Detected DLLs that are from the internet and "blocked" by CASPOL

Problem description

Is there a way in code to detect whether a DLL is blocked from being loaded because it was downloaded from the internet? I know the caspol.exe utility can read permissions settings, but I would like to stay in code, if possible.

Recommended answer

Blocked content is controlled by NTFS alternative data streams and can be removed using a command line utility by Sysinternals called streams. This is a quote from Wikipedia on ADS.

Microsoft introduced the Attachment Execution Service that stores details on the origin of downloaded files in alternate data streams attached to files, in an effort to protect users from downloaded files that may present a risk.

It tracks the origin of the file, and hence if it originated from the internet it applies the untrusted security policy. Removing the stream removes the record that the file came from an untrusted source. This has the same effect as right-clicking on the file, viewing properties, and choosing unblock. It's also the same effect as using caspol to make the dll full trust.

The following creates a zero byte stream associated with the file test.

echo hello > test:stream

The following project on codeproject has some example code for working with them. I believe you need to delete them from unmanaged code.

Accessing alternative data streams of files on an NTFS volume
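One way to do the check the question asks for, as an added example that is not part of the original answer or the linked project: read the file's origin stream through CreateFileW and report the zone it records. The stream name Zone.Identifier and its ZoneId= line are the standard Windows format, which the answer does not name; the class and method names are hypothetical, and treating zones 3 and 4 as "blocked" is an assumption of this example.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

// Added example; ZoneCheck, GetZoneId and ParseZoneId are hypothetical names.
static class ZoneCheck
{
    const uint GENERIC_READ = 0x80000000, FILE_SHARE_READ = 1, OPEN_EXISTING = 3;

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern SafeFileHandle CreateFileW(string name, uint access, uint share,
        IntPtr security, uint disposition, uint flags, IntPtr template);

    // Returns the ZoneId recorded for the file, or null when it carries no origin stream.
    public static int? GetZoneId(string path)
    {
        string full = Path.GetFullPath(path);
        if (!File.Exists(full)) throw new FileNotFoundException("No such file", full);
        using (SafeFileHandle h = CreateFileW(full + ":Zone.Identifier", GENERIC_READ,
            FILE_SHARE_READ, IntPtr.Zero, OPEN_EXISTING, 0, IntPtr.Zero))
        {
            if (h.IsInvalid) return null; // stream absent, or the volume has no ADS support
            using (var reader = new StreamReader(new FileStream(h, FileAccess.Read)))
                return ParseZoneId(reader.ReadToEnd());
        }
    }

    // The stream is INI-style text: a [ZoneTransfer] header followed by ZoneId=<n>.
    public static int? ParseZoneId(string text)
    {
        foreach (string line in text.Split('\n'))
        {
            string t = line.Trim();
            if (t.StartsWith("ZoneId=", StringComparison.OrdinalIgnoreCase)
                && int.TryParse(t.Substring(7), out int id))
                return id;
        }
        return null;
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: ZoneCheck <file>"); return 2; }
        int? zone = GetZoneId(args[0]);
        // 3 = Internet, 4 = Restricted sites; lower zones are local, intranet or trusted.
        Console.WriteLine(zone >= 3 ? "marked as downloaded, ZoneId=" + zone : "no Internet zone mark");
        return zone >= 3 ? 1 : 0;
    }
}
```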
