西宁网站网站建设目前最火的自媒体平台
一、引言
某些业务场景下,我们会在计算机本地磁盘中创建文件夹目录,用于保存跟当前程序相关的业务数据(这很常见);极端情况下,为了防止客户篡改某些配置,我们设置不希望客户可以访问这些文件夹。于是有了如下所示的应用场景:如何给自己的文件夹加锁,并只允许指定的进程访问该文件夹!
如图所示:
当然,我们记住一个前提, 所有的安全保护措施都是只防君子,不防小人的!!
二、代码示例
- 以下代码某些功能待优化,只作为参考使用。
- ACL使用场景可能需要提权,建议使用管理员权限运行你的进程,或者你的IDE
#include <iostream>
#include <fstream>
#include <string>
#include <windows.h>#include <windows.h>
#include <aclapi.h>
#include <sddl.h>
#include <iostream>
#include <string>
#include <tlhelp32.h>#pragma comment(lib, "Advapi32.lib") // Link to Advapi32.lib// Function to get the SID of a specified user
std::wstring GetUserSID(DWORD processId) {HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, processId);if (hProcess == NULL) {std::cerr << "Failed to open process. Error: " << GetLastError() << std::endl;return L"";}HANDLE hToken;if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) {std::cerr << "Failed to open process token. Error: " << GetLastError() << std::endl;CloseHandle(hProcess);return L"";}DWORD tokenInfoLength = 0;GetTokenInformation(hToken, TokenUser, NULL, 0, &tokenInfoLength);PTOKEN_USER pTokenUser = (PTOKEN_USER)LocalAlloc(LPTR, tokenInfoLength);if (!GetTokenInformation(hToken, TokenUser, pTokenUser, tokenInfoLength, &tokenInfoLength)) {std::cerr << "Failed to get token information. Error: " << GetLastError() << std::endl;LocalFree(pTokenUser);CloseHandle(hToken);CloseHandle(hProcess);return L"";}LPWSTR sidString;if (ConvertSidToStringSidW(pTokenUser->User.Sid, &sidString)) {std::wstring result(sidString);LocalFree(sidString); // Free the string allocated by ConvertSidToStringSidLocalFree(pTokenUser);CloseHandle(hToken);CloseHandle(hProcess);return result; // Return the SID as a string}else {std::cerr << "Failed to convert SID to string. Error: " << GetLastError() << std::endl;LocalFree(pTokenUser);CloseHandle(hToken);CloseHandle(hProcess);return L"";}
}// Function to set directory access
void SetDirectoryAccess(const std::string& directoryPath, DWORD processId) {// Convert the directory path to a wide stringstd::wstring wDirectoryPath(directoryPath.begin(), directoryPath.end());// Create a security descriptorPSECURITY_DESCRIPTOR pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);if (pSD == nullptr) {std::cerr << "Failed to allocate memory for security descriptor." << std::endl;return;}// Initialize the security descriptorif (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION)) {std::cerr << "Failed to initialize security descriptor." << std::endl;LocalFree(pSD);return;}// Get the SID for the allowed processstd::wstring sidString = GetUserSID(processId); // Get the SID for the allowed processif (sidString.empty()) {std::cerr << "Failed to retrieve SID for the allowed process." << std::endl;LocalFree(pSD);return;}PSID pSID = nullptr;if (!ConvertStringSidToSid(sidString.c_str(), &pSID)) {std::cerr << "Failed to convert SID string to SID." << std::endl;LocalFree(pSD);return;}// Create an access maskDWORD accessMask = GENERIC_READ | GENERIC_WRITE; // Allow read and write access// Create an access control entry for the allowed processEXPLICIT_ACCESS ea;ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS)); // Initialize the structure to zeroea.grfAccessPermissions = accessMask; // Set the access permissionsea.grfAccessMode = SET_ACCESS; // Set the access modeea.grfInheritance = NO_INHERITANCE; // No inheritanceea.Trustee.TrusteeForm = TRUSTEE_IS_SID; // The trustee is a SIDea.Trustee.TrusteeType = TRUSTEE_IS_USER; // The trustee is a userea.Trustee.ptstrName = (LPWSTR)pSID; // Set the SIDPACL pACL = nullptr;// Call SetEntriesInAcl with the correct parametersif (SetEntriesInAcl(1, &ea, NULL, &pACL) != ERROR_SUCCESS) {std::cerr << "Failed to set entries in ACL." << std::endl;LocalFree(pSID);LocalFree(pSD);return;}// Create an access control entry for denying access to everyoneEXPLICIT_ACCESS denyAccess;ZeroMemory(&denyAccess, sizeof(EXPLICIT_ACCESS)); // Initialize the structure to zerodenyAccess.grfAccessPermissions = GENERIC_ALL; // Deny all accessdenyAccess.grfAccessMode = DENY_ACCESS; // Set the access mode to denydenyAccess.grfInheritance = NO_INHERITANCE; // No inheritancedenyAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME; // The trustee is a well-known groupdenyAccess.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP; // The trustee is a groupdenyAccess.Trustee.ptstrName = (LPWSTR)L"Everyone"; // Deny access to everyone// Add the deny entry to the ACLPACL pNewACL = nullptr;if (SetEntriesInAcl(1, &denyAccess, pACL, &pNewACL) != ERROR_SUCCESS) {std::cerr << "Failed to set deny entry in ACL." << std::endl;LocalFree(pSID);LocalFree(pSD);return;}// Set the DACL in the security descriptorif (!SetSecurityDescriptorDacl(pSD, TRUE, pNewACL, FALSE)) {std::cerr << "Failed to set DACL in security descriptor." << std::endl;LocalFree(pSID);LocalFree(pSD);return;}// Apply the security descriptor to the directoryif (SetNamedSecurityInfoW((LPWSTR)wDirectoryPath.c_str(),SE_FILE_OBJECT,DACL_SECURITY_INFORMATION, NULL, NULL, pNewACL, NULL) != ERROR_SUCCESS) {DWORD error = GetLastError(); // Get the last error codestd::cerr << "Failed to set security info on directory. Error code: " << error << std::endl;}else {std::cout << "Successfully set security info on directory." << std::endl;}// Clean upLocalFree(pSID);LocalFree(pSD);
}DWORD GetProcessIdByName(const std::wstring& processName) {HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (hSnapshot == INVALID_HANDLE_VALUE) {return 0;}PROCESSENTRY32W pe32;pe32.dwSize = sizeof(PROCESSENTRY32W);if (Process32FirstW(hSnapshot, &pe32)) {do {if (processName == pe32.szExeFile) {CloseHandle(hSnapshot);return pe32.th32ProcessID;}} while (Process32NextW(hSnapshot, &pe32));}CloseHandle(hSnapshot);return 0; // Process not found
}bool test_read() {std::string filePath = "D:\\Video\\ProtectedDirectory\\test_file.txt";std::ifstream inFile(filePath);if (!inFile) {std::cerr << "Error: Could not create file at " << filePath << std::endl;return false;}std::string s;inFile >> s;inFile.close();std::cout << "File read successfully at " << filePath << ":" << s << std::endl;return true;
}bool test_write() {std::string filePath = "D:\\Video\\ProtectedDirectory\\test_file.txt";std::ofstream outFile(filePath);if (!outFile) {std::cerr << "Error: Could not create file at " << filePath << std::endl;return false;}outFile << "hello,world!" << std::endl;outFile.close();std::cout << "File read successfully at " << filePath << std::endl;return true;
}bool EnablePrivilege(LPCWSTR privilege) {HANDLE token;TOKEN_PRIVILEGES tp;LUID luid;if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token)) {std::cerr << "Failed to open process token. Error: " << GetLastError() << std::endl;return false;}if (!LookupPrivilegeValueW(NULL, privilege, &luid)) {std::cerr << "Failed to lookup privilege value. Error: " << GetLastError() << std::endl;CloseHandle(token);return false;}tp.PrivilegeCount = 1;tp.Privileges[0].Luid = luid;tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;if (!AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {std::cerr << "Failed to adjust token privileges. Error: " << GetLastError() << std::endl;CloseHandle(token);return false;}CloseHandle(token);return GetLastError() == ERROR_SUCCESS;
}int main() {std::string directoryPath = "D:\\Video\\ProtectedDirectory1"; // Specify the directory pathstd::wstring allowedProcessName = L"ConsoleApplication1.exe"; // Specify the allowed process name// Enable the SE_RESTORE_NAME privilegeif (!EnablePrivilege(SE_RESTORE_NAME)) {std::cerr << "Failed to enable privilege." << std::endl;return 1;}// Create the directory if it does not existif (CreateDirectoryA(directoryPath.c_str(), NULL) || GetLastError() == ERROR_ALREADY_EXISTS) {// Set the directory as hiddenif (!SetFileAttributesA(directoryPath.c_str(), FILE_ATTRIBUTE_HIDDEN)) {DWORD error = GetLastError();std::cerr << "Failed to set directory attributes. Error: " << error << std::endl;// Handle specific errorsif (error == ERROR_ACCESS_DENIED) {std::cerr << "Access denied. Please check your permissions." << std::endl;}else if (error == ERROR_FILE_NOT_FOUND) {std::cerr << "File not found. Please check the path." << std::endl;}// Add more error handling as needed}else {std::cout << "Directory attributes set to hidden successfully." << std::endl;}}else {std::cerr << "Failed to create directory. Error: " << GetLastError() << std::endl;return 1;}// Get the process ID of the allowed processDWORD processId = GetProcessIdByName(allowedProcessName);if (processId == 0) {std::wcerr << "Process not found: " << allowedProcessName << std::endl;return 1; // Exit if the process is not found}SetDirectoryAccess(directoryPath, processId);// 测试test_read();return 0;
}