OpenProcess
A new rule attribute has been added; it is triggered when a process is opened.
HIPS sends the OpenProcess event only when OpenProcess or DuplicateHandle is called, only for lsass.exe as the target process, and only when the PROCESS_VM_WRITE and/or PROCESS_VM_READ process access rights are requested (that is, when the process being opened is opened with the access rights above).

| Attribute | Type | Description | Example |
|---|---|---|---|
| AccessRight | | Possible values are: 1 (PROCESS_TERMINATE), 2 (PROCESS_CREATE_THREAD), 8 (PROCESS_VM_OPERATION), 16 (PROCESS_VM_READ), 32 (PROCESS_VM_WRITE), 64 (PROCESS_DUP_HANDLE), 128 (PROCESS_CREATE_PROCESS), 256 (PROCESS_SET_QUOTA), 512 (PROCESS_SET_INFORMATION), 1024 (PROCESS_QUERY_INFORMATION), 2048 (PROCESS_SUSPEND_RESUME), 4096 (PROCESS_QUERY_LIMITED_INFORMATION), 65536 (DELETE), 131072 (READ_CONTROL), 262144 (WRITE_DAC), 524288 (WRITE_OWNER), 1048576 (SYNCHRONIZE), 2097151 (PROCESS_ALL_ACCESS) | See the rule below |

Example

```xml
<operations>
  <operation type="OpenProcess">
    <condition component="OpenProcess" property="AccessRight" condition="contains" value="PROCESS_VM_READ" />
  </operation>
</operations>
```

Supported actions
• OpenProcess
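The following is an added example, not code from the HIPS product or this documentation. It takes the AccessRight values from the table above and shows how a desired-access mask is decoded into the named rights, and how a rule condition of the form `property="AccessRight" condition="contains" value="PROCESS_VM_READ"` can be evaluated against sample events. Two things are assumed rather than stated by the page: that "contains" means the requested mask includes that right's bit, and that the scoping described in the text (OpenProcess/DuplicateHandle only, lsass.exe only, VM_READ/VM_WRITE only) happens before the rule condition is consulted. The event records and process names are constructed for the example.

```python
# Added example (not ESET's code): decode an OpenProcess access mask using the
# AccessRight values from the rule attribute table, then evaluate a
# condition="contains" rule against constructed sample events.
# Assumption: "contains" is treated as "the requested mask includes that
# right's bit"; the page does not spell out the matching semantics.

ACCESS_RIGHTS = {
    "PROCESS_TERMINATE": 1,
    "PROCESS_CREATE_THREAD": 2,
    "PROCESS_VM_OPERATION": 8,
    "PROCESS_VM_READ": 16,
    "PROCESS_VM_WRITE": 32,
    "PROCESS_DUP_HANDLE": 64,
    "PROCESS_CREATE_PROCESS": 128,
    "PROCESS_SET_QUOTA": 256,
    "PROCESS_SET_INFORMATION": 512,
    "PROCESS_QUERY_INFORMATION": 1024,
    "PROCESS_SUSPEND_RESUME": 2048,
    "PROCESS_QUERY_LIMITED_INFORMATION": 4096,
    "DELETE": 65536,
    "READ_CONTROL": 131072,
    "WRITE_DAC": 262144,
    "WRITE_OWNER": 524288,
    "SYNCHRONIZE": 1048576,
}
PROCESS_ALL_ACCESS = 2097151  # value given in the table (0x1FFFFF)

# The page says HIPS only emits OpenProcess events for these two rights.
VM_RIGHTS = ACCESS_RIGHTS["PROCESS_VM_READ"] | ACCESS_RIGHTS["PROCESS_VM_WRITE"]


def decode_access(mask):
    """Return the names of the individual rights set in an access mask."""
    if (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for name, bit in ACCESS_RIGHTS.items() if mask & bit]


def access_contains(mask, right_name):
    """Evaluate condition="contains" for the AccessRight property (assumed bit test)."""
    if right_name == "PROCESS_ALL_ACCESS":
        return (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS
    return bool(mask & ACCESS_RIGHTS[right_name])


def rule_matches(event, rule_value):
    """Apply the page's OpenProcess rule to one constructed event record.

    The scoping described on the page (only OpenProcess/DuplicateHandle,
    only lsass.exe, only VM_READ/VM_WRITE) is modelled here as a pre-filter
    so the example can run over mixed sample events; this ordering is an
    assumption about how HIPS evaluates the rule."""
    if event["api"] not in ("OpenProcess", "DuplicateHandle"):
        return False
    if event["target"].lower() != "lsass.exe":
        return False
    if not (event["access"] & VM_RIGHTS):
        return False
    return access_contains(event["access"], rule_value)


# Constructed sample events: caller process, target process, requested mask.
SAMPLE_EVENTS = [
    {"api": "OpenProcess", "caller": "proc_a.exe", "target": "lsass.exe", "access": 0x0410},
    {"api": "OpenProcess", "caller": "proc_b.exe", "target": "lsass.exe", "access": 0x1000},
    {"api": "OpenProcess", "caller": "proc_c.exe", "target": "notepad.exe", "access": 0x0010},
    {"api": "DuplicateHandle", "caller": "proc_d.exe", "target": "lsass.exe", "access": 0x1FFFFF},
]


def matching_callers(rule_value="PROCESS_VM_READ"):
    """Callers whose open of lsass.exe satisfies the rule condition."""
    return [e["caller"] for e in SAMPLE_EVENTS if rule_matches(e, rule_value)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["caller"], "->", e["target"], decode_access(e["access"]),
              "match" if rule_matches(e, "PROCESS_VM_READ") else "no match")
```

In the sample set, proc_b.exe requests only PROCESS_QUERY_LIMITED_INFORMATION on lsass.exe and proc_c.exe targets a different process, so neither reaches the condition; proc_a.exe (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION) and proc_d.exe (PROCESS_ALL_ACCESS, which includes PROCESS_VM_READ) both match the rule above.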