Recently, a new Windows 7 feature named AppLocker has become popular among anti-virus enthusiasts.
If you are a security expert, you know what a program is allowed to do and what is very dangerous. You also know which functions a program should have and which it should not. What you want is a solution that you set once and that never disturbs you afterwards. AppLocker is quite practical for security experts.
AppLocker settings window
If you don't know what AppLocker is, please see: http://edge.technet.com/Media/Windows-7--AppLocker-Chinese
I checked a lot of information and found that this function can be bypassed, but it is much more reliable than the original group policy.
Traditional Group Policy software restriction (SRP) is verified by the parent process through CreateProcess -> CreateProcessInternalW -> BasepCheckWinSaferRestrictions.
AppLocker (SRPv2) in Windows 7 is jointly controlled by a driver, discache, and a system service, AppIDSvc.
This program can bypass the AppLocker software restriction policy (SRPv2) on the Windows 7 Ultimate operating system, under the Administrator account and without elevation of permissions, to execute any program.
Theoretically, it can also bypass traditional Group Policy software restriction (SRP) to execute arbitrary programs.
Download the DEMO program from SkyDrive: http://cid-ad319598642e8326.skydrive.live.com/self.aspx/Public/Others/BypassRestrictions.zip
Or Kaka Forum: http://bbs.ikaka.com/showtopic-8687866.aspx
The source code will not be sent. Everyone knows the shortcut keys for viewing the source code.
See: http://technet.microsoft.com/en-us/library/ee844115(WS.10).aspx
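
Because AppLocker (SRPv2) enforcement depends on the AppIDSvc service as described above, a defender can audit whether it is actually in force on a machine. The script below is an added example, not code from the original post or from the DEMO program. It uses the built-in AppLocker cmdlets, and the test path `C:\Windows\System32\notepad.exe` is only a sample chosen for illustration.

```powershell
# Added example: audit the local AppLocker (SRPv2) enforcement state.
# Run from an elevated PowerShell prompt (PowerShell 2.0 on Windows 7 is enough).
Import-Module AppLocker

# 1. Rules are only enforced while the Application Identity service (AppIDSvc) runs.
$svc = Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'"
"AppIDSvc state: {0}, start mode: {1}" -f $svc.State, $svc.StartMode
if ($svc.State -ne 'Running') {
    Write-Warning 'AppIDSvc is not running: AppLocker rules are not being enforced.'
}

# 2. Effective policy: enforcement mode and rule count for each rule collection.
$policy = Get-AppLockerPolicy -Effective
foreach ($collection in $policy.RuleCollections) {
    "{0,-10} mode={1,-14} rules={2}" -f $collection.RuleCollectionType,
        $collection.EnforcementMode, $collection.Count
    if ($collection.EnforcementMode -ne 'Enabled') {
        Write-Warning "$($collection.RuleCollectionType) rules are not in enforce mode."
    }
    # Show which SID each rule applies to, so broad Allow rules stand out.
    foreach ($rule in $collection) {
        "    {0,-6} {1,-14} {2}" -f $rule.Action, $rule.UserOrGroupSid, $rule.Name
    }
}

# 3. Ask the policy engine what it would decide for a sample file and user.
$samplePath = 'C:\Windows\System32\notepad.exe'   # sample path, an assumption
$policy | Test-AppLockerPolicy -Path $samplePath -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# 4. Recent AppLocker events: 8003 = would have been blocked (audit mode),
#    8004 = blocked (enforce mode).
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { 8003, 8004 -contains $_.Id } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

A program that ran even though step 3 reports it as denied, with no matching 8004 event in step 4, is the situation worth investigating.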