private void LoadSecurity(RegistryKey regKey)
{
RegistrySecurity security = regKey.GetAccessControl();
this.Owner = security.GetOwner(typeof(NTAccount)).Value;
this.Access = RegistryControl.AccessRulesToString(security.GetAccessRules(true, false, typeof(NTAccount)));
this.Inherited = !security.AreAccessRulesProtected;
}
public void TakeOwnership(string regPath, RegistryHive registryHive)
{
var baseReg = RegistryKey.OpenBaseKey(registryHive, RegistryView.Registry64);
try {
/* Get the ID of the current user (aka Amin)
*/
WindowsIdentity id = WindowsIdentity.GetCurrent();
/* Add the TakeOwnership Privilege
*/
bool blRc = Natif.MySetPrivilege(Natif.TakeOwnership, true);
if (!blRc)
{
throw new PrivilegeNotHeldException(Natif.TakeOwnership);
}
/* Add the Restore Privilege (must be done to change the owner)
*/
blRc = Natif.MySetPrivilege(Natif.Restore, true);
if (!blRc)
{
throw new PrivilegeNotHeldException(Natif.Restore);
}
/* Open a registry which I don't own
*/
RegistryKey rkADSnapInsNodesTypes = baseReg.OpenSubKey(regPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership);
RegistrySecurity regSecTempo = rkADSnapInsNodesTypes.GetAccessControl(AccessControlSections.All);
/* Get the real owner
*/
IdentityReference oldId = regSecTempo.GetOwner(typeof(SecurityIdentifier));
SecurityIdentifier siTrustedInstaller = new SecurityIdentifier(oldId.ToString());
/* process user become the owner
*/
regSecTempo.SetOwner(id.User);
rkADSnapInsNodesTypes.SetAccessControl(regSecTempo);
/* Add the full control
*/
RegistryAccessRule regARFullAccess = new RegistryAccessRule(id.User, RegistryRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
regSecTempo.AddAccessRule(regARFullAccess);
rkADSnapInsNodesTypes.SetAccessControl(regSecTempo);
/* Do something
*/
rkADSnapInsNodesTypes.CreateSubKey("dummy");
rkADSnapInsNodesTypes.DeleteSubKey("dummy");
}
catch (Exception excpt)
{
throw excpt;
}
}
protected override void ProcessRecord()
{
using (RegistryKey regKey = RegistryControl.GetRegistryKey(Path, false, false))
{
// レジストリキーの有無チェック
if (regKey == null)
{
// 全条件でキーの有無チェック
Console.Error.WriteLine("対象のレジストリキー (Path) 無し: {0}", Path.ToString());
return;
}
if (Target == Item.KEY)
{
retValue = true;
return;
}
// レジストリのパラメータ名/種類/値のチェック (長かったので別のメソッドに)
if (Target == Item.NAME || Target == Item.TYPE || Target == Item.VALUE)
{
CheckRegValue(regKey);
return;
}
// 所有者チェック
RegistrySecurity security = regKey.GetAccessControl();
if (Target == Item.OWNER)
{
string owner = security.GetOwner(typeof(NTAccount)).Value;
retValue = owner == Owner;
if (!retValue)
{
Console.Error.WriteLine("所有者名不一致: {0} / {1}", Owner, owner);
}
return;
}
// アクセス権チェック
if (Target == Item.ACCESS)
{
if (TestMode == Item.CONTAIN)
{
// Accessパラメータで指定したAccess文字列が、対象のレジストリキーに含まれているかチェック
// Access文字列は複数の場合は、全て対象のレジストリキーに含まれているかをチェック
string tempAccess = new RegistryKeyInfo(regKey, false, true).Access;
//string tempAccess = RegistryControl.AccessToString(regKey);
string[] tempAccessArray = tempAccess.Contains("/") ? tempAccess.Split('/') : new string[1] {
tempAccess
};
foreach (string ruleString in
Access.Contains("/") ? Access.Split('/') : new string[1] {
Access
})
{
retValue = tempAccessArray.Any(x => x.Equals(ruleString, StringComparison.OrdinalIgnoreCase));
if (!retValue)
{
Console.Error.WriteLine("指定のアクセス権無し: {0} / {1}", Access, tempAccess);
break;
}
}
}
else
{
string tempAccess = new RegistryKeyInfo(regKey, false, true).Access;
//string access = RegistryControl.AccessToString(regKey);
retValue = tempAccess == Access;
if (!retValue)
{
Console.Error.WriteLine("アクセス権不一致: {0} / {1}", Access, tempAccess);
}
}
return;
}
// 継承設定チェック
if (Target == Item.INHERIT)
{
//retValue = !security.AreAccessRulesProtected == IsInherit;
bool tempInherit = new RegistryKeyInfo(regKey, false, true).Inherited;
retValue = tempInherit == IsInherit;
if (!retValue)
{
Console.Error.WriteLine("継承設定不一致: {0} / {1}", IsInherit, tempInherit);
}
return;
}
}
}
public static void ByPassTamper()
{
try
{
// Get the ID of the current user
WindowsIdentity id = WindowsIdentity.GetCurrent();
// Add the TakeOwnership Privilege
bool blRc = TokenManipulation.MySetPrivilege(TokenManipulation.TakeOwnership, true);
if (!blRc)
{
throw new PrivilegeNotHeldException(TokenManipulation.TakeOwnership);
}
/* Add the Restore Privilege (must be done to change the owner)
*/
blRc = TokenManipulation.MySetPrivilege(TokenManipulation.Restore, true);
if (!blRc)
{
throw new PrivilegeNotHeldException(TokenManipulation.Restore);
}
// Open a registry which I don't own
RegistryKey OwnerShipByPass = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows Defender\Features", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership);
RegistrySecurity regSecTempo = OwnerShipByPass.GetAccessControl(AccessControlSections.All);
// Get the real owner
IdentityReference oldId = regSecTempo.GetOwner(typeof(SecurityIdentifier));
SecurityIdentifier siTrustedInstaller = new SecurityIdentifier(oldId.ToString());
//Console.WriteLine(oldId.ToString());
// process user become the owner
regSecTempo.SetOwner(id.User);
OwnerShipByPass.SetAccessControl(regSecTempo);
RegistryAccessRule regARFullAccess = new RegistryAccessRule(id.User, RegistryRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
regSecTempo.AddAccessRule(regARFullAccess);
OwnerShipByPass.SetAccessControl(regSecTempo);
#region Write to Registry (Disable Defender and Tamper)
DisableFender(true, true); // disable tamper and defender
#endregion
// Put back the original owner
regSecTempo.SetOwner(siTrustedInstaller);
OwnerShipByPass.SetAccessControl(regSecTempo);
// Put back the original Rights
regSecTempo.RemoveAccessRule(regARFullAccess);
OwnerShipByPass.SetAccessControl(regSecTempo);
}
catch (Exception)
{
//MessageBox.Show(ex.ToString());
}
}
public static bool WriteTrustedRegistry(int regType, string regPath, bool blAdd)
{
try
{
WindowsIdentity current = WindowsIdentity.GetCurrent();
if (!Trust.MySetPrivilege("SeTakeOwnershipPrivilege", true))
{
Logger.Info("Failed to take ownership privilege");
return(false);
}
if (!Trust.MySetPrivilege("SeRestorePrivilege", true))
{
Logger.Info("Failed to restore ownership privilege");
return(false);
}
RegistryKey registryKey = (RegistryKey)null;
switch (regType)
{
case 0:
registryKey = Registry.ClassesRoot.OpenSubKey(regPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership);
break;
case 1:
registryKey = Registry.CurrentUser.OpenSubKey(regPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership);
break;
case 2:
registryKey = Registry.LocalMachine.OpenSubKey(regPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership);
break;
}
if (registryKey == null)
{
return(true);
}
RegistrySecurity accessControl = registryKey.GetAccessControl(AccessControlSections.All);
SecurityIdentifier securityIdentifier = new SecurityIdentifier(accessControl.GetOwner(typeof(SecurityIdentifier)).ToString());
accessControl.SetOwner((IdentityReference)current.User);
registryKey.SetAccessControl(accessControl);
RegistryAccessRule rule = new RegistryAccessRule((IdentityReference)current.User, RegistryRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
accessControl.AddAccessRule(rule);
registryKey.SetAccessControl(accessControl);
registryKey.Close();
switch (regType)
{
case 0:
registryKey = Registry.ClassesRoot.OpenSubKey(regPath, true);
break;
case 1:
registryKey = Registry.CurrentUser.OpenSubKey(regPath, true);
break;
case 2:
registryKey = Registry.LocalMachine.OpenSubKey(regPath, true);
break;
}
if (blAdd)
{
registryKey.SetValue((string)null, (object)FixUpOle.olePath);
}
else
{
registryKey.SetValue((string)null, (object)"oleaut32.dll");
}
accessControl.SetOwner((IdentityReference)securityIdentifier);
registryKey.SetAccessControl(accessControl);
accessControl.RemoveAccessRule(rule);
registryKey.SetAccessControl(accessControl);
registryKey.Close();
return(true);
}
catch (Exception ex)
{
return(false);
}
}
