diff --git a/Hidden/Configs.c b/Hidden/Configs.c index 2691dad..7638cad 100644 --- a/Hidden/Configs.c +++ b/Hidden/Configs.c @@ -56,7 +56,7 @@ NTSTATUS InitializeConfigs(PUNICODE_STRING RegistryPath) QueryAndAllocRegistryData(hkey, L"Hid_HideRegKeys", REG_MULTI_SZ, &config.hideRegKeys, NULL); QueryAndAllocRegistryData(hkey, L"Hid_HideRegValues", REG_MULTI_SZ, &config.hideRegValues, NULL); - QueryAndAllocRegistryData(hkey, L"Hid_IgnoredImages", REG_MULTI_SZ, &config.ignoreImages, NULL); + QueryAndAllocRegistryData(hkey, L"Hid_IgnoredImages", REG_MULTI_SZ, &config.ignoreImages, NULL); QueryAndAllocRegistryData(hkey, L"Hid_ProtectedImages", REG_MULTI_SZ, &config.protectImages, NULL); ZwClose(hkey); diff --git a/Hidden/FsFilter.c b/Hidden/FsFilter.c index 0748297..7441492 100644 --- a/Hidden/FsFilter.c +++ b/Hidden/FsFilter.c @@ -754,16 +754,16 @@ NTSTATUS CleanFileNamesInformation(PFILE_NAMES_INFORMATION info, PFLT_FILE_NAME_ VOID LoadConfigFilesCallback(PUNICODE_STRING Str, PVOID Params) { - ExcludeContext context = (ExcludeContext)Params; - ExcludeEntryId id; - AddExcludeListFile(context, Str, &id); + ULONGLONG id; + UNREFERENCED_PARAMETER(Params); + AddHiddenFile(Str, &id); } VOID LoadConfigDirsCallback(PUNICODE_STRING Str, PVOID Params) { - ExcludeContext context = (ExcludeContext)Params; - ExcludeEntryId id; - AddExcludeListDirectory(context, Str, &id); + ULONGLONG id; + UNREFERENCED_PARAMETER(Params); + AddHiddenDir(Str, &id); } NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject) @@ -790,7 +790,7 @@ NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject) AddExcludeListFile(g_excludeFileContext, &str, &id); } - CfgEnumConfigsTable(HideFilesTable, &LoadConfigFilesCallback, g_excludeFileContext); + CfgEnumConfigsTable(HideFilesTable, &LoadConfigFilesCallback, NULL); status = InitializeExcludeListContext(&g_excludeDirectoryContext, ExcludeDirectory); if (!NT_SUCCESS(status)) 
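Review bot: In LoadConfigFilesCallback and LoadConfigDirsCallback the NTSTATUS returned by AddHiddenFile/AddHiddenDir is discarded, so a registry entry that fails to be added (for example one that cannot be normalized) is dropped silently, the object stays visible, and nothing records it; `id` is written and never read. These entries are the driver's persistent hiding policy, so at minimum the failure should be logged: `NTSTATUS status = AddHiddenFile(Str, &id);` followed by `if (!NT_SUCCESS(status)) DbgPrint("AddHiddenFile failed for %wZ: %08x\n", Str, status);` (or whatever logging helper the driver already uses), and the same for the directory callback. Whether AddHiddenFile itself logs internally is not visible here; if it does, a comment saying so at the call site would be enough.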
@@ -806,7 +806,7 @@ NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject) AddExcludeListDirectory(g_excludeDirectoryContext, &str, &id); } - CfgEnumConfigsTable(HideDirsTable, &LoadConfigDirsCallback, g_excludeDirectoryContext); + CfgEnumConfigsTable(HideDirsTable, &LoadConfigDirsCallback, NULL); // Filesystem mini-filter initialization diff --git a/Hidden/PsMonitor.c b/Hidden/PsMonitor.c index 62e501b..a82ce59 100644 --- a/Hidden/PsMonitor.c +++ b/Hidden/PsMonitor.c @@ -408,15 +408,28 @@ NTSTATUS ParsePsConfigEntry(PUNICODE_STRING Entry, PUNICODE_STRING Path, PULONG return STATUS_NOT_FOUND; } -VOID LoadConfigRulesCallback(PUNICODE_STRING Str, PVOID Params) +VOID LoadProtectedRulesCallback(PUNICODE_STRING Str, PVOID Params) { - PsRulesContext context = (PsRulesContext)Params; UNICODE_STRING path; ULONG inherit; PsRuleEntryId ruleId; + UNREFERENCED_PARAMETER(Params); + if (NT_SUCCESS(ParsePsConfigEntry(Str, &path, &inherit))) - AddRuleToPsRuleList(context, &path, inherit, &ruleId); + AddProtectedImage(&path, inherit, FALSE, &ruleId); +} + +VOID LoadIgnoredRulesCallback(PUNICODE_STRING Str, PVOID Params) +{ + UNICODE_STRING path; + ULONG inherit; + PsRuleEntryId ruleId; + + UNREFERENCED_PARAMETER(Params); + + if (NT_SUCCESS(ParsePsConfigEntry(Str, &path, &inherit))) + AddExcludedImage(&path, inherit, FALSE, &ruleId); } NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject) @@ -485,7 +498,7 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject) } // Load entries from the config - CfgEnumConfigsTable(IgnoreImagesTable, &LoadConfigRulesCallback, g_excludeProcessRules); + CfgEnumConfigsTable(IgnoreImagesTable, &LoadIgnoredRulesCallback, NULL); // protected @@ -514,7 +527,7 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject) } // Load entries from the config - CfgEnumConfigsTable(ProtectImagesTable, &LoadConfigRulesCallback, g_protectProcessRules); + CfgEnumConfigsTable(ProtectImagesTable, &LoadProtectedRulesCallback, NULL); // Process table 
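Review bot: LoadProtectedRulesCallback and LoadIgnoredRulesCallback ignore both a failing ParsePsConfigEntry and the status of AddProtectedImage/AddExcludedImage, so a malformed or unnormalizable `Hid_ProtectedImages` entry silently leaves that image unprotected from boot with no trace. For a protection policy loaded from the registry that is the one failure worth surfacing; I would log both paths, e.g. `if (!NT_SUCCESS(ParsePsConfigEntry(Str, &path, &inherit))) { /* log Str */ return; }` and then check the status of the Add call instead of discarding it. The two callbacks are otherwise identical except for the final call; since both CfgEnumConfigsTable sites now pass NULL as Params, that parameter could carry the distinction (or a static helper could take the add function), but that is a style preference. The meaning of the new `FALSE` argument to AddProtectedImage/AddExcludedImage is not visible here and deserves a short comment at the call.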
diff --git a/Hidden/RegFilter.c b/Hidden/RegFilter.c index dbe2829..4c9f668 100644 --- a/Hidden/RegFilter.c +++ b/Hidden/RegFilter.c @@ -6,6 +6,7 @@ #include "ExcludeList.h" #include "PsMonitor.h" #include "Configs.h" +#include "Driver.h" #define FILTER_ALLOC_TAG 'FRlF' @@ -514,6 +515,9 @@ NTSTATUS RegistryFilterCallback(PVOID CallbackContext, PVOID Argument1, PVOID Ar REG_NOTIFY_CLASS notifyClass = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1; NTSTATUS status; + if (!IsDriverEnabled()) + return STATUS_SUCCESS; + switch (notifyClass) { case RegNtPreCreateKey: diff --git a/Hidden/todo.txt b/Hidden/todo.txt index 31690b9..1293b64 100644 --- a/Hidden/todo.txt +++ b/Hidden/todo.txt @@ -67,8 +67,7 @@ - Отреверсить установщик VMBox tools - Реализовать steals mode + Реализовать поддержку загрузки дефольтных конфигов из реестра -- Реализовать установку конфигов в реестр через hiddencli - - Добавить нормализацию пути т.к. ядро это не делает ++ Реализовать установку конфигов в реестр через hiddencli - Привести в порядок вывод статуса в hiddencli - Насодить на ETL и DbgPrintEx diff --git a/HiddenCLI/Connection.cpp b/HiddenCLI/Connection.cpp index 2078ad7..2943985 100644 --- a/HiddenCLI/Connection.cpp +++ b/HiddenCLI/Connection.cpp @@ -53,3 +53,15 @@ HidContext Connection::GetContext() return m_context; } +LibInitializator::LibInitializator() +{ + HidStatus status = Hid_InitializeWithNoConnection(); + if (!HID_STATUS_SUCCESSFUL(status)) + throw WException(HID_STATUS_CODE(status), L"Error, init hidden lib"); +} + +LibInitializator::~LibInitializator() +{ + // We don't need release lib resources because in case of the + // Hid_InitializeWithNoConnection() there aren't any dynamic data +} diff --git a/HiddenCLI/Connection.h b/HiddenCLI/Connection.h index 7afac2e..8449585 100644 --- a/HiddenCLI/Connection.h +++ b/HiddenCLI/Connection.h @@ -20,3 +20,10 @@ public: HidContext GetContext(); }; + +class LibInitializator +{ +public: + LibInitializator(); + ~LibInitializator(); +}; 
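Review bot: The new `if (!IsDriverEnabled()) return STATUS_SUCCESS;` gates only RegistryFilterCallback; if the FS mini-filter and process-notify callbacks elsewhere do not have the same early return (not visible in this diff), disabling the driver would un-hide registry keys while files and processes stay hidden, which is an inconsistent state for what is meant to be a single on/off switch. Worth confirming those paths check IsDriverEnabled() the same way, and documenting on IsDriverEnabled() in Driver.h that it is intended to be read on every filter callback so its read must be cheap and safe against concurrent toggling. RegistryFilterCallback continues past the end of the hunk.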
diff --git a/HiddenCLI/HiddenCLI.cpp b/HiddenCLI/HiddenCLI.cpp index 2915658..e426e01 100644 --- a/HiddenCLI/HiddenCLI.cpp +++ b/HiddenCLI/HiddenCLI.cpp @@ -105,7 +105,24 @@ bool PrintUsage(Arguments& args) L" Turn off protection for specific process by PID\n" L"\n" L" /query process <%pid%>\n" - L" Query information about state of the process by PID\n"; + L" Query information about state of the process by PID\n" + L"\n" + L"options:\n" + L"\n" + L" inherit:none\n" + L" Disable inheritance of the protected or ignored state\n" + L"\n" + L" inherit:once\n" + L" Child process will inherit the same state but its children no\n" + L"\n" + L" inherit:always\n" + L" Child process will inherit the same state and its children too\n" + L"\n" + L" apply:forall\n" + L" Apply policy for existing processes and for all new processes\n" + L"\n" + L" apply:fornew\n" + L" Don't apply policy for existing processes only for new\n"; wcout << message << endl; return true; @@ -140,8 +157,6 @@ int wmain(int argc, wchar_t* argv[]) try { Arguments arguments(argc , argv); - Connection connection(arguments); - wstring mode; if (!arguments.ArgsCount()) throw WException( 
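Review bot: Two of the new option descriptions in PrintUsage read awkwardly and are the only explanation users get of the inheritance model: `inherit:once` says `Child process will inherit the same state but its children no` and `apply:fornew` says `Don't apply policy for existing processes only for new`. I would phrase them as `Child processes inherit the state, but their children do not` and `Apply the policy to new processes only, not to existing ones`. The same strings are duplicated in cli.txt in this commit and should be kept in sync with whatever wording is chosen.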
@@ -152,28 +167,37 @@ int wmain(int argc, wchar_t* argv[]) if (PrintUsage(arguments)) return 0; - { - CommandMode mode(arguments); - CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode); - if (mode.GetModeType() == CommandModeType::Execute) + CommandMode mode(arguments); + + if (mode.GetModeType() == CommandModeType::Execute) + { + Connection connection(arguments); { + CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode); connection.Open(); commands->Perform(connection); } - else if (mode.GetModeType() == CommandModeType::Install) + } + else if (mode.GetModeType() == CommandModeType::Install) + { + LibInitializator lib; { + CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode); RegistryKey key(mode.GetConfigRegistryKeyPath()); commands->Install(key); } - else if (mode.GetModeType() == CommandModeType::Uninstall) + } + else if (mode.GetModeType() == CommandModeType::Uninstall) + { + LibInitializator lib; { + CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode); RegistryKey key(mode.GetConfigRegistryKeyPath()); commands->Uninstall(key); } - - wcout << L"status:ok" << endl; } + wcout << L"status:ok" << endl; } catch (WException& exception) { diff --git a/HiddenCLI/Hide.cpp b/HiddenCLI/Hide.cpp index 2ad76db..59d8adc 100644 --- a/HiddenCLI/Hide.cpp +++ b/HiddenCLI/Hide.cpp @@ -1,5 +1,6 @@ #include "Hide.h" #include +#include using namespace std; @@ -18,6 +19,17 @@ bool CommandHide::CompareCommand(std::wstring& command) return (command == m_command); } +HidRegRootTypes CommandHide::GetTypeAndNormalizeRegPath(std::wstring& regPath) +{ + HidRegRootTypes type = GetRegType(regPath); + size_t pos = regPath.find(L"\\"); + if (pos == wstring::npos) + throw WException(-2, L"Error, invalid registry path"); + + regPath = std::move(wstring(regPath.c_str() + pos + 1)); + return type; +} + void CommandHide::LoadArgs(Arguments& args, CommandModeType mode) { wstring object; 
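Review bot: In CommandHide::GetTypeAndNormalizeRegPath the remainder after the root prefix is never validated, so an argument like `HKLM\` passes the npos check and produces an empty path that is handed on to Hid_NormalizeRegistryPath; whether that ends up as a rule on the hive root depends on NormalizeRegistryPath (not visible here), but rejecting it at the boundary is cheap: `if (pos == wstring::npos || pos + 1 >= regPath.size()) throw WException(-2, L"Error, invalid registry path");`. The assignment `regPath = std::move(wstring(regPath.c_str() + pos + 1));` moves a temporary, which gains nothing; `regPath.erase(0, pos + 1);` does the same in place. GetRegType(regPath) is called before the backslash check, so its behaviour on a prefix-only or prefix-less string decides what the user sees first; fine if it already throws, worth confirming.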
@@ -39,12 +51,12 @@ void CommandHide::LoadArgs(Arguments& args, CommandModeType mode) else if (object == L"regkey") { m_hideType = EObjTypes::TypeRegKey; - m_regRootType = GetRegType(m_path); + m_regRootType = GetTypeAndNormalizeRegPath(m_path); } else if (object == L"regval") { m_hideType = EObjTypes::TypeRegVal; - m_regRootType = GetRegType(m_path); + m_regRootType = GetTypeAndNormalizeRegPath(m_path); } else { @@ -86,25 +98,28 @@ void CommandHide::InstallCommand(RegistryKey& configKey) { vector commands; const wchar_t* valueName; + HidStatus status; wstring entry; + entry.insert(0, m_path.size() + HID_NORMALIZATION_OVERHEAD, L'\0'); + switch (m_hideType) { case EObjTypes::TypeFile: valueName = L"Hid_HideFsFiles"; - entry = m_path; + status = Hid_NormalizeFilePath(m_path.c_str(), const_cast(entry.c_str()), entry.size()); break; case EObjTypes::TypeDir: valueName = L"Hid_HideFsDirs"; - entry = m_path; + status = Hid_NormalizeFilePath(m_path.c_str(), const_cast(entry.c_str()), entry.size()); break; case EObjTypes::TypeRegKey: valueName = L"Hid_HideRegKeys"; - entry = m_path; + status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), const_cast(entry.c_str()), entry.size()); break; case EObjTypes::TypeRegVal: valueName = L"Hid_HideRegValues"; - entry = m_path; + status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), const_cast(entry.c_str()), entry.size()); break; default: throw WException(-2, L"Internal error, invalid type for command 'hide'"); diff --git a/HiddenCLI/Hide.h b/HiddenCLI/Hide.h index 40cb059..7583d61 100644 --- a/HiddenCLI/Hide.h +++ b/HiddenCLI/Hide.h @@ -9,6 +9,8 @@ class CommandHide : public ICommand EObjTypes m_hideType; HidRegRootTypes m_regRootType; std::wstring m_path; + + HidRegRootTypes GetTypeAndNormalizeRegPath(std::wstring& regPath); public: diff --git a/HiddenCLI/Ignore.cpp b/HiddenCLI/Ignore.cpp index a2c58e1..12c4499 100644 --- a/HiddenCLI/Ignore.cpp +++ b/HiddenCLI/Ignore.cpp 
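Review bot: In CommandHide::InstallCommand the HidStatus from Hid_NormalizeFilePath/Hid_NormalizeRegistryPath is stored but not checked anywhere inside the hunk, and `entry` keeps its pre-sized length of m_path.size() + HID_NORMALIZATION_OVERHEAD characters after the call, unlike CommandIgnore/CommandProtect in this same commit, which normalize into a scratch string and copy it via c_str(). If neither is handled after the switch (the function continues outside the hunk), a failed normalization installs whatever was left in the buffer and a successful one writes a value padded with embedded NULs into the multi-string (Configs.c reads `Hid_HideRegKeys` as REG_MULTI_SZ). I would add after the switch `if (!HID_STATUS_SUCCESSFUL(status)) throw WException(HID_STATUS_CODE(status), L"Error, can't normalize path, 'hide' rejected");` and `entry.resize(wcslen(entry.c_str()));`. Writing through `const_cast<wchar_t*>(entry.c_str())` is also not permitted by the standard; `&entry[0]` yields a writable pointer without the cast.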
@@ -92,9 +92,16 @@ void CommandIgnore::PerformCommand(Connection& connection) void CommandIgnore::InstallCommand(RegistryKey& configKey) { vector commands; - wstring entry; + wstring temp, entry; + HidStatus status; - entry = m_targetImage; + temp.insert(0, m_targetImage.size() + HID_NORMALIZATION_OVERHEAD, L'\0'); + + status = Hid_NormalizeFilePath(m_targetImage.c_str(), const_cast(temp.c_str()), temp.size()); + if (!HID_STATUS_SUCCESSFUL(status)) + throw WException(HID_STATUS_CODE(status), L"Error, can't normalize path, 'ignore' rejected"); + + entry += temp.c_str(); entry += L";"; entry += ConvertInheritTypeToUnicode(m_inheritType); diff --git a/HiddenCLI/Protect.cpp b/HiddenCLI/Protect.cpp index 65fb116..604074f 100644 --- a/HiddenCLI/Protect.cpp +++ b/HiddenCLI/Protect.cpp @@ -92,9 +92,16 @@ void CommandProtect::PerformCommand(Connection& connection) void CommandProtect::InstallCommand(RegistryKey& configKey) { vector commands; - wstring entry; + wstring temp, entry; + HidStatus status; - entry = m_targetImage; + temp.insert(0, m_targetImage.size() + HID_NORMALIZATION_OVERHEAD, L'\0'); + + status = Hid_NormalizeFilePath(m_targetImage.c_str(), const_cast(temp.c_str()), temp.size()); + if (!HID_STATUS_SUCCESSFUL(status)) + throw WException(HID_STATUS_CODE(status), L"Error, can't normalize path, 'protect' rejected"); + + entry += temp.c_str(); entry += L";"; entry += ConvertInheritTypeToUnicode(m_inheritType); diff --git a/HiddenCLI/cli.txt b/HiddenCLI/cli.txt index 8551259..5481e8a 100644 --- a/HiddenCLI/cli.txt +++ b/HiddenCLI/cli.txt 
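Review bot: CommandIgnore::InstallCommand writes into the string's storage through `const_cast<wchar_t*>(temp.c_str())`, which the standard does not allow; since `temp` is already sized, `&temp[0]` gives a writable pointer with no cast. Whether `temp.size()` is what Hid_NormalizeFilePath expects for normalizedLen (a count of wchar_t rather than bytes) is not stated by the new declaration in HiddenLib.h and should be confirmed against ConvertToNtPath, because a bytes/characters mismatch here is a buffer-size bug, not a cosmetic one. The same lines are duplicated verbatim in CommandProtect::InstallCommand in this commit; a small shared helper, e.g. `static std::wstring NormalizeImagePath(const std::wstring& path, const wchar_t* command)` that throws the WException, would keep the two from drifting. InstallCommand continues past the end of the hunk.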
@@ -79,3 +79,20 @@ commands: /query process <%pid%> Query information about state of the process by PID + +options: + + inherit:none + Disable inheritance of the protected or ignored state + + inherit:once + Child process will inherit the same state but its children no + + inherit:always + Child process will inherit the same state and its children too + + apply:forall + Apply policy for existing processes and for all new processes + + apply:fornew + Don't apply policy for existing processes only for new diff --git a/HiddenLib/HiddenLib.cpp b/HiddenLib/HiddenLib.cpp index a4746fd..94ecc52 100644 --- a/HiddenLib/HiddenLib.cpp +++ b/HiddenLib/HiddenLib.cpp @@ -44,11 +44,8 @@ static RtlDosPathNameToRelativeNtPathName_U_Prototype RtlDosPathNameToRelativeNt static RtlFormatCurrentUserKeyPath_Prototype RtlFormatCurrentUserKeyPath = nullptr; static RtlFreeUnicodeString_Prototype RtlFreeUnicodeString = nullptr; -HidStatus _API Hid_Initialize(PHidContext pcontext, const wchar_t* deviceName) +HidStatus _API Hid_InitializeWithNoConnection() { - HANDLE hdevice = INVALID_HANDLE_VALUE; - PHidContextInternal context; - if (!RtlDosPathNameToRelativeNtPathName_U) { *(FARPROC*)&RtlDosPathNameToRelativeNtPathName_U = GetProcAddress( @@ -79,6 +76,19 @@ HidStatus _API Hid_Initialize(PHidContext pcontext, const wchar_t* deviceName) return HID_SET_STATUS(FALSE, GetLastError()); } + return HID_SET_STATUS(TRUE, 0); +} + +HidStatus _API Hid_Initialize(PHidContext pcontext, const wchar_t* deviceName) +{ + HANDLE hdevice = INVALID_HANDLE_VALUE; + PHidContextInternal context; + HidStatus status; + + status = Hid_InitializeWithNoConnection(); + if (!HID_STATUS_SUCCESSFUL(status)) + return status; + if (!deviceName) deviceName = DEVICE_WIN32_NAME; 
@@ -733,3 +743,19 @@ HidStatus _API Hid_RemoveProtectedState(HidContext context, HidProcId procId) { return SendIoctl_SetPsStatePacket((PHidContextInternal)context, procId, PsProtectedObject, HidActiveState::StateDisabled, HidPsInheritTypes::WithoutInherit); } + +HidStatus _API Hid_NormalizeFilePath(const wchar_t* filePath, wchar_t* normalized, size_t normalizedLen) +{ + if (!ConvertToNtPath(filePath, normalized, normalizedLen)) + return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER); + + return HID_SET_STATUS(TRUE, 0); +} + +HidStatus _API Hid_NormalizeRegistryPath(HidRegRootTypes root, const wchar_t* regPath, wchar_t* normalized, size_t normalizedLen) +{ + if (!NormalizeRegistryPath(root, regPath, normalized, normalizedLen)) + return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER); + + return HID_SET_STATUS(TRUE, 0); +} diff --git a/HiddenLib/HiddenLib.h b/HiddenLib/HiddenLib.h index ff2c8bc..0d97dde 100644 --- a/HiddenLib/HiddenLib.h +++ b/HiddenLib/HiddenLib.h @@ -7,6 +7,8 @@ typedef unsigned long long HidStatus; #define HID_SET_STATUS(state, code) (unsigned long long)((unsigned long long)code << 1 | (state ? 1 : 0)) +#define HID_NORMALIZATION_OVERHEAD 100 + #define _API __cdecl typedef void* HidContext; @@ -39,6 +41,7 @@ enum HidRegRootTypes RegHKU }; +HidStatus _API Hid_InitializeWithNoConnection(); HidStatus _API Hid_Initialize(PHidContext pcontext, const wchar_t* deviceName = 0); void _API Hid_Destroy(HidContext context); 
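Review bot: Hid_NormalizeFilePath and Hid_NormalizeRegistryPath are exported entry points but pass their arguments straight to ConvertToNtPath/NormalizeRegistryPath without checking them; unless those helpers validate (not visible here), a null `filePath`/`normalized` or a zero `normalizedLen` from an external caller reaches the ntdll path conversion. I would guard up front: `if (!filePath || !normalized || normalizedLen == 0) return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);`. Both also map every failure, including an undersized output buffer, to ERROR_INVALID_PARAMETER, so a caller cannot distinguish "bad path" from "retry with a larger buffer"; the bool-returning helpers would need to change for that, which is outside this hunk, but the limitation belongs in a comment on the declarations.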
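Review bot: `#define HID_NORMALIZATION_OVERHEAD 100` is a public constant with no comment saying what it is or what unit it is in; from the HiddenCLI callers it is the number of extra wchar_t added to the input length when sizing the buffer for the Hid_Normalize*Path calls, and nothing guarantees that the NT device name substituted for a drive letter fits in that slack. I would document it: `// Extra wchar_t a caller should add to the input length when sizing the output buffer for Hid_NormalizeFilePath/Hid_NormalizeRegistryPath; a heuristic, not a bound`, and state next to it whether the helpers fail cleanly or truncate when the expansion is larger, which is not visible here. In a C++ header a `constexpr size_t` would also be preferable to a macro.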
@@ -78,3 +81,8 @@ HidStatus _API Hid_RemoveAllProtectedImages(HidContext context); HidStatus _API Hid_GetProtectedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType); HidStatus _API Hid_AttachProtectedState(HidContext context, HidProcId procId, HidPsInheritTypes inheritType); HidStatus _API Hid_RemoveProtectedState(HidContext context, HidProcId procId); + +// Misc + +HidStatus _API Hid_NormalizeFilePath(const wchar_t* filePath, wchar_t* normalized, size_t normalizedLen); +HidStatus _API Hid_NormalizeRegistryPath(HidRegRootTypes root, const wchar_t* regPath, wchar_t* normalized, size_t normalizedLen);
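Review bot: The two new declarations under `// Misc` do not say what `normalizedLen` counts or what `normalized` holds on failure, and as exported API this header is the only place a caller will look. The HiddenCLI callers pass `temp.size()`, i.e. a count of wchar_t, so I would add above them `// normalizedLen: capacity of `normalized` in wchar_t (confirm whether it includes the terminator); on failure the buffer contents are unspecified and the status code is ERROR_INVALID_PARAMETER for every cause, including an undersized buffer`. The unit should be verified against ConvertToNtPath before it is written down.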