Beispiel #1
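 /// <summary>
 /// Queries the WLDP lockdown policy for a source file (or, when <paramref name="path"/> is null or empty,
 /// the system-wide policy) through the native WldpGetLockdownPolicy API.
 /// </summary>
 /// <param name="path">Path of the file being evaluated; null or empty queries the system-wide policy.</param>
 /// <param name="handle">Optional open handle to the file at <paramref name="path"/>; its raw value is handed to WLDP as hSource.</param>
 /// <returns>
 /// The enforcement mode WLDP reports for the source; Enforce when the native call returns a failure HRESULT;
 /// the debug lockdown policy when wldp.dll is not available.
 /// </returns>
 public static SystemEnforcementMode GetLockdownPolicy(string path, SafeHandle handle)
 {
     try
     {
         // Once wldp.dll has been found missing, stop calling into it and use the debug policy.
         if (hadMissingWldpAssembly)
         {
             return GetDebugLockdownPolicy(path);
         }

         WLDP_HOST_INFORMATION hostInformation = new WLDP_HOST_INFORMATION
         {
             dwRevision = 1,
             dwHostId = WLDP_HOST_ID.WLDP_HOST_ID_POWERSHELL
         };

         if (!string.IsNullOrEmpty(path))
         {
             hostInformation.szSource = path;

             if (handle != null)
             {
                 // Raw handle only; the SafeHandle stays owned (and released) by the caller.
                 hostInformation.hSource = handle.DangerousGetHandle();
             }
         }

         int lockdownState = 0;
         int result = WldpNativeMethods.WldpGetLockdownPolicy(ref hostInformation, ref lockdownState, 0);
         if (result < 0)
         {
             // On a failed HRESULT lockdownState is still its initial 0, and mapping that through
             // GetLockdownPolicyForResult would report a policy WLDP never produced. Fail closed instead,
             // the same way GetWldpPolicy treats a failed call.
             return SystemEnforcementMode.Enforce;
         }

         return GetLockdownPolicyForResult(lockdownState);
     }
     catch (DllNotFoundException)
     {
         hadMissingWldpAssembly = true;
         return GetDebugLockdownPolicy(path);
     }
 }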
        /// <summary>
        /// Gets lockdown policy as applied to a COM object.
        /// </summary>
        /// <param name="clsid">CLSID of the COM class being instantiated.</param>
        /// <returns>True if the COM object is allowed, False otherwise.</returns>
        internal static bool IsClassInApprovedList(Guid clsid)
        {
            // Only reached when AppLocker and/or WLDP enforce a system-wide lockdown. If WLDP itself is not in
            // Enforce mode the lockdown comes from AppLocker alone, which has no COM approval list: deny everything.
            SystemEnforcementMode wldpPolicy = s_cachedWldpSystemPolicy.GetValueOrDefault(SystemEnforcementMode.None);
            if (wldpPolicy != SystemEnforcementMode.Enforce)
            {
                return false;
            }

            // WLDP is enforcing system-wide; consult its COM approval list.
            try
            {
                WLDP_HOST_INFORMATION hostInformation = new WLDP_HOST_INFORMATION
                {
                    dwRevision = WldpNativeConstants.WLDP_HOST_INFORMATION_REVISION,
                    dwHostId = WLDP_HOST_ID.WLDP_HOST_ID_POWERSHELL
                };

                int isApproved = 0;
                int hr = WldpNativeMethods.WldpIsClassInApprovedList(ref clsid, ref hostInformation, ref isApproved, 0);

                // A failed call, or any answer other than 1, means "not approved".
                if (hr < 0 || isApproved != 1)
                {
                    return false;
                }

                // Testability hook: under the debug-override policy, report ADODB.Parameter
                // (0000050b-0000-0010-8000-00aa006d2ea4) as not allowed even though WLDP approved it.
                bool isAdodbParameter = string.Equals(clsid.ToString(), "0000050b-0000-0010-8000-00aa006d2ea4", StringComparison.OrdinalIgnoreCase);
                return !(s_allowDebugOverridePolicy && isAdodbParameter);
            }
            catch (DllNotFoundException)
            {
                // Testability hook for hosts without wldp.dll: this method runs only under global lockdown, where
                // MSXML2.DOMDocument (f6d90f11-9c73-11d3-b32e-00c04f990bb4) would not otherwise be reachable from
                // ConstrainedLanguage mode, so allow exactly that one class.
                return string.Equals(clsid.ToString(), "f6d90f11-9c73-11d3-b32e-00c04f990bb4", StringComparison.OrdinalIgnoreCase);
            }
        }
Beispiel #3
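 /// <summary>
 /// Asks WLDP whether the COM class identified by <paramref name="clsid"/> may be instantiated by this host.
 /// </summary>
 /// <param name="clsid">CLSID of the COM class to check.</param>
 /// <returns>
 /// True if WLDP approves the class; false otherwise, including when the native call returns a failure HRESULT.
 /// </returns>
 internal static bool IsClassInApprovedList(Guid clsid)
 {
     try
     {
         WLDP_HOST_INFORMATION hostInformation = new WLDP_HOST_INFORMATION
         {
             dwRevision = 1,
             dwHostId = WLDP_HOST_ID.WLDP_HOST_ID_POWERSHELL
         };

         int isApproved = 0;
         int result = WldpNativeMethods.WldpIsClassInApprovedList(ref clsid, ref hostInformation, ref isApproved, 0);

         // Only trust the out-value when the call itself succeeded; a failed HRESULT is treated as "not approved"
         // rather than relying on WLDP having left isApproved untouched.
         return result >= 0 && isApproved == 1;
     }
     catch (DllNotFoundException)
     {
         // Testability hook when wldp.dll is absent: the only class allowed is MSXML2.DOMDocument
         // (f6d90f11-9c73-11d3-b32e-00c04f990bb4).
         return string.Equals(clsid.ToString(), "f6d90f11-9c73-11d3-b32e-00c04f990bb4", StringComparison.OrdinalIgnoreCase);
     }
 }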
Beispiel #4
        /// <summary>
        /// Gets lockdown policy as applied to a COM object.
        /// </summary>
        /// <param name="clsid">CLSID of the COM class being instantiated.</param>
        /// <returns>True if the COM object is allowed, False otherwise.</returns>
        internal static bool IsClassInApprovedList(Guid clsid)
        {
            // Testability hook values (see the comments below for how each is used).
            const string AdodbParameterClsid = "0000050b-0000-0010-8000-00aa006d2ea4";
            const string MsxmlDomDocumentClsid = "f6d90f11-9c73-11d3-b32e-00c04f990bb4";
            string clsidText = clsid.ToString();

            try
            {
                WLDP_HOST_INFORMATION hostInformation = new WLDP_HOST_INFORMATION
                {
                    dwRevision = WldpNativeConstants.WLDP_HOST_INFORMATION_REVISION,
                    dwHostId = WLDP_HOST_ID.WLDP_HOST_ID_POWERSHELL
                };

                int isApproved = 0;
                int hr = WldpNativeMethods.WldpIsClassInApprovedList(ref clsid, ref hostInformation, ref isApproved, 0);

                // WLDP approved the class only if the call succeeded and answered 1.
                bool approvedByWldp = hr >= 0 && isApproved == 1;
                if (!approvedByWldp)
                {
                    return false;
                }

                // Testability hook: when the system policy came from the debug override, say that
                // ADODB.Parameter is not allowed even though WLDP approved it.
                if (s_wasSystemPolicyDebugPolicy
                    && string.Equals(clsidText, AdodbParameterClsid, StringComparison.OrdinalIgnoreCase))
                {
                    return false;
                }

                return true;
            }
            catch (DllNotFoundException)
            {
                // Testability hook for hosts without wldp.dll: this method runs only under global lockdown, where
                // MSXML2.DOMDocument would not otherwise be reachable from ConstrainedLanguage mode, so allow
                // exactly that one class.
                return string.Equals(clsidText, MsxmlDomDocumentClsid, StringComparison.OrdinalIgnoreCase);
            }
        }
Beispiel #5
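        /// <summary>
        /// Resolves a known-folder GUID to its file-system path via SHGetKnownFolderPath.
        /// </summary>
        /// <param name="knownFolderId">The KNOWNFOLDERID to resolve.</param>
        /// <returns>The folder path reported by the shell.</returns>
        /// <exception cref="System.IO.IOException">Thrown when SHGetKnownFolderPath returns a failure HRESULT.</exception>
        private static string GetKnownFolderPath(Guid knownFolderId)
        {
            IntPtr pszPath = IntPtr.Zero;

            try
            {
                int hr = WldpNativeMethods.SHGetKnownFolderPath(knownFolderId, 0, IntPtr.Zero, out pszPath);
                if (hr < 0)
                {
                    // Carry the HRESULT in the message so a failure is diagnosable instead of an empty IOException.
                    throw new System.IO.IOException($"SHGetKnownFolderPath failed for {knownFolderId} with HRESULT 0x{hr:X8}.");
                }

                // SHGetKnownFolderPath returns a PWSTR (UTF-16), so read it as Unicode rather than through the
                // platform-dependent "Auto" charset.
                return Marshal.PtrToStringUni(pszPath);
            }
            finally
            {
                // The shell allocates the string with CoTaskMemAlloc; it must be freed on every path. On failure the
                // API may leave the pointer null, which the check skips.
                if (pszPath != IntPtr.Zero)
                {
                    Marshal.FreeCoTaskMem(pszPath);
                }
            }
        }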
Beispiel #6
        /// <summary>
        /// Queries the WLDP lockdown policy for <paramref name="path"/>, or the system-wide policy when
        /// <paramref name="path"/> is null or empty. A system-wide result is cached in s_cachedWldpSystemPolicy.
        /// </summary>
        /// <param name="path">File being evaluated; null or empty means the system-wide policy.</param>
        /// <param name="handle">Optional open handle to that file, handed to WLDP as hSource; the caller keeps ownership.</param>
        /// <returns>
        /// The enforcement mode WLDP reports; Enforce when the native call fails; the cached system policy
        /// (default None) when wldp.dll is not available.
        /// </returns>
        private static SystemEnforcementMode GetWldpPolicy(string path, SafeHandle handle)
        {
            bool queryingSystemPolicy = string.IsNullOrEmpty(path);

            // Without wldp.dll (e.g. Windows 7 or earlier) there is no WLDP validation to do. Remember that so the
            // file probe is skipped on later calls, and fall back to whatever system policy was cached (default None).
            bool wldpMissing = s_hadMissingWldpAssembly
                || !IO.File.Exists(IO.Path.Combine(Environment.SystemDirectory, "wldp.dll"));
            if (wldpMissing)
            {
                s_hadMissingWldpAssembly = true;
                return s_cachedWldpSystemPolicy.GetValueOrDefault(SystemEnforcementMode.None);
            }

            // System-wide policy: serve it from the cache unless a test hook disables caching.
            if (queryingSystemPolicy
                && s_cachedWldpSystemPolicy.HasValue
                && !InternalTestHooks.BypassAppLockerPolicyCaching)
            {
                return s_cachedWldpSystemPolicy.Value;
            }

            try
            {
                WLDP_HOST_INFORMATION hostInformation = new WLDP_HOST_INFORMATION
                {
                    dwRevision = WldpNativeConstants.WLDP_HOST_INFORMATION_REVISION,
                    dwHostId = WLDP_HOST_ID.WLDP_HOST_ID_POWERSHELL
                };

                if (!queryingSystemPolicy)
                {
                    hostInformation.szSource = path;

                    if (handle != null)
                    {
                        // Raw handle only; the SafeHandle is neither released nor kept alive here.
                        hostInformation.hSource = handle.DangerousGetHandle();
                    }
                }

                uint lockdownState = 0;
                int hr = WldpNativeMethods.WldpGetLockdownPolicy(ref hostInformation, ref lockdownState, 0);
                if (hr < 0)
                {
                    // API failure: fail closed rather than report a state WLDP never produced.
                    return SystemEnforcementMode.Enforce;
                }

                SystemEnforcementMode policy = GetLockdownPolicyForResult(lockdownState);

                // Only the system-wide answer is cached; per-file answers are not.
                if (queryingSystemPolicy)
                {
                    s_cachedWldpSystemPolicy = policy;
                }

                return policy;
            }
            catch (DllNotFoundException)
            {
                s_hadMissingWldpAssembly = true;
                return s_cachedWldpSystemPolicy.GetValueOrDefault(SystemEnforcementMode.None);
            }
        }