Configs installation to registry

2016-12-25 23:56:18 +03:00 · 2016-12-25 23:56:18 +03:00 · 1b643e5e84
parent 432a731aac
commit 1b643e5e84
15 changed files with 182 additions and 41 deletions
--- a/Hidden/Configs.c
+++ b/Hidden/Configs.c
@ -56,7 +56,7 @@ NTSTATUS InitializeConfigs(PUNICODE_STRING RegistryPath)
 	QueryAndAllocRegistryData(hkey, L"Hid_HideRegKeys",     REG_MULTI_SZ, &config.hideRegKeys,   NULL);
 	QueryAndAllocRegistryData(hkey, L"Hid_HideRegValues",   REG_MULTI_SZ, &config.hideRegValues, NULL);

-	QueryAndAllocRegistryData(hkey, L"Hid_IgnoredImages",    REG_MULTI_SZ, &config.ignoreImages,  NULL);
+	QueryAndAllocRegistryData(hkey, L"Hid_IgnoredImages",   REG_MULTI_SZ, &config.ignoreImages,  NULL);
 	QueryAndAllocRegistryData(hkey, L"Hid_ProtectedImages", REG_MULTI_SZ, &config.protectImages, NULL);

 	ZwClose(hkey);
--- a/Hidden/FsFilter.c
+++ b/Hidden/FsFilter.c
@ -754,16 +754,16 @@ NTSTATUS CleanFileNamesInformation(PFILE_NAMES_INFORMATION info, PFLT_FILE_NAME_

 VOID LoadConfigFilesCallback(PUNICODE_STRING Str, PVOID Params)
 {
-	ExcludeContext context = (ExcludeContext)Params;
-	ExcludeEntryId id;
-	AddExcludeListFile(context, Str, &id);
+	ULONGLONG id;
+	UNREFERENCED_PARAMETER(Params);
+	AddHiddenFile(Str, &id);
 }

 VOID LoadConfigDirsCallback(PUNICODE_STRING Str, PVOID Params)
 {
-	ExcludeContext context = (ExcludeContext)Params;
-	ExcludeEntryId id;
-	AddExcludeListDirectory(context, Str, &id);
+	ULONGLONG id;
+	UNREFERENCED_PARAMETER(Params);
+	AddHiddenDir(Str, &id);
 }

 NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject)
@ -790,7 +790,7 @@ NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject)
 		AddExcludeListFile(g_excludeFileContext, &str, &id);
 	}

-	CfgEnumConfigsTable(HideFilesTable, &LoadConfigFilesCallback, g_excludeFileContext);
+	CfgEnumConfigsTable(HideFilesTable, &LoadConfigFilesCallback, NULL);

 	status = InitializeExcludeListContext(&g_excludeDirectoryContext, ExcludeDirectory);
 	if (!NT_SUCCESS(status))
@ -806,7 +806,7 @@ NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject)
 		AddExcludeListDirectory(g_excludeDirectoryContext, &str, &id);
 	}

-	CfgEnumConfigsTable(HideDirsTable, &LoadConfigDirsCallback, g_excludeDirectoryContext);
+	CfgEnumConfigsTable(HideDirsTable, &LoadConfigDirsCallback, NULL);

 	// Filesystem mini-filter initialization

--- a/Hidden/PsMonitor.c
+++ b/Hidden/PsMonitor.c
@ -408,15 +408,28 @@ NTSTATUS ParsePsConfigEntry(PUNICODE_STRING Entry, PUNICODE_STRING Path, PULONG
 	return STATUS_NOT_FOUND;
 }

-VOID LoadConfigRulesCallback(PUNICODE_STRING Str, PVOID Params)
+VOID LoadProtectedRulesCallback(PUNICODE_STRING Str, PVOID Params)
 {
-	PsRulesContext context = (PsRulesContext)Params;
 	UNICODE_STRING path;
 	ULONG inherit;
 	PsRuleEntryId ruleId;

+	UNREFERENCED_PARAMETER(Params);
+
 	if (NT_SUCCESS(ParsePsConfigEntry(Str, &path, &inherit)))
-		AddRuleToPsRuleList(context, &path, inherit, &ruleId);
+		AddProtectedImage(&path, inherit, FALSE, &ruleId);
+}
+
+VOID LoadIgnoredRulesCallback(PUNICODE_STRING Str, PVOID Params)
+{
+	UNICODE_STRING path;
+	ULONG inherit;
+	PsRuleEntryId ruleId;
+
+	UNREFERENCED_PARAMETER(Params);
+
+	if (NT_SUCCESS(ParsePsConfigEntry(Str, &path, &inherit)))
+		AddExcludedImage(&path, inherit, FALSE, &ruleId);
 }

 NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
@ -485,7 +498,7 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
 	}

 	// Load entries from the config
-	CfgEnumConfigsTable(IgnoreImagesTable, &LoadConfigRulesCallback, g_excludeProcessRules);
+	CfgEnumConfigsTable(IgnoreImagesTable, &LoadIgnoredRulesCallback, NULL);

 	// protected

@ -514,7 +527,7 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
 	}

 	// Load entries from the config
-	CfgEnumConfigsTable(ProtectImagesTable, &LoadConfigRulesCallback, g_protectProcessRules);
+	CfgEnumConfigsTable(ProtectImagesTable, &LoadProtectedRulesCallback, NULL);

 	// Process table

--- a/Hidden/RegFilter.c
+++ b/Hidden/RegFilter.c
@ -6,6 +6,7 @@
 #include "ExcludeList.h"
 #include "PsMonitor.h"
 #include "Configs.h"
+#include "Driver.h"

 #define FILTER_ALLOC_TAG 'FRlF'

@ -514,6 +515,9 @@ NTSTATUS RegistryFilterCallback(PVOID CallbackContext, PVOID Argument1, PVOID Ar
 	REG_NOTIFY_CLASS notifyClass = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;
 	NTSTATUS status;

+	if (!IsDriverEnabled())
+		return STATUS_SUCCESS;
+
 	switch (notifyClass)
 	{
 	case RegNtPreCreateKey:
--- a/Hidden/todo.txt
+++ b/Hidden/todo.txt
@ -67,8 +67,7 @@
 		- Отреверсить установщик VMBox tools
 - Реализовать steals mode
 + Реализовать поддержку загрузки дефольтных конфигов из реестра
- Реализовать установку конфигов в реестр через hiddencli
-	- Добавить нормализацию пути т.к. ядро это не делает
+ Реализовать установку конфигов в реестр через hiddencli
 - Привести в порядок вывод статуса в hiddencli
 - Насодить на ETL и DbgPrintEx

--- a/HiddenCLI/Connection.cpp
+++ b/HiddenCLI/Connection.cpp
@ -53,3 +53,15 @@ HidContext Connection::GetContext()
 	return m_context;
 }

+LibInitializator::LibInitializator()
+{
+	HidStatus status = Hid_InitializeWithNoConnection();
+	if (!HID_STATUS_SUCCESSFUL(status))
+		throw WException(HID_STATUS_CODE(status), L"Error, init hidden lib");
+}
+
+LibInitializator::~LibInitializator()
+{
+	// We don't need release lib resources because in case of the 
+	// Hid_InitializeWithNoConnection() there aren't any dynamic data
+}
--- a/HiddenCLI/Connection.h
+++ b/HiddenCLI/Connection.h
@ -20,3 +20,10 @@ public:

 	HidContext GetContext();
 };
+
+class LibInitializator
+{
+public:
+	LibInitializator();
+	~LibInitializator();
+};
--- a/HiddenCLI/HiddenCLI.cpp
+++ b/HiddenCLI/HiddenCLI.cpp
@ -105,7 +105,24 @@ bool PrintUsage(Arguments& args)
 		L"    Turn off protection for specific process by PID\n"
 		L"\n"
 		L"  /query process <%pid%>\n"
-		L"    Query information about state of the process by PID\n";
+		L"    Query information about state of the process by PID\n"
+		L"\n"
+		L"options:\n"
+		L"\n"
+		L"  inherit:none\n"
+		L"    Disable inheritance of the protected or ignored state\n"
+		L"\n"
+		L"  inherit:once\n"
+		L"    Child process will inherit the same state but its children no\n"
+		L"\n"
+		L"  inherit:always\n"
+		L"    Child process will inherit the same state and its children too\n"
+		L"\n"
+		L"  apply:forall\n"
+		L"    Apply policy for existing processes and for all new processes\n"
+		L"\n"
+		L"  apply:fornew\n"
+		L"    Don't apply policy for existing processes only for new\n";

 	wcout << message << endl;
 	return true;
@ -140,8 +157,6 @@ int wmain(int argc, wchar_t* argv[])
 	try 
 	{
 		Arguments arguments(argc , argv);
-		Connection connection(arguments);
-		wstring mode;

 		if (!arguments.ArgsCount())
 			throw WException(
@ -152,28 +167,37 @@ int wmain(int argc, wchar_t* argv[])
 		if (PrintUsage(arguments))
 			return 0;

-		{
-			CommandMode mode(arguments);
-			CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode);

-			if (mode.GetModeType() == CommandModeType::Execute)
+		CommandMode mode(arguments);
+
+		if (mode.GetModeType() == CommandModeType::Execute)
+		{
+			Connection connection(arguments);
 			{
+				CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode);
 				connection.Open();
 				commands->Perform(connection);
 			}
-			else if (mode.GetModeType() == CommandModeType::Install)
+		}
+		else if (mode.GetModeType() == CommandModeType::Install)
+		{
+			LibInitializator lib;
 			{
+				CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode);
 				RegistryKey key(mode.GetConfigRegistryKeyPath());
 				commands->Install(key);
 			}
-			else if (mode.GetModeType() == CommandModeType::Uninstall)
+		}
+		else if (mode.GetModeType() == CommandModeType::Uninstall)
+		{
+			LibInitializator lib;
 			{
+				CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode);
 				RegistryKey key(mode.GetConfigRegistryKeyPath());
 				commands->Uninstall(key);
 			}
-
-			wcout << L"status:ok" << endl;
 		}
+		wcout << L"status:ok" << endl;
 	}
 	catch (WException& exception)
 	{
--- a/HiddenCLI/Hide.cpp
+++ b/HiddenCLI/Hide.cpp
@ -1,5 +1,6 @@
 #include "Hide.h"
 #include <iostream>
+#include <algorithm>

 using namespace std;

@ -18,6 +19,17 @@ bool CommandHide::CompareCommand(std::wstring& command)
 	return (command == m_command);
 }

+HidRegRootTypes CommandHide::GetTypeAndNormalizeRegPath(std::wstring& regPath)
+{
+	HidRegRootTypes type = GetRegType(regPath);
+	size_t pos = regPath.find(L"\\");
+	if (pos == wstring::npos)
+		throw WException(-2, L"Error, invalid registry path");
+
+	regPath = std::move(wstring(regPath.c_str() + pos + 1));
+	return type;
+}
+
 void CommandHide::LoadArgs(Arguments& args, CommandModeType mode)
 {
 	wstring object;
@ -39,12 +51,12 @@ void CommandHide::LoadArgs(Arguments& args, CommandModeType mode)
 	else if (object == L"regkey")
 	{
 		m_hideType = EObjTypes::TypeRegKey;
-		m_regRootType = GetRegType(m_path);
+		m_regRootType = GetTypeAndNormalizeRegPath(m_path);
 	}
 	else if (object == L"regval")
 	{
 		m_hideType = EObjTypes::TypeRegVal;
-		m_regRootType = GetRegType(m_path);
+		m_regRootType = GetTypeAndNormalizeRegPath(m_path);
 	}
 	else
 	{
@ -86,25 +98,28 @@ void CommandHide::InstallCommand(RegistryKey& configKey)
 {
 	vector<wstring> commands;
 	const wchar_t* valueName;
+	HidStatus status;
 	wstring entry;

+	entry.insert(0, m_path.size() + HID_NORMALIZATION_OVERHEAD, L'\0');
+
 	switch (m_hideType)
 	{
 	case EObjTypes::TypeFile:
 		valueName = L"Hid_HideFsFiles";
-		entry = m_path;
+		status = Hid_NormalizeFilePath(m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size());
 		break;
 	case EObjTypes::TypeDir:
 		valueName = L"Hid_HideFsDirs";
-		entry = m_path;
+		status = Hid_NormalizeFilePath(m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size());
 		break;
 	case EObjTypes::TypeRegKey:
 		valueName = L"Hid_HideRegKeys";
-		entry = m_path;
+		status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size());
 		break;
 	case EObjTypes::TypeRegVal:
 		valueName = L"Hid_HideRegValues";
-		entry = m_path;
+		status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size());
 		break;
 	default:
 		throw WException(-2, L"Internal error, invalid type for command 'hide'");
--- a/HiddenCLI/Hide.h
+++ b/HiddenCLI/Hide.h
@ -9,6 +9,8 @@ class CommandHide : public ICommand
 	EObjTypes       m_hideType;
 	HidRegRootTypes m_regRootType;
 	std::wstring    m_path;
+	
+	HidRegRootTypes GetTypeAndNormalizeRegPath(std::wstring& regPath);

 public:

--- a/HiddenCLI/Ignore.cpp
+++ b/HiddenCLI/Ignore.cpp
@ -92,9 +92,16 @@ void CommandIgnore::PerformCommand(Connection& connection)
 void CommandIgnore::InstallCommand(RegistryKey& configKey)
 {
 	vector<wstring> commands;
-	wstring entry;
+	wstring temp, entry;
+	HidStatus status;

-	entry = m_targetImage;
+	temp.insert(0, m_targetImage.size() + HID_NORMALIZATION_OVERHEAD, L'\0');
+
+	status = Hid_NormalizeFilePath(m_targetImage.c_str(), const_cast<wchar_t*>(temp.c_str()), temp.size());
+	if (!HID_STATUS_SUCCESSFUL(status))
+		throw WException(HID_STATUS_CODE(status), L"Error, can't normalize path, 'ignore' rejected");
+
+	entry += temp.c_str();
 	entry += L";";
 	entry += ConvertInheritTypeToUnicode(m_inheritType);

--- a/HiddenCLI/Protect.cpp
+++ b/HiddenCLI/Protect.cpp
@ -92,9 +92,16 @@ void CommandProtect::PerformCommand(Connection& connection)
 void CommandProtect::InstallCommand(RegistryKey& configKey)
 {
 	vector<wstring> commands;
-	wstring entry;
+	wstring temp, entry;
+	HidStatus status;

-	entry = m_targetImage;
+	temp.insert(0, m_targetImage.size() + HID_NORMALIZATION_OVERHEAD, L'\0');
+
+	status = Hid_NormalizeFilePath(m_targetImage.c_str(), const_cast<wchar_t*>(temp.c_str()), temp.size());
+	if (!HID_STATUS_SUCCESSFUL(status))
+		throw WException(HID_STATUS_CODE(status), L"Error, can't normalize path, 'protect' rejected");
+
+	entry += temp.c_str();
 	entry += L";";
 	entry += ConvertInheritTypeToUnicode(m_inheritType);

--- a/HiddenCLI/cli.txt
+++ b/HiddenCLI/cli.txt
@ -79,3 +79,20 @@ commands:

 	/query process <%pid%>
 		Query information about state of the process by PID
+
+options:
+
+  inherit:none
+    Disable inheritance of the protected or ignored state
+
+  inherit:once
+    Child process will inherit the same state but its children no
+
+  inherit:always
+    Child process will inherit the same state and its children too
+
+  apply:forall
+    Apply policy for existing processes and for all new processes
+
+  apply:fornew
+    Don't apply policy for existing processes only for new
--- a/HiddenLib/HiddenLib.cpp
+++ b/HiddenLib/HiddenLib.cpp
@ -44,11 +44,8 @@ static RtlDosPathNameToRelativeNtPathName_U_Prototype RtlDosPathNameToRelativeNt
 static RtlFormatCurrentUserKeyPath_Prototype RtlFormatCurrentUserKeyPath = nullptr;
 static RtlFreeUnicodeString_Prototype RtlFreeUnicodeString = nullptr;

-HidStatus _API Hid_Initialize(PHidContext pcontext, const wchar_t* deviceName)
+HidStatus _API Hid_InitializeWithNoConnection()
 {
-	HANDLE hdevice = INVALID_HANDLE_VALUE;
-	PHidContextInternal context;
-
 	if (!RtlDosPathNameToRelativeNtPathName_U)
 	{
 		*(FARPROC*)&RtlDosPathNameToRelativeNtPathName_U = GetProcAddress(
@ -79,6 +76,19 @@ HidStatus _API Hid_Initialize(PHidContext pcontext, const wchar_t* deviceName)
 			return HID_SET_STATUS(FALSE, GetLastError());
 	}

+	return HID_SET_STATUS(TRUE, 0);
+}
+
+HidStatus _API Hid_Initialize(PHidContext pcontext, const wchar_t* deviceName)
+{
+	HANDLE hdevice = INVALID_HANDLE_VALUE;
+	PHidContextInternal context;
+	HidStatus status;
+
+	status = Hid_InitializeWithNoConnection();
+	if (!HID_STATUS_SUCCESSFUL(status))
+		return status;
+
 	if (!deviceName)
 		deviceName = DEVICE_WIN32_NAME;

@ -733,3 +743,19 @@ HidStatus _API Hid_RemoveProtectedState(HidContext context, HidProcId procId)
 {
 	return SendIoctl_SetPsStatePacket((PHidContextInternal)context, procId, PsProtectedObject, HidActiveState::StateDisabled, HidPsInheritTypes::WithoutInherit);
 }
+
+HidStatus _API Hid_NormalizeFilePath(const wchar_t* filePath, wchar_t* normalized, size_t normalizedLen)
+{
+	if (!ConvertToNtPath(filePath, normalized, normalizedLen))
+		return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
+
+	return HID_SET_STATUS(TRUE, 0);
+}
+
+HidStatus _API Hid_NormalizeRegistryPath(HidRegRootTypes root, const wchar_t* regPath, wchar_t* normalized, size_t normalizedLen)
+{
+	if (!NormalizeRegistryPath(root, regPath, normalized, normalizedLen))
+		return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
+
+	return HID_SET_STATUS(TRUE, 0);
+}
--- a/HiddenLib/HiddenLib.h
+++ b/HiddenLib/HiddenLib.h
@ -7,6 +7,8 @@ typedef unsigned long long HidStatus;

 #define HID_SET_STATUS(state, code)   (unsigned long long)((unsigned long long)code << 1 | (state ? 1 : 0))

+#define HID_NORMALIZATION_OVERHEAD                         100
+
 #define _API __cdecl

 typedef void*       HidContext;
@ -39,6 +41,7 @@ enum HidRegRootTypes
 	RegHKU
 };

+HidStatus _API Hid_InitializeWithNoConnection();
 HidStatus _API Hid_Initialize(PHidContext pcontext, const wchar_t* deviceName = 0);
 void _API Hid_Destroy(HidContext context);

@ -78,3 +81,8 @@ HidStatus _API Hid_RemoveAllProtectedImages(HidContext context);
 HidStatus _API Hid_GetProtectedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType);
 HidStatus _API Hid_AttachProtectedState(HidContext context, HidProcId procId, HidPsInheritTypes inheritType);
 HidStatus _API Hid_RemoveProtectedState(HidContext context, HidProcId procId);
+
+// Misc
+
+HidStatus _API Hid_NormalizeFilePath(const wchar_t* filePath, wchar_t* normalized, size_t normalizedLen);
+HidStatus _API Hid_NormalizeRegistryPath(HidRegRootTypes root, const wchar_t* regPath, wchar_t* normalized, size_t normalizedLen);