Closed HotCakeX closed 1 year ago
Looking into this. I'm guessing the Wizard and the PowerShell cmdlets don't have privileges to scan protected media like this, but we'll check with the file system and Xbox team.
@jgeurten Thank you, btw WDACConfig module can now automatically detect and create allow rules for those files
And yes, you're right, they don't have the privileges to access those files, though I assumed since I used the App/game's PFN then it'd be allowed to run.
Very cool! How did you get around the permissions issue?
Thank you. I figured since the kernel can get their hashes and stores them in Event Viewer logs, I don't have to do it myself.
So I added one more step to those cmdlets by searching in the user-selected directory(s) for any executables that throw [System.UnauthorizedAccessException] when Get-FileHash tries to access them. I collect the locations of those exes, look for them in the Event Viewer logs between the time the cmdlet was first run by the user and the time the scan begins, extract their hashes and add them to the Supplemental policy.
Though I hope the Xbox team and you guys can change the behavior of those exes or ConfigCI cmdlets so that PFN rule will properly cover all of the files included in a packaged app 🙂
Speaking of PFN rules, I noticed WDAC Wizard doesn't create rules for a packaged app's dependencies.
Part of the policy made by WDAC Wizard
<FileRules>
<Allow ID="ID_ALLOW_PFN_0_0_0" FriendlyName="Allow packaged app by Package Family Name (PFN): DevolverDigital.DiscRoomWin10_6kzv4j18v0c96" PackageFamilyName="DevolverDigital.DiscRoomWin10_6kzv4j18v0c96" MinimumFileVersion="1.0.0.0" />
</FileRules>
Part of the policy made by my module
<FileRules>
<Allow ID="ID_ALLOW_A_1" FriendlyName="DevolverDigital.DiscRoomWin10_6kzv4j18v0c96 FileRule" MinimumFileVersion="0.0.0.0" PackageFamilyName="DevolverDigital.DiscRoomWin10_6kzv4j18v0c96" PackageVersion="1.0.5.0" />
<Allow ID="ID_ALLOW_A_2" FriendlyName="Microsoft.VCLibs.140.00.UWPDesktop_8wekyb3d8bbwe FileRule" MinimumFileVersion="0.0.0.0" PackageFamilyName="Microsoft.VCLibs.140.00.UWPDesktop_8wekyb3d8bbwe" PackageVersion="14.0.30704.0" />
</FileRules>
Oh, and as you can see, WDAC Wizard doesn't mention the package version in the rule.
That's a good point. I'll add that now
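The workaround HotCakeX describes above (find the executables Get-FileHash cannot open, then recover their hashes from what the kernel already logged), written out as an added example. This is not the WDACConfig module's own code or anything from the WDAC Wizard. The event IDs (3076 audit, 3077 enforced block), the event XML field names `FileNameBuffer` and `SHA256Hash`, the `ID_ALLOW_A_` rule-ID prefix, the `C:\Path\To\Game` directory and the single-volume path comparison are all assumptions, flagged in the comments, that you should confirm against one real event on your own machine before relying on the output.

```powershell
# Added example, not code from the WDACConfig module or the WDAC Wizard.
# Recovers SHA256 hashes for executables that Get-FileHash cannot open by
# reading the Code Integrity operational log for the window in which the
# protected app was run, then emits WDAC Hash allow rules for them.
#
# Assumptions (verify on your own system before relying on them):
#  - Events 3076 (audit "would have blocked") / 3077 (enforced block) exist
#    for the files, i.e. the app was launched under an audit-mode WDAC policy.
#  - The event XML carries <Data Name="FileNameBuffer"> (a native
#    \Device\HarddiskVolumeN\... path) and <Data Name="SHA256Hash"> (the
#    Authenticode hash a Hash rule expects, not the flat file hash).
#    Check one event with (Get-WinEvent ...)[0].ToXml() if the names differ.
#  - PowerShell 7's Get-FileHash surfaces the failure as
#    System.UnauthorizedAccessException (5.1's script version wraps it).

function Get-InaccessibleExecutable {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($dir in $Path) {
        $files = Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            try {
                $null = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction Stop
            }
            catch [System.UnauthorizedAccessException] {
                $file.FullName   # cannot read it ourselves; the kernel's log has the hash
            }
        }
    }
}

function ConvertTo-ComparablePath {
    param([Parameter(Mandatory)][string]$Path)
    # Strip "C:" or "\Device\HarddiskVolume3" so a Win32 path and the kernel's
    # native path for the same file compare equal (assumes one volume).
    $trimmed = $Path -replace '^(\\Device\\HarddiskVolume\d+|[A-Za-z]:)', ''
    return $trimmed.TrimStart('\').ToLowerInvariant()
}

function Get-LoggedHash {
    param(
        [Parameter(Mandatory)][string[]]$FilePath,
        [Parameter(Mandatory)][datetime]$StartTime,
        [datetime]$EndTime = (Get-Date)
    )
    $wanted = @{}
    foreach ($p in $FilePath) { $wanted[(ConvertTo-ComparablePath $p)] = $p }

    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077   # assumed: audit-mode and enforced-block events
        StartTime = $StartTime
        EndTime   = $EndTime
    }
    $found = @{}
    foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not $data['FileNameBuffer']) { continue }   # assumed field name
        $key = ConvertTo-ComparablePath $data['FileNameBuffer']
        if ($wanted.ContainsKey($key) -and -not $found.ContainsKey($key)) {
            $found[$key] = [pscustomobject]@{ Path = $wanted[$key]; Sha256 = $data['SHA256Hash'] }
        }
    }
    return $found.Values
}

function New-HashAllowRuleXml {
    param([Parameter(Mandatory)][object[]]$Entry, [int]$StartIndex = 1)
    $i = $StartIndex
    foreach ($e in $Entry) {
        $name = [System.Security.SecurityElement]::Escape([IO.Path]::GetFileName($e.Path))
        # ID prefix is an assumption; keep it unique within the policy you merge into
        '<Allow ID="ID_ALLOW_A_{0}" FriendlyName="{1} Hash Sha256" Hash="{2}" />' -f $i, $name, $e.Sha256
        $i++
    }
}

# Usage: record the start time, launch the app under the audit policy, then scan.
$started = Get-Date
# ... launch the game here so the kernel logs its executables ...
$blocked = Get-InaccessibleExecutable -Path 'C:\Path\To\Game'   # placeholder directory
if ($blocked) {
    $hashes = Get-LoggedHash -FilePath $blocked -StartTime $started
    New-HashAllowRuleXml -Entry $hashes
}
```

The emitted `<Allow>` elements only take effect once their IDs are also listed under the policy's `<FileRulesRef>` for the relevant signing scenario, so paste them into a supplemental policy's `<FileRules>` and reference them there (or merge with Merge-CIPolicy) rather than dropping them in alone. `SHA256Hash` is used rather than `SHA256FlatHash` because WDAC hash rules for PE files match on the Authenticode hash.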
I've been trying to create an allow rule for an executable in an Xbox game pass game called Disc Room but it's not working the way I thought it would.
Scanning the folder where the file is located (Level = Hash) using WDAC Wizard or the cmdlets directly creates a policy that includes everything except for that file.
I've tried using DriverFiles and PFN level too but no luck. Is this one of the shortcomings of WDAC or am I missing something?