feat: block dll policy

joaoviictorti · joaoviictorti · commit f4298c79d262 · 2024-02-10T19:18:33.000-03:00
diff --git a/Block_DLL_Policy/.gitignore b/Block_DLL_Policy/.gitignore
@@ -0,0 +1 @@
+/target
diff --git a/Block_DLL_Policy/Cargo.lock b/Block_DLL_Policy/Cargo.lock
diff --git a/Block_DLL_Policy/Cargo.toml b/Block_DLL_Policy/Cargo.toml
@@ -0,0 +1,7 @@
+[package]
+name = "block_dll_policy"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+windows = { version = "0.52.0", features = ["Win32_System_Threading", "Win32_Foundation", "Win32_Security", "Win32_System_Memory", "Win32_System_SystemServices"] }
diff --git a/Block_DLL_Policy/README.md b/Block_DLL_Policy/README.md
@@ -0,0 +1,22 @@
+# Block DLL Policy 🦀
+
+<p align="left">
+	<a href="https://www.rust-lang.org/"><img src="https://img.shields.io/badge/made%20with-Rust-red"></a>
+	<a href="#"><img src="https://img.shields.io/badge/platform-windows-blueviolet"></a>
+</p>
+
+- [Overview](#overview)
+- [Usage](#usage)
+
+# Overview
+The "Block DLL Policy" technique is an effective strategy for preventing non-Microsoft-signed DLLs from being loaded into system processes. This policy can be applied both when creating new processes and implemented in our local process.
+
+# Usage 
+
+You can run with cargo run or the compiled binary directly:
+```sh
+cargo run
+```
+```sh
+target/release/block_dll_policy.exe
+```
diff --git a/Block_DLL_Policy/src/main.rs b/Block_DLL_Policy/src/main.rs
@@ -0,0 +1,88 @@
+use std::{ptr::null_mut, ffi::c_void};
+use windows::core::PSTR;
+use windows::Win32::System::{
+    Memory::{GetProcessHeap, HeapAlloc, HEAP_ZERO_MEMORY},
+    SystemServices::{
+        PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY, PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY_0,
+    },
+    Threading::{
+        CreateProcessA, DeleteProcThreadAttributeList, InitializeProcThreadAttributeList,
+        ProcessSignaturePolicy, SetProcessMitigationPolicy, UpdateProcThreadAttribute,
+        EXTENDED_STARTUPINFO_PRESENT, LPPROC_THREAD_ATTRIBUTE_LIST, PROCESS_INFORMATION,
+        PROCESS_MITIGATION_POLICY, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, STARTUPINFOEXA,
+        STARTUPINFOW_FLAGS,
+    },
+};
+
+const PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON: u64 = 0x00000001u64 << 44;
+
+fn main() {
+    create_process_block_dll();
+    // current_process_block_dll();
+}
+
+fn current_process_block_dll() {
+    unsafe {
+        let mut policy = PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY {
+            Anonymous: PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY_0 { Flags: 0 },
+        };
+        policy.Anonymous.Flags |= 1 << 0;
+        let _ = SetProcessMitigationPolicy(
+            PROCESS_MITIGATION_POLICY(ProcessSignaturePolicy.0),
+            &policy as *const _ as *const _,
+            std::mem::size_of_val(&policy),
+        );
+    }
+}
+
+fn create_process_block_dll() {
+    let mut process_information = PROCESS_INFORMATION::default();
+    let mut startup_info = STARTUPINFOEXA::default();
+    startup_info.StartupInfo.cb = std::mem::size_of::<STARTUPINFOEXA>() as u32;
+    startup_info.StartupInfo.dwFlags = STARTUPINFOW_FLAGS(EXTENDED_STARTUPINFO_PRESENT.0);
+    let mut attr_size: usize = 0;
+    unsafe {
+        let _ = InitializeProcThreadAttributeList(
+            LPPROC_THREAD_ATTRIBUTE_LIST(null_mut()),
+            1,
+            0,
+            &mut attr_size,
+        );
+
+        let attr_list = LPPROC_THREAD_ATTRIBUTE_LIST(HeapAlloc(
+            GetProcessHeap().unwrap(),
+            HEAP_ZERO_MEMORY,
+            attr_size,
+        ));
+
+        let _ = InitializeProcThreadAttributeList(attr_list, 1, 0, &mut attr_size);
+
+        let policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;
+        let _ = UpdateProcThreadAttribute(
+            attr_list,
+            0,
+            PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY as usize,
+            Some(&policy as *const _ as *const c_void),
+            std::mem::size_of::<u64>(),
+            None,
+            None,
+        );
+
+        let windir = std::env::var("WINDIR").unwrap() + "\\System32\\SystemSettingsBroker.exe";
+        startup_info.lpAttributeList = attr_list;
+        let _ = CreateProcessA(
+            None,
+            PSTR(windir.as_ptr() as _),
+            None,
+            None,
+            false,
+            EXTENDED_STARTUPINFO_PRESENT,
+            None,
+            None,
+            &startup_info.StartupInfo,
+            &mut process_information,
+        );
+
+        DeleteProcThreadAttributeList(attr_list);
+    }
+}
