  • 也谈隐藏盘符等windows 的管理员的策略实现

    网上的文章都提到,在注册表键 `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer` 下有控制隐藏驱动器、隐藏控制面板等功能的键值;通过修改这些键值,可以控制用户能否更改 Windows 的配置或权限,以及隐藏或显示哪些内容。

    (修改后必须重新启动才能生效。)那么,是谁在读取并执行这个开关呢?

         通过自己调试跟踪,得到如下调用栈。注意:SHELL32/SHLWAPI 只有导出符号,没有 PDB,所以下面的帧名是按"最近的导出函数+偏移"推算出来的,WinDbg 也明确给出了 "Following frames may be wrong" 的警告,帧名并不可靠:

     # ChildEBP RetAddr Args to Child
    00 0235f134 7602ed30 00000528 765aebe0 00000000 Sandboxdll!Mine_RegQueryValueExW+0xca [e: onggfworkranchesminshengclient_windowssrchooklibhook_advapi32.cpp @ 365]
    WARNING: Stack unwind information not available. Following frames may be wrong.
    01 0235f178 7602e977 00000528 765aebe0 0000ffff SHLWAPI!PathIsRelativeW+0xdf
    02 0235f1bc 7602aed2 80000002 0235f210 765aebe0 SHLWAPI!SHRegGetValueW+0xe3
    03 0235f1e0 7602b97e 80000002 0235f210 765aebe0 SHLWAPI!SHGetValueW+0x21
    04 0235f41c 76024a79 00000000 765af510 765aebe0 SHLWAPI!Ordinal271+0x69
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\SHELL32.dll -
    05 0235f43c 765aedb7 00000100 00000000 765aedc0 SHLWAPI!StrCmpNIW+0x40
    06 0235f45c 766b1026 00000100 0235f4b8 00000004 SHELL32!SHRestricted+0x24
    07 0235f474 766b07b3 00000000 02d80e68 00000000 SHELL32!Ordinal744+0x32a1
    08 0235f494 766b0476 0235f4b8 02d36040 02d36010 SHELL32!Ordinal744+0x2a2e
    09 0235f4e8 765685e5 02d80e68 00000001 0235f574 SHELL32!Ordinal744+0x26f1
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\explorerframe.dll -
    0a 0235f538 7198d77d 02d36010 00000001 0235f574 SHELL32!OpenRegStream+0x1652
    0b 0235f5b0 7198041e 02a5c2e0 01000000 80000000 explorerframe!Ordinal110+0xe380
    0c 0235f5d0 765d619e 02a5c2f4 7fffffff 02a63668 explorerframe!Ordinal110+0x1021
    0d 0235f5ec 765d6109 0235f628 00000000 02ac0fb8 SHELL32!SHCreateItemFromIDList+0x166
    0e 0235f634 765caaa8 0235f64c 7602b6cf 02a63668 SHELL32!SHCreateItemFromIDList+0xd1
    0f 0235f63c 7602b6cf 02a63668 0030e150 0235f6c0 SHELL32!Ordinal95+0x2274
    10 0235f64c 771ab5e9 02ac0fb8 752c3f68 00294448 SHLWAPI!PathBuildRootW+0x4c
    11 0235f6c0 771ae8d1 02ac0fb8 0030e150 752c3188 ntdll!RtlTestBit+0x21c
    12 0235f820 75f81194 00294440 0235f86c 771db3f5 ntdll!RtlIsCriticalSectionLockedByThread+0x474
    13 0235f82c 771db3f5 00294440 752c31c4 00000000 kernel32!BaseThreadInitThunk+0x12
    14 0235f86c 771db3c8 771ad63e 00294440 00000000 ntdll!RtlInitializeExceptionChain+0x63
    15 0235f884 00000000 771ad63e 00294440 00000000 ntdll!RtlInitializeExceptionChain+0x36
     
    从 SHELL32.dll 的函数 SHRestricted 开始,转到读取策略注册表键值上去。可以验证这一点:栈中 06 帧的返回地址是 SHRestricted+0x24,正好对应下面反汇编里 `call SHRestrictionLookup` 之后的那条指令(7387F04F - 7387F02B = 0x24),所以 05 帧实际上是 SHLWAPI!SHRestrictionLookup,而不是符号显示的 StrCmpNIW。我们来看看 SHRestricted 的逆向:

    ; SHRestricted(rest): stdcall, one DWORD argument (restriction id), result in EAX.
    ; Thin wrapper: forwards to SHLWAPI!SHRestrictionLookup together with SHELL32's
    ; built-in restriction table, its per-id cache array and its version counter.
    .text:7387F02B _SHRestricted@4 proc near ; CODE XREF: CMenuItemsCache::RefreshCachedDarwinShortcuts(int)+Dp
    .text:7387F02B                                         ; CDesktopBrowser::_ActivateView(void)+3Dp ...
    .text:7387F02B
    .text:7387F02B rest            = dword ptr  8          ; [ebp+8]: restriction id to query
    .text:7387F02B
    .text:7387F02B                 mov     edi, edi        ; 2-byte NOP (Windows hot-patch prologue)
    .text:7387F02D                 push    ebp
    .text:7387F02E                 mov     ebp, esp
    ; stdcall pushes right-to-left, so the call below is
    ; SHRestrictionLookup(rest, 0, unk_7387F058, g_rgRestrictionItemValues, 0x9C, &g_lRestrictionsVersionNumber)
    .text:7387F030                 push    offset ?g_lRestrictionsVersionNumber@@3JA ; long g_lRestrictionsVersionNumber -- arg6: caller's version number (a6)
    .text:7387F035                 push    9Ch             ; arg5: 0x9C = 156 entries in the table / cache (a5)
    .text:7387F03A                 push    offset ?g_rgRestrictionItemValues@@3PAKA ; ulong * g_rgRestrictionItemValues -- arg4: per-id cache array (Dst)
    .text:7387F03F                 push    offset unk_7387F058 ; arg3: restriction table, 12 bytes per entry (a3)
    .text:7387F044                 push    0               ; arg2: NULL (pszDir)
    .text:7387F046                 push    [ebp+rest]      ; arg1: restriction id (a1)
    .text:7387F049                 call    ds:__imp__SHRestrictionLookup@24 ; SHRestrictionLookup(x,x,x,x,x,x) -- return address 7387F04F = SHRestricted+0x24 (frame 06 in the trace)
    .text:7387F04F                 pop     ebp
    .text:7387F050                 retn    4               ; callee pops the single 4-byte argument
    .text:7387F050 _SHRestricted@4 endp

    其中调用了 SHLWAPI.dll 中的 SHRestrictionLookup(从上面的 push 顺序可知,实参依次为:rest、NULL、内置策略表 unk_7387F058、缓存数组 g_rgRestrictionItemValues、表项数 0x9C、以及 &g_lRestrictionsVersionNumber)。

    SHRestrictionLookup

    函数例如以下:

    /*
     * SHRestrictionLookup (SHLWAPI, Hex-Rays pseudocode): resolve one administrator
     * restriction id to its value, caching the answer per id.
     *
     *   a1     restriction id; matched against the first DWORD of each table entry
     *   pszDir passed through unchanged as the first argument of SHGetRestriction
     *          (SHRestricted passes 0 here)
     *   a3     restriction table: 12-byte entries {id, LPCWSTR, LPCWSTR}; the two
     *          strings at +4 / +8 are handed to SHGetRestriction (presumably the
     *          policy subkey and value names -- not verifiable from this listing)
     *   Dst    cache: one DWORD per table entry, same index as a3; -1 = not fetched yet
     *   a5     number of entries in a3 and Dst
     *   a6     pointer to the caller's version number, compared against the global
     *          restrictions counter before a freshly fetched value is cached
     *
     * Returns the cached or freshly read restriction value, or 0 when the id is not
     * in the table or the DLL is shutting down.
     *
     * Note for anyone hooking this path: once an entry is cached (!= -1) the
     * registry is not consulted again for that id, so a hook on the registry API
     * only influences the first, uncached lookup; a hook on SHRestricted or on this
     * function sees every call.
     */
    int __stdcall SHRestrictionLookup(int a1, LPCWSTR pszDir, int a3, void *Dst, int a5, int a6)
    {
      char *v6; // edi@7 -- &Dst[index]
      int v7; // ebx@1 -- result
      unsigned int v8; // eax@2 -- table index
      int v9; // edx@3 -- cursor into a3, advanced 12 bytes per entry
     
      v7 = 0;
      if ( !g_bDllTerminating )
      {
        /* presumably resets the cache when *a6 is stale -- body not shown here */
        _ValidateRestrictionTable(Dst, a5, a6);
        v8 = 0;
        if ( (unsigned int)a5 > 0 )
        {
          /* linear scan of the table for the requested id */
          v9 = a3;
          while ( a1 != *(_DWORD *)v9 )
          {
            ++v8;
            v9 += 12;
            if ( v8 >= a5 )
              return v7; /* id not in table: 0 */
          }
          v6 = (char *)Dst + 4 * v8;
          v7 = *(_DWORD *)v6; /* cache read is done outside the lock */
          if ( *(_DWORD *)v6 == -1 )
          {
            /* cache miss: read the policy, then store under the SRW lock only if the
               global restrictions counter has not moved in the meantime */
            v7 = SHGetRestriction(pszDir, *(LPCWSTR *)(a3 + 12 * v8 + 4), *(LPCWSTR *)(a3 + 12 * v8 + 8));
            AcquireSRWLockExclusive(&g_csrwlockRestrictions);
            if ( *(_DWORD *)a6 == SHGlobalCounterGetValue(GLOBALCOUNTER_RESTRICTIONS) )
              *(_DWORD *)v6 = v7;
            ReleaseSRWLockExclusive(&g_csrwlockRestrictions);
          }
        }
      }
      return v7;
    }

    逻辑是:先在策略表中按 ID 线性查找(每项 12 字节),找到后查看缓存数组中的对应项;若缓存值为 -1(尚未读取),则调用 SHGetRestriction 从注册表读取,并在 SRW 锁保护下写回缓存(仅当全局计数器 GLOBALCOUNTER_RESTRICTIONS 在此期间未变化时才写入);否则直接返回缓存值。找不到该 ID 或 DLL 正在卸载时返回 0。

    在MSDN 中:

    Determines whether a specified administrator policy is in effect. In many cases, applications need to modify certain behaviors in order to comply with the policies enacted by system administrators.

    检测指定的管理员策略是否生效。在很多情况下,应用程序需要修改某些行为,以遵从系统管理员制定的策略。

    系统的默认行为就是这样。如果我们的程序需要与系统不同的行为,hook 这个函数并返回与系统不同的值即可生效。需要注意两点:一是结果会被缓存在 g_rgRestrictionItemValues 中,只 hook 底层的注册表读取(如栈顶的 Mine_RegQueryValueExW)仅对尚未缓存的首次查询有效,而 hook SHRestricted 本身则每次调用都经过 hook;二是这种进程内的用户态 hook 只影响被注入的那个进程,与进程同权限的任何代码都能绕过或还原它,它并不构成安全边界,也不会改变注册表中实际的策略设置。

  • 原文地址:https://www.cnblogs.com/jhcelue/p/6792804.html