
Title: An introduction to Win10 Mitigation Policies (unresolved)

Created: 2022-07-18 10:52  Updated:  Link: https://scz.617.cn/windows/202207181052.txt

Reference [6] discusses the various problems you can run into when injecting a DLL into different kinds of processes, and it cites a lot of excellent material. Anyone working in this area who works through every reference mentioned there will gain a great deal of experience. After reading it I reinstalled ProcessHacker, which makes it easy to view a target process's "Mitigation Policies". How do you view these in Process Explorer?

ProcessHacker shows the following "Mitigation Policies" for Calculator.exe:

    ASLR (high entropy, force relocate, disallow stripped)
    DEP (permanent)
    Dynamic code (downgrade)
    Indirect branch prediction
    Signatures restricted (Store only)
    Strict handle checks

"Signatures restricted (Store only)" stands out; UWP really does carry this restriction. Clicking on it shows the description:

Image signature restrictions are enabled for this process. Only Windows Store signatures are allowed.

Presumably, if you try to load a DLL that lacks a "Windows Store signature" into a UWP process's address space, the load fails.

Calculator.exe's "Mitigation Policies" are reflected in the following registry key:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe]
"MitigationOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00


Per reference [7], PowerShell has cmdlets to get and set these mitigations, for example:

Get-ProcessMitigation -Name Calculator.exe
Set-ProcessMitigation -Name Calculator.exe -Disable DEP -Force ON

DEP:
    Enable             : OFF    // 0x2
    EmulateAtlThunks   : OFF
    Override DEP       : True   // 0x4

Get-ProcessMitigation only seems able to query the full set; there is no way to query just the DEP subset. When setting, "-Force ON" has the effect of setting "Override DEP" to True; the default is False.

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe"

MitigationOptions    REG_BINARY    060000000000000000000000000000000000000000000000
MitigationAuditOptions    REG_BINARY    000000000000000000000000000000000000000000000000
EAFModules    REG_SZ

One byte of MitigationOptions changed from 0 to 6. Note that this is not one meaning per bit; for example, 7 corresponds to:

DEP:
    Enable             : ON
    EmulateAtlThunks   : ON
    Override DEP       : True

The actual effect of a given byte value should be confirmed with Get, to avoid falling into a trap.

Win10 has a GUI for configuring these mitigations:


    Settings > Update & Security > Windows Security > App & browser control > Exploit protection settings > Program settings


GUI settings are reflected in IFEO. "Override XXX" cannot be adjusted through the GUI, but PowerShell can do it, and so can editing the registry directly. When "Override XXX" is True, the corresponding item in the GUI is greyed out and cannot be interacted with.

Group Policy also has a place to adjust "Mitigation Policies":


    gpedit.msc > Computer Configuration > Administrative Templates > System > Mitigation Options > Process Mitigation Options


Reference [8] explains the meaning of each binary bit, but its examples are wrong:

    0x00000001  PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE
    0x00000100  PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON
    0x00020000  PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF

This Group Policy setting corresponds to the following registry key:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions]
"Calculator.exe"="??????????????1????????0???????0"


In practice it also modifies the values in IFEO, and it is the IFEO value that actually takes effect.

Whether via PowerShell or gpedit.msc, testing showed there is simply no way to disable DEP or ASLR for Calculator.exe; these settings are like a deaf man's ears, purely decorative.

The original requirement was to temporarily disable Calculator.exe's BinarySignature-related items and load a DLL without a digital signature into its process space; this did not succeed.

Set-ProcessMitigation -Name Calculator.exe -Disable MicrosoftSignedOnly,EnforceModuleDependencySigning -Force ON
Get-ProcessMitigation -Name Calculator.exe

BinarySignature:
    MicrosoftSignedOnly                 : OFF
    AllowStoreSignedBinaries            : OFF
    EnforceModuleDependencySigning      : OFF
    AuditMicrosoftSignedOnly            : NOTSET
    AuditStoreSigned                    : OFF
    AuditEnforceModuleDependencySigning : NOTSET
    Override MicrosoftSignedOnly        : True
    Override DependencySigning          : True

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe"

MitigationOptions    REG_BINARY    000000000060000060000000006000000000000000000000
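Since a raw MitigationOptions byte is not one flag per bit and only Get-ProcessMitigation gives the authoritative reading, a defender auditing a machine wants both side by side. The following PowerShell script is an added example, not code from the original post; it assumes Windows 10 or later, an elevated shell, the ProcessMitigations module, and the text layout of Get-ProcessMitigation output shown above. It walks every IFEO subkey, prints any non-zero MitigationOptions value the way reg.exe shows it, and lists the settings the cmdlet reports as OFF or with an Override flag (the DEP and BinarySignature changes above are exactly what it would surface).

```powershell
# Added example (not from the original post): audit per-image mitigation
# overrides. Assumes Windows 10+, an elevated shell and the ProcessMitigations
# module; the parsing below relies on the "Section:" / "Setting : Value"
# layout that Get-ProcessMitigation prints.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Lines that show a mitigation switched OFF or locked with an Override flag,
# i.e. the two kinds of change the post makes for DEP and BinarySignature.
$weakened = '^\s*(Enable|MicrosoftSignedOnly|AllowStoreSignedBinaries|EnforceModuleDependencySigning)\s*:\s*OFF\b' +
            '|^\s*Override\s+\w+\s*:\s*True\b'

function ConvertTo-HexString([byte[]] $Bytes) {
    # Render REG_BINARY the way "reg.exe query" does (lower-case, no separators).
    -join ($Bytes | ForEach-Object { $_.ToString('x2') })
}

Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $image = $_.PSChildName
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.MitigationOptions) { return }

    $hex = ConvertTo-HexString $props.MitigationOptions
    if ($hex -notmatch '[1-9a-f]') { return }      # all zeros: nothing overridden

    "`n[$image]"
    "  MitigationOptions      = $hex"
    if ($props.MitigationAuditOptions) {
        "  MitigationAuditOptions = " + (ConvertTo-HexString $props.MitigationAuditOptions)
    }

    # Let the cmdlet interpret the bytes; we only pick out the weakened lines.
    $text = Get-ProcessMitigation -Name $image -ErrorAction SilentlyContinue | Out-String
    if (-not $text) { return }

    $section = ''
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^\s*(\w+):\s*$') { $section = $Matches[1]; continue }
        if ($line -match $weakened)       { "  $section -> $($line.Trim())" }
    }
}
```

Run it before and after a Set-ProcessMitigation change (or a Group Policy refresh) to see which IFEO entries carry overrides, and compare the cmdlet's verdict with the raw bytes rather than decoding the bytes by hand.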

In 2017 someone asked in the Microsoft community how to disable MicrosoftSignedOnly; nobody answered. Is there a Ring3 approach that satisfies the original requirement? Ring0 approaches are not under consideration; the current user is an administrator and can interact normally.

[6] Implementing Global Injection and Hooking in Windows - m417z [2022-04-17]
https://m417z.com/Implementing-Global-Injection-and-Hooking-in-Windows/
https://github.com/m417z/global-inject-demo

[7] Get-ProcessMitigation
https://docs.microsoft.com/en-us/powershell/module/processmitigations/get-processmitigation?view=windowsserver2022-ps

Set-ProcessMitigation
https://docs.microsoft.com/en-us/powershell/module/processmitigations/set-processmitigation?view=windowsserver2022-ps

Customize exploit protection
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-exploit-protection

[8] Override Process Mitigation Options to help enforce app-related security policies
https://docs.microsoft.com/en-us/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies