|
Sorry, I have not used this API; you will need to study the documentation. Alternatively, use Google to find sample code.
|
|
|
|
|
Hi,
You should add more error handling; this is just a code sample:
#include <windows.h>
#include <initguid.h>   // before gpedit.h, so its DEFINE_GUIDs are instantiated in this file
#include <comdef.h>
#include <atlcomcli.h>
#include <gpedit.h>
#include <tchar.h>
#pragma comment(lib, "gpedit.lib")

// Must run elevated. The values go into the local GPO (registry.pol) and reach
// HKLM\SOFTWARE\Policies on the next policy refresh.
int main()
{
    HKEY key = NULL;
    HKEY pol = NULL;
    DWORD val = 1;
    DWORD disp = 0;
    GUID ext = REGISTRY_EXTENSION_GUID;

    CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
    CComPtr<IGroupPolicyObject> lgp;
    HRESULT hr = CoCreateInstance(CLSID_GroupPolicyObject, NULL, CLSCTX_INPROC_SERVER,
                                  IID_IGroupPolicyObject, (LPVOID*)&lgp);
    if (SUCCEEDED(hr) && SUCCEEDED(lgp->OpenLocalMachineGPO(GPO_OPEN_LOAD_REGISTRY)))
    {
        // key is the machine section of the GPO's registry data, not the live HKLM hive.
        if (SUCCEEDED(lgp->GetRegistryKey(GPO_SECTION_MACHINE, &key)))
        {
            // All Removable Storage classes: Deny all access
            if (RegCreateKeyExW(key, L"SOFTWARE\\Policies\\Microsoft\\Windows\\RemovableStorageDevices",
                                0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_QUERY_VALUE, NULL, &pol, &disp) == ERROR_SUCCESS)
            {
                RegSetValueExW(pol, L"Deny_All", 0, REG_DWORD, (const BYTE*)&val, sizeof(val));
                RegCloseKey(pol);
            }
            // Removable Disks class: Deny write, read and execute access
            if (RegCreateKeyExW(key, L"SOFTWARE\\Policies\\Microsoft\\Windows\\RemovableStorageDevices\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
                                0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_QUERY_VALUE, NULL, &pol, &disp) == ERROR_SUCCESS)
            {
                RegSetValueExW(pol, L"Deny_Write", 0, REG_DWORD, (const BYTE*)&val, sizeof(val));
                RegSetValueExW(pol, L"Deny_Read", 0, REG_DWORD, (const BYTE*)&val, sizeof(val));
                RegSetValueExW(pol, L"Deny_Execute", 0, REG_DWORD, (const BYTE*)&val, sizeof(val));
                RegCloseKey(pol);
            }
            RegCloseKey(key);
            // Write the machine section and register the Registry client-side extension for it.
            hr = lgp->Save(TRUE, TRUE, &ext, const_cast<GUID*>(&CLSID_GPESnapIn));
            _com_error err(hr);
            _tprintf(_T("%s\n"), err.ErrorMessage());
        }
    }
    lgp.Release();
    CoUninitialize();
    return 0;
}
It will set the following policies:
- All Removable Storage classes: Deny All access
- Removable Disks: Deny execute access
- Removable Disks: Deny read access
- Removable Disks: Deny write access
Best Wishes,
-David Delaune
[Edit two days later]
You can also add an attack surface reduction policy via Windows Defender that requires anything that executes from USB to be signed:
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled
modified 4-Sep-20 17:57pm.
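A check to run after the program above, as an added example (my code, not David Delaune's): it reads the four values back from the live policy hive and reports any that are absent or not set to 1. It assumes the program ran elevated and that a policy refresh (gpupdate /force, or the periodic refresh) has happened since, because values written through IGroupPolicyObject land in registry.pol and reach HKLM only when policy is applied. It cannot tell a value applied by policy from one written straight into HKLM; only the former shows up in gpedit.msc. The key and value names are the ones the sample writes; the non-Windows branch of main() uses a constructed snapshot so the comparison can be exercised anywhere.

```cpp
// Added example (not the poster's code): verify that the removable-storage policy
// values written above have reached HKLM\SOFTWARE\Policies after a policy refresh.
#include <cstdio>
#include <map>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

struct PolicyValue {
    std::wstring subkey;   // relative to the RemovableStorageDevices key; empty = that key itself
    std::wstring name;
};

static const wchar_t kPolicyRoot[] = L"SOFTWARE\\Policies\\Microsoft\\Windows\\RemovableStorageDevices";
static const wchar_t kRemovableDisks[] = L"{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}";

// The four values the sample sets, all expected to be REG_DWORD 1.
const std::vector<PolicyValue>& ExpectedValues()
{
    static const std::vector<PolicyValue> v = {
        {L"",             L"Deny_All"},      // all removable storage classes: deny all access
        {kRemovableDisks, L"Deny_Read"},     // removable disks: deny read
        {kRemovableDisks, L"Deny_Write"},    // removable disks: deny write
        {kRemovableDisks, L"Deny_Execute"},  // removable disks: deny execute
    };
    return v;
}

// Identifier used in a snapshot: "Deny_All" for the root, "{guid}\\Deny_Read" for a class.
std::wstring ValueId(const PolicyValue& pv)
{
    return pv.subkey.empty() ? pv.name : pv.subkey + L"\\" + pv.name;
}

// What was found in the registry: identifier -> DWORD data. Absent = value not present.
typedef std::map<std::wstring, unsigned long> PolicySnapshot;

// Returns the identifiers of expected values that are absent or not set to 1,
// in the order ExpectedValues() lists them.
std::vector<std::wstring> MissingPolicyValues(const PolicySnapshot& snap)
{
    std::vector<std::wstring> missing;
    for (const PolicyValue& pv : ExpectedValues()) {
        PolicySnapshot::const_iterator it = snap.find(ValueId(pv));
        if (it == snap.end() || it->second != 1)
            missing.push_back(ValueId(pv));
    }
    return missing;
}

#ifdef _WIN32
// Read the live HKLM policy key. Only values present as REG_DWORD are recorded.
PolicySnapshot ReadPolicySnapshot()
{
    PolicySnapshot snap;
    for (const PolicyValue& pv : ExpectedValues()) {
        std::wstring path = kPolicyRoot;
        if (!pv.subkey.empty())
            path += L"\\" + pv.subkey;
        HKEY h = NULL;
        if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, path.c_str(), 0, KEY_QUERY_VALUE, &h) != ERROR_SUCCESS)
            continue;   // key not created yet: every value under it counts as missing
        DWORD data = 0, size = sizeof(data), type = 0;
        if (RegQueryValueExW(h, pv.name.c_str(), NULL, &type, reinterpret_cast<BYTE*>(&data), &size) == ERROR_SUCCESS
            && type == REG_DWORD)
            snap[ValueId(pv)] = data;
        RegCloseKey(h);
    }
    return snap;
}
#endif

int main()
{
#ifdef _WIN32
    PolicySnapshot snap = ReadPolicySnapshot();
#else
    // Constructed snapshot for a non-Windows build: root value present, class values not.
    PolicySnapshot snap;
    snap[L"Deny_All"] = 1;
#endif
    std::vector<std::wstring> missing = MissingPolicyValues(snap);
    if (missing.empty()) {
        wprintf(L"removable storage policy is in effect\n");
        return 0;
    }
    for (size_t i = 0; i < missing.size(); ++i)
        wprintf(L"not applied: %ls\n", missing[i].c_str());
    return 1;
}
```

Exit status 1 with a list of what is missing is the useful outcome: Deny_All alone under the root already covers every class, so the three Removable Disks values showing up as missing after a refresh means the class subkey was not saved, not that access is still allowed.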
|
|
|
|
|
To anyone who can help me Please?
I apologise in advance if my question seems confusing or noobish, but I have no clue about coding in C++, hence the apparent ignorance & difficulty for me (& for some it may be a very basic question). First of all, I have these lines of code that I would like to amend slightly, like so:
#include <windows.h>

// sfc_os.dll ordinal 5 (undocumented): SetSfcFileException(0, path, -1) lifts
// Windows File Protection for that one file.
typedef DWORD (__stdcall *CPP)(DWORD param1, LPCWSTR param2, DWORD param3);
void Disable_WFP() {
    HMODULE hmod = LoadLibraryA("sfc_os.dll");
    if (hmod == NULL) return;
    CPP SetSfcFileException = (CPP)GetProcAddress(hmod, (LPCSTR)5);
    if (SetSfcFileException != NULL)
        SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe", -1);
}
It is not my code, it belongs to Abdellatif_El_Khlifi & all credit belongs to him, but I would like to make a small amendment to his code & have no clue how to do this. The alteration: I would like to change this line:
SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe",-1);
and alter to: (this is obviously not C++ but just trying to illustrate what I am trying to do)
SetSfcFileException(0, L"%SystemDrive%\\windows\\system32\\calc.exe",-1);
My question is: is there equivalent C++ code for the SystemDrive variable, & could someone re-code this to make the small amendment please, to suit my needs? The reason is it will make the program more generic for me, just in case say for instance my OS XP is installed on the D:\\ drive instead of the C:\\ drive. I have found this snippet of code that may be of help but have no clue as to how I would incorporate it in the given scenario above:
char *sysDrive = getenv("SystemDrive");
or this:
const char *sysdrive = getenv("SYSTEMDRIVE");
if (sysdrive == NULL || *sysdrive == '\0')
    sysdrive = "C:\\";   // note: the real %SystemDrive% value is "C:" with no trailing backslash
Best Regards,
Jackngill
|
|
|
|
|
Funny that someone who admits having little programming experience wants to explore an issue that has been linked to malware in the past.
Can you explain what legitimate purpose you have?
BTW the article you mention is here on CP. Also I don’t see what useful purpose it serves.
Mircea
modified 30-Aug-20 23:38pm.
|
|
|
|
|
Hi Mircea,
I suppose as with all things in life you can use any tool for either a positive outcome or a negative outcome, & I am not very happy that I am being targeted as a possible malware code writer, as I am absolutely not. For one thing I would not post a question like this here; it would be on the dark web (whatever that is, as I have never been there). And who & what has been linked to malware? If it has been linked to malware, why has the code by Abdellatif_El_Khlifi been allowed to remain posted for as long as it has? That to me is what is funny.
As to my personal reasons to undertake this task I will try to explain. Firstly, I am still using XP & I like to carry out operations like creating mini Windows variants of XP, which is not negative in itself. I will chop and change from a good XP system to a mini XP system on different drives, so the code altered re the SystemDrive makes it easier for generic drives, not being hard-coded to C:\\, & to me is a legitimate reason. The portion of code suits my needs very well in that I can selectively stop Windows File Protection on individual files to carry out removal or adjustment so that I do not get error messages being reported back. There is a way already of disabling WFP but it is more of a shotgun shampoo approach in that it switches off WFP wholesale, but I digress. This code would facilitate me in selectively disarming WFP on selective file(s) in a quick manner without rebooting etc. I stated & came clean about who wrote the original code & I hinted in my original post at the reason for it. My motives are honourable & not for negative reasons; to me it would prove very useful! XP as an OS is becoming a niche market; there is no longer any support for it, so if I was a malware code writer I would surely opt for something like Windows 10 for greater kudos, YES/NO?
If it is a problem & is considered to be useful for malware, can someone private-message me the amended code so I can carry out what I want to do quietly for my own purposes? My preferences are set to receive emails. I do not want to cause trouble or engage in arguments; life is too short for that. I am asking for help, can someone help please?
P.S. I was going to ask if there could be an undo portion of code to undo the changes in a separate file that I could compile but I think that is going to be too ambitious as a request.
Best Regards,
Jackngill
modified 31-Aug-20 8:07am.
|
|
|
|
|
Here is one encouraging bit of news though: I have stumbled upon the very thing I need, called WFPReplacer. It is a command-line Windows utility that pretty well does what I want & generally in the same manner. It disables WFP for singular files & can also be used for wholesale switching off of WFP if the right file is replaced. All I need to do is write a batch file as a front end to back up the system files I want to disable, then use WFPReplacer.exe. So if in the event of the proceedings the routine gets stuffed I can revert back to the backed-up files. I think this program uses the same type of embedded coding but is written in Delphi/Pascal; it is from Remko Weijnen's Blog (Remko's Blog), "replacing Wfp protected files".
I generally like to leave whatever I am doing on a positive note. And NO, I do not have any interest in coding malware, so just in case someone else lands on this forum & is trying to accomplish a similar exercise, here is the code that one can compile (this is not my code, it belongs to Remko Weijnen's Blog (Remko's Blog)). Please be advised it is NOT C++, it is a command-line exe in Delphi/Pascal found at this link, so all credits belong to him. The link is:
https://www.remkoweijnen.nl/blog/2012/12/05/replacing-wfp-protected-files/
// Fragment as posted (decompiler-style output, with the opening of the function
// missing); v8, v9 and hServerVar are names from that output.
DWORD __stdcall SfcFileException(RPC_BINDING_HANDLE hServer, LPCWSTR lpSrc, int Unknown)
        hServer = hServerVar;
    }
    nts = SfcRedirectPath(lpSrc, (int)&v8);
    if ( nts >= 0 )
        dwResult = SfcCli_FileException((int)hServer, v9, Unknown).Simple;
    else
        dwResult = RtlNtStatusToDosError(nts);
    dwResultVar = dwResult;
    MemFree(v9);
    return dwResultVar;
}
Also as one further warning (Unless you know what you are doing!!!) do not attempt to use this program, ALWAYS ALWAYS ALWAYS backup your system files before deletion or alteration.
What this program will do is disarm WFP for 60 seconds whilst you interchange or amend your files. Example usage is:
WfpReplacer.exe c:\windows\Notepad.exe (Errorlevel true or false will be produced on execution).
Best Regards
David
|
|
|
|
|
jackngill wrote:
My question is there an equivalent C++ code for the SystemDrive variable... Check out SHGetKnownFolderPath() or SHGetFolderPath().
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
|
|
|
|
|
Hi David,
Thanks for your post, but I think your answer is for Vista & above (I could be wrong), but my question is related to XP.
Found this though:
Most of the constants are based on documented CSIDL's ( http://msdn.microsoft.com/en-us/library/bb762494%28v=VS.85%29.aspx ) except temp and quicklaunch IIRC. There is no documented api to get the systemdrive AFAIK so ReadEnvStr is as native as this is going to get.
ReadEnvStr $0 "SYSTEMDRIVE"
status: open --> closed
But even that is not even injectable into the line SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe",-1); as the above only states open or closed status. I think ultimately I am flogging a dead horse, was hoping for a quick easy interchange of code but looks like the answer will require multi-lines of code & I am incapable of undertaking that.
But regardless many thanks for the response david
|
|
|
|
|
jackngill wrote: There is no documented api to get the systemdrive AFAIK Maybe, maybe not. But taking the first letter of CSIDL_SYSTEM or CSIDL_WINDOWS , for example, will get you the correct drive.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
|
|
|
|
|
|
How exactly would that function return the desired information?
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
|
|
|
|
|
AS you suggested:
call any of the SHGetFolderPath(), ... with CSIDL_WINDOWS
and then pass the returned path (say, windowsDir) into PathGetDriveNumber:
int n = PathGetDriveNumberW(windowsDir);            // -1 if the path has no drive letter
WCHAR letter = (n >= 0) ? (WCHAR)(L'A' + n) : L'\0';
|
|
|
|
|
But the return value from SHGetKnownFolderPath() already contains the system's drive letter. There's no need to pass that path to PathGetDriveNumber() , have it return a number, and then convert that number back into a drive letter that was already obtained.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
|
|
|
|
|
Yes, I know it. It was just a proposal to use an API rather than to search for a letter in the returned path ...
|
|
|
|
|
Victor Nijegorodov wrote: ...rather than to search for a letter in the returned path Search for something that's always in position 0?
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
|
|
|
|
|
|
Once more, my reply was not for you, it was just for the OP...
Sorry, if I put it in a wrong place!
|
|
|
|
|
|
|
|
|
|
Hi folks thanks for the input,
PathGetDriveNumberA function
Searches a path for a drive letter within the range of 'A' to 'Z' and returns the corresponding drive number.
Syntax
int PathGetDriveNumberA(
LPCSTR pszPath
);
Parameters
pszPath
Type: LPCTSTR
A pointer to a null-terminated string of maximum length MAX_PATH that contains the path to be searched.
Return value
Type: int
Returns 0 through 25 (corresponding to 'A' through 'Z') if the path has a drive letter, or -1 otherwise.
Remarks
Note
The shlwapi.h header defines PathGetDriveNumber as an alias which automatically selects the ANSI or Unicode version of this function based on the definition of the UNICODE preprocessor constant. Mixing usage of the encoding-neutral alias with code that is not encoding-neutral can lead to mismatches that result in compilation or runtime errors. For more information, see Conventions for Function Prototypes.
Taken from: PathGetDriveNumberA function (shlwapi.h) - Win32 apps | Microsoft Docs
does this help in any way?
Regards
Jackngill
|
|
|
|
|
|
|
Hi Victor
Many thanks. Can I take a further liberty in answering your question with yet another question?
Your "?" - Did you try GetEnvironmentVariable function (winbase.h) - Win32 apps | Microsoft Docs ?
Can I answer with:
Is there something (of some kind, like for instance Emu8086) that would be able to run C++ code to check if it works & possibly feed back errors, that is compatible with XP, as my skills in C++ are, shall we say, very sadly lacking, as suggested in my 1st post. I know what I want to do but don't know how to get there. The short answer is no, sorry!
I have been researching further & I have found this snippet of code from (To reveal the source click on the link below)
C++/CLI Code Snippet - Access current environment directories and logical drives
which states this
Console::WriteLine("Get Environment Variable: Home Drive " + Environment::GetEnvironmentVariable("HOMEDRIVE"));
However Line 15 (the last 2 lines) is all one line & it states WriteLine, which implies output to the console?
Then could Homedrive be called/injected into this line in the first post
SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe",-1);
like this:
SetSfcFileException(0, L"HOMEDRIVE:\\windows\\system32\\calc.exe",-1);
I am assuming I would need new headers & would need to know where to insert the code. I am assuming prior to the execution of the code in the 1st post I made (which I did not write), because once the code is executed within the C++ it would remain memory resident to access later to invoke the HOMEDRIVE system variable. Hope I am not blowing smoke here, just a theory?
P.S. Is the C++ code in post 1 for Windows or command line, as the above code I think is for command line? I would have thought mixing code from two standpoints would not be good?
All the best,
Jackngill
modified 4-Sep-20 9:35am.
|
|
|
|
|
jackngill wrote: I have been researching further & I have found this snippet of code from (To reveal the source click on the link below)
C++/CLI Code Snippet - Access current environment directories and logical drives
The sample from CPP-CLI source has nothing to do with the native C++ code that you seem to be using!
Try this:
#include <windows.h>
#include <tchar.h>

TCHAR buffer[30] = {0};
// %SystemDrive% is normally "C:" with no trailing backslash.
if (::GetEnvironmentVariable(_T("SYSTEMDRIVE"), buffer, _countof(buffer)))
{
    TCHAR path[MAX_PATH] = {0};
    // Backslashes have to be doubled inside a string literal, and the write is bounded.
    _stprintf_s(path, _countof(path), _T("%s\\windows\\system32\\calc.exe"), buffer);
    _tprintf(_T("%s\n"), path);
    SetSfcFileException(0, path, -1);
}
|
|
|
|
|
Hi Victor,
Sorry about the prior code snippet, apologies.
I have copied your code and ran it here:
https://www.onlinegdb.com/online_c++_compiler
Unfortunately it came up with a few errors:
Compilation failed due to following error(s). main.cpp:1:1: error: ‘TCHAR’ does not name a type
TCHAR buffer[30] = {0};
^~~~~
main.cpp:2:5: error: expected unqualified-id before ‘if’
if (::GetEnvironmentVariable(_T("SYSTEMDRIVE"), buffer, _countof(buffer)))
^~
Do these error codes mean anything to you?
Best Regards
David
|
|
|
|
|
I have no idea what compiler you are using...
If you compile it as UNICODE then replace TCHAR with wchar_t, _T() macro - with L, and _stprintf - with swprintf.
Besides, learn to use Google to search quickly for such types of errors...
|
|
|
|
|
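Pulling the thread together as an added example (my code, not from any poster): the drive comes from %SystemDrive%, which Windows sets to a bare "C:" with no trailing backslash (so the "C:\\" fallback quoted in the first post is normalised rather than producing "C:\\\\windows"), and the value is validated before it is formatted into the path, because the environment is inherited from whatever launched the process and is not something to trust blindly. On Windows it also shows GetSystemDirectoryW, which returns the system32 directory directly, exists on XP, and copes with installs where the directory is not named "windows", so the drive-letter question goes away. Only those two documented calls are assumed; the SetSfcFileException call itself stays with the code in the first post, and the string this produces is what would replace the hard-coded L"c:\\windows\\system32\\calc.exe" there.

```cpp
// Added example (not code from the thread): build the system32 path from the
// environment instead of hard-coding "c:", validating the value first.
// Assumes only GetSystemDirectoryW and GetEnvironmentVariableW on Windows.
#include <cstdio>
#include <cwctype>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// Longest path accepted, matching MAX_PATH on Windows.
static const size_t kMaxPath = 260;

// Returns L"<X>:\\windows\\system32\\<file>" when `drive` is a bare drive
// ("C:" as %SystemDrive% gives it, or "C:\\" as the thread's fallback gives it)
// and `file` is a plain file name. Returns an empty string for anything else:
// an unset variable, a longer path such as "C:\\Users", a UNC prefix, a file
// name carrying directory components, or a result longer than MAX_PATH.
std::wstring BuildSystem32Path(std::wstring drive, const std::wstring& file)
{
    if (drive.size() == 3 && drive[2] == L'\\')
        drive.erase(2);                              // "C:\\" -> "C:"
    if (drive.size() != 2 || !std::iswalpha(drive[0]) || drive[1] != L':')
        return L"";
    if (file.empty() || file.find_first_of(L"\\/:") != std::wstring::npos
        || file.find(L"..") != std::wstring::npos)
        return L"";
    std::wstring path = drive + L"\\windows\\system32\\" + file;
    if (path.size() >= kMaxPath)
        return L"";
    return path;
}

#ifdef _WIN32
// %SystemDrive% as the OS reports it (normally "C:", no trailing backslash).
std::wstring SystemDriveFromEnvironment()
{
    wchar_t buf[8] = {0};
    DWORD n = GetEnvironmentVariableW(L"SystemDrive", buf, 8);
    return (n > 0 && n < 8) ? std::wstring(buf) : L"";
}

// The direct route: Windows already knows where system32 is, on XP as well.
std::wstring System32FromApi()
{
    wchar_t buf[kMaxPath] = {0};
    UINT n = GetSystemDirectoryW(buf, kMaxPath);
    return (n > 0 && n < kMaxPath) ? std::wstring(buf) : L"";
}
#endif

int main()
{
#ifdef _WIN32
    std::wstring viaEnv = BuildSystem32Path(SystemDriveFromEnvironment(), L"calc.exe");
    std::wstring viaApi = System32FromApi() + L"\\calc.exe";
    wprintf(L"from %%SystemDrive%%: %ls\nfrom GetSystemDirectoryW: %ls\n",
            viaEnv.c_str(), viaApi.c_str());
#else
    // Off Windows there is no SystemDrive; exercise the validator on constructed input.
    wprintf(L"%ls\n", BuildSystem32Path(L"D:", L"calc.exe").c_str());
    wprintf(L"rejected: %d\n", BuildSystem32Path(L"C:\\Users", L"calc.exe").empty());
#endif
    return 0;
}
```

An empty return means "do not call anything with this"; callers should treat it as a refusal rather than fall back to a hard-coded drive, since a malformed %SystemDrive% is exactly the case where guessing is wrong.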