private static SaferPolicy TestSaferPolicy(string testPathScript, string testPathModule)
{
SaferPolicy result = SecuritySupport.GetSaferPolicy(testPathScript, null);
if (result == SaferPolicy.Disallowed)
{
result = SecuritySupport.GetSaferPolicy(testPathModule, null);
}
return(result);
}
internal static SaferPolicy GetSaferPolicy(string path)
{
SaferPolicy saferPolicy = SaferPolicy.Allowed;
IntPtr pLevelHandle;
if (!System.Management.Automation.Security.NativeMethods.SaferIdentifyLevel(1U, ref new SAFER_CODE_PROPERTIES()
{
cbSize = (uint)Marshal.SizeOf(typeof(SAFER_CODE_PROPERTIES)),
dwCheckFlags = 13U,
ImagePath = path,
dwWVTUIChoice = 2U
}, out pLevelHandle, "SCRIPT"))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
IntPtr zero = IntPtr.Zero;
try
{
if (!System.Management.Automation.Security.NativeMethods.SaferComputeTokenFromLevel(pLevelHandle, IntPtr.Zero, ref zero, 1U, IntPtr.Zero))
{
switch (Marshal.GetLastWin32Error())
{
case 786:
case 1260:
saferPolicy = SaferPolicy.Disallowed;
break;
default:
throw new Win32Exception();
}
}
else if (zero == IntPtr.Zero)
{
saferPolicy = SaferPolicy.Allowed;
}
else
{
saferPolicy = SaferPolicy.Disallowed;
System.Management.Automation.Security.NativeMethods.CloseHandle(zero);
}
}
finally
{
System.Management.Automation.Security.NativeMethods.SaferCloseLevel(pLevelHandle);
}
return(saferPolicy);
}
internal static SaferPolicy GetSaferPolicy(string path)
{
IntPtr ptr;
SaferPolicy allowed = SaferPolicy.Allowed;
SAFER_CODE_PROPERTIES pCodeProperties = new SAFER_CODE_PROPERTIES {
cbSize = (int)Marshal.SizeOf(typeof(SAFER_CODE_PROPERTIES)),
dwCheckFlags = 13,
ImagePath = path,
dwWVTUIChoice = 2
};
if (System.Management.Automation.Security.NativeMethods.SaferIdentifyLevel(1, ref pCodeProperties, out ptr, "SCRIPT"))
{
IntPtr zero = IntPtr.Zero;
try
{
if (!System.Management.Automation.Security.NativeMethods.SaferComputeTokenFromLevel(ptr, IntPtr.Zero, ref zero, 1, IntPtr.Zero))
{
int num = Marshal.GetLastWin32Error();
if ((num != 0x4ec) && (num != 0x312))
{
throw new Win32Exception();
}
return(SaferPolicy.Disallowed);
}
if (zero == IntPtr.Zero)
{
return(SaferPolicy.Allowed);
}
allowed = SaferPolicy.Disallowed;
System.Management.Automation.Security.NativeMethods.CloseHandle(zero);
return(allowed);
}
finally
{
System.Management.Automation.Security.NativeMethods.SaferCloseLevel(ptr);
}
}
throw new Win32Exception(Marshal.GetLastWin32Error());
}
private bool CheckPolicy(ExternalScriptInfo script, PSHost host, out Exception reason)
{
bool policyCheckPassed = false;
reason = null;
string path = script.Path;
string reasonMessage;
// path is assumed to be fully qualified here
if (path.IndexOf(System.IO.Path.DirectorySeparatorChar) < 0)
{
throw PSTraceSource.NewArgumentException("path");
}
if (path.LastIndexOf(System.IO.Path.DirectorySeparatorChar) == (path.Length - 1))
{
throw PSTraceSource.NewArgumentException("path");
}
FileInfo fi = new FileInfo(path);
// Return false if the file does not exist, so that
// we don't introduce a race condition
if (!fi.Exists)
{
reason = new FileNotFoundException(path);
return(false);
}
// Quick exit if we don't support the file type
if (!IsSupportedExtension(fi.Extension))
{
return(true);
}
// Get the execution policy
_executionPolicy = SecuritySupport.GetExecutionPolicy(_shellId);
// See if they want to bypass the authorization manager
if (_executionPolicy == ExecutionPolicy.Bypass)
{
return(true);
}
// Always check the SAFER APIs if code integrity isn't being handled system-wide through
// WLDP or AppLocker. In those cases, the scripts will be run in ConstrainedLanguage.
// Otherwise, block.
// SAFER APIs are not on CSS or OneCore
if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.Enforce)
{
SaferPolicy saferPolicy = SaferPolicy.Disallowed;
int saferAttempt = 0;
bool gotSaferPolicy = false;
// We need to put in a retry workaround, as the SAFER APIs fail when under stress.
while ((!gotSaferPolicy) && (saferAttempt < 5))
{
try
{
saferPolicy = SecuritySupport.GetSaferPolicy(path, null);
gotSaferPolicy = true;
}
catch (System.ComponentModel.Win32Exception)
{
if (saferAttempt > 4)
{
throw;
}
saferAttempt++;
System.Threading.Thread.Sleep(100);
}
}
// If the script is disallowed via AppLocker, block the file
// unless the system-wide lockdown policy is "Enforce" (where all PowerShell
// scripts are in blocked). If the system policy is "Enforce", then the
// script will be allowed (but ConstrainedLanguage will be applied).
if (saferPolicy == SaferPolicy.Disallowed)
{
reasonMessage = StringUtil.Format(Authenticode.Reason_DisallowedBySafer, path);
reason = new UnauthorizedAccessException(reasonMessage);
return(false);
}
}
if (_executionPolicy == ExecutionPolicy.Unrestricted)
{
// Product binaries are always trusted
// This avoids signature and security zone checks
if (SecuritySupport.IsProductBinary(path))
{
return(true);
}
// We need to give the "Remote File" warning
// if the file originated from the internet
if (!IsLocalFile(fi.FullName))
{
// Get the signature of the file.
if (String.IsNullOrEmpty(script.ScriptContents))
{
reasonMessage = StringUtil.Format(Authenticode.Reason_FileContentUnavailable, path);
reason = new UnauthorizedAccessException(reasonMessage);
return(false);
}
Signature signature = GetSignatureWithEncodingRetry(path, script);
// The file is signed, with a publisher that
// we trust
if (signature.Status == SignatureStatus.Valid)
{
// The file is signed by a trusted publisher
if (IsTrustedPublisher(signature, path))
{
policyCheckPassed = true;
}
}
// We don't care about the signature. If you distrust them,
// or the signature does not exist, we prompt you only
// because it's remote.
if (!policyCheckPassed)
{
RunPromptDecision decision = RunPromptDecision.DoNotRun;
// Get their remote prompt answer, allowing them to
// enter nested prompts, if wanted.
do
{
decision = RemoteFilePrompt(path, host);
if (decision == RunPromptDecision.Suspend)
{
host.EnterNestedPrompt();
}
} while (decision == RunPromptDecision.Suspend);
switch (decision)
{
case RunPromptDecision.RunOnce:
policyCheckPassed = true;
break;
case RunPromptDecision.DoNotRun:
default:
policyCheckPassed = false;
reasonMessage = StringUtil.Format(Authenticode.Reason_DoNotRun, path);
reason = new UnauthorizedAccessException(reasonMessage);
break;
}
}
}
else
{
policyCheckPassed = true;
}
}
// Don't need to check the signature if the file is local
// and we're in "RemoteSigned" mode
else if ((IsLocalFile(fi.FullName)) &&
(_executionPolicy == ExecutionPolicy.RemoteSigned))
{
policyCheckPassed = true;
}
else if ((_executionPolicy == ExecutionPolicy.AllSigned) ||
(_executionPolicy == ExecutionPolicy.RemoteSigned))
{
// if policy requires signature verification,
// make it so.
// Get the signature of the file.
if (String.IsNullOrEmpty(script.ScriptContents))
{
reasonMessage = StringUtil.Format(Authenticode.Reason_FileContentUnavailable, path);
reason = new UnauthorizedAccessException(reasonMessage);
return(false);
}
Signature signature = GetSignatureWithEncodingRetry(path, script);
// The file is signed.
if (signature.Status == SignatureStatus.Valid)
{
// The file is signed by a trusted publisher
if (IsTrustedPublisher(signature, path))
{
policyCheckPassed = true;
}
// The file is signed by an unknown publisher,
// So prompt.
else
{
policyCheckPassed = SetPolicyFromAuthenticodePrompt(path, host, ref reason, signature);
}
}
// The file is UnknownError, NotSigned, HashMismatch,
// NotTrusted, NotSupportedFileFormat
else
{
policyCheckPassed = false;
if (signature.Status == SignatureStatus.NotTrusted)
{
reason = new UnauthorizedAccessException(
StringUtil.Format(Authenticode.Reason_NotTrusted,
path,
signature.SignerCertificate.SubjectName.Name));
}
else
{
reason = new UnauthorizedAccessException(
StringUtil.Format(Authenticode.Reason_Unknown,
path,
signature.StatusMessage));
}
}
}
else // if(executionPolicy == ExecutionPolicy.Restricted)
{
// Deny everything
policyCheckPassed = false;
// But accept mshxml files from publishers that we
// trust, or files in the system protected directories
bool reasonSet = false;
if (String.Equals(fi.Extension, ".ps1xml", StringComparison.OrdinalIgnoreCase))
{
string[] trustedDirectories = new string[]
{ Platform.GetFolderPath(Environment.SpecialFolder.System),
Platform.GetFolderPath(Environment.SpecialFolder.ProgramFiles) };
foreach (string trustedDirectory in trustedDirectories)
{
if (fi.FullName.StartsWith(trustedDirectory, StringComparison.OrdinalIgnoreCase))
{
policyCheckPassed = true;
}
}
if (!policyCheckPassed)
{
// Get the signature of the file.
Signature signature = GetSignatureWithEncodingRetry(path, script);
// The file is signed by a trusted publisher
if (signature.Status == SignatureStatus.Valid)
{
if (IsTrustedPublisher(signature, path))
{
policyCheckPassed = true;
}
// The file is signed by an unknown publisher,
// So prompt.
else
{
policyCheckPassed = SetPolicyFromAuthenticodePrompt(path, host, ref reason, signature);
reasonSet = true;
}
}
}
}
if (!policyCheckPassed && !reasonSet)
{
reason = new UnauthorizedAccessException(
StringUtil.Format(Authenticode.Reason_RestrictedMode,
path));
}
}
return(policyCheckPassed);
}
private static SystemEnforcementMode GetAppLockerPolicy(string path, SafeHandle handle)
{
SaferPolicy result = SaferPolicy.Disallowed;
// If path is NULL, we're looking for the system-wide lockdown policy.
// Since there is no way to get that from AppLocker, we will test the policy
// against a random non-existent script and module. If that is allowed, then there is
// no AppLocker script policy.
if (String.IsNullOrEmpty(path))
{
if ((s_cachedSaferSystemPolicy != null) && (!InternalTestHooks.BypassAppLockerPolicyCaching))
{
result = s_cachedSaferSystemPolicy.Value;
}
else
{
//
// Temp path can sometimes be deleted. While many places in PowerShell depend on its existence,
// this one can crash PowerShell.
// A less sensitive implementation will be possible once AppLocker allows validation of files that
// don't exist.
//
string testPathScript = null;
string testPathModule = null;
try
{
// Start with the current profile temp path.
string tempPath = IO.Path.GetTempPath();
int iteration = 0;
while (iteration++ < 2)
{
bool error = false;
try
{
if (!IO.Directory.Exists(tempPath))
{
IO.Directory.CreateDirectory(tempPath);
}
testPathScript = IO.Path.Combine(tempPath, IO.Path.GetRandomFileName() + ".ps1");
testPathModule = IO.Path.Combine(tempPath, IO.Path.GetRandomFileName() + ".psm1");
// AppLocker fails when you try to check a policy on a file
// with no content. So create a scratch file and test on that.
IO.File.WriteAllText(testPathScript, "1");
IO.File.WriteAllText(testPathModule, "1");
}
catch (System.IO.IOException)
{
if (iteration == 2)
{
throw;
}
error = true;
}
catch (System.UnauthorizedAccessException)
{
if (iteration == 2)
{
throw;
}
error = true;
}
catch (System.Security.SecurityException)
{
if (iteration == 2)
{
throw;
}
error = true;
}
if (!error)
{
break;
}
// Try again with the AppData\LocalLow\Temp path using known folder id:
// https://msdn.microsoft.com/en-us/library/dd378457.aspx
Guid AppDatalocalLowFolderId = new Guid("A520A1A4-1780-4FF6-BD18-167343C5AF16");
tempPath = GetKnownFolderPath(AppDatalocalLowFolderId) + @"\Temp";
} // end while loop
// Test policy.
result = TestSaferPolicy(testPathScript, testPathModule);
}
catch (System.IO.IOException)
{
// If we fail to test the policy, assume the default.
result = SaferPolicy.Disallowed;
}
catch (System.UnauthorizedAccessException)
{
// This can happen during thread impersonation if the profile temp paths are not accessible.
// Allow policy if impersonated, otherwise disallow.
result =
(System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel == System.Security.Principal.TokenImpersonationLevel.Impersonation) ?
SaferPolicy.Allowed : SaferPolicy.Disallowed;
}
catch (ArgumentException)
{
// This is for IO.Path.GetTempPath() call when temp paths are not accessible.
result =
(System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel == System.Security.Principal.TokenImpersonationLevel.Impersonation) ?
SaferPolicy.Allowed : SaferPolicy.Disallowed;
}
finally
{
if (IO.File.Exists(testPathScript))
{
IO.File.Delete(testPathScript);
}
if (IO.File.Exists(testPathModule))
{
IO.File.Delete(testPathModule);
}
}
s_cachedSaferSystemPolicy = result;
}
if (result == SaferPolicy.Disallowed)
{
return(SystemEnforcementMode.Enforce);
}
else
{
return(SystemEnforcementMode.None);
}
}
else
{
// We got a path. Return the result for that path.
result = SecuritySupport.GetSaferPolicy(path, handle);
if (result == SaferPolicy.Disallowed)
{
return(SystemEnforcementMode.Enforce);
}
return(SystemEnforcementMode.None);
}
}
private bool CheckPolicy(ExternalScriptInfo script, PSHost host, out Exception reason)
{
string str2;
bool flag = false;
reason = null;
string path = script.Path;
if (Environment.OSVersion.Platform == PlatformID.Win32NT)
{
if (path.IndexOf('\\') < 0)
{
throw PSTraceSource.NewArgumentException("path");
}
if (path.LastIndexOf('\\') == (path.Length - 1))
{
throw PSTraceSource.NewArgumentException("path");
}
}
FileInfo info = new FileInfo(path);
if (!info.Exists)
{
reason = new FileNotFoundException(path);
return(false);
}
if (!IsSupportedExtension(info.Extension))
{
return(true);
}
if (this.IsProductBinary(path))
{
return(true);
}
this.executionPolicy = SecuritySupport.GetExecutionPolicy(this.shellId);
if (this.executionPolicy == ExecutionPolicy.Bypass)
{
return(true);
}
SaferPolicy disallowed = SaferPolicy.Disallowed;
int num = 0;
bool flag2 = false;
while (!flag2 && (num < 5))
{
try
{
disallowed = SecuritySupport.GetSaferPolicy(path);
flag2 = true;
continue;
}
catch (Win32Exception)
{
if (num > 4)
{
throw;
}
num++;
Thread.Sleep(100);
continue;
}
}
if (disallowed == SaferPolicy.Disallowed)
{
str2 = StringUtil.Format(Authenticode.Reason_DisallowedBySafer, path);
reason = new UnauthorizedAccessException(str2);
return(false);
}
if (this.executionPolicy != ExecutionPolicy.Unrestricted)
{
if (this.IsLocalFile(info.FullName) && (this.executionPolicy == ExecutionPolicy.RemoteSigned))
{
return(true);
}
if ((this.executionPolicy == ExecutionPolicy.AllSigned) || (this.executionPolicy == ExecutionPolicy.RemoteSigned))
{
if (string.IsNullOrEmpty(script.ScriptContents))
{
str2 = StringUtil.Format(Authenticode.Reason_FileContentUnavailable, path);
reason = new UnauthorizedAccessException(str2);
return(false);
}
System.Management.Automation.Signature signature = this.GetSignatureWithEncodingRetry(path, script);
if (signature.Status == SignatureStatus.Valid)
{
return(this.IsTrustedPublisher(signature, path) || this.SetPolicyFromAuthenticodePrompt(path, host, ref reason, signature));
}
flag = false;
if (signature.Status == SignatureStatus.NotTrusted)
{
reason = new UnauthorizedAccessException(StringUtil.Format(Authenticode.Reason_NotTrusted, path, signature.SignerCertificate.SubjectName.Name));
return(flag);
}
reason = new UnauthorizedAccessException(StringUtil.Format(Authenticode.Reason_Unknown, path, signature.StatusMessage));
return(flag);
}
flag = false;
bool flag3 = false;
if (string.Equals(info.Extension, ".ps1xml", StringComparison.OrdinalIgnoreCase))
{
string[] strArray = new string[] { Environment.GetFolderPath(Environment.SpecialFolder.System), Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles) };
foreach (string str3 in strArray)
{
if (info.FullName.StartsWith(str3, StringComparison.OrdinalIgnoreCase))
{
flag = true;
}
}
if (!flag)
{
System.Management.Automation.Signature signature3 = this.GetSignatureWithEncodingRetry(path, script);
if (signature3.Status == SignatureStatus.Valid)
{
if (this.IsTrustedPublisher(signature3, path))
{
flag = true;
}
else
{
flag = this.SetPolicyFromAuthenticodePrompt(path, host, ref reason, signature3);
flag3 = true;
}
}
}
}
if (!flag && !flag3)
{
reason = new UnauthorizedAccessException(StringUtil.Format(Authenticode.Reason_RestrictedMode, path));
}
return(flag);
}
if (this.IsLocalFile(info.FullName))
{
return(true);
}
if (string.IsNullOrEmpty(script.ScriptContents))
{
str2 = StringUtil.Format(Authenticode.Reason_FileContentUnavailable, path);
reason = new UnauthorizedAccessException(str2);
return(false);
}
System.Management.Automation.Signature signatureWithEncodingRetry = this.GetSignatureWithEncodingRetry(path, script);
if ((signatureWithEncodingRetry.Status == SignatureStatus.Valid) && this.IsTrustedPublisher(signatureWithEncodingRetry, path))
{
flag = true;
}
if (flag)
{
return(flag);
}
RunPromptDecision doNotRun = RunPromptDecision.DoNotRun;
Label_0149:
doNotRun = this.RemoteFilePrompt(path, host);
if (doNotRun == RunPromptDecision.Suspend)
{
host.EnterNestedPrompt();
}
switch (doNotRun)
{
case RunPromptDecision.RunOnce:
return(true);
case RunPromptDecision.Suspend:
goto Label_0149;
}
flag = false;
str2 = StringUtil.Format(Authenticode.Reason_DoNotRun, path);
reason = new UnauthorizedAccessException(str2);
return(flag);
}
