Commit b979e42b authored by lhyqy5's avatar lhyqy5

refactor code

parent f1067329
...@@ -7,60 +7,38 @@ using Microsoft.Win32; ...@@ -7,60 +7,38 @@ using Microsoft.Win32;
namespace SoftCertPolicyAppender namespace SoftCertPolicyAppender
{ {
public class CertPolicyAppender public class SoftwareRestrictionPolicyController
{ {
public void Load(string certFile)
{
var cert = new X509Certificate2();
cert.Import(certFile);
Certificate = cert;
/// <remarks>引用组件来自:https://bitbucket.org/MartinEden/local-policy/overview </remarks>
private static void DeletePolicyKey(string path)
{
var gpo = new ComputerGroupPolicyObject();
using (var machine = gpo.GetRootRegistryKey(GroupPolicySection.Machine))
{
machine.DeleteSubKey(path, false);
}
gpo.Save();
} }
public X509Certificate2 Certificate { get; private set; } /// <remarks>引用组件来自:https://bitbucket.org/MartinEden/local-policy/overview </remarks>
private static void SetPolicyKey(string path, string name, object value, RegistryValueKind kind)
/// <summary>
/// 构造写写入注册表的证书数据
/// </summary>
/// <returns></returns>
private byte[] CalcRegCertData()
{ {
var cert = Certificate; var gpo = new ComputerGroupPolicyObject();
var thumbprintData = cert.Thumbprint.HexString2Bytes().ToArray(); using (var machine = gpo.GetRootRegistryKey(GroupPolicySection.Machine))
{
var rtn = new List<byte>(); using (var cerKey = machine.CreateSubKey(path))
{
//添加数据头,格式是根据注册表的数据推算的,未注释部分为未知 if (cerKey != null) cerKey.SetValue(name, value, kind);
rtn.AddRange(BitConverter.GetBytes(3)); //可能为版本号 }
rtn.AddRange(BitConverter.GetBytes(1)); //可能为次版本号 }
rtn.AddRange(BitConverter.GetBytes(thumbprintData.Length)); //证书宅指纹长度 gpo.Save();
rtn.AddRange(thumbprintData); //证书指纹数据
rtn.AddRange(BitConverter.GetBytes(0x0d));
rtn.AddRange(BitConverter.GetBytes(1));
rtn.AddRange(BitConverter.GetBytes((short)2));
rtn.AddRange(BitConverter.GetBytes(0));
rtn.AddRange(BitConverter.GetBytes(0x1b));
rtn.AddRange(BitConverter.GetBytes(1));
rtn.AddRange(BitConverter.GetBytes(8));
rtn.AddRange(BitConverter.GetBytes(DateTime.Now.ToFileTime())); //时间戳
rtn.AddRange(BitConverter.GetBytes(0x20));
rtn.AddRange(BitConverter.GetBytes(1));
rtn.AddRange(BitConverter.GetBytes(cert.RawData.Length)); //证书长度
//添加证书数据
rtn.AddRange(cert.RawData);
return rtn.ToArray();
} }
/// <summary> private static void SetPolicyRegistryKey(string path, string name, object value, RegistryValueKind kind)
/// 写入注册表项
/// </summary>
/// <returns></returns>
public void WriteRegisty()
{ {
var cer = Certificate;
const string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Group Policy Objects"; const string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Group Policy Objects";
using(var rk = RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Default)) using (var rk = RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Default))
{ {
List<string> certKeys; List<string> certKeys;
using (var srk = rk.OpenSubKey(keyPath)) using (var srk = rk.OpenSubKey(keyPath))
...@@ -69,27 +47,24 @@ namespace SoftCertPolicyAppender ...@@ -69,27 +47,24 @@ namespace SoftCertPolicyAppender
{ {
throw new ApplicationException("无法打开注册表项:" + keyPath); throw new ApplicationException("无法打开注册表项:" + keyPath);
} }
certKeys = srk.GetSubKeyNames().Where(x => x.EndsWith("Machine")).Select(x => string.Format("{0}\\{1}\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{2}", keyPath, x, cer.Thumbprint)) certKeys = srk.GetSubKeyNames().Where(x => x.EndsWith("Machine")).Select(x => string.Format("{0}\\{1}\\{2}", keyPath, x, path))
//.Where(x => rk.OpenSubKey(x) == null) //.Where(x => rk.OpenSubKey(x) == null)
.ToList(); .ToList();
} }
foreach (var key in certKeys) foreach (var key in certKeys)
{ {
using (var skey=rk.CreateSubKey(key)) using (var skey = rk.CreateSubKey(key))
{ {
if (skey != null) skey.SetValue("Blob", CalcRegCertData(), RegistryValueKind.Binary); if (skey != null) skey.SetValue(name, value, kind);
} }
} }
} }
} }
private static void DeletePolicyRegistryKey(string path)
public void RemoveRegisty()
{ {
var cer = Certificate;
const string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Group Policy Objects"; const string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Group Policy Objects";
using (var rk = RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Default)) using (var rk = RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Default))
{ {
...@@ -100,96 +75,94 @@ namespace SoftCertPolicyAppender ...@@ -100,96 +75,94 @@ namespace SoftCertPolicyAppender
{ {
throw new ApplicationException("无法打开注册表项:" + keyPath); throw new ApplicationException("无法打开注册表项:" + keyPath);
} }
certKeys = srk.GetSubKeyNames().Where(x => x.EndsWith("Machine")).Select(x => string.Format("{0}\\{1}\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{2}", keyPath, x, cer.Thumbprint)) certKeys = srk.GetSubKeyNames().Where(x => x.EndsWith("Machine")).Select(x => string.Format("{0}\\{1}\\{2}", keyPath, x, path))
//.Where(x => rk.OpenSubKey(x) == null) //.Where(x => rk.OpenSubKey(x) == null)
.ToList(); .ToList();
} }
foreach (var certKey in certKeys) foreach (var key in certKeys)
{ {
rk.DeleteSubKey(certKey,false); rk.DeleteSubKey(key, false);
} }
} }
}
}
/// <summary> /// <summary>
/// 添加证书组策略 /// 构造写写入注册表的证书数据
/// </summary> /// </summary>
/// <remarks>引用组件来自:https://bitbucket.org/MartinEden/local-policy/overview </remarks> /// <returns></returns>
public void AddCertPolicy() private static byte[] CalcRegCertData(X509Certificate2 cert)
{ {
var cert = Certificate; var thumbprintData = cert.Thumbprint.HexString2Bytes().ToArray();
var gpo = new ComputerGroupPolicyObject(); var rtn = new List<byte>();
var keyPath = string.Format("Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{0}", cert.Thumbprint);
using (var machine = gpo.GetRootRegistryKey(GroupPolicySection.Machine))
{
using (var cerKey = machine.CreateSubKey(keyPath))
{
if (cerKey != null) cerKey.SetValue("Blob", CalcRegCertData(), RegistryValueKind.Binary);
}
}
gpo.Save();
} //添加数据头,格式是根据注册表的数据推算的,未注释部分为未知
rtn.AddRange(BitConverter.GetBytes(3)); //可能为版本号
rtn.AddRange(BitConverter.GetBytes(1)); //可能为次版本号
rtn.AddRange(BitConverter.GetBytes(thumbprintData.Length)); //证书宅指纹长度
rtn.AddRange(thumbprintData); //证书指纹数据
rtn.AddRange(BitConverter.GetBytes(0x0d));
rtn.AddRange(BitConverter.GetBytes(1));
rtn.AddRange(BitConverter.GetBytes((short)2));
rtn.AddRange(BitConverter.GetBytes(0));
rtn.AddRange(BitConverter.GetBytes(0x1b));
rtn.AddRange(BitConverter.GetBytes(1));
rtn.AddRange(BitConverter.GetBytes(8));
rtn.AddRange(BitConverter.GetBytes(DateTime.Now.ToFileTime())); //时间戳
rtn.AddRange(BitConverter.GetBytes(0x20));
rtn.AddRange(BitConverter.GetBytes(1));
rtn.AddRange(BitConverter.GetBytes(cert.RawData.Length)); //证书长度
//添加证书数据
rtn.AddRange(cert.RawData);
return rtn.ToArray();
}
public void RemoveCertPolicy()
/// <summary>
/// 添加证书规则
/// </summary>
/// <param name="cert"></param>
public static void AddCertRule(X509Certificate2 cert)
{ {
var cert = Certificate;
var gpo = new ComputerGroupPolicyObject();
var keyPath = string.Format("Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{0}", cert.Thumbprint); var keyPath = string.Format("Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{0}", cert.Thumbprint);
using (var machine = gpo.GetRootRegistryKey(GroupPolicySection.Machine)) const string keyName = "Blob";
{ const RegistryValueKind kind = RegistryValueKind.Binary;
machine.DeleteSubKey(keyPath,false); var value = CalcRegCertData(cert);
} SetPolicyKey(keyPath, keyName,value,kind);
gpo.Save(); SetPolicyRegistryKey(keyPath,keyName,value,kind);
} }
public void SetForcePolicyStat(bool enable)
/// <summary>
/// 移除证书规则
/// </summary>
/// <param name="cert"></param>
public static void RemoveCertRule(X509Certificate2 cert)
{ {
var gpo = new ComputerGroupPolicyObject(); var keyPath = string.Format("Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{0}", cert.Thumbprint);
const string keyPath = "Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers"; DeletePolicyKey(keyPath);
using (var machine = gpo.GetRootRegistryKey(GroupPolicySection.Machine)) DeletePolicyRegistryKey(keyPath);
{
using (var cerKey = machine.CreateSubKey(keyPath))
{
cerKey.SetValue("AuthenticodeEnabled", enable ? 1 : 0, RegistryValueKind.DWord);
}
}
gpo.Save();
} }
public void SetForceRegistryPolicyStat(bool enable)
{
const string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Group Policy Objects";
using (var rk = RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Default))
{
List<string> certKeys;
using (var srk = rk.OpenSubKey(keyPath))
{
if (srk == null)
{
throw new ApplicationException("无法打开注册表项:" + keyPath);
}
certKeys = srk.GetSubKeyNames().Where(x => x.EndsWith("Machine")).Select(x => string.Format("{0}\\{1}\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers", keyPath, x))
//.Where(x => rk.OpenSubKey(x) == null)
.ToList();
}
foreach (var key in certKeys) /// <summary>
{ /// 设置是否启用强制策略
using (var skey = rk.CreateSubKey(key)) /// </summary>
{ /// <param name="enable"></param>
if (skey != null) skey.SetValue("AuthenticodeEnabled", enable ? 1 : 0, RegistryValueKind.DWord); public static void SetForcePolicyState(bool enable)
} {
} const string keyPath = "Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers";
} const string keyName = "AuthenticodeEnabled";
const RegistryValueKind kind = RegistryValueKind.DWord;
var value = enable ? 1 : 0;
SetPolicyKey(keyPath, keyName, value, kind);
SetPolicyRegistryKey(keyPath, keyName, value, kind);
} }
} }
......
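Review bot: In SetPolicyKey a null result from machine.CreateSubKey(path) is silently skipped and gpo.Save() still runs, so the Disallowed-certificate entry may never be written while AddCertRule's caller goes on to print "Add cert policy for"; SetPolicyRegistryKey repeats the same silent skip on `if (skey != null) skey.SetValue(name, value, kind);`. For a control whose purpose is to block execution, a failure to apply it should surface rather than be swallowed: `if (cerKey == null) throw new InvalidOperationException("无法创建注册表项:" + path);` before the SetValue call, and the equivalent in SetPolicyRegistryKey, which mirrors the "无法打开注册表项" exception the class already throws when the GPO root key cannot be opened. Separately, `x.EndsWith("Machine")` in both SetPolicyRegistryKey and DeletePolicyRegistryKey is a culture-sensitive comparison on registry key names; `x.EndsWith("Machine", StringComparison.Ordinal)` pins it. The four private helpers carry only a `<remarks>` tag; a one-line `<summary>` on each (e.g. that SetPolicyKey writes one value into the Machine section of the local GPO through ComputerGroupPolicyObject and saves it, while SetPolicyRegistryKey writes the same value under every "*Machine" key below the current user's Group Policy Objects key) would spare the next reader from inferring why each rule is written twice.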
using System; using System;
using System.Linq; using System.Linq;
using System.Security.Cryptography.X509Certificates;
namespace SoftCertPolicyAppender namespace SoftCertPolicyAppender
{ {
...@@ -10,6 +11,23 @@ namespace SoftCertPolicyAppender ...@@ -10,6 +11,23 @@ namespace SoftCertPolicyAppender
{ {
var flag = 0; var flag = 0;
var cers = args.Where(x => x.EndsWith(".cer") || x.EndsWith(".crt") || x.EndsWith(".pem")).ToArray(); var cers = args.Where(x => x.EndsWith(".cer") || x.EndsWith(".crt") || x.EndsWith(".pem")).ToArray();
if (args.Contains("-h") || args.Contains("--help")||args.Length==0)
{
const string usage = @"Usage:SoftwareRestrictionPolicyController.exe [OPTOION]... [CERTFILE]...
config software restriction policy by cli
OPTIONs
--set-force set force certificate policy
--unset-force unset force certificate policy
-r remove certificate rule by CERTFILEs not add
CERTFILEs
certificate file path that will add certificate rule
";
Console.Write(usage);
return;
}
if (args.Contains("-r")) if (args.Contains("-r"))
{ {
flag = 1; flag = 1;
...@@ -17,45 +35,40 @@ namespace SoftCertPolicyAppender ...@@ -17,45 +35,40 @@ namespace SoftCertPolicyAppender
if (args.Contains("--set-force")) if (args.Contains("--set-force"))
{ {
var appender = new CertPolicyAppender (); SoftwareRestrictionPolicyController.SetForcePolicyState(true);
appender.SetForceRegistryPolicyStat (true);
appender.SetForcePolicyStat (true);
Console.WriteLine("Apply force certificate policy"); Console.WriteLine("Apply force certificate policy");
} }
if (args.Contains("--unset-force")) if (args.Contains("--unset-force"))
{ {
var appender = new CertPolicyAppender (); SoftwareRestrictionPolicyController.SetForcePolicyState(false);
appender.SetForceRegistryPolicyStat (false);
appender.SetForcePolicyStat (false);
Console.WriteLine("Cancel force certificate policy"); Console.WriteLine("Cancel force certificate policy");
} }
for (var i=0 ;i<cers.Length;i++) for (var i = 0; i < cers.Length; i++)
{ {
try try
{ {
var appdender = new CertPolicyAppender(); var cert = new X509Certificate2(cers[i]);
appdender.Load(cers[i]);
Console.ForegroundColor = ConsoleColor.DarkGreen; Console.ForegroundColor = ConsoleColor.DarkGreen;
Console.Write("{0}.",i+1); Console.Write("{0}.", i + 1);
Console.ResetColor(); Console.ResetColor();
switch (flag) switch (flag)
{ {
case 0: case 0:
appdender.WriteRegisty(); SoftwareRestrictionPolicyController.AddCertRule(cert);
appdender.AddCertPolicy(); Console.Write("Add cert policy for ");
Console.Write("Add cert policy for ");
break; break;
case 1: case 1:
appdender.RemoveRegisty(); SoftwareRestrictionPolicyController.RemoveCertRule(cert);
appdender.RemoveCertPolicy(); Console.Write("Remove cert policy for ");
Console.Write("Remove cert policy for "); break;
break;
} }
Console.ForegroundColor = ConsoleColor.Yellow; Console.ForegroundColor = ConsoleColor.Yellow;
Console.WriteLine("{0}({1})",appdender.Certificate.Subject,appdender.Certificate.Thumbprint); Console.WriteLine("{0}({1})", cert.Subject, cert.Thumbprint);
Console.ResetColor(); Console.ResetColor();
} }
catch (Exception e) catch (Exception e)
......
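Review bot: The new usage text misspells its placeholder, `[OPTOION]...`, in user-visible output; it should read `[OPTION]...`. The certificate now built directly from a command-line path in `var cert = new X509Certificate2(cers[i]);` is IDisposable and is never disposed; `using (var cert = new X509Certificate2(cers[i]))` wrapping the rest of the try body would release the handle after each file. The file filter `x.EndsWith(".cer") || x.EndsWith(".crt") || x.EndsWith(".pem")` is culture-sensitive and case-sensitive, so a `.CER` argument is silently ignored rather than reported; passing `StringComparison.OrdinalIgnoreCase` makes the intended matching explicit. Main's try/catch continues past the end of this hunk, so the catch body was not reviewed.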