Added new cmdlet and overhauled the New-WDACConfig

HotCakeX · May 24, 2024 · a9e93f9 · a9e93f9
1 parent 2c8be17
commit a9e93f9
Show file tree

Hide file tree

Showing 13 changed files with 393 additions and 596 deletions.
diff --git a/WDACConfig/WDACConfig Module Files/C#/WldpQuerySecurityPolicy.cs b/WDACConfig/WDACConfig Module Files/C#/WldpQuerySecurityPolicy.cs
@@ -0,0 +1,43 @@
+using System;
+using System.Runtime.InteropServices;
+
+namespace WDACConfig
+{
+    public enum WLDP_SECURE_SETTING_VALUE_TYPE
+    {
+        WldpBoolean = 0,
+        WldpInteger = 1,
+        WldpNone = 2,
+        WldpString = 3,
+        WldpFlag = 4
+    }
+
+    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+    public struct UNICODE_STRING
+    {
+        public ushort Length;
+        public ushort MaximumLength;
+        public IntPtr Buffer;
+    }
+
+    public class WldpQuerySecurityPolicyWrapper
+    {
+        [DllImport("Wldp.dll", CharSet = CharSet.Unicode)]
+        public static extern int WldpQuerySecurityPolicy(
+            ref UNICODE_STRING Provider,
+            ref UNICODE_STRING Key,
+            ref UNICODE_STRING ValueName,
+            out WLDP_SECURE_SETTING_VALUE_TYPE ValueType,
+            IntPtr Value,
+            ref uint ValueSize);
+
+        public static UNICODE_STRING InitUnicodeString(string s)
+        {
+            UNICODE_STRING us;
+            us.Length = (ushort)(s.Length * 2);
+            us.MaximumLength = (ushort)((s.Length * 2) + 2);
+            us.Buffer = Marshal.StringToHGlobalUni(s);
+            return us;
+        }
+    }
+}
diff --git a/WDACConfig/WDACConfig Module Files/Core/Edit-SignedWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Edit-SignedWDACConfig.psm1
@@ -135,7 +135,6 @@ Function Edit-SignedWDACConfig {
             "$ModuleRootPath\Shared\Set-LogSize.psm1",
             "$ModuleRootPath\Shared\Test-FilePath.psm1",
             "$ModuleRootPath\Shared\Receive-CodeIntegrityLogs.psm1",
-            "$ModuleRootPath\Shared\Get-BlockRulesMeta.psm1",
             "$ModuleRootPath\Shared\New-SnapBackGuarantee.psm1",
             "$ModuleRootPath\Shared\New-StagingArea.psm1"
         )

diff --git a/WDACConfig/WDACConfig Module Files/Core/Edit-WDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Edit-WDACConfig.psm1
@@ -108,7 +108,6 @@ Function Edit-WDACConfig {
             "$ModuleRootPath\Shared\Set-LogSize.psm1",
             "$ModuleRootPath\Shared\Test-FilePath.psm1",
             "$ModuleRootPath\Shared\Receive-CodeIntegrityLogs.psm1",
-            "$ModuleRootPath\Shared\Get-BlockRulesMeta.psm1",
             "$ModuleRootPath\Shared\New-SnapBackGuarantee.psm1",
             "$ModuleRootPath\Shared\New-StagingArea.psm1",
             "$ModuleRootPath\Shared\Set-LogPropertiesVisibility.psm1",
@@ -453,7 +452,7 @@ Function Edit-WDACConfig {
                 # Copy the Supplemental policy to the user's config directory since Staging Area is a temporary location
                 Copy-Item -Path $SuppPolicyPath -Destination $UserConfigDir -Force
 
-                Write-FinalOutput $SuppPolicyPath
+                &$WriteFinalOutput $SuppPolicyPath
             }
 
             if ($MergeSupplementalPolicies) {

diff --git a/WDACConfig/WDACConfig Module Files/Core/Get-CIPolicySetting.psm1 b/WDACConfig/WDACConfig Module Files/Core/Get-CIPolicySetting.psm1
@@ -0,0 +1,105 @@
+Function Get-CIPolicySetting {
+    [CmdletBinding()]
+    [OutputType([PSCustomObject])]
+    Param(
+        [Parameter(Mandatory = $true)][System.String]$Provider,
+        [Parameter(Mandatory = $true)][System.String]$Key,
+        [Parameter(Mandatory = $true)][System.String]$ValueName
+    )
+    Begin {
+        # Import the required C# type if it hasn't already been imported
+        if (-NOT ('WDACConfig.WldpQuerySecurityPolicy' -as [System.Type]) ) {
+            Add-Type -Path "$ModuleRootPath\C#\WldpQuerySecurityPolicy.cs"
+        }
+    }
+    Process {
+        try {
+            # Create UNICODE_STRING structures
+            $ProviderUS = [WDACConfig.WldpQuerySecurityPolicyWrapper]::InitUnicodeString($Provider)
+            $KeyUS = [WDACConfig.WldpQuerySecurityPolicyWrapper]::InitUnicodeString($Key)
+            $ValueNameUS = [WDACConfig.WldpQuerySecurityPolicyWrapper]::InitUnicodeString($ValueName)
+
+            # Prepare output variables
+            $ValueType = [WDACConfig.WLDP_SECURE_SETTING_VALUE_TYPE]::WldpNone
+            $ValueSize = [System.UInt64]1024
+            $Value = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($ValueSize)
+
+            $Result = [WDACConfig.WldpQuerySecurityPolicyWrapper]::WldpQuerySecurityPolicy([ref]$ProviderUS, [ref]$KeyUS, [ref]$ValueNameUS, [ref]$ValueType, $Value, [ref]$ValueSize)
+
+            $DecodedValue = $null
+
+            if ($Result -eq 0) {
+                switch ($ValueType) {
+                    'WldpBoolean' {
+                        $DecodedValue = [System.Runtime.InteropServices.Marshal]::ReadByte($Value) -ne 0
+                    }
+                    'WldpString' {
+                        $DecodedValue = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Value)
+                    }
+                    'WldpInteger' {
+                        $DecodedValue = [System.Runtime.InteropServices.Marshal]::ReadInt32($Value)
+                    }
+                }
+            }
+
+            Return [PSCustomObject]@{
+                Value      = $DecodedValue
+                ValueType  = $ValueType
+                ValueSize  = $ValueSize
+                Status     = $Result -eq 0 ? $true : $false
+                StatusCode = $Result
+            }
+        }
+        finally {
+            # Clean up
+            [System.Runtime.InteropServices.Marshal]::FreeHGlobal($ProviderUS.Buffer)
+            [System.Runtime.InteropServices.Marshal]::FreeHGlobal($KeyUS.Buffer)
+            [System.Runtime.InteropServices.Marshal]::FreeHGlobal($ValueNameUS.Buffer)
+            [System.Runtime.InteropServices.Marshal]::FreeHGlobal($Value)
+        }
+    }
+    <#
+    .SYNOPSIS
+        Gets the secure settings value from the deployed CI policies.
+        If there is a policy with the same provider, key and value then it returns the following details:
+
+        Value = The actual value of the string
+        ValueType = The type of setting: WldpString, WldpInteger or WldpBoolean
+        ValueSize = the size of the retured value
+        Status = True/False depending on whether the setting exists on the system or not
+        StatusCode = 0 if the value exists on the system, non-zero if it doesn't.
+    .DESCRIPTION
+        Please use the following resources for more information
+
+        https://learn.microsoft.com/en-us/powershell/module/configci/set-cipolicysetting
+        https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/understanding-wdac-policy-settings
+    .LINK
+        https://github.com/HotCakeX/Harden-Windows-Security/wiki/Get-CIPolicySetting
+    .INPUTS
+        System.String
+    .OUTPUTS
+        PSCustomObject
+    .EXAMPLE
+        The following examples are for creating the secure settings in a Code Integrity policy
+
+        Set-CIPolicySetting -FilePath 'Policy.xml' -Provider 'WDACConfig' -ValueType 'Boolean' -Value '1' -ValueName 'IsUserModePolicy' -Key '{4a981f19-1f7f-4167-b4a6-915765e34fd6}'
+        Set-CIPolicySetting -FilePath 'Policy.xml' -Provider 'SomeProvider' -ValueType 'String' -Value 'HotCakeX' -ValueName 'Author' -Key '{495e96a3-f6e0-4e7e-bf48-e8b6085b824a}'
+        Set-CIPolicySetting -FilePath 'Policy.xml' -Provider 'Provider2' -ValueType 'DWord' -Value '66' -ValueName 'Role' -Key '{741b1fcf-e1ce-49e4-a274-5c367b46b00c}'
+    .EXAMPLE
+        The following examples are for using the Get-CIPolicySetting cmdlet to query the secure strings among the deployed policies on the system.
+
+        Get-CIPolicySetting -Provider 'WDACConfig' -Key '{4a981f19-1f7f-4167-b4a6-915765e34fd6}' -ValueName 'IsUserModePolicy'
+        Get-CIPolicySetting -Provider 'SomeProvider' -ValueName 'Author' -Key '{495e96a3-f6e0-4e7e-bf48-e8b6085b824a}'
+        Get-CIPolicySetting -Provider 'Provider2' -ValueName 'Role' -Key '{741b1fcf-e1ce-49e4-a274-5c367b46b00c}'
+    .NOTES
+        Note-1
+        Since these settings are secured by Secure Boot, in order to successfully query these settings, you must restart once after deploying the CI Policy on the system.
+
+        Note-2
+        DWord value is the same as integer or WldpInteger
+
+        Note-3
+        In order to set a Boolean value using the Set-CIPolicySetting cmdlet, you need to use 1 for True or 0 for False, that will create a valid policy XML file that is compliant with the CI Policy Schema.
+        #>
+}
+Export-ModuleMember -Function 'Get-CIPolicySetting'
diff --git a/WDACConfig/WDACConfig Module Files/Core/Invoke-WDACSimulation.psm1 b/WDACConfig/WDACConfig Module Files/Core/Invoke-WDACSimulation.psm1
@@ -15,7 +15,7 @@ Function Invoke-WDACSimulation {
                 # Ensure the selected path is a file path
                 if (Test-Path -LiteralPath $_ -PathType 'Leaf') {
                     # Ensure the selected file has a supported extension
-                    [System.IO.FileInfo]$SelectedFile = [FindWDACCompliantFiles]::SearchFiles($_)
+                    [System.IO.FileInfo]$SelectedFile = &$FindWDACCompliantFiles $_
                     # If the selected file has a supported extension, return $true
                     if ($SelectedFile) {
                         $true
@@ -169,7 +169,7 @@ Function Invoke-WDACSimulation {
             [System.IO.FileInfo]$CollectedFiles = Get-ChildItem -File -LiteralPath $FilePath
         }
         else {
-            [System.IO.FileInfo[]]$CollectedFiles = [FindWDACCompliantFiles]::SearchFiles($FolderPath)
+            [System.IO.FileInfo[]]$CollectedFiles = &$FindWDACCompliantFiles $FolderPath
         }
 
         # Make sure the selected directory contains files with the supported extensions