You can protect a handle with the ZwSetInformationObject / NtSetInformationObject function.


Found this while reading the ProcessHacker source.



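// Object information classes accepted by NtSetInformationObject.
typedef enum _OBJECT_INFORMATION_CLASS
{
	ObjectBasicInformation,
	ObjectNameInformation,
	ObjectTypeInformation,
	ObjectTypesInformation,
	ObjectHandleFlagInformation,	// = 4, takes OBJECT_HANDLE_FLAG_INFORMATION
	ObjectSessionInformation,
	MaxObjectInfoClass
} OBJECT_INFORMATION_CLASS;
// Function pointer type for the ntdll.dll export NtSetInformationObject.
typedef NTSTATUS (WINAPI* NTSETINFORMATIONOBJECT)(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG);
typedef struct _OBJECT_HANDLE_FLAG_INFORMATION
{
	BOOLEAN Inherit;	// handle is inherited by child processes
	BOOLEAN ProtectFromClose;	// handle cannot be closed while this is set
} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION;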

/////


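// hFile is an already-open handle. The typedef above is only a pointer type,
// so resolve the export from ntdll.dll at run time before calling it.
NTSETINFORMATIONOBJECT NtSetInformationObject = (NTSETINFORMATIONOBJECT)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtSetInformationObject");

OBJECT_HANDLE_FLAG_INFORMATION handleFlagInfo;
handleFlagInfo.Inherit = FALSE;          // the call writes both flags, so this also makes the handle non-inheritable
handleFlagInfo.ProtectFromClose = TRUE;  // closing hFile will now be refused

NtSetInformationObject(hFile, ObjectHandleFlagInformation, &handleFlagInfo, sizeof(OBJECT_HANDLE_FLAG_INFORMATION));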



< Checking the result in Process Hacker >



...
handleFlagInfo.ProtectFromClose = TRUE;
NtSetInformationObject(hFile, ObjectHandleFlagInformation, &handleFlagInfo, sizeof(OBJECT_HANDLE_FLAG_INFORMATION));


Setting ProtectFromClose to TRUE protects the handle from being closed.
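The call sequence above as a complete program, added here as an example and not taken from the post or from the ProcessHacker source: it sets ProtectFromClose, confirms that CloseHandle is refused, then clears the flag and closes the handle. The event handle and the names set_protect, protect_from_close_demo and HANDLE_FLAG_INFO are assumptions made for the demo, and reading the flag back with the Win32 GetHandleInformation goes slightly beyond what the post shows.

```c
/* Added example (not the post's code). Windows only; elsewhere it returns -1. */
#ifdef _WIN32
#include <windows.h>

/* Layout matches OBJECT_HANDLE_FLAG_INFORMATION from the post. */
typedef struct { BOOLEAN Inherit; BOOLEAN ProtectFromClose; } HANDLE_FLAG_INFO;
typedef LONG (NTAPI *NtSetInformationObject_t)(HANDLE, int, PVOID, ULONG);
#define OBJECT_HANDLE_FLAG_INFORMATION_CLASS 4 /* ObjectHandleFlagInformation */

/* Set or clear ProtectFromClose via ntdll; returns the NTSTATUS (negative on error). */
static LONG set_protect(HANDLE h, BOOLEAN protect)
{
    HANDLE_FLAG_INFO info = { FALSE, protect }; /* Inherit is rewritten too */
    NtSetInformationObject_t fn = (NtSetInformationObject_t)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtSetInformationObject");
    if (!fn) return -1;
    return fn(h, OBJECT_HANDLE_FLAG_INFORMATION_CLASS, &info, sizeof info);
}

/* Returns 0 if every step behaves as expected, otherwise the failing step. */
int protect_from_close_demo(void)
{
    DWORD flags = 0;
    HANDLE h = CreateEventA(NULL, TRUE, FALSE, NULL); /* constructed sample handle */
    if (!h) return 1;
    if (set_protect(h, TRUE) < 0) return 2;
    /* The documented Win32 API reports the same bit. */
    if (!GetHandleInformation(h, &flags)) return 3;
    if (!(flags & HANDLE_FLAG_PROTECT_FROM_CLOSE)) return 4;
    if (CloseHandle(h)) return 5;                            /* must be refused */
    if (WaitForSingleObject(h, 0) != WAIT_TIMEOUT) return 6; /* still a live handle */
    /* Any code in the process can clear the flag again, so this guards
       against accidental closes, not against a determined caller. */
    if (set_protect(h, FALSE) < 0) return 7;
    if (!CloseHandle(h)) return 8;
    return 0;
}
#else
int protect_from_close_demo(void) { return -1; } /* not Windows: nothing to run */
#endif

int main(void) { return protect_from_close_demo() > 0; }
```

Run it outside a debugger: with a debugger attached, closing a protected handle raises an exception instead of just returning FALSE.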







Attribution / Non-Commercial / No Derivatives
Posted by Gogil

  1. 미친감자 2014/11/21 15:51

    So there was something like this among the native functions~~ Thanks for the good info ^^