如何保护 MSI 免受修改

2022-01-23 00:00:00 c c++ wix windows-installer custom-action

我想保护 MSI 文件不被修改.可以使用 ORCA 或 MSI API 轻松完成.这很可悲,因为任何人都可以修改/添加/删除具有管理员权限的 Windows 安装程序自定义操作或属性.

I would like to protect the MSI file against modification. It could be easily done with ORCA or with MSI API. It is sad because anyone can modify/add/remove windows installer custom actions or properties who have admin rights.

有没有办法将 MSI 文件设置为某种只读模式或以某种方式保护其内容?

Is there any way to set an MSI file to some read-only mode or somehow protect its content?

推荐答案

简短的回答是否定的,您不能阻止某人编辑 .msi 文件.您可以采取多种方法来尽量减少有人这样做的可能性,或者增加与任何编辑相关的困难的方法,但您无法完全阻止它.

The short answer is no, you cannot prevent someone from editing a .msi file. There are various approaches you can take to minimize the likelihood of someone doing so, or approaches that increase the difficulties associated with any edit, but you cannot fully prevent it.

要更好地回答这个问题,必须改进您提出的问题.保护"听起来像是一个安全问题,因此它至少有助于建立一个扶手椅威胁模型.例如,您可能会尝试避免以下三件事:

To answer this better, one must refine the question you are asking. "Protect" sounds like a security sort of question, so it helps to establish at least an armchair threat model. For instance, here are three things you may be trying to prevent:

  1. 感兴趣的用户更改安装到该用户系统的位
  2. 企业用户修改其系统管理员安装到用户计算机上的内容
  3. 恶意方更改并提供伪装成您的应用的位,而其他人错误地安装了该位

在这三个中,第一个并不是真正的安全边界,因此您无能为力.它要么是需要管理权限并且用户拥有它们的安装,要么是允许没有管理权限的用户使用它的每用户安装.在任何一种情况下,.msi 对系统的访问权限都不会超过更改它的用户已经拥有的权限.

Of those three, the first isn't really a security boundary, so there's not much you can do. Either it's an install that requires administrative privileges and the user has them, or it's a per-user install that allows users without administrative privileges to use it. In either case, the .msi has no more access to the system than the user who altered it already had.

第二个跨越了界限,但涉及到应该勤于验证签名的人,并且可能从源而不是用户获取安装.第三个是明显的安全问题,不幸的是涉及到您无法可靠地期望会勤奋验证签名的人.

The second crosses a boundary, but involves someone who should be diligent about verifying signatures, and may likely acquire the installation from the source instead of the user. The third is a clear security concern, and unfortunately involves people you cannot reliably expect to be diligent about verifying signatures.

那你能做什么?

  • 您可以对 .msi 文件进行签名.这会留下文件被更改的迹象,如果是的话.请注意,转换(.mst 文件)可以改变.msi 在不改变文件本身的情况下做了什么;但是,这也会影响签名状态的表示.
  • 您可以尝试让潜在用户了解在接受 UAC 提示之前验证数字签名的重要性.这不会阻止试图破坏您的许可的人,但可能会帮助其他人避免安装恶意软件而不是您的实际程序.
  • 您可以将 .msi 包装在已签名的 .exe 引导程序中.这使事情更难访问;尝试使用普通工具不会直接起作用,而是需要更改方弄清楚如何提取 .msi 文件.虽然这通常不是很困难,但至少是另一个障碍.
  • 您可以尝试将签名验证注入 .msi 文件.正如您所说,这些可能很容易通过对 .msi 文件的进一步更改来解决,除非您可以将它们与重要且难以复制的其他代码结合起来.当然,这只会让改变变得更加困难.但并非不可能.同样,您必须考虑 .mst 案例,以及是否要支持 管理安装和从这些缓存中安装.
  • 您可以为应用本身添加相关签名或其他验证.如果 .msi 文件被更改,但它不会更改安装到机器上的内容,那么您的应用程序在乎吗?答案取决于您到底要防止什么;例如,它无助于防止跟踪恶意软件.
  • 考虑其他打包或部署选项,无论是来自 Microsoft(如 .appx/.msix)还是来自第三方.每个都有自己的优点和缺点,以及对我在这里讨论的每件事的敏感性.
  • 在其他地方运行您的应用;例如,将您的应用程序重写为 Web 应用程序,以便无需安装.显然,这仅适用于某些类型的应用程序,但该列表还在继续增长.
  • You can sign the .msi file. This leaves indications that the file was altered, if it was. Note that transforms (.mst files) can alter what the .msi does without altering the file itself; however this also affects the representation of the signed status.
  • You can try to educate your prospective users about the importance of verifying the digital signature before accepting a UAC prompt. This won't stop someone who's trying to subvert your licensing, but may help someone avoid installing malware instead of your actual program.
  • You can wrap the .msi in a signed .exe bootstrap. This makes things harder to access; attempts to use the normal tooling won't work directly, and instead require the altering party to figure out how to extract the .msi file. While that's typically not very difficult, it's at least another hurdle.
  • You can try to inject signature verifications into the .msi file. As you say, these are likely to be easy to defeat by further alterations to the .msi file, unless you can couple them with important and hard to duplicate other code. That, of course, merely makes it harder to alter; but not impossible. Again you'll have to consider the .mst case, and whether you want to support administrative installations and installations from those caches.
  • You can add relevant signature or other verifications to the app itself. If the .msi file is altered, but it doesn't alter what is installed to the machine, does your app care? The answer depends on what exactly you're trying to protect against; for instance it won't help prevent tag-along malware.
  • Consider other packaging or deployment options, whether from Microsoft (like .appx / .msix) or from third parties. Each comes with their own set of advantages and disadvantages, and their own level of susceptibility to each thing I've discussed here.
  • Run your app somewhere else; for example, rewrite your app as a web application so that there is no installation. Obviously this can only work for certain kinds of applications, but that list continues to grow.

你不能做什么?

  • 让所有用户都给予足够的关注
  • 防止恶意方创建假装适用于您的应用但只有恶意负载的安装程序
  • 防止机器所有者在 .msi 运行之前或之后更改机器
  • 支持所有人们使用 .msi 文件的方式,而不仅仅是使用 .msi 文件(管理安装、转换、重新打包"、各种特定于 .msi 的部署实用程序等都是正常的对某些类别的软件使用模式)
  • Make all users pay enough attention
  • Prevent a malicious party from creating an installer that pretends to be for your app but has only a malicious payload
  • Prevent a machine's owner from altering the machine either before or after the .msi runs
  • Support all of the ways people use .msi files without just using a .msi file (administrative installs, transforms, "repackaging", various .msi-specific deployment utilities, etc. are all normal use patterns for certain classes of software)

在本练习结束时,您必须决定这对您来说是否会破坏交易,或者您可以接受.确保您了解为什么有人要更改您的 .msi 文件,并且在关注 .msi 文件本身之前,请考虑他们是否可以通过非 .msi 方式产生相同的效果.如果它特定于 .msi 并且是一个交易破坏者,请查看其他安装技术.如果没有什么可以阻止您试图阻止的情况,也许您可??以找到减少人们尝试这种情况的动机的方法.

At the end of this exercise, you'll have to decide whether this is a deal breaker for you, or something you can accept. Make sure you understand why someone would want to alter your .msi file, and before focusing on the .msi file itself, consider whether they can have the same effect through non-.msi means. If it's specific to .msi and is a deal breaker, look into other installation technologies. If nothing can prevent the scenario you seek to prevent, perhaps you can find ways to reduce the incentive for people to attempt it.

相关文章