4.8 Blocking execution of specified programs

https://scz.617.cn/windows/201703092204.txt

Q: Apart from DACLs, is there any built-in way to block execution of specified
programs? Third-party HIPS and the like are out of scope.

A: bluerust

gpedit.msc
  User Configuration
    Administrative Templates
      System
        Don't run specified Windows applications
--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="victim_0.exe"
"2"="victim_1.exe"
--------------------------------------------------------------------------
This setting only prevents users from running programs that are started by the
Windows Explorer process. It does not prevent users from running programs that
are started by the system process or by other processes, such as Task Manager.
Also, if users are allowed to use CMD, this setting does not stop them from
starting, from CMD, programs they are not allowed to start via Windows Explorer.

In other words, this Group Policy only handles processes whose parent is
Explorer. A dialog pops up when a process is blocked.

Testing shows that any process with Explorer as an ancestor is covered, not only
those whose parent is Explorer. No dialog is shown when a grandchild process is
blocked.

A path cannot be specified (the entry is then ineffective); only a file name.

Q: How can Image File Execution Options (IFEO) be used to block execution of
specified programs?

A: bluerust 2017-03-09 22:04

Windows has a registry option called Image File Execution Options (IFEO). Its
main purposes are holding GlobalFlag and letting a debugger attach automatically
when a program starts. See:
--------------------------------------------------------------------------
Image File Execution Options (IFEO)
https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/

Inside Image File Execution Options debugging - Gregg Miskelly [2005-02-21]
https://blogs.msdn.microsoft.com/greggm/2005/02/21/inside-image-file-execution-options-debugging/

Image File Execution Options
https://weblogs.asp.net/whaggard/image-file-execution-options
(DLLs have BreakOnDllLoad, EXEs have Debugger)

Registry Keys Affected by WOW64
https://msdn.microsoft.com/en-us/library/windows/desktop/aa384253(v=vs.85).aspx

Registry Reflection
https://msdn.microsoft.com/en-us/library/windows/desktop/aa384235(v=vs.85).aspx
--------------------------------------------------------------------------
The windbg help topic "Preparing to Debug the Service Application" says IFEO can
be used for DLLs; presumably the DLL-loading functions also process IFEO.

Enabling an IFEO hijack:

reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<victim.exe>" /v "Debugger" /t REG_SZ /d "x:\\dumb.exe" /f

On a 64-bit system one more entry may be needed:

reg.exe add "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<victim.exe>" /v "Debugger" /t REG_SZ /d "x:\\dumb.exe" /f

<victim.exe> is the program's full name including the extension, e.g. calc.exe.

Gregg Miskelly notes:

Where the operating system looks isn't dependant on the bit-ness of the
application that is going to be debugged (which is what you would probably
expect). Instead, it is dependent on the bit-ness of the application that
called CreateProcess.

On Windows 7 and Windows Server 2008 R2, Image File Execution Options is Shared,
i.e. two logical views of the same physical copy.

Shared, Reflected and Redirected can be loosely understood as fully
synchronized, half-synchronized and unsynchronized. Half-synchronization is
performed at RegCloseKey(). Win7 and 2008 R2 no longer support
half-synchronization.

With the IFEO hijack enabled, when the system creates a process through
kernel32!CreateProcess() without DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS, it
checks the Debugger value and launches dumb.exe. Normally that value would name
a real debugger. If dumb.exe does nothing and exits immediately, the target
never gets a chance to execute.
--------------------------------------------------------------------------
/*
 * cl dumb.c /Fedumb.exe /Zi /Fddumb.pdb /nologo /Os /Gd /Gs65536 /W3 /WX /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /link /RELEASE /opt:ref
 * cl dumb.c /Fedumb.exe /nologo /Os /Gd /Gs65536 /W3 /WX /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /link /RELEASE
 */
#include <windows.h>

/*
 * Do-nothing "debugger": IFEO launches it in place of the target, with the
 * target's command line appended. It ignores that command line and exits,
 * so the target is never started.
 */
int CALLBACK WinMain
(
    HINSTANCE hInstance,
    HINSTANCE hPrevInstance,
    LPSTR     lpCmdLine,
    int       nCmdShow
)
{
    UNREFERENCED_PARAMETER( hInstance );
    UNREFERENCED_PARAMETER( hPrevInstance );
    UNREFERENCED_PARAMETER( lpCmdLine );
    UNREFERENCED_PARAMETER( nCmdShow );
    return( 0 );
}
--------------------------------------------------------------------------
For example:

reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\victim.exe" /v "Debugger" /t REG_SZ /d "x:\\dumb.exe" /f
--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\victim.exe]
"Debugger"="x:\\\\dumb.exe"
--------------------------------------------------------------------------
Testing shows that all of the following satisfy the original requirement:

reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\victim.exe" /v "Debugger" /t REG_SZ /d "x:\\cdb.exe -c q" /f

reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\victim.exe" /v "Debugger" /t REG_SZ /d "x:\\dumbzero.exe" /f

reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\victim.exe" /v "Debugger" /t REG_SZ /d "x:\\nonexist.exe" /f

Here dumbzero.exe is a 0-byte file and nonexist.exe does not exist.

Some people say "C:\Windows\System32\systray.exe" is a better choice for the
Debugger value data; I have not tried it.
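The following PowerShell script is an added example, not part of the original note or of bluerust's material. It scripts both methods above (the Explorer DisallowRun policy from the first answer and the IFEO Debugger hijack from the second) and adds the check a practitioner wants afterwards: listing what is currently blocked. It assumes the registry paths quoted in the note, that 'x:\dumb.exe' is a placeholder for a real do-nothing program such as the dumb.c build, and that the IFEO part is run from an elevated shell (it writes HKLM). Function names are the example's own.

```powershell
# Added example, not from the original note. Scripts the two blocking methods
# described above: Explorer's DisallowRun policy (HKCU) and an IFEO "Debugger"
# hijack (HKLM, needs an elevated shell). Both key on the bare image name.
# 'x:\dumb.exe' is the note's placeholder; substitute a real do-nothing program.

$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$disallowList   = Join-Path $explorerPolicy 'DisallowRun'
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Assert-BareImageName([string]$Name) {
    # Both mechanisms match on the file name alone; a path silently does nothing.
    if ($Name -match '[\\/]') { throw "Bare file name expected, got a path: $Name" }
}

function Set-DisallowRunList {
    # Replaces the DisallowRun list with $ImageName (values named "1","2",...) and enables it.
    param([Parameter(Mandatory)][string[]]$ImageName)
    $ImageName | ForEach-Object { Assert-BareImageName $_ }
    foreach ($k in @($explorerPolicy, $disallowList)) {
        if (-not (Test-Path $k)) { New-Item -Path $k | Out-Null }
    }
    (Get-Item $disallowList).Property | ForEach-Object {     # drop stale numbered entries
        Remove-ItemProperty -Path $disallowList -Name $_
    }
    $i = 1
    foreach ($name in $ImageName) {
        New-ItemProperty -Path $disallowList -Name "$i" -Value $name -PropertyType String -Force | Out-Null
        $i++
    }
    New-ItemProperty -Path $explorerPolicy -Name 'DisallowRun' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-DisallowRunList {
    # Returns the blocked image names in list order.
    if (-not (Test-Path $disallowList)) { return @() }
    $key = Get-Item $disallowList
    $key.Property | Sort-Object { [int]$_ } | ForEach-Object { $key.GetValue($_) }
}

function Set-IfeoDebugger {
    # Writes Debugger under both views. On Win7/2008 R2 they are one shared key, so the
    # second write is redundant but harmless; on 32-bit Windows Wow6432Node is skipped.
    param(
        [Parameter(Mandatory)][string]$ImageName,   # full name with extension, e.g. calc.exe
        [Parameter(Mandatory)][string]$Debugger     # e.g. 'x:\dumb.exe' or 'x:\cdb.exe -c q'
    )
    Assert-BareImageName $ImageName
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path $root)) { continue }
        $key = Join-Path $root $ImageName
        if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
        New-ItemProperty -Path $key -Name 'Debugger' -Value $Debugger -PropertyType String -Force | Out-Null
    }
}

function Remove-IfeoDebugger {
    # Undo: remove only the Debugger value, leaving any GlobalFlag etc. in place.
    param([Parameter(Mandatory)][string]$ImageName)
    foreach ($root in $ifeoRoots) {
        $key = Join-Path $root $ImageName
        if (Test-Path $key) { Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue }
    }
}

function Get-IfeoDebugger {
    # Audit: every image that currently has a Debugger value, in either view.
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root) {
            $dbg = $sub.GetValue('Debugger')
            if ($dbg) { [pscustomobject]@{ Image = $sub.PSChildName; Debugger = $dbg; View = $root } }
        }
    }
}

Set-DisallowRunList -ImageName 'victim_0.exe', 'victim_1.exe'
Get-DisallowRunList
Set-IfeoDebugger -ImageName 'victim.exe' -Debugger 'x:\dumb.exe'
Get-IfeoDebugger | Format-Table -AutoSize
```

The DisallowRun half produces exactly the .reg contents shown in the first answer; the IFEO half produces the reg.exe result shown in the second, for both registry views. Get-IfeoDebugger is the check to run afterwards: it lists every image with a Debugger value, so a hijack you did not set yourself stands out alongside the one you just added.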