们的组件之一（IE 工具栏）中使用它时，当 IE 在保护模式下运行时，它会抛出访问冲突异常。

有人可以在这方面帮助我吗？

如果有任何替代方案可以在多个进程中共享内存，使 IE 在保护模式下运行时不会出现任何问题，也请分享

详细场景已经解释此处谢谢

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

陌若浮生 2024-10-21 09:26:34

还没有回复？？？

无论如何，我找到了解决方案，我们需要先了解问题。

当 IE 在保护模式下运行时，它实际上会将 IE 进程置于低完整性级别，以避免使用 IE 中的安全对象。因此，如果在高完整性进程（例如从控制台或窗口应用程序）中创建内核对象（内存映射文件），那么当其处于保护模式时，将无法从 IE 访问它。

因此，要完成这项工作，必须将内核对象从高完整性级别进程标记为低完整性级别，该对象也可以从低完整性级别进程访问，尽管这也会使该对象容易受到攻击。

经过长时间的研究，我发现（此处）以下 VC++ 代码将内核对象设置为低完整性级别：

LPCWSTR LOW_INTEGRITY_SDDL_SACL_W = L"S:(ML;;NW;;;LW)";

bool SetObjectToLowIntegrity(HANDLE hObject, SE_OBJECT_TYPE type = SE_KERNEL_OBJECT)    
{
    bool bRet = false;
    DWORD dwErr = ERROR_SUCCESS;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pSacl = NULL;
    BOOL fSaclPresent = FALSE;
    BOOL fSaclDefaulted = FALSE;

      if ( ConvertStringSecurityDescriptorToSecurityDescriptorW (LOW_INTEGRITY_SDDL_SACL_W, SDDL_REVISION_1, &pSD, NULL ) )
      {
        if ( GetSecurityDescriptorSacl (
               pSD, &fSaclPresent, &pSacl, &fSaclDefaulted ) )
          {
          dwErr = SetSecurityInfo (
                    hObject, type, LABEL_SECURITY_INFORMATION,
                    NULL, NULL, NULL, pSacl );

          bRet = (ERROR_SUCCESS == dwErr);
          }

        LocalFree ( pSD );
        }

      return bRet;
    }

为了使其可以在 C# 中使用，我在 Windows 上进行了转换API 转换为 C# 如下；

    public const int LABEL_SECURITY_INFORMATION = 0x00000010;

    public enum SE_OBJECT_TYPE
        {
            SE_UNKNOWN_OBJECT_TYPE = 0,
            SE_FILE_OBJECT,
            SE_SERVICE,
            SE_PRINTER,
            SE_REGISTRY_KEY,
            SE_LMSHARE,
            SE_KERNEL_OBJECT,
            SE_WINDOW_OBJECT,
            SE_DS_OBJECT,
            SE_DS_OBJECT_ALL,
            SE_PROVIDER_DEFINED_OBJECT,
            SE_WMIGUID_OBJECT,
            SE_REGISTRY_WOW64_32KEY
        }

public static bool SetLowIntegrityLevel(IntPtr hObject)
        {
            bool bResult = false;
            IntPtr pSD = IntPtr.Zero;
            IntPtr pSacl = IntPtr.Zero;
            IntPtr lpbSaclPresent = IntPtr.Zero;
            IntPtr lpbSaclDefaulted = IntPtr.Zero;
            uint securityDescriptorSize = 0;

            if (ConvertStringSecurityDescriptorToSecurityDescriptorW("S:(ML;;NW;;;LW)", 1, ref pSD, ref securityDescriptorSize))
            {
                if (GetSecurityDescriptorSacl(pSD, out lpbSaclPresent, out pSacl, out lpbSaclDefaulted))
                {
                    int result = SetSecurityInfo(hObject, 
                                                  SE_OBJECT_TYPE.SE_KERNEL_OBJECT, 
                                                  LABEL_SECURITY_INFORMATION, 
                                                  IntPtr.Zero, 
                                                  IntPtr.Zero, 
                                                  IntPtr.Zero, 
                                                  pSacl);
                    bResult = (result == 0);
                }
                LocalFree(pSD);
            }

            return bResult;
        }

[DllImport("Advapi32.dll", EntryPoint = "SetSecurityInfo")]
        public static extern int SetSecurityInfo(IntPtr hFileMappingObject,
                                                    SE_OBJECT_TYPE objectType,
                                                    Int32 securityInfo,
                                                    IntPtr psidOwner,
                                                    IntPtr psidGroup,
                                                    IntPtr pDacl,
                                                    IntPtr pSacl);

        [DllImport("advapi32.dll", EntryPoint = "GetSecurityDescriptorSacl")]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern Boolean GetSecurityDescriptorSacl(
            IntPtr pSecurityDescriptor,
            out IntPtr lpbSaclPresent,
            out IntPtr pSacl,
            out IntPtr lpbSaclDefaulted);

        [DllImport("advapi32.dll", EntryPoint = "ConvertStringSecurityDescriptorToSecurityDescriptorW")]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern Boolean ConvertStringSecurityDescriptorToSecurityDescriptorW(
            [MarshalAs(UnmanagedType.LPWStr)] String strSecurityDescriptor,
            UInt32 sDRevision,
            ref IntPtr securityDescriptor,
            ref UInt32 securityDescriptorSize);

        [DllImport("kernel32.dll", EntryPoint = "LocalFree")]
        public static extern UInt32 LocalFree(IntPtr hMem);

No Reply Yet???

Anyway I found the Solution, We need to understand the problem first.

When IE is running in Protected Mode its actually take IE process to Low-Integrity level to avoid usage of secure objects from IE. So if a Kernal Object (Memory Map File) is created in Highty-Integrity Process (e.g. from a console or window application) then it would not be accessed from the IE when its in protected mode.

So make this work one has to mark the Kernal Object to Low-Integrity level from the high-Integrity process, this object will be accessible from low-integrity level processes as well though it will make the object vulnerable as well.

after a long research i found(here) the following VC++ code to set a kernal object to the low-integrity level:

LPCWSTR LOW_INTEGRITY_SDDL_SACL_W = L"S:(ML;;NW;;;LW)";

bool SetObjectToLowIntegrity(HANDLE hObject, SE_OBJECT_TYPE type = SE_KERNEL_OBJECT)    
{
    bool bRet = false;
    DWORD dwErr = ERROR_SUCCESS;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pSacl = NULL;
    BOOL fSaclPresent = FALSE;
    BOOL fSaclDefaulted = FALSE;

      if ( ConvertStringSecurityDescriptorToSecurityDescriptorW (LOW_INTEGRITY_SDDL_SACL_W, SDDL_REVISION_1, &pSD, NULL ) )
      {
        if ( GetSecurityDescriptorSacl (
               pSD, &fSaclPresent, &pSacl, &fSaclDefaulted ) )
          {
          dwErr = SetSecurityInfo (
                    hObject, type, LABEL_SECURITY_INFORMATION,
                    NULL, NULL, NULL, pSacl );

          bRet = (ERROR_SUCCESS == dwErr);
          }

        LocalFree ( pSD );
        }

      return bRet;
    }

to make it workable in C# I converted above windows Apis into C# as follow;

    public const int LABEL_SECURITY_INFORMATION = 0x00000010;

    public enum SE_OBJECT_TYPE
        {
            SE_UNKNOWN_OBJECT_TYPE = 0,
            SE_FILE_OBJECT,
            SE_SERVICE,
            SE_PRINTER,
            SE_REGISTRY_KEY,
            SE_LMSHARE,
            SE_KERNEL_OBJECT,
            SE_WINDOW_OBJECT,
            SE_DS_OBJECT,
            SE_DS_OBJECT_ALL,
            SE_PROVIDER_DEFINED_OBJECT,
            SE_WMIGUID_OBJECT,
            SE_REGISTRY_WOW64_32KEY
        }

public static bool SetLowIntegrityLevel(IntPtr hObject)
        {
            bool bResult = false;
            IntPtr pSD = IntPtr.Zero;
            IntPtr pSacl = IntPtr.Zero;
            IntPtr lpbSaclPresent = IntPtr.Zero;
            IntPtr lpbSaclDefaulted = IntPtr.Zero;
            uint securityDescriptorSize = 0;

            if (ConvertStringSecurityDescriptorToSecurityDescriptorW("S:(ML;;NW;;;LW)", 1, ref pSD, ref securityDescriptorSize))
            {
                if (GetSecurityDescriptorSacl(pSD, out lpbSaclPresent, out pSacl, out lpbSaclDefaulted))
                {
                    int result = SetSecurityInfo(hObject, 
                                                  SE_OBJECT_TYPE.SE_KERNEL_OBJECT, 
                                                  LABEL_SECURITY_INFORMATION, 
                                                  IntPtr.Zero, 
                                                  IntPtr.Zero, 
                                                  IntPtr.Zero, 
                                                  pSacl);
                    bResult = (result == 0);
                }
                LocalFree(pSD);
            }

            return bResult;
        }

[DllImport("Advapi32.dll", EntryPoint = "SetSecurityInfo")]
        public static extern int SetSecurityInfo(IntPtr hFileMappingObject,
                                                    SE_OBJECT_TYPE objectType,
                                                    Int32 securityInfo,
                                                    IntPtr psidOwner,
                                                    IntPtr psidGroup,
                                                    IntPtr pDacl,
                                                    IntPtr pSacl);

        [DllImport("advapi32.dll", EntryPoint = "GetSecurityDescriptorSacl")]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern Boolean GetSecurityDescriptorSacl(
            IntPtr pSecurityDescriptor,
            out IntPtr lpbSaclPresent,
            out IntPtr pSacl,
            out IntPtr lpbSaclDefaulted);

        [DllImport("advapi32.dll", EntryPoint = "ConvertStringSecurityDescriptorToSecurityDescriptorW")]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern Boolean ConvertStringSecurityDescriptorToSecurityDescriptorW(
            [MarshalAs(UnmanagedType.LPWStr)] String strSecurityDescriptor,
            UInt32 sDRevision,
            ref IntPtr securityDescriptor,
            ref UInt32 securityDescriptorSize);

        [DllImport("kernel32.dll", EntryPoint = "LocalFree")]
        public static extern UInt32 LocalFree(IntPtr hMem);

回复收藏 0 原文

~没有更多了~