From 0959938a6aea4bc1e81d5a7a164d4f509b84e8e7 Mon Sep 17 00:00:00 2001
From: JKornev <8bit.dosninja@gmail.com>
Date: Fri, 9 Dec 2016 23:27:27 +0300
Subject: [PATCH] Added 'query' command
---
Hidden/todo.txt | 14 +++---
HiddenCLI/Connection.cpp | 6 +--
HiddenCLI/HiddenCLI.vcxproj | 2 +
HiddenCLI/HiddenCLI.vcxproj.filters | 6 +++
HiddenCLI/Query.cpp | 75 +++++++++++++++++++++++++++++
HiddenCLI/Query.h | 20 ++++++++
HiddenCLI/cli.txt | 5 +-
7 files changed, 117 insertions(+), 11 deletions(-)
create mode 100644 HiddenCLI/Query.cpp
create mode 100644 HiddenCLI/Query.h
diff --git a/Hidden/todo.txt b/Hidden/todo.txt
index 283ce63..57f328c 100644
--- a/Hidden/todo.txt
+++ b/Hidden/todo.txt
@@ -44,14 +44,15 @@
+ Добавить поддержку флага автоприсвоение состояния существующим процессам для Hid_AddExcludedImage\Hid_AddProtectedImage
+ Проверить как ведёт себя файловый фильтр с файлами открытыми по ID или по короткому пути
- Реализовать HiddenCLI
- - ignore
- - unignore
- - protect
- - unprotect
- - query
+ + ignore
+ + unignore
+ + protect
+ + unprotect
+ + query
+ - Протестировать все комманды
- Проверить чтобы все ObjId генерировались начиная с 1
-- Написать тест HiddenCLITests
- Реализовать функционал вкл\выкл драйвера через IOCTL
+- Написать тест HiddenCLITests
+ Портировать драйвер под архитектуру x64
+ Портировать под версии Windows 8, 8.1, 10
+ Залить проект на Git
@@ -62,7 +63,6 @@
- Отреверсить установщик VMWare tools
- Сокрытие VMBox Tools
- Отреверсить установщик VMBox tools
-- Реализовать поддержку вкл\выкл драйвера
- Реализовать steals mode
- Реализовать поддержку загрузки дефольтных конфигов из реестра
- Насодить на ETL и DbgPrintEx
diff --git a/HiddenCLI/Connection.cpp b/HiddenCLI/Connection.cpp
index 0d9337e..036925d 100644
--- a/HiddenCLI/Connection.cpp
+++ b/HiddenCLI/Connection.cpp
@@ -40,9 +40,9 @@ void Connection::Open()
if (m_deviceName.size())
deviceName = m_deviceName.c_str();
- //status = Hid_Initialize(&m_context, deviceName);
- //if (!HID_STATUS_SUCCESSFUL(status))
- // throw WException(HID_STATUS_CODE(status), L"Error, can't connect to gate");
+ status = Hid_Initialize(&m_context, deviceName);
+ if (!HID_STATUS_SUCCESSFUL(status))
+ throw WException(HID_STATUS_CODE(status), L"Error, can't connect to gate");
}
HidContext Connection::GetContext()
diff --git a/HiddenCLI/HiddenCLI.vcxproj b/HiddenCLI/HiddenCLI.vcxproj
index 7576044..341f253 100644
--- a/HiddenCLI/HiddenCLI.vcxproj
+++ b/HiddenCLI/HiddenCLI.vcxproj
@@ -158,6 +158,7 @@
+
@@ -166,6 +167,7 @@
+
diff --git a/HiddenCLI/HiddenCLI.vcxproj.filters b/HiddenCLI/HiddenCLI.vcxproj.filters
index 889ab79..f0ecb77 100644
--- a/HiddenCLI/HiddenCLI.vcxproj.filters
+++ b/HiddenCLI/HiddenCLI.vcxproj.filters
@@ -14,6 +14,9 @@
Commands
+
+ Commands
+
@@ -31,6 +34,9 @@
Commands
+
+ Commands
+
diff --git a/HiddenCLI/Query.cpp b/HiddenCLI/Query.cpp
new file mode 100644
index 0000000..9d89a58
--- /dev/null
+++ b/HiddenCLI/Query.cpp
@@ -0,0 +1,75 @@
+#include "Query.h"
+#include
+
+using namespace std;
+
+CommandQuery::CommandQuery() : m_command(L"/query")
+{
+}
+
+CommandQuery::~CommandQuery()
+{
+}
+
+bool CommandQuery::CompareCommand(std::wstring& command)
+{
+ return (command == m_command);
+}
+
+void CommandQuery::LoadArgs(Arguments& args)
+{
+ wstring object, target;
+
+ if (!args.GetNext(object))
+ throw WException(-2, L"Error, mismatched argument #1 for command 'query'");
+
+ if (object != L"process")
+ throw WException(-2, L"Error, invalid object type for command 'query'");
+
+ if (!args.GetNext(target))
+ throw WException(-2, L"Error, mismatched argument #2 for command 'query'");
+
+ m_targetProcId = _wtol(target.c_str());
+ if (!m_targetProcId)
+ throw WException(-2, L"Error, invalid target pid for command 'query'");
+}
+
+const wchar_t* ConvertInheritTypeToUnicode(HidPsInheritTypes type)
+{
+ switch (type)
+ {
+ case HidPsInheritTypes::WithoutInherit:
+ return L"none";
+ break;
+ case HidPsInheritTypes::InheritOnce:
+ return L"once";
+ break;
+ case HidPsInheritTypes::InheritAlways:
+ return L"always";
+ break;
+ }
+ return L"unknown";
+}
+
+void CommandQuery::PerformCommand(Connection& connection)
+{
+ HidStatus status;
+ HidActiveState excludeState, protectedState;
+ HidPsInheritTypes excludedInherit, protectedInherit;
+
+ status = Hid_GetExcludedState(connection.GetContext(), m_targetProcId, &excludeState, &excludedInherit);
+ if (!HID_STATUS_SUCCESSFUL(status))
+ throw WException(HID_STATUS_CODE(status), L"Error, query ignored state rejected");
+
+ status = Hid_GetProtectedState(connection.GetContext(), m_targetProcId, &protectedState, &protectedInherit);
+ if (!HID_STATUS_SUCCESSFUL(status))
+ throw WException(HID_STATUS_CODE(status), L"Error, query protected state rejected");
+
+ wcerr << L"ignore state:" << (excludeState == HidActiveState::StateEnabled ? L"true" : L"false")
+ << L", inherit:" << ConvertInheritTypeToUnicode(excludedInherit) << endl;
+ wcerr << L"protect state:" << (protectedState == HidActiveState::StateEnabled ? L"true" : L"false")
+ << L", inherit:" << ConvertInheritTypeToUnicode(protectedInherit) << endl;
+
+ wcout << L"status:ok;ignore:" << excludeState << L"," << excludedInherit
+ << L";protect:" << protectedState << L"," << protectedInherit << endl;
+}
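Review bot: The pid parsed at `m_targetProcId = _wtol(target.c_str());` is only checked for being non-zero, so inputs such as `123abc`, `-5` or an out-of-range number are accepted and passed on to the driver unchanged (a negative value would wrap if `HidProcId` is an unsigned type, which this diff does not show). Parsing with `std::wcstoul` and rejecting leftover characters, `ERANGE` and zero pins the argument down, as below (needs `<cerrno>`; `<cwchar>` provides `wcstoul`). `ConvertInheritTypeToUnicode` is defined with external linkage in a file that also has `using namespace std`; marking it `static` keeps it from colliding with a same-named helper in another command's translation unit, and the `break;` after each `return` in its switch is unreachable and can be dropped. The bare `#include` on the second line appears to have lost its header name in this rendering — presumably `<iostream>`, which `wcout`/`wcerr` require.
```cpp
	if (!args.GetNext(target))
		throw WException(-2, L"Error, mismatched argument #2 for command 'query'");

	// Accept only a complete, in-range, non-zero decimal pid
	// (assumes HidProcId is an integer type — confirm against the header).
	wchar_t* end = nullptr;
	errno = 0;
	const unsigned long pid = std::wcstoul(target.c_str(), &end, 10);
	if (end == target.c_str() || *end != L'\0' || errno == ERANGE || pid == 0)
		throw WException(-2, L"Error, invalid target pid for command 'query'");
	m_targetProcId = static_cast<HidProcId>(pid);
```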
diff --git a/HiddenCLI/Query.h b/HiddenCLI/Query.h
new file mode 100644
index 0000000..a1166b5
--- /dev/null
+++ b/HiddenCLI/Query.h
@@ -0,0 +1,20 @@
+#pragma once
+
+#include "Commands.h"
+
+class CommandQuery : public ICommand
+{
+ const wchar_t* m_command = nullptr;
+
+ HidProcId m_targetProcId;
+
+public:
+
+ CommandQuery();
+ virtual ~CommandQuery();
+
+ virtual bool CompareCommand(std::wstring& command);
+ virtual void LoadArgs(Arguments& args);
+ virtual void PerformCommand(Connection& connection);
+};
+
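Review bot: `HidProcId m_targetProcId;` is left uninitialized, so a `CommandQuery` whose `PerformCommand` runs without a successful `LoadArgs` would query an indeterminate pid; initialise it in-class, `HidProcId m_targetProcId = 0;` (assuming `HidProcId` is an integer type, which the `_wtol` assignment in Query.cpp suggests but this diff does not prove). The three `virtual` member functions implement `ICommand`'s interface; marking them `override` lets the compiler reject signature drift, e.g. `bool CompareCommand(std::wstring& command) override;`. `ICommand` is declared in Commands.h, outside this diff, so the interface itself (including the non-const `std::wstring&` parameter) cannot be tightened here alone.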
diff --git a/HiddenCLI/cli.txt b/HiddenCLI/cli.txt
index 54b1394..ce70570 100644
--- a/HiddenCLI/cli.txt
+++ b/HiddenCLI/cli.txt
@@ -8,6 +8,9 @@ connection:
commands:
+ state
+ Enable or disable hidden
+
hide <%path%>
Hide filesystem or registry object by path
@@ -49,5 +52,5 @@ commands:
unprotect pid <%pid%>
Turn off protection for specific process by PID
- query <%pid%>
+ query process <%pid%>
Query information about state of the process by PID
\ No newline at end of file