起因
最近工作中遇到一个银狐变种,会通过手段导致杀软无法正常运行,提示 你的组织使用了 Windows Defender 应用程序控制来阻止此应用
简单记录一下。
解决过程
通过gemini的深度研究功能,帮我查找到相关的资料。Windows Defender Application Control(WDAC)是为企业设计的应用管控工具,没想到被银狐用来对抗杀软,同样的,也有红队使用其来对抗EDR。
通过CiTool能够罗列出来目前加载的所有的规则,受害机器的输出如下:
citool -lp -j
{
"Policies": [{
"PolicyID": "a244370e-44c9-4c06-b551-f6016e563076",
"BasePolicyID": "a244370e-44c9-4c06-b551-f6016e563076",
"FriendlyName": "AllowMicrosoft_2025-05-04",
"Version": 2814749767434246,
"VersionString": "10.0.5.6",
"IsSystemPolicy": false,
"IsSignedPolicy": false,
"IsOnDisk": true,
"IsEnforced": true,
"IsAuthorized": true,
"PolicyOptions": ["Enabled:UMCI", "Disabled:Runtime FilePath Rule Protection", "Enabled:Inherit Default Policy", "Enabled:Unsigned System Integrity Policy", "Disabled:Script Enforcement", "Enabled:Update Policy No Reboot"]
},{
"PolicyID": "a072029f-588b-4b5e-b7f9-05aad67df687",
"BasePolicyID": "a072029f-588b-4b5e-b7f9-05aad67df687",
"FriendlyName": "Microsoft Windows Virtualization Based Security Policy",
"Version": 2814751590187008,
"VersionString": "10.0.27818.0",
"IsSystemPolicy": true,
"IsSignedPolicy": true,
"IsOnDisk": true,
"IsEnforced": false,
"IsAuthorized": false,
"PolicyOptions": ["Enabled:Advanced Boot Options Menu", "Enabled:Update Policy No Reboot"]
}],
"OperationResult": 0
}
为了方便查看我把JSON格式化了一下,且只保留了有问题的一个和正常的一个,实际输出会有很多。其中AllowMicrosoft_2025-05-04就是有问题的部分,虽然显示的是"IsOnDisk": true,但是我在c:\Windows\System32\CodeIntegrity\CiPolicies\Active目录下确实没找到对应的文件,但是该目录的变更时间和中马时间能对应的上。可能加载以后被删除掉了原始的文件。
通过citool可以直接删除掉,命令如下:
citool -rp a244370e-44c9-4c06-b551-f6016e563076 -j
不过还有一个值得注意的是 CiTool.exe 并不在所有的windows版本中可用,
从 Windows 11、版本 22H2 和 2025 Windows Server 开始,它包含在 Windows 映像中
https://learn.microsoft.com/zh-cn/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands
我本地测试也发现,在不同版本的win11中该文件存在不同的版本,他们接受的参数不相同。所以如果想要自动化处理,最好在脚本内自带一个CiTool.exe
完整的自动化脚本如下:
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Definition
$citoolPath = Join-Path $scriptDir "CiTool.exe"
$policies = & $citoolPath -lp -j | ConvertFrom-Json
$unsignedPolicies = $policies.Policies | Where-Object { -not $_.IsSignedPolicy }
foreach ($p in $unsignedPolicies) {
& $citoolPath -rp $p.PolicyID -j
}
# Refresh
echo "Refreshing policy list..."
& $citoolPath -r -j
$services = Get-WmiObject -Class Win32_Service
$targetServices = $services | Where-Object {
$_.PathName -like "*cmd /c cd /d `"C:\ProgramData\*"
}
if ($targetServices.Count -eq 0) {
Write-Host "No matching services found."
} else {
foreach ($svc in $targetServices) {
$name = $svc.Name
$displayName = $svc.DisplayName
$path = $svc.PathName
Write-Host "`n[!] Suspicious service detected:"
Write-Host "Name : $name"
Write-Host "DisplayName : $displayName"
Write-Host "Path : $path"
try {
Write-Host "Stopping service $name..."
Stop-Service -Name $name -Force -ErrorAction Stop
Write-Host "Service stopped."
} catch {
Write-Host "Failed to stop service: $($_.Exception.Message)"
}
Write-Host "Deleting service $name..."
sc.exe delete $name | Out-Null
Write-Host "Service deleted."
if ($path -match 'C:\\ProgramData\\([^\\]+)\\([^\\]+)') {
$dirPath = "C:\ProgramData\$($Matches[1])"
if (Test-Path $dirPath) {
Write-Host "Removing directory: $dirPath"
Remove-Item -Path $dirPath -Recurse -Force -ErrorAction SilentlyContinue
Write-Host "Directory removed."
}
}
}
}
其中C:\ProgramData\*是针对该样本的,后续可能会变化或者存在误杀。
使用教程
- 下载安装360卫士,虽然打不开 但是先备好。
- 保存文件为
stoploss.ps1,准备好CiTool.exe放到同目录,执行powershell -NoProfile -ExecutionPolicy Bypass -File ".\stoploss.ps1" - 再打开360卫士杀毒扫描,即可轻易解决。
IOC
- hxxps[://]www[.]sougoui[.]com/
- hxxps[://]xinfeng168168[.]oss-ap-southeast-1[.]aliyuncs[.]com/sogou_pinyin–utt_13[.]12[.]zip
- cf9f5ee7bb8c4dc3e33c80bb74cdd863