Added new cmdlet and overhauled the New-WDACConfig
Added new cmdlet and overhauled the New-WDACConfig
Showing
13 changed files
with
393 additions
and
596 deletions.
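--- a/WDACConfig/WDACConfig Module Files/C#/WldpQuerySecurityPolicy.cs
+++ b/WDACConfig/WDACConfig Module Files/C#/WldpQuerySecurityPolicy.cs
@@ -0,0 +1,43 @@
+using System;
+using System.Runtime.InteropServices;
+
+namespace WDACConfig
+{
+    public enum WLDP_SECURE_SETTING_VALUE_TYPE
+    {
+        WldpBoolean = 0,
+        WldpInteger = 1,
+        WldpNone = 2,
+        WldpString = 3,
+        WldpFlag = 4
+    }
+
+    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+    public struct UNICODE_STRING
+    {
+        public ushort Length;
+        public ushort MaximumLength;
+        public IntPtr Buffer;
+    }
+
+    public class WldpQuerySecurityPolicyWrapper
+    {
+        [DllImport("Wldp.dll", CharSet = CharSet.Unicode)]
+        public static extern int WldpQuerySecurityPolicy(
+            ref UNICODE_STRING Provider,
+            ref UNICODE_STRING Key,
+            ref UNICODE_STRING ValueName,
+            out WLDP_SECURE_SETTING_VALUE_TYPE ValueType,
+            IntPtr Value,
+            ref uint ValueSize);
+
+        public static UNICODE_STRING InitUnicodeString(string s)
+        {
+            UNICODE_STRING us;
+            us.Length = (ushort)(s.Length * 2);
+            us.MaximumLength = (ushort)((s.Length * 2) + 2);
+            us.Buffer = Marshal.StringToHGlobalUni(s);
+            return us;
+        }
+    }
+}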
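Review bot: `InitUnicodeString` silently truncates when it casts `s.Length * 2` and `(s.Length * 2) + 2` to `ushort`, so any input longer than 32766 UTF-16 units produces a UNICODE_STRING whose Length and MaximumLength no longer describe the buffer it points to, and a null `s` throws NullReferenceException on `s.Length` before anything is allocated. Two guards at the top of the method make both failures explicit instead of handing a mis-sized descriptor to a native call: `if (s is null) throw new ArgumentNullException(nameof(s));` and `if (s.Length > (ushort.MaxValue - 2) / 2) throw new ArgumentOutOfRangeException(nameof(s));`. The method also returns an HGlobal allocation that the caller owns; a `/// <summary>` stating that `Buffer` must be released with `Marshal.FreeHGlobal` (and that the buffer written by `StringToHGlobalUni` is NUL-terminated, which is why MaximumLength is Length + 2) would help the PowerShell side that does the freeing. The `WldpQuerySecurityPolicy` declaration has no documentation either; a one-line summary noting that the return value is a status code (0 on success, per how the caller treats it) and that `ValueSize` is in/out — buffer size on entry, bytes written on return, to be confirmed against the native contract since the hunk does not show it — would be worth adding.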
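--- a/WDACConfig/WDACConfig Module Files/Core/Get-CIPolicySetting.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Get-CIPolicySetting.psm1
@@ -0,0 +1,105 @@
+Function Get-CIPolicySetting {
+    [CmdletBinding()]
+    [OutputType([PSCustomObject])]
+    Param(
+        [Parameter(Mandatory = $true)][System.String]$Provider,
+        [Parameter(Mandatory = $true)][System.String]$Key,
+        [Parameter(Mandatory = $true)][System.String]$ValueName
+    )
+    Begin {
+        # Import the required C# type if it hasn't already been imported
+        if (-NOT ('WDACConfig.WldpQuerySecurityPolicy' -as [System.Type]) ) {
+            Add-Type -Path "$ModuleRootPath\C#\WldpQuerySecurityPolicy.cs"
+        }
+    }
+    Process {
+        try {
+            # Create UNICODE_STRING structures
+            $ProviderUS = [WDACConfig.WldpQuerySecurityPolicyWrapper]::InitUnicodeString($Provider)
+            $KeyUS = [WDACConfig.WldpQuerySecurityPolicyWrapper]::InitUnicodeString($Key)
+            $ValueNameUS = [WDACConfig.WldpQuerySecurityPolicyWrapper]::InitUnicodeString($ValueName)
+
+            # Prepare output variables
+            $ValueType = [WDACConfig.WLDP_SECURE_SETTING_VALUE_TYPE]::WldpNone
+            $ValueSize = [System.UInt64]1024
+            $Value = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($ValueSize)
+
+            $Result = [WDACConfig.WldpQuerySecurityPolicyWrapper]::WldpQuerySecurityPolicy([ref]$ProviderUS, [ref]$KeyUS, [ref]$ValueNameUS, [ref]$ValueType, $Value, [ref]$ValueSize)
+
+            $DecodedValue = $null
+
+            if ($Result -eq 0) {
+                switch ($ValueType) {
+                    'WldpBoolean' {
+                        $DecodedValue = [System.Runtime.InteropServices.Marshal]::ReadByte($Value) -ne 0
+                    }
+                    'WldpString' {
+                        $DecodedValue = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Value)
+                    }
+                    'WldpInteger' {
+                        $DecodedValue = [System.Runtime.InteropServices.Marshal]::ReadInt32($Value)
+                    }
+                }
+            }
+
+            Return [PSCustomObject]@{
+                Value      = $DecodedValue
+                ValueType  = $ValueType
+                ValueSize  = $ValueSize
+                Status     = $Result -eq 0 ? $true : $false
+                StatusCode = $Result
+            }
+        }
+        finally {
+            # Clean up
+            [System.Runtime.InteropServices.Marshal]::FreeHGlobal($ProviderUS.Buffer)
+            [System.Runtime.InteropServices.Marshal]::FreeHGlobal($KeyUS.Buffer)
+            [System.Runtime.InteropServices.Marshal]::FreeHGlobal($ValueNameUS.Buffer)
+            [System.Runtime.InteropServices.Marshal]::FreeHGlobal($Value)
+        }
+    }
+    <#
+    .SYNOPSIS
+        Gets the secure settings value from the deployed CI policies.
+        If there is a policy with the same provider, key and value then it returns the following details:
+        Value = The actual value of the string
+        ValueType = The type of setting: WldpString, WldpInteger or WldpBoolean
+        ValueSize = the size of the retured value
+        Status = True/False depending on whether the setting exists on the system or not
+        StatusCode = 0 if the value exists on the system, non-zero if it doesn't.
+    .DESCRIPTION
+        Please use the following resources for more information
+        https://learn.microsoft.com/en-us/powershell/module/configci/set-cipolicysetting
+        https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/understanding-wdac-policy-settings
+    .LINK
+        https://github.com/HotCakeX/Harden-Windows-Security/wiki/Get-CIPolicySetting
+    .INPUTS
+        System.String
+    .OUTPUTS
+        PSCustomObject
+    .EXAMPLE
+        The following examples are for creating the secure settings in a Code Integrity policy
+        Set-CIPolicySetting -FilePath 'Policy.xml' -Provider 'WDACConfig' -ValueType 'Boolean' -Value '1' -ValueName 'IsUserModePolicy' -Key '{4a981f19-1f7f-4167-b4a6-915765e34fd6}'
+        Set-CIPolicySetting -FilePath 'Policy.xml' -Provider 'SomeProvider' -ValueType 'String' -Value 'HotCakeX' -ValueName 'Author' -Key '{495e96a3-f6e0-4e7e-bf48-e8b6085b824a}'
+        Set-CIPolicySetting -FilePath 'Policy.xml' -Provider 'Provider2' -ValueType 'DWord' -Value '66' -ValueName 'Role' -Key '{741b1fcf-e1ce-49e4-a274-5c367b46b00c}'
+    .EXAMPLE
+        The following examples are for using the Get-CIPolicySetting cmdlet to query the secure strings among the deployed policies on the system.
+        Get-CIPolicySetting -Provider 'WDACConfig' -Key '{4a981f19-1f7f-4167-b4a6-915765e34fd6}' -ValueName 'IsUserModePolicy'
+        Get-CIPolicySetting -Provider 'SomeProvider' -ValueName 'Author' -Key '{495e96a3-f6e0-4e7e-bf48-e8b6085b824a}'
+        Get-CIPolicySetting -Provider 'Provider2' -ValueName 'Role' -Key '{741b1fcf-e1ce-49e4-a274-5c367b46b00c}'
+    .NOTES
+        Note-1
+        Since these settings are secured by Secure Boot, in order to successfully query these settings, you must restart once after deploying the CI Policy on the system.
+        Note-2
+        DWord value is the same as integer or WldpInteger
+        Note-3
+        In order to set a Boolean value using the Set-CIPolicySetting cmdlet, you need to use 1 for True or 0 for False, that will create a valid policy XML file that is compliant with the CI Policy Schema.
+    #>
+}
+Export-ModuleMember -Function 'Get-CIPolicySetting'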
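Review bot: The type-presence check in `Begin` tests `'WDACConfig.WldpQuerySecurityPolicy' -as [System.Type]`, but the class the C# source in this commit defines is `WDACConfig.WldpQuerySecurityPolicyWrapper`, so the guard never succeeds and `Add-Type -Path` runs on every call; once the types are loaded in a session that re-compile is expected to fail with a duplicate-type error, so the line should read `if (-NOT ('WDACConfig.WldpQuerySecurityPolicyWrapper' -as [System.Type]) ) {`. The `WldpString` branch decodes with `PtrToStringUni($Value)`, which scans for a NUL terminator and is not bounded by the 1024-byte `AllocHGlobal` block; since `$ValueSize` is passed by reference and presumably holds the returned size, a length-bounded read such as `[System.Runtime.InteropServices.Marshal]::PtrToStringUni($Value, [int]($ValueSize / 2)).TrimEnd([char]0)` keeps the read inside the buffer — confirm against the native API whether the size includes the terminator. `$ValueSize` is also declared as `[System.UInt64]1024` while the P/Invoke parameter is `ref uint`; declaring it `[System.UInt32]1024` avoids depending on the binder's by-ref conversion, and a non-zero `$Result` with an updated `$ValueSize` (buffer too small) is currently reported as "not found", which a comment on the `if ($Result -eq 0)` branch should at least acknowledge. Minor style: `Status = $Result -eq 0 ? $true : $false` is just `Status = ($Result -eq 0)`.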