【Windows】获取进程缓解策略设置情况

目录

一、前言

二、主要概念

三、实现步骤

四、总结

---

原文出处链接：[https://blog.csdn.net/qq_59075481/article/details/142234952]

一、前言

在现代操作系统中，进程缓解策略（Process Mitigation Policy）提供了一种防御机制，可以防止潜在的攻击对系统中的进程进行利用。通过分析进程的缓解策略设置，开发人员和系统管理员可以更好地了解当前进程的安全状态以及应用了哪些安全措施。

本文介绍一种通过编程方式获取进程的缓解策略设置的方法。我们将利用 Windows 提供的 GetProcessMitigationPolicy 函数来获取不同类型的缓解策略，并使用 C 示例来演示如何实现这一功能。

警告：我们将在下一篇讲解如何远程修改部分安全缓解策略以及缓解策略的绕过技术。

二、主要概念

在 Windows 操作系统中，每个进程都可以设置多种缓解策略，这些策略可以增强系统安全性。常见的缓解策略包括：

进程缓解策略是操作系统用来防止恶意软件或攻击者利用进程漏洞的安全机制。以下是一些常见的缓解策略：

1. 数据执行防护 (DEP, Data Execution Prevention)：DEP 是一种安全功能，旨在防止恶意代码执行非代码区域的内容（如堆栈或堆）。启用 DEP 后，如果在数据区中检测到代码执行，将导致进程异常终止。
2. 地址空间布局随机化 (ASLR, Address Space Layout Randomization)：ASLR 通过随机化程序的内存地址来增加攻击者预测这些地址的难度。通过随机化可执行文件、DLLs、堆、栈和其他内存区域的位置，ASLR 可以有效防止缓冲区溢出和其他内存攻击。
3. 动态代码执行限制 (Dynamic Code Policy)：该策略限制进程生成动态代码或修改现有的可执行代码，防止恶意代码注入和代码覆盖攻击。
4. 控制流保护 (CFG, Control Flow Guard)：CFG 是一种防御机制，用于防止间接调用的目标被篡改，从而保护程序免受控制流劫持攻击。CFG 可通过在运行时检查目标地址是否安全来防止攻击。
5. 结构化异常处理覆盖保护 (SEHOP, Structured Exception Handling Overwrite Protection)：SEHOP 保护 Windows 应用程序免受结构化异常处理（SEH）覆盖攻击，这是堆栈缓冲区溢出攻击的一种形式。
6. 系统调用禁用 (System Call Disable Policy)：该策略可以禁止进程进行特定的系统调用，以限制进程与操作系统内核的交互，降低进程被利用的风险。
7. 子进程创建策略 (Child Process Policy)：限制进程创建子进程的能力，防止恶意软件通过子进程传播或执行进一步的攻击。
8. 映像加载策略 (Image Load Policy)：该策略控制哪些类型的可执行文件可以映射到进程地址空间，防止从不受信任的来源加载恶意代码。

进程缓解策略有哪些？（进程缓解策略从 Win 8 开始引入，下面的版本是目前 Win10/11 上的枚举）。

typedef enum _PROCESS_MITIGATION_POLICY {ProcessDEPPolicy,ProcessASLRPolicy,ProcessDynamicCodePolicy,ProcessStrictHandleCheckPolicy,ProcessSystemCallDisablePolicy,ProcessMitigationOptionsMask,ProcessExtensionPointDisablePolicy,ProcessControlFlowGuardPolicy,ProcessSignaturePolicy,ProcessFontDisablePolicy,ProcessImageLoadPolicy,ProcessSystemCallFilterPolicy,ProcessPayloadRestrictionPolicy,ProcessChildProcessPolicy,ProcessSideChannelIsolationPolicy,ProcessUserShadowStackPolicy,ProcessRedirectionTrustPolicy,ProcessUserPointerAuthPolicy,ProcessSEHOPPolicy,ProcessActivationContextTrustPolicy,MaxProcessMitigationPolicy
} PROCESS_MITIGATION_POLICY, *PPROCESS_MITIGATION_POLICY;

三、实现步骤

以下步骤描述了如何获取和显示进程的缓解策略：

1. 获取目标进程的句柄： 使用 OpenProcess 函数以 PROCESS_QUERY_LIMITED_INFORMATION 权限打开目标进程。
2. 启用SE_DEBUG_NAME特权： 调用 EnableDebugPrivilege 函数启用调试特权，使得当前进程能够访问所有进程的信息。
3. 获取进程的路径和描述信息： 使用 QueryFullProcessImageNameW 函数获取进程的完整路径，并调用 GetProcessDescription 函数获取PE文件的描述信息。
4. 获取并显示缓解策略： 使用 GetProcessMitigationPolicy 函数依次获取不同类型的缓解策略（如 DEP、ASLR、CFG 等），并打印每个策略的二进制表示和详细分析。

代码示例

获取进程缓解策略的前提：当前线程对目标进程至少能打开有限信息查询访问句柄。

查询进程缓解策略的需求：至少以 PROCESS_QUERY_LIMITED_INFORMATION 访问权限打开进程。部分进程的访问可能需要至少需要管理员身份。

描述：目前 win11 上面有 20 组缓解策略，每个策略占一个 32 位二进制位(DWORD)，但结构中有很多保留位暂未使用。

以下是核心代码实现，它展示了如何获取和打印进程的缓解策略：

#include <tchar.h>
#include <stdio.h>
#include <Windows.h>
#include <Processthreadsapi.h>
#include <winver.h>#pragma comment(lib, "Version.lib")// 打印 DWORD 类型的 Flags 的二进制表示，每一位之间用 | 分隔
static void PrintBinaryFlags(DWORD flags)
{printf(" Policy Flags: \n");// 打印位偏移（从 0 到 31）for (int i = 31; i >= 0; i--){printf("%2d", i);if (i != 0) {printf(" | ");}}printf("\n");// 打印 Flags 的二进制表示for (int i = 31; i >= 0; i--){printf(" %d", (flags >> i) & 1);  // 右移并与 1 进行按位与操作，提取该位if (i != 0) {printf(" | ");}}printf("\n");
}static void show_mitigations(HANDLE hProc) {PROCESS_MITIGATION_DEP_POLICY dep = { 0 };PROCESS_MITIGATION_ASLR_POLICY aslr = { 0 };PROCESS_MITIGATION_DYNAMIC_CODE_POLICY dynamic_code = { 0 };PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY strict_handle_check = { 0 };PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY system_call_disable = { 0 };ULONG64 mitigation_options = { 0 };PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY extension_point_disable = { 0 };PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY cfg = { 0 };PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY signature = { 0 };PROCESS_MITIGATION_FONT_DISABLE_POLICY font = { 0 };PROCESS_MITIGATION_IMAGE_LOAD_POLICY image_load = { 0 };PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY syscall_filter = { 0 };  // win11 NewPROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY payload_rtict = { 0 };   // win11 NewPROCESS_MITIGATION_CHILD_PROCESS_POLICY child_proc = { 0 };            // win11 NewPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY side_cnl_isan = { 0 };PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY usw_stack = { 0 };PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY trust_redc = { 0 };PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY upt_auth = { 0 };PROCESS_MITIGATION_SEHOP_POLICY seh_op_policy = { 0 };PROCESS_MITIGATION_ACTIVATION_CONTEXT_TRUST_POLICY activ_ctx_truct = { 0 };  // win11 New/*描述：数据执行防护 (DEP) 的进程缓解策略。typedef struct _PROCESS_MITIGATION_DEP_POLICY {union {DWORD Flags;struct {DWORD Enable : 1;DWORD DisableAtlThunkEmulation : 1;DWORD ReservedFlags : 30;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;BOOLEAN Permanent;} PROCESS_MITIGATION_DEP_POLICY, *PPROCESS_MITIGATION_DEP_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessDEPPolicy, &dep, sizeof(dep));printf("ProcessDEPPolicy:\n");PrintBinaryFlags(dep.Flags);printf("\n Analysis:\n");printf("   Enable                                     %u\n", dep.Enable);printf("   DisableAtlThunkEmulation                   %u\n", dep.DisableAtlThunkEmulation);printf("\n");/*描述：地址空间布局随机化 (ASLR) 的进程缓解策略。typedef struct _PROCESS_MITIGATION_ASLR_POLICY {union {DWORD Flags;struct {DWORD EnableBottomUpRandomization : 1;DWORD EnableForceRelocateImages : 1;DWORD EnableHighEntropy : 1;DWORD DisallowStrippedImages : 1;DWORD ReservedFlags : 28;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_ASLR_POLICY, *PPROCESS_MITIGATION_ASLR_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessASLRPolicy, &aslr, sizeof(aslr));printf("ProcessASLRPolicy:\n");PrintBinaryFlags(aslr.Flags);printf("\n Analysis:\n");printf("   EnableBottomUpRandomization                %u\n", aslr.EnableBottomUpRandomization);printf("   EnableForceRelocateImages                  %u\n", aslr.EnableForceRelocateImages);printf("   EnableHighEntropy                          %u\n", aslr.EnableHighEntropy);printf("   DisallowStrippedImages                     %u\n", aslr.DisallowStrippedImages);printf("\n");/*描述：动态代码执行进程缓解策略。启用后，进程无法生成动态代码或修改现有的可执行代码。typedef struct _PROCESS_MITIGATION_DYNAMIC_CODE_POLICY {union {DWORD Flags;struct {DWORD ProhibitDynamicCode : 1;DWORD AllowThreadOptOut : 1;DWORD AllowRemoteDowngrade : 1;DWORD AuditProhibitDynamicCode : 1;DWORD ReservedFlags : 28;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_DYNAMIC_CODE_POLICY, *PPROCESS_MITIGATION_DYNAMIC_CODE_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessDynamicCodePolicy, &dynamic_code, sizeof(dynamic_code));printf("ProcessStrictHandleCheckPolicy:\n");PrintBinaryFlags(dynamic_code.Flags);printf("\n Analysis:\n");printf("   ProhibitDynamicCode                        %u\n", dynamic_code.ProhibitDynamicCode);printf("   AllowThreadOptOut                          %u\n", dynamic_code.AllowThreadOptOut);printf("   AllowRemoteDowngrade                       %u\n", dynamic_code.AllowRemoteDowngrade);printf("   AuditProhibitDynamicCode                   %u\n", dynamic_code.AuditProhibitDynamicCode);printf("\n");/*描述：如果进程操作无效的句柄，则会收到严重错误。typedef struct _PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY {union {DWORD Flags;struct {DWORD RaiseExceptionOnInvalidHandleReference : 1;DWORD HandleExceptionsPermanentlyEnabled : 1;DWORD ReservedFlags : 30;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY, *PPROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessStrictHandleCheckPolicy, &strict_handle_check, sizeof(strict_handle_check));printf("ProcessStrictHandleCheckPolicy:\n");PrintBinaryFlags(strict_handle_check.Flags);printf("\n Analysis:\n");printf("   RaiseExceptionOnInvalidHandleReference     %u\n", strict_handle_check.RaiseExceptionOnInvalidHandleReference);printf("   HandleExceptionsPermanentlyEnabled         %u\n", strict_handle_check.HandleExceptionsPermanentlyEnabled);printf("\n");/*描述：禁用在最底层使用 NTUser/GDI 函数的功能。typedef struct _PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY {union {DWORD Flags;struct {DWORD DisallowWin32kSystemCalls : 1;DWORD AuditDisallowWin32kSystemCalls : 1;DWORD ReservedFlags : 30;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, *PPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessSystemCallDisablePolicy, &system_call_disable, sizeof(system_call_disable));printf("ProcessSystemCallDisablePolicy:\n");PrintBinaryFlags(system_call_disable.Flags);printf("\n Analysis:\n");printf("   DisallowWin32kSystemCalls                  %u\n", system_call_disable.DisallowWin32kSystemCalls);printf("   AuditDisallowWin32kSystemCalls             %u\n", system_call_disable.AuditDisallowWin32kSystemCalls);printf("\n");/** 描述：返回系统上所有缓解选项的有效位掩码（3333333333333303，看样子第四位是没用到还是啥意思？）。*       掩码：*		      1011110101111010011000100101010000000101010100110111* *       应用程序可以设置许多缓解选项，而无需查询操作系统的缓解选项，*       方法是将按位与掩码组合在一起，一次排除所有不支持的位。*        lpBuffer 参数指向掩码的 ULONG64 位向量，或 ULONG64 位向量的双元素数组。*/GetProcessMitigationPolicy(hProc, ProcessMitigationOptionsMask, &mitigation_options, sizeof(mitigation_options));printf("ProcessMitigationOptionsMask:\n");printf("   MitigationOptions                          %llx\n", mitigation_options);printf("\n");/*描述：阻止启用某些内置第三方扩展点，从而阻止将旧扩展点 DLL 加载到进程中。typedef struct _PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY {union {DWORD Flags;struct {DWORD DisableExtensionPoints : 1;DWORD ReservedFlags : 31;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY, *PPROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessExtensionPointDisablePolicy, &extension_point_disable, sizeof(extension_point_disable));printf("ProcessExtensionPointDisablePolicy:\n");PrintBinaryFlags(extension_point_disable.Flags);printf("\n Analysis:\n");printf("   DisableExtensionPoints                     %u\n", extension_point_disable.DisableExtensionPoints);printf("\n");/*描述：控制流防护 (CFG) 的进程缓解策略。typedef struct _PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY {union {DWORD Flags;struct {DWORD EnableControlFlowGuard : 1;DWORD EnableExportSuppression : 1;DWORD StrictMode : 1;DWORD EnableXfg : 1;DWORD EnableXfgAuditMode : 1;DWORD ReservedFlags : 27;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY, *PPROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessControlFlowGuardPolicy, &cfg, sizeof(cfg));printf("ProcessControlFlowGuardPolicy:\n");PrintBinaryFlags(cfg.Flags);printf("\n Analysis:\n");printf("   EnableControlFlowGuard                     %u\n", cfg.EnableControlFlowGuard);printf("   EnableExportSuppression                    %u\n", cfg.EnableExportSuppression);printf("   StrictMode                                 %u\n", cfg.StrictMode);printf("   EnableXfg                                  %u\n", cfg.EnableXfg);printf("   EnableXfgAuditMode                         %u\n", cfg.EnableXfgAuditMode);printf("\n");/*描述：可以将映像加载限制为由 Microsoft、Windows 应用商店或Microsoft、Windows 应用商店和 Windows 硬件质量实验室 (WHQL) 签名的映像的进程缓解策略。typedef struct _PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY {union {DWORD Flags;struct {DWORD MicrosoftSignedOnly : 1;DWORD StoreSignedOnly : 1;DWORD MitigationOptIn : 1;DWORD AuditMicrosoftSignedOnly : 1;DWORD AuditStoreSignedOnly : 1;DWORD ReservedFlags : 27;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY, *PPROCESS_MITIGATION_BINARY_SIGNATURE_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessSignaturePolicy, &signature, sizeof(signature));printf("ProcessSignaturePolicy:\n");PrintBinaryFlags(signature.Flags);printf("\n Analysis:\n");printf("   MicrosoftSignedOnly                        %u\n", signature.MicrosoftSignedOnly);printf("   StoreSignedOnly                            %u\n", signature.StoreSignedOnly);printf("   MitigationOptIn                            %u\n", signature.MitigationOptIn);printf("   AuditMicrosoftSignedOnly                   %u\n", signature.AuditMicrosoftSignedOnly);printf("   AuditStoreSignedOnly                       %u\n", signature.AuditStoreSignedOnly);printf("\n");/*描述：有关进程的字体加载的缓解策略。启用后，进程无法加载非系统字体。typedef struct _PROCESS_MITIGATION_FONT_DISABLE_POLICY {union {DWORD Flags;struct {DWORD DisableNonSystemFonts     : 1;DWORD AuditNonSystemFontLoading : 1;DWORD ReservedFlags             : 30;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_FONT_DISABLE_POLICY, *PPROCESS_MITIGATION_FONT_DISABLE_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessFontDisablePolicy, &font, sizeof(font));printf("ProcessFontDisablePolicy:\n");PrintBinaryFlags(font.Flags);printf("\n Analysis:\n");printf("   DisableNonSystemFonts                      %u\n", font.DisableNonSystemFonts);printf("   AuditNonSystemFontLoading                  %u\n", font.AuditNonSystemFontLoading);printf("\n");/*描述：有关进程映像加载的策略，该策略确定允许映射到进程的可执行映像的类型。启用后，无法从某些位置加载映像，例如具有低强制签名的远程设备或文件。typedef struct _PROCESS_MITIGATION_IMAGE_LOAD_POLICY {union {DWORD Flags;struct {DWORD NoRemoteImages : 1;DWORD NoLowMandatoryLabelImages : 1;DWORD PreferSystem32Images : 1;DWORD AuditNoRemoteImages : 1;DWORD AuditNoLowMandatoryLabelImages : 1;DWORD ReservedFlags : 27;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_IMAGE_LOAD_POLICY, *PPROCESS_MITIGATION_IMAGE_LOAD_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessImageLoadPolicy, &image_load, sizeof(image_load));printf("ProcessImageLoadPolicy:\n");PrintBinaryFlags(image_load.Flags);printf("\n Analysis:\n");printf("   NoRemoteImages                             %u\n", image_load.NoRemoteImages);printf("   NoLowMandatoryLabelImages                  %u\n", image_load.NoLowMandatoryLabelImages);printf("   PreferSystem32Images                       %u\n", image_load.PreferSystem32Images);printf("   AuditNoRemoteImages                        %u\n", image_load.AuditNoRemoteImages);printf("   AuditNoLowMandatoryLabelImages             %u\n", image_load.AuditNoLowMandatoryLabelImages);printf("\n");/*描述：关于系统调用的进程筛选器缓解策略。typedef struct _PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY {union {DWORD Flags;struct {DWORD FilterId: 4;DWORD ReservedFlags : 28;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY, *PPROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessSystemCallFilterPolicy, &syscall_filter, sizeof(syscall_filter));printf("ProcessSystemCallFilterPolicy:\n");PrintBinaryFlags(syscall_filter.Flags);printf("\n Analysis:\n");printf("   FilterId                                   %u\n", syscall_filter.FilterId);printf("\n");/*描述：进行有效负载限制的进程缓解策略。typedef struct _PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY {union {DWORD Flags;struct {DWORD EnableExportAddressFilter     : 1;DWORD AuditExportAddressFilter      : 1;DWORD EnableExportAddressFilterPlus : 1;DWORD AuditExportAddressFilterPlus  : 1;DWORD EnableImportAddressFilter     : 1;DWORD AuditImportAddressFilter      : 1;DWORD EnableRopStackPivot           : 1;DWORD AuditRopStackPivot            : 1;DWORD EnableRopCallerCheck          : 1;DWORD AuditRopCallerCheck           : 1;DWORD EnableRopSimExec              : 1;DWORD AuditRopSimExec               : 1;DWORD ReservedFlags                 : 20;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY, *PPROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessPayloadRestrictionPolicy, &payload_rtict, sizeof(payload_rtict));printf("ProcessPayloadRestrictionPolicy:\n");PrintBinaryFlags(payload_rtict.Flags);printf("\n Analysis:\n");printf("   EnableExportAddressFilter                  %u\n", payload_rtict.EnableExportAddressFilter);printf("   AuditExportAddressFilter                   %u\n", payload_rtict.AuditExportAddressFilter);printf("   EnableExportAddressFilterPlus              %u\n", payload_rtict.EnableExportAddressFilterPlus);printf("   AuditExportAddressFilterPlus               %u\n", payload_rtict.AuditExportAddressFilterPlus);printf("   EnableImportAddressFilter                  %u\n", payload_rtict.EnableImportAddressFilter);printf("   AuditImportAddressFilter                   %u\n", payload_rtict.AuditImportAddressFilter);printf("   EnableRopStackPivot                        %u\n", payload_rtict.EnableRopStackPivot);printf("   AuditRopStackPivot                         %u\n", payload_rtict.AuditRopStackPivot);printf("   EnableRopCallerCheck                       %u\n", payload_rtict.EnableRopCallerCheck);printf("   AuditRopCallerCheck                        %u\n", payload_rtict.AuditRopCallerCheck);printf("   EnableRopSimExec                           %u\n", payload_rtict.EnableRopSimExec);printf("   AuditRopSimExec                            %u\n", payload_rtict.AuditRopSimExec);printf("\n");/*描述：进程的子进程缓解策略。typedef struct _PROCESS_MITIGATION_CHILD_PROCESS_POLICY {union {DWORD Flags;struct {DWORD NoChildProcessCreation : 1;DWORD AuditNoChildProcessCreation : 1;DWORD AllowSecureProcessCreation : 1;DWORD ReservedFlags : 29;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_CHILD_PROCESS_POLICY, *PPROCESS_MITIGATION_CHILD_PROCESS_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessChildProcessPolicy, &child_proc, sizeof(child_proc));printf("ProcessChildProcessPolicy:\n");PrintBinaryFlags(child_proc.Flags);printf("\n Analysis:\n");printf("   NoChildProcessCreation                     %u\n", child_proc.NoChildProcessCreation);printf("   AuditNoChildProcessCreation                %u\n", child_proc.AuditNoChildProcessCreation);printf("   AllowSecureProcessCreation                 %u\n", child_proc.AllowSecureProcessCreation);printf("\n");/*描述：有关指定进程的侧信道隔离的策略。从 Windows 10 版本 1809 及更高版本开始支持。typedef struct _PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY {union {DWORD Flags;struct {//// 在用户模式下防止分支目标污染 交错/同时多线程 (cross-SMT)。//DWORD SmtBranchTargetIsolation : 1;// // 将此进程隔离到一个不同的安全域中，甚至与作为相同安全上下文// 运行的其他进程隔离。这可以防止通过跨进程实施的分支目标注入（// 通常这种分支目标注入仅在不同的安全上下文中被禁止）。//// 页面合并仅限于同一安全域内的进程。因此，此标志也有效地将进程// 限制为只能在进程本身内部组合，但公共页面除外（除非受到//   DisablePageCombine 策略的进一步限制）。// DWORD IsolateSecurityDomain : 1;// // 禁用此进程的所有页面组合，即使是进程本身的内部，但常见页面// （0 或 1）除外。// DWORD DisablePageCombine : 1;//// 禁用内存歧义消除 (Memory Disambiguation)//DWORD SpeculativeStoreBypassDisable : 1;// // 防止将此进程的线程与其安全域外的线程安排在同一核心上。// DWORD RestrictCoreSharing : 1;DWORD ReservedFlags : 27;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY, *PPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessSideChannelIsolationPolicy, &side_cnl_isan, sizeof(side_cnl_isan));printf("ProcessSideChannelIsolationPolicy:\n");PrintBinaryFlags(side_cnl_isan.Flags);printf("\n Analysis:\n");printf("   SmtBranchTargetIsolation                   %u\n", side_cnl_isan.SmtBranchTargetIsolation);printf("   IsolateSecurityDomain                      %u\n", side_cnl_isan.IsolateSecurityDomain);printf("   DisablePageCombine                         %u\n", side_cnl_isan.DisablePageCombine);printf("   SpeculativeStoreBypassDisable              %u\n", side_cnl_isan.SpeculativeStoreBypassDisable);printf("   RestrictCoreSharing                        %u\n", side_cnl_isan.RestrictCoreSharing);printf("\n");/*描述：有关进程的用户模式硬件强制 Stack 保护的策略。自 Windows 10 版本 2004 及更高版本开始支持。typedef struct _PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY {union {DWORD Flags;struct {DWORD EnableUserShadowStack : 1;DWORD AuditUserShadowStack : 1;DWORD SetContextIpValidation : 1;DWORD AuditSetContextIpValidation : 1;DWORD EnableUserShadowStackStrictMode : 1;DWORD BlockNonCetBinaries : 1;DWORD BlockNonCetBinariesNonEhcont : 1;DWORD AuditBlockNonCetBinaries : 1;DWORD CetDynamicApisOutOfProcOnly : 1;DWORD SetContextIpValidationRelaxedMode : 1;DWORD ReservedFlags : 22;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY, *PPROCESS_MITIGATION_USER_SHADOW_STACK_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessUserShadowStackPolicy, &usw_stack, sizeof(usw_stack));printf("ProcessUserShadowStackPolicy:\n");PrintBinaryFlags(usw_stack.Flags);printf("\n Analysis:\n");printf("   EnableUserShadowStack                      %u\n", usw_stack.EnableUserShadowStack);printf("   AuditUserShadowStack                       %u\n", usw_stack.AuditUserShadowStack);printf("   SetContextIpValidation                     %u\n", usw_stack.SetContextIpValidation);printf("   AuditSetContextIpValidation                %u\n", usw_stack.AuditSetContextIpValidation);printf("   EnableUserShadowStackStrictMode            %u\n", usw_stack.EnableUserShadowStackStrictMode);printf("   BlockNonCetBinaries                        %u\n", usw_stack.BlockNonCetBinaries);printf("   BlockNonCetBinariesNonEhcont               %u\n", usw_stack.BlockNonCetBinariesNonEhcont);printf("   AuditBlockNonCetBinaries                   %u\n", usw_stack.AuditBlockNonCetBinaries);printf("   CetDynamicApisOutOfProcOnly                %u\n", usw_stack.CetDynamicApisOutOfProcOnly);printf("   SetContextIpValidationRelaxedMode          %u\n", usw_stack.SetContextIpValidationRelaxedMode);printf("\n");/*描述：进程的重定向卫士 (RedirectionGuard) 策略。typedef struct _PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY {union {DWORD Flags;struct {DWORD EnforceRedirectionTrust : 1;DWORD AuditRedirectionTrust : 1;DWORD ReservedFlags : 30;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY, *PPROCESS_MITIGATION_REDIRECTION_TRUST_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessRedirectionTrustPolicy, &trust_redc, sizeof(trust_redc));printf("ProcessRedirectionTrustPolicy:\n");PrintBinaryFlags(trust_redc.Flags);printf("\n Analysis:\n");printf("   EnforceRedirectionTrust                    %u\n", trust_redc.EnforceRedirectionTrust);printf("   EnforceRedirectionTrust                    %u\n", trust_redc.AuditRedirectionTrust);printf("\n");/*描述：进程的用户指针身份验证策略。typedef struct _PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY {union {DWORD Flags;struct {DWORD EnablePointerAuthUserIp : 1;DWORD ReservedFlags : 31;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY, *PPROCESS_MITIGATION_USER_POINTER_AUTH_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessUserPointerAuthPolicy, &upt_auth, sizeof(upt_auth));printf("ProcessUserPointerAuthPolicy:\n");PrintBinaryFlags(upt_auth.Flags);printf("\n Analysis:\n");printf("   EnablePointerAuthUserIp                    %u\n", upt_auth.EnablePointerAuthUserIp);printf("\n");/*描述：结构化异常处理覆盖保护 (SEHOP) 策略。typedef struct _PROCESS_MITIGATION_SEHOP_POLICY {union {DWORD Flags;struct {DWORD EnableSehop : 1;DWORD ReservedFlags : 31;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_SEHOP_POLICY, *PPROCESS_MITIGATION_SEHOP_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessSEHOPPolicy, &seh_op_policy, sizeof(seh_op_policy));printf("ProcessSEHOPPolicy:\n");PrintBinaryFlags(seh_op_policy.Flags);printf("\n Analysis:\n");printf("   EnableSehop                                %u\n", seh_op_policy.EnableSehop);printf("\n");/*描述：进程的激活上下文(ActivationContext) 保护策略。typedef struct _PROCESS_MITIGATION_ACTIVATION_CONTEXT_TRUST_POLICY {union {DWORD Flags;struct {DWORD AssemblyManifestRedirectionTrust : 1;DWORD ReservedFlags : 31;} DUMMYSTRUCTNAME;} DUMMYUNIONNAME;} PROCESS_MITIGATION_ACTIVATION_CONTEXT_TRUST_POLICY, *PPROCESS_MITIGATION_ACTIVATION_CONTEXT_TRUST_POLICY;*/GetProcessMitigationPolicy(hProc, ProcessActivationContextTrustPolicy, &activ_ctx_truct, sizeof(activ_ctx_truct));printf("ProcessActivationContextTrustPolicy:\n");PrintBinaryFlags(activ_ctx_truct.Flags);printf("\n Analysis:\n");printf("   AssemblyManifestRedirectionTrust           %u\n", activ_ctx_truct.AssemblyManifestRedirectionTrust);//printf("\n");
}BOOL EnableDebugPrivilege(BOOL fEnable) {BOOL fOk = FALSE;HANDLE hToken;if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {TOKEN_PRIVILEGES tp = { 0 };tp.PrivilegeCount = 1;LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);fOk = (GetLastError() == ERROR_SUCCESS);CloseHandle(hToken);}return(fOk);
}// 获取 PE 文件的描述信息
void GetProcessDescription(const wchar_t* filePath) {DWORD verHandle = 0;DWORD verSize = GetFileVersionInfoSizeW(filePath, &verHandle);if (verSize > 0) {LPVOID verData = malloc(verSize);if (GetFileVersionInfoW(filePath, verHandle, verSize, verData)) {LPVOID lpBuffer = NULL;UINT size = 0;if (VerQueryValueW(verData, L"\\StringFileInfo\\040904b0\\FileDescription", &lpBuffer, &size) && size > 0) {printf("[*] Description: %ws\n", (wchar_t*)lpBuffer);}else {printf("[!] No description available.\n");}}else {printf("[!] Unable to get version info, code %u\n", GetLastError());}free(verData);}else {printf("[!] Unable to get version size, code %u\n", GetLastError());}
}int main(int argc, const char* argv[]) {printf("\n");if (argc != 2) {printf("\nGetProcessMitigationPolicy for Win10/11.\n\n");printf("Usage:\n");printf("%s <pid>\n", argv[0]);return 0;}// 启用 SE_DEBUG 特权if (!EnableDebugPrivilege(TRUE)) {printf("[!] AdjustTokenPrivileges Failed.<%d>\n", GetLastError());}// 从命令行参数获取目标进程 PIDDWORD dwTargetPid = 0;dwTargetPid = atoi(argv[1]);printf("[*] TargetPid:%d\n", dwTargetPid);// 访问目标进程HANDLE hProcess;hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, dwTargetPid);if (hProcess == NULL) {printf("[!] Unable to open process %u, code %u\n", dwTargetPid, GetLastError());return 0;}// 获取进程名称wchar_t processPath[2048];ZeroMemory(processPath, sizeof(wchar_t) * 2048);DWORD dwSize = 2046;if (QueryFullProcessImageNameW(hProcess, 0, processPath, &dwSize)) {printf("[*] Process Path: %ws\n", processPath); // 输出进程路径// 从路径中提取进程名称wchar_t* processName = wcsrchr(processPath, '\\');if (processName) {printf("[*] Process Name: %ws\n", processName + 1); // 输出进程名称}else {printf("[*] Process Name: %ws\n", processPath); // 如果路径中没有分隔符，直接输出路径}// 获取并输出进程的描述信息GetProcessDescription(processPath);}else {printf("[!] Unable to get process path, code %u\n", GetLastError());}printf("\n");// 解析进程的缓解策略show_mitigations(hProcess);printf("\n");CloseHandle(hProcess);return 0;
}

测试效果截图：

四、总结

通过本文的介绍和代码示例，开发人员可以有效地获取和分析 Windows 进程的缓解策略设置。通过使用 ​​​​​​​GetProcessMitigationPolicy 函数，可以有效地分析和显示目标进程的各项安全设置。

这些方法在系统安全和软件开发中非常有用，特别是在需要确保应用程序或系统服务的安全性时。开发者可以将这些方法集成到调试工具或安全扫描工具中，进一步增强系统的安全性和稳定性。

---

原文出处链接：[https://blog.csdn.net/qq_59075481/article/details/142234952]。

本文发布于：2024.09.13，更新于：2024.09.13.