Skip to content
Navigation Menu
{{ message }}
forked from wyrover/book-code
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathWin.JobLock.cpp
More file actions
385 lines (335 loc) · 14 KB
/
Copy pathWin.JobLock.cpp
File metadata and controls
385 lines (335 loc) · 14 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
/*
A Microsoft Windows Process Lockdown Tool using Job Objects
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
https://github.com/nccgroup/WindowsJobLock
Released under AGPL see LICENSE for more information
*/
#include "stdafx.h"
#include "XGetopt.h"
#include "Wtsapi32.h"
// Global
BOOL bListProcesses=FALSE;
HANDLE hProcess = NULL;
TCHAR *strProcess = NULL;
DWORD dwPID = 0;
TCHAR *strName = NULL;
DWORD dwProcessLimit = 0;
DWORD dwJobMemory = 0;
DWORD dwProcessMemory = 0;
BOOL bKillProcOnJobClose = FALSE;
BOOL bBreakAwayOK = FALSE;
BOOL bSilentBreakAwayOK = FALSE;
BOOL bUILimitDesktop = FALSE;
BOOL bUILimitDispSettings = FALSE;
BOOL bUILimitExitWindows = FALSE;
BOOL bUILimitUserHandles = FALSE;
BOOL bUILimitGlobalAtoms = FALSE;
BOOL bUILimitReadClip = FALSE;
BOOL bUILimitSystemParams = FALSE;
BOOL bUILimitWriteClip = FALSE;
HANDLE hJob = NULL;
//
// Function : FindProcess
// Purpose : Find a process by name
//
DWORD FindProcess(TCHAR *strName)
{
DWORD dwPIDArray[2048], dwCount = 0, dwRet;
PWTS_PROCESS_INFO ppProcessInfo;
if(WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE,0,1,&ppProcessInfo,&dwRet)){
for(dwCount=0;dwCount<dwRet;dwCount++){
if(strName == NULL){
_ftprintf(stdout,L"[i] %s (%d) in session %d\n",ppProcessInfo[dwCount].pProcessName,ppProcessInfo[dwCount].ProcessId,ppProcessInfo[dwCount].SessionId);
} else {
if(lstrcmp(ppProcessInfo[dwCount].pProcessName,strName) == 0 ){
return ppProcessInfo[dwCount].ProcessId;
}
}
}
}
return FALSE;
}
//
// Function : FindProcess
// Purpose : Find as processes name by PID
//
BOOL FindProcessName(DWORD dwPID, TCHAR *strName)
{
DWORD dwPIDArray[2048], dwCount = 0, dwRet;
PWTS_PROCESS_INFO ppProcessInfo;
if(WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE,0,1,&ppProcessInfo,&dwRet)){
for(dwCount=0;dwCount<dwRet;dwCount++){
if(ppProcessInfo[dwCount].ProcessId== dwPID ){
_tcscpy_s(strName,MAX_PATH,ppProcessInfo[dwCount].pProcessName);
return TRUE;
}
}
}
return FALSE;
}
BOOL BuildAndDeploy()
{
TCHAR strFinalName[MAX_PATH] = { 0 };
JOBOBJECT_EXTENDED_LIMIT_INFORMATION jelInfo = { 0 };
JOBOBJECT_BASIC_UI_RESTRICTIONS jbuiRestrictions = { 0 };
jelInfo.BasicLimitInformation.LimitFlags = 0;
jbuiRestrictions.UIRestrictionsClass = 0;
// Risk of truncation in theory
if(strName != NULL){
_tcscpy_s(strFinalName,MAX_PATH,L"Local\\");
_tcscat_s(strFinalName,MAX_PATH,strName);
hJob = CreateJobObject(NULL,strFinalName);
} else {
hJob = CreateJobObject(NULL,NULL);
}
_ftprintf(stdout,L"[i] Final job name - %s\n",strName == NULL ? L"NONAME" : strFinalName);
if(hJob == NULL){
if(GetLastError() == ERROR_INVALID_HANDLE){
_ftprintf(stdout,L"[!] Couldn't create job %s due to a object name conflict\n",strFinalName);
} else if (GetLastError() ==ERROR_ALREADY_EXISTS){
_ftprintf(stdout,L"[!] Couldn't create job %s due to a job already existing with that name\n",strFinalName);
} else {
_ftprintf(stdout,L"[!] Couldn't create job %s due to an unknown error %d\n",GetLastError());
}
return FALSE;
}
if(dwProcessLimit){
jelInfo.BasicLimitInformation.LimitFlags |= JOB_OBJECT_LIMIT_ACTIVE_PROCESS;
jelInfo.BasicLimitInformation.ActiveProcessLimit = dwProcessLimit;
}
if(dwJobMemory){
jelInfo.BasicLimitInformation.LimitFlags |= JOB_OBJECT_LIMIT_JOB_MEMORY;
jelInfo.JobMemoryLimit = dwJobMemory;
}
if(dwProcessMemory){
jelInfo.BasicLimitInformation.LimitFlags |= JOB_OBJECT_LIMIT_PROCESS_MEMORY;
jelInfo.ProcessMemoryLimit = dwProcessMemory;
}
if(bKillProcOnJobClose) jelInfo.BasicLimitInformation.LimitFlags |= JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
if(bBreakAwayOK) jelInfo.BasicLimitInformation.LimitFlags |= JOB_OBJECT_LIMIT_BREAKAWAY_OK;
if(bSilentBreakAwayOK) jelInfo.BasicLimitInformation.LimitFlags |= JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK;
if(bUILimitDesktop) jbuiRestrictions.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_DESKTOP;
if(bUILimitDispSettings) jbuiRestrictions.UIRestrictionsClass|= JOB_OBJECT_UILIMIT_DISPLAYSETTINGS;
if(bUILimitExitWindows) jbuiRestrictions.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_EXITWINDOWS;
if(bUILimitGlobalAtoms) jbuiRestrictions.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_GLOBALATOMS;
if(bUILimitUserHandles) jbuiRestrictions.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_HANDLES;
if(bUILimitReadClip) jbuiRestrictions.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_READCLIPBOARD;
if(bUILimitSystemParams) jbuiRestrictions.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS;
if(bUILimitWriteClip) jbuiRestrictions.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_WRITECLIPBOARD;
if(!SetInformationJobObject(hJob,JobObjectExtendedLimitInformation,&jelInfo,sizeof(jelInfo))){
_ftprintf(stdout,L"[!] Couldn't set job extended limits to job object %s due to an error %d\n",(_tcslen(strFinalName) ==0 ) ? L"Unknown" : strFinalName, GetLastError());
return FALSE;
} else {
_ftprintf(stdout,L"[*] Applied job exended limits to job object\n");
}
if(!SetInformationJobObject(hJob,JobObjectBasicUIRestrictions,&jbuiRestrictions,sizeof(jbuiRestrictions))){
_ftprintf(stdout,L"[!] Couldn't set UI limits to job object %s due to an error %d\n",(_tcslen(strFinalName) ==0 ) ? L"Unknown" : strFinalName, GetLastError());
return FALSE;
} else {
_ftprintf(stdout,L"[*] Applied UI limits to job object\n");
}
// Duplicate the handle into the target process
if(!DuplicateHandle(GetCurrentProcess(),hJob,hProcess,NULL,JOB_OBJECT_QUERY,TRUE,NULL)){
_ftprintf(stdout,L"[!] Couldn't duplicate job handle into target process due to an error %d\n",GetLastError());
return FALSE;
} else {
_ftprintf(stdout,L"[*] Duplicated handle of job (with restricted access) into target process!\n");
}
// Now assign the process to the job object
if(!AssignProcessToJobObject(hJob,hProcess)){
// this is where I wanted to be lazy
if(GetLastError() == ERROR_ACCESS_DENIED){ // Windows 7 and Server 2008 R2 and below
_ftprintf(stdout,L"[!] Couldn't apply job object to %s Looks like a job object has already been applied\n", strProcess);
return FALSE;
} else {
_ftprintf(stdout,L"[!] Couldn't apply job object to %s due to an error %d - %d\n", strProcess, GetLastError(),sizeof(jbuiRestrictions));
}
} else {
_ftprintf(stdout,L"[*] Applied job object to process!\n");
}
return TRUE;
}
//
// Function : PrintSettings
// Purpose : Print the settings we will apply
//
void PrintSettings()
{
fprintf(stdout,"[i] Process Limit - %s - %d\n", dwProcessLimit > 0 ? "True " : "False", dwProcessLimit);
fprintf(stdout,"[i] Job Memory Limit - %s - %d\n", dwJobMemory > 0 ? "True " : "False", dwJobMemory);
fprintf(stdout,"[i] Process Memory Limit - %s - %d\n", dwProcessMemory > 0 ? "True " : "False", dwProcessMemory);
fprintf(stdout,"[i] Kill Process on Job Close - %s\n", bKillProcOnJobClose == TRUE ? "True ": "False");
fprintf(stdout,"[i] Break Away from Job OK - %s\n", bBreakAwayOK == TRUE ? "True ": "False");
fprintf(stdout,"[i] Silent Break Away from Job OK - %s\n", bSilentBreakAwayOK == TRUE ? "True ": "False");
fprintf(stdout,"[i] Limit Desktop Operations - %s\n", bUILimitDesktop == TRUE ? "True ": "False");
fprintf(stdout,"[i] Limit Display Changes - %s\n", bUILimitDispSettings == TRUE ? "True ": "False");
fprintf(stdout,"[i] Limit Exit Windows - %s\n", bUILimitExitWindows == TRUE ? "True ": "False");
fprintf(stdout,"[i] Limit Global Atoms - %s\n", bUILimitGlobalAtoms == TRUE ? "True ": "False");
fprintf(stdout,"[i] Limit User Handles - %s\n", bUILimitUserHandles == TRUE ? "True ": "False");
fprintf(stdout,"[i] Limit Reading of Clipboard - %s\n", bUILimitReadClip == TRUE ? "True ": "False");
fprintf(stdout,"[i] Limit System Parameter Change - %s\n", bUILimitSystemParams == TRUE ? "True ": "False");
fprintf(stdout,"[i] Limit Writing to Clipboard - %s\n", bUILimitWriteClip == TRUE ? "True ": "False");
}
//
// Function : PrintHelp
// Purpose : Print the help out
//
void PrintHelp(TCHAR *strExe){
_ftprintf(stdout,L" i.e. %s [-h] \n",strExe);
fprintf (stdout,"\n");
fprintf (stdout," [.General Settings / Options.]\n");
fprintf (stdout," -g - Get process list\n");
fprintf (stdout," -P <name> - Process name to apply the job to\n");
fprintf (stdout," -p <PID> - PID to apply the job to\n");
fprintf (stdout," -n <name> - What the job will be called (optional)\n");
fprintf (stdout," [.Process Limits.]\n");
// JOBOBJECT_BASIC_LIMIT_INFORMATION.LimitFlags - JOB_OBJECT_LIMIT_ACTIVE_PROCESS
fprintf (stdout," -l <number> - Limit the number of process to this many\n");
fprintf (stdout," [.Memory.]\n");
// JOBOBJECT_BASIC_LIMIT_INFORMATION.LimitFlags - JOB_OBJECT_LIMIT_JOB_MEMORY
fprintf (stdout," -m <bytes> - Limit the total memory in bytes for the entire job\n");
// JOBOBJECT_BASIC_LIMIT_INFORMATION.LimitFlags - JOB_OBJECT_LIMIT_PROCESS_MEMORY
fprintf (stdout," -M <bytes> - Limit the total memory in bytes for each process in the job\n");
fprintf (stdout," [.Process Control.]\n");
// JOBOBJECT_BASIC_LIMIT_INFORMATION.LimitFlags - JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE
fprintf (stdout," -k - Kill all process when the job handle dies\n");
// JOBOBJECT_BASIC_LIMIT_INFORMATION.LimitFlags - JOB_OBJECT_LIMIT_BREAKAWAY_OK
fprintf (stdout," -B - Allow child process to be created with CREATE_BREAKAWAY_FROM_JOB (weak security)\n");
// JOBOBJECT_BASIC_LIMIT_INFORMATION.LimitFlags - JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK
fprintf (stdout," -b - Allow child process which aren't part of the job (weak security)\n");
fprintf (stdout," [.UI Security Controls.]\n");
// JOBOBJECT_BASIC_UI_RESTRICTIONS - JOB_OBJECT_UILIMIT_DESKTOP
fprintf (stdout," -d - Prevent processes within the job from switching or creating desktops\n");
// JOBOBJECT_BASIC_UI_RESTRICTIONS - JOB_OBJECT_UILIMIT_DISPLAYSETTINGS
fprintf (stdout," -D - Prevent processes within the job from calling the change display setting function\n");
// JOBOBJECT_BASIC_UI_RESTRICTIONS - JOB_OBJECT_UILIMIT_EXITWINDOWS
fprintf (stdout," -x - Prevent processes within job from calling the exit Windows function\n");
// JOBOBJECT_BASIC_UI_RESTRICTIONS - JOB_OBJECT_UILIMIT_GLOBALATOMS
fprintf (stdout," -a - Prevent processes within job from accessing global atoms\n");
// JOBOBJECT_BASIC_UI_RESTRICTIONS - JOB_OBJECT_UILIMIT_HANDLES
fprintf (stdout," -u - Prevent processes within job from using user handles\n");
// JOBOBJECT_BASIC_UI_RESTRICTIONS - JOB_OBJECT_UILIMIT_READCLIPBOARD
fprintf (stdout," -c - Prevent processes within job from reading the clipboard\n");
// JOBOBJECT_BASIC_UI_RESTRICTIONS - JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS
fprintf (stdout," -s - Prevent processes within job from changing system parameters\n");
// JOBOBJECT_BASIC_UI_RESTRICTIONS - JOB_OBJECT_UILIMIT_WRITECLIPBOARD
fprintf (stdout," -C - Prevent processes within job from writing the clipboard\n");
fprintf (stdout,"\n");
ExitProcess(1);
}
//
// Function : _tmain
// Purpose : entry point
//
int _tmain(int argc, _TCHAR* argv[])
{
DWORD dwPID = 0;
char chOpt;
TCHAR strProcName[MAX_PATH];
printf("[*] A Microsoft Windows Process Lockdown Tool using Job Objects - https://github.com/nccgroup/WindowsJobLock\n");
printf("[*] NCC Group Plc - http://www.nccgroup.com/ \n");
printf("[*] -h for help \n");
// Extract all the options
while ((chOpt = getopt(argc, argv, _T("P:p:l:m:M:n:gkBbdDxaucsCh"))) != EOF)
switch(chOpt)
{
case _T('g'):
bListProcesses = TRUE;
break;
case _T('P'):
strProcess = optarg;
break;
case _T('p'):
dwPID = _tstoi(optarg);
break;
case _T('l'):
dwProcessLimit = _tstoi(optarg);
break;
case _T('m'):
dwJobMemory = _tstoi(optarg);
break;
case _T('M'):
dwProcessMemory = _tstoi(optarg);
break;
case _T('n'):
strName = optarg;
break;
case _T('k'):
bKillProcOnJobClose = TRUE;
break;
case _T('B'):
bBreakAwayOK = TRUE;
break;
case _T('b'):
bSilentBreakAwayOK= TRUE;
break;
case _T('d'):
bUILimitDesktop = TRUE;
break;
case _T('D'):
bUILimitDispSettings = TRUE;
break;
case _T('x'):
bUILimitExitWindows = TRUE;
break;
case _T('a'):
bUILimitGlobalAtoms = TRUE;
break;
case _T('u'):
bUILimitUserHandles = TRUE;
break;
case _T('c'):
bUILimitReadClip = TRUE;
break;
case _T('s'):
bUILimitSystemParams = TRUE;
break;
case _T('C'):
bUILimitWriteClip = TRUE;
break;
case _T('h'):
PrintHelp(argv[0]);
return 0;
default:
fwprintf(stderr,L"[!] No handler - %c\n", chOpt);
break;
}
if(bListProcesses) {
FindProcess(NULL);
return 0;
}
if(strProcess!=NULL){
dwPID = FindProcess(strProcess);
}
if(dwPID == 0){
if(strProcess != NULL) {
_ftprintf(stderr,L"[!] Could not find the process %s\n",strProcess);
} else {
_ftprintf(stderr,L"[!] You need to specify a PID or valid process name (use -g to list processes)\n");
}
return -1;
}
if(!FindProcessName(dwPID,strProcName)){
_ftprintf(stderr,L"[!] Could not find the name of the process for PID %d!\n",dwPID);
return -1;
} else {
// this is so I can be lazy later
strProcess = strProcName;
}
hProcess = OpenProcess(PROCESS_SET_QUOTA|PROCESS_TERMINATE|PROCESS_DUP_HANDLE,false,dwPID);
if(hProcess == NULL || hProcess == INVALID_HANDLE_VALUE){
_ftprintf(stderr,L"[!] Could not open process %s (PID %d) - %d\n",strProcName,dwPID,GetLastError());
return -1;
} else {
_ftprintf(stdout,L"[*] Opened process %s\n",strProcName);
}
PrintSettings();
if(!BuildAndDeploy()){
_ftprintf(stderr,L"[!] Failed to build and deploy job object to %s..\n",strProcName);
return -1;
} else {
_ftprintf(stdout,L"[*] Successfully built and deployed job object to %s!\n",strProcName);
}
return 0;
}
You can’t perform that action at this time.