Is there a way to identify the Windows Command Prompt regardless of its file name or location?
I'm writing a program to immediately track and kill when a user runs command prompt (and regedit if that's possible). This is to stop users from running commands I would rather they not have.
I've already written code that sees when a process is launched and checks its name using QueryFullProcessImageName. The issue is that if someone were to rename command prompt then I could no longer detect it via process name. The way I detect command prompt is currently "\cmd.exe" but clearly this is not very secure.
Posted below is what I have for the code. I removed all error checking for brevity. Please let me know if you need more clarity. Thanks!
#include <windows.h>
#include <tchar.h>
#include <string>
#include <vector>

typedef std::basic_string<TCHAR> tstring;

// Called for each newly launched process; the pid comes into the function as a parameter.
void KillIfBlacklisted(DWORD pid, const std::vector<tstring>& badProcs)
{
    TCHAR exeName[MAX_PATH];
    DWORD exeNameSize = MAX_PATH;
    // TerminateProcess needs PROCESS_TERMINATE on the handle; the query right alone makes it fail.
    HANDLE handle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE, FALSE, pid);
    if (handle)
    {
        if (QueryFullProcessImageName(handle, 0, exeName, &exeNameSize))
        {
            tstring name = exeName;
            /*
            badProcs would contain the path identifiers such as
            "\\cmd.exe" or "\\regedit.exe". This detection is
            what I want to make better.
            */
            for (size_t i = 0; i < badProcs.size(); i++)
            {
                if (tstring::npos != name.find(badProcs.at(i)))
                {
                    if (TerminateProcess(handle, 0))
                        OutputDebugString(_T("Process should be dead\n\n"));
                }
            }
        }
        CloseHandle(handle);
    }
}
Some additional information: The reason I'm writing this is to control what goes on in other desktops. I want to make it so that when a user launches a different desktop (via whatever proprietary program) I can control whether or not they have access to items which present the biggest security holes to the system. Given that I only want to control actions done on the other desktop, I do not want to change settings for fear of corrupting data outside of the target desktop. Is corruption not something to worry about?
I'm only interested in controlling a proprietary desktop, not mucking with what users do in their own space. Essentially the separate desktop is for corporate work, and I want to be able to limit what people can do with company information, etc.
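The weakness the question describes is that a path-substring check keys on a name the user controls. Two properties of the executable do not change when the file is renamed or copied: the OriginalFilename field in its version resource and its Authenticode signature (which covers the PE contents, not the on-disk name, and which breaks if someone edits the version resource to hide that field). The following PowerShell script is an added example, not the asker's code or anything from the original post; it lists running processes whose image is really cmd.exe or regedit.exe, whatever the file is currently called. It assumes Windows PowerShell 5.1 or newer and that the caller is allowed to read the image path of the processes of interest; the list of watched OriginalFilename values is the example's own.

```powershell
# Added example, not code from the question. Identifies running cmd.exe / regedit.exe
# instances by the OriginalFilename field of each image's version resource and by its
# Authenticode signature, rather than by the on-disk file name, which a user can change.
# Assumptions: Windows PowerShell 5.1 or newer; the caller can read the image path of the
# processes of interest (Get-Process gives no .Path for processes it cannot query).

# OriginalFilename values stored in the version resources of the two Microsoft binaries.
# Matching below is case-insensitive, so the casing Microsoft uses ("Cmd.Exe") does not matter.
$WatchedOriginalNames = @('cmd.exe', 'regedit.exe')

function Get-ImageIdentity {
    # Reads the identity fields that survive a rename of the file on disk.
    param([Parameter(Mandatory)][string]$Path)
    $vi  = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path             = $Path
        OriginalFilename = [string]$vi.OriginalFilename
        CompanyName      = [string]$vi.CompanyName
        # 'Valid' means the PE was not altered after it was signed; editing the version
        # resource to hide OriginalFilename would break the signature.
        SignatureStatus  = [string]$sig.Status
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

function Find-WatchedProcesses {
    # Returns one record per running process whose image is really cmd.exe or regedit.exe,
    # whatever the file is currently called.
    param([string[]]$OriginalNames = $WatchedOriginalNames)
    foreach ($p in Get-Process) {
        $path = $null
        try { $path = $p.Path } catch { }
        if (-not $path) { continue }            # protected or inaccessible process: skip
        try   { $id = Get-ImageIdentity -Path $path }
        catch { continue }                      # image gone from disk, access denied, etc.
        if ($OriginalNames -notcontains $id.OriginalFilename) { continue }
        [pscustomobject]@{
            Id               = $p.Id
            ProcessName      = $p.ProcessName   # what the asker's code keys on; can be anything
            Path             = $id.Path
            OriginalFilename = $id.OriginalFilename
            SignatureStatus  = $id.SignatureStatus
            Signer           = $id.Signer
        }
    }
}

# Usage: list every original or renamed cmd.exe / regedit.exe currently running.
Find-WatchedProcesses | Format-Table -AutoSize
```

A record whose OriginalFilename matches but whose SignatureStatus is not Valid is a modified copy rather than the Microsoft binary, which is worth reporting on its own. The script only detects; as the answers below point out, a user who is an administrator can stop any watcher process, so enforcement belongs to policy or ACLs rather than to a kill loop.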
Don't. Windows has internal means for that. Read up on the policy editor, and/or file access control.
If you're admin and the "user" is not, policy (or simple ACL) will do the job; if the "user" is also an admin, they'll be able to defeat your program fairly easily.
The best way to block the command prompt and registry editor is through the Windows registry. These work even if you copy the executables to a different location.
Neither the Registry Editor nor the Command Prompt can be run if the registry keys are set:
or for the whole machine
Setting this to 1 will disable regedit, and setting to 0 will enable it.
(the local machine variant works here as well).
Setting this to 1 will disable the command prompt and batch files, setting this to 2 will only disable the command line, and setting to 0 will enable it.
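The registry locations in this answer did not survive extraction, so the following PowerShell script is supplied as an added example rather than as the answer's own text. It reads and sets the two per-user (or machine-wide) policy values the answer describes, DisableCMD and DisableRegistryTools, under the standard Windows policy key paths for those values; those paths come from Windows policy documentation, not from the answer. It assumes Windows PowerShell 5.1 or newer, that it runs as the user whose HKCU hive should change, and an elevated prompt for the HKLM variants.

```powershell
# Added example, not code from the answer. Reads and sets the two policy values the answer
# describes. Key paths are the standard Windows policy locations for DisableCMD and
# DisableRegistryTools (from policy documentation, not from the answer, whose paths were lost).
# Assumptions: Windows PowerShell 5.1 or newer; run as the user whose HKCU hive should change,
# and from an elevated prompt for the machine-wide (HKLM) variants.

$PolicyTable = @{
    DisableCMD = @{
        Key     = 'Software\Policies\Microsoft\Windows\System'
        Meaning = @{ 0 = 'command prompt enabled'
                     1 = 'command prompt and batch files disabled'
                     2 = 'command prompt disabled, batch files still run' }
    }
    DisableRegistryTools = @{
        Key     = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
        Meaning = @{ 0 = 'registry editor enabled'
                     1 = 'registry editor disabled' }
    }
}

function Get-PolicyPath {
    param([Parameter(Mandatory)][string]$Name,
          [ValidateSet('CurrentUser','Machine')][string]$Scope = 'CurrentUser')
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    Join-Path $hive $PolicyTable[$Name].Key
}

function Get-PromptPolicy {
    # Reports the current state of both values for one scope. A missing value means
    # "not configured", which the tools treat like 0.
    param([ValidateSet('CurrentUser','Machine')][string]$Scope = 'CurrentUser')
    foreach ($name in $PolicyTable.Keys) {
        $path  = Get-PolicyPath -Name $name -Scope $Scope
        $value = $null
        $item  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($item) { $value = [int]$item.$name }
        [pscustomobject]@{
            Scope   = $Scope
            Name    = $name
            Path    = $path
            Value   = $value
            Meaning = if ($null -eq $value) { 'not configured' } else { $PolicyTable[$name].Meaning[$value] }
        }
    }
}

function Set-PromptPolicy {
    # Creates the policy key if it is missing and writes the DWORD value, then shows the result.
    param([Parameter(Mandatory)][ValidateSet('DisableCMD','DisableRegistryTools')][string]$Name,
          [Parameter(Mandatory)][ValidateRange(0,2)][int]$Value,
          [ValidateSet('CurrentUser','Machine')][string]$Scope = 'CurrentUser')
    if (-not $PolicyTable[$Name].Meaning.ContainsKey($Value)) {
        throw "Value $Value is not defined for $Name"
    }
    $path = Get-PolicyPath -Name $Name -Scope $Scope
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Name -Value $Value -Type DWord
    Get-PromptPolicy -Scope $Scope | Where-Object Name -eq $Name
}

# Usage:
#   Get-PromptPolicy                                     # show the current per-user state
#   Set-PromptPolicy -Name DisableCMD -Value 2           # block cmd.exe, still allow batch files
#   Set-PromptPolicy -Name DisableRegistryTools -Value 1 # block regedit
```

These values hold for a renamed or copied executable because cmd.exe and regedit.exe read the policy themselves at start-up, which is the property the answer relies on. Two caveats a practitioner should keep in mind: a user who is an administrator can simply reset the values, as the first answer notes, and DisableCMD governs cmd.exe only, so other shells on the machine are unaffected unless they are restricted separately.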