PsTable raise condition fix and etc

2024-06-16 12:08:05 +00:00 · 2016-08-28 19:52:50 +03:00 · 2016-08-28 19:52:50 +03:00 · 07d0e4d747
commit 07d0e4d747
parent e3f90905a4
5 changed files with 10 additions and 19 deletions
--- a/Hidden/PsMonitor.c
+++ b/Hidden/PsMonitor.c
@ -14,7 +14,6 @@ OB_CALLBACK_REGISTRATION g_regCallback;

 PsRulesContext g_excludeProcessRules;
 PsRulesContext g_protectProcessRules;
-//ExcludeContext g_protectProcessContext;

 CONST PWCHAR g_excludeProcesses[] = {
 	//L"\\??\\C:\\Windows\\System32\\calc.exe",
--- a/Hidden/PsRules.c
+++ b/Hidden/PsRules.c
@ -2,10 +2,6 @@

 #define PSRULE_ALLOC_TAG 'lRsP'

-//RTL_AVL_TABLE g_psRulesTable;
-//ULONGLONG     g_psRulesIdCounter = 0;
-//KSPIN_LOCK    g_psRulesTableLock;
-
 typedef struct _PsRulesInternalContext {
 	RTL_AVL_TABLE table;
 	ULONGLONG     idCounter;
--- a/Hidden/PsTable.c
+++ b/Hidden/PsTable.c
@ -70,15 +70,14 @@ BOOLEAN GetProcessInProcessTable(PProcessTableEntry entry)
 	PProcessTableEntry entry2;

 	KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+
 	entry2 = (PProcessTableEntry)RtlLookupElementGenericTableAvl(&g_processTable, entry);
+	if (entry2)
+		RtlCopyMemory(entry, entry2, sizeof(ProcessTableEntry));
+
 	KeReleaseInStackQueuedSpinLock(&lockHandle);

-	if (!entry2)
-		return FALSE;
-
-	RtlCopyMemory(entry, entry2, sizeof(ProcessTableEntry));
-
-	return TRUE;
+	return (entry2 ? TRUE : FALSE);
 }

 BOOLEAN UpdateProcessInProcessTable(PProcessTableEntry entry)
@ -87,15 +86,15 @@ BOOLEAN UpdateProcessInProcessTable(PProcessTableEntry entry)
 	PProcessTableEntry entry2;

 	KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+
 	entry2 = (PProcessTableEntry)RtlLookupElementGenericTableAvl(&g_processTable, entry);
-	KeReleaseInStackQueuedSpinLock(&lockHandle);

 	if (!entry2)
-		return FALSE;
+		RtlCopyMemory(entry2, entry, sizeof(ProcessTableEntry));

-	RtlCopyMemory(entry2, entry, sizeof(ProcessTableEntry));
+	KeReleaseInStackQueuedSpinLock(&lockHandle);

-	return TRUE;
+	return (entry2 ? TRUE : FALSE);
 }

 // Initialization
--- a/Hidden/PsTable.h
+++ b/Hidden/PsTable.h
@ -11,9 +11,6 @@ typedef struct _ProcessTableEntry{

 	BOOLEAN protected;
 	ULONG   inheritProtection;
-	// bypassing 
-	BOOLEAN protectedFirstProcessRef;
-	BOOLEAN protectedFirstThreadRef;

 } ProcessTableEntry, *PProcessTableEntry;

--- a/Hidden/todo.txt
+++ b/Hidden/todo.txt
@ -31,7 +31,7 @@

 - Проверить работу на x64
 - Залить проект на Git
-	- Переименовать проект драйвера в Hidden
+	+ Переименовать проект драйвера в Hidden
 	- Привести в порядок все версии билда Release, Debug, ...
 - Добавить в проект конфигурации для сокрытия виртуалок
 	- Сокрытие VMWare Tools