hidden/Hidden/Driver.c

#include <fltKernel.h>
#include <Ntddk.h>
#include "ExcludeList.h"

#include "RegFilter.h"
#include "FsFilter.h"
#include "PsMonitor.h"
#include "Device.h"
#include "Driver.h"
#include "Configs.h"
#include "Helper.h"
#include "KernelAnalyzer.h"

#define DRIVER_ALLOC_TAG 'nddH'

PDRIVER_OBJECT g_driverObject = NULL;

volatile LONG g_driverActive = FALSE;

// =========================================================================================

VOID EnableDisableDriver(BOOLEAN enabled)
{
	InterlockedExchange(&g_driverActive, (LONG)enabled);
}

BOOLEAN IsDriverEnabled()
{
	return (g_driverActive ? TRUE : FALSE);
}

// =========================================================================================

ULONGLONG g_hiddenRegConfigId = 0;
ULONGLONG g_hiddenDriverFileId = 0;

NTSTATUS InitializeStealthMode(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
	PLDR_DATA_TABLE_ENTRY LdrEntry;
	UNICODE_STRING normalized;
	NTSTATUS status;

	if (!CfgGetStealthState())
		return STATUS_SUCCESS;
	
	LdrEntry = (PLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;

	normalized.Length = 0;
	normalized.MaximumLength = LdrEntry->FullModuleName.Length + NORMALIZE_INCREAMENT;
	normalized.Buffer = (PWCH)ExAllocatePoolWithQuotaTag(PagedPool, normalized.MaximumLength, DRIVER_ALLOC_TAG);
	
	if (!normalized.Buffer)
	{
		LogError("Error, can't allocate buffer");
		return STATUS_MEMORY_NOT_ALLOCATED;
	}

	status = NormalizeDevicePath(&LdrEntry->FullModuleName, &normalized);
	if (!NT_SUCCESS(status))
	{
		LogError("Error, path normalization failed with code:%08x, path:%wZ", status, &LdrEntry->FullModuleName);
		ExFreePoolWithTag(normalized.Buffer, DRIVER_ALLOC_TAG);
		return status;
	}

	status = AddHiddenFile(&normalized, &g_hiddenDriverFileId);
	if (!NT_SUCCESS(status))
		LogWarning("Error, can't hide self registry key");

	ExFreePoolWithTag(normalized.Buffer, DRIVER_ALLOC_TAG);

	status = AddHiddenRegKey(RegistryPath, &g_hiddenRegConfigId);
	if (!NT_SUCCESS(status))
		LogWarning("Error, can't hide self registry key");

	LogTrace("Stealth mode has been activated");
	return STATUS_SUCCESS;
}

// =========================================================================================

_Function_class_(DRIVER_UNLOAD)
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
	UNREFERENCED_PARAMETER(DriverObject);

	DestroyDevice();
	DestroyRegistryFilter();
	DestroyFSMiniFilter();
	DestroyPsMonitor();

	DestroyKernelAnalyzer();
}

_Function_class_(DRIVER_INITIALIZE)
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
	NTSTATUS status;

	UNREFERENCED_PARAMETER(RegistryPath);

	EnableDisableDriver(TRUE);

	status = InitializeConfigs(RegistryPath);
	if (!NT_SUCCESS(status))
		LogWarning("Error, can't initialize configs");

	EnableDisableDriver(CfgGetDriverState());

	InitializeKernelAnalyzer();

	status = InitializePsMonitor(DriverObject);
	if (!NT_SUCCESS(status))
		LogWarning("Error, object monitor haven't started");

	status = InitializeFSMiniFilter(DriverObject);
	if (!NT_SUCCESS(status))
		LogWarning("Error, file-system mini-filter haven't started");

	status = InitializeRegistryFilter(DriverObject);
	if (!NT_SUCCESS(status))
		LogWarning("Error, registry filter haven't started");

	status = InitializeDevice(DriverObject);
	if (!NT_SUCCESS(status))
		LogWarning("Error, can't create device");

	status = InitializeStealthMode(DriverObject, RegistryPath);
	if (!NT_SUCCESS(status))
		LogWarning("Error, can't activate stealth mode");

	DestroyConfigs();

	DriverObject->DriverUnload = DriverUnload;
	g_driverObject = DriverObject;

	return STATUS_SUCCESS;
}
initial commit 2016-07-21 23:02:31 +00:00			`#include <fltKernel.h>`
			`#include <Ntddk.h>`
			`#include "ExcludeList.h"`

			`#include "RegFilter.h"`
			`#include "FsFilter.h"`
			`#include "PsMonitor.h"`
			`#include "Device.h"`
			`#include "Driver.h"`
Driver loads configs from registry 2016-12-18 18:11:10 +00:00			`#include "Configs.h"`
Stealth mode first steps 2016-12-30 16:57:52 +00:00			`#include "Helper.h"`
Added a kernel analyzer module that looks for non-exported objects in the ntoskrnl 2021-08-11 22:39:01 +00:00			`#include "KernelAnalyzer.h"`
initial commit 2016-07-21 23:02:31 +00:00
Fixes for Code Analysis artifacts 2017-02-02 22:55:19 +00:00			`#define DRIVER_ALLOC_TAG 'nddH'`

initial commit 2016-07-21 23:02:31 +00:00			`PDRIVER_OBJECT g_driverObject = NULL;`

Added 'state' command 2016-12-12 20:40:35 +00:00			`volatile LONG g_driverActive = FALSE;`
initial commit 2016-07-21 23:02:31 +00:00
			`// =========================================================================================`

Added 'state' command 2016-12-12 20:40:35 +00:00			`VOID EnableDisableDriver(BOOLEAN enabled)`
initial commit 2016-07-21 23:02:31 +00:00			`{`
Added 'state' command 2016-12-12 20:40:35 +00:00			`InterlockedExchange(&g_driverActive, (LONG)enabled);`
initial commit 2016-07-21 23:02:31 +00:00			`}`

Added 'state' command 2016-12-12 20:40:35 +00:00			`BOOLEAN IsDriverEnabled()`
initial commit 2016-07-21 23:02:31 +00:00			`{`
Added 'state' command 2016-12-12 20:40:35 +00:00			`return (g_driverActive ? TRUE : FALSE);`
initial commit 2016-07-21 23:02:31 +00:00			`}`

			`// =========================================================================================`

Stealth mode first steps 2016-12-30 16:57:52 +00:00			`ULONGLONG g_hiddenRegConfigId = 0;`
			`ULONGLONG g_hiddenDriverFileId = 0;`

			`NTSTATUS InitializeStealthMode(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)`
Load configs improvements 2016-12-21 21:04:55 +00:00			`{`
Stealth mode first steps 2016-12-30 16:57:52 +00:00			`PLDR_DATA_TABLE_ENTRY LdrEntry;`
			`UNICODE_STRING normalized;`
			`NTSTATUS status;`

Load configs improvements 2016-12-21 21:04:55 +00:00			`if (!CfgGetStealthState())`
			`return STATUS_SUCCESS;`
Stealth mode first steps 2016-12-30 16:57:52 +00:00
			`LdrEntry = (PLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;`

			`normalized.Length = 0;`
			`normalized.MaximumLength = LdrEntry->FullModuleName.Length + NORMALIZE_INCREAMENT;`
Fixes for Code Analysis artifacts 2017-02-02 22:55:19 +00:00			`normalized.Buffer = (PWCH)ExAllocatePoolWithQuotaTag(PagedPool, normalized.MaximumLength, DRIVER_ALLOC_TAG);`
Stealth mode first steps 2016-12-30 16:57:52 +00:00
			`if (!normalized.Buffer)`
			`{`
Logging improvements 2018-12-02 21:56:39 +00:00			`LogError("Error, can't allocate buffer");`
Stealth mode first steps 2016-12-30 16:57:52 +00:00			`return STATUS_MEMORY_NOT_ALLOCATED;`
			`}`

			`status = NormalizeDevicePath(&LdrEntry->FullModuleName, &normalized);`
			`if (!NT_SUCCESS(status))`
			`{`
Logging improvements 2018-12-02 21:56:39 +00:00			`LogError("Error, path normalization failed with code:%08x, path:%wZ", status, &LdrEntry->FullModuleName);`
Fixes for Code Analysis artifacts 2017-02-02 22:55:19 +00:00			`ExFreePoolWithTag(normalized.Buffer, DRIVER_ALLOC_TAG);`
Stealth mode first steps 2016-12-30 16:57:52 +00:00			`return status;`
			`}`
Load configs improvements 2016-12-21 21:04:55 +00:00
Stealth mode first steps 2016-12-30 16:57:52 +00:00			`status = AddHiddenFile(&normalized, &g_hiddenDriverFileId);`
			`if (!NT_SUCCESS(status))`
Logging improvements 2018-12-02 21:56:39 +00:00			`LogWarning("Error, can't hide self registry key");`
Stealth mode first steps 2016-12-30 16:57:52 +00:00
Fixes for Code Analysis artifacts 2017-02-02 22:55:19 +00:00			`ExFreePoolWithTag(normalized.Buffer, DRIVER_ALLOC_TAG);`
Stealth mode first steps 2016-12-30 16:57:52 +00:00
			`status = AddHiddenRegKey(RegistryPath, &g_hiddenRegConfigId);`
			`if (!NT_SUCCESS(status))`
Logging improvements 2018-12-02 21:56:39 +00:00			`LogWarning("Error, can't hide self registry key");`
Load configs improvements 2016-12-21 21:04:55 +00:00
Logging improvements 2018-12-02 21:56:39 +00:00			`LogTrace("Stealth mode has been activated");`
Load configs improvements 2016-12-21 21:04:55 +00:00			`return STATUS_SUCCESS;`
			`}`

			`// =========================================================================================`

Fixes for Code Analysis artifacts 2017-02-02 22:55:19 +00:00			`_Function_class_(DRIVER_UNLOAD)`
initial commit 2016-07-21 23:02:31 +00:00			`VOID DriverUnload(PDRIVER_OBJECT DriverObject)`
			`{`
			`UNREFERENCED_PARAMETER(DriverObject);`

			`DestroyDevice();`
			`DestroyRegistryFilter();`
			`DestroyFSMiniFilter();`
			`DestroyPsMonitor();`
Added a kernel analyzer module that looks for non-exported objects in the ntoskrnl 2021-08-11 22:39:01 +00:00
			`DestroyKernelAnalyzer();`
initial commit 2016-07-21 23:02:31 +00:00			`}`

Fixes for Code Analysis artifacts 2017-02-02 22:55:19 +00:00			`_Function_class_(DRIVER_INITIALIZE)`
initial commit 2016-07-21 23:02:31 +00:00			`NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)`
			`{`
			`NTSTATUS status;`

			`UNREFERENCED_PARAMETER(RegistryPath);`

Added 'state' command 2016-12-12 20:40:35 +00:00			`EnableDisableDriver(TRUE);`
initial commit 2016-07-21 23:02:31 +00:00
Driver loads configs from registry 2016-12-18 18:11:10 +00:00			`status = InitializeConfigs(RegistryPath);`
			`if (!NT_SUCCESS(status))`
Logging improvements 2018-12-02 21:56:39 +00:00			`LogWarning("Error, can't initialize configs");`
Driver loads configs from registry 2016-12-18 18:11:10 +00:00
Load configs improvements 2016-12-21 21:04:55 +00:00			`EnableDisableDriver(CfgGetDriverState());`

Added a kernel analyzer module that looks for non-exported objects in the ntoskrnl 2021-08-11 22:39:01 +00:00			`InitializeKernelAnalyzer();`

initial commit 2016-07-21 23:02:31 +00:00			`status = InitializePsMonitor(DriverObject);`
			`if (!NT_SUCCESS(status))`
Logging improvements 2018-12-02 21:56:39 +00:00			`LogWarning("Error, object monitor haven't started");`
initial commit 2016-07-21 23:02:31 +00:00
			`status = InitializeFSMiniFilter(DriverObject);`
			`if (!NT_SUCCESS(status))`
Logging improvements 2018-12-02 21:56:39 +00:00			`LogWarning("Error, file-system mini-filter haven't started");`
initial commit 2016-07-21 23:02:31 +00:00
			`status = InitializeRegistryFilter(DriverObject);`
			`if (!NT_SUCCESS(status))`
Logging improvements 2018-12-02 21:56:39 +00:00			`LogWarning("Error, registry filter haven't started");`
initial commit 2016-07-21 23:02:31 +00:00
			`status = InitializeDevice(DriverObject);`
			`if (!NT_SUCCESS(status))`
Logging improvements 2018-12-02 21:56:39 +00:00			`LogWarning("Error, can't create device");`
initial commit 2016-07-21 23:02:31 +00:00
Stealth mode first steps 2016-12-30 16:57:52 +00:00			`status = InitializeStealthMode(DriverObject, RegistryPath);`
Load configs improvements 2016-12-21 21:04:55 +00:00			`if (!NT_SUCCESS(status))`
Logging improvements 2018-12-02 21:56:39 +00:00			`LogWarning("Error, can't activate stealth mode");`
Load configs improvements 2016-12-21 21:04:55 +00:00
Driver loads configs from registry 2016-12-18 18:11:10 +00:00			`DestroyConfigs();`

initial commit 2016-07-21 23:02:31 +00:00			`DriverObject->DriverUnload = DriverUnload;`
			`g_driverObject = DriverObject;`

			`return STATUS_SUCCESS;`
			`}`