.NET Protect Process

[dEEpEst]

VB.NET:

Class ProcessElevation
<DllImport("kernel32.dll")> _
Public Shared Function GetCurrentProcess() As IntPtr
End Function
<DllImport("advapi32.dll", SetLastError:=True)> _
Private Shared Function SetKernelObjectSecurity(ByVal Handle As IntPtr, ByVal securityInformation As Integer, <[In]()> ByVal pSecurityDescriptor As Byte()) As Boolean
End Function
<DllImport("advapi32.dll", SetLastError:=True)> _
Private Shared Function GetKernelObjectSecurity(ByVal Handle As IntPtr, ByVal securityInformation As Integer, <Out()> ByVal pSecurityDescriptor As Byte(), ByVal nLength As UInteger, ByRef lpnLengthNeeded As UInteger) As Boolean
End Function
<Flags()> _
Public Enum ProcessAccessRights
PROCESS_CREATE_PROCESS = &H80
PROCESS_CREATE_THREAD = &H2
PROCESS_DUP_HANDLE = &H40
PROCESS_QUERY_INFORMATION = &H400
PROCESS_QUERY_LIMITED_INFORMATION = &H1000
PROCESS_SET_INFORMATION = &H200
PROCESS_SET_QUOTA = &H100
PROCESS_SUSPEND_RESUME = &H800
PROCESS_TERMINATE = &H1
PROCESS_VM_OPERATION = &H8
PROCESS_VM_READ = &H10
PROCESS_VM_WRITE = &H20
DELETE = &H10000
READ_CONTROL = &H20000
SYNCHRONIZE = &H100
WRITE_DAC = &H40000
ITE_OWNER = &H80000
STANDARD_RIGHTS_REQUIRED = &HF0000
PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
End Enum

Public Shared Sub Kanka()
Dim hProcess As IntPtr = GetCurrentProcess() 'get the handle of the current process as this is the one we want to protect
Dim dal = ParseProcDescriptor(hProcess)
dal.DiscretionaryAcl.InsertAce(0, New CommonAce(AceFlags.None, AceQualifier.AccessDenied, CInt(ProcessAccessRights.PROCESS_ALL_ACCESS), New SecurityIdentifier(WellKnownSidType.WorldSid, Nothing), False, Nothing))
EditProcDescriptor(hProcess, dal)
End Sub

Public Shared Function ParseProcDescriptor(ByVal processHandle As IntPtr) As RawSecurityDescriptor
Const dal_SECURITY_INFORMATION As Integer = &H4
Dim buff As Byte() = New Byte(-1) {}
Dim setblock As UInteger
GetKernelObjectSecurity(processHandle, dal_SECURITY_INFORMATION, buff, 0, setblock)
If setblock < 0 OrElse setblock > Short.MaxValue Then
Throw New Win32Exception()
End If
If Not GetKernelObjectSecurity(processHandle, dal_SECURITY_INFORMATION, InlineAssignHelper(buff, New Byte(setblock - 1) {}), setblock, setblock) Then
Throw New Win32Exception()
End If
Return New RawSecurityDescriptor(buff, 0)
End Function
Public Shared Sub EditProcDescriptor(ByVal processHandle As IntPtr, ByVal dal As RawSecurityDescriptor)
Const dal_SECURITY_INFORMATION As Integer = &H4
Dim rawsd As Byte() = New Byte(dal.BinaryLength - 1) {}
dal.GetBinaryForm(rawsd, 0)
If Not SetKernelObjectSecurity(processHandle, dal_SECURITY_INFORMATION, rawsd) Then
Throw New Win32Exception()
End If
End Sub
Private Shared Function InlineAssignHelper(Of T)(ByRef app As T, ByVal ret As T) As T
app = ret
Return ret
End Function
End Class




C#:

class ProcessElevation
{
    [DllImport("kernel32.dll")]
    public static IntPtr GetCurrentProcess()
    {
    }
    [DllImport("advapi32.dll", SetLastError = true)]
    private static bool SetKernelObjectSecurity(IntPtr Handle, int securityInformation,     [In()]
byte[] pSecurityDescriptor)
    {
    }
    [DllImport("advapi32.dll", SetLastError = true)]
    private static bool GetKernelObjectSecurity(IntPtr Handle, int securityInformation,     [Out()]
byte[] pSecurityDescriptor, uint nLength, ref uint lpnLengthNeeded)
    {
    }
    [Flags()]
    public enum ProcessAccessRights
    {
        PROCESS_CREATE_PROCESS = 0x80,
        PROCESS_CREATE_THREAD = 0x2,
        PROCESS_DUP_HANDLE = 0x40,
        PROCESS_QUERY_INFORMATION = 0x400,
        PROCESS_QUERY_LIMITED_INFORMATION = 0x1000,
        PROCESS_SET_INFORMATION = 0x200,
        PROCESS_SET_QUOTA = 0x100,
        PROCESS_SUSPEND_RESUME = 0x800,
        PROCESS_TERMINATE = 0x1,
        PROCESS_VM_OPERATION = 0x8,
        PROCESS_VM_READ = 0x10,
        PROCESS_VM_WRITE = 0x20,
        DELETE = 0x10000,
        READ_CONTROL = 0x20000,
        SYNCHRONIZE = 0x100,
        WRITE_DAC = 0x40000,
        ITE_OWNER = 0x80000,
        STANDARD_RIGHTS_REQUIRED = 0xf0000,
        PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xfff)
    }
    public static void Kanka()
    {
        IntPtr hProcess = GetCurrentProcess();
        object dal = ParseProcDescriptor(hProcess);
        dal.DiscretionaryAcl.InsertAce(0, new CommonAce(AceFlags.None, AceQualifier.AccessDenied, (int)ProcessAccessRights.PROCESS_ALL_ACCESS, new SecurityIdentifier(WellKnownSidType.WorldSid, null), false, null));
        EditProcDescriptor(hProcess, dal);
    }
    public static RawSecurityDescriptor ParseProcDescriptor(IntPtr processHandle)
    {
        const int dal_SECURITY_INFORMATION = 0x4;
        byte[] buff = new byte[-1] {  };
        uint setblock;
        GetKernelObjectSecurity(processHandle, dal_SECURITY_INFORMATION, buff, 0, setblock);
        if (setblock < 0 || setblock > short.MaxValue) {
            throw new Win32Exception();
        }
        if (!GetKernelObjectSecurity(processHandle, dal_SECURITY_INFORMATION, InlineAssignHelper(buff, new byte[setblock - 1] {  }), setblock, setblock)) {
            throw new Win32Exception();
        }
        return new RawSecurityDescriptor(buff, 0);
    }
    public static void EditProcDescriptor(IntPtr processHandle, RawSecurityDescriptor dal)
    {
        const int dal_SECURITY_INFORMATION = 0x4;
        byte[] rawsd = new byte[dal.BinaryLength - 1] {  };
        dal.GetBinaryForm(rawsd, 0);
        if (!SetKernelObjectSecurity(processHandle, dal_SECURITY_INFORMATION, rawsd)) {
            throw new Win32Exception();
        }
    }
    private static T InlineAssignHelper<T>(ref T app, T ret)
    {
        app = ret;
        return ret;
    }
}

 

[N900]

This only works with Win 7 and not after that.