How do I create and sign my own exe/ps1 files for use with AppLocker?



For two days I have been trying to create a Visual Studio application that should be trusted by an AppLocker rule. Unfortunately, if I sign my exe with a signature I created myself, it cannot be used in the AppLocker wizard; an error message says that the publisher information cannot be extracted from my exe file.

Creating a rule based on the Microsoft files under C:\Windows\ works for all exe and ps1 files, regardless of whether those files are signed or not.

I found that there is a PowerShell command, Get-AppLockerFileInformation, that makes it easier to get the publisher information.

For example, if I copy C:\Windows\WinSxS\wow64_microsoft.powershell.pester_31bf3856a364e35_10.0.190941.1_none_9478227a78f23d5\Add-Numbers.ps1 to the folder C:\Temp\ and run the command

Get-AppLockerFileInformation -Directory C:\Temp -Recurse -FileType exe, script

the result is:

Path                            Publisher                                                         Hash
----                            ---------                                                         ----
%OSDRIVE%\TEMP\ADD-NUMBERS.PS1  O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\,0.0.0.0   S...

For all exe and ps1 files I created myself, the publisher is empty. Note that ADD-NUMBERS.PS1 is only 55 bytes and is not signed at all. So the publisher information must be hidden somewhere...

Continuing the comment about the guidance in the help files...

"Signing PowerShell scripts"


about_Signing explains how to sign scripts so that they comply with the PowerShell execution policy.

makecert -n "CN=PowerShell Local Certificate Root" -a sha1 `
-eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer `
-ss Root -sr localMachine
makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 `
-eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer
Get-ChildItem cert:\CurrentUser\my -codesigning
Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
Thumbprint                                Subject
----------                                -------
4D4917CB140714BA5B81B96E0B18AAF2C4564FDF  CN=PowerShell User

# To use this script, copy the following text into a text file, and name it Add-Signature.ps1.
## Signs a file
param([string] $file=$(throw "Please specify a filename."))
$cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
Set-AuthenticodeSignature $file $cert

# To sign the Add-Signature.ps1 script file, type the following commands at the PowerShell command prompt:
$cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
Set-AuthenticodeSignature add-signature.ps1 $cert

Signing PowerShell scripts

Get-Help -Name Get-AppLockerFileInformation -Examples
<#
Get-Help -Name Get-AppLockerFileInformation -Examples
NAME
Get-AppLockerFileInformation

SYNOPSIS
Gets the file information necessary to create AppLocker rules from a list of files or an event log.


EXAMPLE 1
#>

Get-AppLockerFileInformation -Directory C:\Windows\system32 -Recurse -FileType exe, script

<#
This example gets the file information for all the .exe files and scripts under %windir%\system32.


EXAMPLE 2
#>

Get-AppLockerFileInformation -Path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" | Format-List
<#
Path      : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE
Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0
Hash      : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C 
AppX      : False
#> 


Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe" | Format-List
<#
Path      : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE
Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0
Hash      : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C 
AppX      : False

This example gets the file information for the file specified by the path.


EXAMPLE 3
#>

Get-AppXPackage -AllUsers | Get-AppLockerFileInformation
<#
Path      : windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy.appx
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington,
C=US\windows.immersivecontrolpanel\APPX,6.2.0.0
Hash      : 
AppX      : True 

Path      : windows.RemoteDesktop_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx 
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington,
C=US\windows.RemoteDesktop\APPX,1.0.0.0
Hash      : 
AppX      : True 

Path      : WinStore_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx 
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\WinStore\APPX,1.0.0.0
Hash      : 
AppX      : True

This example outputs the file information for all the packaged applications installed on this machine for all users.


EXAMPLE 4
#>

Get-AppLockerFileInformation -EventLog -EventType Audited

<#
This example outputs the file information for all the Audited events in the local event log. Audited events correspond to the Warning event in the 
AppLocker audit log.


EXAMPLE 5
#>

Get-AppLockerFileInformation -EventLog -EventType Allow -Statistics

<#
This example displays statistics for all the Allowed events in the local event log. For each file in the event log, the cmdlet will sum the number of 
times the event type occurred.


EXAMPLE 6
#>

Get-AppLockerFileInformation -EventLog -EventType Audited | 
New-AppLockerPolicy -RuleType Publisher, Hash, Path -User Everyone -Optimize | 
Set-AppLockerPolicy -LDAP LDAP://TestGPO
<#    
This example creates a new AppLocker policy from the warning events in the local event log and sets the policy of a test Group Policy Object (GPO).
#>
Clear-Host
Get-AppLockerFileInformation -Directory 'D:\Scripts' -FileType exe, script |
Select Path, Publisher, Hash | 
Where Publisher -NE $null | 
Format-List
# Results
<#
Path      : D:\SCRIPTS\SCRIPTS_POWERSHELL_WINDOWSXP-KB926139-X86-ENU.EXE
Publisher : O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS XP FAMILY\SFXCAB.EXE,1.0.0.0
Hash      : SHA256 0xCC11045CB14501C530FF6D3A65154517B8A8E0791E99049BD6CFA349EFA003F6
...
Path      : D:\SCRIPTS\AREMYSERVERSONLINE.PS1
Publisher : O=EXCHANGEMASTER GMBH, L=KLOTEN, S=ZH, C=CH\,0.0.0.0
Hash      : SHA256 0x093C4586412C9B5FD942E298FA02A6809ABD886C67B8831EB0293FB15476AA0B
...
#>
Get-Content -Path 'D:\SCRIPTS\AREMYSERVERSONLINE.PS1'
# Results
<#
Get-Content -Path 'D:\SCRIPTS\AREMYSERVERSONLINE.PS1'
<#
.NAME
AreMyServersOnline v1.0
...
# SIG # Begin signature block
# MIIc2gYJKoZIhvcNAQcCoIIcyzCCHMcCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
...
# SIG # End signature block
#>
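The flow the answer sketches (self-signed code-signing certificate, Set-AuthenticodeSignature, then Get-AppLockerFileInformation to confirm a Publisher appears) as one runnable script; this is an added example, not code from the thread, and it uses New-SelfSignedCertificate in place of the deprecated makecert. It assumes an elevated Windows PowerShell 5.1 session on Windows 10; the subject name, C:\Temp and the script name are placeholders chosen for this example.

```powershell
# Added example (not from the thread): sign a script with a self-signed code-signing
# certificate so that Get-AppLockerFileInformation returns a Publisher for it.
# Assumptions: elevated Windows PowerShell 5.1+ on Windows 10; the subject name,
# the folder C:\Temp and the script name are placeholders chosen here.
$scriptPath = 'C:\Temp\Hello.ps1'
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null
Set-Content -Path $scriptPath -Value 'Write-Output "hello from a signed script"'

# 1. Self-signed code-signing certificate (EKU 1.3.6.1.5.5.7.3.3, the same EKU the
#    makecert lines in the answer request; -Type CodeSigningCert sets it for us).
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Contoso Internal Scripts' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(3)

# 2. AppLocker reports a Publisher only when the signature chains to a root the
#    machine trusts, so the public certificate goes into LocalMachine\Root.
#    Trusted Publishers is what lets an AllSigned execution policy accept it too.
$cerFile = Join-Path $env:TEMP 'contoso-codesign.cer'
Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# 3. Sign the script with the same cmdlet the answer uses; the returned Signature
#    object tells us whether the chain validates on this machine.
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# 4. Check what AppLocker sees: Publisher is now derived from the certificate
#    subject instead of being empty, alongside the file's SHA256 hash.
$info = Get-AppLockerFileInformation -Path $scriptPath
$info | Format-List Path, Publisher, Hash

# 5. Turn that into a publisher rule and print the XML for review; apply it with
#    Set-AppLockerPolicy only after testing it in audit mode.
$info | New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml
```

Files that ship with Windows, such as Add-Numbers.ps1, carry no embedded signature block because they are catalog-signed; Get-AppLockerFileInformation resolves their publisher from the system catalogs, which is why a 55-byte script with no visible signature still reports O=MICROSOFT CORPORATION.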
