Use hash rules to build a Software Firewall

Source: Internet
Author: User

Green Corps

Before getting to the method, a question for fellow admins: how do you stop a specified program from running? Are you using either of the following two methods?

Method A: Group Policy (you can allow or disallow specified programs)
Run gpedit.msc to open the Group Policy console and expand "User Configuration" > "Administrative Templates" > "System".
The two policies on the right, "Run only allowed Windows applications" and "Don't run specified Windows applications", can help you a lot.
When a user tries to run a program that is not allowed, a dialog box reading "…… has been cancelled. Contact the system administrator." is displayed.

Method B: Image hijacking (Image File Execution Options)
For example, launching QQ starts ctfmon instead, and the system gives no prompt at all.
You can also point the entry at a VBS or BAT file that verifies a password before running the specified program.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qq.exe" /v Debugger /t REG_SZ /d "C:\WINDOWS\system32\ctfmon.exe" /f


If your answer is yes, congratulations! You are a master of the WIIN team!

But today we found a better method (not original): use hash rules.


A. Start -- Run -- secpol.msc

Open "Local Security Settings", select "Software Restriction Policies" > "Create New Policies", and click "Additional Rules"; the existing rules are displayed in the right pane (do not change the default rules; if you don't believe me, you will be cleaning up a crashed system).


B. Right-click in the right pane and select "New Path Rule" to open the "New Path Rule" dialog box.

In the "Path" text box of the "New Path Rule" dialog box, enter "?:\*.*", set the security level to "Disallowed", and click OK.
Then set the security level of the following directories to "Disallowed":
1) ?:\System Volume Information
2) C:\Documents and Settings\*\Local Settings\Temporary Internet Files
3) ?:\Recycled
4) ?:\RECYCLER
5) C:\Windows\Downloaded Program Files
6) C:\Windows\system
7) C:\Windows\Tasks
8) C:\Windows\Temp
9) C:\Windows\system32\Com
10) C:\Windows\system32\drivers
11) C:\Documents and Settings\*\Local Settings\Temp
12) C:\Program Files\Common Files

C. Right-click in the right pane, select "New Hash Rule", click "Browse", go to the file C:\windows\system32\net.exe and select "Open", set the security level to "Disallowed", and enter "net.exe" as the description.

D. If neither the system nor your security software absolutely requires it, you can also add a hash rule for C:\Windows\system32\rundll32.exe and set it to "Disallowed".

E. If you want this to be completely automatic, consider the following:
1. Use VBS or BAT to read a "forbidden list" into variables, mainly the full path of each program.
2. Use the SendKeys method of VBS to simulate the keyboard operations in GPEDIT.MSC that add those variables as rules.
3. Use VBS or BAT to copy the Local Machine Registry.pol, log on remotely to the target machine, and overwrite its copy of the file.


F. Manually configure the programs and paths to be restricted ("Disallowed") on your own machine, or the programs allowed to run in a given path ("Unrestricted").
Then select "Show system files" and "Show all files" in Folder Options.
Copy, preserving the directory structure, C:\WINDOWS\system32\GroupPolicy\gpt.ini
and C:\WINDOWS\system32\GroupPolicy\Machine\Registry.pol.
Finally, copy the Registry.pol file to the target.

This method is suitable for batch deployment: copy the Registry.pol file to other machines. To remove all settings, delete the Registry.pol file.
After configuring the policy on the server, synchronize Registry.pol and gpt.ini to the same directories on each client, then run gpupdate /force to refresh Group Policy.


Now let's explain the rules themselves.


Many people know about the path rules in Group Policy. The following describes the hash rules:

A so-called hash rule simply extracts identifying information from a file, such as its version and hash, and uses it to decide whether a file is the same file.

Because of this identification principle, the advantage of hash recognition is that no matter how the file name is changed, the file is still correctly identified as long as it is the same file. But its advantage is also its disadvantage. If hash rules are used to implement the functions above, then, for example, when Windows Update replaces a protected system file, the file version changes, the security policy stops it from running, and system errors follow. In short, it easily causes compatibility problems, so "New Hash Rule" is generally not used.

Create a hash rule:

Choose "Local Computer Policy" > "Windows Settings" > "Security Settings" > "Software Restriction Policies", right-click "Additional Rules", choose "New Hash Rule", and select "Unrestricted" as the security level.

Note:

1. Path rules are set to "Disallowed" (the program will not run regardless of the user's access permissions).
Hash rules are set to "Unrestricted" (whether the program runs is decided by the user's access rights).

2. Path rules close the door: any program matching the "path" condition cannot come in and run.
Hash rules hand keys to programs: because a hash rule takes precedence over a path rule, programs matching a hash rule can run.
For example, under normal circumstances the c:\windows\system32 directory contains only 14 program files with the .COM suffix; if there are more, the extras are very likely viruses. We put the 14 .COM programs that ship with the system into hash rules and create a path rule for c:\windows\system32\*.com. In this way, apart from those 14, no .COM program can run.
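To make the precedence concrete, here is an added Python model of the evaluation just described; it is my own illustration, not SRP's code and not from the original article. Hash rules outrank path rules, a plain directory path rule covers its whole subtree, a wildcard pattern such as C:\Windows\*.* covers one directory level only, and the file contents are constructed stand-ins.

```python
import hashlib
import re

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Constructed stand-ins for file contents; real rules hash the real binaries.
NTDETECT_COM = b"constructed contents of NTDETECT.COM"
MORE_COM = b"constructed contents of more.com"

class HashRule:
    """Identifies a file by the hash of its contents; name and location are irrelevant."""
    def __init__(self, data, level):
        # Classic SRP hash rules store an MD5 of the file; this model does the same.
        self.digest, self.level = hashlib.md5(data).digest(), level
    def matches(self, path, data):
        return hashlib.md5(data).digest() == self.digest

class PathRule:
    """Identifies a file by location. A plain directory covers its subdirectories; a
    wildcard pattern such as C:\\Windows\\*.* matches only that one directory level."""
    def __init__(self, pattern, level):
        self.pattern, self.level = pattern, level
        if any(c in pattern for c in "*?"):
            # '*' and '?' never cross a backslash, so subdirectories are not covered
            rx = "".join(r"[^\\]*" if p == "*" else r"[^\\]" if p == "?" else re.escape(p)
                         for p in re.split(r"([*?])", pattern))
        else:
            rx = re.escape(pattern.rstrip("\\")) + r"(\\.*)?"
        self.regex = re.compile(rx + "$", re.IGNORECASE)
    def matches(self, path, data):
        return self.regex.match(path) is not None

def evaluate(rules, path, data, default=UNRESTRICTED):
    """Effective level: any matching hash rule wins over path rules; among matching
    path rules the most specific (longest) pattern wins; otherwise the default."""
    hits = [r for r in rules if r.matches(path, data)]
    for r in hits:
        if isinstance(r, HashRule):
            return r.level
    paths = [r for r in hits if isinstance(r, PathRule)]
    return max(paths, key=lambda r: len(r.pattern)).level if paths else default

RULES = [
    HashRule(NTDETECT_COM, UNRESTRICTED),                # "Hash ----- NTDETECT.COM"
    PathRule(r"C:\*.*", DISALLOWED),                     # "Path ----- C:\*.*"
    HashRule(MORE_COM, UNRESTRICTED),                    # one of the 14 system .COM files
    PathRule(r"C:\Windows\system32\*.com", DISALLOWED),  # closes the door on other .COMs
    PathRule(r"C:\Program Files\Common Files", DISALLOWED),
]
```

A renamed copy of more.com still runs (the hash matches), while an updated more.com no longer matches its hash and is caught by the path rule, which is exactly the compatibility problem the text warns about.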


Some hash and path settings:
The hash takes precedence over the path (the hash is Unrestricted, the path is Disallowed).

I. C:\ root directory

Hash ----- NTDETECT.COM
Path ----- C:\*.*

II. C:\Program Files directory

1. C:\Program Files\Common Files\Microsoft Shared\MSInfo
Hash ----- msinfo32.exe
Path ----- C:\Program Files\Common Files
2. C:\Program Files\Internet Explorer
Hash ----- iedw.exe
Hash ----- IEXPLORE.EXE
Path ----- C:\Program Files\Internet Explorer
3. C:\Program Files\WinRAR
Hash ----- RarExt.dll
Hash ----- winrar.exe
Path ----- C:\Program Files\WinRAR

III. C:\WINDOWS directory

In C:\WINDOWS, create the nine necessary [hash] [Unrestricted] rules, each with its matching path rule:
Hash [explorer.exe]   Path [exp??rer.*]
Hash [hh.exe]         Path [hh.*]
Hash [notepad.exe]    Path [n*tepad.*]
Hash [regedit.exe]    Path [reged*t.*]
Hash [taskman.exe]    Path [taskman.*]
Hash [twunk_16.exe]   Path [tw*k_16.exe]
Hash [twunk_32.exe]   Path [tw*k_32.*]
Hash [winhelp.exe]    Path [w*?he*p.*]
Hash [winhlp32.exe]   Path [w*?h*p32.*]
Path C:\WINDOWS\*.exe
Path C:\WINDOWS\*.*

IV. C:\WINDOWS\system32 directory

1.
Path C:\WINDOWS\system32\drivers
Path C:\WINDOWS\system32\config
The following two hash rules use files found under C:\WINDOWS\system32\wbem:
Hash wmiprvse.exe
Hash wmiapsrv.exe
Path C:\WINDOWS\system32\wbem

2. The 14 files with the .COM suffix under C:\windows\system32:
Hash
[More.com]
[Chcp.com]
[Command.com]
[Diskcomp.com]
[Diskcopy.com]
[Format.com]
[Graftabl.com]
[Graphics.com]
[Kb16.com]
[Loadfix.com]
[Mode.com]
[Tree.com]
[Win.com]
[Edit.com]
Path
C:\windows\system32\*.com

3. Files in C:\windows\SYSTEM32, with a path rule for each hash rule:
Hash [Csrss.exe]      Path csr*.*
Hash [Winlogon.exe]   Path win*g*.*
Hash [Services.exe]   Path serv*.*
Hash [Svchost.exe]    Path svch*t.*
Hash [Spoolsv.exe]    Path sp*sv.*
Hash [Cmd.exe]        Path cmd.*
Hash [Notepad.exe]    Path n*tepad.*
Hash [Alg.exe]        Path ?g.*
Hash [Conime.exe]     Path c*n*me.*
Hash [Dllhost.exe]    Path dllh*st.*
Hash [Dxdiag.exe]     Path dxd*.*
Hash [Progman.exe]    Path pr*gman.*
Hash [Regedt32.exe]   Path regedt32.*
Hash [Runas.exe]      Path runa*.*
Hash [Taskmgr.exe]    Path task*.*
Hash [User.exe]       Path use?.*
Hash [Sndvol32.exe]   Path sndv*.*
Hash [Lsass.exe]      Path lsas*.*
Hash [Smss.exe]       Path smss.*
Hash [Rundll32.exe]   Path rund*.*
Create a path rule for each hash rule.

Appendix: Detailed creation of some path rules and hash rules


00 Hash NTDETECT.COM, Unrestricted
01 Path %USERPROFILE%\Desktop\*.*, Disallowed
Prevents running any file on the current user's desktop.
02 Path %USERPROFILE%\Local Settings\Temp\*.*, Disallowed
Prevents running any file in the current user's temporary directory, excluding subdirectories.
03 Path %USERPROFILE%\Local Settings\Temporary Internet Files\*.*, Disallowed
Prevents running any file in the current user's Temporary Internet Files directory, excluding subdirectories.
04 Path *.BAT, Disallowed
Prevents batch files from running in any path.
05 Path *.SCR, Disallowed
Prevents .scr (screen saver) files from running in any path.
06 Path C:\*.*, Disallowed
Prevents running any file in the root directory of C:.
07 Path C:\Program Files\*.*, Disallowed
There should be no executable files in this directory! Prevents running any file at this directory level, not including subdirectories.
08 Path C:\Program Files\Common Files\*.*, Disallowed
There should be no executable files in this directory! Prevents running any file at this directory level, not including subdirectories.
09 Path C:\WINDOWS\Temp\*.*, Disallowed
Prevents running any file in the Windows temporary directory.
