A Brief Look at Win10 Mitigation Policies (unresolved)
2022-7-20 16:11:58 Author: mp.weixin.qq.com

Created: 2022-07-18 10:52
http://scz.617.cn:8/windows/202207181052.txt

Ref [6] discusses the various problems you can run into when injecting a DLL into all sorts of processes, and it cites a lot of excellent reference material. Anyone working in this area who works through every reference it mentions will level up considerably. After reading it I reinstalled ProcessHacker, which makes it easy to view a target process's "Mitigation Policies". How do you see this in Process Explorer?

Viewing Calculator.exe in ProcessHacker shows the following "Mitigation Policies":

ASLR (high entropy, force relocate, disallow stripped)
DEP (permanent)
Dynamic code (downgrade)
Indirect branch predicton
Signatures restricted (Store only)
Strict handle checks

"Signatures restricted (Store only)" really stands out; UWP does indeed have this restriction. Clicking it shows the description:

Image signature restrictions are enabled for this process. Only Windows Store signatures are allowed.

Suppose you try to load a DLL into a UWP process's address space and that DLL lacks a "Windows Store signature": the load fails.

Calculator.exe's "Mitigation Policies" are reflected in the following registry key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe]
"MitigationOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

Per [7], PowerShell has cmdlets to get and set these mitigations, for example:

Get-ProcessMitigation -Name Calculator.exe
Set-ProcessMitigation -Name Calculator.exe -Disable DEP -Force ON

DEP:
    Enable                             : OFF    // 0x2
    EmulateAtlThunks                   : OFF
    Override DEP                       : True   // 0x4

Get-ProcessMitigation seems to be able to query only the full set; there is no way to query just the DEP subset. When setting, "-Force ON" has the effect of setting "Override DEP" to True; the default is False.

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe"

    MitigationOptions    REG_BINARY    060000000000000000000000000000000000000000000000
    MitigationAuditOptions    REG_BINARY    000000000000000000000000000000000000000000000000
    EAFModules    REG_SZ

One byte of MitigationOptions changed from 0 to 6. Note that it is not one bit per meaning; for example, 7 corresponds to:

DEP:
    Enable                             : ON
    EmulateAtlThunks                   : ON
    Override DEP                       : True

The net effect of any single byte value should be confirmed with Get-ProcessMitigation, to avoid falling into a trap.

Win10 has a GUI for configuring these mitigations:

Settings
  Update & Security
    Windows Security
      App & browser control
        Exploit protection settings
          Program settings

GUI settings are reflected in IFEO. "Override XXX" cannot be adjusted through the GUI; PowerShell can do it, and so can editing the registry directly. When "Override XXX" is True, the corresponding item in the GUI is greyed out and cannot be interacted with.

Group Policy also has a place to adjust "Mitigation Policies":

gpedit.msc
  Computer Configuration
    Administrative Templates
      System
        Mitigation Options
          Process Mitigation Options

Ref [8] explains the meaning of each bit, but its example is wrong:

0x00000001  PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE
0x00000100  PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON
0x00020000  PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF

This Group Policy setting corresponds to the following registry key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions]
"Calculator.exe"="??????????????1????????0???????0"

In practice it also modifies the value in IFEO, and it is IFEO that actually takes effect.
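As an added example (not code from the post or from Microsoft's documentation), a small Python decoder for the ProcessMitigationOptions string shown above. It assumes the string is read right to left with the rightmost character as bit 0, '1' forcing a bit on, '0' forcing it off and '?' leaving it alone; that reading is inferred from the post's own string, where the '0', '0' and '1' land exactly on bits 0, 8 and 17, i.e. the three PROCESS_CREATION_MITIGATION_POLICY_* values quoted from [8]. Names for any other bit are not on the page, so the decoder reports those by position only.

```python
"""Decode the ProcessMitigationOptions policy string into 'force on' and
'force off' bit masks.  Added example, not code from the post or Microsoft.

ASSUMED format (inferred from the post's string and the three [8] values
it quotes): read right to left, rightmost character is bit 0, '1' forces
the bit on, '0' forces it off, '?' leaves it unchanged."""

# The three bit positions the post quotes from [8]; nothing else is named.
KNOWN_BITS = {
    0: "PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)",
    8: "PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)",
    17: "PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)",
}

# The Calculator.exe value the post shows under ProcessMitigationOptions.
POLICY_STRING = "??????????????1????????0???????0"


def parse_policy_string(s):
    """Return (set_mask, clear_mask) as ints; bit b is 1 in set_mask when the
    character at distance b from the right is '1', in clear_mask when '0'."""
    if len(s) > 64 or set(s) - set("01?"):
        raise ValueError("expected up to 64 characters drawn from 0, 1 and ?")
    set_mask = clear_mask = 0
    for bit, ch in enumerate(reversed(s)):
        if ch == "1":
            set_mask |= 1 << bit
        elif ch == "0":
            clear_mask |= 1 << bit
    return set_mask, clear_mask


def build_policy_string(set_bits, clear_bits, width=32):
    """Inverse of parse_policy_string; raises if a bit is both set and cleared."""
    if set(set_bits) & set(clear_bits):
        raise ValueError("a bit cannot be forced both on and off")
    chars = ["?"] * width
    for bit in set_bits:
        chars[width - 1 - bit] = "1"
    for bit in clear_bits:
        chars[width - 1 - bit] = "0"
    return "".join(chars)


def explain(s):
    """Human-readable list of what the string asks for, lowest bit first."""
    set_mask, clear_mask = parse_policy_string(s)
    lines = []
    for bit in range(64):
        name = KNOWN_BITS.get(bit, "bit not named on the page")
        if set_mask >> bit & 1:
            lines.append("bit %2d force ON : %s" % (bit, name))
        elif clear_mask >> bit & 1:
            lines.append("bit %2d force OFF: %s" % (bit, name))
    return lines


if __name__ == "__main__":
    for line in explain(POLICY_STRING):
        print(line)
```

Running it lists the three bits the post's string touches: DEP_ENABLE forced off, FORCE_RELOCATE_IMAGES_ALWAYS_ON forced off, BOTTOM_UP_ASLR_ALWAYS_OFF forced on. The decoder only tells you what the policy asks for; as the post goes on to note, the value that actually governs the process is the one in IFEO, and Get-ProcessMitigation is what tells you what the process really got.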

Whether via PowerShell or gpedit.msc, testing shows there is simply no way to disable DEP or ASLR for Calculator.exe; these settings are like a deaf man's ears, purely for show.

The original requirement was to temporarily disable Calculator.exe's BinarySignature-related items so that an unsigned DLL could be loaded into its address space; this did not succeed.

Set-ProcessMitigation -Name Calculator.exe -Disable MicrosoftSignedOnly,EnforceModuleDependencySigning -Force ON
Get-ProcessMitigation -Name Calculator.exe

BinarySignature:
    MicrosoftSignedOnly                : OFF
    AllowStoreSignedBinaries           : OFF
    EnforceModuleDependencySigning     : OFF
    AuditMicrosoftSignedOnly           : NOTSET
    AuditStoreSigned                   : OFF
    AuditEnforceModuleDependencySigning: NOTSET
    Override MicrosoftSignedOnly       : True
    Override DependencySigning         : True

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe"

    MitigationOptions    REG_BINARY    000000000060000060000000006000000000000000000000
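As an added example (not code from the post), a Python script that parses the MitigationOptions blob out of both dump formats the post shows, the .reg export with its backslash-continued hex: lines and the reg.exe query listing, and reports which 4-bit slots differ between two snapshots. The sample inputs are the post's own dumps, embedded as constructed strings. The only slot names it knows are the three PROCESS_CREATION_MITIGATION_POLICY_* positions the post quotes from [8] (bits 0, 8 and 16-19); every other slot is reported by index only, and the post's warning stands: a slot's value is not one bit per meaning, so the diff tells you where to look and Get-ProcessMitigation tells you what it means. The same parse-and-diff is a cheap way to audit IFEO keys for mitigation changes you did not make.

```python
"""Parse the IFEO MitigationOptions blob out of a .reg export or a
`reg.exe query` dump and report which 4-bit policy slots changed
between two snapshots.  Added example, not code from the original post."""
import re

# Constructed from the post's own dumps (not live registry data).
REG_EXPORT_BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe]
"MitigationOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00
'''

REG_QUERY_AFTER_DEP = '''
    MitigationOptions    REG_BINARY    060000000000000000000000000000000000000000000000
    MitigationAuditOptions    REG_BINARY    000000000000000000000000000000000000000000000000
    EAFModules    REG_SZ
'''

REG_QUERY_AFTER_SIG = '''
    MitigationOptions    REG_BINARY    000000000060000060000000006000000000000000000000
'''

# Slot = bit // 4 for the three bit positions the post quotes from [8].
SLOT_NAMES = {
    0: "DEP group (0x1 = DEP_ENABLE)",
    2: "force relocate images (0x100 = FORCE_RELOCATE_IMAGES_ALWAYS_ON)",
    4: "bottom-up ASLR (0x20000 = BOTTOM_UP_ASLR_ALWAYS_OFF)",
}


def parse_reg_export(text):
    """Return {value_name: bytes} for every hex: value in a .reg export.
    Continuation lines end with a backslash; join them before splitting."""
    joined = re.sub(r',\\\s*\n\s*', ',', text)
    values = {}
    for m in re.finditer(r'"([^"]+)"=hex:([0-9a-fA-F,]+)', joined):
        values[m.group(1)] = bytes(int(b, 16) for b in m.group(2).split(','))
    return values


def parse_reg_query(text):
    """Return {value_name: bytes} for every REG_BINARY line of `reg.exe query`;
    values of other types (REG_SZ etc.) are ignored."""
    values = {}
    pattern = r'^\s*(\S+)\s+REG_BINARY\s+([0-9a-fA-F]+)\s*$'
    for m in re.finditer(pattern, text, re.M):
        values[m.group(1)] = bytes.fromhex(m.group(2))
    return values


def nibbles(blob):
    """Split a blob into 4-bit slots: slot 2k is the low nibble of byte k,
    i.e. bits 4*slot .. 4*slot+3 of the little-endian value, which is how
    the [8] masks (0x1, 0x100, 0x20000) line up with the dumped bytes."""
    out = []
    for b in blob:
        out.append(b & 0xF)
        out.append(b >> 4)
    return out


def diff_slots(before, after):
    """{slot: (old, new)} for every slot whose value differs."""
    a, b = nibbles(before), nibbles(after)
    if len(a) != len(b):
        raise ValueError("blob lengths differ: %d vs %d" % (len(before), len(after)))
    return {i: (x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y}


def describe(changes):
    """One line per changed slot, naming it only if the post names that slot."""
    return ["slot %2d (bits %2d-%2d) %s: 0x%x -> 0x%x"
            % (i, 4 * i, 4 * i + 3, SLOT_NAMES.get(i, "unlabelled"), old, new)
            for i, (old, new) in sorted(changes.items())]


if __name__ == "__main__":
    base = parse_reg_export(REG_EXPORT_BEFORE)["MitigationOptions"]
    for label, dump in (("after -Disable DEP -Force ON", REG_QUERY_AFTER_DEP),
                        ("after disabling BinarySignature items", REG_QUERY_AFTER_SIG)):
        after = parse_reg_query(dump)["MitigationOptions"]
        print(label)
        for line in describe(diff_slots(base, after)):
            print("  " + line)
```

For the DEP dump the diff lands on slot 0 only, matching the post's "one byte went from 0 to 6"; for the BinarySignature dump it lands on slots 11, 17 and 27, none of which the post names, which is exactly the situation where the script stops and Get-ProcessMitigation has to take over.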

In 2017 someone asked on the Microsoft community how to disable MicrosoftSignedOnly; nobody answered. Is there a Ring3 solution that meets the original requirement? Ring0 solutions are not considered; the current user is an administrator and can interact normally.

[6]
Implementing Global Injection and Hooking in Windows - m417z [2022-04-17]
https://m417z.com/Implementing-Global-Injection-and-Hooking-in-Windows/
https://github.com/m417z/global-inject-demo

[7]
Get-ProcessMitigation
https://docs.microsoft.com/en-us/powershell/module/processmitigations/get-processmitigation?view=windowsserver2022-ps

Set-ProcessMitigation
https://docs.microsoft.com/en-us/powershell/module/processmitigations/set-processmitigation?view=windowsserver2022-ps

Customize exploit protection
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-exploit-protection

[8]
Override Process Mitigation Options to help enforce app-related security policies
https://docs.microsoft.com/en-us/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies


Source: http://mp.weixin.qq.com/s?__biz=MzUzMjQyMDE3Ng==&mid=2247486048&idx=1&sn=b761f919db6d1b6d4407781f7bb57e05&chksm=fab2c95fcdc5404954eafb60e229e8092fa76b24d4812d98d5db607566b3bf5d0000ab249e20#rd