Configs installation to registry
This commit is contained in:
parent
432a731aac
commit
1b643e5e84
@ -56,7 +56,7 @@ NTSTATUS InitializeConfigs(PUNICODE_STRING RegistryPath)
|
||||
QueryAndAllocRegistryData(hkey, L"Hid_HideRegKeys", REG_MULTI_SZ, &config.hideRegKeys, NULL);
|
||||
QueryAndAllocRegistryData(hkey, L"Hid_HideRegValues", REG_MULTI_SZ, &config.hideRegValues, NULL);
|
||||
|
||||
QueryAndAllocRegistryData(hkey, L"Hid_IgnoredImages", REG_MULTI_SZ, &config.ignoreImages, NULL);
|
||||
QueryAndAllocRegistryData(hkey, L"Hid_IgnoredImages", REG_MULTI_SZ, &config.ignoreImages, NULL);
|
||||
QueryAndAllocRegistryData(hkey, L"Hid_ProtectedImages", REG_MULTI_SZ, &config.protectImages, NULL);
|
||||
|
||||
ZwClose(hkey);
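Review bot: The registry value names this hunk queries (`L"Hid_HideRegKeys"`, `L"Hid_HideRegValues"`, `L"Hid_IgnoredImages"`, `L"Hid_ProtectedImages"`) are duplicated as bare string literals in the CLI side of this same commit (`L"Hid_HideFsFiles"`, `L"Hid_HideRegKeys"` in Hide.cpp), so a typo on either side silently produces an empty rule set at driver load. Put them in one shared header, e.g. `#define HID_CFG_HIDE_REG_KEYS L"Hid_HideRegKeys"`, and use the macro from both Configs.c and the hiddencli install commands. The old/new pair at the `Hid_IgnoredImages` line renders identically here, so I cannot tell what the hunk actually changed on that line; InitializeConfigs starts before and ends after this hunk.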
|
||||
|
@ -754,16 +754,16 @@ NTSTATUS CleanFileNamesInformation(PFILE_NAMES_INFORMATION info, PFLT_FILE_NAME_
|
||||
|
||||
VOID LoadConfigFilesCallback(PUNICODE_STRING Str, PVOID Params)
|
||||
{
|
||||
ExcludeContext context = (ExcludeContext)Params;
|
||||
ExcludeEntryId id;
|
||||
AddExcludeListFile(context, Str, &id);
|
||||
ULONGLONG id;
|
||||
UNREFERENCED_PARAMETER(Params);
|
||||
AddHiddenFile(Str, &id);
|
||||
}
|
||||
|
||||
VOID LoadConfigDirsCallback(PUNICODE_STRING Str, PVOID Params)
|
||||
{
|
||||
ExcludeContext context = (ExcludeContext)Params;
|
||||
ExcludeEntryId id;
|
||||
AddExcludeListDirectory(context, Str, &id);
|
||||
ULONGLONG id;
|
||||
UNREFERENCED_PARAMETER(Params);
|
||||
AddHiddenDir(Str, &id);
|
||||
}
|
||||
|
||||
NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject)
|
||||
@ -790,7 +790,7 @@ NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject)
|
||||
AddExcludeListFile(g_excludeFileContext, &str, &id);
|
||||
}
|
||||
|
||||
CfgEnumConfigsTable(HideFilesTable, &LoadConfigFilesCallback, g_excludeFileContext);
|
||||
CfgEnumConfigsTable(HideFilesTable, &LoadConfigFilesCallback, NULL);
|
||||
|
||||
status = InitializeExcludeListContext(&g_excludeDirectoryContext, ExcludeDirectory);
|
||||
if (!NT_SUCCESS(status))
|
||||
@ -806,7 +806,7 @@ NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject)
|
||||
AddExcludeListDirectory(g_excludeDirectoryContext, &str, &id);
|
||||
}
|
||||
|
||||
CfgEnumConfigsTable(HideDirsTable, &LoadConfigDirsCallback, g_excludeDirectoryContext);
|
||||
CfgEnumConfigsTable(HideDirsTable, &LoadConfigDirsCallback, NULL);
|
||||
|
||||
// Filesystem mini-filter initialization
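Review bot: The rewritten LoadConfigFilesCallback and LoadConfigDirsCallback discard whatever `AddHiddenFile`/`AddHiddenDir` return, so if those report an NTSTATUS (the hunk does not show their signature) a registry entry that fails to register — an allocation failure, a rejected path — is dropped silently and the driver runs with a weaker hide list than the configured one. Capture it and at least log it, e.g. `NTSTATUS status = AddHiddenFile(Str, &id); if (!NT_SUCCESS(status)) DbgPrint("hidden: can't add config file entry, status %08x\n", status);`. The returned `id` is likewise thrown away, which is fine for config-loaded entries but deserves a one-line comment saying these entries are never removed individually. InitializeFSMiniFilter starts before the second hunk and continues past the last one.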
|
||||
|
||||
|
@ -408,15 +408,28 @@ NTSTATUS ParsePsConfigEntry(PUNICODE_STRING Entry, PUNICODE_STRING Path, PULONG
|
||||
return STATUS_NOT_FOUND;
|
||||
}
|
||||
|
||||
VOID LoadConfigRulesCallback(PUNICODE_STRING Str, PVOID Params)
|
||||
VOID LoadProtectedRulesCallback(PUNICODE_STRING Str, PVOID Params)
|
||||
{
|
||||
PsRulesContext context = (PsRulesContext)Params;
|
||||
UNICODE_STRING path;
|
||||
ULONG inherit;
|
||||
PsRuleEntryId ruleId;
|
||||
|
||||
UNREFERENCED_PARAMETER(Params);
|
||||
|
||||
if (NT_SUCCESS(ParsePsConfigEntry(Str, &path, &inherit)))
|
||||
AddRuleToPsRuleList(context, &path, inherit, &ruleId);
|
||||
AddProtectedImage(&path, inherit, FALSE, &ruleId);
|
||||
}
|
||||
|
||||
VOID LoadIgnoredRulesCallback(PUNICODE_STRING Str, PVOID Params)
|
||||
{
|
||||
UNICODE_STRING path;
|
||||
ULONG inherit;
|
||||
PsRuleEntryId ruleId;
|
||||
|
||||
UNREFERENCED_PARAMETER(Params);
|
||||
|
||||
if (NT_SUCCESS(ParsePsConfigEntry(Str, &path, &inherit)))
|
||||
AddExcludedImage(&path, inherit, FALSE, &ruleId);
|
||||
}
|
||||
|
||||
NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
||||
@ -485,7 +498,7 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
||||
}
|
||||
|
||||
// Load entries from the config
|
||||
CfgEnumConfigsTable(IgnoreImagesTable, &LoadConfigRulesCallback, g_excludeProcessRules);
|
||||
CfgEnumConfigsTable(IgnoreImagesTable, &LoadIgnoredRulesCallback, NULL);
|
||||
|
||||
// protected
|
||||
|
||||
@ -514,7 +527,7 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
||||
}
|
||||
|
||||
// Load entries from the config
|
||||
CfgEnumConfigsTable(ProtectImagesTable, &LoadConfigRulesCallback, g_protectProcessRules);
|
||||
CfgEnumConfigsTable(ProtectImagesTable, &LoadProtectedRulesCallback, NULL);
|
||||
|
||||
// Process table
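Review bot: Both new callbacks swallow a `ParsePsConfigEntry` failure in the `if (NT_SUCCESS(...))` guard, so a malformed `path;inherit` entry written by hiddencli produces no diagnostic and the rule simply does not exist; add an else branch such as `else DbgPrint("hidden: invalid ps config entry, skipped\n");`, and likewise check what `AddProtectedImage`/`AddExcludedImage` return instead of ignoring it. The literal `FALSE` passed as the third argument is unexplained — it is presumably the "apply to already-running processes" switch that the new `apply:forall`/`apply:fornew` CLI options describe, but that is inference; a comment like `// FALSE: config rules apply to new processes only — confirm` would save the next reader the guess. `PsRuleEntryId ruleId` is discarded in both callbacks; if config-loaded rules are never removed individually, say so in a comment.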
|
||||
|
||||
|
@ -6,6 +6,7 @@
|
||||
#include "ExcludeList.h"
|
||||
#include "PsMonitor.h"
|
||||
#include "Configs.h"
|
||||
#include "Driver.h"
|
||||
|
||||
#define FILTER_ALLOC_TAG 'FRlF'
|
||||
|
||||
@ -514,6 +515,9 @@ NTSTATUS RegistryFilterCallback(PVOID CallbackContext, PVOID Argument1, PVOID Ar
|
||||
REG_NOTIFY_CLASS notifyClass = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;
|
||||
NTSTATUS status;
|
||||
|
||||
if (!IsDriverEnabled())
|
||||
return STATUS_SUCCESS;
|
||||
|
||||
switch (notifyClass)
|
||||
{
|
||||
case RegNtPreCreateKey:
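Review bot: The new early return `if (!IsDriverEnabled()) return STATUS_SUCCESS;` changes the callback's behaviour for every registry operation on the box and deserves a comment stating the intent, e.g. `// Driver globally disabled: let every registry operation through unfiltered`. Returning success here also means hidden keys and values become visible the moment the driver is toggled off, which is presumably intended but worth stating next to the check so nobody later "fixes" it to a failure status. RegistryFilterCallback continues past this hunk, so I cannot see whether `status` is still initialised on every remaining path.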
|
||||
|
@ -67,8 +67,7 @@
|
||||
- Отреверсить установщик VMBox tools
|
||||
- Реализовать steals mode
|
||||
+ Реализовать поддержку загрузки дефольтных конфигов из реестра
|
||||
- Реализовать установку конфигов в реестр через hiddencli
|
||||
- Добавить нормализацию пути т.к. ядро это не делает
|
||||
+ Реализовать установку конфигов в реестр через hiddencli
|
||||
- Привести в порядок вывод статуса в hiddencli
|
||||
- Насодить на ETL и DbgPrintEx
|
||||
|
||||
|
@ -53,3 +53,15 @@ HidContext Connection::GetContext()
|
||||
return m_context;
|
||||
}
|
||||
|
||||
LibInitializator::LibInitializator()
|
||||
{
|
||||
HidStatus status = Hid_InitializeWithNoConnection();
|
||||
if (!HID_STATUS_SUCCESSFUL(status))
|
||||
throw WException(HID_STATUS_CODE(status), L"Error, init hidden lib");
|
||||
}
|
||||
|
||||
LibInitializator::~LibInitializator()
|
||||
{
|
||||
// We don't need release lib resources because in case of the
|
||||
// Hid_InitializeWithNoConnection() there aren't any dynamic data
|
||||
}
|
||||
|
@ -20,3 +20,10 @@ public:
|
||||
|
||||
HidContext GetContext();
|
||||
};
|
||||
|
||||
class LibInitializator
|
||||
{
|
||||
public:
|
||||
LibInitializator();
|
||||
~LibInitializator();
|
||||
};
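Review bot: LibInitializator models a once-per-process library initialisation but is left copyable, so a copy would re-run the constructor side effect or, read together with the .cpp comment that the destructor releases nothing, silently mean nothing at all; make the intent explicit with `LibInitializator(const LibInitializator&) = delete;` and `LibInitializator& operator=(const LibInitializator&) = delete;`. A one-line comment on the class, e.g. `// RAII guard: resolves the hidden lib's ntdll imports without opening the device`, would also tell callers why it is needed in install/uninstall mode but not in execute mode.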
|
||||
|
@ -105,7 +105,24 @@ bool PrintUsage(Arguments& args)
|
||||
L" Turn off protection for specific process by PID\n"
|
||||
L"\n"
|
||||
L" /query process <%pid%>\n"
|
||||
L" Query information about state of the process by PID\n";
|
||||
L" Query information about state of the process by PID\n"
|
||||
L"\n"
|
||||
L"options:\n"
|
||||
L"\n"
|
||||
L" inherit:none\n"
|
||||
L" Disable inheritance of the protected or ignored state\n"
|
||||
L"\n"
|
||||
L" inherit:once\n"
|
||||
L" Child process will inherit the same state but its children no\n"
|
||||
L"\n"
|
||||
L" inherit:always\n"
|
||||
L" Child process will inherit the same state and its children too\n"
|
||||
L"\n"
|
||||
L" apply:forall\n"
|
||||
L" Apply policy for existing processes and for all new processes\n"
|
||||
L"\n"
|
||||
L" apply:fornew\n"
|
||||
L" Don't apply policy for existing processes only for new\n";
|
||||
|
||||
wcout << message << endl;
|
||||
return true;
|
||||
@ -140,8 +157,6 @@ int wmain(int argc, wchar_t* argv[])
|
||||
try
|
||||
{
|
||||
Arguments arguments(argc , argv);
|
||||
Connection connection(arguments);
|
||||
wstring mode;
|
||||
|
||||
if (!arguments.ArgsCount())
|
||||
throw WException(
|
||||
@ -152,28 +167,37 @@ int wmain(int argc, wchar_t* argv[])
|
||||
if (PrintUsage(arguments))
|
||||
return 0;
|
||||
|
||||
{
|
||||
CommandMode mode(arguments);
|
||||
CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode);
|
||||
|
||||
if (mode.GetModeType() == CommandModeType::Execute)
|
||||
CommandMode mode(arguments);
|
||||
|
||||
if (mode.GetModeType() == CommandModeType::Execute)
|
||||
{
|
||||
Connection connection(arguments);
|
||||
{
|
||||
CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode);
|
||||
connection.Open();
|
||||
commands->Perform(connection);
|
||||
}
|
||||
else if (mode.GetModeType() == CommandModeType::Install)
|
||||
}
|
||||
else if (mode.GetModeType() == CommandModeType::Install)
|
||||
{
|
||||
LibInitializator lib;
|
||||
{
|
||||
CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode);
|
||||
RegistryKey key(mode.GetConfigRegistryKeyPath());
|
||||
commands->Install(key);
|
||||
}
|
||||
else if (mode.GetModeType() == CommandModeType::Uninstall)
|
||||
}
|
||||
else if (mode.GetModeType() == CommandModeType::Uninstall)
|
||||
{
|
||||
LibInitializator lib;
|
||||
{
|
||||
CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode);
|
||||
RegistryKey key(mode.GetConfigRegistryKeyPath());
|
||||
commands->Uninstall(key);
|
||||
}
|
||||
|
||||
wcout << L"status:ok" << endl;
|
||||
}
|
||||
wcout << L"status:ok" << endl;
|
||||
}
|
||||
catch (WException& exception)
|
||||
{
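Review bot: The Install and Uninstall branches of wmain are identical except for the final `commands->Install(key)` / `commands->Uninstall(key)` call — both construct a LibInitializator, load the command template and open the config RegistryKey — so they should be one branch with the mode decided at the end. The rendering of this hunk interleaves old and new lines, so I am reading the new structure as: Execute opens the Connection, Install/Uninstall use LibInitializator plus RegistryKey. wmain itself starts before the first hunk and ends after the last.
```cpp
else if (mode.GetModeType() == CommandModeType::Install
      || mode.GetModeType() == CommandModeType::Uninstall)
{
    LibInitializator lib;
    CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode);
    RegistryKey key(mode.GetConfigRegistryKeyPath());
    if (mode.GetModeType() == CommandModeType::Install)
        commands->Install(key);
    else
        commands->Uninstall(key);
}
// … unchanged: status:ok output and catch handlers …
```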
|
||||
|
@ -1,5 +1,6 @@
|
||||
#include "Hide.h"
|
||||
#include <iostream>
|
||||
#include <algorithm>
|
||||
|
||||
using namespace std;
|
||||
|
||||
@ -18,6 +19,17 @@ bool CommandHide::CompareCommand(std::wstring& command)
|
||||
return (command == m_command);
|
||||
}
|
||||
|
||||
HidRegRootTypes CommandHide::GetTypeAndNormalizeRegPath(std::wstring& regPath)
|
||||
{
|
||||
HidRegRootTypes type = GetRegType(regPath);
|
||||
size_t pos = regPath.find(L"\\");
|
||||
if (pos == wstring::npos)
|
||||
throw WException(-2, L"Error, invalid registry path");
|
||||
|
||||
regPath = std::move(wstring(regPath.c_str() + pos + 1));
|
||||
return type;
|
||||
}
|
||||
|
||||
void CommandHide::LoadArgs(Arguments& args, CommandModeType mode)
|
||||
{
|
||||
wstring object;
|
||||
@ -39,12 +51,12 @@ void CommandHide::LoadArgs(Arguments& args, CommandModeType mode)
|
||||
else if (object == L"regkey")
|
||||
{
|
||||
m_hideType = EObjTypes::TypeRegKey;
|
||||
m_regRootType = GetRegType(m_path);
|
||||
m_regRootType = GetTypeAndNormalizeRegPath(m_path);
|
||||
}
|
||||
else if (object == L"regval")
|
||||
{
|
||||
m_hideType = EObjTypes::TypeRegVal;
|
||||
m_regRootType = GetRegType(m_path);
|
||||
m_regRootType = GetTypeAndNormalizeRegPath(m_path);
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -86,25 +98,28 @@ void CommandHide::InstallCommand(RegistryKey& configKey)
|
||||
{
|
||||
vector<wstring> commands;
|
||||
const wchar_t* valueName;
|
||||
HidStatus status;
|
||||
wstring entry;
|
||||
|
||||
entry.insert(0, m_path.size() + HID_NORMALIZATION_OVERHEAD, L'\0');
|
||||
|
||||
switch (m_hideType)
|
||||
{
|
||||
case EObjTypes::TypeFile:
|
||||
valueName = L"Hid_HideFsFiles";
|
||||
entry = m_path;
|
||||
status = Hid_NormalizeFilePath(m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size());
|
||||
break;
|
||||
case EObjTypes::TypeDir:
|
||||
valueName = L"Hid_HideFsDirs";
|
||||
entry = m_path;
|
||||
status = Hid_NormalizeFilePath(m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size());
|
||||
break;
|
||||
case EObjTypes::TypeRegKey:
|
||||
valueName = L"Hid_HideRegKeys";
|
||||
entry = m_path;
|
||||
status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size());
|
||||
break;
|
||||
case EObjTypes::TypeRegVal:
|
||||
valueName = L"Hid_HideRegValues";
|
||||
entry = m_path;
|
||||
status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size());
|
||||
break;
|
||||
default:
|
||||
throw WException(-2, L"Internal error, invalid type for command 'hide'");
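Review bot: After `entry.insert(0, m_path.size() + HID_NORMALIZATION_OVERHEAD, L'\0');` the string keeps that padded length, and the normalizers write through `const_cast<wchar_t*>(entry.c_str())` without shrinking it, so unless the part of InstallCommand after this hunk trims it, the value stored under `Hid_HideFsFiles`/`Hid_HideRegKeys` carries a tail of embedded NULs — which, in a REG_MULTI_SZ, ends the entry and can make the driver see truncated or empty strings. Add `entry.resize(wcslen(entry.c_str()));` right after the switch (and check `status` there), or copy into a temporary and append with `.c_str()` as Ignore.cpp and Protect.cpp in this same commit do; writing through `c_str()` is also formally undefined before C++17, so prefer `&entry[0]`. In GetTypeAndNormalizeRegPath, `regPath = std::move(wstring(regPath.c_str() + pos + 1));` is a redundant move of a temporary — `regPath.erase(0, pos + 1);` does the same — and a path ending in a backslash (`HKLM\`) yields an empty key path that is not rejected. InstallCommand continues past this hunk.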
|
||||
|
@ -9,6 +9,8 @@ class CommandHide : public ICommand
|
||||
EObjTypes m_hideType;
|
||||
HidRegRootTypes m_regRootType;
|
||||
std::wstring m_path;
|
||||
|
||||
HidRegRootTypes GetTypeAndNormalizeRegPath(std::wstring& regPath);
|
||||
|
||||
public:
|
||||
|
||||
|
@ -92,9 +92,16 @@ void CommandIgnore::PerformCommand(Connection& connection)
|
||||
void CommandIgnore::InstallCommand(RegistryKey& configKey)
|
||||
{
|
||||
vector<wstring> commands;
|
||||
wstring entry;
|
||||
wstring temp, entry;
|
||||
HidStatus status;
|
||||
|
||||
entry = m_targetImage;
|
||||
temp.insert(0, m_targetImage.size() + HID_NORMALIZATION_OVERHEAD, L'\0');
|
||||
|
||||
status = Hid_NormalizeFilePath(m_targetImage.c_str(), const_cast<wchar_t*>(temp.c_str()), temp.size());
|
||||
if (!HID_STATUS_SUCCESSFUL(status))
|
||||
throw WException(HID_STATUS_CODE(status), L"Error, can't normalize path, 'ignore' rejected");
|
||||
|
||||
entry += temp.c_str();
|
||||
entry += L";";
|
||||
entry += ConvertInheritTypeToUnicode(m_inheritType);
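Review bot: The buffer handed to `Hid_NormalizeFilePath` is sized by the fixed `HID_NORMALIZATION_OVERHEAD` (100 wide chars) on top of the input length, which is not a bound on the output: a relative image path such as `app.exe` normalises to the full NT path of the current directory plus the name, which can exceed the input length by far more than 100 characters on a deep directory, and the only signal the caller gets is a generic failure. Either size the buffer from the result (retry with a larger buffer when the lib reports it is too small) or at least document the limit next to the call. This preamble is also duplicated verbatim in CommandProtect::InstallCommand and, in a third variant, in CommandHide::InstallCommand; one helper in a shared CLI source file would remove the copies and the `const_cast` through `c_str()`. InstallCommand continues past this hunk.
```cpp
// Normalize a DOS path into an NT path for the driver config; throws on failure.
static wstring NormalizeFilePathOrThrow(const wstring& path, const wchar_t* rejectMsg)
{
    wstring buffer(path.size() + HID_NORMALIZATION_OVERHEAD, L'\0');
    HidStatus status = Hid_NormalizeFilePath(path.c_str(), &buffer[0], buffer.size());
    if (!HID_STATUS_SUCCESSFUL(status))
        throw WException(HID_STATUS_CODE(status), rejectMsg);
    buffer.resize(wcslen(buffer.c_str()));   // drop the unused padding
    return buffer;
}

void CommandIgnore::InstallCommand(RegistryKey& configKey)
{
    vector<wstring> commands;
    wstring entry = NormalizeFilePathOrThrow(m_targetImage, L"Error, can't normalize path, 'ignore' rejected");
    entry += L";";
    entry += ConvertInheritTypeToUnicode(m_inheritType);
    // … unchanged: collect into commands and write configKey …
}
```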
|
||||
|
||||
|
@ -92,9 +92,16 @@ void CommandProtect::PerformCommand(Connection& connection)
|
||||
void CommandProtect::InstallCommand(RegistryKey& configKey)
|
||||
{
|
||||
vector<wstring> commands;
|
||||
wstring entry;
|
||||
wstring temp, entry;
|
||||
HidStatus status;
|
||||
|
||||
entry = m_targetImage;
|
||||
temp.insert(0, m_targetImage.size() + HID_NORMALIZATION_OVERHEAD, L'\0');
|
||||
|
||||
status = Hid_NormalizeFilePath(m_targetImage.c_str(), const_cast<wchar_t*>(temp.c_str()), temp.size());
|
||||
if (!HID_STATUS_SUCCESSFUL(status))
|
||||
throw WException(HID_STATUS_CODE(status), L"Error, can't normalize path, 'protect' rejected");
|
||||
|
||||
entry += temp.c_str();
|
||||
entry += L";";
|
||||
entry += ConvertInheritTypeToUnicode(m_inheritType);
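Review bot: The entry written here is `<normalized path>;<inherit>`, and nothing rejects a path that itself contains `;` — a legal character in NT file names — so if the driver's ParsePsConfigEntry splits on the first or last `;` (its body is outside this commit), an image named like `C:\tools\a;b.exe` is either mis-parsed or becomes a rule for a different path than the operator typed. Reject such paths at install time, e.g. `if (temp.find(L';') != wstring::npos) throw WException(-2, L"Error, ';' is not allowed in a protected image path");`, or pick a separator that cannot appear in an NT path. Writing the normalized result through `const_cast<wchar_t*>(temp.c_str())` is formally undefined before C++17; `&temp[0]` gives a writable pointer without the cast. InstallCommand continues past this hunk.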
|
||||
|
||||
|
@ -79,3 +79,20 @@ commands:
|
||||
|
||||
/query process <%pid%>
|
||||
Query information about state of the process by PID
|
||||
|
||||
options:
|
||||
|
||||
inherit:none
|
||||
Disable inheritance of the protected or ignored state
|
||||
|
||||
inherit:once
|
||||
Child process will inherit the same state but its children no
|
||||
|
||||
inherit:always
|
||||
Child process will inherit the same state and its children too
|
||||
|
||||
apply:forall
|
||||
Apply policy for existing processes and for all new processes
|
||||
|
||||
apply:fornew
|
||||
Don't apply policy for existing processes only for new
|
||||
|
@ -44,11 +44,8 @@ static RtlDosPathNameToRelativeNtPathName_U_Prototype RtlDosPathNameToRelativeNt
|
||||
static RtlFormatCurrentUserKeyPath_Prototype RtlFormatCurrentUserKeyPath = nullptr;
|
||||
static RtlFreeUnicodeString_Prototype RtlFreeUnicodeString = nullptr;
|
||||
|
||||
HidStatus _API Hid_Initialize(PHidContext pcontext, const wchar_t* deviceName)
|
||||
HidStatus _API Hid_InitializeWithNoConnection()
|
||||
{
|
||||
HANDLE hdevice = INVALID_HANDLE_VALUE;
|
||||
PHidContextInternal context;
|
||||
|
||||
if (!RtlDosPathNameToRelativeNtPathName_U)
|
||||
{
|
||||
*(FARPROC*)&RtlDosPathNameToRelativeNtPathName_U = GetProcAddress(
|
||||
@ -79,6 +76,19 @@ HidStatus _API Hid_Initialize(PHidContext pcontext, const wchar_t* deviceName)
|
||||
return HID_SET_STATUS(FALSE, GetLastError());
|
||||
}
|
||||
|
||||
return HID_SET_STATUS(TRUE, 0);
|
||||
}
|
||||
|
||||
HidStatus _API Hid_Initialize(PHidContext pcontext, const wchar_t* deviceName)
|
||||
{
|
||||
HANDLE hdevice = INVALID_HANDLE_VALUE;
|
||||
PHidContextInternal context;
|
||||
HidStatus status;
|
||||
|
||||
status = Hid_InitializeWithNoConnection();
|
||||
if (!HID_STATUS_SUCCESSFUL(status))
|
||||
return status;
|
||||
|
||||
if (!deviceName)
|
||||
deviceName = DEVICE_WIN32_NAME;
|
||||
|
||||
@ -733,3 +743,19 @@ HidStatus _API Hid_RemoveProtectedState(HidContext context, HidProcId procId)
|
||||
{
|
||||
return SendIoctl_SetPsStatePacket((PHidContextInternal)context, procId, PsProtectedObject, HidActiveState::StateDisabled, HidPsInheritTypes::WithoutInherit);
|
||||
}
|
||||
|
||||
HidStatus _API Hid_NormalizeFilePath(const wchar_t* filePath, wchar_t* normalized, size_t normalizedLen)
|
||||
{
|
||||
if (!ConvertToNtPath(filePath, normalized, normalizedLen))
|
||||
return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
|
||||
|
||||
return HID_SET_STATUS(TRUE, 0);
|
||||
}
|
||||
|
||||
HidStatus _API Hid_NormalizeRegistryPath(HidRegRootTypes root, const wchar_t* regPath, wchar_t* normalized, size_t normalizedLen)
|
||||
{
|
||||
if (!NormalizeRegistryPath(root, regPath, normalized, normalizedLen))
|
||||
return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
|
||||
|
||||
return HID_SET_STATUS(TRUE, 0);
|
||||
}
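Review bot: Both new exports collapse every failure of `ConvertToNtPath`/`NormalizeRegistryPath` into `ERROR_INVALID_PARAMETER`, so a caller cannot distinguish "your buffer is too small" from "this path is malformed" and has no way to retry with a bigger buffer — which matters because the CLI sizes its buffer with a fixed overhead. If the underlying helpers can report the size case, surface it as `ERROR_INSUFFICIENT_BUFFER`; either way the header comment should state that `normalizedLen` is a count of `wchar_t` including the terminator and that `filePath`/`normalized` must be non-null (neither function checks). In Hid_InitializeWithNoConnection, if `hdevice` and `context` at the top of the function are on the new side they are now unused there and should move down into Hid_Initialize, where they are actually needed.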
|
||||
|
@ -7,6 +7,8 @@ typedef unsigned long long HidStatus;
|
||||
|
||||
#define HID_SET_STATUS(state, code) (unsigned long long)((unsigned long long)code << 1 | (state ? 1 : 0))
|
||||
|
||||
#define HID_NORMALIZATION_OVERHEAD 100
|
||||
|
||||
#define _API __cdecl
|
||||
|
||||
typedef void* HidContext;
|
||||
@ -39,6 +41,7 @@ enum HidRegRootTypes
|
||||
RegHKU
|
||||
};
|
||||
|
||||
HidStatus _API Hid_InitializeWithNoConnection();
|
||||
HidStatus _API Hid_Initialize(PHidContext pcontext, const wchar_t* deviceName = 0);
|
||||
void _API Hid_Destroy(HidContext context);
|
||||
|
||||
@ -78,3 +81,8 @@ HidStatus _API Hid_RemoveAllProtectedImages(HidContext context);
|
||||
HidStatus _API Hid_GetProtectedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType);
|
||||
HidStatus _API Hid_AttachProtectedState(HidContext context, HidProcId procId, HidPsInheritTypes inheritType);
|
||||
HidStatus _API Hid_RemoveProtectedState(HidContext context, HidProcId procId);
|
||||
|
||||
// Misc
|
||||
|
||||
HidStatus _API Hid_NormalizeFilePath(const wchar_t* filePath, wchar_t* normalized, size_t normalizedLen);
|
||||
HidStatus _API Hid_NormalizeRegistryPath(HidRegRootTypes root, const wchar_t* regPath, wchar_t* normalized, size_t normalizedLen);
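Review bot: `HID_NORMALIZATION_OVERHEAD 100` is an undocumented magic number that callers are expected to add to an input length when sizing the buffer for the two new `Hid_Normalize*Path` functions, yet nothing in this header says so, what unit it is in, or that it is only a heuristic rather than a guaranteed bound. Add a comment above it such as `// Extra wchar_t slots a caller should reserve beyond the input length when sizing the output buffer for Hid_NormalizeFilePath/Hid_NormalizeRegistryPath; covers the namespace prefix the normalizer prepends but not the expansion of a relative path — TODO confirm worst case`, and give the two declarations a line each stating that `normalizedLen` counts wide characters including the terminator.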
|
||||
|