What does mandatory integrity level value of 0x2010 stand for?

I am running the following code snippet in my user-mode process, which starts when a Windows user account logs on to the workstation. Or, in other words, its path is placed in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.

The code is supposed to determine the mandatory integrity level of my user process. It goes like this:

```cpp
#include <windows.h>

DWORD getMIL()
{
    //Try to get integrity level
    //-1                                            Unknown
    //SECURITY_MANDATORY_UNTRUSTED_RID              0x00000000 Untrusted.
    //SECURITY_MANDATORY_LOW_RID                    0x00001000 Low integrity.
    //SECURITY_MANDATORY_MEDIUM_RID                 0x00002000 Medium integrity.
    //SECURITY_MANDATORY_MEDIUM_PLUS_RID            SECURITY_MANDATORY_MEDIUM_RID + 0x100 Medium high integrity.
    //SECURITY_MANDATORY_HIGH_RID                   0X00003000 High integrity.
    //SECURITY_MANDATORY_SYSTEM_RID                 0x00004000 System integrity.
    //SECURITY_MANDATORY_PROTECTED_PROCESS_RID      0x00005000 Protected process.
    DWORD dwIntgtyLvl = -1;

    HANDLE hToken;
    if(OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &hToken))
    {
        //First call with a NULL buffer only asks for the required size
        DWORD dwSizeIntgtyLvl = 0;
        if(!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, dwSizeIntgtyLvl, &dwSizeIntgtyLvl) &&
            ::GetLastError() == ERROR_INSUFFICIENT_BUFFER)
        {
            BYTE* pbIntgtyLvl = new BYTE[dwSizeIntgtyLvl];
            if(pbIntgtyLvl)
            {
                TOKEN_MANDATORY_LABEL* pTML = (TOKEN_MANDATORY_LABEL*)pbIntgtyLvl;
                DWORD dwSizeIntgtyLvl2;
                if(GetTokenInformation(hToken, TokenIntegrityLevel, pTML, dwSizeIntgtyLvl, &dwSizeIntgtyLvl2) &&
                    dwSizeIntgtyLvl2 <= dwSizeIntgtyLvl)
                {
                    //The integrity RID is the last sub-authority of the label SID (S-1-16-<RID>)
                    dwIntgtyLvl = *GetSidSubAuthority(pTML->Label.Sid,
                        (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTML->Label.Sid)-1));
                }

                //Free mem
                delete[] pbIntgtyLvl;
                pbIntgtyLvl = NULL;
            }
        }

        ::CloseHandle(hToken);
    }

    return dwIntgtyLvl;
}
```

In the normal flow of events I expect to get the value SECURITY_MANDATORY_MEDIUM_RID (0x2000) or SECURITY_MANDATORY_HIGH_RID (0x3000), but if I have one Windows user account already logged in, and I then switch users and log in with another user account, the method above gets me the value 0x2010 for the mandatory integrity level.

Does anyone know what this value stands for?

It is described at the bottom of the MSDN page on Windows Integrity Mechanism Design:

The RIDs are separated by intervals of 0x1000 to allow for definition of additional levels in the future. The separation also allows assigning an integrity level to a process that is slightly higher than medium: for example, to meet specific system design goals.

...

Applications that are launched with UIAccess rights for a standard user are assigned a slightly higher integrity level value in the access token. The access token integrity level for the UIAccess application for a standard user is the value of medium integrity level, plus an increment of 0x10. The higher integrity level for UIAccess applications prevents other processes on the same desktop at the medium integrity level from opening the UIAccess process object

You are not taking into account that integrity levels use ranges of values, where a token/process can be assigned any value within the range for its integrity level. You are only looking for specific values.

Untrusted integrity can be any value between SECURITY_MANDATORY_UNTRUSTED_RID (inclusive) and SECURITY_MANDATORY_LOW_RID (exclusive).

Low integrity can be any value between SECURITY_MANDATORY_LOW_RID (inclusive) and SECURITY_MANDATORY_MEDIUM_RID (exclusive).

Medium integrity can be any value between SECURITY_MANDATORY_MEDIUM_RID (inclusive) and SECURITY_MANDATORY_HIGH_RID (exclusive). That is what you are seeing in your example.

High integrity can be any value between SECURITY_MANDATORY_HIGH_RID (inclusive) and SECURITY_MANDATORY_SYSTEM_RID (exclusive).

Any value equal to or higher than SECURITY_MANDATORY_SYSTEM_RID is reserved for the system.

There is a table in the documentation that shows:

Windows Integrity Mechanism Design

Table 2   Defined integrity levels and corresponding values

| Value  | Description            | Symbol                           |
|--------|------------------------|----------------------------------|
| 0x0000 | Untrusted level        | SECURITY_MANDATORY_UNTRUSTED_RID |
| 0x1000 | Low integrity level    | SECURITY_MANDATORY_LOW_RID       |
| 0x2000 | Medium integrity level | SECURITY_MANDATORY_MEDIUM_RID    |
| 0x3000 | High integrity level   | SECURITY_MANDATORY_HIGH_RID      |
| 0x4000 | System integrity level | SECURITY_MANDATORY_SYSTEM_RID    |

Here is a list with names: Well-known SIDs

| SID           | Name                                  | DEC       | HEX   |             BIN   |
|-------------- |-----------------------------------    |-------    |------ |----------------:  |
| S-1-16-0      | Untrusted Mandatory Level             | 0         | 0000  |               0   |
| S-1-16-4096   | Low Mandatory Level                   | 512       | 0200  |      1000000000   |
| S-1-16-8192   | Medium Mandatory Level                | 8192      | 2000  |  10000000000000   |
| S-1-16-8448   | Medium Plus Mandatory Level           | 8448      | 2100  |  10000100000000   |
| S-1-16-12288  | High Mandatory Level                  | 12288     | 3000  |  11000000000000   |
| S-1-16-16384  | System Mandatory Level                | 16384     | 4000  | 100000000000000   |
| S-1-16-20480  | Protected Process Mandatory Level     | 20480     | 5000  | 101000000000000   |
| S-1-16-28672  | Secure Process Mandatory Level        | 28672     | 7000  | 111000000000000   |

But, as said in other answers, values between two listed items are valid, and if you have to name them you should choose the name of the lower value (e.g. 511 should be named untrusted plus rather than Low Mandatory).

A process can only interact with system objects that have the same or a lower integrity level.
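The range-based interpretation given in the two answers above (a level is the half-open interval from its RID up to the next level's RID, and a subject's raw RID is what gets compared against an object's label) can be made concrete in a few lines. This is an added example, not code from the question or the answers; it redefines the SECURITY_MANDATORY_*_RID values quoted on the page under its own names so it compiles without `<windows.h>`, and the helper names are hypothetical.

```cpp
#include <cstdint>
#include <string>

// Same values as the Windows SDK SECURITY_MANDATORY_*_RID constants quoted on
// this page, renamed so the example builds anywhere without <windows.h>.
constexpr uint32_t kUntrustedRid        = 0x00000000;
constexpr uint32_t kLowRid              = 0x00001000;
constexpr uint32_t kMediumRid           = 0x00002000;
constexpr uint32_t kMediumPlusRid       = kMediumRid + 0x100;
constexpr uint32_t kHighRid             = 0x00003000;
constexpr uint32_t kSystemRid           = 0x00004000;
constexpr uint32_t kProtectedProcessRid = 0x00005000;

// Name a raw integrity RID (the last sub-authority of the S-1-16-<RID> label SID,
// i.e. what getMIL() in the question returns). Levels are half-open ranges, so
// 0x2010 (UIAccess: medium + 0x10) and 0x2100 (medium plus) both resolve to
// "Medium", and 511 resolves to "Untrusted", exactly as the answers describe.
std::string integrityLevelName(uint32_t rid)
{
    if (rid < kLowRid)    return "Untrusted";
    if (rid < kMediumRid) return "Low";
    if (rid < kHighRid)   return "Medium";
    if (rid < kSystemRid) return "High";
    return "System";   // kSystemRid and above, including kProtectedProcessRid
}

// Base RID of the level a value falls in, and the increment above that base.
// Levels are spaced 0x1000 apart, so the low 12 bits carry the increment
// (0x10 for a UIAccess token, 0x100 for medium plus, 0 for a plain level).
uint32_t integrityLevelBase(uint32_t rid)   { return rid & ~0xFFFu; }
uint32_t integrityLevelOffset(uint32_t rid) { return rid &  0xFFFu; }

// The mandatory policy compares raw RIDs, not level names: a subject may open
// an object only if its RID is >= the object's label RID. This is why, per the
// quoted MSDN text, a plain medium process (0x2000) cannot open a UIAccess
// process (0x2010) although both are "Medium".
bool subjectDominates(uint32_t subjectRid, uint32_t objectRid)
{
    return subjectRid >= objectRid;
}

// The check a startup program should actually make instead of testing for
// exact constants: "is my token at least medium integrity?"
bool isAtLeastMedium(uint32_t rid) { return rid >= kMediumRid; }
```

Comparing against the constants with `==` is what made 0x2010 look like an unknown value; `integrityLevelName` and `isAtLeastMedium` are the range checks the answers recommend.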