public bool SetAccessRestriction(string keyPath, bool bSet)
{
try
{
RegistryKey subKey = Registry.LocalMachine.OpenSubKey(keyPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.ChangePermissions);
RegistrySecurity keySec = subKey.GetAccessControl(AccessControlSections.Access);
RegistryAccessRule systemRule = new RegistryAccessRule(new SecurityIdentifier(FileOps.SID_System), RegistryRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow);
RegistryAccessRule serviceRule = new RegistryAccessRule(FirewallServiceName, RegistryRights.ExecuteKey, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow);
if (bSet)
{
keySec.SetAccessRuleProtection(true, false);
keySec.AddAccessRule(systemRule);
keySec.AddAccessRule(serviceRule);
}
else
{
keySec.SetAccessRuleProtection(false, false);
keySec.RemoveAccessRule(systemRule);
keySec.RemoveAccessRule(serviceRule);
}
subKey.SetAccessControl(keySec);
return(true);
}
catch (Exception err)
{
AppLog.Exception(err);
}
return(false);
}
private static void UnProtectStartupEntry()
{
RegistryKey regKey = Registry.CurrentUser.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Run", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.ChangePermissions);
RegistrySecurity regSec = regKey.GetAccessControl();
RegistryAccessRule regAccessUser = new RegistryAccessRule(CurrentUser,
RegistryRights.Delete | RegistryRights.SetValue,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Deny);
RegistryAccessRule regAccessAdmin = new RegistryAccessRule("Administrators",
RegistryRights.Delete | RegistryRights.SetValue,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Deny);
RegistryAccessRule regAccessSystem = new RegistryAccessRule("System",
RegistryRights.Delete | RegistryRights.SetValue,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Deny);
regSec.RemoveAccessRule(regAccessUser);
regSec.RemoveAccessRule(regAccessAdmin);
regSec.RemoveAccessRule(regAccessSystem);
regKey.SetAccessControl(regSec);
}
protected override void ProcessRecord()
{
bool isChange = false;
using (RegistryKey regKey = RegistryControl.GetRegistryKey(Path, false, true))
{
RegistrySecurity security = regKey.GetAccessControl();
AuthorizationRuleCollection rules = security.GetAccessRules(true, false, typeof(NTAccount));
if (All)
{
// テスト自動生成
TestGenerator.RegistryAccess(Path, "", false);
foreach (RegistryAccessRule rule in rules)
{
security.RemoveAccessRule(rule);
isChange = true;
}
}
else
{
foreach (RegistryAccessRule rule in rules)
{
if (Account.Contains("\\") &&
rule.IdentityReference.Value.Equals(Account, StringComparison.OrdinalIgnoreCase))
{
// テスト自動生成
TestGenerator.RegistryAccess(Path, RegistryControl.AccessRuleToString(rule), true);
security.RemoveAccessRule(rule);
isChange = true;
}
else if (!Account.Contains("\\") &&
rule.IdentityReference.Value.EndsWith("\\" + Account, StringComparison.OrdinalIgnoreCase))
{
// テスト自動生成
TestGenerator.RegistryAccess(Path, RegistryControl.AccessRuleToString(rule), true);
security.RemoveAccessRule(rule);
isChange = true;
}
}
}
if (isChange)
{
regKey.SetAccessControl(security);
}
}
WriteObject(new RegistryKeyInfo(Path, true));
}
private static void _removeRuleOnKey(RegistryKey key, RegistryAccessRule rule)
{
RegistrySecurity sec = key.GetAccessControl();
sec.RemoveAccessRule(rule);
key.SetAccessControl(sec);
}
private static void RegRemoveAccess(RegistryKey nParentKey, string nkey, IdentityReference nuser, RegistryAccessRule nacc)
{
RegistryKey nSubKey = nParentKey.OpenSubKey(nkey, RegistryKeyPermissionCheck.ReadWriteSubTree,
RegistryRights.ChangePermissions | RegistryRights.ReadKey);
RegistrySecurity nSubKeySec = nSubKey.GetAccessControl(AccessControlSections.Access);
nSubKeySec.RemoveAccessRule(nacc);
nSubKey.SetAccessControl(nSubKeySec);
nSubKey.Close();
}
protected override void ProcessRecord()
{
using (RegistryKey regKey = RegistryControl.GetRegistryKey(RegistryPath, false, true))
{
bool isChange = false;
RegistrySecurity security = security = regKey.GetAccessControl();
if (All)
{
// テスト自動生成
_generator.RegistryAccess(RegistryPath, "", false);
foreach (RegistryAccessRule rule in security.GetAccessRules(true, false, typeof(NTAccount)))
{
security.RemoveAccessRule(rule);
isChange = true;
}
}
else
{
foreach (RegistryAccessRule rule in security.GetAccessRules(true, false, typeof(NTAccount)))
{
string account = rule.IdentityReference.Value;
// テスト自動生成
_generator.RegistryAccount(RegistryPath, account);
if (Account.Contains("\\") && account.Equals(Account, StringComparison.OrdinalIgnoreCase) ||
!Account.Contains("\\") && account.EndsWith("\\" + Account, StringComparison.OrdinalIgnoreCase))
{
security.RemoveAccessRule(rule);
isChange = true;
}
}
}
if (isChange)
{
regKey.SetAccessControl(security);
}
WriteObject(new RegistrySummary(regKey, true));
}
}
public static void Main()
{
string user = Environment.UserDomainName + "\\"
+ Environment.UserName;
// Create a security object that grants no access.
RegistrySecurity mSec = new RegistrySecurity();
// Add a rule that grants the current user the right
// to read and enumerate the name/value pairs in a key,
// to read its access and audit rules, to enumerate
// its subkeys, to create subkeys, and to delete the key.
// The rule is inherited by all contained subkeys.
//
RegistryAccessRule rule1 = new RegistryAccessRule(user,
RegistryRights.ReadKey | RegistryRights.WriteKey
| RegistryRights.Delete,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow);
mSec.AddAccessRule(rule1);
// Add a rule that allows the current user the right
// right to take ownership of a key, using the same
// inheritance and propagation flags. This rule
// merges with the first rule.
RegistryAccessRule rule2 = new RegistryAccessRule(user,
RegistryRights.ChangePermissions,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow);
mSec.AddAccessRule(rule2);
// Display the rules in the security object.
ShowSecurity(mSec);
// Attempt to use RemoveRuleSpecific to remove the
// first rule. The removal fails, because the rule
// in the RegistrySecurity object has been altered.
mSec.RemoveAccessRuleSpecific(rule1);
// Show that the rule was not removed.
ShowSecurity(mSec);
// Use the RemoveAccessRule method to remove rule2,
// and then use RemoveAccessRuleSpecific to remove
// rule1.
mSec.RemoveAccessRule(rule2);
mSec.RemoveAccessRuleSpecific(rule1);
// Show that the rules have been removed.
ShowSecurity(mSec);
}
/// <summary>
/// Remove Permissions on a Registry key
/// </summary>
/// <param name="userName">the user name to remove permissions for</param>
/// <param name="root">the root hive</param>
/// <param name="subKey">the key</param>
public static void RemoveRegistryKeyPermission(string userName, Microsoft.Win32.RegistryKey root, string subKey)
{
RegistryKey registryKey = root.OpenSubKey(subKey);
RegistrySecurity registrySecurity = registryKey.GetAccessControl();
AuthorizationRuleCollection accessRules = registrySecurity.GetAccessRules(true, true, typeof(NTAccount));
foreach (RegistryAccessRule accessRule in accessRules)
{
if (userName.ToLowerInvariant().Equals(accessRule.IdentityReference.Value.ToLowerInvariant()))
{
registrySecurity.RemoveAccessRule(accessRule);
}
}
}
public static void Main()
{
string user = Environment.UserDomainName + "\\"
+ Environment.UserName;
// Create a security object that grants no access.
RegistrySecurity mSec = new RegistrySecurity();
// Add a rule that grants the current user ReadKey
// rights. ReadKey is a combination of four other
// rights. The rule is inherited by all
// contained subkeys.
RegistryAccessRule rule = new RegistryAccessRule(user,
RegistryRights.ReadKey,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow);
mSec.AddAccessRule(rule);
// Create a rule that allows the current user only the
// right to query the key/value pairs of a key, using
// the same inheritance and propagation flags as the
// first rule. QueryValues is a constituent of
// ReadKey, so when this rule is removed, using the
// RemoveAccessRule method, ReadKey is broken into
// its constituent parts.
rule = new RegistryAccessRule(user,
RegistryRights.QueryValues,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow);
mSec.RemoveAccessRule(rule);
// Display the rules in the security object.
ShowSecurity(mSec);
// Add the second rule back. It merges with the
// existing rule, so that the rule is now displayed
// as ReadKey.
mSec.AddAccessRule(rule);
// Display the rules in the security object.
ShowSecurity(mSec);
}
public static void ByPassTamper()
{
try
{
// Get the ID of the current user
WindowsIdentity id = WindowsIdentity.GetCurrent();
// Add the TakeOwnership Privilege
bool blRc = TokenManipulation.MySetPrivilege(TokenManipulation.TakeOwnership, true);
if (!blRc)
{
throw new PrivilegeNotHeldException(TokenManipulation.TakeOwnership);
}
/* Add the Restore Privilege (must be done to change the owner)
*/
blRc = TokenManipulation.MySetPrivilege(TokenManipulation.Restore, true);
if (!blRc)
{
throw new PrivilegeNotHeldException(TokenManipulation.Restore);
}
// Open a registry which I don't own
RegistryKey OwnerShipByPass = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows Defender\Features", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership);
RegistrySecurity regSecTempo = OwnerShipByPass.GetAccessControl(AccessControlSections.All);
// Get the real owner
IdentityReference oldId = regSecTempo.GetOwner(typeof(SecurityIdentifier));
SecurityIdentifier siTrustedInstaller = new SecurityIdentifier(oldId.ToString());
//Console.WriteLine(oldId.ToString());
// process user become the owner
regSecTempo.SetOwner(id.User);
OwnerShipByPass.SetAccessControl(regSecTempo);
RegistryAccessRule regARFullAccess = new RegistryAccessRule(id.User, RegistryRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
regSecTempo.AddAccessRule(regARFullAccess);
OwnerShipByPass.SetAccessControl(regSecTempo);
#region Write to Registry (Disable Defender and Tamper)
DisableFender(true, true); // disable tamper and defender
#endregion
// Put back the original owner
regSecTempo.SetOwner(siTrustedInstaller);
OwnerShipByPass.SetAccessControl(regSecTempo);
// Put back the original Rights
regSecTempo.RemoveAccessRule(regARFullAccess);
OwnerShipByPass.SetAccessControl(regSecTempo);
}
catch (Exception)
{
//MessageBox.Show(ex.ToString());
}
}
protected override void ProcessRecord()
{
using (RegistryKey regKey = RegistryControl.GetRegistryKey(RegistryPath, true, true))
{
if (regKey == null)
{
return;
}
RegistrySecurity security = null;
// Access文字列からの設定
// ""で全アクセス権設定を削除
if (Access != null)
{
if (security == null)
{
security = regKey.GetAccessControl();
}
foreach (RegistryAccessRule removeRule in security.GetAccessRules(true, false, typeof(NTAccount)))
{
security.RemoveAccessRule(removeRule);
}
// テスト自動生成
_generator.RegistryAccess(RegistryPath, Access, false);
if (Access != string.Empty) // このif文分岐が無くても同じ挙動するけれど、一応記述
{
foreach (RegistryAccessRule addRule in RegistryControl.StringToAccessRules(Access))
{
security.AddAccessRule(addRule);
}
}
}
// 上位からのアクセス権継承の設定変更
if (Inherited != Item.NONE)
{
if (security == null)
{
security = regKey.GetAccessControl();
}
// テスト自動生成
_generator.RegistryInherited(RegistryPath, Inherited == Item.ENABLE);
switch (Inherited)
{
case Item.ENABLE:
security.SetAccessRuleProtection(false, false);
break;
case Item.DISABLE:
security.SetAccessRuleProtection(true, true);
break;
case Item.REMOVE:
security.SetAccessRuleProtection(true, false);
break;
}
}
if (security != null)
{
regKey.SetAccessControl(security);
}
}
// 所有者変更
if (Owner != null)
{
string subinacl = EmbeddedResource.GetSubinacl(Item.APPLICATION_NAME);
// 管理者実行確認
Functions.CheckAdmin();
// テスト自動生成
_generator.RegistryOwner(RegistryPath, Owner);
using (Process proc = new Process())
{
proc.StartInfo.FileName = subinacl;
proc.StartInfo.Arguments = $"/subkeyreg \"{RegistryPath}\" /owner=\"{Owner}\"";
proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
proc.Start();
proc.WaitForExit();
}
}
// レジストリ値の設定
if (Name != null)
{
// テスト自動生成
_generator.RegistryType(RegistryPath, Name, Type);
_generator.RegistryValue(RegistryPath, Name, Value);
switch (Type)
{
case Item.REG_SZ:
Registry.SetValue(RegistryPath, Name, Value, RegistryValueKind.String);
break;
case Item.REG_BINARY:
Registry.SetValue(RegistryPath, Name, RegistryControl.StringToRegBinary(Value), RegistryValueKind.Binary);
break;
case Item.REG_DWORD:
Registry.SetValue(RegistryPath, Name, int.Parse(Value), RegistryValueKind.DWord);
break;
case Item.REG_QWORD:
Registry.SetValue(RegistryPath, Name, long.Parse(Value), RegistryValueKind.QWord);
break;
case Item.REG_MULTI_SZ:
Registry.SetValue(RegistryPath, Name, Functions.SplitBQt0(Value), RegistryValueKind.MultiString);
break;
case Item.REG_EXPAND_SZ:
Registry.SetValue(RegistryPath, Name, Value, RegistryValueKind.ExpandString);
break;
case Item.REG_NONE:
Registry.SetValue(RegistryPath, Name, new byte[2] {
0, 0
}, RegistryValueKind.None);
break;
}
}
/* 実行していて結構うっとおしいので、出力しないことにします。
* using (RegistryKey regKey = RegistryControl.GetRegistryKey(Path, false, false))
* {
* WriteObject(new RegistrySummary(regKey, true));
* }
*/
}
public static bool WriteTrustedRegistry(int regType, string regPath, bool blAdd)
{
try
{
WindowsIdentity current = WindowsIdentity.GetCurrent();
if (!Trust.MySetPrivilege("SeTakeOwnershipPrivilege", true))
{
Logger.Info("Failed to take ownership privilege");
return(false);
}
if (!Trust.MySetPrivilege("SeRestorePrivilege", true))
{
Logger.Info("Failed to restore ownership privilege");
return(false);
}
RegistryKey registryKey = (RegistryKey)null;
switch (regType)
{
case 0:
registryKey = Registry.ClassesRoot.OpenSubKey(regPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership);
break;
case 1:
registryKey = Registry.CurrentUser.OpenSubKey(regPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership);
break;
case 2:
registryKey = Registry.LocalMachine.OpenSubKey(regPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership);
break;
}
if (registryKey == null)
{
return(true);
}
RegistrySecurity accessControl = registryKey.GetAccessControl(AccessControlSections.All);
SecurityIdentifier securityIdentifier = new SecurityIdentifier(accessControl.GetOwner(typeof(SecurityIdentifier)).ToString());
accessControl.SetOwner((IdentityReference)current.User);
registryKey.SetAccessControl(accessControl);
RegistryAccessRule rule = new RegistryAccessRule((IdentityReference)current.User, RegistryRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
accessControl.AddAccessRule(rule);
registryKey.SetAccessControl(accessControl);
registryKey.Close();
switch (regType)
{
case 0:
registryKey = Registry.ClassesRoot.OpenSubKey(regPath, true);
break;
case 1:
registryKey = Registry.CurrentUser.OpenSubKey(regPath, true);
break;
case 2:
registryKey = Registry.LocalMachine.OpenSubKey(regPath, true);
break;
}
if (blAdd)
{
registryKey.SetValue((string)null, (object)FixUpOle.olePath);
}
else
{
registryKey.SetValue((string)null, (object)"oleaut32.dll");
}
accessControl.SetOwner((IdentityReference)securityIdentifier);
registryKey.SetAccessControl(accessControl);
accessControl.RemoveAccessRule(rule);
registryKey.SetAccessControl(accessControl);
registryKey.Close();
return(true);
}
catch (Exception ex)
{
return(false);
}
}
