如何确定流程的完整性级别？

Question

我最近需要获取进程的完整性级别，我从 MSDN 找到了帮助。示例代码如下所示：

if (GetTokenInformation(hToken, TokenIntegrityLevel, 
     pTIL, dwLengthNeeded, &dwLengthNeeded))
 {
  dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid, 
    (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid)-1));

  if (dwIntegrityLevel == SECURITY_MANDATORY_LOW_RID)
  {
   // Low Integrity
   wprintf(L"Low Process");
  }
  else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID && 
       dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
  {
   // Medium Integrity
   wprintf(L"Medium Process");
  }
  else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID)
  {
   // High Integrity
   wprintf(L"High Integrity Process");
  }
  else if (dwIntegrityLevel >= SECURITY_MANDATORY_SYSTEM_RID)
  {
   // System Integrity
   wprintf(L"System Integrity Process");
  }
 }

众所周知，

SECURITY_MANDATORY_LOW_RID == 0x00001000L
SECURITY_MANDATORY_MEDIUM_RID == 0x00002000L
SECURITY_MANDATORY_HIGH_RID == 0x00003000L
SECURITY_MANDATORY_SYSTEM_RID == 0x00004000L.

我的问题是：
如果这个示例代码是正确的，那么如果进程 A 具有 of ，那么它的完整性级别是dwIntegrityLevel多少0x00004100L？SECURITY_MANDATORY_HIGH_RID和SECURITY_MANDATORY_SYSTEM_RID？是否意味着有SECURITY_MANDATORY_SYSTEM_RID级别的进程也有级别SECURITY_MANDATORY_HIGH_RID？

如果示例代码是错误的，那么确定进程完整性级别的正确方法是什么？

Answer 1

请注意 WinNT.h 中的等效声明：

#define SECURITY_MANDATORY_MEDIUM_PLUS_RID  (SECURITY_MANDATORY_MEDIUM_RID + 0x100)

听起来您遇到了一个 SYSTEM_PLUS 进程。