Articles online all point out that under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer there are values that control things such as hiding drives and hiding Control Panel; by modifying these values you control whether the Windows configuration or permissions can be changed, and what is hidden or shown (a restart is required). So who actually controls this switch?
By debugging and tracing it myself, I reached the following stack:
# ChildEBP RetAddr  Args to Child
00 0235f134 7602ed30 00000528 765aebe0 00000000 Sandboxdll!Mine_RegQueryValueExW+0xca [e:\ronggf\work\branches\minsheng\client_windows\src\hooklib\hook_advapi32.cpp @ 365]
WARNING: Stack unwind information not available. Following frames may be wrong.
01 0235f178 7602e977 00000528 765aebe0 0000ffff SHLWAPI!PathIsRelativeW+0xdf
02 0235f1bc 7602aed2 80000002 0235f210 765aebe0 SHLWAPI!SHRegGetValueW+0xe3
03 0235f1e0 7602b97e 80000002 0235f210 765aebe0 SHLWAPI!SHGetValueW+0x21
04 0235f41c 76024a79 00000000 765af510 765aebe0 SHLWAPI!Ordinal271+0x69
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\SHELL32.dll -
05 0235f43c 765aedb7 00000100 00000000 765aedc0 SHLWAPI!StrCmpNIW+0x40
06 0235f45c 766b1026 00000100 0235f4b8 00000004 SHELL32!SHRestricted+0x24
07 0235f474 766b07b3 00000000 02d80e68 00000000 SHELL32!Ordinal744+0x32a1
08 0235f494 766b0476 0235f4b8 02d36040 02d36010 SHELL32!Ordinal744+0x2a2e
09 0235f4e8 765685e5 02d80e68 00000001 0235f574 SHELL32!Ordinal744+0x26f1
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\explorerframe.dll -
0a 0235f538 7198d77d 02d36010 00000001 0235f574 SHELL32!OpenRegStream+0x1652
0b 0235f5b0 7198041e 02a5c2e0 01000000 80000000 explorerframe!Ordinal110+0xe380
0c 0235f5d0 765d619e 02a5c2f4 7fffffff 02a63668 explorerframe!Ordinal110+0x1021
0d 0235f5ec 765d6109 0235f628 00000000 02ac0fb8 SHELL32!SHCreateItemFromIDList+0x166
0e 0235f634 765caaa8 0235f64c 7602b6cf 02a63668 SHELL32!SHCreateItemFromIDList+0xd1
0f 0235f63c 7602b6cf 02a63668 0030e150 0235f6c0 SHELL32!Ordinal95+0x2274
10 0235f64c 771ab5e9 02ac0fb8 752c3f68 00294448 SHLWAPI!PathBuildRootW+0x4c
11 0235f6c0 771ae8d1 02ac0fb8 0030e150 752c3188 ntdll!RtlTestBit+0x21c
12 0235f820 75f81194 00294440 0235f86c 771db3f5 ntdll!RtlIsCriticalSectionLockedByThread+0x474
13 0235f82c 771db3f5 00294440 752c31c4 00000000 kernel32!BaseThreadInitThunk+0x12
14 0235f86c 771db3c8 771ad63e 00294440 00000000 ntdll!RtlInitializeExceptionChain+0x63
15 0235f884 00000000 771ad63e 00294440 00000000 ntdll!RtlInitializeExceptionChain+0x36
Starting from the function SHRestricted in SHELL32.dll, the call chain goes on to read the policy values from the registry. Let's look at the disassembly of SHRestricted:
.text:7387F02B _SHRestricted@4 proc near        ; CODE XREF: CMenuItemsCache::RefreshCachedDarwinShortcuts(int)+D↑p
.text:7387F02B                                  ; CDesktopBrowser::_ActivateView(void)+3D↑p ...
.text:7387F02B
.text:7387F02B rest = dword ptr  8
.text:7387F02B
.text:7387F02B                 mov     edi, edi
.text:7387F02D                 push    ebp
.text:7387F02E                 mov     ebp, esp
.text:7387F030                 push    offset ?g_lRestrictionsVersionNumber@@3JA ; long g_lRestrictionsVersionNumber
.text:7387F035                 push    9Ch                                        ; number of table entries
.text:7387F03A                 push    offset ?g_rgRestrictionItemValues@@3PAKA  ; ulong * g_rgRestrictionItemValues
.text:7387F03F                 push    offset unk_7387F058                        ; restriction table
.text:7387F044                 push    0
.text:7387F046                 push    [ebp+rest]
.text:7387F049                 call    ds:__imp__SHRestrictionLookup@24           ; SHRestrictionLookup(x,x,x,x,x,x)
.text:7387F04F                 pop     ebp
.text:7387F050                 retn    4
.text:7387F050 _SHRestricted@4 endp
It simply calls SHRestrictionLookup in SHLWAPI.DLL.
The SHRestrictionLookup function looks like this:
int __stdcall SHRestrictionLookup(int a1, LPCWSTR pszDir, int a3, void *Dst, int a5, int a6)
{
    char *v6;
    int v7;
    unsigned int v8;
    int v9;

    v7 = 0;
    if ( !g_bDllTerminating )
    {
        _ValidateRestrictionTable(Dst, a5, a6);
        v8 = 0;
        if ( (unsigned int)a5 > 0 )
        {
            v9 = a3;
            while ( a1 != *(_DWORD *)v9 )       // walk the 12-byte table entries looking for restriction id a1
            {
                ++v8;
                v9 += 12;
                if ( v8 >= a5 )
                    return v7;                  // id not in the table: no restriction
            }
            v6 = (char *)Dst + 4 * v8;          // cached value slot for this entry
            v7 = *(_DWORD *)v6;
            if ( *(_DWORD *)v6 == -1 )          // -1 means "not fetched yet": read subkey/value from the registry
            {
                v7 = SHGetRestriction(pszDir, *(LPCWSTR *)(a3 + 12 * v8 + 4), *(LPCWSTR *)(a3 + 12 * v8 + 8));
                AcquireSRWLockExclusive(&g_csrwlockRestrictions);
                if ( *(_DWORD *)a6 == SHGlobalCounterGetValue(GLOBALCOUNTER_RESTRICTIONS) )
                    *(_DWORD *)v6 = v7;         // cache only if the restrictions generation did not change meanwhile
                ReleaseSRWLockExclusive(&g_csrwlockRestrictions);
            }
        }
    }
    return v7;
}
If the cached entry is -1 (not fetched yet), it fetches the value from the registry and returns it; otherwise it returns the cached value directly.
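The following is an added example, not Microsoft's code: a portable C re-implementation of the lookup-and-cache logic of SHRestrictionLookup shown above, with the registry replaced by a constructed in-memory table. It assumes that _ValidateRestrictionTable (whose body the page does not show) flushes the cache when the version number no longer matches the global restrictions counter; the restriction ids and values are made up for the demo. It shows why a bare registry edit is not seen until the counter moves (the "restart required" behaviour), and where a hook on the lookup would change what the shell believes.

```c
#include <stddef.h>
#include <string.h>

/* One table entry per policy: {restriction id, policy subkey, value name},
   like the 12-byte entries the decompiled loop walks. Ids are constructed. */
typedef struct { unsigned id; const char *subkey; const char *value; } RESTRICTION;
enum { NRESTRICT = 2 };
static const RESTRICTION g_table[NRESTRICT] = {
    { 0x40000001u, "Explorer", "NoDrives" },
    { 0x40000002u, "Explorer", "NoControlPanel" },
};
static unsigned g_cache[NRESTRICT] = { (unsigned)-1, (unsigned)-1 }; /* -1 = not fetched yet */
static unsigned g_version = 0;        /* plays g_lRestrictionsVersionNumber */
static unsigned g_global_counter = 0; /* plays SHGlobalCounterGetValue(GLOBALCOUNTER_RESTRICTIONS) */

/* Constructed stand-in for the Policies\Explorer values; the real code calls SHGetRestriction. */
static struct { const char *value; unsigned data; } g_registry[] = {
    { "NoDrives", 4 }, { "NoControlPanel", 0 },
};
static unsigned fake_get_restriction(const char *value) {
    for (size_t i = 0; i < sizeof g_registry / sizeof g_registry[0]; i++)
        if (strcmp(g_registry[i].value, value) == 0) return g_registry[i].data;
    return 0; /* value absent: policy not set */
}
/* Simulated policy edit. notify=1 also bumps the global counter (what a policy
   refresh or restart does); notify=0 is a bare registry write nobody announced. */
void set_policy(const char *value, unsigned data, int notify) {
    for (size_t i = 0; i < sizeof g_registry / sizeof g_registry[0]; i++)
        if (strcmp(g_registry[i].value, value) == 0) g_registry[i].data = data;
    if (notify) g_global_counter++;
}
/* Assumed behaviour of _ValidateRestrictionTable: drop the cache when the counter moved. */
static void validate_table(void) {
    if (g_version == g_global_counter) return;
    for (size_t i = 0; i < NRESTRICT; i++) g_cache[i] = (unsigned)-1;
    g_version = g_global_counter;
}
/* Mirrors SHRestrictionLookup: find the id, serve from cache, else read and cache. */
unsigned restriction_lookup(unsigned id) {
    validate_table();
    for (size_t i = 0; i < NRESTRICT; i++) {
        if (g_table[i].id != id) continue;
        unsigned v = g_cache[i];
        if (v == (unsigned)-1) {
            v = fake_get_restriction(g_table[i].value);
            if (g_version == g_global_counter) g_cache[i] = v; /* skip caching if a change raced us */
        }
        return v;
    }
    return 0; /* unknown id: no restriction, as in the original */
}
```

A hook on SHRestricted or on the underlying registry read only has to influence this one cached value per restriction id, which is why the post's approach works and why a defender auditing policy enforcement should compare the live registry against what the shell actually reports.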
MSDN describes SHRestricted as follows:
Determines whether a specified administrator policy is in effect. In many cases, applications need to modify certain behaviors in order to comply with the policies enacted by system administrators.
That is how the system behaves. If our program needs to behave differently from the system, hooking this function and returning a value different from the system's is enough to achieve that.