zoukankan      html  css  js  c++  java
  • 也谈隐藏盘符等windows 的管理员的策略实现

    网上的文章都知道在HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorer 文件夹下有控制隐藏驱动器隐藏控制面板的键值,通过改动这些键值来控制能否够改变windows的配置或者权限。或者掩藏或者显示什么。

    (必需要又一次启动)那么谁来控制这个开关呢?

         通过自己的调试追踪到例如以下的栈

     # ChildEBP RetAddr Args to Child
    00 0235f134 7602ed30 00000528 765aebe0 00000000 Sandboxdll!Mine_RegQueryValueExW+0xca [e: onggfworkranchesminshengclient_windowssrchooklibhook_advapi32.cpp @ 365]
    WARNING: Stack unwind information not available. Following frames may be wrong.
    01 0235f178 7602e977 00000528 765aebe0 0000ffff SHLWAPI!PathIsRelativeW+0xdf
    02 0235f1bc 7602aed2 80000002 0235f210 765aebe0 SHLWAPI!SHRegGetValueW+0xe3
    03 0235f1e0 7602b97e 80000002 0235f210 765aebe0 SHLWAPI!SHGetValueW+0x21
    04 0235f41c 76024a79 00000000 765af510 765aebe0 SHLWAPI!Ordinal271+0x69
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:Windowssystem32SHELL32.dll -
    05 0235f43c 765aedb7 00000100 00000000 765aedc0 SHLWAPI!StrCmpNIW+0x40
    06 0235f45c 766b1026 00000100 0235f4b8 00000004 SHELL32!SHRestricted+0x24
    07 0235f474 766b07b3 00000000 02d80e68 00000000 SHELL32!Ordinal744+0x32a1
    08 0235f494 766b0476 0235f4b8 02d36040 02d36010 SHELL32!Ordinal744+0x2a2e
    09 0235f4e8 765685e5 02d80e68 00000001 0235f574 SHELL32!Ordinal744+0x26f1
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:Windowssystem32explorerframe.dll -
    0a 0235f538 7198d77d 02d36010 00000001 0235f574 SHELL32!OpenRegStream+0x1652
    0b 0235f5b0 7198041e 02a5c2e0 01000000 80000000 explorerframe!Ordinal110+0xe380
    0c 0235f5d0 765d619e 02a5c2f4 7fffffff 02a63668 explorerframe!Ordinal110+0x1021
    0d 0235f5ec 765d6109 0235f628 00000000 02ac0fb8 SHELL32!SHCreateItemFromIDList+0x166
    0e 0235f634 765caaa8 0235f64c 7602b6cf 02a63668 SHELL32!SHCreateItemFromIDList+0xd1
    0f 0235f63c 7602b6cf 02a63668 0030e150 0235f6c0 SHELL32!Ordinal95+0x2274
    10 0235f64c 771ab5e9 02ac0fb8 752c3f68 00294448 SHLWAPI!PathBuildRootW+0x4c
    11 0235f6c0 771ae8d1 02ac0fb8 0030e150 752c3188 ntdll!RtlTestBit+0x21c
    12 0235f820 75f81194 00294440 0235f86c 771db3f5 ntdll!RtlIsCriticalSectionLockedByThread+0x474
    13 0235f82c 771db3f5 00294440 752c31c4 00000000 kernel32!BaseThreadInitThunk+0x12
    14 0235f86c 771db3c8 771ad63e 00294440 00000000 ntdll!RtlInitializeExceptionChain+0x63
    15 0235f884 00000000 771ad63e 00294440 00000000 ntdll!RtlInitializeExceptionChain+0x36
     
    从 SHELL32.dll 的 函数 SHRestricted開始,转到读取策略注冊表键值上去的,我们来看看 SHRestricted 的逆向

    .text:7387F02B _SHRestricted@4 proc near ; CODE XREF: CMenuItemsCache::RefreshCachedDarwinShortcuts(int)+Dp
    .text:7387F02B                                         ; CDesktopBrowser::_ActivateView(void)+3Dp ...
    .text:7387F02B
    .text:7387F02B rest            = dword ptr  8
    .text:7387F02B
    .text:7387F02B                 mov     edi, edi
    .text:7387F02D                 push    ebp
    .text:7387F02E                 mov     ebp, esp
    .text:7387F030                 push    offset ?g_lRestrictionsVersionNumber@@3JA ; long g_lRestrictionsVersionNumber
    .text:7387F035                 push    9Ch
    .text:7387F03A                 push    offset ?g_rgRestrictionItemValues@@3PAKA ; ulong * g_rgRestrictionItemValues
    .text:7387F03F                 push    offset unk_7387F058
    .text:7387F044                 push    0
    .text:7387F046                 push    [ebp+rest]
    .text:7387F049                 call    ds:__imp__SHRestrictionLookup@24 ; SHRestrictionLookup(x,x,x,x,x,x)
    .text:7387F04F                 pop     ebp
    .text:7387F050                 retn    4
    .text:7387F050 _SHRestricted@4 endp

    在当中调用了 SHLAPI.DLL 中的 SHRestrictionLookup

    SHRestrictionLookup

    函数例如以下:

    int __stdcall SHRestrictionLookup(int a1, LPCWSTR pszDir, int a3, void *Dst, int a5, int a6)
    {
      char *v6; // edi@7
      int v7; // ebx@1
      unsigned int v8; // eax@2
      int v9; // edx@3
     
      v7 = 0;
      if ( !g_bDllTerminating )
      {
        _ValidateRestrictionTable(Dst, a5, a6);
        v8 = 0;
        if ( (unsigned int)a5 > 0 )
        {
          v9 = a3;
          while ( a1 != *(_DWORD *)v9 )
          {
            ++v8;
            v9 += 12;
            if ( v8 >= a5 )
              return v7;
          }
          v6 = (char *)Dst + 4 * v8;
          v7 = *(_DWORD *)v6;
          if ( *(_DWORD *)v6 == -1 )
          {
            v7 = SHGetRestriction(pszDir, *(LPCWSTR *)(a3 + 12 * v8 + 4), *(LPCWSTR *)(a3 + 12 * v8 + 8));
            AcquireSRWLockExclusive(&g_csrwlockRestrictions);
            if ( *(_DWORD *)a6 == SHGlobalCounterGetValue(GLOBALCOUNTER_RESTRICTIONS) )
              *(_DWORD *)v6 = v7;
            ReleaseSRWLockExclusive(&g_csrwlockRestrictions);
          }
        }
      }
      return v7;
    }

    会从注冊表中获取值然后返回(假设没有获取 -1 没有获取)。否则直接读取出来

    在MSDN 中:

    Determines whether a specified administrator policy is in effect. In many cases, applications need to modify certain behaviors in order to comply with the policies enacted by system administrators.

    检測指定的管理员策略是否有效。在非常多情况下。应用程序须要遵照系统管理员指定的策略依序改动某些行为。

    系统行为是这个样子,假设我们的程序须要某些和系统行为不同,那么hook这个函数。而且返回和系统不同的值就能起到效果。

  • 相关阅读:
    POJ1125-Stockbroker Grapevine【Floyd】(模板题)
    Codeforces 862B (二分图染色)
    hdu3047 Zjnu Stadium【带权并查集】
    HDU1532 网络流最大流【EK算法】(模板题)
    hdu 2063 过山车【匈牙利算法】(经典)
    HDU-2066-一个人的旅行 【Dijkstra】
    HDU 3625 Examining the Rooms【第一类斯特灵数】
    HDU4372-Count the Buildings【第一类Stirling数】+【组合数】
    HDU 6114 Chess【逆元+组合数】(组合数模板题)
    HDU1211 密文解锁 【扩展欧几里得】【逆元】
  • 原文地址:https://www.cnblogs.com/jhcelue/p/6792804.html
Copyright © 2011-2022 走看看