也谈隐藏盘符等windows 的管理员的策略实现

最新推荐文章于 2022-07-07 14:10:58 发布

枫舞的季节

最新推荐文章于 2022-07-07 14:10:58 发布

阅读量1.4k

点赞数

分类专栏：系统编程文章标签： windows策略隐藏盘符

本文链接：https://blog.csdn.net/justin_bkdrong/article/details/35569847

版权

系统编程专栏收录该内容

13 篇文章 0 订阅

订阅专栏

网上的文章都知道在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 目录下有控制隐藏驱动器隐藏控制面板的键值,通过修改这些键值来控制是否可以改变windows的配置或者权限，或者掩藏或者显示什么。（必须要重新启动）那么谁来控制这个开关呢？

通过自己的调试追踪到如下的栈

# ChildEBP RetAddr Args to Child

00 0235f134 7602ed30 00000528 765aebe0 00000000 Sandboxdll!Mine_RegQueryValueExW+0xca [e:\ronggf\work\branches\minsheng\client_windows\src\hooklib\hook_advapi32.cpp @ 365]

WARNING: Stack unwind information not available. Following frames may be wrong.

01 0235f178 7602e977 00000528 765aebe0 0000ffff SHLWAPI!PathIsRelativeW+0xdf

02 0235f1bc 7602aed2 80000002 0235f210 765aebe0 SHLWAPI!SHRegGetValueW+0xe3

03 0235f1e0 7602b97e 80000002 0235f210 765aebe0 SHLWAPI!SHGetValueW+0x21

04 0235f41c 76024a79 00000000 765af510 765aebe0 SHLWAPI!Ordinal271+0x69

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\SHELL32.dll -

05 0235f43c 765aedb7 00000100 00000000 765aedc0 SHLWAPI!StrCmpNIW+0x40

06 0235f45c 766b1026 00000100 0235f4b8 00000004 SHELL32!SHRestricted+0x24

07 0235f474 766b07b3 00000000 02d80e68 00000000 SHELL32!Ordinal744+0x32a1

08 0235f494 766b0476 0235f4b8 02d36040 02d36010 SHELL32!Ordinal744+0x2a2e

09 0235f4e8 765685e5 02d80e68 00000001 0235f574 SHELL32!Ordinal744+0x26f1

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\explorerframe.dll -

0a 0235f538 7198d77d 02d36010 00000001 0235f574 SHELL32!OpenRegStream+0x1652

0b 0235f5b0 7198041e 02a5c2e0 01000000 80000000 explorerframe!Ordinal110+0xe380

0c 0235f5d0 765d619e 02a5c2f4 7fffffff 02a63668 explorerframe!Ordinal110+0x1021

0d 0235f5ec 765d6109 0235f628 00000000 02ac0fb8 SHELL32!SHCreateItemFromIDList+0x166

0e 0235f634 765caaa8 0235f64c 7602b6cf 02a63668 SHELL32!SHCreateItemFromIDList+0xd1

0f 0235f63c 7602b6cf 02a63668 0030e150 0235f6c0 SHELL32!Ordinal95+0x2274

10 0235f64c 771ab5e9 02ac0fb8 752c3f68 00294448 SHLWAPI!PathBuildRootW+0x4c

11 0235f6c0 771ae8d1 02ac0fb8 0030e150 752c3188 ntdll!RtlTestBit+0x21c

12 0235f820 75f81194 00294440 0235f86c 771db3f5 ntdll!RtlIsCriticalSectionLockedByThread+0x474

13 0235f82c 771db3f5 00294440 752c31c4 00000000 kernel32!BaseThreadInitThunk+0x12

14 0235f86c 771db3c8 771ad63e 00294440 00000000 ntdll!RtlInitializeExceptionChain+0x63

15 0235f884 00000000 771ad63e 00294440 00000000 ntdll!RtlInitializeExceptionChain+0x36

从 SHELL32.dll 的函数 SHRestricted开始，转到读取策略注册表键值上去的，我们来看看 SHRestricted 的逆向

.text:7387F02B _SHRestricted@4 proc near ; CODE XREF: CMenuItemsCache::RefreshCachedDarwinShortcuts(int)+Dp
.text:7387F02B                                         ; CDesktopBrowser::_ActivateView(void)+3Dp ...
.text:7387F02B
.text:7387F02B rest            = dword ptr 8
.text:7387F02B
.text:7387F02B                 mov     edi, edi
.text:7387F02D                 push    ebp
.text:7387F02E                 mov     ebp, esp
.text:7387F030                 push    offset ?g_lRestrictionsVersionNumber@@3JA ; long g_lRestrictionsVersionNumber
.text:7387F035                 push    9Ch
.text:7387F03A                 push    offset ?g_rgRestrictionItemValues@@3PAKA ; ulong * g_rgRestrictionItemValues
.text:7387F03F                 push    offset unk_7387F058
.text:7387F044                 push    0
.text:7387F046                 push    [ebp+rest]
.text:7387F049                 call    ds:__imp__SHRestrictionLookup@24 ; SHRestrictionLookup(x,x,x,x,x,x)
.text:7387F04F                 pop     ebp
.text:7387F050                 retn    4
.text:7387F050 _SHRestricted@4 endp

在其中调用了 SHLAPI.DLL 中的 SHRestrictionLookup

SHRestrictionLookup

函数如下：

int __stdcall SHRestrictionLookup(int a1, LPCWSTR pszDir, int a3, void *Dst, int a5, int a6)

{

char *v6; // edi@7

int v7; // ebx@1

unsigned int v8; // eax@2

int v9; // edx@3

v7 = 0;

if ( !g_bDllTerminating )

{

_ValidateRestrictionTable(Dst, a5, a6);

v8 = 0;

if ( (unsigned int)a5 > 0 )

{

v9 = a3;

while ( a1 != *(_DWORD *)v9 )

{

++v8;

v9 += 12;

if ( v8 >= a5 )

return v7;

}

v6 = (char *)Dst + 4 * v8;

v7 = *(_DWORD *)v6;

if ( *(_DWORD *)v6 == -1 )

{

v7 = SHGetRestriction(pszDir, *(LPCWSTR *)(a3 + 12 * v8 + 4), *(LPCWSTR *)(a3 + 12 * v8 + 8));

AcquireSRWLockExclusive(&g_csrwlockRestrictions);

if ( *(_DWORD *)a6 == SHGlobalCounterGetValue(GLOBALCOUNTER_RESTRICTIONS) )

*(_DWORD *)v6 = v7;

ReleaseSRWLockExclusive(&g_csrwlockRestrictions);

}

return v7;

}

会从注册表中获取值然后返回（如果没有获取 -1 没有获取），否则直接读取出来

在MSDN 中：

Determines whether a specified administrator policy is in effect. In many cases, applications need to modify certain behaviors in order to comply with the policies enacted by system administrators.

检测指定的管理员策略是否有效。在很多情况下，应用程序需要遵照系统管理员指定的策略依序修改某些行为。

系统行为是这个样子，如果我们的程序需要某些和系统行为不同，那么hook这个函数，并且返回和系统不同的值就能起到效果。