hidden/Hidden/Helper.h

#pragma once

#include <Ntddk.h>

typedef enum _SYSTEM_INFORMATION_CLASS {
	SystemBasicInformation = 0,
	SystemPerformanceInformation = 2,
	SystemTimeOfDayInformation = 3,
	SystemProcessInformation = 5,
	SystemProcessorPerformanceInformation = 8,
	SystemInterruptInformation = 23,
	SystemExceptionInformation = 33,
	SystemRegistryQuotaInformation = 37,
	SystemLookasideInformation = 45,
	SystemPolicyInformation = 134,
} SYSTEM_INFORMATION_CLASS;

typedef struct _SYSTEM_PROCESS_INFORMATION {
	ULONG           NextEntryOffset;
	ULONG           NumberOfThreads;
	LARGE_INTEGER   Reserved[3];
	LARGE_INTEGER   CreateTime;
	LARGE_INTEGER   UserTime;
	LARGE_INTEGER   KernelTime;
	UNICODE_STRING  ImageName;
	KPRIORITY       BasePriority;
	HANDLE          ProcessId;
	HANDLE          InheritedFromProcessId;
	ULONG           HandleCount;
	UCHAR           Reserved4[4];
	PVOID           Reserved5[11];
	SIZE_T          PeakPagefileUsage;
	SIZE_T          PrivatePageCount;
	LARGE_INTEGER   Reserved6[6];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

typedef struct _LDR_DATA_TABLE_ENTRY {
	LIST_ENTRY     LoadOrder;
	LIST_ENTRY     MemoryOrder;
	LIST_ENTRY     InitializationOrder;
	PVOID          ModuleBaseAddress;
	PVOID          EntryPoint;
	ULONG          ModuleSize;
	UNICODE_STRING FullModuleName;
	UNICODE_STRING ModuleName;
	ULONG          Flags;
	USHORT         LoadCount;
	USHORT         TlsIndex;
	union {
		LIST_ENTRY Hash;
		struct {
			PVOID SectionPointer;
			ULONG CheckSum;
		} s;
	} u;
	ULONG   TimeStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
	_In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
	_Inout_   PVOID                    SystemInformation,
	_In_      ULONG                    SystemInformationLength,
	_Out_opt_ PULONG                   ReturnLength
);

NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(
	_In_      HANDLE                    ProcessHandle,
	_In_      PROCESSINFOCLASS          ProcessInformationClass,
	_Out_     PVOID                     ProcessInformation,
	_In_      ULONG                     ProcessInformationLength,
	_Out_opt_ PULONG                    ReturnLength
);

_Must_inspect_result_
_IRQL_requires_max_(APC_LEVEL)
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
	_In_ HANDLE ProcessId,
	_Outptr_ PEPROCESS* Process
);

typedef struct _HANDLE_TABLE_ENTRY {
	union
	{
		PVOID Object;
		ULONG ObAttributes;
		PVOID InfoTable;
		ULONG Value;
	} u1;
	union
	{
		ULONG GrantedAccess;
		struct
		{
			USHORT GrantedAccessIndex;
			USHORT CreatorBackTraceIndex;
		} s1;
		LONG NextFreeTableEntry;
	} u2;
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

typedef BOOLEAN(*EX_ENUMERATE_HANDLE_ROUTINE)(
	IN PHANDLE_TABLE_ENTRY HandleTableEntry,
	IN HANDLE Handle,
	IN PVOID EnumParameter
);

NTKERNELAPI
BOOLEAN
ExEnumHandleTable(
	_In_  PVOID HandleTable,
	_In_  EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
	_In_  PVOID EnumParameter,
	_Out_opt_ PHANDLE Handle
);

NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffer, PSIZE_T InfoSize);
NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE ProcessId, PVOID* InfoBuffer, PSIZE_T InfoSize);
VOID FreeInformation(PVOID Buffer);

#define NORMALIZE_INCREAMENT (USHORT)0x200

NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized);

#define _LogMsg(lvl, lvlname, frmt, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, lvl , "[" lvlname "] [irql:%Iu,pid:%Iu] hidden!" __FUNCTION__ ": " frmt "\n", KeGetCurrentIrql(), PsGetCurrentProcessId(), __VA_ARGS__)

#define LogError(frmt,   ...) _LogMsg(DPFLTR_ERROR_LEVEL,   "error",   frmt, __VA_ARGS__)
#define LogWarning(frmt, ...) _LogMsg(DPFLTR_WARNING_LEVEL, "warning", frmt, __VA_ARGS__)
#define LogTrace(frmt,   ...) _LogMsg(DPFLTR_TRACE_LEVEL,   "trace",   frmt, __VA_ARGS__)
#define LogInfo(frmt,    ...) _LogMsg(DPFLTR_INFO_LEVEL,    "info",    frmt, __VA_ARGS__)
initial commit 2016-07-21 23:02:31 +00:00			`#pragma once`

			`#include <Ntddk.h>`

			`typedef enum _SYSTEM_INFORMATION_CLASS {`
			`SystemBasicInformation = 0,`
			`SystemPerformanceInformation = 2,`
			`SystemTimeOfDayInformation = 3,`
			`SystemProcessInformation = 5,`
			`SystemProcessorPerformanceInformation = 8,`
			`SystemInterruptInformation = 23,`
			`SystemExceptionInformation = 33,`
			`SystemRegistryQuotaInformation = 37,`
			`SystemLookasideInformation = 45,`
			`SystemPolicyInformation = 134,`
			`} SYSTEM_INFORMATION_CLASS;`

			`typedef struct _SYSTEM_PROCESS_INFORMATION {`
			`ULONG NextEntryOffset;`
			`ULONG NumberOfThreads;`
			`LARGE_INTEGER Reserved[3];`
			`LARGE_INTEGER CreateTime;`
			`LARGE_INTEGER UserTime;`
			`LARGE_INTEGER KernelTime;`
			`UNICODE_STRING ImageName;`
			`KPRIORITY BasePriority;`
			`HANDLE ProcessId;`
			`HANDLE InheritedFromProcessId;`
			`ULONG HandleCount;`
			`UCHAR Reserved4[4];`
			`PVOID Reserved5[11];`
			`SIZE_T PeakPagefileUsage;`
			`SIZE_T PrivatePageCount;`
			`LARGE_INTEGER Reserved6[6];`
			`} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;`

Stealth mode first steps 2016-12-30 16:57:52 +00:00			`typedef struct _LDR_DATA_TABLE_ENTRY {`
			`LIST_ENTRY LoadOrder;`
			`LIST_ENTRY MemoryOrder;`
			`LIST_ENTRY InitializationOrder;`
			`PVOID ModuleBaseAddress;`
			`PVOID EntryPoint;`
			`ULONG ModuleSize;`
			`UNICODE_STRING FullModuleName;`
			`UNICODE_STRING ModuleName;`
			`ULONG Flags;`
			`USHORT LoadCount;`
			`USHORT TlsIndex;`
			`union {`
			`LIST_ENTRY Hash;`
			`struct {`
			`PVOID SectionPointer;`
			`ULONG CheckSum;`
			`} s;`
			`} u;`
			`ULONG TimeStamp;`
			`} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;`

Multiple changes - Fixed issue with signing Release driver builds - Renamed all Nt* functions to Zw* (access denied fix, KTHREAD!PreviousMode) - Added "apply to all processes" feature for adding exluded\protected images api - Fixed sync issues for process table, sync primitives moved to external code etc 2016-10-18 21:28:55 +00:00			`NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(`
initial commit 2016-07-21 23:02:31 +00:00			`_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,`
			`_Inout_ PVOID SystemInformation,`
			`_In_ ULONG SystemInformationLength,`
			`_Out_opt_ PULONG ReturnLength`
			`);`

Multiple changes - Fixed issue with signing Release driver builds - Renamed all Nt* functions to Zw* (access denied fix, KTHREAD!PreviousMode) - Added "apply to all processes" feature for adding exluded\protected images api - Fixed sync issues for process table, sync primitives moved to external code etc 2016-10-18 21:28:55 +00:00			`NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(`
initial commit 2016-07-21 23:02:31 +00:00			`_In_ HANDLE ProcessHandle,`
			`_In_ PROCESSINFOCLASS ProcessInformationClass,`
			`_Out_ PVOID ProcessInformation,`
			`_In_ ULONG ProcessInformationLength,`
			`_Out_opt_ PULONG ReturnLength`
			`);`

Added a cache to routine that looks for ActiveProcessLinks offset 2021-07-30 19:44:18 +00:00			`_Must_inspect_result_`
			`_IRQL_requires_max_(APC_LEVEL)`
			`NTKERNELAPI`
			`NTSTATUS`
			`PsLookupProcessByProcessId(`
			`_In_ HANDLE ProcessId,`
			`_Outptr_ PEPROCESS* Process`
			`);`

Optimized process table access 2021-08-15 00:18:23 +00:00			`typedef struct _HANDLE_TABLE_ENTRY {`
			`union`
			`{`
			`PVOID Object;`
			`ULONG ObAttributes;`
			`PVOID InfoTable;`
			`ULONG Value;`
			`} u1;`
			`union`
			`{`
			`ULONG GrantedAccess;`
			`struct`
			`{`
			`USHORT GrantedAccessIndex;`
			`USHORT CreatorBackTraceIndex;`
			`} s1;`
			`LONG NextFreeTableEntry;`
			`} u2;`
			`} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;`

			`typedef BOOLEAN(*EX_ENUMERATE_HANDLE_ROUTINE)(`
			`IN PHANDLE_TABLE_ENTRY HandleTableEntry,`
			`IN HANDLE Handle,`
			`IN PVOID EnumParameter`
			`);`

			`NTKERNELAPI`
			`BOOLEAN`
			`ExEnumHandleTable(`
			`_In_ PVOID HandleTable,`
			`_In_ EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,`
			`_In_ PVOID EnumParameter,`
			`_Out_opt_ PHANDLE Handle`
			`);`

initial commit 2016-07-21 23:02:31 +00:00			`NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffer, PSIZE_T InfoSize);`
			`NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE ProcessId, PVOID* InfoBuffer, PSIZE_T InfoSize);`
			`VOID FreeInformation(PVOID Buffer);`

Windows 10 path normalization fix 2018-12-19 23:54:24 +00:00			`#define NORMALIZE_INCREAMENT (USHORT)0x200`
initial commit 2016-07-21 23:02:31 +00:00
			`NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized);`
Logging improvements 2018-12-02 21:56:39 +00:00
Added a test for a process hiding 2021-07-30 23:52:57 +00:00			`#define _LogMsg(lvl, lvlname, frmt, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, lvl , "[" lvlname "] [irql:%Iu,pid:%Iu] hidden!" __FUNCTION__ ": " frmt "\n", KeGetCurrentIrql(), PsGetCurrentProcessId(), __VA_ARGS__)`
Logging improvements 2018-12-02 21:56:39 +00:00
			`#define LogError(frmt, ...) _LogMsg(DPFLTR_ERROR_LEVEL, "error", frmt, __VA_ARGS__)`
			`#define LogWarning(frmt, ...) _LogMsg(DPFLTR_WARNING_LEVEL, "warning", frmt, __VA_ARGS__)`
			`#define LogTrace(frmt, ...) _LogMsg(DPFLTR_TRACE_LEVEL, "trace", frmt, __VA_ARGS__)`
			`#define LogInfo(frmt, ...) _LogMsg(DPFLTR_INFO_LEVEL, "info", frmt, __VA_ARGS__)`