Microsoft Edge 及其相关进程可能已在 Windows 10 1903 中受到保护

逆向工程 Windows DLL注入
2021-06-15 22:25:54

使用 APC 调用的基于驱动程序的注入,似乎在 Microsoft Edge 及其相关进程(browser_broker.exe、MicrosoftEdgeCP.exe 和 MicrosoftEdge.exe)上失败。

调查这个问题时,看起来该应用程序是受保护进程,并且设置了 ProcessDynamicCodePolicy 标志,阻止驱动程序分配新的可执行内存。

最终,在尝试注入这些进程后不久,它们都因以下原因失败(异常 0xC0000409,STATUS_STACK_BUFFER_OVERRUN):

Description:
Faulting application name: MicrosoftEdgeCP.exe, version: 11.0.15063.674, time stamp: 0x59cdf479
Faulting module name: ntdll.dll, version: 10.0.15063.1324, time stamp: 0x28af0ac0
Exception code: 0xc0000409
Fault offset: 0x00000000000a9f80
Faulting process ID: 0x1580
Faulting application start time: 0x01d503e311af20b8
Faulting application path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report ID: 112c6adc-0898-4441-90b6-f1a17b668af1
Faulting package full name: Microsoft.MicrosoftEdge_40.15063.674.0_neutral__8wekyb3d8bbwe

上面的输出是否暗示这是我面临的问题?

有没有办法从驱动程序中检测到此进程受到保护?

1个回答

有什么方法可以从驱动程序中检测到此进程受到保护吗?

免责声明:以下过程依赖于从 combase.dll 文件的 PDB 符号中提取的未公开数据结构。像往常一样,这在未来的 Windows 版本中可能不再有效。

这是用于检测受保护进程的示例 C 代码。该程序在其第一个参数中接受一个有效的进程 ID。此代码需要与 ntdll.lib 链接。在用户模式下,对于某些进程,此代码可能需要以管理员身份运行。

#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Extended form of PROCESS_BASIC_INFORMATION, returned by
 * NtQueryInformationProcess(ProcessBasicInformation) when the caller passes
 * a buffer of this larger size instead of sizeof(PROCESS_BASIC_INFORMATION).
 * Not declared in winternl.h; the layout below comes from PDB symbols (see
 * the text above) and is also carried in the phnt headers.
 */
typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION {
    /* Size of this structure in bytes.  NOTE(review): phnt sets this to
     * sizeof(PROCESS_EXTENDED_BASIC_INFORMATION) before the query — the
     * sample below leaves it zero; confirm against a live query. */
    size_t Size;
    /* The classic, documented part (PEB address, PID, parent PID, ...). */
    PROCESS_BASIC_INFORMATION BasicInfo;
    union {
        /* Raw view of the flag bits below. */
        unsigned int Flags;
        struct {
            /* Bit 0: the process is a protected process (PPL); this is the
             * bit the sample prints. */
            unsigned int IsProtectedProcess : 1;
            unsigned int IsWow64Process : 1;
            unsigned int IsProcessDeleting : 1;
            unsigned int IsCrossSessionCreate : 1;
            unsigned int IsFrozen : 1;
            unsigned int IsBackground : 1;
            unsigned int IsStronglyNamed : 1;
            /* Isolated User Mode / VBS-protected ("secure") process. */
            unsigned int IsSecureProcess : 1;
            /* Pico / subsystem (e.g. WSL1) process. */
            unsigned int IsSubsystemProcess : 1;
            /* Reserved; keeps the bit-field at 32 bits. */
            unsigned int SpareBits : 23;
        };
    };
} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION; /* size: 0x0040 (64-bit layout; 32-bit is smaller) */

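/*
 * Report whether the process whose PID is given in argv[1] is a protected
 * process, by asking for the extended ProcessBasicInformation block and
 * reading its IsProtectedProcess bit.
 *
 * Returns 0 when the query succeeded and the result was printed, 1 on a
 * usage error, an unparsable PID, or any API failure.  Requires linking
 * against ntdll.lib for NtQueryInformationProcess.
 */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <pid>\n", argv[0]);
        /* The original used a bare `return;` here, which is invalid in a
         * function returning int. */
        return 1;
    }

    /* atoi() turns any junk into PID 0 (the System Idle process) without
     * telling the caller; parse strictly instead. */
    char *end = NULL;
    unsigned long pid = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0') {
        fprintf(stderr, "invalid pid: %s\n", argv[1]);
        return 1;
    }

    /* PROCESS_QUERY_LIMITED_INFORMATION is sufficient for this info class
     * and is the access right protected processes still grant. */
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, (DWORD)pid);
    if (hProcess == NULL) {
        /* GetLastError() returns a DWORD (unsigned long): %lu, not %d. */
        printf("OpenProcess error: %lu\n", GetLastError());
        return 1;
    }

    int rc = 1;
    PROCESS_EXTENDED_BASIC_INFORMATION pInfo;
    memset(&pInfo, 0, sizeof pInfo);
    /* The extended query is only accepted when Size carries the extended
     * structure size; phnt's helper fills it in the same way. */
    pInfo.Size = sizeof pInfo;

    /* NtQueryInformationProcess takes a PULONG for the return length. */
    ULONG ret = 0;
    NTSTATUS Status = NtQueryInformationProcess(hProcess, ProcessBasicInformation,
                                                &pInfo, sizeof pInfo, &ret);
    if (Status == 0) { /* STATUS_SUCCESS */
        printf("Protected: %u\n", pInfo.IsProtectedProcess);
        rc = 0;
    } else {
        /* Surface the NTSTATUS instead of silently printing nothing. */
        printf("NtQueryInformationProcess error: 0x%08lx\n", (unsigned long)Status);
    }
    CloseHandle(hProcess);
    return rc;
}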

要添加或更改进程缓解策略标志,程序使用 NtSetInformationProcess() 函数,SetProcessMitigationPolicy() 函数(位于 KernelBase.dll 中)内部也是通过它实现的。这是启用动态代码策略的示例 C 代码。

#include <Windows.h>
#include <winternl.h>

/*
 * Input buffer for NtSetInformationProcess(ProcessMitigationPolicy).
 * Policy selects which member of the union is meaningful; the sample below
 * sets Policy = ProcessDynamicCodePolicy and fills DynamicCodePolicy.
 * Not declared in winternl.h (layout from PDB symbols / phnt); the enum and
 * the per-policy structs themselves are the public ones from winnt.h.
 */
typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION {
    /* Which policy the union below describes. */
    PROCESS_MITIGATION_POLICY Policy;
    union {
        PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy;
        PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy;
        PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy;
        PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy;
        /* Used by the sample: ProhibitDynamicCode lives here. */
        PROCESS_MITIGATION_DYNAMIC_CODE_POLICY DynamicCodePolicy;
        PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY ControlFlowGuardPolicy;
        PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy;
        PROCESS_MITIGATION_FONT_DISABLE_POLICY FontDisablePolicy;
        PROCESS_MITIGATION_IMAGE_LOAD_POLICY ImageLoadPolicy;
        PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy;
        PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy;
        PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy;
        /* NOTE(review): the later members (SystemCallFilter, PayloadRestriction,
         * ChildProcess, SideChannelIsolation) need a recent SDK's winnt.h to
         * compile — confirm against the SDK in use. */
        PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY SideChannelIsolationPolicy;
    };
} PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION; /* size: 0x0008 (4-byte enum + 4-byte flag union) */

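/*
 * Enable the dynamic-code mitigation (ProhibitDynamicCode) for the current
 * process through NtSetInformationProcess, the call that
 * SetProcessMitigationPolicy wraps.
 *
 * Returns 0 when the kernel accepted the policy, 1 otherwise.  The original
 * discarded the NTSTATUS, so a rejected policy looked like success.
 */
int main(void)
{
    /* winternl.h does not name this PROCESSINFOCLASS value, hence a local
     * constant rather than an SDK identifier. */
    enum { ProcessMitigationPolicyClass = 52 }; /* ProcessMitigationPolicy */

    PROCESS_MITIGATION_POLICY_INFORMATION PolicyInfo = { 0 };
    PolicyInfo.Policy = ProcessDynamicCodePolicy;
    /* Only this member of the union is read for ProcessDynamicCodePolicy. */
    PolicyInfo.DynamicCodePolicy.ProhibitDynamicCode = TRUE;

    NTSTATUS Status = NtSetInformationProcess(
        GetCurrentProcess(),
        ProcessMitigationPolicyClass,
        &PolicyInfo,
        sizeof PolicyInfo);

    /* No stdio in this listing; report the outcome via the exit code. */
    return Status == 0 ? 0 : 1; /* 0 == STATUS_SUCCESS */
}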

可以使用此方法启用上述任何一项策略。在内核模式下,请使用 Zw 前缀的函数替代 Nt 函数。所有这些未公开的结构也可以在 ProcessHacker/phnt 仓库中找到。