Mirrors/hidden
6
0
Fork 0
mirror of https://github.com/JKornev/hidden synced 2024-06-25 00:18:04 +00:00
Code Issues Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
JKornev 2016-07-22 02:02:31 +03:00
parent 1c857ec226
commit 228b3fb1fc
34 changed files with 4889 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

339
Hidden Package/Hidden Package.vcxproj Normal file
View File

@ -0,0 +1,339 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Win8.1 Debug|Win32">
<Configuration>Win8.1 Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win8.1 Release|Win32">
<Configuration>Win8.1 Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win8 Debug|Win32">
<Configuration>Win8 Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win8 Release|Win32">
<Configuration>Win8 Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win7 Debug|Win32">
<Configuration>Win7 Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win7 Release|Win32">
<Configuration>Win7 Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win8.1 Debug|x64">
<Configuration>Win8.1 Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win8.1 Release|x64">
<Configuration>Win8.1 Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win8 Debug|x64">
<Configuration>Win8 Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win8 Release|x64">
<Configuration>Win8 Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win7 Debug|x64">
<Configuration>Win7 Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win7 Release|x64">
<Configuration>Win7 Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}</ProjectGuid>
<TemplateGuid>{4605da2c-74a5-4865-98e1-152ef136825f}</TemplateGuid>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<MinimumVisualStudioVersion>11.0</MinimumVisualStudioVersion>
<Configuration>Win8.1 Debug</Configuration>
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
<RootNamespace>Hidden_Package</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|Win32'" Label="Configuration">
<TargetVersion>WindowsV6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Utility</ConfigurationType>
<DriverType>Package</DriverType>
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|Win32'" Label="Configuration">
<TargetVersion>WindowsV6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Utility</ConfigurationType>
<DriverType>Package</DriverType>
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|Win32'" Label="Configuration">
<TargetVersion>Windows8</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Utility</ConfigurationType>
<DriverType>Package</DriverType>
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|Win32'" Label="Configuration">
<TargetVersion>Windows8</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Utility</ConfigurationType>
<DriverType>Package</DriverType>
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|Win32'" Label="Configuration">
<TargetVersion>Windows7</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Utility</ConfigurationType>
<DriverType>Package</DriverType>
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|Win32'" Label="Configuration">
<TargetVersion>Windows7</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Utility</ConfigurationType>
<DriverType>Package</DriverType>
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|x64'" Label="Configuration">
<TargetVersion>WindowsV6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Utility</ConfigurationType>
<DriverType>Package</DriverType>
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|x64'" Label="Configuration">
<TargetVersion>WindowsV6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Utility</ConfigurationType>
<DriverType>Package</DriverType>
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|x64'" Label="Configuration">
<TargetVersion>Windows8</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Utility</ConfigurationType>
<DriverType>Package</DriverType>
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|x64'" Label="Configuration">
<TargetVersion>Windows8</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Utility</ConfigurationType>
<DriverType>Package</DriverType>
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|x64'" Label="Configuration">
<TargetVersion>Windows7</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Utility</ConfigurationType>
<DriverType>Package</DriverType>
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|x64'" Label="Configuration">
<TargetVersion>Windows7</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Utility</ConfigurationType>
<DriverType>Package</DriverType>
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<EnableDeployment>False</EnableDeployment>
<RemoveDriver>True</RemoveDriver>
<HardwareIdString />
<CommandLine />
<DeployFiles />
<EnableVerifier>False</EnableVerifier>
<AllDrivers>False</AllDrivers>
<VerifyProjectOutput>True</VerifyProjectOutput>
<VerifyDrivers />
<VerifyFlags>133563</VerifyFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<EnableDeployment>False</EnableDeployment>
<RemoveDriver>True</RemoveDriver>
<HardwareIdString />
<CommandLine />
<DeployFiles />
<EnableVerifier>False</EnableVerifier>
<AllDrivers>False</AllDrivers>
<VerifyProjectOutput>True</VerifyProjectOutput>
<VerifyDrivers />
<VerifyFlags>133563</VerifyFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<EnableDeployment>False</EnableDeployment>
<RemoveDriver>True</RemoveDriver>
<HardwareIdString />
<CommandLine />
<DeployFiles />
<EnableVerifier>False</EnableVerifier>
<AllDrivers>False</AllDrivers>
<VerifyProjectOutput>True</VerifyProjectOutput>
<VerifyDrivers />
<VerifyFlags>133563</VerifyFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<EnableDeployment>False</EnableDeployment>
<RemoveDriver>True</RemoveDriver>
<HardwareIdString />
<CommandLine />
<DeployFiles />
<EnableVerifier>False</EnableVerifier>
<AllDrivers>False</AllDrivers>
<VerifyProjectOutput>True</VerifyProjectOutput>
<VerifyDrivers />
<VerifyFlags>133563</VerifyFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<EnableDeployment>False</EnableDeployment>
<RemoveDriver>True</RemoveDriver>
<HardwareIdString />
<CommandLine />
<DeployFiles />
<EnableVerifier>False</EnableVerifier>
<AllDrivers>False</AllDrivers>
<VerifyProjectOutput>True</VerifyProjectOutput>
<VerifyDrivers />
<VerifyFlags>133563</VerifyFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<EnableDeployment>False</EnableDeployment>
<RemoveDriver>True</RemoveDriver>
<HardwareIdString />
<CommandLine />
<DeployFiles />
<EnableVerifier>False</EnableVerifier>
<AllDrivers>False</AllDrivers>
<VerifyProjectOutput>True</VerifyProjectOutput>
<VerifyDrivers />
<VerifyFlags>133563</VerifyFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<EnableDeployment>False</EnableDeployment>
<RemoveDriver>True</RemoveDriver>
<HardwareIdString />
<CommandLine />
<DeployFiles />
<EnableVerifier>False</EnableVerifier>
<AllDrivers>False</AllDrivers>
<VerifyProjectOutput>True</VerifyProjectOutput>
<VerifyDrivers />
<VerifyFlags>133563</VerifyFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<EnableDeployment>False</EnableDeployment>
<RemoveDriver>True</RemoveDriver>
<HardwareIdString />
<CommandLine />
<DeployFiles />
<EnableVerifier>False</EnableVerifier>
<AllDrivers>False</AllDrivers>
<VerifyProjectOutput>True</VerifyProjectOutput>
<VerifyDrivers />
<VerifyFlags>133563</VerifyFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<EnableDeployment>False</EnableDeployment>
<RemoveDriver>True</RemoveDriver>
<HardwareIdString />
<CommandLine />
<DeployFiles />
<EnableVerifier>False</EnableVerifier>
<AllDrivers>False</AllDrivers>
<VerifyProjectOutput>True</VerifyProjectOutput>
<VerifyDrivers />
<VerifyFlags>133563</VerifyFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<EnableDeployment>False</EnableDeployment>
<RemoveDriver>True</RemoveDriver>
<HardwareIdString />
<CommandLine />
<DeployFiles />
<EnableVerifier>False</EnableVerifier>
<AllDrivers>False</AllDrivers>
<VerifyProjectOutput>True</VerifyProjectOutput>
<VerifyDrivers />
<VerifyFlags>133563</VerifyFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<EnableDeployment>False</EnableDeployment>
<RemoveDriver>True</RemoveDriver>
<HardwareIdString />
<CommandLine />
<DeployFiles />
<EnableVerifier>False</EnableVerifier>
<AllDrivers>False</AllDrivers>
<VerifyProjectOutput>True</VerifyProjectOutput>
<VerifyDrivers />
<VerifyFlags>133563</VerifyFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<EnableDeployment>False</EnableDeployment>
<RemoveDriver>True</RemoveDriver>
<HardwareIdString />
<CommandLine />
<DeployFiles />
<EnableVerifier>False</EnableVerifier>
<AllDrivers>False</AllDrivers>
<VerifyProjectOutput>True</VerifyProjectOutput>
<VerifyDrivers />
<VerifyFlags>133563</VerifyFlags>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|Win32'">
<Inf2Cat>
<UseLocalTime>true</UseLocalTime>
</Inf2Cat>
</ItemDefinitionGroup>
<ItemGroup>
<FilesToPackage Include="@(Inf->'%(CopyOutput)')" Condition="'@(Inf)'!=''" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\Hidden\Hidden.vcxproj">
<Project>{3e4bbcd0-dc35-4825-9a8d-8686cdfaa6a8}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

9
Hidden Package/Hidden Package.vcxproj.filters Normal file
View File

@ -0,0 +1,9 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Driver Files">
<UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
<Extensions>inf;inv;inx;mof;mc;</Extensions>
</Filter>
</ItemGroup>
</Project>

200
Hidden.sln Normal file
View File

@ -0,0 +1,200 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Hidden", "Hidden\Hidden.vcxproj", "{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Hidden Package", "Hidden Package\Hidden Package.vcxproj", "{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}"
ProjectSection(ProjectDependencies) = postProject
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8} = {3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HiddenLib", "HiddenLib\HiddenLib.vcxproj", "{EFECF76B-C3A8-4444-9314-70F72A0A48D8}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HiddenCLI", "HiddenCLI\HiddenCLI.vcxproj", "{E6A7AAAD-4877-4F05-A5A1-F42707895996}"
ProjectSection(ProjectDependencies) = postProject
{EFECF76B-C3A8-4444-9314-70F72A0A48D8} = {EFECF76B-C3A8-4444-9314-70F72A0A48D8}
EndProjectSection
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
Release|Win32 = Release|Win32
Release|x64 = Release|x64
Win7 Debug|Win32 = Win7 Debug|Win32
Win7 Debug|x64 = Win7 Debug|x64
Win7 Release|Win32 = Win7 Release|Win32
Win7 Release|x64 = Win7 Release|x64
Win8 Debug|Win32 = Win8 Debug|Win32
Win8 Debug|x64 = Win8 Debug|x64
Win8 Release|Win32 = Win8 Release|Win32
Win8 Release|x64 = Win8 Release|x64
Win8.1 Debug|Win32 = Win8.1 Debug|Win32
Win8.1 Debug|x64 = Win8.1 Debug|x64
Win8.1 Release|Win32 = Win8.1 Release|Win32
Win8.1 Release|x64 = Win8.1 Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|Win32.ActiveCfg = Win8.1 Debug|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|Win32.Build.0 = Win8.1 Debug|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|Win32.Deploy.0 = Win8.1 Debug|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|x64.ActiveCfg = Win8.1 Debug|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|x64.Build.0 = Win8.1 Debug|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|Win32.ActiveCfg = Win8.1 Release|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|Win32.Build.0 = Win8.1 Release|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|Win32.Deploy.0 = Win8.1 Release|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|x64.ActiveCfg = Win8.1 Release|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|x64.Build.0 = Win8.1 Release|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Debug|Win32.ActiveCfg = Win7 Debug|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Debug|Win32.Deploy.0 = Win7 Debug|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Debug|x64.Build.0 = Win7 Debug|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Release|Win32.Build.0 = Win7 Release|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Release|Win32.Deploy.0 = Win7 Release|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Release|x64.ActiveCfg = Win7 Release|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Release|x64.Build.0 = Win7 Release|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Release|x64.Deploy.0 = Win7 Release|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Debug|Win32.ActiveCfg = Win8 Debug|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Debug|Win32.Build.0 = Win8 Debug|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Debug|Win32.Deploy.0 = Win8 Debug|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Debug|x64.ActiveCfg = Win8 Debug|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Debug|x64.Build.0 = Win8 Debug|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Debug|x64.Deploy.0 = Win8 Debug|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Release|Win32.ActiveCfg = Win8 Release|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Release|Win32.Build.0 = Win8 Release|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Release|Win32.Deploy.0 = Win8 Release|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Release|x64.ActiveCfg = Win8 Release|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Release|x64.Build.0 = Win8 Release|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Release|x64.Deploy.0 = Win8 Release|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Debug|Win32.ActiveCfg = Win8.1 Debug|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Debug|Win32.Build.0 = Win8.1 Debug|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Debug|Win32.Deploy.0 = Win8.1 Debug|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Debug|x64.ActiveCfg = Win8.1 Debug|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Debug|x64.Build.0 = Win8.1 Debug|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Debug|x64.Deploy.0 = Win8.1 Debug|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Release|Win32.ActiveCfg = Win8.1 Release|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Release|Win32.Build.0 = Win8.1 Release|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Release|Win32.Deploy.0 = Win8.1 Release|Win32
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Release|x64.ActiveCfg = Win8.1 Release|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Release|x64.Build.0 = Win8.1 Release|x64
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Release|x64.Deploy.0 = Win8.1 Release|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Debug|Win32.ActiveCfg = Win8.1 Debug|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Debug|Win32.Build.0 = Win8.1 Debug|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Debug|Win32.Deploy.0 = Win8.1 Debug|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Debug|x64.ActiveCfg = Win8.1 Debug|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Debug|x64.Build.0 = Win8.1 Debug|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Release|Win32.ActiveCfg = Win8.1 Release|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Release|Win32.Build.0 = Win8.1 Release|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Release|Win32.Deploy.0 = Win8.1 Release|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Release|x64.ActiveCfg = Win8.1 Release|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Release|x64.Build.0 = Win8.1 Release|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Debug|Win32.ActiveCfg = Win7 Debug|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Debug|Win32.Deploy.0 = Win7 Debug|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Debug|x64.Build.0 = Win7 Debug|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Release|Win32.Build.0 = Win7 Release|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Release|Win32.Deploy.0 = Win7 Release|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Release|x64.ActiveCfg = Win7 Release|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Release|x64.Build.0 = Win7 Release|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Release|x64.Deploy.0 = Win7 Release|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Debug|Win32.ActiveCfg = Win8 Debug|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Debug|Win32.Build.0 = Win8 Debug|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Debug|Win32.Deploy.0 = Win8 Debug|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Debug|x64.ActiveCfg = Win8 Debug|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Debug|x64.Build.0 = Win8 Debug|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Debug|x64.Deploy.0 = Win8 Debug|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Release|Win32.ActiveCfg = Win8 Release|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Release|Win32.Build.0 = Win8 Release|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Release|Win32.Deploy.0 = Win8 Release|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Release|x64.ActiveCfg = Win8 Release|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Release|x64.Build.0 = Win8 Release|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Release|x64.Deploy.0 = Win8 Release|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Debug|Win32.ActiveCfg = Win8.1 Debug|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Debug|Win32.Build.0 = Win8.1 Debug|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Debug|Win32.Deploy.0 = Win8.1 Debug|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Debug|x64.ActiveCfg = Win8.1 Debug|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Debug|x64.Build.0 = Win8.1 Debug|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Debug|x64.Deploy.0 = Win8.1 Debug|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Release|Win32.ActiveCfg = Win8.1 Release|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Release|Win32.Build.0 = Win8.1 Release|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Release|Win32.Deploy.0 = Win8.1 Release|Win32
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Release|x64.ActiveCfg = Win8.1 Release|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Release|x64.Build.0 = Win8.1 Release|x64
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Release|x64.Deploy.0 = Win8.1 Release|x64
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Debug|Win32.ActiveCfg = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Debug|Win32.Build.0 = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Debug|Win32.Deploy.0 = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Debug|x64.ActiveCfg = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Release|Win32.ActiveCfg = Release|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Release|Win32.Build.0 = Release|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Release|Win32.Deploy.0 = Release|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Release|x64.ActiveCfg = Release|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Debug|Win32.ActiveCfg = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Debug|Win32.Build.0 = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Debug|Win32.Deploy.0 = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Debug|x64.ActiveCfg = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Release|Win32.ActiveCfg = Release|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Release|Win32.Build.0 = Release|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Release|Win32.Deploy.0 = Release|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Release|x64.ActiveCfg = Release|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Debug|Win32.ActiveCfg = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Debug|Win32.Build.0 = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Debug|Win32.Deploy.0 = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Debug|x64.ActiveCfg = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Release|Win32.ActiveCfg = Release|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Release|Win32.Build.0 = Release|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Release|Win32.Deploy.0 = Release|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Release|x64.ActiveCfg = Release|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Debug|Win32.ActiveCfg = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Debug|Win32.Build.0 = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Debug|Win32.Deploy.0 = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Debug|x64.ActiveCfg = Debug|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Release|Win32.ActiveCfg = Release|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Release|Win32.Build.0 = Release|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Release|Win32.Deploy.0 = Release|Win32
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Release|x64.ActiveCfg = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Debug|Win32.ActiveCfg = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Debug|Win32.Build.0 = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Debug|Win32.Deploy.0 = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Debug|x64.ActiveCfg = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Release|Win32.ActiveCfg = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Release|Win32.Build.0 = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Release|Win32.Deploy.0 = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Release|x64.ActiveCfg = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Debug|Win32.ActiveCfg = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Debug|Win32.Build.0 = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Debug|Win32.Deploy.0 = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Debug|x64.ActiveCfg = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Release|Win32.ActiveCfg = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Release|Win32.Build.0 = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Release|Win32.Deploy.0 = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Release|x64.ActiveCfg = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Debug|Win32.ActiveCfg = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Debug|Win32.Build.0 = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Debug|Win32.Deploy.0 = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Debug|x64.ActiveCfg = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Release|Win32.ActiveCfg = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Release|Win32.Build.0 = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Release|Win32.Deploy.0 = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Release|x64.ActiveCfg = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Debug|Win32.ActiveCfg = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Debug|Win32.Build.0 = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Debug|Win32.Deploy.0 = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Debug|x64.ActiveCfg = Debug|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Release|Win32.ActiveCfg = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Release|Win32.Build.0 = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Release|Win32.Deploy.0 = Release|Win32
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Release|x64.ActiveCfg = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal

262
Hidden/Device.c Normal file
View File

@ -0,0 +1,262 @@
#include "RegFilter.h"
#include "FsFilter.h"
#include "Device.h"
#include "DeviceAPI.h"
PDEVICE_OBJECT g_deviceObject = NULL;
// =========================================================================================
NTSTATUS DeviceDeviceCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!!\n");
return STATUS_SUCCESS;
}
NTSTATUS DeviceDeviceClose(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!!\n");
return STATUS_SUCCESS;
}
NTSTATUS DeviceDeviceCleanup(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!!\n");
return STATUS_SUCCESS;
}
NTSTATUS AddHiddenObject(PHid_HideObjectPacket packet, USHORT size, PULONGLONG objId)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING path;
USHORT i, count;
if (size < sizeof(Hid_HideObjectPacket) || size < packet->size + sizeof(Hid_HideObjectPacket))
return STATUS_INVALID_PARAMETER;
// Unpack string to UNICODE_STRING
path.Buffer = (LPWSTR)((PCHAR)packet + sizeof(Hid_HideObjectPacket));
path.MaximumLength = size;
count = packet->size / sizeof(WCHAR);
for (i = 0; i < count; i++)
if (path.Buffer[i] == L'\0')
break;
path.Length = i * sizeof(WCHAR);
// Perform packet
switch (packet->objType)
{
case RegKeyObject:
status = AddHiddenRegKey(&path, objId);
break;
case RegValueObject:
status = AddHiddenRegValue(&path, objId);
break;
case FsFileObject:
status = AddHiddenFile(&path, objId);
break;
case FsDirObject:
status = AddHiddenDir(&path, objId);
break;
default:
DbgPrint("FsFilter1!" __FUNCTION__ ": Unknown object type: %u\n", packet->objType);
return STATUS_INVALID_PARAMETER;
}
return status;
}
NTSTATUS RemoveHiddenObject(PHid_UnhideObjectPacket packet, USHORT size)
{
NTSTATUS status = STATUS_SUCCESS;
if (size != sizeof(Hid_UnhideObjectPacket))
return STATUS_INVALID_PARAMETER;
// Perform packet
switch (packet->objType)
{
case RegKeyObject:
status = RemoveHiddenRegKey(packet->id);
break;
case RegValueObject:
status = RemoveHiddenRegValue(packet->id);
break;
case FsFileObject:
status = RemoveHiddenFile(packet->id);
break;
case FsDirObject:
status = RemoveHiddenDir(packet->id);
break;
default:
DbgPrint("FsFilter1!" __FUNCTION__ ": Unknown object type: %u\n", packet->objType);
return STATUS_INVALID_PARAMETER;
}
return status;
}
NTSTATUS RemoveAllHiddenObjects(PHid_UnhideAllObjectsPacket packet, USHORT size)
{
NTSTATUS status = STATUS_SUCCESS;
if (size != sizeof(Hid_UnhideAllObjectsPacket))
return STATUS_INVALID_PARAMETER;
// Perform packet
switch (packet->objType)
{
case RegKeyObject:
status = RemoveAllHiddenRegKeys();
break;
case RegValueObject:
status = RemoveAllHiddenRegValues();
break;
case FsFileObject:
status = RemoveAllHiddenFiles();
break;
case FsDirObject:
status = RemoveAllHiddenDirs();
break;
default:
DbgPrint("FsFilter1!" __FUNCTION__ ": Unknown object type: %u\n", packet->objType);
return STATUS_INVALID_PARAMETER;
}
return status;
}
NTSTATUS DeviceControlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
PIO_STACK_LOCATION irpStack;
Hid_StatusPacket result;
NTSTATUS status = STATUS_SUCCESS;
PVOID inputBuffer, outputBuffer;
ULONG ioctl, inputBufferSize, outputBufferSize, outputBufferMaxSize;
UNREFERENCED_PARAMETER(DeviceObject);
// Get irp information
irpStack = IoGetCurrentIrpStackLocation(Irp);
ioctl = irpStack->Parameters.DeviceIoControl.IoControlCode;
inputBuffer = outputBuffer = Irp->AssociatedIrp.SystemBuffer;
inputBufferSize = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outputBufferMaxSize = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
outputBufferSize = 0;
RtlZeroMemory(&result, sizeof(result));
// Check output buffer size
if (outputBufferMaxSize < sizeof(result))
{
status = STATUS_INVALID_PARAMETER;
goto EndProc;
}
switch (ioctl)
{
case HID_IOCTL_ADD_HIDDEN_OBJECT:
result.status = AddHiddenObject((PHid_HideObjectPacket)inputBuffer, (USHORT)inputBufferSize, &result.info.id);
break;
case HID_IOCTL_REMOVE_HIDDEN_OBJECT:
result.status = RemoveHiddenObject((PHid_UnhideObjectPacket)inputBuffer, (USHORT)inputBufferSize);
break;
case HID_IOCTL_REMOVE_ALL_HIDDEN_OBJECTS:
result.status = RemoveAllHiddenObjects((PHid_UnhideAllObjectsPacket)inputBuffer, (USHORT)inputBufferSize);
break;
default:
DbgPrint("FsFilter1!" __FUNCTION__ ": unknown IOCTL code:%08x\n", ioctl);
status = STATUS_INVALID_PARAMETER;
goto EndProc;
}
EndProc:
// Copy result to output buffer
if (NT_SUCCESS(status))
{
outputBufferSize = sizeof(result);
RtlCopyMemory(outputBuffer, &result, sizeof(result));
}
Irp->IoStatus.Status = status;
Irp->IoStatus.Information = outputBufferSize;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS InitializeDevice(PDRIVER_OBJECT DriverObject)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING deviceName = RTL_CONSTANT_STRING(DEVICE_NAME);
UNICODE_STRING dosDeviceName = RTL_CONSTANT_STRING(DOS_DEVICES_LINK_NAME);
PDEVICE_OBJECT deviceObject = NULL;
status = IoCreateDevice(DriverObject, 0, &deviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &deviceObject);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": device creation failed with code:%08x\n", status);
return status;
}
status = IoCreateSymbolicLink(&dosDeviceName, &deviceName);
if (!NT_SUCCESS(status))
{
IoDeleteDevice(deviceObject);
DbgPrint("FsFilter1!" __FUNCTION__ ": symbolic link creation failed with code:%08x\n", status);
return status;
}
DriverObject->MajorFunction[IRP_MJ_CREATE] = DeviceDeviceCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DeviceDeviceClose;
DriverObject->MajorFunction[IRP_MJ_CLEANUP] = DeviceDeviceCleanup;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceControlHandler;
g_deviceObject = deviceObject;
return status;
}
NTSTATUS DestroyDevice()
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING dosDeviceName = RTL_CONSTANT_STRING(DOS_DEVICES_LINK_NAME);
status = IoDeleteSymbolicLink(&dosDeviceName);
if (!NT_SUCCESS(status))
DbgPrint("FsFilter1!" __FUNCTION__ ": symbolic link deletion failed with code:%08x\n", status);
IoDeleteDevice(g_deviceObject);
return status;
}

4
Hidden/Device.h Normal file
View File

@ -0,0 +1,4 @@
#pragma once
NTSTATUS InitializeDevice(PDRIVER_OBJECT DriverObject);
NTSTATUS DestroyDevice();

82
Hidden/DeviceAPI.h Normal file
View File

@ -0,0 +1,82 @@
#pragma once
// ========================================
// Device information
#define DEVICE_NAME L"\\Device\\HiddenGate"
#define DOS_DEVICES_LINK_NAME L"\\DosDevices\\HiddenGate"
#define DEVICE_WIN32_NAME L"\\\\.\\HiddenGate"
// ========================================
// IOCTL codes
#define HID_IOCTL_SET_DRIVER_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 0), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_GET_DRIVER_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 1), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_SET_STEALTH_MODE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 2), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
/*#define HID_IOCTL_ADD_HIDDEN_REG_KEY CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 10), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_HIDDEN_REG_KEY CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 11), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_HIDDEN_REG_KEYS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 12), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_HIDDEN_REG_VALUE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 20), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_HIDDEN_REG_VALUE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 21), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_HIDDEN_REG_VALUES CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 22), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_HIDDEN_FILE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 30), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_HIDDEN_FILE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 31), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_HIDDEN_FILES CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 32), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_HIDDEN_DIR CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 40), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_HIDDEN_DIR CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 41), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_HIDDEN_DIRS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 42), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_PROTECTED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 50), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ATTACH_PROTECTED_EXE_PID CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 51), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_PROTECTED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 52), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_PROTECTED_EXE_PATHS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 53), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_EXCLUDED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 54), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ATTACH_EXCLUDED_EXE_PID CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 55), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_EXCLUDED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 56), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_EXCLUDED_EXE_PATHS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 57), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)*/
#define HID_IOCTL_ADD_HIDDEN_OBJECT CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 60), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_HIDDEN_OBJECT CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 61), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_HIDDEN_OBJECTS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 62), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
enum Hid_ObjectTypes {
RegKeyObject,
RegValueObject,
FsFileObject,
FsDirObject,
PsProcObject,
};
#pragma pack(push, 4)
typedef struct _Hid_HideObjectPacket {
unsigned short objType;
unsigned short size;
} Hid_HideObjectPacket, *PHid_HideObjectPacket;
typedef struct _Hid_UnhideObjectPacket {
unsigned short objType;
unsigned short reserved;
unsigned long long id;
} Hid_UnhideObjectPacket, *PHid_UnhideObjectPacket;
typedef struct _Hid_UnhideAllObjectsPacket {
unsigned short objType;
unsigned short reserved;
} Hid_UnhideAllObjectsPacket, *PHid_UnhideAllObjectsPacket;
typedef struct _Hid_StatusPacket {
unsigned int status;
union {
unsigned long long id;
unsigned long state;
} info;
} Hid_StatusPacket, *PHid_StatusPacket;
#pragma pack(pop)

69
Hidden/Driver.c Normal file
View File

@ -0,0 +1,69 @@
#include <fltKernel.h>
#include <Ntddk.h>
#include "ExcludeList.h"
#include "RegFilter.h"
#include "FsFilter.h"
#include "PsMonitor.h"
#include "Device.h"
#include "Driver.h"
PDRIVER_OBJECT g_driverObject = NULL;
BOOLEAN g_driverActive = FALSE;
// =========================================================================================
VOID SetDriverActivityState(BOOLEAN state)
{
g_driverActive = state;
}
BOOLEAN GetDriverActiviteState()
{
return g_driverActive;
}
// =========================================================================================
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
UNREFERENCED_PARAMETER(DriverObject);
DestroyDevice();
DestroyRegistryFilter();
DestroyFSMiniFilter();
DestroyPsMonitor();
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
NTSTATUS status;
UNREFERENCED_PARAMETER(RegistryPath);
g_driverActive = TRUE;
status = InitializePsMonitor(DriverObject);
if (!NT_SUCCESS(status))
DbgPrint("FsFilter1!" __FUNCTION__ ": object monitor didn't start\n");
status = InitializeFSMiniFilter(DriverObject);
if (!NT_SUCCESS(status))
DbgPrint("FsFilter1!" __FUNCTION__ ": file-system mini-filter didn't start\n");
status = InitializeRegistryFilter(DriverObject);
if (!NT_SUCCESS(status))
DbgPrint("FsFilter1!" __FUNCTION__ ": registry filter didn't start\n");
status = InitializeDevice(DriverObject);
if (!NT_SUCCESS(status))
DbgPrint("FsFilter1!" __FUNCTION__ ": can't create device\n");
DriverObject->DriverUnload = DriverUnload;
g_driverObject = DriverObject;
return STATUS_SUCCESS;
}

4
Hidden/Driver.h Normal file
View File

@ -0,0 +1,4 @@
#pragma once
VOID SetDriverActivityState(BOOLEAN state);
BOOLEAN GetDriverActiviteState();

504
Hidden/ExcludeList.c Normal file
View File

@ -0,0 +1,504 @@
#include "ExcludeList.h"
//#include <Ntifs.h>
#define EXCLUDE_ALLOC_TAG 'LcxE'
typedef struct _EXCULE_FILE_PATH {
UNICODE_STRING fullPath;
UNICODE_STRING dirName;
UNICODE_STRING fileName;
} EXCULE_FILE_PATH, *PEXCULE_FILE_PATH;
typedef struct _EXCLUDE_FILE_LIST_ENTRY {
LIST_ENTRY list;
ULONGLONG guid;
EXCULE_FILE_PATH path;
//UINT32 dirCrc32;
//UINT32 type;
} EXCLUDE_FILE_LIST_ENTRY, *PEXCLUDE_FILE_LIST_ENTRY;
typedef struct _EXCLUDE_FILE_CONTEXT {
LIST_ENTRY listHead;
KSPIN_LOCK listLock;
ULONGLONG guidCounter;
//UINT32 IVector;
UINT32 type;
} EXCLUDE_FILE_CONTEXT, *PEXCLUDE_FILE_CONTEXT;
NTSTATUS AddExcludeListEntry(ExcludeContext Context, PUNICODE_STRING FilePath, UINT32 Type, PExcludeEntryId EntryId);
BOOLEAN InitFilePathByString(PEXCULE_FILE_PATH path, PUNICODE_STRING FilePath, PUINT32 DirCrc32, UINT32 iv);
BOOLEAN FillDirectoryFromPath(PEXCULE_FILE_PATH path, PUNICODE_STRING filePath);
//BOOLEAN InitFilePathByDirectory(PEXCULE_FILE_PATH path, PUNICODE_STRING filePath, PUINT32 DirCrc32, UINT32 iv);
unsigned int GetCrc32(void* buf, unsigned int size, unsigned int ivect);
NTSTATUS RtlDowncaseUnicodeString(
PUNICODE_STRING DestinationString,
_In_ PCUNICODE_STRING SourceString,
_In_ BOOLEAN AllocateDestinationString
);
// ==========================================================================================
NTSTATUS InitializeExcludeListContext(PExcludeContext Context, UINT32 Type)
{
PEXCLUDE_FILE_CONTEXT cntx;
if (Type >= ExcludeMaxType)
{
DbgPrint("FsFilter1!" __FUNCTION__ ": error, invalid exclude list type: %d\n", Type);
return STATUS_INVALID_MEMBER;
}
cntx = (PEXCLUDE_FILE_CONTEXT)ExAllocatePoolWithTag(NonPagedPool, sizeof(EXCLUDE_FILE_CONTEXT), EXCLUDE_ALLOC_TAG);
if (!cntx)
{
DbgPrint("FsFilter1!" __FUNCTION__ ": error, can't allocate memory for context: %p\n", Context);
return STATUS_ACCESS_DENIED;
}
InitializeListHead(&cntx->listHead);
KeInitializeSpinLock(&cntx->listLock);
cntx->guidCounter = 0;
cntx->type = Type;
//cntx->IVector = (UINT32)&InitializeExcludeListContext;
*Context = cntx;
return STATUS_SUCCESS;
}
VOID DestroyExcludeListContext(ExcludeContext Context)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
/*KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
{
PEXCLUDE_FILE_LIST_ENTRY remove = entry;
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
RemoveEntryList((PLIST_ENTRY)remove);
ExFreePoolWithTag(remove, EXCLUDE_ALLOC_TAG);
}
KeReleaseInStackQueuedSpinLock(&lockHandle);*/
RemoveAllExcludeListEntries(Context);
ExFreePoolWithTag(cntx, EXCLUDE_ALLOC_TAG);
}
NTSTATUS AddExcludeListFile(ExcludeContext Context, PUNICODE_STRING FilePath, PExcludeEntryId EntryId)
{
return AddExcludeListEntry(Context, FilePath, ExcludeFile, EntryId);
}
NTSTATUS AddExcludeListDirectory(ExcludeContext Context, PUNICODE_STRING DirPath, PExcludeEntryId EntryId)
{
return AddExcludeListEntry(Context, DirPath, ExcludeDirectory, EntryId);
}
NTSTATUS AddExcludeListRegistryKey(ExcludeContext Context, PUNICODE_STRING KeyPath, PExcludeEntryId EntryId)
{
return AddExcludeListEntry(Context, KeyPath, ExcludeRegKey, EntryId);
}
NTSTATUS AddExcludeListRegistryValue(ExcludeContext Context, PUNICODE_STRING ValuePath, PExcludeEntryId EntryId)
{
return AddExcludeListEntry(Context, ValuePath, ExcludeRegValue, EntryId);
}
NTSTATUS AddExcludeListEntry(ExcludeContext Context, PUNICODE_STRING FilePath, UINT32 Type, PExcludeEntryId EntryId)
{
enum { MAX_PATH_SIZE = 1024 };
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry, head;
UNICODE_STRING temp;
//NTSTATUS status;
SIZE_T size;
UNREFERENCED_PARAMETER(Type);
if (cntx->type != Type)
{
DbgPrint("FsFilter1!" __FUNCTION__ ": warning, type isn't equal: %d != %d\n", cntx->type, Type);
return STATUS_INVALID_MEMBER;
}
if (FilePath->Length == 0 || FilePath->Length >= MAX_PATH_SIZE)
{
DbgPrint("FsFilter1!" __FUNCTION__ ": warning, invalid string size : %d\n", (UINT32)FilePath->Length);
return STATUS_ACCESS_DENIED;
}
// Allocate and fill new list entry
size = sizeof(EXCLUDE_FILE_LIST_ENTRY) + FilePath->Length + sizeof(WCHAR);
entry = ExAllocatePoolWithTag(NonPagedPool, size, EXCLUDE_ALLOC_TAG);
if (entry == NULL)
{
DbgPrint("FsFilter1!" __FUNCTION__ ": warning, exclude file list is not NULL : %p\n", cntx);
return STATUS_ACCESS_DENIED;
}
RtlZeroMemory(entry, size);
temp.Buffer = (PWCH)((PCHAR)entry + sizeof(EXCLUDE_FILE_LIST_ENTRY));
temp.Length = 0;
temp.MaximumLength = FilePath->Length;
//status = RtlDowncaseUnicodeString(&temp, FilePath, FALSE);
RtlCopyUnicodeString(&temp, FilePath);
//if (!InitFilePathByString(&entry->path, &temp, &entry->dirCrc32, cntx->IVector))
if (!FillDirectoryFromPath(&entry->path, &temp))
{
ExFreePoolWithTag(entry, EXCLUDE_ALLOC_TAG);
DbgPrint("FsFilter1!" __FUNCTION__ ": warning, exclude file list is not NULL : %p\n", cntx);
return STATUS_ACCESS_DENIED;
}
//entry->type = Type;
// Push new list entry to context
if (Type == ExcludeRegKey || Type == ExcludeRegValue)
{
// We should add new entry in alphabet order
head = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
while (head != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
{
//INT res = StrCmpW(&entry->path.fullPath, &head->path.fullPath);
INT res = RtlCompareUnicodeString(&entry->path.fullPath, &head->path.fullPath, TRUE);
if (res <= 0)
break;
head = (PEXCLUDE_FILE_LIST_ENTRY)head->list.Flink;
}
}
else
{
head = (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead;
}
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
entry->guid = cntx->guidCounter++;
InsertTailList((PLIST_ENTRY)head, (PLIST_ENTRY)entry);
KeReleaseInStackQueuedSpinLock(&lockHandle);
*EntryId = entry->guid;
return STATUS_SUCCESS;
}
NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId)
{
NTSTATUS status = STATUS_SUCCESS;
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
{
if (EntryId == entry->guid)
{
RemoveEntryList((PLIST_ENTRY)entry);
ExFreePoolWithTag(entry, EXCLUDE_ALLOC_TAG);
status = STATUS_SUCCESS;
break;
}
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
return status;
}
NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
{
PEXCLUDE_FILE_LIST_ENTRY remove = entry;
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
RemoveEntryList((PLIST_ENTRY)remove);
ExFreePoolWithTag(remove, EXCLUDE_ALLOC_TAG);
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
return STATUS_SUCCESS;
}
BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
BOOLEAN result = FALSE;
//UINT32 crc32;
//crc32 = GetCrc32(Path->Buffer, Path->Length, cntx->IVector);
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
{
if (/*entry->type == ExcludeFile
&& entry->dirCrc32 == crc32 // TEMPORARY DISABLED, because checksum isn't support case-insensetive string
&&*/ RtlCompareUnicodeString(&entry->path.fullPath, Path, TRUE) == 0)
{
result = TRUE;
break;
}
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
return result;
}
BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
UNICODE_STRING Directory, dir;
BOOLEAN result = FALSE;
Directory = *Path;
if (Directory.Length > 0 && Directory.Buffer[Directory.Length / sizeof(WCHAR) - 1] == L'\\')
Directory.Length -= sizeof(WCHAR);
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
{
dir = Directory;
if (dir.Length >= entry->path.fullPath.Length)
{
BOOLEAN compare = TRUE;
if (dir.Length > entry->path.fullPath.Length)
{
if (dir.Buffer[entry->path.fullPath.Length / sizeof(WCHAR)] != L'\\')
compare = FALSE;
else
dir.Length = entry->path.fullPath.Length;
}
if (compare && RtlCompareUnicodeString(&entry->path.fullPath, &dir, TRUE) == 0)
{
result = TRUE;
break;
}
}
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
return result;
}
BOOLEAN CheckExcludeListDirFile(ExcludeContext Context, PCUNICODE_STRING Dir, PCUNICODE_STRING File)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
UNICODE_STRING Directory;
BOOLEAN result = FALSE;
Directory = *Dir;
if (Directory.Length > 0 && Directory.Buffer[Directory.Length / sizeof(WCHAR) - 1] == L'\\')
Directory.Length -= sizeof(WCHAR);
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
{
if (RtlCompareUnicodeString(&entry->path.dirName, &Directory, TRUE) == 0
&& RtlCompareUnicodeString(&entry->path.fileName, File, TRUE) == 0)
{
result = TRUE;
break;
}
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
return result;
}
BOOLEAN CheckExcludeListRegKey(ExcludeContext Context, PUNICODE_STRING Key)
{
return CheckExcludeListDirectory(Context, Key);
}
BOOLEAN CheckExcludeListRegKeyValueName(ExcludeContext Context, PUNICODE_STRING Key, PUNICODE_STRING Name, PUINT32 Increament)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
UNICODE_STRING Directory;
BOOLEAN result = FALSE;
Directory = *Key;
*Increament = 0;
if (Directory.Length > 0 && Directory.Buffer[Directory.Length / sizeof(WCHAR)-1] == L'\\')
Directory.Length -= sizeof(WCHAR);
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
{
if (RtlCompareUnicodeString(&entry->path.dirName, &Directory, TRUE) == 0)
{
INT res;
res = RtlCompareUnicodeString(&entry->path.fileName, Name, TRUE);
if (res == 0)
{
(*Increament)++;
result = TRUE;
break;
}
else if (res < 0)
{
(*Increament)++;
}
else if (res > 0)
{
break;
}
}
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
return result;
}
// ==========================================================================================
BOOLEAN FillDirectoryFromPath(PEXCULE_FILE_PATH path, PUNICODE_STRING filePath)
{
USHORT i, count;
LPWSTR buffer = filePath->Buffer;
count = filePath->Length / sizeof(WCHAR);
for (i = count - 1; i < count; i--)
{
if (buffer[i] == L'\\')
{
if (i + 1 >= count)
return FALSE;
path->fileName.Buffer = buffer + i + 1;
path->fileName.Length = (count - i - 1) * sizeof(WCHAR);
path->fileName.MaximumLength = path->fileName.Length;
path->fullPath = *filePath;
path->dirName.Buffer = filePath->Buffer;
path->dirName.Length = i * sizeof(WCHAR);
path->dirName.MaximumLength = path->dirName.Length;
return TRUE;
}
}
return FALSE;
}
BOOLEAN InitFilePathByString(PEXCULE_FILE_PATH path, PUNICODE_STRING FilePath, PUINT32 DirCrc32, UINT32 iv)
{
if (!FillDirectoryFromPath(path, FilePath))
return FALSE;
if (DirCrc32)
*DirCrc32 = GetCrc32(path->dirName.Buffer, path->dirName.Length, iv);
return TRUE;
}
static const unsigned int g_crc32Table [256] = {
0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419, 0x706AF48F, 0xE963A535,
0x9E6495A3, 0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD,
0xE7B82D07, 0x90BF1D91, 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE, 0x1ADAD47D,
0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, 0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC,
0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4,
0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B, 0x35B5A8FA, 0x42B2986C,
0xDBBBC9D6, 0xACBCF940, 0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59, 0x26D930AC,
0x51DE003A, 0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F,
0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924, 0x2F6F7C87, 0x58684C11, 0xC1611DAB,
0xB6662D3D, 0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F,
0x9FBFE4A5, 0xE8B8D433, 0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818, 0x7F6A0DBB,
0x086D3D2D, 0x91646C97, 0xE6635C01, 0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E,
0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA,
0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65, 0x4DB26158, 0x3AB551CE,
0xA3BC0074, 0xD4BB30E2, 0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A,
0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9,
0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409,
0xCE61E49F, 0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17, 0x2EB40D81,
0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A, 0xEAD54739,
0x9DD277AF, 0x04DB2615, 0x73DC1683, 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,
0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1, 0xF00F9344, 0x8708A3D2, 0x1E01F268,
0x6906C2FE, 0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7, 0xFED41B76, 0x89D32BE0,
0x10DA7A5A, 0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5, 0xD6D6A3E8,
0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,
0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF,
0x4669BE79, 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236, 0xCC0C7795, 0xBB0B4703,
0x220216B9, 0x5505262F, 0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7,
0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D, 0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A,
0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713, 0x95BF4A82, 0xE2B87A14, 0x7BB12BAE,
0x0CB61B38, 0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, 0x86D3D2D4, 0xF1D4E242,
0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777, 0x88085AE6,
0xFF0F6A70, 0x66063BCA, 0x11010B5C, 0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45,
0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7, 0x4969474D,
0x3E6E77DB, 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5,
0x47B2CF7F, 0x30B5FFE9, 0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605,
0xCDD70693, 0x54DE5729, 0x23D967BF, 0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94,
0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D
};
unsigned int GetCrc32(void* buf, unsigned int size, unsigned int ivect)
{
unsigned char *src = (unsigned char*)buf;
unsigned int crc = ~ivect;
while (size--)
crc = (crc >> 8) ^ g_crc32Table[(crc ^ *src++) & 0xFF];
return 0xFFFFFFFF ^ crc;
}

39
Hidden/ExcludeList.h Normal file
View File

@ -0,0 +1,39 @@
#pragma once
//#include <ntifs.h>
#include <Ntddk.h>
enum ExcludeObjectType {
ExcludeFile,
ExcludeDirectory,
ExcludeRegKey,
ExcludeRegValue ,
ExcludeMaxType,
};
typedef PVOID ExcludeContext;
typedef ExcludeContext* PExcludeContext;
typedef ULONGLONG ExcludeEntryId;
typedef ExcludeEntryId* PExcludeEntryId;
typedef ULONGLONG ExcludeEnumId;
typedef ExcludeEnumId* PExcludeEnumId;
NTSTATUS InitializeExcludeListContext(PExcludeContext Context, UINT32 Type);
VOID DestroyExcludeListContext(ExcludeContext Context);
NTSTATUS AddExcludeListFile(ExcludeContext Context, PUNICODE_STRING FilePath, PExcludeEntryId EntryId);
NTSTATUS AddExcludeListDirectory(ExcludeContext Context, PUNICODE_STRING DirPath, PExcludeEntryId EntryId);
NTSTATUS AddExcludeListRegistryKey(ExcludeContext Context, PUNICODE_STRING KeyPath, PExcludeEntryId EntryId);
NTSTATUS AddExcludeListRegistryValue(ExcludeContext Context, PUNICODE_STRING ValuePath, PExcludeEntryId EntryId);
NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId);
NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context);
BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path);
BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path);
BOOLEAN CheckExcludeListDirFile(ExcludeContext Context, PCUNICODE_STRING Dir, PCUNICODE_STRING File);
BOOLEAN CheckExcludeListRegKey(ExcludeContext Context, PUNICODE_STRING Key);
BOOLEAN CheckExcludeListRegKeyValueName(ExcludeContext Context, PUNICODE_STRING Key, PUNICODE_STRING Name, PUINT32 Increament);

892
Hidden/FsFilter.c Normal file
View File

@ -0,0 +1,892 @@
// =========================================================================================
// Filesystem Minifilter
// =========================================================================================
#include <fltKernel.h>
#include "ExcludeList.h"
#include "FsFilter.h"
#include "Helper.h"
#include "PsMonitor.h"
NTSTATUS FilterSetup(PCFLT_RELATED_OBJECTS FltObjects, FLT_INSTANCE_SETUP_FLAGS Flags, DEVICE_TYPE VolumeDeviceType, FLT_FILESYSTEM_TYPE VolumeFilesystemType);
FLT_PREOP_CALLBACK_STATUS FltCreatePreOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext);
//FLT_POSTOP_CALLBACK_STATUS FltCreatePostOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags);
FLT_PREOP_CALLBACK_STATUS FltDirCtrlPreOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext);
FLT_POSTOP_CALLBACK_STATUS FltDirCtrlPostOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags);
NTSTATUS CleanFileFullDirectoryInformation(PFILE_FULL_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName);
NTSTATUS CleanFileBothDirectoryInformation(PFILE_BOTH_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName);
NTSTATUS CleanFileDirectoryInformation(PFILE_DIRECTORY_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName);
NTSTATUS CleanFileIdFullDirectoryInformation(PFILE_ID_FULL_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName);
NTSTATUS CleanFileIdBothDirectoryInformation(PFILE_ID_BOTH_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName);
NTSTATUS CleanFileNamesInformation(PFILE_NAMES_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName);
const FLT_CONTEXT_REGISTRATION Contexts[] = {
{ FLT_CONTEXT_END }
};
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
{ IRP_MJ_CREATE, 0, FltCreatePreOperation, /*FltCreatePostOperation*/ NULL },
{ IRP_MJ_DIRECTORY_CONTROL, 0, FltDirCtrlPreOperation, FltDirCtrlPostOperation },
{ IRP_MJ_OPERATION_END }
};
CONST FLT_REGISTRATION FilterRegistration = {
sizeof(FLT_REGISTRATION), // Size
FLT_REGISTRATION_VERSION, // Version
FLTFL_REGISTRATION_DO_NOT_SUPPORT_SERVICE_STOP, // Flags
Contexts, // Context
Callbacks, // Operation callbacks
/*FilterUnload*/NULL, // MiniFilterUnload
FilterSetup, // InstanceSetup
NULL, // InstanceQueryTeardown
NULL, // InstanceTeardownStart
NULL, // InstanceTeardownComplete
NULL, // GenerateFileName
NULL, // GenerateDestinationFileName
NULL // NormalizeNameComponent
};
PFLT_FILTER gFilterHandle = NULL;
ExcludeContext g_excludeFileContext;
ExcludeContext g_excludeDirectoryContext;
CONST PWCHAR g_excludeFiles[] = {
// L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc.exe",
// L"\\Device\\HarddiskVolume1\\test.txt",
// L"\\Device\\HarddiskVolume1\\abcd\\test.txt",
NULL
};
CONST PWCHAR g_excludeDirs[] = {
// L"\\Device\\HarddiskVolume1\\abc",
// L"\\Device\\HarddiskVolume1\\abcd\\abc",
// L"\\Device\\HarddiskVolume1\\New folder",
NULL
};
NTSTATUS DestroyFSMiniFilter()
{
DbgPrint("FsFilter1!" __FUNCTION__ ": Entered %d\n", (UINT32)KeGetCurrentIrql());
FltUnregisterFilter(gFilterHandle);
gFilterHandle = NULL;
DestroyExcludeListContext(g_excludeFileContext);
DestroyExcludeListContext(g_excludeDirectoryContext);
return STATUS_SUCCESS;
}
NTSTATUS FilterSetup(PCFLT_RELATED_OBJECTS FltObjects, FLT_INSTANCE_SETUP_FLAGS Flags, DEVICE_TYPE VolumeDeviceType, FLT_FILESYSTEM_TYPE VolumeFilesystemType)
{
UNREFERENCED_PARAMETER(FltObjects);
UNREFERENCED_PARAMETER(Flags);
UNREFERENCED_PARAMETER(VolumeDeviceType);
UNREFERENCED_PARAMETER(VolumeFilesystemType);
PAGED_CODE();
DbgPrint("FsFilter1!" __FUNCTION__ ": Entered %d\n", (UINT32)KeGetCurrentIrql());
return STATUS_SUCCESS;
}
enum {
FoundExcludeFile = 1,
FoundExcludeDir = 2,
};
FLT_PREOP_CALLBACK_STATUS FltCreatePreOperation(
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_Flt_CompletionContext_Outptr_ PVOID *CompletionContext)
{
UINT32 disposition, options;
PFLT_FILE_NAME_INFORMATION fltName;
NTSTATUS status;
BOOLEAN neededPrevent = FALSE;
UNREFERENCED_PARAMETER(FltObjects);
UNREFERENCED_PARAMETER(CompletionContext);
//DbgPrint("!!!!! " __FUNCTION__ ": Entered %d\n", (ULONG)KeGetCurrentIrql());
//DbgPrint("%wZ %x\n", &Data->Iopb->TargetFileObject->FileName, Data->Iopb->Parameters.Create.Options);
if (IsProcessExcluded(PsGetCurrentProcessId()))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
options = Data->Iopb->Parameters.Create.Options & 0x00FFFFFF;
disposition = (Data->Iopb->Parameters.Create.Options & 0xFF000000) >> 24;
status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED, &fltName);
if (!NT_SUCCESS(status))
{
if (status != STATUS_OBJECT_PATH_NOT_FOUND)
DbgPrint("FsFilter1!" __FUNCTION__ ": FltGetFileNameInformation failed with code:%08x\n", status);
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
if (!(options & FILE_DIRECTORY_FILE))
{
// If it is create file event
if (CheckExcludeListDirectory(g_excludeFileContext, &fltName->Name))
neededPrevent = TRUE;
}
// If it is create directory/file event
if (!neededPrevent && CheckExcludeListDirectory(g_excludeDirectoryContext, &fltName->Name))
neededPrevent = TRUE;
FltReleaseFileNameInformation(fltName);
if (neededPrevent)
{
DbgPrint("FsFilter1!" __FUNCTION__ ": Create file\\dir operation canceled for: %wZ\n", &Data->Iopb->TargetFileObject->FileName);
Data->IoStatus.Status = STATUS_NO_SUCH_FILE;
return FLT_PREOP_COMPLETE;
}
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
FLT_PREOP_CALLBACK_STATUS FltDirCtrlPreOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
PAGED_CODE();
UNREFERENCED_PARAMETER(FltObjects);
UNREFERENCED_PARAMETER(CompletionContext);
//DbgPrint("!!!!! " __FUNCTION__ ": Entered\n");
//DbgPrint("%wZ\n", &Data->Iopb->TargetFileObject->FileName);
if (Data->Iopb->MinorFunction != IRP_MN_QUERY_DIRECTORY)
return FLT_PREOP_SUCCESS_NO_CALLBACK;
switch (Data->Iopb->Parameters.DirectoryControl.QueryDirectory.FileInformationClass)
{
case FileIdFullDirectoryInformation:
case FileIdBothDirectoryInformation:
case FileBothDirectoryInformation:
case FileDirectoryInformation:
case FileFullDirectoryInformation:
case FileNamesInformation:
break;
default:
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
FLT_POSTOP_CALLBACK_STATUS FltDirCtrlPostOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags)
{
PFLT_PARAMETERS params = &Data->Iopb->Parameters;
PFLT_FILE_NAME_INFORMATION fltName;
NTSTATUS status;
UNREFERENCED_PARAMETER(FltObjects);
UNREFERENCED_PARAMETER(CompletionContext);
UNREFERENCED_PARAMETER(Flags);
PAGED_CODE();
if (!NT_SUCCESS(Data->IoStatus.Status))
return FLT_POSTOP_FINISHED_PROCESSING;
//DbgPrint("!!!!! " __FUNCTION__ ": Entered %d\n", (UINT32)KeGetCurrentIrql());
//DbgPrint("%wZ\n", &Data->Iopb->TargetFileObject->FileName);
if (IsProcessExcluded(PsGetCurrentProcessId()))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
return FLT_POSTOP_FINISHED_PROCESSING;
}
status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED, &fltName);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": FltGetFileNameInformation failed with code:%08x\n", status);
return FLT_POSTOP_FINISHED_PROCESSING;
}
__try
{
status = STATUS_SUCCESS;
switch (params->DirectoryControl.QueryDirectory.FileInformationClass)
{
case FileFullDirectoryInformation:
status = CleanFileFullDirectoryInformation((PFILE_FULL_DIR_INFORMATION)params->DirectoryControl.QueryDirectory.DirectoryBuffer, fltName);
break;
case FileBothDirectoryInformation:
status = CleanFileBothDirectoryInformation((PFILE_BOTH_DIR_INFORMATION)params->DirectoryControl.QueryDirectory.DirectoryBuffer, fltName);
break;
case FileDirectoryInformation:
status = CleanFileDirectoryInformation((PFILE_DIRECTORY_INFORMATION)params->DirectoryControl.QueryDirectory.DirectoryBuffer, fltName);
break;
case FileIdFullDirectoryInformation:
status = CleanFileIdFullDirectoryInformation((PFILE_ID_FULL_DIR_INFORMATION)params->DirectoryControl.QueryDirectory.DirectoryBuffer, fltName);
break;
case FileIdBothDirectoryInformation:
status = CleanFileIdBothDirectoryInformation((PFILE_ID_BOTH_DIR_INFORMATION)params->DirectoryControl.QueryDirectory.DirectoryBuffer, fltName);
break;
case FileNamesInformation:
status = CleanFileNamesInformation((PFILE_NAMES_INFORMATION)params->DirectoryControl.QueryDirectory.DirectoryBuffer, fltName);
break;
}
Data->IoStatus.Status = status;
}
__finally
{
FltReleaseFileNameInformation(fltName);
}
return FLT_POSTOP_FINISHED_PROCESSING;
}
NTSTATUS CleanFileFullDirectoryInformation(PFILE_FULL_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName)
{
PFILE_FULL_DIR_INFORMATION nextInfo, prevInfo = NULL;
UNICODE_STRING fileName;
UINT32 offset, moveLength;
BOOLEAN matched, search;
NTSTATUS status = STATUS_SUCCESS;
offset = 0;
search = TRUE;
do
{
fileName.Buffer = info->FileName;
fileName.Length = (USHORT)info->FileNameLength;
fileName.MaximumLength = (USHORT)info->FileNameLength;
if (info->FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
matched = CheckExcludeListDirFile(g_excludeDirectoryContext, &fltName->Name, &fileName);
else
matched = CheckExcludeListDirFile(g_excludeFileContext, &fltName->Name, &fileName);
if (matched)
{
BOOLEAN retn = FALSE;
if (prevInfo != NULL)
{
if (info->NextEntryOffset != 0)
{
prevInfo->NextEntryOffset += info->NextEntryOffset;
offset = info->NextEntryOffset;
}
else
{
prevInfo->NextEntryOffset = 0;
status = STATUS_SUCCESS;
retn = TRUE;
}
RtlFillMemory(info, sizeof(info), 0);
}
else
{
if (info->NextEntryOffset != 0)
{
nextInfo = (PFILE_FULL_DIR_INFORMATION)((PUCHAR)info + info->NextEntryOffset);
moveLength = 0;
while (nextInfo->NextEntryOffset != 0)
{
moveLength += FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
nextInfo = (PFILE_FULL_DIR_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset);
}
moveLength += FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue
}
else
{
status = STATUS_NO_MORE_ENTRIES;
retn = TRUE;
}
}
DbgPrint("FsFilter1!" __FUNCTION__ ": removed: %wZ\\%wZ\n", &fltName->Name, &fileName);
if (retn)
return status;
info = (PFILE_FULL_DIR_INFORMATION)((PCHAR)info + offset);
continue;
}
offset = info->NextEntryOffset;
prevInfo = info;
info = (PFILE_FULL_DIR_INFORMATION)((PCHAR)info + offset);
if (offset == 0)
search = FALSE;
} while (search);
return STATUS_SUCCESS;
}
NTSTATUS CleanFileBothDirectoryInformation(PFILE_BOTH_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName)
{
PFILE_BOTH_DIR_INFORMATION nextInfo, prevInfo = NULL;
UNICODE_STRING fileName;
UINT32 offset, moveLength;
BOOLEAN matched, search;
NTSTATUS status = STATUS_SUCCESS;
offset = 0;
search = TRUE;
do
{
fileName.Buffer = info->FileName;
fileName.Length = (USHORT)info->FileNameLength;
fileName.MaximumLength = (USHORT)info->FileNameLength;
if (info->FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
matched = CheckExcludeListDirFile(g_excludeDirectoryContext, &fltName->Name, &fileName);
else
matched = CheckExcludeListDirFile(g_excludeFileContext, &fltName->Name, &fileName);
if (matched)
{
BOOLEAN retn = FALSE;
if (prevInfo != NULL)
{
if (info->NextEntryOffset != 0)
{
prevInfo->NextEntryOffset += info->NextEntryOffset;
offset = info->NextEntryOffset;
}
else
{
prevInfo->NextEntryOffset = 0;
status = STATUS_SUCCESS;
retn = TRUE;
}
RtlFillMemory(info, sizeof(info), 0);
}
else
{
if (info->NextEntryOffset != 0)
{
nextInfo = (PFILE_BOTH_DIR_INFORMATION)((PUCHAR)info + info->NextEntryOffset);
moveLength = 0;
while (nextInfo->NextEntryOffset != 0)
{
moveLength += FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
nextInfo = (PFILE_BOTH_DIR_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset);
}
moveLength += FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue
}
else
{
status = STATUS_NO_MORE_ENTRIES;
retn = TRUE;
}
}
DbgPrint("FsFilter1!" __FUNCTION__ ": removed: %wZ\\%wZ\n", &fltName->Name, &fileName);
if (retn)
return status;
info = (PFILE_BOTH_DIR_INFORMATION)((PCHAR)info + offset);
continue;
}
offset = info->NextEntryOffset;
prevInfo = info;
info = (PFILE_BOTH_DIR_INFORMATION)((PCHAR)info + offset);
if (offset == 0)
search = FALSE;
} while (search);
return STATUS_SUCCESS;
}
NTSTATUS CleanFileDirectoryInformation(PFILE_DIRECTORY_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName)
{
PFILE_DIRECTORY_INFORMATION nextInfo, prevInfo = NULL;
UNICODE_STRING fileName;
UINT32 offset, moveLength;
BOOLEAN matched, search;
NTSTATUS status = STATUS_SUCCESS;
offset = 0;
search = TRUE;
do
{
fileName.Buffer = info->FileName;
fileName.Length = (USHORT)info->FileNameLength;
fileName.MaximumLength = (USHORT)info->FileNameLength;
if (info->FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
matched = CheckExcludeListDirFile(g_excludeDirectoryContext, &fltName->Name, &fileName);
else
matched = CheckExcludeListDirFile(g_excludeFileContext, &fltName->Name, &fileName);
if (matched)
{
BOOLEAN retn = FALSE;
if (prevInfo != NULL)
{
if (info->NextEntryOffset != 0)
{
prevInfo->NextEntryOffset += info->NextEntryOffset;
offset = info->NextEntryOffset;
}
else
{
prevInfo->NextEntryOffset = 0;
status = STATUS_SUCCESS;
retn = TRUE;
}
RtlFillMemory(info, sizeof(info), 0);
}
else
{
if (info->NextEntryOffset != 0)
{
nextInfo = (PFILE_DIRECTORY_INFORMATION)((PUCHAR)info + info->NextEntryOffset);
moveLength = 0;
while (nextInfo->NextEntryOffset != 0)
{
moveLength += FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileName) + nextInfo->FileNameLength;
nextInfo = (PFILE_DIRECTORY_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset);
}
moveLength += FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileName) + nextInfo->FileNameLength;
RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue
}
else
{
status = STATUS_NO_MORE_ENTRIES;
retn = TRUE;
}
}
DbgPrint("FsFilter1!" __FUNCTION__ ": removed: %wZ\\%wZ\n", &fltName->Name, &fileName);
if (retn)
return status;
info = (PFILE_DIRECTORY_INFORMATION)((PCHAR)info + offset);
continue;
}
offset = info->NextEntryOffset;
prevInfo = info;
info = (PFILE_DIRECTORY_INFORMATION)((PCHAR)info + offset);
if (offset == 0)
search = FALSE;
} while (search);
return STATUS_SUCCESS;
}
NTSTATUS CleanFileIdFullDirectoryInformation(PFILE_ID_FULL_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName)
{
PFILE_ID_FULL_DIR_INFORMATION nextInfo, prevInfo = NULL;
UNICODE_STRING fileName;
UINT32 offset, moveLength;
BOOLEAN matched, search;
NTSTATUS status = STATUS_SUCCESS;
offset = 0;
search = TRUE;
do
{
fileName.Buffer = info->FileName;
fileName.Length = (USHORT)info->FileNameLength;
fileName.MaximumLength = (USHORT)info->FileNameLength;
if (info->FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
matched = CheckExcludeListDirFile(g_excludeDirectoryContext, &fltName->Name, &fileName);
else
matched = CheckExcludeListDirFile(g_excludeFileContext, &fltName->Name, &fileName);
if (matched)
{
BOOLEAN retn = FALSE;
if (prevInfo != NULL)
{
if (info->NextEntryOffset != 0)
{
prevInfo->NextEntryOffset += info->NextEntryOffset;
offset = info->NextEntryOffset;
}
else
{
prevInfo->NextEntryOffset = 0;
status = STATUS_SUCCESS;
retn = TRUE;
}
RtlFillMemory(info, sizeof(info), 0);
}
else
{
if (info->NextEntryOffset != 0)
{
nextInfo = (PFILE_ID_FULL_DIR_INFORMATION)((PUCHAR)info + info->NextEntryOffset);
moveLength = 0;
while (nextInfo->NextEntryOffset != 0)
{
moveLength += FIELD_OFFSET(FILE_ID_FULL_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
nextInfo = (PFILE_ID_FULL_DIR_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset);
}
moveLength += FIELD_OFFSET(FILE_ID_FULL_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue
}
else
{
status = STATUS_NO_MORE_ENTRIES;
retn = TRUE;
}
}
DbgPrint("FsFilter1!" __FUNCTION__ ": removed: %wZ\\%wZ\n", &fltName->Name, &fileName);
if (retn)
return status;
info = (PFILE_ID_FULL_DIR_INFORMATION)((PCHAR)info + offset);
continue;
}
offset = info->NextEntryOffset;
prevInfo = info;
info = (PFILE_ID_FULL_DIR_INFORMATION)((PCHAR)info + offset);
if (offset == 0)
search = FALSE;
} while (search);
return STATUS_SUCCESS;
}
NTSTATUS CleanFileIdBothDirectoryInformation(PFILE_ID_BOTH_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName)
{
PFILE_ID_BOTH_DIR_INFORMATION nextInfo, prevInfo = NULL;
UNICODE_STRING fileName;
UINT32 offset, moveLength;
BOOLEAN matched, search;
NTSTATUS status = STATUS_SUCCESS;
offset = 0;
search = TRUE;
do
{
fileName.Buffer = info->FileName;
fileName.Length = (USHORT)info->FileNameLength;
fileName.MaximumLength = (USHORT)info->FileNameLength;
if (info->FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
matched = CheckExcludeListDirFile(g_excludeDirectoryContext, &fltName->Name, &fileName);
else
matched = CheckExcludeListDirFile(g_excludeFileContext, &fltName->Name, &fileName);
if (matched)
{
BOOLEAN retn = FALSE;
if (prevInfo != NULL)
{
if (info->NextEntryOffset != 0)
{
prevInfo->NextEntryOffset += info->NextEntryOffset;
offset = info->NextEntryOffset;
}
else
{
prevInfo->NextEntryOffset = 0;
status = STATUS_SUCCESS;
retn = TRUE;
}
RtlFillMemory(info, sizeof(info), 0);
}
else
{
if (info->NextEntryOffset != 0)
{
nextInfo = (PFILE_ID_BOTH_DIR_INFORMATION)((PUCHAR)info + info->NextEntryOffset);
moveLength = 0;
while (nextInfo->NextEntryOffset != 0)
{
moveLength += FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
nextInfo = (PFILE_ID_BOTH_DIR_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset);
}
moveLength += FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue
}
else
{
status = STATUS_NO_MORE_ENTRIES;
retn = TRUE;
}
}
DbgPrint("FsFilter1!" __FUNCTION__ ": removed: %wZ\\%wZ\n", &fltName->Name, &fileName);
if (retn)
return status;
info = (PFILE_ID_BOTH_DIR_INFORMATION)((PCHAR)info + offset);
continue;
}
offset = info->NextEntryOffset;
prevInfo = info;
info = (PFILE_ID_BOTH_DIR_INFORMATION)((PCHAR)info + offset);
if (offset == 0)
search = FALSE;
} while (search);
return status;
}
NTSTATUS CleanFileNamesInformation(PFILE_NAMES_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName)
{
PFILE_NAMES_INFORMATION nextInfo, prevInfo = NULL;
UNICODE_STRING fileName;
UINT32 offset, moveLength;
BOOLEAN search;
NTSTATUS status = STATUS_SUCCESS;
offset = 0;
search = TRUE;
do
{
fileName.Buffer = info->FileName;
fileName.Length = (USHORT)info->FileNameLength;
fileName.MaximumLength = (USHORT)info->FileNameLength;
//TODO: check, are there can be directories?
if (CheckExcludeListDirFile(g_excludeFileContext, &fltName->Name, &fileName))
{
BOOLEAN retn = FALSE;
if (prevInfo != NULL)
{
if (info->NextEntryOffset != 0)
{
prevInfo->NextEntryOffset += info->NextEntryOffset;
offset = info->NextEntryOffset;
}
else
{
prevInfo->NextEntryOffset = 0;
status = STATUS_SUCCESS;
retn = TRUE;
}
RtlFillMemory(info, sizeof(info), 0);
}
else
{
if (info->NextEntryOffset != 0)
{
nextInfo = (PFILE_NAMES_INFORMATION)((PUCHAR)info + info->NextEntryOffset);
moveLength = 0;
while (nextInfo->NextEntryOffset != 0)
{
moveLength += FIELD_OFFSET(FILE_NAMES_INFORMATION, FileName) + nextInfo->FileNameLength;
nextInfo = (PFILE_NAMES_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset);
}
moveLength += FIELD_OFFSET(FILE_NAMES_INFORMATION, FileName) + nextInfo->FileNameLength;
RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue
}
else
{
status = STATUS_NO_MORE_ENTRIES;
retn = TRUE;
}
}
DbgPrint("FsFilter1!" __FUNCTION__ ": removed: %wZ\\%wZ\n", &fltName->Name, &fileName);
if (retn)
return status;
info = (PFILE_NAMES_INFORMATION)((PCHAR)info + offset);
continue;
}
offset = info->NextEntryOffset;
prevInfo = info;
info = (PFILE_NAMES_INFORMATION)((PCHAR)info + offset);
if (offset == 0)
search = FALSE;
} while (search);
return STATUS_SUCCESS;
}
NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject)
{
NTSTATUS status;
UNICODE_STRING str;
UINT32 i;
ExcludeEntryId id;
DbgPrint("FsFilter1!" __FUNCTION__ ": Entered %d\n", (UINT32)KeGetCurrentIrql());
// Initialize and fill exclude file\dir lists
status = InitializeExcludeListContext(&g_excludeFileContext, ExcludeFile);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": exclude file list initialization failed with code:%08x\n", status);
return status;
}
for (i = 0; g_excludeFiles[i]; i++)
{
RtlInitUnicodeString(&str, g_excludeFiles[i]);
AddExcludeListFile(g_excludeFileContext, &str, &id);
}
status = InitializeExcludeListContext(&g_excludeDirectoryContext, ExcludeDirectory);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": exclude file list initialization failed with code:%08x\n", status);
DestroyExcludeListContext(g_excludeFileContext);
return status;
}
for (i = 0; g_excludeDirs[i]; i++)
{
RtlInitUnicodeString(&str, g_excludeDirs[i]);
AddExcludeListDirectory(g_excludeDirectoryContext, &str, &id);
}
// Filesystem mini-filter initialization
status = FltRegisterFilter(DriverObject, &FilterRegistration, &gFilterHandle);
if (NT_SUCCESS(status))
{
status = FltStartFiltering(gFilterHandle);
if (!NT_SUCCESS(status))
{
FltUnregisterFilter(gFilterHandle);
}
}
DbgPrint("FsFilter1!" __FUNCTION__ ": Completed status:%08x\n", status);
return status;
}
NTSTATUS AddHiddenFile(PUNICODE_STRING FilePath, PULONGLONG ObjId)
{
const USHORT maxBufSize = FilePath->Length + NORMALIZE_INCREAMENT;
UNICODE_STRING normalized;
NTSTATUS status;
normalized.Buffer = (PWCH)ExAllocatePool(PagedPool, maxBufSize);
normalized.Length = 0;
normalized.MaximumLength = maxBufSize;
if (!normalized.Buffer)
{
DbgPrint("FsFilter1!" __FUNCTION__ ": error, can't allocate buffer\n");
return STATUS_MEMORY_NOT_ALLOCATED;
}
status = NormalizeDevicePath(FilePath, &normalized);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, FilePath);
ExFreePool(normalized.Buffer);
return status;
}
DbgPrint("FsFilter1!" __FUNCTION__ ": add file:%wZ\n", &normalized);
status = AddExcludeListFile(g_excludeFileContext, &normalized, ObjId);
ExFreePool(normalized.Buffer);
return status;
}
NTSTATUS RemoveHiddenFile(ULONGLONG ObjId)
{
return RemoveExcludeListEntry(g_excludeFileContext, ObjId);
}
NTSTATUS RemoveAllHiddenFiles()
{
return RemoveAllExcludeListEntries(g_excludeFileContext);
}
NTSTATUS AddHiddenDir(PUNICODE_STRING DirPath, PULONGLONG ObjId)
{
const USHORT maxBufSize = DirPath->Length + NORMALIZE_INCREAMENT;
UNICODE_STRING normalized;
NTSTATUS status;
normalized.Buffer = (PWCH)ExAllocatePool(PagedPool, maxBufSize);
normalized.Length = 0;
normalized.MaximumLength = maxBufSize;
if (!normalized.Buffer)
{
DbgPrint("FsFilter1!" __FUNCTION__ ": error, can't allocate buffer\n");
return STATUS_MEMORY_NOT_ALLOCATED;
}
status = NormalizeDevicePath(DirPath, &normalized);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, DirPath);
ExFreePool(normalized.Buffer);
return status;
}
DbgPrint("FsFilter1!" __FUNCTION__ ": add dir:%wZ\n", &normalized);
status = AddExcludeListDirectory(g_excludeDirectoryContext, &normalized, ObjId);
ExFreePool(normalized.Buffer);
return status;
}
NTSTATUS RemoveHiddenDir(ULONGLONG ObjId)
{
return RemoveExcludeListEntry(g_excludeDirectoryContext, ObjId);
}
NTSTATUS RemoveAllHiddenDirs()
{
return RemoveAllExcludeListEntries(g_excludeDirectoryContext);
}

14
Hidden/FsFilter.h Normal file
View File

@ -0,0 +1,14 @@
#pragma once
#include <Ntddk.h>
NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject);
NTSTATUS DestroyFSMiniFilter();
NTSTATUS AddHiddenFile(PUNICODE_STRING FilePath, PULONGLONG ObjId);
NTSTATUS RemoveHiddenFile(ULONGLONG ObjId);
NTSTATUS RemoveAllHiddenFiles();
NTSTATUS AddHiddenDir(PUNICODE_STRING DirPath, PULONGLONG ObjId);
NTSTATUS RemoveHiddenDir(ULONGLONG ObjId);
NTSTATUS RemoveAllHiddenDirs();

168
Hidden/Helper.c Normal file
View File

@ -0,0 +1,168 @@
#include "Helper.h"
#define HELPER_ALLOC_TAG 'rplH'
NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffer, PSIZE_T InfoSize)
{
PVOID info = NULL;
NTSTATUS status;
ULONG size = 0, written = 0;
// Query required size
status = NtQuerySystemInformation(Class, 0, 0, &size);
if (status != STATUS_INFO_LENGTH_MISMATCH)
return status;
while (status == STATUS_INFO_LENGTH_MISMATCH)
{
size += written; // We should allocate little bit more space
if (info)
ExFreePoolWithTag(info, HELPER_ALLOC_TAG);
info = ExAllocatePoolWithTag(NonPagedPool, size, HELPER_ALLOC_TAG);
if (!info)
break;
status = NtQuerySystemInformation(Class, info, size, &written);
}
if (!info)
return STATUS_ACCESS_DENIED;
if (!NT_SUCCESS(status))
{
ExFreePoolWithTag(info, HELPER_ALLOC_TAG);
return status;
}
*InfoBuffer = info;
*InfoSize = size;
return status;
}
NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE Process, PVOID* InfoBuffer, PSIZE_T InfoSize)
{
PVOID info = NULL;
NTSTATUS status;
ULONG size = 0, written = 0;
// Query required size
status = NtQueryInformationProcess(Process, Class, 0, 0, &size);
if (status != STATUS_INFO_LENGTH_MISMATCH)
return status;
while (status == STATUS_INFO_LENGTH_MISMATCH)
{
size += written; // We should allocate little bit more space
if (info)
ExFreePoolWithTag(info, HELPER_ALLOC_TAG);
info = ExAllocatePoolWithTag(NonPagedPool, size, HELPER_ALLOC_TAG);
if (!info)
break;
status = NtQueryInformationProcess(Process, Class, info, size, &written);
}
if (!info)
return STATUS_ACCESS_DENIED;
if (!NT_SUCCESS(status))
{
ExFreePoolWithTag(info, HELPER_ALLOC_TAG);
return status;
}
*InfoBuffer = info;
*InfoSize = size;
return status;
}
VOID FreeInformation(PVOID Buffer)
{
ExFreePoolWithTag(Buffer, HELPER_ALLOC_TAG);
}
//
// Convertion template:
// \\??\\C:\\Windows -> \\Device\\HarddiskVolume1\\Windows
//
NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized)
{
UNICODE_STRING globalPrefix , dvcPrefix;
NTSTATUS status;
RtlInitUnicodeString(&globalPrefix, L"\\??\\");
RtlInitUnicodeString(&dvcPrefix, L"\\Device\\");
if (RtlPrefixUnicodeString(&globalPrefix, Path, TRUE))
{
OBJECT_ATTRIBUTES attribs;
UNICODE_STRING subPath;
HANDLE hsymLink;
ULONG i, written, size;
subPath.Buffer = (PWCH)((PUCHAR)Path->Buffer + globalPrefix.Length);
subPath.Length = Path->Length - globalPrefix.Length;
for (i = 0; i < subPath.Length; i++)
{
if (subPath.Buffer[i] == L'\\')
{
subPath.Length = (USHORT)(i * sizeof(WCHAR));
break;
}
}
if (subPath.Length == 0)
return STATUS_INVALID_PARAMETER_1;
subPath.Buffer = Path->Buffer;
subPath.Length += globalPrefix.Length;
// Open symlink
InitializeObjectAttributes(&attribs, &subPath, OBJ_KERNEL_HANDLE, NULL, NULL);
status = ZwOpenSymbolicLinkObject(&hsymLink, GENERIC_READ, &attribs);
if (!NT_SUCCESS(status))
return status;
// Query original name
status = ZwQuerySymbolicLinkObject(hsymLink, Normalized, &written);
ZwClose(hsymLink);
if (!NT_SUCCESS(status))
return status;
// Construct new variable
size = Path->Length - subPath.Length + Normalized->Length;
if (size > Normalized->MaximumLength)
return STATUS_BUFFER_OVERFLOW;
subPath.Buffer = (PWCH)((PUCHAR)Path->Buffer + subPath.Length);
subPath.Length = Path->Length - subPath.Length;
status = RtlAppendUnicodeStringToString(Normalized, &subPath);
if (!NT_SUCCESS(status))
return status;
}
else if (RtlPrefixUnicodeString(&dvcPrefix, Path, TRUE))
{
Normalized->Length = 0;
status = RtlAppendUnicodeStringToString(Normalized, Path);
if (!NT_SUCCESS(status))
return status;
}
else
{
return STATUS_INVALID_PARAMETER;
}
return STATUS_SUCCESS;
}

58
Hidden/Helper.h Normal file
View File

@ -0,0 +1,58 @@
#pragma once
#include <Ntddk.h>
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation = 0,
SystemPerformanceInformation = 2,
SystemTimeOfDayInformation = 3,
SystemProcessInformation = 5,
SystemProcessorPerformanceInformation = 8,
SystemInterruptInformation = 23,
SystemExceptionInformation = 33,
SystemRegistryQuotaInformation = 37,
SystemLookasideInformation = 45,
SystemPolicyInformation = 134,
} SYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE ProcessId;
HANDLE InheritedFromProcessId;
ULONG HandleCount;
UCHAR Reserved4[4];
PVOID Reserved5[11];
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER Reserved6[6];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
NTSYSAPI NTSTATUS NTAPI NtQuerySystemInformation(
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
NTSYSAPI NTSTATUS NTAPI NtQueryInformationProcess(
_In_ HANDLE ProcessHandle,
_In_ PROCESSINFOCLASS ProcessInformationClass,
_Out_ PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength,
_Out_opt_ PULONG ReturnLength
);
NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffer, PSIZE_T InfoSize);
NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE ProcessId, PVOID* InfoBuffer, PSIZE_T InfoSize);
VOID FreeInformation(PVOID Buffer);
#define NORMALIZE_INCREAMENT (USHORT)64
NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized);

100
Hidden/Hidden.inf Normal file
View File

@ -0,0 +1,100 @@
;;;
;;; Hidden
;;;
[Version]
Signature = "$Windows NT$"
; TODO - Change the Class and ClassGuid to match the Load Order Group value, see http://msdn.microsoft.com/en-us/windows/hardware/gg462963
Class = "ActivityMonitor" ;This is determined by the work this filter driver does
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value
;Class = "_TODO_Change_Class_appropriately_"
;ClassGuid = {_TODO_Change_ClassGuid_appropriately_}
Provider = %ManufacturerName%
DriverVer = 3/27/2016
CatalogFile = Hidden.cat
[DestinationDirs]
DefaultDestDir = 12
MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers
;;
;; Default install sections
;;
[DefaultInstall]
OptionDesc = %ServiceDescription%
CopyFiles = MiniFilter.DriverFiles
[DefaultInstall.Services]
AddService = %ServiceName%,,MiniFilter.Service
;;
;; Default uninstall sections
;;
[DefaultUninstall]
DelFiles = MiniFilter.DriverFiles
[DefaultUninstall.Services]
DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting
;
; Services Section
;
[MiniFilter.Service]
DisplayName = %ServiceName%
Description = %ServiceDescription%
ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\
Dependencies = "FltMgr"
ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER
StartType = 3 ;SERVICE_DEMAND_START
ErrorControl = 1 ;SERVICE_ERROR_NORMAL
; TODO - Change the Load Order Group value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512
LoadOrderGroup = "FSFilter Activity Monitor"
;LoadOrderGroup = "_TODO_Change_LoadOrderGroup_appropriately_"
AddReg = MiniFilter.AddRegistry
;
; Registry Modifications
;
[MiniFilter.AddRegistry]
HKR,,"DebugFlags",0x00010001 ,0x0
HKR,,"SupportedFeatures",0x00010001,0x3
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%
;
; Copy Files
;
[MiniFilter.DriverFiles]
%DriverName%.sys
[SourceDisksFiles]
Hidden.sys = 1,,
[SourceDisksNames]
1 = %DiskId1%,,,
;;
;; String Section
;;
[Strings]
; TODO - Add your manufacturer
ManufacturerName = "Template"
ServiceDescription = "Hidden Kernel Driver"
ServiceName = "Hidden"
DriverName = "Hidden"
DiskId1 = "Hidden Device Installation Disk"
;Instances specific information.
DefaultInstance = "Hidden Instance"
Instance1.Name = "Hidden Instance"
; TODO - Change the altitude value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512
Instance1.Altitude = "370030"
;Instance.Altitude = "_TODO_Change_Altitude_appropriately_"
Instance1.Flags = 0x0 ; Allow all attachments

10
Hidden/Hidden.rc Normal file
View File

@ -0,0 +1,10 @@
#include <windows.h>
#include <ntverp.h>
#define VER_FILETYPE VFT_DRV
#define VER_FILESUBTYPE VFT2_DRV_SYSTEM
#define VER_FILEDESCRIPTION_STR "Hidden Kernel Driver"
#define VER_INTERNALNAME_STR "Hidden.sys"
#include "common.ver"

290
Hidden/Hidden.vcxproj Normal file
View File

@ -0,0 +1,290 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Win8.1 Debug|Win32">
<Configuration>Win8.1 Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win8.1 Release|Win32">
<Configuration>Win8.1 Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win8 Debug|Win32">
<Configuration>Win8 Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win8 Release|Win32">
<Configuration>Win8 Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win7 Debug|Win32">
<Configuration>Win7 Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win7 Release|Win32">
<Configuration>Win7 Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win8.1 Debug|x64">
<Configuration>Win8.1 Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win8.1 Release|x64">
<Configuration>Win8.1 Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win8 Debug|x64">
<Configuration>Win8 Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win8 Release|x64">
<Configuration>Win8 Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win7 Debug|x64">
<Configuration>Win7 Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Win7 Release|x64">
<Configuration>Win7 Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Device.c" />
<ClCompile Include="FsFilter.c" />
<ClCompile Include="Helper.c" />
<ClCompile Include="PsMonitor.c" />
<ClCompile Include="PsTable.c" />
<ClCompile Include="RegFilter.c" />
<ResourceCompile Include="Hidden.rc" />
<ClCompile Include="ExcludeList.c" />
<ClCompile Include="Driver.c" />
<Inf Include="Hidden.inf" />
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}</ProjectGuid>
<TemplateGuid>{f2f62967-0815-4fd7-9b86-6eedcac766eb}</TemplateGuid>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<MinimumVisualStudioVersion>11.0</MinimumVisualStudioVersion>
<Configuration>Win8.1 Debug</Configuration>
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
<RootNamespace>Hidden</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|Win32'" Label="Configuration">
<TargetVersion>WindowsV6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|Win32'" Label="Configuration">
<TargetVersion>WindowsV6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|Win32'" Label="Configuration">
<TargetVersion>Windows8</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|Win32'" Label="Configuration">
<TargetVersion>Windows8</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|Win32'" Label="Configuration">
<TargetVersion>Windows7</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|Win32'" Label="Configuration">
<TargetVersion>Windows7</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|x64'" Label="Configuration">
<TargetVersion>WindowsV6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|x64'" Label="Configuration">
<TargetVersion>WindowsV6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|x64'" Label="Configuration">
<TargetVersion>Windows8</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|x64'" Label="Configuration">
<TargetVersion>Windows8</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|x64'" Label="Configuration">
<TargetVersion>Windows7</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|x64'" Label="Configuration">
<TargetVersion>Windows7</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|Win32'">
<Link>
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|Win32'">
<Link>
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|Win32'">
<Link>
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|Win32'">
<Link>
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|Win32'">
<Link>
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalOptions>/INTEGRITYCHECK %(AdditionalOptions)</AdditionalOptions>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|Win32'">
<Link>
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalOptions>/INTEGRITYCHECK %(AdditionalOptions)</AdditionalOptions>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|x64'">
<Link>
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|x64'">
<Link>
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|x64'">
<Link>
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|x64'">
<Link>
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|x64'">
<Link>
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|x64'">
<Link>
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<FilesToPackage Include="$(TargetPath)" />
<FilesToPackage Include="@(Inf->'%(CopyOutput)')" Condition="'@(Inf)'!=''" />
</ItemGroup>
<ItemGroup>
<Text Include="back.txt" />
<Text Include="todo.txt" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="Device.h" />
<ClInclude Include="DeviceAPI.h" />
<ClInclude Include="ExcludeList.h" />
<ClInclude Include="FsFilter.h" />
<ClInclude Include="Driver.h" />
<ClInclude Include="Helper.h" />
<ClInclude Include="PsMonitor.h" />
<ClInclude Include="PsTable.h" />
<ClInclude Include="RegFilter.h" />
</ItemGroup>
<ItemGroup>
<None Include="Hidden.inf" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

90
Hidden/Hidden.vcxproj.filters Normal file
View File

@ -0,0 +1,90 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
<Filter Include="Driver Files">
<UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
<Extensions>inf;inv;inx;mof;mc;</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<Inf Include="FsFilter1.inf">
<Filter>Driver Files</Filter>
</Inf>
</ItemGroup>
<ItemGroup>
<ClCompile Include="ExcludeList.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="RegFilter.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="Driver.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="FsFilter.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="PsMonitor.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="Device.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="Helper.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="PsTable.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="FsFilter1.rc">
<Filter>Resource Files</Filter>
</ResourceCompile>
</ItemGroup>
<ItemGroup>
<Text Include="back.txt" />
<Text Include="todo.txt" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="ExcludeList.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="RegFilter.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="FsFilter.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="PsMonitor.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="Driver.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="DeviceAPI.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="Device.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="Helper.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="PsTable.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>

355
Hidden/PsMonitor.c Normal file
View File

@ -0,0 +1,355 @@
#include "PsMonitor.h"
#include "ExcludeList.h"
#include "Helper.h"
#include "PsTable.h"
PVOID g_obRegCallback = NULL;
OB_OPERATION_REGISTRATION g_regOperation[2];
OB_CALLBACK_REGISTRATION g_regCallback;
ExcludeContext g_excludeProcessContext;
ExcludeContext g_protectProcessContext;
CONST PWCHAR g_excludeProcesses[] = {
L"\\??\\C:\\Windows\\System32\\calc.exe",
L"\\??\\C:\\Windows\\System32\\cmd.exe",
L"\\??\\C:\\Windows\\System32\\reg.exe",
NULL
};
CONST PWCHAR g_protectProcesses[] = {
L"\\??\\C:\\Windows\\System32\\cmd.exe",
L"\\??\\C:\\Windows\\System32\\csrss.exe",
L"\\??\\C:\\Windows\\System32\\services.exe",
NULL
};
CONST PWCHAR g_systemProcesses[] = {
L"\\??\\C:\\Windows\\System32\\smss.exe",
L"\\??\\C:\\Windows\\System32\\csrss.exe",
L"\\??\\C:\\Windows\\System32\\wininit.exe",
L"\\??\\C:\\Windows\\System32\\services.exe",
NULL
};
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
OB_PREOP_CALLBACK_STATUS ProcessPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
{
UNREFERENCED_PARAMETER(RegistrationContext);
if (OperationInformation->KernelHandle)
return OB_PREOP_SUCCESS;
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! Process: %d(%d:%d), Oper: %s, Space: %s\n",
PsGetProcessId(OperationInformation->Object), PsGetCurrentProcessId(), PsGetCurrentThreadId(),
(OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE ? "create" : "dup"),
(OperationInformation->KernelHandle ? "kernel" : "user")
);
if (!IsProcessProtected(PsGetProcessId(OperationInformation->Object)))
return OB_PREOP_SUCCESS;
if (IsProcessProtected(PsGetCurrentProcessId()))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected process %d\n", PsGetCurrentProcessId());
return OB_PREOP_SUCCESS;
}
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! disallow protected process %d\n", PsGetCurrentProcessId());
if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = (SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION);
else
OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = (SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION);
return OB_PREOP_SUCCESS;
}
OB_PREOP_CALLBACK_STATUS ThreadPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
{
UNREFERENCED_PARAMETER(RegistrationContext);
if (OperationInformation->KernelHandle)
return OB_PREOP_SUCCESS;
DbgPrint("FsFilter1!" __FUNCTION__ ": Thread: %d(%d:%d), Oper: %s, Space: %s\n",
PsGetThreadId(OperationInformation->Object), PsGetCurrentProcessId(), PsGetCurrentThreadId(),
(OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE ? "create" : "dup"),
(OperationInformation->KernelHandle ? "kernel" : "user")
);
if (!IsProcessProtected(PsGetProcessId(OperationInformation->Object)))
return OB_PREOP_SUCCESS;
if (IsProcessProtected(PsGetCurrentProcessId()))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected thread %d\n", PsGetCurrentProcessId());
return OB_PREOP_SUCCESS;
}
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! disallow protected thread %d\n", PsGetCurrentProcessId());
if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = (SYNCHRONIZE | THREAD_QUERY_LIMITED_INFORMATION);
else
OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = (SYNCHRONIZE | THREAD_QUERY_LIMITED_INFORMATION);
return OB_PREOP_SUCCESS;
}
VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDLE ParentId)
{
ProcessTableEntry lookup;
RtlZeroMemory(&lookup, sizeof(lookup));
// Check exclude flag
if (CheckExcludeListFile(g_excludeProcessContext, ImgPath))
{
Entry->excluded = TRUE;
}
else if (ParentId != 0)
{
lookup.processId = ParentId;
if (!GetProcessInProcessTable(&lookup))
DbgPrint("FsFilter1!" __FUNCTION__ ": can't find parent process(pid:%d) in process table (exclude)\n", ParentId);
else
Entry->excluded = lookup.excluded;
}
// Check protected flag
if (CheckExcludeListFile(g_protectProcessContext, ImgPath))
{
Entry->protected = TRUE;
}
else if (ParentId != 0)
{
if (!lookup.processId)
{
lookup.processId = ParentId;
if (!GetProcessInProcessTable(&lookup))
DbgPrint("FsFilter1!" __FUNCTION__ ": can't find parent process(pid:%d) in process table (protected)\n", ParentId);
else
Entry->protected = lookup.protected;
}
else
{
Entry->protected = lookup.protected;
}
}
}
VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
ProcessTableEntry entry;
UNREFERENCED_PARAMETER(Process);
if (CreateInfo)
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! new process: %d (%d:%d), %wZ\n", ProcessId, PsGetCurrentProcessId(), PsGetCurrentThreadId(), CreateInfo->ImageFileName);
else
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! destroy process: %d (%d:%d)\n", ProcessId, PsGetCurrentProcessId(), PsGetCurrentThreadId());
RtlZeroMemory(&entry, sizeof(entry));
entry.processId = ProcessId;
if (CreateInfo)
{
const USHORT maxBufSize = CreateInfo->ImageFileName->Length + NORMALIZE_INCREAMENT;
UNICODE_STRING normalized;
NTSTATUS status;
normalized.Buffer = (PWCH)ExAllocatePool(PagedPool, maxBufSize);
normalized.Length = 0;
normalized.MaximumLength = maxBufSize;
if (!normalized.Buffer)
{
DbgPrint("FsFilter1!" __FUNCTION__ ": error, can't allocate buffer\n");
return;
}
status = NormalizeDevicePath(CreateInfo->ImageFileName, &normalized);
ExFreePool(normalized.Buffer);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, CreateInfo->ImageFileName);
return;
}
CheckProcessFlags(&entry, CreateInfo->ImageFileName, CreateInfo->ParentProcessId);
if (entry.excluded)
DbgPrint("FsFilter1!" __FUNCTION__ ": excluded process:%d\n", ProcessId);
if (entry.protected)
DbgPrint("FsFilter1!" __FUNCTION__ ": protected process:%d\n", ProcessId);
if (!AddProcessToProcessTable(&entry))
DbgPrint("FsFilter1!" __FUNCTION__ ": can't add process(pid:%d) to process table\n", ProcessId);
}
else
{
if (!RemoveProcessFromProcessTable(&entry))
DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove process(pid:%d) from process table\n", ProcessId);
}
}
BOOLEAN IsProcessExcluded(HANDLE ProcessId)
{
ProcessTableEntry entry;
entry.processId = ProcessId;
if (!GetProcessInProcessTable(&entry))
return FALSE;
return entry.excluded;
}
BOOLEAN IsProcessProtected(HANDLE ProcessId)
{
ProcessTableEntry entry;
entry.processId = ProcessId;
if (!GetProcessInProcessTable(&entry))
return FALSE;
return entry.protected;
}
NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
{
const USHORT maxBufSize = 512;
NTSTATUS status;
UNICODE_STRING str, normalized;
UINT32 i;
ExcludeEntryId id;
UNREFERENCED_PARAMETER(DriverObject);
normalized.Buffer = (PWCH)ExAllocatePool(NonPagedPool, maxBufSize);
normalized.Length = 0;
normalized.MaximumLength = maxBufSize;
if (!normalized.Buffer)
{
DbgPrint("FsFilter1!" __FUNCTION__ ": allocation failed\n");
return STATUS_ACCESS_DENIED;
}
// Initialize and fill exclude file\dir lists
status = InitializeExcludeListContext(&g_excludeProcessContext, ExcludeFile);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": exclude process list initialization failed with code:%08x\n", status);
return status;
}
for (i = 0; g_excludeProcesses[i]; i++)
{
RtlInitUnicodeString(&str, g_excludeProcesses[i]);
status = NormalizeDevicePath(&str, &normalized);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, &str);
continue;
}
AddExcludeListFile(g_excludeProcessContext, &normalized, &id);
}
status = InitializeExcludeListContext(&g_protectProcessContext, ExcludeDirectory);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": protect process list initialization failed with code:%08x\n", status);
DestroyExcludeListContext(g_excludeProcessContext);
ExFreePool(normalized.Buffer);
return status;
}
for (i = 0; g_protectProcesses[i]; i++)
{
RtlInitUnicodeString(&str, g_protectProcesses[i]);
status = NormalizeDevicePath(&str, &normalized);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, &str);
continue;
}
AddExcludeListDirectory(g_protectProcessContext, &normalized, &id);
}
status = InitializeProcessTable(CheckProcessFlags);
if (!NT_SUCCESS(status))
{
DestroyExcludeListContext(g_excludeProcessContext);
DestroyExcludeListContext(g_protectProcessContext);
ExFreePool(normalized.Buffer);
return status;
}
ExFreePool(normalized.Buffer);
// Register ps\thr pre create\duplicate object callback
g_regOperation[0].ObjectType = PsProcessType;
g_regOperation[0].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
g_regOperation[0].PreOperation = ProcessPreCallback;
g_regOperation[0].PostOperation = NULL;
g_regOperation[1].ObjectType = PsThreadType;
g_regOperation[1].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
g_regOperation[1].PreOperation = ThreadPreCallback;
g_regOperation[1].PostOperation = NULL;
g_regCallback.Version = OB_FLT_REGISTRATION_VERSION;
g_regCallback.OperationRegistrationCount = 2;
g_regCallback.RegistrationContext = NULL;
g_regCallback.OperationRegistration = g_regOperation;
RtlInitUnicodeString(&g_regCallback.Altitude, L"1000");
status = ObRegisterCallbacks(&g_regCallback, &g_obRegCallback);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": Object filter registration failed with code:%08x\n", status);
DestroyPsMonitor();
return status;
}
// Register rocess create\destroy callback
status = PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyCallback, FALSE);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": process notify registartion failed with code:%08x\n", status);
DestroyPsMonitor();
return status;
}
return status;
}
NTSTATUS DestroyPsMonitor()
{
if (g_obRegCallback)
{
ObUnRegisterCallbacks(g_obRegCallback);
g_obRegCallback = NULL;
}
PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyCallback, TRUE);
DestroyExcludeListContext(g_excludeProcessContext);
DestroyExcludeListContext(g_protectProcessContext);
DestroyProcessTable();
return STATUS_SUCCESS;
}

9
Hidden/PsMonitor.h Normal file
View File

@ -0,0 +1,9 @@
#pragma once
#include <Ntddk.h>
NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject);
NTSTATUS DestroyPsMonitor();
BOOLEAN IsProcessExcluded(HANDLE ProcessId);
BOOLEAN IsProcessProtected(HANDLE ProcessId);

201
Hidden/PsTable.c Normal file
View File

@ -0,0 +1,201 @@
#include "PsTable.h"
#include "Helper.h"
#define PSTREE_ALLOC_TAG 'rTsP'
RTL_AVL_TABLE g_processTable;
KSPIN_LOCK g_processTableLock;
RTL_GENERIC_COMPARE_RESULTS CompareProcessTableEntry(struct _RTL_AVL_TABLE *Table, PVOID FirstStruct, PVOID SecondStruct)
{
PProcessTableEntry first = (PProcessTableEntry)FirstStruct;
PProcessTableEntry second = (PProcessTableEntry)SecondStruct;
UNREFERENCED_PARAMETER(Table);
if (first->processId > second->processId)
return GenericGreaterThan;
if (first->processId < second->processId)
return GenericLessThan;
return GenericEqual;
}
PVOID AllocateProcessTableEntry(struct _RTL_AVL_TABLE *Table, CLONG ByteSize)
{
UNREFERENCED_PARAMETER(Table);
return ExAllocatePoolWithTag(NonPagedPool, ByteSize, PSTREE_ALLOC_TAG);
}
VOID FreeProcessTableEntry(struct _RTL_AVL_TABLE *Table, PVOID Buffer)
{
UNREFERENCED_PARAMETER(Table);
ExFreePoolWithTag(Buffer, PSTREE_ALLOC_TAG);
}
// API
BOOLEAN AddProcessToProcessTable(PProcessTableEntry entry)
{
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result = FALSE;
PVOID buf;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
buf = RtlInsertElementGenericTableAvl(&g_processTable, entry, sizeof(ProcessTableEntry), &result);
KeReleaseInStackQueuedSpinLock(&lockHandle);
if (buf == NULL)
return FALSE;
return result;
}
BOOLEAN RemoveProcessFromProcessTable(PProcessTableEntry entry)
{
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
result = RtlDeleteElementGenericTableAvl(&g_processTable, entry);
KeReleaseInStackQueuedSpinLock(&lockHandle);
return result;
}
BOOLEAN GetProcessInProcessTable(PProcessTableEntry entry)
{
KLOCK_QUEUE_HANDLE lockHandle;
PProcessTableEntry entry2;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
entry2 = (PProcessTableEntry)RtlLookupElementGenericTableAvl(&g_processTable, entry);
KeReleaseInStackQueuedSpinLock(&lockHandle);
if (!entry2)
return FALSE;
RtlCopyMemory(entry, entry2, sizeof(ProcessTableEntry));
return TRUE;
}
BOOLEAN UpdateProcessInProcessTable(PProcessTableEntry entry)
{
KLOCK_QUEUE_HANDLE lockHandle;
PProcessTableEntry entry2;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
entry2 = (PProcessTableEntry)RtlLookupElementGenericTableAvl(&g_processTable, entry);
KeReleaseInStackQueuedSpinLock(&lockHandle);
if (!entry2)
return FALSE;
RtlCopyMemory(entry2, entry, sizeof(ProcessTableEntry));
return TRUE;
}
// Initialization
NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEntry, PCUNICODE_STRING, HANDLE))
{
PSYSTEM_PROCESS_INFORMATION processInfo = NULL, first;
NTSTATUS status;
ULONG size = 0, offset;
// Init process table
KeInitializeSpinLock(&g_processTableLock);
RtlInitializeGenericTableAvl(&g_processTable, CompareProcessTableEntry, AllocateProcessTableEntry, FreeProcessTableEntry, NULL);
// We should query processes information for creation process table for existing processes
status = QuerySystemInformation(SystemProcessInformation, &processInfo, &size);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": query system information(pslist) failed with code:%08x\n", status);
return status;
}
offset = 0;
first = processInfo;
do
{
ProcessTableEntry entry;
PUNICODE_STRING procName;
CLIENT_ID clientId;
OBJECT_ATTRIBUTES attribs;
HANDLE hProcess;
SIZE_T size;
// Get process path
processInfo = (PSYSTEM_PROCESS_INFORMATION)((SIZE_T)processInfo + offset);
InitializeObjectAttributes(&attribs, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
clientId.UniqueProcess = processInfo->ProcessId;
clientId.UniqueThread = 0;
status = NtOpenProcess(&hProcess, 0x1000/*PROCESS_QUERY_LIMITED_INFORMATION*/, &attribs, &clientId);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": can't open process (pid:%d) failed with code:%08x\n", processInfo->ProcessId, status);
offset = processInfo->NextEntryOffset;
continue;
}
status = QueryProcessInformation(ProcessImageFileName, hProcess, &procName, &size);
ZwClose(hProcess);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": query process information(pid:%d) failed with code:%08x\n", processInfo->ProcessId, status);
offset = processInfo->NextEntryOffset;
continue;
}
// Add process in process table
RtlZeroMemory(&entry, sizeof(entry));
entry.processId = processInfo->ProcessId;
DbgPrint("FsFilter1!" __FUNCTION__ ": add process: %d, %wZ\n", processInfo->ProcessId, procName);
InitProcessEntryCallback(&entry, procName, processInfo->InheritedFromProcessId);
if (!AddProcessToProcessTable(&entry))
DbgPrint("FsFilter1!" __FUNCTION__ ": can't add process(pid:%d) to process table\n", processInfo->ProcessId);
// Go to next
FreeInformation(procName);
offset = processInfo->NextEntryOffset;
}
while (offset);
FreeInformation(first);
return status;
}
VOID DestroyProcessTable()
{
KLOCK_QUEUE_HANDLE lockHandle;
PProcessTableEntry entry;
PVOID restartKey = NULL;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&g_processTable, &restartKey);
entry != NULL;
entry = RtlEnumerateGenericTableWithoutSplayingAvl(&g_processTable, &restartKey))
{
if (!RtlDeleteElementGenericTableAvl(&g_processTable, entry))
DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove element from process table, looks like memory leak\n");
restartKey = NULL; // reset enum
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
}

18
Hidden/PsTable.h Normal file
View File

@ -0,0 +1,18 @@
#pragma once
#include <Ntddk.h>
typedef struct _ProcessTableEntry{
HANDLE processId;
BOOLEAN excluded;
BOOLEAN protected;
} ProcessTableEntry, *PProcessTableEntry;
NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEntry, PCUNICODE_STRING, HANDLE));
VOID DestroyProcessTable();
BOOLEAN AddProcessToProcessTable(PProcessTableEntry entry);
BOOLEAN RemoveProcessFromProcessTable(PProcessTableEntry entry);
BOOLEAN GetProcessInProcessTable(PProcessTableEntry entry);
BOOLEAN UpdateProcessInProcessTable(PProcessTableEntry entry);

520
Hidden/RegFilter.c Normal file
View File

@ -0,0 +1,520 @@
// =========================================================================================
// Registry filter
// =========================================================================================
#include "RegFilter.h"
#include "ExcludeList.h"
#include "PsMonitor.h"
#define FILTER_ALLOC_TAG 'FRlF'
ExcludeContext g_excludeRegKeyContext;
ExcludeContext g_excludeRegValueContext;
CONST PWCHAR g_excludeRegKeys[] = {
// L"\\REGISTRY\\MACHINE\\SOFTWARE\\test",
// L"\\Registry\\MACHINE\\SOFTWARE\\test2",
NULL
};
CONST PWCHAR g_excludeRegValues[] = {
// L"\\REGISTRY\\MACHINE\\SOFTWARE\\aaa",
// L"\\Registry\\MACHINE\\SOFTWARE\\xxx",
// L"\\Registry\\MACHINE\\SOFTWARE\\aa",
// L"\\Registry\\MACHINE\\SOFTWARE\\aaa",
// L"\\Registry\\MACHINE\\SOFTWARE\\aaaa",
// L"\\Registry\\MACHINE\\SOFTWARE\\zz",
NULL
};
LARGE_INTEGER g_regCookie = { 0 };
BOOLEAN CheckRegistryKeyInExcludeList(PVOID RootObject, PUNICODE_STRING keyPath)
{
PCUNICODE_STRING regPath;
NTSTATUS status;
BOOLEAN found = FALSE;
// Check is the registry path matched to exclude list
if (keyPath->Length > sizeof(WCHAR) && keyPath->Buffer[0] == L'\\')
{
// Check absolute path
//DbgPrint("FsFilter1!" __FUNCTION__ ": absolute %wZ\n", keyPath);
found = CheckExcludeListRegKey(g_excludeRegKeyContext, keyPath);
}
else
{
// Check relative path
enum { LOCAL_BUF_SIZE = 256 };
WCHAR localBuffer[LOCAL_BUF_SIZE];
LPWSTR dynBuffer = NULL;
UNICODE_STRING fullRegPath;
USHORT totalSize;
// Obtain root key path
status = CmCallbackGetKeyObjectID(&g_regCookie, RootObject, NULL, &regPath);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": Registry name query failed with code:%08x\n", status);
return FALSE;
}
// Concatenate root path + sub key path
totalSize = regPath->Length + keyPath->Length + sizeof(WCHAR);
if (totalSize / sizeof(WCHAR) > LOCAL_BUF_SIZE)
{
// local buffer too small, we should allocate memory
dynBuffer = (LPWSTR)ExAllocatePoolWithTag(NonPagedPool, totalSize, FILTER_ALLOC_TAG);
if (!dynBuffer)
{
DbgPrint("FsFilter1!" __FUNCTION__ ": Memory allocation failed with code:%08x\n", status);
return FALSE;
}
memcpy(dynBuffer, regPath->Buffer, regPath->Length);
fullRegPath.Buffer = dynBuffer;
}
else
{
// use local buffer
fullRegPath.Buffer = localBuffer;
}
// copy root path + sub key path to new buffer
memcpy(fullRegPath.Buffer, regPath->Buffer, regPath->Length);
fullRegPath.Buffer[regPath->Length / sizeof(WCHAR)] = L'\\';
memcpy(
(PCHAR)fullRegPath.Buffer + regPath->Length + sizeof(WCHAR),
keyPath->Buffer,
keyPath->Length);
fullRegPath.Length = totalSize;
fullRegPath.MaximumLength = fullRegPath.Length;
// Compare to exclude list
//DbgPrint("FsFilter1!" __FUNCTION__ ": relative %wZ\n", &fullRegPath);
found = CheckExcludeListRegKey(g_excludeRegKeyContext, &fullRegPath);
if (dynBuffer)
ExFreePoolWithTag(dynBuffer, FILTER_ALLOC_TAG);
}
return found;
}
NTSTATUS RegPreCreateKey(PVOID context, PREG_PRE_CREATE_KEY_INFORMATION info)
{
UNREFERENCED_PARAMETER(context);
if (IsProcessExcluded(PsGetCurrentProcessId()))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
return STATUS_SUCCESS;
}
DbgPrint("FsFilter1!" __FUNCTION__ ": RegPreCreateKey(absolute) %wZ\n", info->CompleteName);
if (CheckExcludeListRegKey(g_excludeRegKeyContext, info->CompleteName))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": found!\n");
return STATUS_ACCESS_DENIED;
}
return STATUS_SUCCESS;
}
NTSTATUS RegPreCreateKeyEx(PVOID context, PREG_CREATE_KEY_INFORMATION info)
{
UNREFERENCED_PARAMETER(context);
if (IsProcessExcluded(PsGetCurrentProcessId()))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
return STATUS_SUCCESS;
}
if (CheckRegistryKeyInExcludeList(info->RootObject, info->CompleteName))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": found!\n");
return STATUS_ACCESS_DENIED;
}
return STATUS_SUCCESS;
}
NTSTATUS RegPreOpenKey(PVOID context, PREG_PRE_OPEN_KEY_INFORMATION info)
{//TODO: isn't used?
UNREFERENCED_PARAMETER(context);
if (IsProcessExcluded(PsGetCurrentProcessId()))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
return STATUS_SUCCESS;
}
DbgPrint("FsFilter1!" __FUNCTION__ ": RegPreCreateKey(absolute) %wZ\n", info->CompleteName);
if (CheckExcludeListRegKey(g_excludeRegKeyContext, info->CompleteName))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": found!\n");
return STATUS_NOT_FOUND;
}
return STATUS_SUCCESS;
}
NTSTATUS RegPreOpenKeyEx(PVOID context, PREG_OPEN_KEY_INFORMATION info)
{
UNREFERENCED_PARAMETER(context);
if (IsProcessExcluded(PsGetCurrentProcessId()))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
return STATUS_SUCCESS;
}
if (CheckRegistryKeyInExcludeList(info->RootObject, info->CompleteName))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": found!\n");
return STATUS_NOT_FOUND;
}
return STATUS_SUCCESS;
}
BOOLEAN GetNameFromEnumKeyPreInfo(KEY_INFORMATION_CLASS infoClass, PVOID infoBuffer, PUNICODE_STRING keyName)
{
switch (infoClass)
{
case KeyBasicInformation:
{
PKEY_BASIC_INFORMATION keyInfo = (PKEY_BASIC_INFORMATION)infoBuffer;
keyName->Buffer = keyInfo->Name;
keyName->Length = keyName->MaximumLength = (USHORT)keyInfo->NameLength;
}
break;
case KeyNameInformation:
{
PKEY_NAME_INFORMATION keyInfo = (PKEY_NAME_INFORMATION)infoBuffer;
keyName->Buffer = keyInfo->Name;
keyName->Length = keyName->MaximumLength = (USHORT)keyInfo->NameLength;
}
break;
default:
return FALSE;
}
return TRUE;
}
NTSTATUS RegPostEnumKey(PVOID context, PREG_POST_OPERATION_INFORMATION info)
{
PREG_ENUMERATE_KEY_INFORMATION preInfo;
PCUNICODE_STRING regPath;
UNICODE_STRING keyName;
UINT32 incIndex;
NTSTATUS status;
UNREFERENCED_PARAMETER(context);
if (!NT_SUCCESS(info->Status))
return STATUS_SUCCESS;
if (IsProcessExcluded(PsGetCurrentProcessId()))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
return STATUS_SUCCESS;
}
status = CmCallbackGetKeyObjectID(&g_regCookie, info->Object, NULL, &regPath);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": Registry name query failed with code:%08x\n", status);
return STATUS_SUCCESS;
}
preInfo = (PREG_ENUMERATE_KEY_INFORMATION)info->PreInformation;
if (!GetNameFromEnumKeyPreInfo(preInfo->KeyInformationClass, preInfo->KeyInformation, &keyName))
return STATUS_SUCCESS;
incIndex = 0;
if (CheckExcludeListRegKeyValueName(g_excludeRegKeyContext, (PUNICODE_STRING)regPath, &keyName, &incIndex))
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! found %wZ (inc: %d)\n", regPath, incIndex);//TODO: remove it
if (incIndex > 0)
{
HANDLE Key;
ULONG resLen, i;
BOOLEAN infinite = TRUE;
status = ObOpenObjectByPointer(info->Object, OBJ_KERNEL_HANDLE, NULL, KEY_ALL_ACCESS, *CmKeyObjectType, KernelMode, &Key);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": ObOpenObjectByPointer() failed with code:%08x\n", status);
return STATUS_SUCCESS;
}
for (i = 0; infinite; i++)
{
status = ZwEnumerateKey(Key, preInfo->Index + incIndex, preInfo->KeyInformationClass, preInfo->KeyInformation, preInfo->Length, &resLen);
if (!NT_SUCCESS(status))
break;
if (!GetNameFromEnumKeyPreInfo(preInfo->KeyInformationClass, preInfo->KeyInformation, &keyName))
break;
if (!CheckExcludeListRegKeyValueName(g_excludeRegKeyContext, (PUNICODE_STRING)regPath, &keyName, &incIndex))
{
*preInfo->ResultLength = resLen;
break;
}
}
info->ReturnStatus = status;
ZwClose(Key);
}
return STATUS_SUCCESS;
}
BOOLEAN GetNameFromEnumValuePreInfo(KEY_VALUE_INFORMATION_CLASS infoClass, PVOID infoBuffer, PUNICODE_STRING keyName)
{
switch (infoClass)
{
case KeyValueBasicInformation:
{
PKEY_VALUE_BASIC_INFORMATION keyInfo = (PKEY_VALUE_BASIC_INFORMATION)infoBuffer;
keyName->Buffer = keyInfo->Name;
keyName->Length = keyName->MaximumLength = (USHORT)keyInfo->NameLength;
}
break;
case KeyValueFullInformation:
case KeyValueFullInformationAlign64:
{
PKEY_VALUE_FULL_INFORMATION keyInfo = (PKEY_VALUE_FULL_INFORMATION)infoBuffer;
keyName->Buffer = keyInfo->Name;
keyName->Length = keyName->MaximumLength = (USHORT)keyInfo->NameLength;
}
break;
default:
return FALSE;
}
return TRUE;
}
NTSTATUS RegPostEnumValue(PVOID context, PREG_POST_OPERATION_INFORMATION info)
{
PREG_ENUMERATE_KEY_INFORMATION preInfo;
PCUNICODE_STRING regPath;
UNICODE_STRING keyName;
UINT32 incIndex;
NTSTATUS status;
UNREFERENCED_PARAMETER(context);
if (!NT_SUCCESS(info->Status))
return STATUS_SUCCESS;
if (IsProcessExcluded(PsGetCurrentProcessId()))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
return STATUS_SUCCESS;
}
status = CmCallbackGetKeyObjectID(&g_regCookie, info->Object, NULL, &regPath);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": Registry name query failed with code:%08x\n", status);
return STATUS_SUCCESS;
}
preInfo = (PREG_ENUMERATE_KEY_INFORMATION)info->PreInformation;
if (!GetNameFromEnumValuePreInfo(preInfo->KeyInformationClass, preInfo->KeyInformation, &keyName))
return STATUS_SUCCESS;
incIndex = 0;
if (CheckExcludeListRegKeyValueName(g_excludeRegValueContext, (PUNICODE_STRING)regPath, &keyName, &incIndex))
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! found %wZ (inc: %d)\n", regPath, incIndex);
if (incIndex > 0)
{
HANDLE Key;
ULONG resLen, i;
BOOLEAN infinite = TRUE;
status = ObOpenObjectByPointer(info->Object, OBJ_KERNEL_HANDLE, NULL, KEY_ALL_ACCESS, *CmKeyObjectType, KernelMode, &Key);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": ObOpenObjectByPointer() failed with code:%08x\n", status);
return STATUS_SUCCESS;
}
for (i = 0; infinite; i++)
{
status = ZwEnumerateValueKey(Key, preInfo->Index + incIndex, preInfo->KeyInformationClass, preInfo->KeyInformation, preInfo->Length, &resLen);
if (!NT_SUCCESS(status))
break;
if (!GetNameFromEnumValuePreInfo(preInfo->KeyInformationClass, preInfo->KeyInformation, &keyName))
break;
if (!CheckExcludeListRegKeyValueName(g_excludeRegValueContext, (PUNICODE_STRING)regPath, &keyName, &incIndex))
{
*preInfo->ResultLength = resLen;
break;
}
}
info->ReturnStatus = status;
ZwClose(Key);
}
return STATUS_SUCCESS;
}
NTSTATUS RegistryFilterCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
{
REG_NOTIFY_CLASS notifyClass = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;
NTSTATUS status;
switch (notifyClass)
{
case RegNtPreCreateKey:
status = RegPreCreateKey(CallbackContext, (PREG_PRE_CREATE_KEY_INFORMATION)Argument2);
break;
case RegNtPreCreateKeyEx:
status = RegPreCreateKeyEx(CallbackContext, (PREG_CREATE_KEY_INFORMATION)Argument2);
break;
case RegNtPreOpenKey:
status = RegPreCreateKey(CallbackContext, (PREG_PRE_OPEN_KEY_INFORMATION)Argument2);
break;
case RegNtPreOpenKeyEx:
status = RegPreOpenKeyEx(CallbackContext, (PREG_OPEN_KEY_INFORMATION)Argument2);
break;
case RegNtPostEnumerateKey:
status = RegPostEnumKey(CallbackContext, (PREG_POST_OPERATION_INFORMATION)Argument2);
break;
case RegNtPostEnumerateValueKey:
status = RegPostEnumValue(CallbackContext, (PREG_POST_OPERATION_INFORMATION)Argument2);
break;
default:
status = STATUS_SUCCESS;
break;
}
return status;
}
NTSTATUS InitializeRegistryFilter(PDRIVER_OBJECT DriverObject)
{
NTSTATUS status;
UNICODE_STRING altitude, str;
ExcludeEntryId id;
UINT32 i;
// Fill exclude lists
status = InitializeExcludeListContext(&g_excludeRegKeyContext, ExcludeRegKey);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": exclude registry key list initialization failed with code:%08x\n", status);
return status;
}
for (i = 0; g_excludeRegKeys[i]; i++)
{
RtlInitUnicodeString(&str, g_excludeRegKeys[i]);
AddExcludeListRegistryKey(g_excludeRegKeyContext, &str, &id);
}
status = InitializeExcludeListContext(&g_excludeRegValueContext, ExcludeRegValue);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": exclude registry value list initialization failed with code:%08x\n", status);
DestroyExcludeListContext(g_excludeRegKeyContext);
return status;
}
for (i = 0; g_excludeRegValues[i]; i++)
{
RtlInitUnicodeString(&str, g_excludeRegValues[i]);
AddExcludeListRegistryValue(g_excludeRegValueContext, &str, &id);
}
// Register registry filter
RtlInitUnicodeString(&altitude, L"320000");
status = CmRegisterCallbackEx(&RegistryFilterCallback, &altitude, DriverObject, NULL, &g_regCookie, NULL);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": Registry filter registration failed with code:%08x\n", status);
DestroyExcludeListContext(g_excludeRegKeyContext);
DestroyExcludeListContext(g_excludeRegValueContext);
return status;
}
return status;
}
NTSTATUS DestroyRegistryFilter()
{
NTSTATUS status;
status = CmUnRegisterCallback(g_regCookie);
if (!NT_SUCCESS(status))
DbgPrint("FsFilter1!" __FUNCTION__ ": Registry filter unregistration failed with code:%08x\n", status);
return status;
}
NTSTATUS AddHiddenRegKey(PUNICODE_STRING KeyPath, PULONGLONG ObjId)
{
NTSTATUS status;
// TODO: normalize registry key path
status = AddExcludeListRegistryKey(g_excludeRegKeyContext, KeyPath, ObjId);
return status;
}
NTSTATUS RemoveHiddenRegKey(ULONGLONG ObjId)
{
return RemoveExcludeListEntry(g_excludeRegKeyContext, ObjId);
}
NTSTATUS RemoveAllHiddenRegKeys()
{
return RemoveAllExcludeListEntries(g_excludeRegKeyContext);
}
NTSTATUS AddHiddenRegValue(PUNICODE_STRING ValuePath, PULONGLONG ObjId)
{
NTSTATUS status;
// TODO: normalize registry value path
status = AddExcludeListRegistryValue(g_excludeRegValueContext, ValuePath, ObjId);
return status;
}
NTSTATUS RemoveHiddenRegValue(ULONGLONG ObjId)
{
return RemoveExcludeListEntry(g_excludeRegValueContext, ObjId);
}
NTSTATUS RemoveAllHiddenRegValues()
{
return RemoveAllExcludeListEntries(g_excludeRegValueContext);
}

15
Hidden/RegFilter.h Normal file
View File

@ -0,0 +1,15 @@
#pragma once
#include <Ntifs.h>
NTSTATUS InitializeRegistryFilter(PDRIVER_OBJECT DriverObject);
NTSTATUS DestroyRegistryFilter();
NTSTATUS AddHiddenRegKey(PUNICODE_STRING KeyPath, PULONGLONG ObjId);
NTSTATUS RemoveHiddenRegKey(ULONGLONG ObjId);
NTSTATUS RemoveAllHiddenRegKeys();
NTSTATUS AddHiddenRegValue(PUNICODE_STRING ValuePath, PULONGLONG ObjId);
NTSTATUS RemoveHiddenRegValue(ULONGLONG ObjId);
NTSTATUS RemoveAllHiddenRegValues();

1
Hidden/back.txt Normal file
View File

@ -0,0 +1 @@


41
Hidden/todo.txt Normal file
View File

@ -0,0 +1,41 @@
TODO:
+ Добавить поддержку фильтрации открытия и создания key
+ Добавить поддержку фильтрации перечисления key
+ Добавить поддержку фильтрации перечисления value
- Почистить Exclude List
+ Добавить в Exclude List поддержку case insensetive crc32 (если возможно, например русские буквы) (*Нет необхлжимости)
- Добавить в Exclude List для файлов такую же лексическую сортировку как и в реестру, возможно обьеденить ф-и
- Переписать всё на основе AVL или других buildin generic trees
+ Вынести fs filter и reg filter в отдельные файлы
+ Протестировать фишки с ObRegisterCallback
+ Стерание всех флагов
- Реализовать PsMonitor со всеми вытекающими
- Реализовать рабочий прототип
+ Для Exclude
- Для Protected
- Для System
- Реализовать интерфейс для IOCTL
- Реализовать интерфейс для File & Reg мониторов
+ Вынести Process Table в отдельный файл
+ Переименовать Process Tree в Process Table
- Реализовать конвертирование NT path в кернел путь \\Deivce\\HardDisk..
+ Портировать в PsMonitor
- Портировать в Device API
+ FS filter
- Reg filter
+ Реализовать RemoveAllExcludeListEntries
- Реализовать IOCTL протокол управления
- Реализовать usermode библиотеку для работы с IOCTL API
- Реализовать программу управления драйвером, средствами IOCTL API
+ Слинковать с IOCTL API lib
- Проверить работу на x64
- Залить проект на Git
- Переименовать проект драйвера в Hidden
- Привести в порядок все версии билда Release, Debug, ...
- Добавить в проект конфигурации для сокрытия виртуалок
- Сокрытие VMWare Tools
- Отреверсить установщик VMWare tools
- Сокрытие VMBox Tools
- Отреверсить установщик VMBox tools
- Насодить на ETL и DbgPrintEx

101
HiddenCLI/HiddenCLI.cpp Normal file
View File

@ -0,0 +1,101 @@
#include <Windows.h>
#include <iostream>
#include <stdio.h>
#include "../HiddenLib/HiddenLib.h"
using namespace std;
CONST PWCHAR g_excludeFiles[] = {
// L"c:\\Windows\\System32\\calc.exe",
// L"c:\\test.txt",
// L"c:\\abcd\\test.txt",
L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc.exe",
L"\\??\\C:\\test.txt",
L"\\??\\C:\\abcd\\test.txt",
};
CONST PWCHAR g_excludeDirs[] = {
// L"\\Device\\HarddiskVolume1\\abc",
// L"\\Device\\HarddiskVolume1\\abcd\\abc",
// L"\\Device\\HarddiskVolume1\\New folder",
L"\\Device\\HarddiskVolume1\\abc",
L"\\??\\C:\\abcd\\abc",
L"\\??\\C:\\New folder",
};
CONST PWCHAR g_excludeRegKeys[] = {
L"\\REGISTRY\\MACHINE\\SOFTWARE\\test",
L"\\Registry\\MACHINE\\SOFTWARE\\test2",
};
CONST PWCHAR g_excludeRegValues[] = {
L"\\REGISTRY\\MACHINE\\SOFTWARE\\aaa",
L"\\Registry\\MACHINE\\SOFTWARE\\xxx",
L"\\Registry\\MACHINE\\SOFTWARE\\aa",
L"\\Registry\\MACHINE\\SOFTWARE\\aaa",
L"\\Registry\\MACHINE\\SOFTWARE\\aaaa",
L"\\Registry\\MACHINE\\SOFTWARE\\zz",
};
int wmain(int argc, wchar_t *argv[])
{
HidContext hid_context;
HidStatus hid_status;
int count;
cout << "Start!" << endl;
hid_status = Hid_Initialize(&hid_context);
if (!HID_STATUS_SUCCESSFUL(hid_status))
{
cout << "Error, HiddenLib initialization failed with code: " << HID_STATUS_CODE(hid_status) << endl;
return 1;
}
// Load Reg Keys
count = _countof(g_excludeRegKeys);
for (int i = 0; i < count; i++)
{
HidObjId objId;
hid_status = Hid_AddHiddenRegKey(hid_context, g_excludeRegKeys[i], &objId);
if (!HID_STATUS_SUCCESSFUL(hid_status))
cout << "Error, Hid_AddHiddenRegKey failed with code: " << HID_STATUS_CODE(hid_status) << endl;
}
// Load Reg Values
count = _countof(g_excludeRegValues);
for (int i = 0; i < count; i++)
{
HidObjId objId;
hid_status = Hid_AddHiddenRegValue(hid_context, g_excludeRegValues[i], &objId);
if (!HID_STATUS_SUCCESSFUL(hid_status))
cout << "Error, Hid_AddHiddenRegValue failed with code: " << HID_STATUS_CODE(hid_status) << endl;
}
// Load Files
count = _countof(g_excludeFiles);
for (int i = 0; i < count; i++)
{
HidObjId objId;
hid_status = Hid_AddHiddenFile(hid_context, g_excludeFiles[i], &objId);
if (!HID_STATUS_SUCCESSFUL(hid_status))
cout << "Error, Hid_AddHiddenFile failed with code: " << HID_STATUS_CODE(hid_status) << endl;
}
// Load Dirs
count = _countof(g_excludeDirs);
for (int i = 0; i < count; i++)
{
HidObjId objId;
hid_status = Hid_AddHiddenDir(hid_context, g_excludeDirs[i], &objId);
if (!HID_STATUS_SUCCESSFUL(hid_status))
cout << "Error, Hid_AddHiddenDir failed with code: " << HID_STATUS_CODE(hid_status) << endl;
}
Hid_Destroy(hid_context);
cout << "Completed!" << endl;
return 0;
}

90
HiddenCLI/HiddenCLI.vcxproj Normal file
View File

@ -0,0 +1,90 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{E6A7AAAD-4877-4F05-A5A1-F42707895996}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>HiddenCLI</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>HiddenLib.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(SolutionDir)$(Configuration)\</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalLibraryDirectories>$(SolutionDir)$(Configuration)\</AdditionalLibraryDirectories>
<AdditionalDependencies>HiddenLib.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="HiddenCLI.cpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

6
HiddenCLI/HiddenCLI.vcxproj.filters Normal file
View File

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<ClCompile Include="HiddenCLI.cpp" />
</ItemGroup>
</Project>

212
HiddenLib/HiddenLib.cpp Normal file
View File

@ -0,0 +1,212 @@
#include <Windows.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include "HiddenLib.h"
#include "..\\FsFilter1\DeviceAPI.h"
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
typedef struct _HidContextInternal {
HANDLE hdevice;
} HidContextInternal, *PHidContextInternal;
HidStatus Hid_Initialize(PHidContext pcontext)
{
HANDLE hdevice = INVALID_HANDLE_VALUE;
PHidContextInternal context;
hdevice = CreateFileW(
DEVICE_WIN32_NAME,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if (hdevice == INVALID_HANDLE_VALUE)
return HID_SET_STATUS(FALSE, GetLastError());
context = (PHidContextInternal)malloc(sizeof(HidContextInternal));
if (context == nullptr)
{
CloseHandle(hdevice);
return HID_SET_STATUS(FALSE, ERROR_NOT_ENOUGH_MEMORY);
}
context->hdevice = hdevice;
*pcontext = (HidContext)context;
return HID_SET_STATUS(TRUE, 0);
}
void Hid_Destroy(HidContext context)
{
PHidContextInternal cntx = (PHidContextInternal)context;
CloseHandle(cntx->hdevice);
free(cntx);
}
HidStatus SendIoctlHideObjectPacket(PHidContextInternal context, wchar_t* path, unsigned short type, HidObjId* objId)
{
PHid_HideObjectPacket hide;
Hid_StatusPacket result;
size_t size, len, total;
DWORD returned;
len = wcslen(path);
if (len == 0 || len > 1024)
return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
// Pack data to packet
total = (len + 1) * sizeof(wchar_t);
size = sizeof(Hid_HideObjectPacket) + total;
hide = (PHid_HideObjectPacket)_alloca(size);
hide->size = total;
hide->objType = type;
memcpy((char*)hide + sizeof(Hid_HideObjectPacket), path, total);
// Send IOCTL to device
if (!DeviceIoControl(context->hdevice, HID_IOCTL_ADD_HIDDEN_OBJECT, hide, size, &result, sizeof(result), &returned, NULL))
return HID_SET_STATUS(FALSE, GetLastError());
// Check result
if (returned != sizeof(result))
return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
if (!NT_SUCCESS(result.status))
return HID_SET_STATUS(FALSE, result.status);
if (objId)
*objId = result.info.id;
return HID_SET_STATUS(TRUE, 0);
}
HidStatus SendIoctlUnhideObjectPacket(PHidContextInternal context, unsigned short type, HidObjId objId)
{
Hid_UnhideObjectPacket unhide;
Hid_StatusPacket result;
DWORD returned;
unhide.objType = type;
unhide.id = objId;
// Send IOCTL to device
if (!DeviceIoControl(context->hdevice, HID_IOCTL_REMOVE_HIDDEN_OBJECT, &unhide, sizeof(unhide), &result, sizeof(result), &returned, NULL))
return HID_SET_STATUS(FALSE, GetLastError());
// Check result
if (returned != sizeof(result))
return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
if (!NT_SUCCESS(result.status))
return HID_SET_STATUS(FALSE, result.status);
return HID_SET_STATUS(TRUE, 0);
}
HidStatus SendIoctlUnhideAllObjectsPacket(PHidContextInternal context, unsigned short type)
{
Hid_UnhideAllObjectsPacket unhide;
Hid_StatusPacket result;
DWORD returned;
unhide.objType = type;
// Send IOCTL to device
if (!DeviceIoControl(context->hdevice, HID_IOCTL_REMOVE_ALL_HIDDEN_OBJECTS, &unhide, sizeof(unhide), &result, sizeof(result), &returned, NULL))
return HID_SET_STATUS(FALSE, GetLastError());
// Check result
if (returned != sizeof(result))
return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
if (!NT_SUCCESS(result.status))
return HID_SET_STATUS(FALSE, result.status);
return HID_SET_STATUS(TRUE, 0);
}
HidStatus Hid_SetState(HidContext context, int state)
{
PHidContextInternal cntx = (PHidContextInternal)context;
return HID_SET_STATUS(TRUE, 0);
}
HidStatus Hid_GetState(HidContext context, int* pstate)
{
PHidContextInternal cntx = (PHidContextInternal)context;
return HID_SET_STATUS(TRUE, 0);
}
HidStatus Hid_AddHiddenRegKey(HidContext context, wchar_t* regKey, HidObjId* objId)
{
return SendIoctlHideObjectPacket((PHidContextInternal)context, regKey, RegKeyObject, objId);
}
HidStatus Hid_RemoveHiddenRegKey(HidContext context, HidObjId objId)
{
return SendIoctlUnhideObjectPacket((PHidContextInternal)context, RegKeyObject, objId);
}
HidStatus Hid_RemoveAllHiddenRegKeys(HidContext context)
{
return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, RegKeyObject);
}
HidStatus Hid_AddHiddenRegValue(HidContext context, wchar_t* regValue, HidObjId* objId)
{
return SendIoctlHideObjectPacket((PHidContextInternal)context, regValue, RegValueObject, objId);
}
HidStatus Hid_RemoveHiddenRegValue(HidContext context, HidObjId objId)
{
return SendIoctlUnhideObjectPacket((PHidContextInternal)context, RegValueObject, objId);
}
HidStatus Hid_RemoveAllHiddenRegValues(HidContext context)
{
return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, RegValueObject);
}
HidStatus Hid_AddHiddenFile(HidContext context, wchar_t* filePath, HidObjId* objId)
{
return SendIoctlHideObjectPacket((PHidContextInternal)context, filePath, FsFileObject, objId);
}
HidStatus Hid_RemoveHiddenFile(HidContext context, HidObjId objId)
{
return SendIoctlUnhideObjectPacket((PHidContextInternal)context, FsFileObject, objId);
}
HidStatus Hid_RemoveAllHiddenFiles(HidContext context)
{
return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, FsFileObject);
}
HidStatus Hid_AddHiddenDir(HidContext context, wchar_t* dirPath, HidObjId* objId)
{
return SendIoctlHideObjectPacket((PHidContextInternal)context, dirPath, FsDirObject, objId);
}
HidStatus Hid_RemoveHiddenDir(HidContext context, HidObjId objId)
{
return SendIoctlUnhideObjectPacket((PHidContextInternal)context, FsDirObject, objId);
}
HidStatus Hid_RemoveAllHiddenDirs(HidContext context)
{
return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, FsDirObject);
}

64
HiddenLib/HiddenLib.h Normal file
View File

@ -0,0 +1,64 @@
#pragma once
typedef unsigned int HidStatus;
#define HID_STATUS_SUCCESSFUL(status) (status & 1)
#define HID_STATUS_CODE(status) (status >> 1)
#define HID_SET_STATUS(state, code) (code << 1 | (state ? 1 : 0))
typedef void* HidContext;
typedef HidContext* PHidContext;
typedef unsigned long long HidObjId;
HidStatus Hid_Initialize(PHidContext pcontext);
void Hid_Destroy(HidContext context);
/*#define HID_IOCTL_SET_DRIVER_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 0), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_GET_DRIVER_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 1), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_HIDDEN_REG_KEY CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 10), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_HIDDEN_REG_KEY CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 11), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_HIDDEN_REG_KEYS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 12), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_HIDDEN_REG_VALUE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 20), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_HIDDEN_REG_VALUE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 21), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_HIDDEN_REG_VALUES CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 22), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_HIDDEN_FILE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 30), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_HIDDEN_FILE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 31), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_HIDDEN_FILES CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 32), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_HIDDEN_DIR CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 40), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_HIDDEN_DIR CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 41), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_HIDDEN_DIRS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 42), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_PROTECTED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 50), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ATTACH_PROTECTED_EXE_PID CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 51), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_PROTECTED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 52), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_PROTECTED_EXE_PATHS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 53), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_EXCLUDED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 54), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ATTACH_EXCLUDED_EXE_PID CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 55), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_EXCLUDED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 56), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_EXCLUDED_EXE_PATHS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 57), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)*/
HidStatus Hid_SetState(HidContext context, int state);
HidStatus Hid_GetState(HidContext context, int* pstate);
HidStatus Hid_AddHiddenRegKey(HidContext context, wchar_t* regKey, HidObjId* objId);
HidStatus Hid_RemoveHiddenRegKey(HidContext context, HidObjId objId);
HidStatus Hid_RemoveAllHiddenRegKeys(HidContext context);
HidStatus Hid_AddHiddenRegValue(HidContext context, wchar_t* regValue, HidObjId* objId);
HidStatus Hid_RemoveHiddenRegValue(HidContext context, HidObjId objId);
HidStatus Hid_RemoveAllHiddenRegValues(HidContext context);
HidStatus Hid_AddHiddenFile(HidContext context, wchar_t* filePath, HidObjId* objId);
HidStatus Hid_RemoveHiddenFile(HidContext context, HidObjId objId);
HidStatus Hid_RemoveAllHiddenFiles(HidContext context);
HidStatus Hid_AddHiddenDir(HidContext context, wchar_t* dirPath, HidObjId* objId);
HidStatus Hid_RemoveHiddenDir(HidContext context, HidObjId objId);
HidStatus Hid_RemoveAllHiddenDirs(HidContext context);

84
HiddenLib/HiddenLib.vcxproj Normal file
View File

@ -0,0 +1,84 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<ItemGroup>
<ClCompile Include="HiddenLib.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="HiddenLib.h" />
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{EFECF76B-C3A8-4444-9314-70F72A0A48D8}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>HiddenLib</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

9
HiddenLib/HiddenLib.vcxproj.filters Normal file
View File

@ -0,0 +1,9 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<ClCompile Include="HiddenLib.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="HiddenLib.h" />
</ItemGroup>
</Project>

29
HiddenLib/ReadMe.txt Normal file
View File

@ -0,0 +1,29 @@
========================================================================
STATIC LIBRARY : HiddenLib Project Overview
========================================================================
AppWizard has created this HiddenLib library project for you.
No source files were created as part of your project.
HiddenLib.vcxproj
This is the main project file for VC++ projects generated using an Application Wizard.
It contains information about the version of Visual C++ that generated the file, and
information about the platforms, configurations, and project features selected with the
Application Wizard.
HiddenLib.vcxproj.filters
This is the filters file for VC++ projects generated using an Application Wizard.
It contains information about the association between the files in your project
and the filters. This association is used in the IDE to show grouping of files with
similar extensions under a specific node (for e.g. ".cpp" files are associated with the
"Source Files" filter).
/////////////////////////////////////////////////////////////////////////////
Other notes:
AppWizard uses "TODO:" comments to indicate parts of the source code you
should add to or customize.
/////////////////////////////////////////////////////////////////////////////