Title: Introduction to Win10 Mitigation Policies (unresolved)
Created: 2022-07-18 10:52
Updated:
Link: https://scz.617.cn/windows/202207181052.txt

Ref [6] discusses the various problems you can run into when injecting DLLs into all kinds of processes, and it cites many excellent references. Anyone working in this area who goes through every reference mentioned there will gain a great deal of experience. After reading it I reinstalled ProcessHacker, which conveniently shows a target process's "Mitigation Policies". How do you view this in Process Explorer?

ProcessHacker shows the following "Mitigation Policies" for Calculator.exe

--------------------------------------------------------------------------
ASLR (high entropy, force relocate, disallow stripped)
DEP (permanent)
Dynamic code (downgrade)
Indirect branch prediction
Signatures restricted (Store only)
Strict handle checks
--------------------------------------------------------------------------

"Signatures restricted (Store only)" really stands out; UWP indeed has this restriction. Clicking it gives the description

Image signature restrictions are enabled for this process. Only Windows Store signatures are allowed.

Suppose you try to load a DLL into a UWP process's address space and that DLL carries no "Windows Store signatures": the load fails.

Calculator.exe's "Mitigation Policies" are reflected in the following registry entry

--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe]
"MitigationOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00
--------------------------------------------------------------------------

Per [7], PowerShell has cmdlets to get and set these mitigations, for example

Get-ProcessMitigation -Name Calculator.exe
Set-ProcessMitigation -Name Calculator.exe -Disable DEP -Force ON

DEP:
    Enable                         : OFF    // 0x2
    EmulateAtlThunks               : OFF
    Override DEP                   : True   // 0x4

Get-ProcessMitigation seems only able to query the full set; there is no way to query just the DEP subset. With Set, the effect of "-Force ON" is to set "Override DEP" to True; the default is False.

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe"

    MitigationOptions         REG_BINARY    060000000000000000000000000000000000000000000000
    MitigationAuditOptions    REG_BINARY    000000000000000000000000000000000000000000000000
    EAFModules                REG_SZ

One byte of MitigationOptions changed from 0 to 6. Note that it is not one meaning per bit; for example, 7 corresponds to

DEP:
    Enable                         : ON
    EmulateAtlThunks               : ON
    Override DEP                   : True

The net effect of a single byte should be confirmed with Get, to avoid falling into a trap.

Win10 has a GUI for these mitigation settings

--------------------------------------------------------------------------
Settings
  Update & Security
    Windows Security
      App & browser control
        Exploit protection settings
          Program settings
--------------------------------------------------------------------------

GUI settings are reflected in IFEO. "Override XXX" cannot be adjusted through the GUI; PowerShell can do it, and so can editing the registry directly. When "Override XXX" is True, the corresponding item in the GUI is greyed out and cannot be interacted with.

Group Policy also has a place to adjust "Mitigation Policies"

--------------------------------------------------------------------------
gpedit.msc
  Computer Configuration
    Administrative Templates
      System
        Mitigation Options
          Process Mitigation Options
--------------------------------------------------------------------------

Ref [8] explains the meaning of each binary bit, but its example is wrong

0x00000001  PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE
0x00000100  PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON
0x00020000  PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF

This Group Policy setting corresponds to the registry entry

--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions]
"Calculator.exe"="??????????????1????????0???????0"
--------------------------------------------------------------------------

In practice it also modifies the value in IFEO, and it is the IFEO value that actually takes effect.

Whether via PowerShell or gpedit.msc, testing showed there is simply no way to disable DEP or ASLR for Calculator.exe; these settings are like a deaf man's ears, purely for show.

The original requirement was to temporarily disable Calculator.exe's BinarySignature-related items and load a DLL without a digital signature into its address space. That did not succeed.

Set-ProcessMitigation -Name Calculator.exe -Disable MicrosoftSignedOnly,EnforceModuleDependencySigning -Force ON
Get-ProcessMitigation -Name Calculator.exe

BinarySignature:
    MicrosoftSignedOnly                : OFF
    AllowStoreSignedBinaries           : OFF
    EnforceModuleDependencySigning     : OFF
    AuditMicrosoftSignedOnly           : NOTSET
    AuditStoreSigned                   : OFF
    AuditEnforceModuleDependencySigning: NOTSET
    Override MicrosoftSignedOnly       : True
    Override DependencySigning         : True

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe"

    MitigationOptions         REG_BINARY    000000000060000060000000006000000000000000000000

In 2017 someone asked on the Microsoft community how to disable MicrosoftSignedOnly; nobody answered. Is there a Ring3 approach that satisfies the original requirement? Ring0 approaches are not considered; the current user is an administrator and can interact normally.

[6] Implementing Global Injection and Hooking in Windows - m417z [2022-04-17]
    https://m417z.com/Implementing-Global-Injection-and-Hooking-in-Windows/
    https://github.com/m417z/global-inject-demo
[7] Get-ProcessMitigation
    https://docs.microsoft.com/en-us/powershell/module/processmitigations/get-processmitigation?view=windowsserver2022-ps
    Set-ProcessMitigation
    https://docs.microsoft.com/en-us/powershell/module/processmitigations/set-processmitigation?view=windowsserver2022-ps
    Customize exploit protection
    https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-exploit-protection
[8] Override Process Mitigation Options to help enforce app-related security policies
    https://docs.microsoft.com/en-us/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies
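The note observes three MitigationOptions blobs for Calculator.exe (all zero, byte 0 = 0x06 after "-Disable DEP -Force ON", and bytes 5, 8 and 13 = 0x60 after disabling the signature items) and warns that the value is not one meaning per bit. The decoder below is an added example, not code from the note or from Microsoft: nibble positions for the first two little-endian QWORDs follow the PROCESS_CREATION_MITIGATION_POLICY_* and POLICY2_* constants in winbase.h, while the per-nibble value encoding (0x1 = ON, 0x2 = OFF, 0x4 = "Override") is an inference from the two observations in the note rather than a documented format, and the mapping of EnforceModuleDependencySigning to the LOADER_INTEGRITY_CONTINUITY nibble is assumed. The sample reg.exe output is constructed in the shape quoted above.

```python
# Added example (not from the original note): decode the IFEO "MitigationOptions"
# REG_BINARY value into per-mitigation states. Nibble positions follow the
# PROCESS_CREATION_MITIGATION_POLICY(2)_* constants in winbase.h; the per-nibble
# value encoding (0x1 = ON, 0x2 = OFF, 0x4 = "Override") is inferred from the
# note's observations (DEP nibble 0x6 after "-Disable DEP -Force ON", signature
# nibble 0x6 after "-Disable MicrosoftSignedOnly -Force ON"), not documented.
import struct

# Nibble index -> mitigation name for the first 64-bit policy word.
POLICY1 = {
    0: "DEP",                            # irregular nibble, see describe_nibble
    2: "FORCE_RELOCATE_IMAGES",
    3: "HEAP_TERMINATE",
    4: "BOTTOM_UP_ASLR",
    5: "HIGH_ENTROPY_ASLR",
    6: "STRICT_HANDLE_CHECKS",
    7: "WIN32K_SYSTEM_CALL_DISABLE",
    8: "EXTENSION_POINT_DISABLE",
    9: "PROHIBIT_DYNAMIC_CODE",
    10: "CONTROL_FLOW_GUARD",
    11: "BLOCK_NON_MICROSOFT_BINARIES",  # "MicrosoftSignedOnly" in Get-ProcessMitigation
    12: "FONT_DISABLE",
    13: "IMAGE_LOAD_NO_REMOTE",
    14: "IMAGE_LOAD_NO_LOW_LABEL",
    15: "IMAGE_LOAD_PREFER_SYSTEM32",
}

# Nibble index -> mitigation name for the second policy word (POLICY2_*).
# Only the low nibbles are named; others are reported by index.
POLICY2 = {
    1: "LOADER_INTEGRITY_CONTINUITY",    # "EnforceModuleDependencySigning" (assumed mapping)
    2: "STRICT_CONTROL_FLOW_GUARD",
    3: "MODULE_TAMPERING_PROTECTION",
    4: "RESTRICT_INDIRECT_BRANCH_PREDICTION",
    5: "ALLOW_DOWNGRADE_DYNAMIC_CODE_POLICY",
}


def describe_nibble(word: int, idx: int, nib: int) -> str:
    """Translate one 4-bit field into a Get-ProcessMitigation-like state string."""
    override = bool(nib & 0x4)
    low = nib & 0x3
    if word == 1 and idx == 0:
        # DEP nibble: the note shows 0x6 -> DEP OFF and 0x7 -> DEP ON with
        # EmulateAtlThunks ON, so bit 0x2 changes meaning depending on bit 0x1.
        if low & 1:
            state = "ON, EmulateAtlThunks" if low & 2 else "ON"
        else:
            state = "OFF" if low & 2 else "NOTSET"
    elif word == 1 and idx == 11 and low == 3:
        state = "ALLOW_STORE"             # ..._BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE
    elif word == 1 and idx == 2 and low == 3:
        state = "ALWAYS_ON_REQ_RELOCS"    # ..._FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS
    else:
        state = {0: "NOTSET", 1: "ON", 2: "OFF", 3: "ON|OFF (reserved)"}[low]
    return state + (", Override" if override else "")


def decode_mitigation_options(blob: bytes) -> dict:
    """Decode the first two little-endian QWORDs of an IFEO MitigationOptions blob.

    Returns {mitigation_name: state} for every non-zero nibble; zero nibbles
    (NOTSET, i.e. the system default applies) are omitted.
    """
    if len(blob) < 8:
        raise ValueError("MitigationOptions must be at least 8 bytes")
    words = [struct.unpack_from("<Q", blob, 0)[0]]
    if len(blob) >= 16:
        words.append(struct.unpack_from("<Q", blob, 8)[0])
    result = {}
    for wnum, value in enumerate(words, start=1):
        names = POLICY1 if wnum == 1 else POLICY2
        for idx in range(16):
            nib = (value >> (4 * idx)) & 0xF
            if nib:
                name = names.get(idx, f"policy{wnum}_nibble{idx}")
                result[name] = describe_nibble(wnum, idx, nib)
    return result


def blob_from_reg_query(output: str, value_name: str = "MitigationOptions") -> bytes:
    """Pull a REG_BINARY value out of `reg.exe query` output."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == value_name and parts[1] == "REG_BINARY":
            return bytes.fromhex(parts[2])
    raise KeyError(value_name)


# Constructed sample in the shape of the reg.exe output quoted in the note.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe
    MitigationOptions         REG_BINARY    000000000060000060000000006000000000000000000000
    MitigationAuditOptions    REG_BINARY    000000000000000000000000000000000000000000000000
    EAFModules                REG_SZ
"""

if __name__ == "__main__":
    for hexblob in ("00" * 24,                                           # untouched Calculator.exe
                    "060000000000000000000000000000000000000000000000"):  # after -Disable DEP -Force ON
        print(hexblob, "->", decode_mitigation_options(bytes.fromhex(hexblob)))
    print(decode_mitigation_options(blob_from_reg_query(SAMPLE_REG_QUERY)))
```

Running it on the three blobs from the note gives an empty result for the untouched entry, "DEP: OFF, Override" for the 0x06 blob, and "BLOCK_NON_MICROSOFT_BINARIES: OFF, Override" plus two policy-2 nibbles for the signature blob. The empty result for the original Calculator.exe entry, against ProcessHacker's "Signatures restricted (Store only)", is worth noting for anyone auditing a host: the restriction ProcessHacker reports is not coming from IFEO at all, which fits the observation that IFEO edits for this process changed nothing visible.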