尝试设置 ProcessStrictHandleCheckPolicy returns 87 - 函数不正确
Trying to set ProcessStrictHandleCheckPolicy returns 87 - Incorrect Function
我正在尝试在 Windows 10 上使用 SetProcessMitigationPolicy 来启用 ProcessStrictHandleCheckPolicy:
The process will receive a fatal error if it manipulates a handle that is not valid.
As a general rule, strict handle checking cannot be turned off once it is turned on. Therefore, when calling the SetProcessMitigationPolicy function with this policy, the values of the RaiseExceptionOnInvalidHandleReference and HandleExceptionsPermanentlyEnabled substructure members must be the same. It is not possible to enable invalid handle exceptions only temporarily.
我可以启用其他一些缓解措施:
ProcessDynamicCodePolicy:进程的动态代码策略。开启后,进程无法生成动态代码或修改现有的可执行代码。ProcessExtensionPointDisablePolicy:包含遗留扩展点 DLL 的进程缓解策略设置。ProcessSignaturePolicy:可以将图像加载限制为由 Windows 商店签署的那些图像的进程策略,或 Microsoft Windows Store 和 Windows 硬件质量实验室 (WHQL)。ProcessFontDisablePolicy:关于进程字体加载的策略。开启后,进程无法加载非系统字体。ProcessImageLoadPolicy:关于进程镜像加载的策略,决定了允许映射到进程中的可执行镜像的类型。开启后,无法从某些位置加载图像,例如远程设备或具有低强制标签的文件。
但是ProcessStrictHandleCheckPolicy:
PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy;
policy.RaiseExceptionOnInvalidHandleReference = 1;
policy.HandleExceptionsPermanentlyEnabled = 1;
BOOL res = SetProcessMitigationPolicy(ProcessStrictHandleCheckPolicy, policy, sizeof(policy));
if (!res)
RaiseLastWin32Error();
失败,错误代码 87:
ERROR_INVALID_PARAMETER
The parameter is incorrect
怎么了?
奖金聊天
ProcessDynamicCodePolicy 策略阻止嵌入式 Web 浏览器 运行 Javascript:
ProhibitDynamicCode:设置(0x1)防止进程生成动态代码或修改已有的可执行代码;否则保留未设置 (0x0)。AllowThreadOptOut:设置 (0x1) 以允许线程通过使用 ThreadInformation 调用 SetThreadInformation 函数来选择退出对动态代码生成的限制参数设置为 ThreadDynamicCodePolicy;否则保持不变 (0x0)。您不应将 AllowThreadOptOut 和 ThreadDynamicCodePolicy 设置一起使用以提供强大的安全性。这些设置仅旨在使应用程序能够更轻松地调整其代码以实现完整的动态代码限制。
更多红利用户
我其实是在Delphi,所以语法和上面的不一样C/C++/C#伪代码:
type
//ProcessStrictHandleCheckPolicy - The process will receive a fatal error if it manipulates an invalid handle. Useful for preventing downstream problems in a process due to handle misuse.
PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY = record
Flags: DWORD;
//DWORD RaiseExceptionOnInvalidHandleReference : 1;
//DWORD HandleExceptionsPermanentlyEnabled : 1;
//DWORD ReservedFlags : 30;
end;
procedure SetMitigationPolicy;
var
policy: PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY;
res: BOOL;
begin
policy.Flags := [=12=]000002;
res := SetProcessMitigationPolicy(ProcessStrictHandleCheckPolicy, @policy, sizeof(policy));
if not res then
RaiseLastWin32Error;
end;
这并没有改变问题:
- 有时当我 post Delphi 代码时,它并不严格 Delphi 相关,我收到评论说我应该包含 Delphi 标签
- 有时当我 post Delphi 代码时,它并不严格 Delphi 相关,我收到评论说我不应该包含 Delphi 标签
掷骰子
不包含 delphi delphi-xe6 标签。
红利阅读
来自 PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY 文档:
As a general rule, strict handle checking cannot be turned off once it is turned on. Therefore, when calling the SetProcessMitigationPolicy function with this policy, the values of the RaiseExceptionOnInvalidHandleReference and HandleExceptionsPermanentlyEnabled substructure members must be the same. It is not possible to enable invalid handle exceptions only temporarily.
当你写道:
policy.Flags := [=10=]000002;
你只设置了HandleExceptionsPermanentlyEnabled标志,没有设置RaiseExceptionOnInvalidHandleReference标志。应该是这个,它设置了两个标志:
policy.Flags := [=11=]000003;
我相当确定您实际上从未 运行 您的 C++ 代码,因为它无法编译。如果您修复了明显的编译错误,那么它将 运行 成功。
#define _WIN32_WINNT 0x0602
#include <Windows.h>
#include <Processthreadsapi.h>
#include <iostream>
int main()
{
PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy = { 0 };
policy.RaiseExceptionOnInvalidHandleReference = 1;
policy.HandleExceptionsPermanentlyEnabled = 1;
BOOL res = SetProcessMitigationPolicy(ProcessStrictHandleCheckPolicy, &policy,
sizeof(policy));
DWORD err = 0;
if (!res)
err = GetLastError();
std::cout << res << ", " << err;
}
此程序按预期输出 1, 0。如果你加上
policy.Flags = 0x00000002;
紧接在调用SetProcessMitigationPolicy之前,则输出为0, 87。
我正在尝试在 Windows 10 上使用 SetProcessMitigationPolicy 来启用 ProcessStrictHandleCheckPolicy:
The process will receive a fatal error if it manipulates a handle that is not valid.
As a general rule, strict handle checking cannot be turned off once it is turned on. Therefore, when calling the SetProcessMitigationPolicy function with this policy, the values of the RaiseExceptionOnInvalidHandleReference and HandleExceptionsPermanentlyEnabled substructure members must be the same. It is not possible to enable invalid handle exceptions only temporarily.
我可以启用其他一些缓解措施:
ProcessDynamicCodePolicy:进程的动态代码策略。开启后,进程无法生成动态代码或修改现有的可执行代码。ProcessExtensionPointDisablePolicy:包含遗留扩展点 DLL 的进程缓解策略设置。ProcessSignaturePolicy:可以将图像加载限制为由 Windows 商店签署的那些图像的进程策略,或 Microsoft Windows Store 和 Windows 硬件质量实验室 (WHQL)。ProcessFontDisablePolicy:关于进程字体加载的策略。开启后,进程无法加载非系统字体。ProcessImageLoadPolicy:关于进程镜像加载的策略,决定了允许映射到进程中的可执行镜像的类型。开启后,无法从某些位置加载图像,例如远程设备或具有低强制标签的文件。
但是ProcessStrictHandleCheckPolicy:
PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy;
policy.RaiseExceptionOnInvalidHandleReference = 1;
policy.HandleExceptionsPermanentlyEnabled = 1;
BOOL res = SetProcessMitigationPolicy(ProcessStrictHandleCheckPolicy, policy, sizeof(policy));
if (!res)
RaiseLastWin32Error();
失败,错误代码 87:
ERROR_INVALID_PARAMETER
The parameter is incorrect
怎么了?
奖金聊天
ProcessDynamicCodePolicy 策略阻止嵌入式 Web 浏览器 运行 Javascript:
ProhibitDynamicCode:设置(0x1)防止进程生成动态代码或修改已有的可执行代码;否则保留未设置 (0x0)。AllowThreadOptOut:设置 (0x1) 以允许线程通过使用 ThreadInformation 调用 SetThreadInformation 函数来选择退出对动态代码生成的限制参数设置为 ThreadDynamicCodePolicy;否则保持不变 (0x0)。您不应将 AllowThreadOptOut 和 ThreadDynamicCodePolicy 设置一起使用以提供强大的安全性。这些设置仅旨在使应用程序能够更轻松地调整其代码以实现完整的动态代码限制。
更多红利用户
我其实是在Delphi,所以语法和上面的不一样C/C++/C#伪代码:
type
//ProcessStrictHandleCheckPolicy - The process will receive a fatal error if it manipulates an invalid handle. Useful for preventing downstream problems in a process due to handle misuse.
PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY = record
Flags: DWORD;
//DWORD RaiseExceptionOnInvalidHandleReference : 1;
//DWORD HandleExceptionsPermanentlyEnabled : 1;
//DWORD ReservedFlags : 30;
end;
procedure SetMitigationPolicy;
var
policy: PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY;
res: BOOL;
begin
policy.Flags := [=12=]000002;
res := SetProcessMitigationPolicy(ProcessStrictHandleCheckPolicy, @policy, sizeof(policy));
if not res then
RaiseLastWin32Error;
end;
这并没有改变问题:
- 有时当我 post Delphi 代码时,它并不严格 Delphi 相关,我收到评论说我应该包含 Delphi 标签
- 有时当我 post Delphi 代码时,它并不严格 Delphi 相关,我收到评论说我不应该包含 Delphi 标签
掷骰子
不包含 delphi delphi-xe6 标签。
红利阅读
来自 PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY 文档:
As a general rule, strict handle checking cannot be turned off once it is turned on. Therefore, when calling the SetProcessMitigationPolicy function with this policy, the values of the RaiseExceptionOnInvalidHandleReference and HandleExceptionsPermanentlyEnabled substructure members must be the same. It is not possible to enable invalid handle exceptions only temporarily.
当你写道:
policy.Flags := [=10=]000002;
你只设置了HandleExceptionsPermanentlyEnabled标志,没有设置RaiseExceptionOnInvalidHandleReference标志。应该是这个,它设置了两个标志:
policy.Flags := [=11=]000003;
我相当确定您实际上从未 运行 您的 C++ 代码,因为它无法编译。如果您修复了明显的编译错误,那么它将 运行 成功。
#define _WIN32_WINNT 0x0602
#include <Windows.h>
#include <Processthreadsapi.h>
#include <iostream>
int main()
{
PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy = { 0 };
policy.RaiseExceptionOnInvalidHandleReference = 1;
policy.HandleExceptionsPermanentlyEnabled = 1;
BOOL res = SetProcessMitigationPolicy(ProcessStrictHandleCheckPolicy, &policy,
sizeof(policy));
DWORD err = 0;
if (!res)
err = GetLastError();
std::cout << res << ", " << err;
}
此程序按预期输出 1, 0。如果你加上
policy.Flags = 0x00000002;
紧接在调用SetProcessMitigationPolicy之前,则输出为0, 87。