TONT 40603: The arms race between programs and users

Achilles without a heel.

Original link: https://blogs.msdn.microsoft.com/oldnewthing/20040216-00/?p=40603

There is a constant struggle between people who write programs and the people who actually use them. For example, you often see questions like, “How do I make my program so the user can’t kill it?”

Now, imagine if there were a way to do this. Ask yourself, “What would the world be like if this were possible?”

Well, then there would be some program, say, xyz.exe, that is unkillable. Now suppose you’re the user. There’s this program xyz.exe that has gone haywire, so you want to exit it. But it won’t let you exit. So you try to kill it, but you can’t kill it either.

This is just one of several arms races that you can imagine.

“I don’t want anybody to kill my process.” vs. “How do I kill this runaway process?”

“I want to shove this critical dialog in the user’s face.” vs. “How do I stop programs from stealing focus?”

“I don’t want anybody to delete this file.” vs. “How do I delete this file that refuses to be deleted?”

“How do I prevent this program from showing up in Task Manager?” vs. “How can I see all the programs that are running on my computer?”

Eventually you have to decide which side wins, and Windows has decided to keep users in control of their own programs and data, and keep administrators in control of their own computer. So users can kill any process they want (given sufficient privileges), they can stop any program from stealing focus, and they can delete any file they want (again, given sufficient privileges).

Programs can try to make themselves more difficult to kill (deny PROCESS_TERMINATE access, deny PROCESS_CREATE_THREAD access so people can’t CreateRemoteThread(EndProcess), deny PROCESS_VM_WRITE so people can’t scribble into your stack and make you doublefault, deny PROCESS_SUSPEND_RESUME so they can’t suspend you), but eventually you just can’t stop them from, say, elevating to Debug privilege, debugging your process, and moving EIP to “ExitProcess”.
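
The access check the paragraph above alludes to can be made concrete. The following C program is an added example, not Raymond Chen's code and not anything from Windows itself: it models a simplified DACL walk over a process object plus the SeDebugPrivilege override, so you can see why denying PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_WRITE and PROCESS_SUSPEND_RESUME keeps an ordinary user out but does nothing against a caller who has enabled SeDebugPrivilege. The access-right constants mirror the values in winnt.h; the SIDs are small integers standing in for real SIDs, and the privilege is modeled as an outright bypass of the DACL (the real kernel path has more steps, such as generic-right mapping and owner handling, which are omitted here).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Process access-right bits; the values mirror those in winnt.h. */
#define PROCESS_TERMINATE         0x00000001u
#define PROCESS_CREATE_THREAD     0x00000002u
#define PROCESS_VM_WRITE          0x00000020u
#define PROCESS_QUERY_INFORMATION 0x00000400u
#define PROCESS_SUSPEND_RESUME    0x00000800u
#define SYNCHRONIZE               0x00100000u

/* Constructed stand-ins for SIDs (real SIDs are S-1-... identifiers). */
#define SID_EVERYONE 1
#define SID_ALICE    2

typedef enum { ACE_ACCESS_DENIED, ACE_ACCESS_ALLOWED } AceType;

typedef struct { AceType type; int sid; uint32_t mask; } Ace;
typedef struct { const Ace *aces; size_t count; } Dacl;
typedef struct {
    const int *sids;               /* user SID followed by group SIDs */
    size_t count;
    bool debug_privilege_enabled;  /* SeDebugPrivilege present and enabled in the token */
} Token;

static bool token_has_sid(const Token *t, int sid) {
    for (size_t i = 0; i < t->count; i++)
        if (t->sids[i] == sid) return true;
    return false;
}

/* Simplified DACL walk: ACEs are evaluated in order; a deny ACE whose mask overlaps
 * a still-ungranted requested bit fails the whole request; allow ACEs accumulate
 * granted bits; evaluation stops once every requested bit has been granted. */
bool dacl_access_check(const Dacl *dacl, const Token *token,
                       uint32_t desired, uint32_t *granted_out) {
    uint32_t granted = 0;
    for (size_t i = 0; i < dacl->count && granted != desired; i++) {
        const Ace *ace = &dacl->aces[i];
        if (!token_has_sid(token, ace->sid)) continue;
        uint32_t remaining = desired & ~granted;
        if (ace->type == ACE_ACCESS_DENIED) {
            if (ace->mask & remaining) { *granted_out = granted; return false; }
        } else {
            granted |= ace->mask & desired;
        }
    }
    *granted_out = granted;
    return granted == desired;
}

/* Models the process-open decision: the DACL decides, except that a caller with
 * SeDebugPrivilege enabled receives what it asked for regardless of the DACL.
 * A deny-TERMINATE ACE therefore slows an ordinary user down but never stops an administrator. */
bool open_process_check(const Dacl *dacl, const Token *token, uint32_t desired) {
    uint32_t granted;
    if (dacl_access_check(dacl, token, desired, &granted)) return true;
    return token->debug_privilege_enabled;
}

/* Constructed DACL of a process trying to make itself hard to kill: it denies the
 * four rights named in the post to Everyone and allows only query + synchronize. */
static const Ace self_protecting_aces[] = {
    { ACE_ACCESS_DENIED,  SID_EVERYONE, PROCESS_TERMINATE | PROCESS_CREATE_THREAD |
                                        PROCESS_VM_WRITE  | PROCESS_SUSPEND_RESUME },
    { ACE_ACCESS_ALLOWED, SID_EVERYONE, PROCESS_QUERY_INFORMATION | SYNCHRONIZE },
};
static const Dacl self_protecting_dacl = { self_protecting_aces, 2 };

static const int alice_sids[] = { SID_ALICE, SID_EVERYONE };

/* An ordinary user: the DACL applies, so TERMINATE is refused but QUERY_INFORMATION works. */
bool ordinary_user_can_terminate(void) {
    Token alice = { alice_sids, 2, false };
    return open_process_check(&self_protecting_dacl, &alice, PROCESS_TERMINATE);
}
bool ordinary_user_can_query(void) {
    Token alice = { alice_sids, 2, false };
    return open_process_check(&self_protecting_dacl, &alice, PROCESS_QUERY_INFORMATION);
}
/* The same user after enabling SeDebugPrivilege: the DACL no longer matters. */
bool debug_privilege_holder_can_terminate(void) {
    Token alice = { alice_sids, 2, true };
    return open_process_check(&self_protecting_dacl, &alice, PROCESS_TERMINATE);
}

int main(void) {
    printf("ordinary user, TERMINATE:         %s\n", ordinary_user_can_terminate() ? "granted" : "denied");
    printf("ordinary user, QUERY_INFORMATION: %s\n", ordinary_user_can_query() ? "granted" : "denied");
    printf("SeDebugPrivilege, TERMINATE:      %s\n", debug_privilege_holder_can_terminate() ? "granted" : "denied");
    return 0;
}
```

The defender's reading of the result: a restrictive process DACL is defense in depth against unprivileged users and buggy tooling, not a boundary against administrators, because SeDebugPrivilege (held by the local Administrators group by default) overrides it. The control that actually matters is who holds that privilege, which is worth auditing rather than trying to out-harden the DACL. Later Windows versions added protected processes, which the kernel treats specially even for SeDebugPrivilege holders; that mechanism postdates this post and is not modeled here.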

Notice that you can kill CSRSS.EXE and WINLOGON.EXE if you like. Your computer will get very angry at you, but you can do it. (Save your work first!)

Another useful question to ask yourself: “What’s to prevent a virus from doing the same thing?” If there were a way to do these things, then a virus could take advantage of them and make itself invisible to Task Manager, undeletable, and unkillable. Clearly you don’t want that, do you?