Detected DLLs that are from the internet and “blocked” by CASPOL

安稳与你 提交于 2019-12-12 06:23:54

问题


Is there a way in code to detected whether a DLL is blocked from being loaded because it was downloaded from the internet? I know the caspol.exe utility can read permissions settings, but I would like to stay in code, if possible.


回答1:


Blocked content is controlled by NTFS alternative data streams and can be removed using a command line utility by sysinternals called streams. This is a quote from Wikipedia on ADS.

Microsoft introduced the Attachment Execution Service that stores details on the origin of downloaded files in alternate data streams attached to files, in an effort to protect users from downloaded files that may present a risk.

It tracks the origin of the file, and hence if it originated from the internet it applies the untrusted security policy. Removing the stream removes the record that the file came from an untrusted source. This has the same affect as right-clicking on the file, viewing properties, and choosing unblock. It's also the same affect as using caspol to make the dll full trust.

The following creates a zero byte stream associated with the file test.

echo hello > test:stream

The following project on codeproject has some example code for working with them. I believe you need to delete them from unmanaged code.

Accessing alternative data-streams of files on an NTFS volume



来源:https://stackoverflow.com/questions/7326371/detected-dlls-that-are-from-the-internet-and-blocked-by-caspol

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!