
4.8 Blocking execution of a specified program

https://scz.617.cn/windows/201703092204.txt

Q:

Apart from DACLs, is there any built-in way to prevent a specified program from executing? Third-party HIPS products and the like are not considered.

A: bluerust

gpedit.msc -> User Configuration -> Administrative Templates -> System -> Don't run specified Windows applications


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="victim_0.exe"
"2"="victim_1.exe"


This setting only prevents users from running programs that are started by the Windows Explorer process. It does not prevent users from running programs started by system processes or other processes, such as Task Manager. Also, if users are allowed to use CMD, this setting does not stop them from starting, from within CMD, programs that are not allowed to be started via Windows Explorer.

In other words, this Group Policy only deals with processes whose parent process is Explorer. When a process is blocked, a dialog box pops up.

Testing shows that any process whose ancestor is Explorer is covered, not only those whose parent is Explorer. When a grandchild process is blocked, no dialog box appears.

A path cannot be specified (otherwise the entry has no effect); only a file name can.
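The same policy, set and read back from PowerShell. This is an added example and not part of bluerust's answer; victim_0.exe and victim_1.exe are the placeholder names used above, and the two function names are my own. The setter enforces the file-name-only caveat from the answer, since an entry that contains a path has no effect.

```powershell
# Added example (not from the original post): configure and audit the
# "Don't run specified Windows applications" policy for the current user
# through the same registry keys shown in the .reg file above.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'DisallowRun'

function Set-DisallowRunList {
    param([string[]]$Names)
    foreach ($n in $Names) {
        # The policy matches on the bare file name; a path makes the entry ineffective.
        if ($n -match '[\\/]') { throw "Use a bare file name, not a path: $n" }
    }
    New-Item -Path $listKey -Force | Out-Null
    # Drop any previous numbered entries so the list becomes exactly $Names.
    Get-Item -Path $listKey | Select-Object -ExpandProperty Property |
        ForEach-Object { Remove-ItemProperty -Path $listKey -Name $_ }
    $i = 1
    foreach ($n in $Names) {
        New-ItemProperty -Path $listKey -Name ([string]$i) -Value $n -PropertyType String -Force | Out-Null
        $i++
    }
    # DisallowRun=1 switches the policy on; the list key alone does nothing.
    New-ItemProperty -Path $policyKey -Name 'DisallowRun' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-DisallowRunList {
    # Returns the blocked file names in list order, or nothing if the policy is absent.
    if (-not (Test-Path -Path $listKey)) { return @() }
    $item = Get-Item -Path $listKey
    $item.Property | Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) }
}

# Constructed placeholder names, as in the .reg file above.
Set-DisallowRunList -Names 'victim_0.exe', 'victim_1.exe'
Get-DisallowRunList
```

Explorer re-reads the policy on its own, so no logoff is needed; remember the answer's limitation that only processes descending from Explorer are affected, so a shell started from elsewhere is not covered.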

Q:

How can Image File Execution Options (IFEO) hijacking be used to prevent a specified program from executing?

A: bluerust 2017-03-09 22:04

Windows has a registry option called Image File Execution Options (IFEO). Its main uses are to hold GlobalFlag and to let a debugger attach automatically when a program starts. See:


Image File Execution Options (IFEO) https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/

Inside Image File Execution Options debugging - Gregg Miskelly [2005-02-21] https://blogs.msdn.microsoft.com/greggm/2005/02/21/inside-image-file-execution-options-debugging/

Image File Execution Options https://weblogs.asp.net/whaggard/image-file-execution-options (DLLs have BreakOnDllLoad, EXEs have Debugger)

Registry Keys Affected by WOW64 https://msdn.microsoft.com/en-us/library/windows/desktop/aa384253(v=vs.85).aspx

Registry Reflection https://msdn.microsoft.com/en-us/library/windows/desktop/aa384235(v=vs.85).aspx


The windbg help topic "Preparing to Debug the Service Application" says IFEO can be applied to DLLs; presumably the DLL-loading functions also process IFEO.

Enabling IFEO hijacking:

reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<victim.exe>" /v "Debugger" /t REG_SZ /d "x:\\dumb.exe" /f

On a 64-bit system, one more entry may be needed:

reg.exe add "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<victim.exe>" /v "Debugger" /t REG_SZ /d "x:\\dumb.exe" /f

<victim.exe> is the full program name, including the extension, e.g. calc.exe.

Gregg Miskelly notes:

Where the operating system looks isn't dependant on the bit-ness of the application that is going to be debugged (which is what you would probably expect). Instead, it is dependent on the bit-ness of the application that called CreateProcess.

On Windows 7 and Windows Server 2008 R2, Image File Execution Options is Shared, i.e. two logical views of the same physical copy.

Shared, Reflected and Redirected can be understood roughly as fully synchronized, half-synchronized and not synchronized. Half-synchronization takes place at RegCloseKey(). Win7 and 2008 R2 no longer support half-synchronization.

Once IFEO hijacking is enabled, when the system calls kernel32!CreateProcess() to create a process and neither DEBUG_PROCESS nor DEBUG_ONLY_THIS_PROCESS is specified, it checks the Debugger value and launches dumb.exe. Normally this would be a debugger. If dumb.exe does nothing and exits immediately, the target never gets a chance to execute.


/*
 * cl dumb.c /Fedumb.exe /Zi /Fddumb.pdb /nologo /Os /Gd /Gs65536 /W3 /WX /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /link /RELEASE /opt:ref
 * cl dumb.c /Fedumb.exe /nologo /Os /Gd /Gs65536 /W3 /WX /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /link /RELEASE
 */
#include <windows.h>

/* Stand-in "debugger": does nothing and returns at once, so the program
 * named by the IFEO Debugger value is never actually started. */
int CALLBACK WinMain ( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
{
    UNREFERENCED_PARAMETER(hInstance);
    UNREFERENCED_PARAMETER(hPrevInstance);
    UNREFERENCED_PARAMETER(lpCmdLine);
    UNREFERENCED_PARAMETER(nCmdShow);

    return( 0 );
}

For example:

reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\victim.exe" /v "Debugger" /t REG_SZ /d "x:\\dumb.exe" /f


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\victim.exe]
"Debugger"="x:\\dumb.exe"


Testing shows that all of the following satisfy the original requirement:

reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\victim.exe" /v "Debugger" /t REG_SZ /d "x:\\cdb.exe -c q" /f
reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\victim.exe" /v "Debugger" /t REG_SZ /d "x:\\dumbzero.exe" /f
reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\victim.exe" /v "Debugger" /t REG_SZ /d "x:\\nonexist.exe" /f

Here dumbzero.exe is a 0-byte file and nonexist.exe does not exist.

Some say it is better to use "C:\Windows\System32\systray.exe" as the Debugger value data; I have not tried it.
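An added audit script, not part of bluerust's answer, that lists every IFEO Debugger value in both registry views (native and Wow6432Node, as discussed above) and classifies each entry using the test results just described: a missing or zero-byte "debugger" blocks the target outright, anything else redirects the target into whatever program is named. The function names and verdict labels are my own. Because the same mechanism intercepts every launch of the target, any entry here that an administrator did not deliberately create is worth investigating.

```powershell
# Added example (not from the original post): enumerate IFEO "Debugger"
# values in both registry views and report what each one does to its target.
# Read-only; reading HKLM needs no elevation. On Windows 7 / 2008 R2, where the
# key is Shared, both views list the same entries.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-DebuggerExecutable {
    # First token of the Debugger data: a quoted path, or the text up to the first space
    # (so "x:\cdb.exe -c q" yields x:\cdb.exe).
    param([string]$Data)
    if ($Data -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Data -split '\s+', 2)[0]
}

function Get-IfeoDebuggerEntries {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $dbg = $key.GetValue('Debugger')
            if ([string]::IsNullOrWhiteSpace($dbg)) { continue }
            $exe    = Get-DebuggerExecutable $dbg
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $size   = if ($exists) { (Get-Item -LiteralPath $exe).Length } else { $null }
            # Missing or empty debugger: CreateProcess cannot run it, so the target never starts.
            $verdict = if (-not $exists)  { 'blocks target (debugger missing)' }
                       elseif ($size -eq 0) { 'blocks target (zero-byte debugger)' }
                       else                 { 'redirects target into debugger' }
            [pscustomobject]@{
                View     = if ($root -like '*Wow6432Node*') { 'Wow6432Node' } else { 'native' }
                Target   = $key.PSChildName
                Debugger = $dbg
                Verdict  = $verdict
            }
        }
    }
}

Get-IfeoDebuggerEntries | Format-Table -AutoSize
```

Run it before and after applying the reg.exe commands above to confirm the entry landed in the view you expected; per the Gregg Miskelly quote, which view is consulted depends on the bit-ness of the process calling CreateProcess, not of the target.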