参[6],讨论了向各种进程注入DLL时可能遭遇的各种问题,文中有很多优秀的参考资源。如果搞这些方向,把这篇里提到的各种参考捋一遍,经验值肯定暴涨。看了这篇,把ProcessHacker又装回来了,可以方便地查看目标进程的”Mitigation Policies”,
Process Explorer怎么看这个?
用ProcessHacker看到Calculator.exe的”Mitigation Policies”如下
————————————————————————–
ASLR (high entropy, force relocate, disallow stripped)
DEP (permanent)
Dynamic code (downgrade)
Indirect branch predicton
Signatures restricted (Store only)
Strict handle checks
————————————————————————–
“Signatures restricted (Store only)”太扎眼了,UWP果然有此限制。点中它,描述是
Image signature restrictions are enabled for this process. Only Windows Store signatures are allowed.
假设在UWP进程空间尝试加载DLL,该DLL没有”Windows Store signatures”,加载失败。
Calculator.exe的”Mitigation Policies”体现在如下注册表项
————————————————————————–
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe]
"MitigationOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
————————————————————————–
参[7],Powershell有cmblet获取、设置这些缓解措施,比如
Get-ProcessMitigation -Name Calculator.exe
Set-ProcessMitigation -Name Calculator.exe -Disable DEP -Force ON
DEP:
Enable : OFF // 0x2
EmulateAtlThunks : OFF
Override DEP : True // 0x4
Get-ProcessMitigation好像只能查全集,没法只查DEP子集。Set时”-Force ON”的效果是将”Override DEP”设为True,缺省为False。
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe"
MitigationOptions REG_BINARY 060000000000000000000000000000000000000000000000
MitigationAuditOptions REG_BINARY 000000000000000000000000000000000000000000000000
EAFModules REG_SZ
MitigationOptions有个字节从0变成6。注意,不是一位一个含义,比如7对应
DEP:
Enable : ON
EmulateAtlThunks : ON
Override DEP : True
单个字节的最终效果应该用Get确认,以防掉坑。
Win10有GUI设置这些缓解措施
————————————————————————–
设置
更新和安全
Windows安全中心
应用和浏览器控制
Exploit Protection设置
程序设置
————————————————————————–
GUI设置反应到IFEO中。无法通过GUI调整”Override XXX”,Powershell可以,直接操作注册表也可以。”Override XXX”为True时,GUI中相应项灰掉,无法交互。
组策略里也有调整”Mitigation Policies”的地方
————————————————————————–
gpedit.msc
Computer Configuration
Administrative Templates
System
Mitigation Options
Process Mitigation Options
————————————————————————–
参[8],解释了各二进制位的含义,但举例有误
0x00000001 PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE
0x00000100 PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON
0x00020000 PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF
该组策略对应注册表项
————————————————————————–
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions]
"Calculator.exe"="??????????????1????????0???????0"
————————————————————————–
实际还会修改IFEO中的值,真正起作用的是IFEO。
不管是Powershell还是gpedit.msc,实测发现根本没法禁用Calculator.exe的DEP、ASLR,这些设置就像聋子的耳朵–摆设。
原始需求是临时禁用Calculator.exe的BinarySignature相关项,在其进程空间加载无数字签名的DLL,未能得手。
Set-ProcessMitigation -Name Calculator.exe -Disable MicrosoftSignedOnly,EnforceModuleDependencySigning -Force ON
Get-ProcessMitigation -Name Calculator.exe
BinarySignature:
MicrosoftSignedOnly : OFF
AllowStoreSignedBinaries : OFF
EnforceModuleDependencySigning : OFF
AuditMicrosoftSignedOnly : NOTSET
AuditStoreSigned : OFF
AuditEnforceModuleDependencySigning: NOTSET
Override MicrosoftSignedOnly : True
Override DependencySigning : True
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe"
MitigationOptions REG_BINARY 000000000060000060000000006000000000000000000000
2017年有人在微软社区问如何禁用MicrosoftSignedOnly,无人回答。有没有Ring3方案满足原始需求?Ring0方案不考虑,当前用户是管理员,可以正常交互。
[6] Implementing Global Injection and Hooking in Windows – m417z [2022-04-17]
https://m417z.com/Implementing-Global-Injection-and-Hooking-in-Windows/
https://github.com/m417z/global-inject-demo
[7] Get-ProcessMitigation
https://docs.microsoft.com/en-us/powershell/module/processmitigations/get-processmitigation?view=windowsserver2022-ps
Set-ProcessMitigation
https://docs.microsoft.com/en-us/powershell/module/processmitigations/set-processmitigation?view=windowsserver2022-ps
Customize exploit protection
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-exploit-protection
[8] Override Process Mitigation Options to help enforce app-related security policies
https://docs.microsoft.com/en-us/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies
上述情形之外的任何使用形式,均需提前向绿盟科技(010-68438880-5462)申请版权授权。如擅自使用,绿盟科技保留追责权利。同时,如因擅自使用博客内容引发法律纠纷,由使用者自行承担全部法律责任,与绿盟科技无关。