Created
March 10, 2023 15:12
C# sample code to deny TerminateProcess rights to non-admin peers.
using System; | |
using System.Security.AccessControl; | |
using System.Security.Principal; | |
using System.Diagnostics; | |
using System.Runtime.InteropServices; | |
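/// <summary>
/// Sample: adds a Deny ACE for PROCESS_TERMINATE to the current process's DACL
/// so that ordinary (non-elevated) callers cannot open it for termination.
/// </summary>
/// <remarks>
/// This is hardening against casual termination, not a security boundary:
/// only the Terminate right is denied and every other process access right is
/// left as it was. The process owner implicitly keeps the right to rewrite the
/// DACL, and elevated callers can still terminate the process (as the sample's
/// own console message notes), typically because SeDebugPrivilege bypasses the
/// DACL check. Do not rely on this to protect a process from code running as
/// the same user or as an administrator.
/// </remarks>
class Program
{
    /// <summary>
    /// Security-descriptor wrapper for a process kernel object. Only the
    /// access (DACL) section is loaded and persisted; audit rules are not
    /// supported.
    /// </summary>
    public class ProcessSecurity : NativeObjectSecurity
    {
        /// <summary>Loads the DACL of the process behind <paramref name="processHandle"/>.</summary>
        /// <param name="processHandle">Open handle to the process whose DACL is read.</param>
        public ProcessSecurity(SafeHandle processHandle)
            : base(false, ResourceType.KernelObject, processHandle, AccessControlSections.Access)
        {
        }

        /// <summary>Adds <paramref name="rule"/> to the in-memory DACL; nothing is written until <see cref="SaveChanges"/>.</summary>
        public void AddAccessRule(ProcessAccessRule rule)
        {
            base.AddAccessRule(rule);
        }

        /// <summary>Writes the modified DACL back to the process object.</summary>
        /// <param name="processHandle">Handle to the process the DACL is persisted to.</param>
        public void SaveChanges(SafeHandle processHandle)
        {
            Persist(processHandle, AccessControlSections.Access);
        }

        public override Type AccessRightType
        {
            get { return typeof(ProcessAccessRights); }
        }

        public override AccessRule AccessRuleFactory(
            System.Security.Principal.IdentityReference identityReference,
            int accessMask,
            bool isInherited,
            InheritanceFlags inheritanceFlags,
            PropagationFlags propagationFlags,
            AccessControlType type)
        {
            return new ProcessAccessRule(
                identityReference,
                (ProcessAccessRights)accessMask,
                isInherited,
                inheritanceFlags,
                propagationFlags,
                type);
        }

        public override Type AccessRuleType
        {
            get { return typeof(ProcessAccessRule); }
        }

        // Audit (SACL) rules are intentionally unsupported: the constructor
        // and SaveChanges only ever touch AccessControlSections.Access.
        public override AuditRule AuditRuleFactory(
            System.Security.Principal.IdentityReference identityReference,
            int accessMask,
            bool isInherited,
            InheritanceFlags inheritanceFlags,
            PropagationFlags propagationFlags,
            AuditFlags flags)
        {
            throw new NotImplementedException();
        }

        public override Type AuditRuleType
        {
            get { throw new NotImplementedException(); }
        }
    }

    /// <summary>An allow/deny access rule whose mask is expressed as <see cref="ProcessAccessRights"/>.</summary>
    public class ProcessAccessRule : AccessRule
    {
        public ProcessAccessRule(
            IdentityReference identityReference,
            ProcessAccessRights accessMask,
            bool isInherited,
            InheritanceFlags inheritanceFlags,
            PropagationFlags propagationFlags,
            AccessControlType type)
            : base(identityReference, (int)accessMask, isInherited, inheritanceFlags, propagationFlags, type)
        {
        }

        /// <summary>The rule's access mask, viewed as process access rights.</summary>
        public ProcessAccessRights ProcessAccessRights
        {
            get { return (ProcessAccessRights)AccessMask; }
        }
    }

    /// <summary>
    /// Process access rights used by this sample. Only the terminate right is
    /// declared; its value matches Win32 PROCESS_TERMINATE (0x0001).
    /// </summary>
    [Flags]
    public enum ProcessAccessRights
    {
        Terminate = 1
    }

    /// <summary>
    /// Denies the Terminate right on the current process to Everyone, then
    /// waits for a key press so the effect can be observed from another console.
    /// </summary>
    static void Main(string[] args)
    {
        // Process is IDisposable; dispose it (and the handle it owns) once the
        // DACL has been written. The DACL lives on the kernel object, so it
        // stays in effect after this handle is closed.
        using (Process currentProcess = Process.GetCurrentProcess())
        {
            var hCurrentProcess = currentProcess.SafeHandle;
            var processSecurity = new ProcessSecurity(hCurrentProcess);

            // WorldSid is the well-known "Everyone" group.
            SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);

            // Create a rule to deny process termination.
            ProcessAccessRule rule = new ProcessAccessRule(
                sid,
                ProcessAccessRights.Terminate,
                false,
                InheritanceFlags.None,
                PropagationFlags.None,
                AccessControlType.Deny);

            processSecurity.AddAccessRule(rule);
            processSecurity.SaveChanges(hCurrentProcess);
        }

        // Keep the process running until the user hits a key.
        Console.WriteLine("Press any key to exit... \n(Try terminating via taskkill.exe, observe it doesn't work unless you run as administrator.)");
        Console.ReadKey();
    }
}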