I have a script that enables the following process mitigations for Firefox via PowerShell:
# Each call writes one mitigation into the per-process (registry) settings for firefox.exe
Set-ProcessMitigation -Name firefox.exe -Enable SEHOP
Set-ProcessMitigation -Name firefox.exe -Enable EnableRopSimExec
Set-ProcessMitigation -Name firefox.exe -Enable EnableRopCallerCheck
Set-ProcessMitigation -Name firefox.exe -Enable EnableRopStackPivot
Set-ProcessMitigation -Name firefox.exe -Enable EnableImportAddressFilter
Set-ProcessMitigation -Name firefox.exe -Enable BlockLowLabelImageLoads
Set-ProcessMitigation -Name firefox.exe -Enable PreferSystem32
Set-ProcessMitigation -Name firefox.exe -Enable BlockRemoteImageLoads
Set-ProcessMitigation -Name firefox.exe -Enable DisableNonSystemFonts
Set-ProcessMitigation -Name firefox.exe -Enable EnforceModuleDependencySigning
Set-ProcessMitigation -Name firefox.exe -Enable StrictCFG
Set-ProcessMitigation -Name firefox.exe -Enable SuppressExports
Set-ProcessMitigation -Name firefox.exe -Enable CFG
Set-ProcessMitigation -Name firefox.exe -Enable AllowThreadsToOptOut
Set-ProcessMitigation -Name firefox.exe -Enable DisableExtensionPoints
Set-ProcessMitigation -Name firefox.exe -Enable StrictHandle
Set-ProcessMitigation -Name firefox.exe -Enable HighEntropy
Set-ProcessMitigation -Name firefox.exe -Enable BottomUp
Set-ProcessMitigation -Name firefox.exe -Enable RequireInfo
Set-ProcessMitigation -Name firefox.exe -Enable ForceRelocateImages
Set-ProcessMitigation -Name firefox.exe -Enable EmulateAtlThunks
Set-ProcessMitigation -Name firefox.exe -Enable DEP
However, when I then run get-processmitigation firefox.exe, I get the following output:
ProcessName : firefox.exe
Source : Registry
Id : 0
DEP:
Enable : ON
EmulateAtlThunks : ON
Override DEP : False
ASLR:
BottomUp : ON
Override BottomUp : False
ForceRelocateImages : ON
RequireInfo : ON
Override ForceRelocate : False
HighEntropy : ON
Override High Entropy : False
StrictHandle:
Enable : NOTSET
Override StrictHandle : False
System Call:
DisableWin32kSystemCalls : NOTSET
Audit : NOTSET
Override SystemCall : False
ExtensionPoint:
DisableExtensionPoints : ON
Override ExtensionPoint : False
DynamicCode:
BlockDynamicCode : NOTSET
AllowThreadsToOptOut : NOTSET
Audit : NOTSET
Override DynamicCode : False
CFG:
Enable : NOTSET
SuppressExports : OFF
Override CFG : False
StrictControlFlowGuard : NOTSET
Override StrictCFG : False
BinarySignature:
MicrosoftSignedOnly : NOTSET
AllowStoreSignedBinaries : OFF
EnforceModuleDependencySigning : ON
AuditMicrosoftSignedOnly : NOTSET
AuditStoreSigned : OFF
AuditEnforceModuleDependencySigning: NOTSET
Override MicrosoftSignedOnly : False
Override DependencySigning : False
FontDisable:
DisableNonSystemFonts : ON
Audit : NOTSET
Override FontDisable : False
ImageLoad:
BlockRemoteImageLoads : ON
AuditRemoteImageLoads : NOTSET
Override BlockRemoteImages : False
BlockLowLabelImageLoads : ON
AuditLowLabelImageLoads : NOTSET
Override BlockLowLabel : False
PreferSystem32 : ON
AuditPreferSystem32 : NOTSET
Override PreferSystem32 : False
Payload:
EnableExportAddressFilter : NOTSET
AuditEnableExportAddressFilter : NOTSET
Override ExportAddressFilter : False
EnableExportAddressFilterPlus : NOTSET
AuditEnableExportAddressFilterPlus : NOTSET
Override ExportAddressFilterPlus : False
EAFModules : {}
EnableImportAddressFilter : ON
AuditEnableImportAddressFilter : NOTSET
Override ImportAddressFilter : False
EnableRopStackPivot : ON
AuditEnableRopStackPivot : NOTSET
Override EnableRopStackPivot : False
EnableRopCallerCheck : ON
AuditEnableRopCallerCheck : NOTSET
Override EnableRopCallerCheck : False
EnableRopSimExec : ON
AuditEnableRopSimExec : NOTSET
Override EnableRopSimExec : False
SEHOP:
Enable : NOTSET
TelemetryOnly : OFF
Audit : NOTSET
Override SEHOP : False
Heap:
TerminateOnError : NOTSET
Override HEAP : False
Child Process:
DisallowChildProcessCreation : NOTSET
Audit : NOTSET
Override ChildProcess : False
As you can see, many of the process mitigations that are not enabled by default are indeed NOTSET. However, when I enter one specific process mitigation (for example the one for sehop), it does show it as enabled. Whenever I try to enable all of the process mitigations (even one command at a time) or run all of them in a script, they do not get enabled and some kind of error appears.

Why does PowerShell refuse to enable these process mitigations? Why does Windows refuse to accept my request?
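To see which of the requested settings actually persisted rather than eyeballing the output, the following is an added example (not code from the original question): it applies the same list in a single Set-ProcessMitigation call (the -Enable parameter takes a string array) and then compares every requested name against what Get-ProcessMitigation reads back. The Get-MitigationLeaf helper and the $leafFor table are this example's own; the table assumes the nested property layout shown in the output above (DEP/Enable, SEHOP/Enable, CFG/Enable, StrictHandle/Enable, CFG/StrictControlFlowGuard), and the script must run from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added check, not part of the original question. Assumes the nested property
# layout of Get-ProcessMitigation matches the output above (for example
# $m.CFG.StrictControlFlowGuard); Get-MitigationLeaf is a helper written for
# this example, not a built-in cmdlet.

$exe = 'firefox.exe'

# Every mitigation the question's script tries to enable, as one array
# (-Enable is [string[]], so one call replaces the 22 separate ones).
$wanted = @(
    'DEP', 'EmulateAtlThunks', 'SEHOP',
    'BottomUp', 'HighEntropy', 'ForceRelocateImages', 'RequireInfo',
    'StrictHandle', 'DisableExtensionPoints', 'AllowThreadsToOptOut',
    'CFG', 'SuppressExports', 'StrictCFG',
    'EnforceModuleDependencySigning', 'DisableNonSystemFonts',
    'BlockRemoteImageLoads', 'BlockLowLabelImageLoads', 'PreferSystem32',
    'EnableImportAddressFilter', 'EnableRopStackPivot',
    'EnableRopCallerCheck', 'EnableRopSimExec'
)

# Names passed to -Enable that are reported under a different property name
# (assumption based on the output in the question); all the others, such as
# BottomUp or EnableRopSimExec, are reported under the same name.
$leafFor = @{
    DEP          = 'DEP/Enable'
    SEHOP        = 'SEHOP/Enable'
    CFG          = 'CFG/Enable'
    StrictHandle = 'StrictHandle/Enable'
    StrictCFG    = 'CFG/StrictControlFlowGuard'
}

# Flatten the nested Get-ProcessMitigation object into a "Group/Setting" => value table.
function Get-MitigationLeaf {
    param([Parameter(Mandatory)][string]$Name)
    $state = @{}
    $m = Get-ProcessMitigation -Name $Name
    foreach ($group in $m.PSObject.Properties) {
        $v = $group.Value
        # ProcessName, Source and Id are scalars; the mitigation groups are objects.
        if ($null -eq $v -or $v -is [string] -or $v -is [ValueType]) { continue }
        foreach ($leaf in $v.PSObject.Properties) {
            $state["$($group.Name)/$($leaf.Name)"] = "$($leaf.Value)"
        }
    }
    return $state
}

Set-ProcessMitigation -Name $exe -Enable $wanted

$state = Get-MitigationLeaf -Name $exe
$notApplied = foreach ($w in $wanted) {
    $key = $leafFor[$w]
    if (-not $key) { $key = $state.Keys | Where-Object { $_ -like "*/$w" } | Select-Object -First 1 }
    $value = if ($key -and $state.ContainsKey($key)) { $state[$key] } else { '<not reported>' }
    # Anything that is not ON (OFF, NOTSET, or missing entirely) is worth a look.
    if ($value -ne 'ON') {
        [pscustomobject]@{ Requested = $w; ReportedAs = $key; Value = $value }
    }
}

if ($notApplied) { $notApplied | Format-Table -AutoSize }
else { "All $($wanted.Count) requested mitigations read back as ON for $exe" }
```

Run it once, then run it again with the single-mitigation calls from the question in between; the table it prints shows exactly which names ended up OFF or NOTSET, which is more useful than the full Get-ProcessMitigation dump when asking why a particular setting was not accepted. Any error raised by Set-ProcessMitigation is left unhandled on purpose so its text is visible alongside the table.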