-
Notifications
You must be signed in to change notification settings - Fork 121
/
GetProcessMitigationPolicyForWin8.cpp
157 lines (140 loc) · 6.01 KB
/
GetProcessMitigationPolicyForWin8.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
#include <windows.h>
#pragma comment(lib,"Advapi32.lib")
#define ProcessMitigationPolicy 52
typedef int ProcessInformationClass;
typedef NTSTATUS(NTAPI * _NtQueryInformationProcess)(
HANDLE ProcessHandle,
ProcessInformationClass informationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
);
typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION
{
PROCESS_MITIGATION_POLICY Policy;
union
{
PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy;
PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy;
PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy;
PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy;
PROCESS_MITIGATION_DYNAMIC_CODE_POLICY DynamicCodePolicy;
// PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY ControlFlowGuardPolicy;
PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy;
// PROCESS_MITIGATION_FONT_DISABLE_POLICY FontDisablePolicy;
// PROCESS_MITIGATION_IMAGE_LOAD_POLICY ImageLoadPolicy;
// PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy;
// PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy;
// PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy;
// PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY SideChannelIsolationPolicy;
};
} PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION;
BOOL EnableDebugPrivilege(BOOL fEnable)
{
BOOL fOk = FALSE;
HANDLE hToken;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
{
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
fOk = (GetLastError() == ERROR_SUCCESS);
CloseHandle(hToken);
}
return(fOk);
}
int main(int argc, char *argv[])
{
if (argc != 2)
{
printf("\nCheck the ProcessMitigationPolicy of the selected process.\n");
printf("Usage:\n");
printf(" %s <pid>\n", argv[0]);
return 0;
}
if (!EnableDebugPrivilege(TRUE))
{
printf("[!] AdjustTokenPrivileges Failed.<%d>\n", GetLastError());
return 0;
}
DWORD pid;
sscanf_s(argv[1], "%d", &pid);
printf("[*] TargetPID:%d\n", pid);
HANDLE hProcess;
hProcess = GetCurrentProcess();
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (hProcess == NULL)
{
printf("[!] OpenProcess Failed.<%d>\n", GetLastError());
return 0;
}
_NtQueryInformationProcess NtQueryInformationProcess = (_NtQueryInformationProcess)GetProcAddress(GetModuleHandleA("NtDll.dll"), "NtQueryInformationProcess");
if (!NtQueryInformationProcess)
{
printf("[!] Could not find NtQueryInformationProcess entry point in NTDLL.DLL\n");
return 0;
}
NTSTATUS status;
PROCESS_MITIGATION_POLICY_INFORMATION policyInfo;
policyInfo.Policy = ProcessASLRPolicy;
status = NtQueryInformationProcess(hProcess, ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION), NULL);
if (status < 0)
{
printf("[!] NtQueryInformationProcess error\n");
return 0;
}
printf("ProcessASLRPolicy:\n");
printf(" EnableBottomUpRandomization %u\n", policyInfo.ASLRPolicy.EnableBottomUpRandomization);
printf(" EnableForceRelocateImages %u\n", policyInfo.ASLRPolicy.EnableForceRelocateImages);
printf(" EnableHighEntropy %u\n", policyInfo.ASLRPolicy.EnableHighEntropy);
printf(" DisallowStrippedImages %u\n", policyInfo.ASLRPolicy.DisallowStrippedImages);
policyInfo.Policy = ProcessStrictHandleCheckPolicy;
status = NtQueryInformationProcess(hProcess, ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION), NULL);
if (status < 0)
{
printf("[!] NtQueryInformationProcess error\n");
return 0;
}
printf("ProcessStrictHandleCheckPolicy:\n");
printf(" HandleExceptionsPermanentlyEnabled %u\n", policyInfo.StrictHandleCheckPolicy.HandleExceptionsPermanentlyEnabled);
printf(" RaiseExceptionOnInvalidHandleReference %u\n", policyInfo.StrictHandleCheckPolicy.RaiseExceptionOnInvalidHandleReference);
policyInfo.Policy = ProcessSystemCallDisablePolicy;
status = NtQueryInformationProcess(hProcess, ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION), NULL);
if (status < 0)
{
printf("[!] NtQueryInformationProcess error\n");
return 0;
}
printf("ProcessSystemCallDisablePolicy:\n");
printf(" DisallowWin32kSystemCalls %u\n", policyInfo.SystemCallDisablePolicy.DisallowWin32kSystemCalls);
policyInfo.Policy = ProcessExtensionPointDisablePolicy;
status = NtQueryInformationProcess(hProcess, ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION), NULL);
if (status < 0)
{
printf("[!] NtQueryInformationProcess error\n");
return 0;
}
printf("ProcessExtensionPointDisablePolicy:\n");
printf(" DisableExtensionPoints %u\n", policyInfo.ExtensionPointDisablePolicy.DisableExtensionPoints);
policyInfo.Policy = ProcessDynamicCodePolicy;
status = NtQueryInformationProcess(hProcess, ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION), NULL);
if (status < 0)
{
printf("[!] NtQueryInformationProcess error\n");
return 0;
}
printf("ProcessDynamicCodePolicy:\n");
printf(" ProhibitDynamicCode %u\n", policyInfo.DynamicCodePolicy.ProhibitDynamicCode);
policyInfo.Policy = ProcessSignaturePolicy;
status = NtQueryInformationProcess(hProcess, ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION), NULL);
if (status < 0)
{
printf("[!] NtQueryInformationProcess error\n");
return 0;
}
printf("ProcessSignaturePolicy:\n");
printf(" MicrosoftSignedOnly %u\n", policyInfo.SignaturePolicy.MicrosoftSignedOnly);
return 0;
}