
For two days now I have been trying to create a Visual Studio application that should be trusted by an AppLocker rule. Unfortunately, if I sign my exe with a signature I created myself, it cannot be used in the AppLocker wizard; there is an error message saying that the publisher information cannot be extracted from my exe file.

Creating rules based on the Microsoft files under C:\Windows\ works for all exe and ps1 files, regardless of whether the file is signed or not.

I found out that there is a PowerShell command, Get-AppLockerFileInformation, that makes it easier to get the publisher information.

For example, if I copy C:\Windows\WinSxS\wow64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_9478227a478f23d5\Add-Numbers.ps1 to the C:\Temp\ folder and run the command

Get-AppLockerFileInformation -Directory C:\Temp -Recurse -FileType exe, script

then the result is:

Path                                                                  Publisher                                                                                                                    Hash
----                                                                  ---------                                                                                                                    ----
%OSDRIVE%\TEMP\ADD-NUMBERS.PS1                                        O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\,0.0.0.0                                                             S...

For all exe and ps1 files that I created myself, the Publisher is empty. Note that ADD-NUMBERS.PS1 is only 55 bytes and is not signed at all. So the publisher information must be hidden somehow...

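As an added illustration (not part of the question), this PowerShell snippet shows where the Publisher field comes from: Windows component files such as Add-Numbers.ps1 are covered by a signed catalog (.cat) in the system catalog store, so Get-AuthenticodeSignature reports SignatureType Catalog even though the file carries no embedded signature block, while a file signed with a self-created certificate whose root is not trusted fails chain validation and gets no publisher. The file paths are placeholders.

```powershell
# Added example, not from the question: report for each file whether its signature is
# embedded (Authenticode), comes from a system catalog (Catalog) or is absent (None),
# next to the Publisher string AppLocker derives from it.
function Get-SignatureOrigin {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($file in $Path) {
        $sig  = Get-AuthenticodeSignature -FilePath $file      # WinVerifyTrust incl. catalog lookup
        $info = Get-AppLockerFileInformation -Path $file       # what the AppLocker wizard sees

        [pscustomobject]@{
            File               = $file
            SignatureType      = $sig.SignatureType            # None, Authenticode or Catalog
            Status             = $sig.Status                   # Valid, NotSigned, UnknownError (untrusted root), ...
            StatusMessage      = $sig.StatusMessage
            Signer             = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            IsOSBinary         = $sig.IsOSBinary               # true for catalog-signed Windows components
            AppLockerPublisher = $info.Publisher               # null when the signature does not verify
        }
    }
}

# Placeholder paths: a copied Windows component and a self-signed binary of your own.
Get-SignatureOrigin -Path 'C:\Temp\Add-Numbers.ps1', 'C:\Temp\MyApp.exe' | Format-List
```

A catalog lookup is keyed by the file's hash, so the copied Add-Numbers.ps1 still resolves to its Microsoft catalog on the same machine; a file with Status UnknownError and an empty AppLockerPublisher points at an untrusted certificate chain rather than a missing signature.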

1 Answer


Continuing my comment regarding the guidance in the help files...

The 'Signing PowerShell Scripts' hit on signing explains how to sign a script so that it complies with the PowerShell execution policy.

makecert -n "CN=PowerShell Local Certificate Root" -a sha1 `
-eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer `
-ss Root -sr localMachine

makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 `
-eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer

Get-ChildItem cert:\CurrentUser\my -codesigning

Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
4D4917CB140714BA5B81B96E0B18AAF2C4564FDF  CN=PowerShell User


# To use this script, copy the following text into a text file, and name it Add-Signature.ps1.
## Signs a file
param([string] $file=$(throw "Please specify a filename."))
$cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
Set-AuthenticodeSignature $file $cert


# To sign the Add-Signature.ps1 script file, type the following commands at the PowerShell command prompt:
$cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
Set-AuthenticodeSignature add-signature.ps1 $cert

Signing PowerShell Scripts

Get-Help -Name Get-AppLockerFileInformation -Examples

<#
 Get-Help -Name Get-AppLockerFileInformation -Examples

NAME
    Get-AppLockerFileInformation
    
SYNOPSIS
    Gets the file information necessary to create AppLocker rules from a list of files or an event log.
    
    
    EXAMPLE 1
#>
    
    Get-AppLockerFileInformation -Directory C:\Windows\system32\ -Recurse -FileType exe, script
    

<#
    This example gets the file information for all the .exe files and scripts under %windir%\system32.
    
    
    EXAMPLE 2
#>
    
    Get-AppLockerFileInformation -Path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" | Format-List

<#
    Path      : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE 
    Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0 
    Hash      : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C 
    AppX      : False
#> 
    
    
    Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe" | Format-List

<#
    Path      : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE 
    Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0 
    Hash      : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C 
    AppX      : False
    
    This example gets the file information for the file specified by the path.
    
    
    EXAMPLE 3
#>
    
    Get-AppXPackage -AllUsers | Get-AppLockerFileInformation

<#
    Path      : windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy.appx 
    Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
                C=US\windows.immersivecontrolpanel\APPX,6.2.0.0 
    Hash      : 
    AppX      : True 
    
    Path      : windows.RemoteDesktop_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx 
    Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
                C=US\windows.RemoteDesktop\APPX,1.0.0.0 
    Hash      : 
    AppX      : True 
    
    Path      : WinStore_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx 
    Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\WinStore\APPX,1.0.0.0 
    Hash      : 
    AppX      : True
    
    This example outputs the file information for all the packaged applications installed on this machine for all users.
    
    
    EXAMPLE 4
#>
    
    Get-AppLockerFileInformation -EventLog -EventType Audited
    

<#
    This example outputs the file information for all the Audited events in the local event log. Audited events correspond to the Warning event in the 
    AppLocker audit log.
    
    
    EXAMPLE 5
#>
    
    Get-AppLockerFileInformation -EventLog -EventType Allow -Statistics
    

<#
    This example displays statistics for all the Allowed events in the local event log. For each file in the event log, the cmdlet will sum the number of 
    times the event type occurred.
    
    
    EXAMPLE 6
#>
    
    Get-AppLockerFileInformation -EventLog -EventType Audited | 
    New-AppLockerPolicy -RuleType Publisher, Hash, Path -User Everyone -Optimize | 
    Set-AppLockerPolicy -LDAP LDAP://TestGPO
<#    
    This example creates a new AppLocker policy from the warning events in the local event log and sets the policy of a test Group Policy Object (GPO).
#>

Clear-Host
Get-AppLockerFileInformation -Directory 'D:\Scripts' -FileType exe, script | 
Select Path, Publisher, Hash | 
Where Publisher -NE $null | 
Format-List

# Results
<#
Path      : D:\SCRIPTS\SCRIPTS_POWERSHELL_WINDOWSXP-KB926139-X86-ENU.EXE
Publisher : O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS XP FAMILY\SFXCAB.EXE,1.0.0.0
Hash      : SHA256 0xCC11045CB14501C530FF6D3A65154517B8A8E0791E99049BD6CFA349EFA003F6

...

Path      : D:\SCRIPTS\AREMYSERVERSONLINE.PS1
Publisher : O=EXCHANGEMASTER GMBH, L=KLOTEN, S=ZH, C=CH\\,0.0.0.0
Hash      : SHA256 0x093C4586412C9B5FD942E298FA02A6809ABD886C67B8831EB0293FB15476AA0B

...
#>

Get-Content -Path 'D:\SCRIPTS\AREMYSERVERSONLINE.PS1'
# Results
<#
 Get-Content -Path 'D:\SCRIPTS\AREMYSERVERSONLINE.PS1'
<#
.NAME
   AreMyServersOnline v1.0
...

# SIG # Begin signature block
# MIIc2gYJKoZIhvcNAQcCoIIcyzCCHMcCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
...
# SIG # End signature block
#>
answered 2020-08-12T04:55:08.557
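An added example (not from the answer) that does the same as the makecert/Add-Signature steps above with current cmdlets: it creates a self-signed code-signing certificate, trusts it on the machine, signs a script, and then checks that Get-AppLockerFileInformation now returns a publisher and that a publisher rule built from it allows the file. It assumes an elevated PowerShell on Windows 10 or later; the subject name and the C:\Temp paths are placeholders.

```powershell
# Added example, not the answer's own code. Requires an elevated session (writes to LocalMachine stores).
$subject = 'CN=Example Lab Code Signing'   # placeholder subject
$script  = 'C:\Temp\MyTool.ps1'            # placeholder script to sign
$cerFile = 'C:\Temp\lab-codesign.cer'      # placeholder export path

# 1. Create a code-signing certificate in the user's personal store (replaces the two makecert calls).
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(1)

# 2. Trust it: the public part goes to Trusted Root so the chain validates, and to
#    Trusted Publisher so PowerShell does not prompt. With an untrusted root the
#    signature verifies as UnknownError and AppLocker yields an empty Publisher,
#    which is the behaviour the question describes.
Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# 3. Sign with SHA-256 (the sha1 in the old makecert sample is no longer acceptable).
Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256 | Out-Null
$sig = Get-AuthenticodeSignature -FilePath $script
'Signature status: {0} ({1})' -f $sig.Status, $sig.SignatureType   # expect Valid (Authenticode)

# 4. AppLocker should now extract the publisher string "<subject>\<product>\<binary>,<version>";
#    for a script the product and binary parts are empty, as in the "C=US\\,0.0.0.0" output above.
$info = Get-AppLockerFileInformation -Path $script
'Publisher: {0}' -f $info.Publisher

# 5. Build a publisher rule from it and test the decision before deploying the policy.
$policy = $info | New-AppLockerPolicy -RuleType Publisher -User Everyone
Test-AppLockerPolicy -PolicyObject $policy -Path $script -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Keep the private key of such a lab certificate in the user store only; anything placed in LocalMachine\Root is trusted for every user on that machine, so the exported .cer is all that should be distributed.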