mirror of
https://github.com/JKornev/hidden
synced 2024-06-28 09:52:05 +00:00
initial commit
This commit is contained in:
parent
1c857ec226
commit
228b3fb1fc
339
Hidden Package/Hidden Package.vcxproj
Normal file
339
Hidden Package/Hidden Package.vcxproj
Normal file
@ -0,0 +1,339 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Win8.1 Debug|Win32">
|
||||
<Configuration>Win8.1 Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win8.1 Release|Win32">
|
||||
<Configuration>Win8.1 Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win8 Debug|Win32">
|
||||
<Configuration>Win8 Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win8 Release|Win32">
|
||||
<Configuration>Win8 Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win7 Debug|Win32">
|
||||
<Configuration>Win7 Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win7 Release|Win32">
|
||||
<Configuration>Win7 Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win8.1 Debug|x64">
|
||||
<Configuration>Win8.1 Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win8.1 Release|x64">
|
||||
<Configuration>Win8.1 Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win8 Debug|x64">
|
||||
<Configuration>Win8 Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win8 Release|x64">
|
||||
<Configuration>Win8 Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win7 Debug|x64">
|
||||
<Configuration>Win7 Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win7 Release|x64">
|
||||
<Configuration>Win7 Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<ProjectGuid>{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}</ProjectGuid>
|
||||
<TemplateGuid>{4605da2c-74a5-4865-98e1-152ef136825f}</TemplateGuid>
|
||||
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
|
||||
<MinimumVisualStudioVersion>11.0</MinimumVisualStudioVersion>
|
||||
<Configuration>Win8.1 Debug</Configuration>
|
||||
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
|
||||
<RootNamespace>Hidden_Package</RootNamespace>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|Win32'" Label="Configuration">
|
||||
<TargetVersion>WindowsV6.3</TargetVersion>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Utility</ConfigurationType>
|
||||
<DriverType>Package</DriverType>
|
||||
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|Win32'" Label="Configuration">
|
||||
<TargetVersion>WindowsV6.3</TargetVersion>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Utility</ConfigurationType>
|
||||
<DriverType>Package</DriverType>
|
||||
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|Win32'" Label="Configuration">
|
||||
<TargetVersion>Windows8</TargetVersion>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Utility</ConfigurationType>
|
||||
<DriverType>Package</DriverType>
|
||||
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|Win32'" Label="Configuration">
|
||||
<TargetVersion>Windows8</TargetVersion>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Utility</ConfigurationType>
|
||||
<DriverType>Package</DriverType>
|
||||
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|Win32'" Label="Configuration">
|
||||
<TargetVersion>Windows7</TargetVersion>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Utility</ConfigurationType>
|
||||
<DriverType>Package</DriverType>
|
||||
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|Win32'" Label="Configuration">
|
||||
<TargetVersion>Windows7</TargetVersion>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Utility</ConfigurationType>
|
||||
<DriverType>Package</DriverType>
|
||||
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|x64'" Label="Configuration">
|
||||
<TargetVersion>WindowsV6.3</TargetVersion>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Utility</ConfigurationType>
|
||||
<DriverType>Package</DriverType>
|
||||
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|x64'" Label="Configuration">
|
||||
<TargetVersion>WindowsV6.3</TargetVersion>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Utility</ConfigurationType>
|
||||
<DriverType>Package</DriverType>
|
||||
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|x64'" Label="Configuration">
|
||||
<TargetVersion>Windows8</TargetVersion>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Utility</ConfigurationType>
|
||||
<DriverType>Package</DriverType>
|
||||
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|x64'" Label="Configuration">
|
||||
<TargetVersion>Windows8</TargetVersion>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Utility</ConfigurationType>
|
||||
<DriverType>Package</DriverType>
|
||||
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|x64'" Label="Configuration">
|
||||
<TargetVersion>Windows7</TargetVersion>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Utility</ConfigurationType>
|
||||
<DriverType>Package</DriverType>
|
||||
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|x64'" Label="Configuration">
|
||||
<TargetVersion>Windows7</TargetVersion>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Utility</ConfigurationType>
|
||||
<DriverType>Package</DriverType>
|
||||
<DisableFastUpToDateCheck>true</DisableFastUpToDateCheck>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|Win32'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
<EnableDeployment>False</EnableDeployment>
|
||||
<RemoveDriver>True</RemoveDriver>
|
||||
<HardwareIdString />
|
||||
<CommandLine />
|
||||
<DeployFiles />
|
||||
<EnableVerifier>False</EnableVerifier>
|
||||
<AllDrivers>False</AllDrivers>
|
||||
<VerifyProjectOutput>True</VerifyProjectOutput>
|
||||
<VerifyDrivers />
|
||||
<VerifyFlags>133563</VerifyFlags>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|Win32'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
<EnableDeployment>False</EnableDeployment>
|
||||
<RemoveDriver>True</RemoveDriver>
|
||||
<HardwareIdString />
|
||||
<CommandLine />
|
||||
<DeployFiles />
|
||||
<EnableVerifier>False</EnableVerifier>
|
||||
<AllDrivers>False</AllDrivers>
|
||||
<VerifyProjectOutput>True</VerifyProjectOutput>
|
||||
<VerifyDrivers />
|
||||
<VerifyFlags>133563</VerifyFlags>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|Win32'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
<EnableDeployment>False</EnableDeployment>
|
||||
<RemoveDriver>True</RemoveDriver>
|
||||
<HardwareIdString />
|
||||
<CommandLine />
|
||||
<DeployFiles />
|
||||
<EnableVerifier>False</EnableVerifier>
|
||||
<AllDrivers>False</AllDrivers>
|
||||
<VerifyProjectOutput>True</VerifyProjectOutput>
|
||||
<VerifyDrivers />
|
||||
<VerifyFlags>133563</VerifyFlags>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|Win32'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
<EnableDeployment>False</EnableDeployment>
|
||||
<RemoveDriver>True</RemoveDriver>
|
||||
<HardwareIdString />
|
||||
<CommandLine />
|
||||
<DeployFiles />
|
||||
<EnableVerifier>False</EnableVerifier>
|
||||
<AllDrivers>False</AllDrivers>
|
||||
<VerifyProjectOutput>True</VerifyProjectOutput>
|
||||
<VerifyDrivers />
|
||||
<VerifyFlags>133563</VerifyFlags>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|Win32'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
<EnableDeployment>False</EnableDeployment>
|
||||
<RemoveDriver>True</RemoveDriver>
|
||||
<HardwareIdString />
|
||||
<CommandLine />
|
||||
<DeployFiles />
|
||||
<EnableVerifier>False</EnableVerifier>
|
||||
<AllDrivers>False</AllDrivers>
|
||||
<VerifyProjectOutput>True</VerifyProjectOutput>
|
||||
<VerifyDrivers />
|
||||
<VerifyFlags>133563</VerifyFlags>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|Win32'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
<EnableDeployment>False</EnableDeployment>
|
||||
<RemoveDriver>True</RemoveDriver>
|
||||
<HardwareIdString />
|
||||
<CommandLine />
|
||||
<DeployFiles />
|
||||
<EnableVerifier>False</EnableVerifier>
|
||||
<AllDrivers>False</AllDrivers>
|
||||
<VerifyProjectOutput>True</VerifyProjectOutput>
|
||||
<VerifyDrivers />
|
||||
<VerifyFlags>133563</VerifyFlags>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|x64'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
<EnableDeployment>False</EnableDeployment>
|
||||
<RemoveDriver>True</RemoveDriver>
|
||||
<HardwareIdString />
|
||||
<CommandLine />
|
||||
<DeployFiles />
|
||||
<EnableVerifier>False</EnableVerifier>
|
||||
<AllDrivers>False</AllDrivers>
|
||||
<VerifyProjectOutput>True</VerifyProjectOutput>
|
||||
<VerifyDrivers />
|
||||
<VerifyFlags>133563</VerifyFlags>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|x64'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
<EnableDeployment>False</EnableDeployment>
|
||||
<RemoveDriver>True</RemoveDriver>
|
||||
<HardwareIdString />
|
||||
<CommandLine />
|
||||
<DeployFiles />
|
||||
<EnableVerifier>False</EnableVerifier>
|
||||
<AllDrivers>False</AllDrivers>
|
||||
<VerifyProjectOutput>True</VerifyProjectOutput>
|
||||
<VerifyDrivers />
|
||||
<VerifyFlags>133563</VerifyFlags>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|x64'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
<EnableDeployment>False</EnableDeployment>
|
||||
<RemoveDriver>True</RemoveDriver>
|
||||
<HardwareIdString />
|
||||
<CommandLine />
|
||||
<DeployFiles />
|
||||
<EnableVerifier>False</EnableVerifier>
|
||||
<AllDrivers>False</AllDrivers>
|
||||
<VerifyProjectOutput>True</VerifyProjectOutput>
|
||||
<VerifyDrivers />
|
||||
<VerifyFlags>133563</VerifyFlags>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|x64'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
<EnableDeployment>False</EnableDeployment>
|
||||
<RemoveDriver>True</RemoveDriver>
|
||||
<HardwareIdString />
|
||||
<CommandLine />
|
||||
<DeployFiles />
|
||||
<EnableVerifier>False</EnableVerifier>
|
||||
<AllDrivers>False</AllDrivers>
|
||||
<VerifyProjectOutput>True</VerifyProjectOutput>
|
||||
<VerifyDrivers />
|
||||
<VerifyFlags>133563</VerifyFlags>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|x64'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
<EnableDeployment>False</EnableDeployment>
|
||||
<RemoveDriver>True</RemoveDriver>
|
||||
<HardwareIdString />
|
||||
<CommandLine />
|
||||
<DeployFiles />
|
||||
<EnableVerifier>False</EnableVerifier>
|
||||
<AllDrivers>False</AllDrivers>
|
||||
<VerifyProjectOutput>True</VerifyProjectOutput>
|
||||
<VerifyDrivers />
|
||||
<VerifyFlags>133563</VerifyFlags>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|x64'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
<EnableDeployment>False</EnableDeployment>
|
||||
<RemoveDriver>True</RemoveDriver>
|
||||
<HardwareIdString />
|
||||
<CommandLine />
|
||||
<DeployFiles />
|
||||
<EnableVerifier>False</EnableVerifier>
|
||||
<AllDrivers>False</AllDrivers>
|
||||
<VerifyProjectOutput>True</VerifyProjectOutput>
|
||||
<VerifyDrivers />
|
||||
<VerifyFlags>133563</VerifyFlags>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|Win32'">
|
||||
<Inf2Cat>
|
||||
<UseLocalTime>true</UseLocalTime>
|
||||
</Inf2Cat>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<FilesToPackage Include="@(Inf->'%(CopyOutput)')" Condition="'@(Inf)'!=''" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ProjectReference Include="..\Hidden\Hidden.vcxproj">
|
||||
<Project>{3e4bbcd0-dc35-4825-9a8d-8686cdfaa6a8}</Project>
|
||||
</ProjectReference>
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
9
Hidden Package/Hidden Package.vcxproj.filters
Normal file
9
Hidden Package/Hidden Package.vcxproj.filters
Normal file
@ -0,0 +1,9 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup>
|
||||
<Filter Include="Driver Files">
|
||||
<UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
|
||||
<Extensions>inf;inv;inx;mof;mc;</Extensions>
|
||||
</Filter>
|
||||
</ItemGroup>
|
||||
</Project>
|
200
Hidden.sln
Normal file
200
Hidden.sln
Normal file
@ -0,0 +1,200 @@
|
||||
|
||||
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||
# Visual Studio 2013
|
||||
VisualStudioVersion = 12.0.21005.1
|
||||
MinimumVisualStudioVersion = 10.0.40219.1
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Hidden", "Hidden\Hidden.vcxproj", "{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}"
|
||||
EndProject
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Hidden Package", "Hidden Package\Hidden Package.vcxproj", "{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}"
|
||||
ProjectSection(ProjectDependencies) = postProject
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8} = {3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}
|
||||
EndProjectSection
|
||||
EndProject
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HiddenLib", "HiddenLib\HiddenLib.vcxproj", "{EFECF76B-C3A8-4444-9314-70F72A0A48D8}"
|
||||
EndProject
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HiddenCLI", "HiddenCLI\HiddenCLI.vcxproj", "{E6A7AAAD-4877-4F05-A5A1-F42707895996}"
|
||||
ProjectSection(ProjectDependencies) = postProject
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8} = {EFECF76B-C3A8-4444-9314-70F72A0A48D8}
|
||||
EndProjectSection
|
||||
EndProject
|
||||
Global
|
||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||
Debug|Win32 = Debug|Win32
|
||||
Debug|x64 = Debug|x64
|
||||
Release|Win32 = Release|Win32
|
||||
Release|x64 = Release|x64
|
||||
Win7 Debug|Win32 = Win7 Debug|Win32
|
||||
Win7 Debug|x64 = Win7 Debug|x64
|
||||
Win7 Release|Win32 = Win7 Release|Win32
|
||||
Win7 Release|x64 = Win7 Release|x64
|
||||
Win8 Debug|Win32 = Win8 Debug|Win32
|
||||
Win8 Debug|x64 = Win8 Debug|x64
|
||||
Win8 Release|Win32 = Win8 Release|Win32
|
||||
Win8 Release|x64 = Win8 Release|x64
|
||||
Win8.1 Debug|Win32 = Win8.1 Debug|Win32
|
||||
Win8.1 Debug|x64 = Win8.1 Debug|x64
|
||||
Win8.1 Release|Win32 = Win8.1 Release|Win32
|
||||
Win8.1 Release|x64 = Win8.1 Release|x64
|
||||
EndGlobalSection
|
||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|Win32.ActiveCfg = Win8.1 Debug|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|Win32.Build.0 = Win8.1 Debug|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|Win32.Deploy.0 = Win8.1 Debug|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|x64.ActiveCfg = Win8.1 Debug|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|x64.Build.0 = Win8.1 Debug|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|Win32.ActiveCfg = Win8.1 Release|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|Win32.Build.0 = Win8.1 Release|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|Win32.Deploy.0 = Win8.1 Release|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|x64.ActiveCfg = Win8.1 Release|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|x64.Build.0 = Win8.1 Release|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Debug|Win32.ActiveCfg = Win7 Debug|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Debug|Win32.Deploy.0 = Win7 Debug|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Debug|x64.Build.0 = Win7 Debug|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Release|Win32.Build.0 = Win7 Release|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Release|Win32.Deploy.0 = Win7 Release|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Release|x64.ActiveCfg = Win7 Release|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Release|x64.Build.0 = Win7 Release|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win7 Release|x64.Deploy.0 = Win7 Release|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Debug|Win32.ActiveCfg = Win8 Debug|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Debug|Win32.Build.0 = Win8 Debug|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Debug|Win32.Deploy.0 = Win8 Debug|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Debug|x64.ActiveCfg = Win8 Debug|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Debug|x64.Build.0 = Win8 Debug|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Debug|x64.Deploy.0 = Win8 Debug|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Release|Win32.ActiveCfg = Win8 Release|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Release|Win32.Build.0 = Win8 Release|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Release|Win32.Deploy.0 = Win8 Release|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Release|x64.ActiveCfg = Win8 Release|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Release|x64.Build.0 = Win8 Release|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8 Release|x64.Deploy.0 = Win8 Release|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Debug|Win32.ActiveCfg = Win8.1 Debug|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Debug|Win32.Build.0 = Win8.1 Debug|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Debug|Win32.Deploy.0 = Win8.1 Debug|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Debug|x64.ActiveCfg = Win8.1 Debug|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Debug|x64.Build.0 = Win8.1 Debug|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Debug|x64.Deploy.0 = Win8.1 Debug|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Release|Win32.ActiveCfg = Win8.1 Release|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Release|Win32.Build.0 = Win8.1 Release|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Release|Win32.Deploy.0 = Win8.1 Release|Win32
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Release|x64.ActiveCfg = Win8.1 Release|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Release|x64.Build.0 = Win8.1 Release|x64
|
||||
{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Win8.1 Release|x64.Deploy.0 = Win8.1 Release|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Debug|Win32.ActiveCfg = Win8.1 Debug|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Debug|Win32.Build.0 = Win8.1 Debug|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Debug|Win32.Deploy.0 = Win8.1 Debug|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Debug|x64.ActiveCfg = Win8.1 Debug|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Debug|x64.Build.0 = Win8.1 Debug|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Release|Win32.ActiveCfg = Win8.1 Release|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Release|Win32.Build.0 = Win8.1 Release|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Release|Win32.Deploy.0 = Win8.1 Release|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Release|x64.ActiveCfg = Win8.1 Release|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Release|x64.Build.0 = Win8.1 Release|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Debug|Win32.ActiveCfg = Win7 Debug|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Debug|Win32.Deploy.0 = Win7 Debug|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Debug|x64.Build.0 = Win7 Debug|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Release|Win32.Build.0 = Win7 Release|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Release|Win32.Deploy.0 = Win7 Release|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Release|x64.ActiveCfg = Win7 Release|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Release|x64.Build.0 = Win7 Release|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win7 Release|x64.Deploy.0 = Win7 Release|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Debug|Win32.ActiveCfg = Win8 Debug|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Debug|Win32.Build.0 = Win8 Debug|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Debug|Win32.Deploy.0 = Win8 Debug|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Debug|x64.ActiveCfg = Win8 Debug|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Debug|x64.Build.0 = Win8 Debug|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Debug|x64.Deploy.0 = Win8 Debug|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Release|Win32.ActiveCfg = Win8 Release|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Release|Win32.Build.0 = Win8 Release|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Release|Win32.Deploy.0 = Win8 Release|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Release|x64.ActiveCfg = Win8 Release|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Release|x64.Build.0 = Win8 Release|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8 Release|x64.Deploy.0 = Win8 Release|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Debug|Win32.ActiveCfg = Win8.1 Debug|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Debug|Win32.Build.0 = Win8.1 Debug|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Debug|Win32.Deploy.0 = Win8.1 Debug|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Debug|x64.ActiveCfg = Win8.1 Debug|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Debug|x64.Build.0 = Win8.1 Debug|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Debug|x64.Deploy.0 = Win8.1 Debug|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Release|Win32.ActiveCfg = Win8.1 Release|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Release|Win32.Build.0 = Win8.1 Release|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Release|Win32.Deploy.0 = Win8.1 Release|Win32
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Release|x64.ActiveCfg = Win8.1 Release|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Release|x64.Build.0 = Win8.1 Release|x64
|
||||
{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Win8.1 Release|x64.Deploy.0 = Win8.1 Release|x64
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Debug|Win32.Build.0 = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Debug|Win32.Deploy.0 = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Debug|x64.ActiveCfg = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Release|Win32.ActiveCfg = Release|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Release|Win32.Build.0 = Release|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Release|Win32.Deploy.0 = Release|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Release|x64.ActiveCfg = Release|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Debug|Win32.Build.0 = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Debug|Win32.Deploy.0 = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Debug|x64.ActiveCfg = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Release|Win32.ActiveCfg = Release|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Release|Win32.Build.0 = Release|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Release|Win32.Deploy.0 = Release|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win7 Release|x64.ActiveCfg = Release|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Debug|Win32.Build.0 = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Debug|Win32.Deploy.0 = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Debug|x64.ActiveCfg = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Release|Win32.ActiveCfg = Release|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Release|Win32.Build.0 = Release|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Release|Win32.Deploy.0 = Release|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8 Release|x64.ActiveCfg = Release|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Debug|Win32.Build.0 = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Debug|Win32.Deploy.0 = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Debug|x64.ActiveCfg = Debug|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Release|Win32.ActiveCfg = Release|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Release|Win32.Build.0 = Release|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Release|Win32.Deploy.0 = Release|Win32
|
||||
{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Win8.1 Release|x64.ActiveCfg = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Debug|Win32.Build.0 = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Debug|Win32.Deploy.0 = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Debug|x64.ActiveCfg = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Release|Win32.ActiveCfg = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Release|Win32.Build.0 = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Release|Win32.Deploy.0 = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Release|x64.ActiveCfg = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Debug|Win32.Build.0 = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Debug|Win32.Deploy.0 = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Debug|x64.ActiveCfg = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Release|Win32.ActiveCfg = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Release|Win32.Build.0 = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Release|Win32.Deploy.0 = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win7 Release|x64.ActiveCfg = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Debug|Win32.Build.0 = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Debug|Win32.Deploy.0 = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Debug|x64.ActiveCfg = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Release|Win32.ActiveCfg = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Release|Win32.Build.0 = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Release|Win32.Deploy.0 = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8 Release|x64.ActiveCfg = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Debug|Win32.Build.0 = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Debug|Win32.Deploy.0 = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Debug|x64.ActiveCfg = Debug|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Release|Win32.ActiveCfg = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Release|Win32.Build.0 = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Release|Win32.Deploy.0 = Release|Win32
|
||||
{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Win8.1 Release|x64.ActiveCfg = Release|Win32
|
||||
EndGlobalSection
|
||||
GlobalSection(SolutionProperties) = preSolution
|
||||
HideSolutionNode = FALSE
|
||||
EndGlobalSection
|
||||
EndGlobal
|
262
Hidden/Device.c
Normal file
262
Hidden/Device.c
Normal file
@ -0,0 +1,262 @@
|
||||
#include "RegFilter.h"
|
||||
#include "FsFilter.h"
|
||||
#include "Device.h"
|
||||
#include "DeviceAPI.h"
|
||||
|
||||
|
||||
PDEVICE_OBJECT g_deviceObject = NULL;
|
||||
|
||||
// =========================================================================================
|
||||
|
||||
NTSTATUS DeviceDeviceCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(DeviceObject);
|
||||
|
||||
Irp->IoStatus.Status = STATUS_SUCCESS;
|
||||
Irp->IoStatus.Information = 0;
|
||||
IoCompleteRequest(Irp, IO_NO_INCREMENT);
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!!\n");
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS DeviceDeviceClose(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(DeviceObject);
|
||||
|
||||
Irp->IoStatus.Status = STATUS_SUCCESS;
|
||||
Irp->IoStatus.Information = 0;
|
||||
IoCompleteRequest(Irp, IO_NO_INCREMENT);
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!!\n");
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
NTSTATUS DeviceDeviceCleanup(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(DeviceObject);
|
||||
|
||||
Irp->IoStatus.Status = STATUS_SUCCESS;
|
||||
Irp->IoStatus.Information = 0;
|
||||
IoCompleteRequest(Irp, IO_NO_INCREMENT);
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!!\n");
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS AddHiddenObject(PHid_HideObjectPacket packet, USHORT size, PULONGLONG objId)
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
UNICODE_STRING path;
|
||||
USHORT i, count;
|
||||
|
||||
if (size < sizeof(Hid_HideObjectPacket) || size < packet->size + sizeof(Hid_HideObjectPacket))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
|
||||
// Unpack string to UNICODE_STRING
|
||||
|
||||
path.Buffer = (LPWSTR)((PCHAR)packet + sizeof(Hid_HideObjectPacket));
|
||||
path.MaximumLength = size;
|
||||
|
||||
count = packet->size / sizeof(WCHAR);
|
||||
for (i = 0; i < count; i++)
|
||||
if (path.Buffer[i] == L'\0')
|
||||
break;
|
||||
|
||||
path.Length = i * sizeof(WCHAR);
|
||||
|
||||
// Perform packet
|
||||
|
||||
switch (packet->objType)
|
||||
{
|
||||
case RegKeyObject:
|
||||
status = AddHiddenRegKey(&path, objId);
|
||||
break;
|
||||
case RegValueObject:
|
||||
status = AddHiddenRegValue(&path, objId);
|
||||
break;
|
||||
case FsFileObject:
|
||||
status = AddHiddenFile(&path, objId);
|
||||
break;
|
||||
case FsDirObject:
|
||||
status = AddHiddenDir(&path, objId);
|
||||
break;
|
||||
default:
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unknown object type: %u\n", packet->objType);
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS RemoveHiddenObject(PHid_UnhideObjectPacket packet, USHORT size)
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
|
||||
if (size != sizeof(Hid_UnhideObjectPacket))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
|
||||
// Perform packet
|
||||
|
||||
switch (packet->objType)
|
||||
{
|
||||
case RegKeyObject:
|
||||
status = RemoveHiddenRegKey(packet->id);
|
||||
break;
|
||||
case RegValueObject:
|
||||
status = RemoveHiddenRegValue(packet->id);
|
||||
break;
|
||||
case FsFileObject:
|
||||
status = RemoveHiddenFile(packet->id);
|
||||
break;
|
||||
case FsDirObject:
|
||||
status = RemoveHiddenDir(packet->id);
|
||||
break;
|
||||
default:
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unknown object type: %u\n", packet->objType);
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS RemoveAllHiddenObjects(PHid_UnhideAllObjectsPacket packet, USHORT size)
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
|
||||
if (size != sizeof(Hid_UnhideAllObjectsPacket))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
|
||||
// Perform packet
|
||||
|
||||
switch (packet->objType)
|
||||
{
|
||||
case RegKeyObject:
|
||||
status = RemoveAllHiddenRegKeys();
|
||||
break;
|
||||
case RegValueObject:
|
||||
status = RemoveAllHiddenRegValues();
|
||||
break;
|
||||
case FsFileObject:
|
||||
status = RemoveAllHiddenFiles();
|
||||
break;
|
||||
case FsDirObject:
|
||||
status = RemoveAllHiddenDirs();
|
||||
break;
|
||||
default:
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unknown object type: %u\n", packet->objType);
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS DeviceControlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
{
|
||||
PIO_STACK_LOCATION irpStack;
|
||||
Hid_StatusPacket result;
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
PVOID inputBuffer, outputBuffer;
|
||||
ULONG ioctl, inputBufferSize, outputBufferSize, outputBufferMaxSize;
|
||||
|
||||
UNREFERENCED_PARAMETER(DeviceObject);
|
||||
|
||||
// Get irp information
|
||||
|
||||
irpStack = IoGetCurrentIrpStackLocation(Irp);
|
||||
ioctl = irpStack->Parameters.DeviceIoControl.IoControlCode;
|
||||
|
||||
inputBuffer = outputBuffer = Irp->AssociatedIrp.SystemBuffer;
|
||||
inputBufferSize = irpStack->Parameters.DeviceIoControl.InputBufferLength;
|
||||
outputBufferMaxSize = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
|
||||
outputBufferSize = 0;
|
||||
|
||||
RtlZeroMemory(&result, sizeof(result));
|
||||
|
||||
// Check output buffer size
|
||||
|
||||
if (outputBufferMaxSize < sizeof(result))
|
||||
{
|
||||
status = STATUS_INVALID_PARAMETER;
|
||||
goto EndProc;
|
||||
}
|
||||
|
||||
switch (ioctl)
|
||||
{
|
||||
case HID_IOCTL_ADD_HIDDEN_OBJECT:
|
||||
result.status = AddHiddenObject((PHid_HideObjectPacket)inputBuffer, (USHORT)inputBufferSize, &result.info.id);
|
||||
break;
|
||||
case HID_IOCTL_REMOVE_HIDDEN_OBJECT:
|
||||
result.status = RemoveHiddenObject((PHid_UnhideObjectPacket)inputBuffer, (USHORT)inputBufferSize);
|
||||
break;
|
||||
case HID_IOCTL_REMOVE_ALL_HIDDEN_OBJECTS:
|
||||
result.status = RemoveAllHiddenObjects((PHid_UnhideAllObjectsPacket)inputBuffer, (USHORT)inputBufferSize);
|
||||
break;
|
||||
default:
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": unknown IOCTL code:%08x\n", ioctl);
|
||||
status = STATUS_INVALID_PARAMETER;
|
||||
goto EndProc;
|
||||
}
|
||||
|
||||
EndProc:
|
||||
|
||||
// Copy result to output buffer
|
||||
if (NT_SUCCESS(status))
|
||||
{
|
||||
outputBufferSize = sizeof(result);
|
||||
RtlCopyMemory(outputBuffer, &result, sizeof(result));
|
||||
}
|
||||
|
||||
Irp->IoStatus.Status = status;
|
||||
Irp->IoStatus.Information = outputBufferSize;
|
||||
IoCompleteRequest(Irp, IO_NO_INCREMENT);
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS InitializeDevice(PDRIVER_OBJECT DriverObject)
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
UNICODE_STRING deviceName = RTL_CONSTANT_STRING(DEVICE_NAME);
|
||||
UNICODE_STRING dosDeviceName = RTL_CONSTANT_STRING(DOS_DEVICES_LINK_NAME);
|
||||
PDEVICE_OBJECT deviceObject = NULL;
|
||||
|
||||
status = IoCreateDevice(DriverObject, 0, &deviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &deviceObject);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": device creation failed with code:%08x\n", status);
|
||||
return status;
|
||||
}
|
||||
|
||||
status = IoCreateSymbolicLink(&dosDeviceName, &deviceName);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
IoDeleteDevice(deviceObject);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": symbolic link creation failed with code:%08x\n", status);
|
||||
return status;
|
||||
}
|
||||
|
||||
DriverObject->MajorFunction[IRP_MJ_CREATE] = DeviceDeviceCreate;
|
||||
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DeviceDeviceClose;
|
||||
DriverObject->MajorFunction[IRP_MJ_CLEANUP] = DeviceDeviceCleanup;
|
||||
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceControlHandler;
|
||||
g_deviceObject = deviceObject;
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS DestroyDevice()
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
UNICODE_STRING dosDeviceName = RTL_CONSTANT_STRING(DOS_DEVICES_LINK_NAME);
|
||||
|
||||
status = IoDeleteSymbolicLink(&dosDeviceName);
|
||||
if (!NT_SUCCESS(status))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": symbolic link deletion failed with code:%08x\n", status);
|
||||
|
||||
IoDeleteDevice(g_deviceObject);
|
||||
|
||||
return status;
|
||||
}
|
4
Hidden/Device.h
Normal file
4
Hidden/Device.h
Normal file
@ -0,0 +1,4 @@
|
||||
#pragma once
|
||||
|
||||
NTSTATUS InitializeDevice(PDRIVER_OBJECT DriverObject);
|
||||
NTSTATUS DestroyDevice();
|
82
Hidden/DeviceAPI.h
Normal file
82
Hidden/DeviceAPI.h
Normal file
@ -0,0 +1,82 @@
|
||||
#pragma once
|
||||
|
||||
// ========================================
|
||||
// Device information
|
||||
|
||||
#define DEVICE_NAME L"\\Device\\HiddenGate"
|
||||
#define DOS_DEVICES_LINK_NAME L"\\DosDevices\\HiddenGate"
|
||||
#define DEVICE_WIN32_NAME L"\\\\.\\HiddenGate"
|
||||
|
||||
// ========================================
|
||||
// IOCTL codes
|
||||
|
||||
#define HID_IOCTL_SET_DRIVER_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 0), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_GET_DRIVER_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 1), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_SET_STEALTH_MODE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 2), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
/*#define HID_IOCTL_ADD_HIDDEN_REG_KEY CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 10), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_HIDDEN_REG_KEY CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 11), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_HIDDEN_REG_KEYS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 12), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_HIDDEN_REG_VALUE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 20), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_HIDDEN_REG_VALUE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 21), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_HIDDEN_REG_VALUES CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 22), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_HIDDEN_FILE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 30), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_HIDDEN_FILE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 31), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_HIDDEN_FILES CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 32), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_HIDDEN_DIR CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 40), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_HIDDEN_DIR CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 41), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_HIDDEN_DIRS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 42), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_PROTECTED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 50), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_ATTACH_PROTECTED_EXE_PID CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 51), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_PROTECTED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 52), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_PROTECTED_EXE_PATHS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 53), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_EXCLUDED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 54), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_ATTACH_EXCLUDED_EXE_PID CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 55), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_EXCLUDED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 56), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_EXCLUDED_EXE_PATHS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 57), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)*/
|
||||
|
||||
#define HID_IOCTL_ADD_HIDDEN_OBJECT CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 60), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_HIDDEN_OBJECT CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 61), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_HIDDEN_OBJECTS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 62), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
enum Hid_ObjectTypes {
|
||||
RegKeyObject,
|
||||
RegValueObject,
|
||||
FsFileObject,
|
||||
FsDirObject,
|
||||
PsProcObject,
|
||||
};
|
||||
|
||||
#pragma pack(push, 4)
|
||||
|
||||
typedef struct _Hid_HideObjectPacket {
|
||||
unsigned short objType;
|
||||
unsigned short size;
|
||||
} Hid_HideObjectPacket, *PHid_HideObjectPacket;
|
||||
|
||||
typedef struct _Hid_UnhideObjectPacket {
|
||||
unsigned short objType;
|
||||
unsigned short reserved;
|
||||
unsigned long long id;
|
||||
} Hid_UnhideObjectPacket, *PHid_UnhideObjectPacket;
|
||||
|
||||
typedef struct _Hid_UnhideAllObjectsPacket {
|
||||
unsigned short objType;
|
||||
unsigned short reserved;
|
||||
} Hid_UnhideAllObjectsPacket, *PHid_UnhideAllObjectsPacket;
|
||||
|
||||
typedef struct _Hid_StatusPacket {
|
||||
unsigned int status;
|
||||
union {
|
||||
unsigned long long id;
|
||||
unsigned long state;
|
||||
} info;
|
||||
} Hid_StatusPacket, *PHid_StatusPacket;
|
||||
|
||||
#pragma pack(pop)
|
69
Hidden/Driver.c
Normal file
69
Hidden/Driver.c
Normal file
@ -0,0 +1,69 @@
|
||||
#include <fltKernel.h>
|
||||
#include <Ntddk.h>
|
||||
#include "ExcludeList.h"
|
||||
|
||||
#include "RegFilter.h"
|
||||
#include "FsFilter.h"
|
||||
#include "PsMonitor.h"
|
||||
#include "Device.h"
|
||||
#include "Driver.h"
|
||||
|
||||
|
||||
PDRIVER_OBJECT g_driverObject = NULL;
|
||||
|
||||
BOOLEAN g_driverActive = FALSE;
|
||||
|
||||
// =========================================================================================
|
||||
|
||||
VOID SetDriverActivityState(BOOLEAN state)
|
||||
{
|
||||
g_driverActive = state;
|
||||
}
|
||||
|
||||
BOOLEAN GetDriverActiviteState()
|
||||
{
|
||||
return g_driverActive;
|
||||
}
|
||||
|
||||
// =========================================================================================
|
||||
|
||||
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(DriverObject);
|
||||
|
||||
DestroyDevice();
|
||||
DestroyRegistryFilter();
|
||||
DestroyFSMiniFilter();
|
||||
DestroyPsMonitor();
|
||||
}
|
||||
|
||||
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
|
||||
{
|
||||
NTSTATUS status;
|
||||
|
||||
UNREFERENCED_PARAMETER(RegistryPath);
|
||||
|
||||
g_driverActive = TRUE;
|
||||
|
||||
status = InitializePsMonitor(DriverObject);
|
||||
if (!NT_SUCCESS(status))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": object monitor didn't start\n");
|
||||
|
||||
status = InitializeFSMiniFilter(DriverObject);
|
||||
if (!NT_SUCCESS(status))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": file-system mini-filter didn't start\n");
|
||||
|
||||
status = InitializeRegistryFilter(DriverObject);
|
||||
if (!NT_SUCCESS(status))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": registry filter didn't start\n");
|
||||
|
||||
status = InitializeDevice(DriverObject);
|
||||
if (!NT_SUCCESS(status))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't create device\n");
|
||||
|
||||
DriverObject->DriverUnload = DriverUnload;
|
||||
g_driverObject = DriverObject;
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
4
Hidden/Driver.h
Normal file
4
Hidden/Driver.h
Normal file
@ -0,0 +1,4 @@
|
||||
#pragma once
|
||||
|
||||
VOID SetDriverActivityState(BOOLEAN state);
|
||||
BOOLEAN GetDriverActiviteState();
|
504
Hidden/ExcludeList.c
Normal file
504
Hidden/ExcludeList.c
Normal file
@ -0,0 +1,504 @@
|
||||
#include "ExcludeList.h"
|
||||
//#include <Ntifs.h>
|
||||
|
||||
#define EXCLUDE_ALLOC_TAG 'LcxE'
|
||||
|
||||
typedef struct _EXCULE_FILE_PATH {
|
||||
UNICODE_STRING fullPath;
|
||||
UNICODE_STRING dirName;
|
||||
UNICODE_STRING fileName;
|
||||
} EXCULE_FILE_PATH, *PEXCULE_FILE_PATH;
|
||||
|
||||
typedef struct _EXCLUDE_FILE_LIST_ENTRY {
|
||||
LIST_ENTRY list;
|
||||
ULONGLONG guid;
|
||||
EXCULE_FILE_PATH path;
|
||||
//UINT32 dirCrc32;
|
||||
//UINT32 type;
|
||||
} EXCLUDE_FILE_LIST_ENTRY, *PEXCLUDE_FILE_LIST_ENTRY;
|
||||
|
||||
typedef struct _EXCLUDE_FILE_CONTEXT {
|
||||
LIST_ENTRY listHead;
|
||||
KSPIN_LOCK listLock;
|
||||
ULONGLONG guidCounter;
|
||||
//UINT32 IVector;
|
||||
UINT32 type;
|
||||
} EXCLUDE_FILE_CONTEXT, *PEXCLUDE_FILE_CONTEXT;
|
||||
|
||||
NTSTATUS AddExcludeListEntry(ExcludeContext Context, PUNICODE_STRING FilePath, UINT32 Type, PExcludeEntryId EntryId);
|
||||
|
||||
BOOLEAN InitFilePathByString(PEXCULE_FILE_PATH path, PUNICODE_STRING FilePath, PUINT32 DirCrc32, UINT32 iv);
|
||||
BOOLEAN FillDirectoryFromPath(PEXCULE_FILE_PATH path, PUNICODE_STRING filePath);
|
||||
//BOOLEAN InitFilePathByDirectory(PEXCULE_FILE_PATH path, PUNICODE_STRING filePath, PUINT32 DirCrc32, UINT32 iv);
|
||||
|
||||
unsigned int GetCrc32(void* buf, unsigned int size, unsigned int ivect);
|
||||
|
||||
NTSTATUS RtlDowncaseUnicodeString(
|
||||
PUNICODE_STRING DestinationString,
|
||||
_In_ PCUNICODE_STRING SourceString,
|
||||
_In_ BOOLEAN AllocateDestinationString
|
||||
);
|
||||
|
||||
// ==========================================================================================
|
||||
|
||||
NTSTATUS InitializeExcludeListContext(PExcludeContext Context, UINT32 Type)
|
||||
{
|
||||
PEXCLUDE_FILE_CONTEXT cntx;
|
||||
|
||||
if (Type >= ExcludeMaxType)
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": error, invalid exclude list type: %d\n", Type);
|
||||
return STATUS_INVALID_MEMBER;
|
||||
}
|
||||
|
||||
cntx = (PEXCLUDE_FILE_CONTEXT)ExAllocatePoolWithTag(NonPagedPool, sizeof(EXCLUDE_FILE_CONTEXT), EXCLUDE_ALLOC_TAG);
|
||||
if (!cntx)
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": error, can't allocate memory for context: %p\n", Context);
|
||||
return STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
InitializeListHead(&cntx->listHead);
|
||||
KeInitializeSpinLock(&cntx->listLock);
|
||||
cntx->guidCounter = 0;
|
||||
cntx->type = Type;
|
||||
//cntx->IVector = (UINT32)&InitializeExcludeListContext;
|
||||
|
||||
*Context = cntx;
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
VOID DestroyExcludeListContext(ExcludeContext Context)
|
||||
{
|
||||
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
|
||||
/*KLOCK_QUEUE_HANDLE lockHandle;
|
||||
PEXCLUDE_FILE_LIST_ENTRY entry;
|
||||
|
||||
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
|
||||
|
||||
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
|
||||
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
|
||||
{
|
||||
PEXCLUDE_FILE_LIST_ENTRY remove = entry;
|
||||
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
|
||||
RemoveEntryList((PLIST_ENTRY)remove);
|
||||
ExFreePoolWithTag(remove, EXCLUDE_ALLOC_TAG);
|
||||
}
|
||||
|
||||
KeReleaseInStackQueuedSpinLock(&lockHandle);*/
|
||||
|
||||
RemoveAllExcludeListEntries(Context);
|
||||
ExFreePoolWithTag(cntx, EXCLUDE_ALLOC_TAG);
|
||||
}
|
||||
|
||||
NTSTATUS AddExcludeListFile(ExcludeContext Context, PUNICODE_STRING FilePath, PExcludeEntryId EntryId)
|
||||
{
|
||||
return AddExcludeListEntry(Context, FilePath, ExcludeFile, EntryId);
|
||||
}
|
||||
|
||||
NTSTATUS AddExcludeListDirectory(ExcludeContext Context, PUNICODE_STRING DirPath, PExcludeEntryId EntryId)
|
||||
{
|
||||
return AddExcludeListEntry(Context, DirPath, ExcludeDirectory, EntryId);
|
||||
}
|
||||
|
||||
NTSTATUS AddExcludeListRegistryKey(ExcludeContext Context, PUNICODE_STRING KeyPath, PExcludeEntryId EntryId)
|
||||
{
|
||||
return AddExcludeListEntry(Context, KeyPath, ExcludeRegKey, EntryId);
|
||||
}
|
||||
|
||||
NTSTATUS AddExcludeListRegistryValue(ExcludeContext Context, PUNICODE_STRING ValuePath, PExcludeEntryId EntryId)
|
||||
{
|
||||
return AddExcludeListEntry(Context, ValuePath, ExcludeRegValue, EntryId);
|
||||
}
|
||||
|
||||
NTSTATUS AddExcludeListEntry(ExcludeContext Context, PUNICODE_STRING FilePath, UINT32 Type, PExcludeEntryId EntryId)
|
||||
{
|
||||
enum { MAX_PATH_SIZE = 1024 };
|
||||
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
|
||||
KLOCK_QUEUE_HANDLE lockHandle;
|
||||
PEXCLUDE_FILE_LIST_ENTRY entry, head;
|
||||
UNICODE_STRING temp;
|
||||
//NTSTATUS status;
|
||||
SIZE_T size;
|
||||
|
||||
UNREFERENCED_PARAMETER(Type);
|
||||
|
||||
if (cntx->type != Type)
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": warning, type isn't equal: %d != %d\n", cntx->type, Type);
|
||||
return STATUS_INVALID_MEMBER;
|
||||
}
|
||||
|
||||
if (FilePath->Length == 0 || FilePath->Length >= MAX_PATH_SIZE)
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": warning, invalid string size : %d\n", (UINT32)FilePath->Length);
|
||||
return STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
// Allocate and fill new list entry
|
||||
|
||||
size = sizeof(EXCLUDE_FILE_LIST_ENTRY) + FilePath->Length + sizeof(WCHAR);
|
||||
entry = ExAllocatePoolWithTag(NonPagedPool, size, EXCLUDE_ALLOC_TAG);
|
||||
if (entry == NULL)
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": warning, exclude file list is not NULL : %p\n", cntx);
|
||||
return STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
RtlZeroMemory(entry, size);
|
||||
|
||||
temp.Buffer = (PWCH)((PCHAR)entry + sizeof(EXCLUDE_FILE_LIST_ENTRY));
|
||||
temp.Length = 0;
|
||||
temp.MaximumLength = FilePath->Length;
|
||||
|
||||
//status = RtlDowncaseUnicodeString(&temp, FilePath, FALSE);
|
||||
RtlCopyUnicodeString(&temp, FilePath);
|
||||
|
||||
//if (!InitFilePathByString(&entry->path, &temp, &entry->dirCrc32, cntx->IVector))
|
||||
if (!FillDirectoryFromPath(&entry->path, &temp))
|
||||
{
|
||||
ExFreePoolWithTag(entry, EXCLUDE_ALLOC_TAG);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": warning, exclude file list is not NULL : %p\n", cntx);
|
||||
return STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
//entry->type = Type;
|
||||
|
||||
// Push new list entry to context
|
||||
|
||||
if (Type == ExcludeRegKey || Type == ExcludeRegValue)
|
||||
{
|
||||
// We should add new entry in alphabet order
|
||||
head = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
|
||||
while (head != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
|
||||
{
|
||||
//INT res = StrCmpW(&entry->path.fullPath, &head->path.fullPath);
|
||||
INT res = RtlCompareUnicodeString(&entry->path.fullPath, &head->path.fullPath, TRUE);
|
||||
if (res <= 0)
|
||||
break;
|
||||
|
||||
head = (PEXCLUDE_FILE_LIST_ENTRY)head->list.Flink;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
head = (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead;
|
||||
}
|
||||
|
||||
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
|
||||
entry->guid = cntx->guidCounter++;
|
||||
InsertTailList((PLIST_ENTRY)head, (PLIST_ENTRY)entry);
|
||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||
|
||||
*EntryId = entry->guid;
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId)
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
|
||||
KLOCK_QUEUE_HANDLE lockHandle;
|
||||
PEXCLUDE_FILE_LIST_ENTRY entry;
|
||||
|
||||
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
|
||||
|
||||
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
|
||||
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
|
||||
{
|
||||
if (EntryId == entry->guid)
|
||||
{
|
||||
RemoveEntryList((PLIST_ENTRY)entry);
|
||||
ExFreePoolWithTag(entry, EXCLUDE_ALLOC_TAG);
|
||||
status = STATUS_SUCCESS;
|
||||
break;
|
||||
}
|
||||
|
||||
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
|
||||
}
|
||||
|
||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context)
|
||||
{
|
||||
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
|
||||
KLOCK_QUEUE_HANDLE lockHandle;
|
||||
PEXCLUDE_FILE_LIST_ENTRY entry;
|
||||
|
||||
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
|
||||
|
||||
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
|
||||
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
|
||||
{
|
||||
PEXCLUDE_FILE_LIST_ENTRY remove = entry;
|
||||
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
|
||||
RemoveEntryList((PLIST_ENTRY)remove);
|
||||
ExFreePoolWithTag(remove, EXCLUDE_ALLOC_TAG);
|
||||
}
|
||||
|
||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path)
|
||||
{
|
||||
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
|
||||
KLOCK_QUEUE_HANDLE lockHandle;
|
||||
PEXCLUDE_FILE_LIST_ENTRY entry;
|
||||
BOOLEAN result = FALSE;
|
||||
//UINT32 crc32;
|
||||
|
||||
//crc32 = GetCrc32(Path->Buffer, Path->Length, cntx->IVector);
|
||||
|
||||
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
|
||||
|
||||
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
|
||||
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
|
||||
{
|
||||
if (/*entry->type == ExcludeFile
|
||||
&& entry->dirCrc32 == crc32 // TEMPORARY DISABLED, because checksum isn't support case-insensetive string
|
||||
&&*/ RtlCompareUnicodeString(&entry->path.fullPath, Path, TRUE) == 0)
|
||||
{
|
||||
result = TRUE;
|
||||
break;
|
||||
}
|
||||
|
||||
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
|
||||
}
|
||||
|
||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
|
||||
{
|
||||
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
|
||||
KLOCK_QUEUE_HANDLE lockHandle;
|
||||
PEXCLUDE_FILE_LIST_ENTRY entry;
|
||||
UNICODE_STRING Directory, dir;
|
||||
BOOLEAN result = FALSE;
|
||||
|
||||
Directory = *Path;
|
||||
if (Directory.Length > 0 && Directory.Buffer[Directory.Length / sizeof(WCHAR) - 1] == L'\\')
|
||||
Directory.Length -= sizeof(WCHAR);
|
||||
|
||||
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
|
||||
|
||||
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
|
||||
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
|
||||
{
|
||||
dir = Directory;
|
||||
|
||||
if (dir.Length >= entry->path.fullPath.Length)
|
||||
{
|
||||
BOOLEAN compare = TRUE;
|
||||
|
||||
if (dir.Length > entry->path.fullPath.Length)
|
||||
{
|
||||
if (dir.Buffer[entry->path.fullPath.Length / sizeof(WCHAR)] != L'\\')
|
||||
compare = FALSE;
|
||||
else
|
||||
dir.Length = entry->path.fullPath.Length;
|
||||
}
|
||||
|
||||
if (compare && RtlCompareUnicodeString(&entry->path.fullPath, &dir, TRUE) == 0)
|
||||
{
|
||||
result = TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
|
||||
}
|
||||
|
||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
BOOLEAN CheckExcludeListDirFile(ExcludeContext Context, PCUNICODE_STRING Dir, PCUNICODE_STRING File)
|
||||
{
|
||||
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
|
||||
KLOCK_QUEUE_HANDLE lockHandle;
|
||||
PEXCLUDE_FILE_LIST_ENTRY entry;
|
||||
UNICODE_STRING Directory;
|
||||
BOOLEAN result = FALSE;
|
||||
|
||||
Directory = *Dir;
|
||||
|
||||
if (Directory.Length > 0 && Directory.Buffer[Directory.Length / sizeof(WCHAR) - 1] == L'\\')
|
||||
Directory.Length -= sizeof(WCHAR);
|
||||
|
||||
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
|
||||
|
||||
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
|
||||
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
|
||||
{
|
||||
if (RtlCompareUnicodeString(&entry->path.dirName, &Directory, TRUE) == 0
|
||||
&& RtlCompareUnicodeString(&entry->path.fileName, File, TRUE) == 0)
|
||||
{
|
||||
result = TRUE;
|
||||
break;
|
||||
}
|
||||
|
||||
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
|
||||
}
|
||||
|
||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
BOOLEAN CheckExcludeListRegKey(ExcludeContext Context, PUNICODE_STRING Key)
|
||||
{
|
||||
return CheckExcludeListDirectory(Context, Key);
|
||||
}
|
||||
|
||||
BOOLEAN CheckExcludeListRegKeyValueName(ExcludeContext Context, PUNICODE_STRING Key, PUNICODE_STRING Name, PUINT32 Increament)
|
||||
{
|
||||
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
|
||||
KLOCK_QUEUE_HANDLE lockHandle;
|
||||
PEXCLUDE_FILE_LIST_ENTRY entry;
|
||||
UNICODE_STRING Directory;
|
||||
BOOLEAN result = FALSE;
|
||||
|
||||
Directory = *Key;
|
||||
*Increament = 0;
|
||||
|
||||
if (Directory.Length > 0 && Directory.Buffer[Directory.Length / sizeof(WCHAR)-1] == L'\\')
|
||||
Directory.Length -= sizeof(WCHAR);
|
||||
|
||||
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
|
||||
|
||||
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
|
||||
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
|
||||
{
|
||||
if (RtlCompareUnicodeString(&entry->path.dirName, &Directory, TRUE) == 0)
|
||||
{
|
||||
INT res;
|
||||
|
||||
res = RtlCompareUnicodeString(&entry->path.fileName, Name, TRUE);
|
||||
if (res == 0)
|
||||
{
|
||||
(*Increament)++;
|
||||
result = TRUE;
|
||||
break;
|
||||
}
|
||||
else if (res < 0)
|
||||
{
|
||||
(*Increament)++;
|
||||
}
|
||||
else if (res > 0)
|
||||
{
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
|
||||
}
|
||||
|
||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
// ==========================================================================================
|
||||
|
||||
BOOLEAN FillDirectoryFromPath(PEXCULE_FILE_PATH path, PUNICODE_STRING filePath)
|
||||
{
|
||||
USHORT i, count;
|
||||
LPWSTR buffer = filePath->Buffer;
|
||||
|
||||
count = filePath->Length / sizeof(WCHAR);
|
||||
for (i = count - 1; i < count; i--)
|
||||
{
|
||||
if (buffer[i] == L'\\')
|
||||
{
|
||||
if (i + 1 >= count)
|
||||
return FALSE;
|
||||
|
||||
path->fileName.Buffer = buffer + i + 1;
|
||||
path->fileName.Length = (count - i - 1) * sizeof(WCHAR);
|
||||
path->fileName.MaximumLength = path->fileName.Length;
|
||||
|
||||
path->fullPath = *filePath;
|
||||
|
||||
path->dirName.Buffer = filePath->Buffer;
|
||||
path->dirName.Length = i * sizeof(WCHAR);
|
||||
path->dirName.MaximumLength = path->dirName.Length;
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
BOOLEAN InitFilePathByString(PEXCULE_FILE_PATH path, PUNICODE_STRING FilePath, PUINT32 DirCrc32, UINT32 iv)
|
||||
{
|
||||
if (!FillDirectoryFromPath(path, FilePath))
|
||||
return FALSE;
|
||||
|
||||
if (DirCrc32)
|
||||
*DirCrc32 = GetCrc32(path->dirName.Buffer, path->dirName.Length, iv);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
static const unsigned int g_crc32Table [256] = {
|
||||
0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419, 0x706AF48F, 0xE963A535,
|
||||
0x9E6495A3, 0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD,
|
||||
0xE7B82D07, 0x90BF1D91, 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE, 0x1ADAD47D,
|
||||
0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, 0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC,
|
||||
0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4,
|
||||
0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B, 0x35B5A8FA, 0x42B2986C,
|
||||
0xDBBBC9D6, 0xACBCF940, 0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59, 0x26D930AC,
|
||||
0x51DE003A, 0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F,
|
||||
0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924, 0x2F6F7C87, 0x58684C11, 0xC1611DAB,
|
||||
0xB6662D3D, 0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F,
|
||||
0x9FBFE4A5, 0xE8B8D433, 0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818, 0x7F6A0DBB,
|
||||
0x086D3D2D, 0x91646C97, 0xE6635C01, 0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E,
|
||||
0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA,
|
||||
0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65, 0x4DB26158, 0x3AB551CE,
|
||||
0xA3BC0074, 0xD4BB30E2, 0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A,
|
||||
0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9,
|
||||
0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409,
|
||||
0xCE61E49F, 0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17, 0x2EB40D81,
|
||||
0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A, 0xEAD54739,
|
||||
0x9DD277AF, 0x04DB2615, 0x73DC1683, 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,
|
||||
0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1, 0xF00F9344, 0x8708A3D2, 0x1E01F268,
|
||||
0x6906C2FE, 0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7, 0xFED41B76, 0x89D32BE0,
|
||||
0x10DA7A5A, 0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5, 0xD6D6A3E8,
|
||||
0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,
|
||||
0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF,
|
||||
0x4669BE79, 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236, 0xCC0C7795, 0xBB0B4703,
|
||||
0x220216B9, 0x5505262F, 0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7,
|
||||
0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D, 0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A,
|
||||
0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713, 0x95BF4A82, 0xE2B87A14, 0x7BB12BAE,
|
||||
0x0CB61B38, 0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, 0x86D3D2D4, 0xF1D4E242,
|
||||
0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777, 0x88085AE6,
|
||||
0xFF0F6A70, 0x66063BCA, 0x11010B5C, 0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45,
|
||||
0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7, 0x4969474D,
|
||||
0x3E6E77DB, 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5,
|
||||
0x47B2CF7F, 0x30B5FFE9, 0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605,
|
||||
0xCDD70693, 0x54DE5729, 0x23D967BF, 0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94,
|
||||
0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D
|
||||
};
|
||||
|
||||
unsigned int GetCrc32(void* buf, unsigned int size, unsigned int ivect)
|
||||
{
|
||||
unsigned char *src = (unsigned char*)buf;
|
||||
unsigned int crc = ~ivect;
|
||||
|
||||
while (size--)
|
||||
crc = (crc >> 8) ^ g_crc32Table[(crc ^ *src++) & 0xFF];
|
||||
|
||||
return 0xFFFFFFFF ^ crc;
|
||||
}
|
39
Hidden/ExcludeList.h
Normal file
39
Hidden/ExcludeList.h
Normal file
@ -0,0 +1,39 @@
|
||||
#pragma once
|
||||
|
||||
//#include <ntifs.h>
|
||||
#include <Ntddk.h>
|
||||
|
||||
enum ExcludeObjectType {
|
||||
ExcludeFile,
|
||||
ExcludeDirectory,
|
||||
ExcludeRegKey,
|
||||
ExcludeRegValue ,
|
||||
ExcludeMaxType,
|
||||
};
|
||||
|
||||
typedef PVOID ExcludeContext;
|
||||
typedef ExcludeContext* PExcludeContext;
|
||||
|
||||
typedef ULONGLONG ExcludeEntryId;
|
||||
typedef ExcludeEntryId* PExcludeEntryId;
|
||||
|
||||
typedef ULONGLONG ExcludeEnumId;
|
||||
typedef ExcludeEnumId* PExcludeEnumId;
|
||||
|
||||
NTSTATUS InitializeExcludeListContext(PExcludeContext Context, UINT32 Type);
|
||||
VOID DestroyExcludeListContext(ExcludeContext Context);
|
||||
|
||||
NTSTATUS AddExcludeListFile(ExcludeContext Context, PUNICODE_STRING FilePath, PExcludeEntryId EntryId);
|
||||
NTSTATUS AddExcludeListDirectory(ExcludeContext Context, PUNICODE_STRING DirPath, PExcludeEntryId EntryId);
|
||||
NTSTATUS AddExcludeListRegistryKey(ExcludeContext Context, PUNICODE_STRING KeyPath, PExcludeEntryId EntryId);
|
||||
NTSTATUS AddExcludeListRegistryValue(ExcludeContext Context, PUNICODE_STRING ValuePath, PExcludeEntryId EntryId);
|
||||
|
||||
NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId);
|
||||
NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context);
|
||||
|
||||
BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path);
|
||||
BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path);
|
||||
BOOLEAN CheckExcludeListDirFile(ExcludeContext Context, PCUNICODE_STRING Dir, PCUNICODE_STRING File);
|
||||
|
||||
BOOLEAN CheckExcludeListRegKey(ExcludeContext Context, PUNICODE_STRING Key);
|
||||
BOOLEAN CheckExcludeListRegKeyValueName(ExcludeContext Context, PUNICODE_STRING Key, PUNICODE_STRING Name, PUINT32 Increament);
|
892
Hidden/FsFilter.c
Normal file
892
Hidden/FsFilter.c
Normal file
@ -0,0 +1,892 @@
|
||||
// =========================================================================================
|
||||
// Filesystem Minifilter
|
||||
// =========================================================================================
|
||||
|
||||
#include <fltKernel.h>
|
||||
#include "ExcludeList.h"
|
||||
#include "FsFilter.h"
|
||||
#include "Helper.h"
|
||||
#include "PsMonitor.h"
|
||||
|
||||
NTSTATUS FilterSetup(PCFLT_RELATED_OBJECTS FltObjects, FLT_INSTANCE_SETUP_FLAGS Flags, DEVICE_TYPE VolumeDeviceType, FLT_FILESYSTEM_TYPE VolumeFilesystemType);
|
||||
|
||||
FLT_PREOP_CALLBACK_STATUS FltCreatePreOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext);
|
||||
//FLT_POSTOP_CALLBACK_STATUS FltCreatePostOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags);
|
||||
FLT_PREOP_CALLBACK_STATUS FltDirCtrlPreOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext);
|
||||
FLT_POSTOP_CALLBACK_STATUS FltDirCtrlPostOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags);
|
||||
|
||||
NTSTATUS CleanFileFullDirectoryInformation(PFILE_FULL_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName);
|
||||
NTSTATUS CleanFileBothDirectoryInformation(PFILE_BOTH_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName);
|
||||
NTSTATUS CleanFileDirectoryInformation(PFILE_DIRECTORY_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName);
|
||||
NTSTATUS CleanFileIdFullDirectoryInformation(PFILE_ID_FULL_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName);
|
||||
NTSTATUS CleanFileIdBothDirectoryInformation(PFILE_ID_BOTH_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName);
|
||||
NTSTATUS CleanFileNamesInformation(PFILE_NAMES_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName);
|
||||
|
||||
|
||||
const FLT_CONTEXT_REGISTRATION Contexts[] = {
|
||||
{ FLT_CONTEXT_END }
|
||||
};
|
||||
|
||||
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
|
||||
{ IRP_MJ_CREATE, 0, FltCreatePreOperation, /*FltCreatePostOperation*/ NULL },
|
||||
{ IRP_MJ_DIRECTORY_CONTROL, 0, FltDirCtrlPreOperation, FltDirCtrlPostOperation },
|
||||
{ IRP_MJ_OPERATION_END }
|
||||
};
|
||||
|
||||
CONST FLT_REGISTRATION FilterRegistration = {
|
||||
sizeof(FLT_REGISTRATION), // Size
|
||||
FLT_REGISTRATION_VERSION, // Version
|
||||
FLTFL_REGISTRATION_DO_NOT_SUPPORT_SERVICE_STOP, // Flags
|
||||
Contexts, // Context
|
||||
Callbacks, // Operation callbacks
|
||||
/*FilterUnload*/NULL, // MiniFilterUnload
|
||||
FilterSetup, // InstanceSetup
|
||||
NULL, // InstanceQueryTeardown
|
||||
NULL, // InstanceTeardownStart
|
||||
NULL, // InstanceTeardownComplete
|
||||
NULL, // GenerateFileName
|
||||
NULL, // GenerateDestinationFileName
|
||||
NULL // NormalizeNameComponent
|
||||
};
|
||||
|
||||
PFLT_FILTER gFilterHandle = NULL;
|
||||
|
||||
ExcludeContext g_excludeFileContext;
|
||||
ExcludeContext g_excludeDirectoryContext;
|
||||
|
||||
CONST PWCHAR g_excludeFiles[] = {
|
||||
// L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc.exe",
|
||||
// L"\\Device\\HarddiskVolume1\\test.txt",
|
||||
// L"\\Device\\HarddiskVolume1\\abcd\\test.txt",
|
||||
NULL
|
||||
};
|
||||
|
||||
CONST PWCHAR g_excludeDirs[] = {
|
||||
// L"\\Device\\HarddiskVolume1\\abc",
|
||||
// L"\\Device\\HarddiskVolume1\\abcd\\abc",
|
||||
// L"\\Device\\HarddiskVolume1\\New folder",
|
||||
NULL
|
||||
};
|
||||
|
||||
NTSTATUS DestroyFSMiniFilter()
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Entered %d\n", (UINT32)KeGetCurrentIrql());
|
||||
|
||||
FltUnregisterFilter(gFilterHandle);
|
||||
gFilterHandle = NULL;
|
||||
|
||||
DestroyExcludeListContext(g_excludeFileContext);
|
||||
DestroyExcludeListContext(g_excludeDirectoryContext);
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS FilterSetup(PCFLT_RELATED_OBJECTS FltObjects, FLT_INSTANCE_SETUP_FLAGS Flags, DEVICE_TYPE VolumeDeviceType, FLT_FILESYSTEM_TYPE VolumeFilesystemType)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(FltObjects);
|
||||
UNREFERENCED_PARAMETER(Flags);
|
||||
UNREFERENCED_PARAMETER(VolumeDeviceType);
|
||||
UNREFERENCED_PARAMETER(VolumeFilesystemType);
|
||||
|
||||
PAGED_CODE();
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Entered %d\n", (UINT32)KeGetCurrentIrql());
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
enum {
|
||||
FoundExcludeFile = 1,
|
||||
FoundExcludeDir = 2,
|
||||
};
|
||||
|
||||
FLT_PREOP_CALLBACK_STATUS FltCreatePreOperation(
|
||||
_Inout_ PFLT_CALLBACK_DATA Data,
|
||||
_In_ PCFLT_RELATED_OBJECTS FltObjects,
|
||||
_Flt_CompletionContext_Outptr_ PVOID *CompletionContext)
|
||||
{
|
||||
UINT32 disposition, options;
|
||||
PFLT_FILE_NAME_INFORMATION fltName;
|
||||
NTSTATUS status;
|
||||
BOOLEAN neededPrevent = FALSE;
|
||||
|
||||
UNREFERENCED_PARAMETER(FltObjects);
|
||||
UNREFERENCED_PARAMETER(CompletionContext);
|
||||
|
||||
//DbgPrint("!!!!! " __FUNCTION__ ": Entered %d\n", (ULONG)KeGetCurrentIrql());
|
||||
//DbgPrint("%wZ %x\n", &Data->Iopb->TargetFileObject->FileName, Data->Iopb->Parameters.Create.Options);
|
||||
|
||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||
return FLT_PREOP_SUCCESS_NO_CALLBACK;
|
||||
}
|
||||
|
||||
options = Data->Iopb->Parameters.Create.Options & 0x00FFFFFF;
|
||||
disposition = (Data->Iopb->Parameters.Create.Options & 0xFF000000) >> 24;
|
||||
|
||||
status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED, &fltName);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
if (status != STATUS_OBJECT_PATH_NOT_FOUND)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": FltGetFileNameInformation failed with code:%08x\n", status);
|
||||
|
||||
return FLT_PREOP_SUCCESS_NO_CALLBACK;
|
||||
}
|
||||
|
||||
if (!(options & FILE_DIRECTORY_FILE))
|
||||
{
|
||||
// If it is create file event
|
||||
if (CheckExcludeListDirectory(g_excludeFileContext, &fltName->Name))
|
||||
neededPrevent = TRUE;
|
||||
}
|
||||
|
||||
// If it is create directory/file event
|
||||
if (!neededPrevent && CheckExcludeListDirectory(g_excludeDirectoryContext, &fltName->Name))
|
||||
neededPrevent = TRUE;
|
||||
|
||||
FltReleaseFileNameInformation(fltName);
|
||||
|
||||
if (neededPrevent)
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Create file\\dir operation canceled for: %wZ\n", &Data->Iopb->TargetFileObject->FileName);
|
||||
Data->IoStatus.Status = STATUS_NO_SUCH_FILE;
|
||||
return FLT_PREOP_COMPLETE;
|
||||
}
|
||||
|
||||
return FLT_PREOP_SUCCESS_NO_CALLBACK;
|
||||
}
|
||||
|
||||
FLT_PREOP_CALLBACK_STATUS FltDirCtrlPreOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
|
||||
{
|
||||
PAGED_CODE();
|
||||
|
||||
UNREFERENCED_PARAMETER(FltObjects);
|
||||
UNREFERENCED_PARAMETER(CompletionContext);
|
||||
|
||||
//DbgPrint("!!!!! " __FUNCTION__ ": Entered\n");
|
||||
//DbgPrint("%wZ\n", &Data->Iopb->TargetFileObject->FileName);
|
||||
|
||||
if (Data->Iopb->MinorFunction != IRP_MN_QUERY_DIRECTORY)
|
||||
return FLT_PREOP_SUCCESS_NO_CALLBACK;
|
||||
|
||||
switch (Data->Iopb->Parameters.DirectoryControl.QueryDirectory.FileInformationClass)
|
||||
{
|
||||
case FileIdFullDirectoryInformation:
|
||||
case FileIdBothDirectoryInformation:
|
||||
case FileBothDirectoryInformation:
|
||||
case FileDirectoryInformation:
|
||||
case FileFullDirectoryInformation:
|
||||
case FileNamesInformation:
|
||||
break;
|
||||
default:
|
||||
return FLT_PREOP_SUCCESS_NO_CALLBACK;
|
||||
}
|
||||
|
||||
return FLT_PREOP_SUCCESS_WITH_CALLBACK;
|
||||
}
|
||||
|
||||
FLT_POSTOP_CALLBACK_STATUS FltDirCtrlPostOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags)
|
||||
{
|
||||
PFLT_PARAMETERS params = &Data->Iopb->Parameters;
|
||||
PFLT_FILE_NAME_INFORMATION fltName;
|
||||
NTSTATUS status;
|
||||
|
||||
UNREFERENCED_PARAMETER(FltObjects);
|
||||
UNREFERENCED_PARAMETER(CompletionContext);
|
||||
UNREFERENCED_PARAMETER(Flags);
|
||||
|
||||
PAGED_CODE();
|
||||
|
||||
if (!NT_SUCCESS(Data->IoStatus.Status))
|
||||
return FLT_POSTOP_FINISHED_PROCESSING;
|
||||
|
||||
//DbgPrint("!!!!! " __FUNCTION__ ": Entered %d\n", (UINT32)KeGetCurrentIrql());
|
||||
//DbgPrint("%wZ\n", &Data->Iopb->TargetFileObject->FileName);
|
||||
|
||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||
return FLT_POSTOP_FINISHED_PROCESSING;
|
||||
}
|
||||
|
||||
status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED, &fltName);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": FltGetFileNameInformation failed with code:%08x\n", status);
|
||||
return FLT_POSTOP_FINISHED_PROCESSING;
|
||||
}
|
||||
|
||||
__try
|
||||
{
|
||||
status = STATUS_SUCCESS;
|
||||
|
||||
switch (params->DirectoryControl.QueryDirectory.FileInformationClass)
|
||||
{
|
||||
case FileFullDirectoryInformation:
|
||||
status = CleanFileFullDirectoryInformation((PFILE_FULL_DIR_INFORMATION)params->DirectoryControl.QueryDirectory.DirectoryBuffer, fltName);
|
||||
break;
|
||||
case FileBothDirectoryInformation:
|
||||
status = CleanFileBothDirectoryInformation((PFILE_BOTH_DIR_INFORMATION)params->DirectoryControl.QueryDirectory.DirectoryBuffer, fltName);
|
||||
break;
|
||||
case FileDirectoryInformation:
|
||||
status = CleanFileDirectoryInformation((PFILE_DIRECTORY_INFORMATION)params->DirectoryControl.QueryDirectory.DirectoryBuffer, fltName);
|
||||
break;
|
||||
case FileIdFullDirectoryInformation:
|
||||
status = CleanFileIdFullDirectoryInformation((PFILE_ID_FULL_DIR_INFORMATION)params->DirectoryControl.QueryDirectory.DirectoryBuffer, fltName);
|
||||
break;
|
||||
case FileIdBothDirectoryInformation:
|
||||
status = CleanFileIdBothDirectoryInformation((PFILE_ID_BOTH_DIR_INFORMATION)params->DirectoryControl.QueryDirectory.DirectoryBuffer, fltName);
|
||||
break;
|
||||
case FileNamesInformation:
|
||||
status = CleanFileNamesInformation((PFILE_NAMES_INFORMATION)params->DirectoryControl.QueryDirectory.DirectoryBuffer, fltName);
|
||||
break;
|
||||
}
|
||||
|
||||
Data->IoStatus.Status = status;
|
||||
}
|
||||
__finally
|
||||
{
|
||||
FltReleaseFileNameInformation(fltName);
|
||||
}
|
||||
|
||||
return FLT_POSTOP_FINISHED_PROCESSING;
|
||||
}
|
||||
|
||||
NTSTATUS CleanFileFullDirectoryInformation(PFILE_FULL_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName)
|
||||
{
|
||||
PFILE_FULL_DIR_INFORMATION nextInfo, prevInfo = NULL;
|
||||
UNICODE_STRING fileName;
|
||||
UINT32 offset, moveLength;
|
||||
BOOLEAN matched, search;
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
|
||||
offset = 0;
|
||||
search = TRUE;
|
||||
|
||||
do
|
||||
{
|
||||
fileName.Buffer = info->FileName;
|
||||
fileName.Length = (USHORT)info->FileNameLength;
|
||||
fileName.MaximumLength = (USHORT)info->FileNameLength;
|
||||
|
||||
if (info->FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
|
||||
matched = CheckExcludeListDirFile(g_excludeDirectoryContext, &fltName->Name, &fileName);
|
||||
else
|
||||
matched = CheckExcludeListDirFile(g_excludeFileContext, &fltName->Name, &fileName);
|
||||
|
||||
if (matched)
|
||||
{
|
||||
BOOLEAN retn = FALSE;
|
||||
|
||||
if (prevInfo != NULL)
|
||||
{
|
||||
if (info->NextEntryOffset != 0)
|
||||
{
|
||||
prevInfo->NextEntryOffset += info->NextEntryOffset;
|
||||
offset = info->NextEntryOffset;
|
||||
}
|
||||
else
|
||||
{
|
||||
prevInfo->NextEntryOffset = 0;
|
||||
status = STATUS_SUCCESS;
|
||||
retn = TRUE;
|
||||
}
|
||||
|
||||
RtlFillMemory(info, sizeof(info), 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
if (info->NextEntryOffset != 0)
|
||||
{
|
||||
nextInfo = (PFILE_FULL_DIR_INFORMATION)((PUCHAR)info + info->NextEntryOffset);
|
||||
moveLength = 0;
|
||||
while (nextInfo->NextEntryOffset != 0)
|
||||
{
|
||||
moveLength += FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
|
||||
nextInfo = (PFILE_FULL_DIR_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset);
|
||||
}
|
||||
|
||||
moveLength += FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
|
||||
RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue
|
||||
}
|
||||
else
|
||||
{
|
||||
status = STATUS_NO_MORE_ENTRIES;
|
||||
retn = TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": removed: %wZ\\%wZ\n", &fltName->Name, &fileName);
|
||||
|
||||
if (retn)
|
||||
return status;
|
||||
|
||||
info = (PFILE_FULL_DIR_INFORMATION)((PCHAR)info + offset);
|
||||
continue;
|
||||
}
|
||||
|
||||
offset = info->NextEntryOffset;
|
||||
prevInfo = info;
|
||||
info = (PFILE_FULL_DIR_INFORMATION)((PCHAR)info + offset);
|
||||
|
||||
if (offset == 0)
|
||||
search = FALSE;
|
||||
} while (search);
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS CleanFileBothDirectoryInformation(PFILE_BOTH_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName)
|
||||
{
|
||||
PFILE_BOTH_DIR_INFORMATION nextInfo, prevInfo = NULL;
|
||||
UNICODE_STRING fileName;
|
||||
UINT32 offset, moveLength;
|
||||
BOOLEAN matched, search;
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
|
||||
offset = 0;
|
||||
search = TRUE;
|
||||
|
||||
do
|
||||
{
|
||||
fileName.Buffer = info->FileName;
|
||||
fileName.Length = (USHORT)info->FileNameLength;
|
||||
fileName.MaximumLength = (USHORT)info->FileNameLength;
|
||||
|
||||
if (info->FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
|
||||
matched = CheckExcludeListDirFile(g_excludeDirectoryContext, &fltName->Name, &fileName);
|
||||
else
|
||||
matched = CheckExcludeListDirFile(g_excludeFileContext, &fltName->Name, &fileName);
|
||||
|
||||
if (matched)
|
||||
{
|
||||
BOOLEAN retn = FALSE;
|
||||
|
||||
if (prevInfo != NULL)
|
||||
{
|
||||
if (info->NextEntryOffset != 0)
|
||||
{
|
||||
prevInfo->NextEntryOffset += info->NextEntryOffset;
|
||||
offset = info->NextEntryOffset;
|
||||
}
|
||||
else
|
||||
{
|
||||
prevInfo->NextEntryOffset = 0;
|
||||
status = STATUS_SUCCESS;
|
||||
retn = TRUE;
|
||||
}
|
||||
|
||||
RtlFillMemory(info, sizeof(info), 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
if (info->NextEntryOffset != 0)
|
||||
{
|
||||
nextInfo = (PFILE_BOTH_DIR_INFORMATION)((PUCHAR)info + info->NextEntryOffset);
|
||||
moveLength = 0;
|
||||
while (nextInfo->NextEntryOffset != 0)
|
||||
{
|
||||
moveLength += FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
|
||||
nextInfo = (PFILE_BOTH_DIR_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset);
|
||||
}
|
||||
|
||||
moveLength += FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
|
||||
RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue
|
||||
}
|
||||
else
|
||||
{
|
||||
status = STATUS_NO_MORE_ENTRIES;
|
||||
retn = TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": removed: %wZ\\%wZ\n", &fltName->Name, &fileName);
|
||||
|
||||
if (retn)
|
||||
return status;
|
||||
|
||||
info = (PFILE_BOTH_DIR_INFORMATION)((PCHAR)info + offset);
|
||||
continue;
|
||||
}
|
||||
|
||||
offset = info->NextEntryOffset;
|
||||
prevInfo = info;
|
||||
info = (PFILE_BOTH_DIR_INFORMATION)((PCHAR)info + offset);
|
||||
|
||||
if (offset == 0)
|
||||
search = FALSE;
|
||||
} while (search);
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS CleanFileDirectoryInformation(PFILE_DIRECTORY_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName)
|
||||
{
|
||||
PFILE_DIRECTORY_INFORMATION nextInfo, prevInfo = NULL;
|
||||
UNICODE_STRING fileName;
|
||||
UINT32 offset, moveLength;
|
||||
BOOLEAN matched, search;
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
|
||||
offset = 0;
|
||||
search = TRUE;
|
||||
|
||||
do
|
||||
{
|
||||
fileName.Buffer = info->FileName;
|
||||
fileName.Length = (USHORT)info->FileNameLength;
|
||||
fileName.MaximumLength = (USHORT)info->FileNameLength;
|
||||
|
||||
if (info->FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
|
||||
matched = CheckExcludeListDirFile(g_excludeDirectoryContext, &fltName->Name, &fileName);
|
||||
else
|
||||
matched = CheckExcludeListDirFile(g_excludeFileContext, &fltName->Name, &fileName);
|
||||
|
||||
if (matched)
|
||||
{
|
||||
BOOLEAN retn = FALSE;
|
||||
|
||||
if (prevInfo != NULL)
|
||||
{
|
||||
if (info->NextEntryOffset != 0)
|
||||
{
|
||||
prevInfo->NextEntryOffset += info->NextEntryOffset;
|
||||
offset = info->NextEntryOffset;
|
||||
}
|
||||
else
|
||||
{
|
||||
prevInfo->NextEntryOffset = 0;
|
||||
status = STATUS_SUCCESS;
|
||||
retn = TRUE;
|
||||
}
|
||||
|
||||
RtlFillMemory(info, sizeof(info), 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
if (info->NextEntryOffset != 0)
|
||||
{
|
||||
nextInfo = (PFILE_DIRECTORY_INFORMATION)((PUCHAR)info + info->NextEntryOffset);
|
||||
moveLength = 0;
|
||||
while (nextInfo->NextEntryOffset != 0)
|
||||
{
|
||||
moveLength += FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileName) + nextInfo->FileNameLength;
|
||||
nextInfo = (PFILE_DIRECTORY_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset);
|
||||
}
|
||||
|
||||
moveLength += FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileName) + nextInfo->FileNameLength;
|
||||
RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue
|
||||
}
|
||||
else
|
||||
{
|
||||
status = STATUS_NO_MORE_ENTRIES;
|
||||
retn = TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": removed: %wZ\\%wZ\n", &fltName->Name, &fileName);
|
||||
|
||||
if (retn)
|
||||
return status;
|
||||
|
||||
info = (PFILE_DIRECTORY_INFORMATION)((PCHAR)info + offset);
|
||||
continue;
|
||||
}
|
||||
|
||||
offset = info->NextEntryOffset;
|
||||
prevInfo = info;
|
||||
info = (PFILE_DIRECTORY_INFORMATION)((PCHAR)info + offset);
|
||||
|
||||
if (offset == 0)
|
||||
search = FALSE;
|
||||
} while (search);
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS CleanFileIdFullDirectoryInformation(PFILE_ID_FULL_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName)
|
||||
{
|
||||
PFILE_ID_FULL_DIR_INFORMATION nextInfo, prevInfo = NULL;
|
||||
UNICODE_STRING fileName;
|
||||
UINT32 offset, moveLength;
|
||||
BOOLEAN matched, search;
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
|
||||
offset = 0;
|
||||
search = TRUE;
|
||||
|
||||
do
|
||||
{
|
||||
fileName.Buffer = info->FileName;
|
||||
fileName.Length = (USHORT)info->FileNameLength;
|
||||
fileName.MaximumLength = (USHORT)info->FileNameLength;
|
||||
|
||||
if (info->FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
|
||||
matched = CheckExcludeListDirFile(g_excludeDirectoryContext, &fltName->Name, &fileName);
|
||||
else
|
||||
matched = CheckExcludeListDirFile(g_excludeFileContext, &fltName->Name, &fileName);
|
||||
|
||||
if (matched)
|
||||
{
|
||||
BOOLEAN retn = FALSE;
|
||||
|
||||
if (prevInfo != NULL)
|
||||
{
|
||||
if (info->NextEntryOffset != 0)
|
||||
{
|
||||
prevInfo->NextEntryOffset += info->NextEntryOffset;
|
||||
offset = info->NextEntryOffset;
|
||||
}
|
||||
else
|
||||
{
|
||||
prevInfo->NextEntryOffset = 0;
|
||||
status = STATUS_SUCCESS;
|
||||
retn = TRUE;
|
||||
}
|
||||
|
||||
RtlFillMemory(info, sizeof(info), 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
if (info->NextEntryOffset != 0)
|
||||
{
|
||||
nextInfo = (PFILE_ID_FULL_DIR_INFORMATION)((PUCHAR)info + info->NextEntryOffset);
|
||||
moveLength = 0;
|
||||
while (nextInfo->NextEntryOffset != 0)
|
||||
{
|
||||
moveLength += FIELD_OFFSET(FILE_ID_FULL_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
|
||||
nextInfo = (PFILE_ID_FULL_DIR_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset);
|
||||
}
|
||||
|
||||
moveLength += FIELD_OFFSET(FILE_ID_FULL_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
|
||||
RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue
|
||||
}
|
||||
else
|
||||
{
|
||||
status = STATUS_NO_MORE_ENTRIES;
|
||||
retn = TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": removed: %wZ\\%wZ\n", &fltName->Name, &fileName);
|
||||
|
||||
if (retn)
|
||||
return status;
|
||||
|
||||
info = (PFILE_ID_FULL_DIR_INFORMATION)((PCHAR)info + offset);
|
||||
continue;
|
||||
}
|
||||
|
||||
offset = info->NextEntryOffset;
|
||||
prevInfo = info;
|
||||
info = (PFILE_ID_FULL_DIR_INFORMATION)((PCHAR)info + offset);
|
||||
|
||||
if (offset == 0)
|
||||
search = FALSE;
|
||||
} while (search);
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS CleanFileIdBothDirectoryInformation(PFILE_ID_BOTH_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName)
|
||||
{
|
||||
PFILE_ID_BOTH_DIR_INFORMATION nextInfo, prevInfo = NULL;
|
||||
UNICODE_STRING fileName;
|
||||
UINT32 offset, moveLength;
|
||||
BOOLEAN matched, search;
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
|
||||
offset = 0;
|
||||
search = TRUE;
|
||||
|
||||
do
|
||||
{
|
||||
fileName.Buffer = info->FileName;
|
||||
fileName.Length = (USHORT)info->FileNameLength;
|
||||
fileName.MaximumLength = (USHORT)info->FileNameLength;
|
||||
|
||||
if (info->FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
|
||||
matched = CheckExcludeListDirFile(g_excludeDirectoryContext, &fltName->Name, &fileName);
|
||||
else
|
||||
matched = CheckExcludeListDirFile(g_excludeFileContext, &fltName->Name, &fileName);
|
||||
|
||||
if (matched)
|
||||
{
|
||||
BOOLEAN retn = FALSE;
|
||||
|
||||
if (prevInfo != NULL)
|
||||
{
|
||||
if (info->NextEntryOffset != 0)
|
||||
{
|
||||
prevInfo->NextEntryOffset += info->NextEntryOffset;
|
||||
offset = info->NextEntryOffset;
|
||||
}
|
||||
else
|
||||
{
|
||||
prevInfo->NextEntryOffset = 0;
|
||||
status = STATUS_SUCCESS;
|
||||
retn = TRUE;
|
||||
}
|
||||
|
||||
RtlFillMemory(info, sizeof(info), 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
if (info->NextEntryOffset != 0)
|
||||
{
|
||||
nextInfo = (PFILE_ID_BOTH_DIR_INFORMATION)((PUCHAR)info + info->NextEntryOffset);
|
||||
moveLength = 0;
|
||||
while (nextInfo->NextEntryOffset != 0)
|
||||
{
|
||||
moveLength += FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
|
||||
nextInfo = (PFILE_ID_BOTH_DIR_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset);
|
||||
}
|
||||
|
||||
moveLength += FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
|
||||
RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue
|
||||
}
|
||||
else
|
||||
{
|
||||
status = STATUS_NO_MORE_ENTRIES;
|
||||
retn = TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": removed: %wZ\\%wZ\n", &fltName->Name, &fileName);
|
||||
|
||||
if (retn)
|
||||
return status;
|
||||
|
||||
info = (PFILE_ID_BOTH_DIR_INFORMATION)((PCHAR)info + offset);
|
||||
continue;
|
||||
}
|
||||
|
||||
offset = info->NextEntryOffset;
|
||||
prevInfo = info;
|
||||
info = (PFILE_ID_BOTH_DIR_INFORMATION)((PCHAR)info + offset);
|
||||
|
||||
if (offset == 0)
|
||||
search = FALSE;
|
||||
} while (search);
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS CleanFileNamesInformation(PFILE_NAMES_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName)
|
||||
{
|
||||
PFILE_NAMES_INFORMATION nextInfo, prevInfo = NULL;
|
||||
UNICODE_STRING fileName;
|
||||
UINT32 offset, moveLength;
|
||||
BOOLEAN search;
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
|
||||
offset = 0;
|
||||
search = TRUE;
|
||||
|
||||
do
|
||||
{
|
||||
fileName.Buffer = info->FileName;
|
||||
fileName.Length = (USHORT)info->FileNameLength;
|
||||
fileName.MaximumLength = (USHORT)info->FileNameLength;
|
||||
|
||||
//TODO: check, are there can be directories?
|
||||
if (CheckExcludeListDirFile(g_excludeFileContext, &fltName->Name, &fileName))
|
||||
{
|
||||
BOOLEAN retn = FALSE;
|
||||
|
||||
if (prevInfo != NULL)
|
||||
{
|
||||
if (info->NextEntryOffset != 0)
|
||||
{
|
||||
prevInfo->NextEntryOffset += info->NextEntryOffset;
|
||||
offset = info->NextEntryOffset;
|
||||
}
|
||||
else
|
||||
{
|
||||
prevInfo->NextEntryOffset = 0;
|
||||
status = STATUS_SUCCESS;
|
||||
retn = TRUE;
|
||||
}
|
||||
|
||||
RtlFillMemory(info, sizeof(info), 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
if (info->NextEntryOffset != 0)
|
||||
{
|
||||
nextInfo = (PFILE_NAMES_INFORMATION)((PUCHAR)info + info->NextEntryOffset);
|
||||
moveLength = 0;
|
||||
while (nextInfo->NextEntryOffset != 0)
|
||||
{
|
||||
moveLength += FIELD_OFFSET(FILE_NAMES_INFORMATION, FileName) + nextInfo->FileNameLength;
|
||||
nextInfo = (PFILE_NAMES_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset);
|
||||
}
|
||||
|
||||
moveLength += FIELD_OFFSET(FILE_NAMES_INFORMATION, FileName) + nextInfo->FileNameLength;
|
||||
RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue
|
||||
}
|
||||
else
|
||||
{
|
||||
status = STATUS_NO_MORE_ENTRIES;
|
||||
retn = TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": removed: %wZ\\%wZ\n", &fltName->Name, &fileName);
|
||||
|
||||
if (retn)
|
||||
return status;
|
||||
|
||||
info = (PFILE_NAMES_INFORMATION)((PCHAR)info + offset);
|
||||
continue;
|
||||
}
|
||||
|
||||
offset = info->NextEntryOffset;
|
||||
prevInfo = info;
|
||||
info = (PFILE_NAMES_INFORMATION)((PCHAR)info + offset);
|
||||
|
||||
if (offset == 0)
|
||||
search = FALSE;
|
||||
} while (search);
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject)
|
||||
{
|
||||
NTSTATUS status;
|
||||
UNICODE_STRING str;
|
||||
UINT32 i;
|
||||
ExcludeEntryId id;
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Entered %d\n", (UINT32)KeGetCurrentIrql());
|
||||
|
||||
// Initialize and fill exclude file\dir lists
|
||||
|
||||
status = InitializeExcludeListContext(&g_excludeFileContext, ExcludeFile);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": exclude file list initialization failed with code:%08x\n", status);
|
||||
return status;
|
||||
}
|
||||
|
||||
for (i = 0; g_excludeFiles[i]; i++)
|
||||
{
|
||||
RtlInitUnicodeString(&str, g_excludeFiles[i]);
|
||||
AddExcludeListFile(g_excludeFileContext, &str, &id);
|
||||
}
|
||||
|
||||
status = InitializeExcludeListContext(&g_excludeDirectoryContext, ExcludeDirectory);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": exclude file list initialization failed with code:%08x\n", status);
|
||||
DestroyExcludeListContext(g_excludeFileContext);
|
||||
return status;
|
||||
}
|
||||
|
||||
for (i = 0; g_excludeDirs[i]; i++)
|
||||
{
|
||||
RtlInitUnicodeString(&str, g_excludeDirs[i]);
|
||||
AddExcludeListDirectory(g_excludeDirectoryContext, &str, &id);
|
||||
}
|
||||
|
||||
// Filesystem mini-filter initialization
|
||||
|
||||
status = FltRegisterFilter(DriverObject, &FilterRegistration, &gFilterHandle);
|
||||
if (NT_SUCCESS(status))
|
||||
{
|
||||
status = FltStartFiltering(gFilterHandle);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
FltUnregisterFilter(gFilterHandle);
|
||||
}
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Completed status:%08x\n", status);
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS AddHiddenFile(PUNICODE_STRING FilePath, PULONGLONG ObjId)
|
||||
{
|
||||
const USHORT maxBufSize = FilePath->Length + NORMALIZE_INCREAMENT;
|
||||
UNICODE_STRING normalized;
|
||||
NTSTATUS status;
|
||||
|
||||
normalized.Buffer = (PWCH)ExAllocatePool(PagedPool, maxBufSize);
|
||||
normalized.Length = 0;
|
||||
normalized.MaximumLength = maxBufSize;
|
||||
|
||||
if (!normalized.Buffer)
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": error, can't allocate buffer\n");
|
||||
return STATUS_MEMORY_NOT_ALLOCATED;
|
||||
}
|
||||
|
||||
status = NormalizeDevicePath(FilePath, &normalized);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, FilePath);
|
||||
ExFreePool(normalized.Buffer);
|
||||
return status;
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": add file:%wZ\n", &normalized);
|
||||
status = AddExcludeListFile(g_excludeFileContext, &normalized, ObjId);
|
||||
|
||||
ExFreePool(normalized.Buffer);
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS RemoveHiddenFile(ULONGLONG ObjId)
|
||||
{
|
||||
return RemoveExcludeListEntry(g_excludeFileContext, ObjId);
|
||||
}
|
||||
|
||||
NTSTATUS RemoveAllHiddenFiles()
|
||||
{
|
||||
return RemoveAllExcludeListEntries(g_excludeFileContext);
|
||||
}
|
||||
|
||||
NTSTATUS AddHiddenDir(PUNICODE_STRING DirPath, PULONGLONG ObjId)
|
||||
{
|
||||
const USHORT maxBufSize = DirPath->Length + NORMALIZE_INCREAMENT;
|
||||
UNICODE_STRING normalized;
|
||||
NTSTATUS status;
|
||||
|
||||
normalized.Buffer = (PWCH)ExAllocatePool(PagedPool, maxBufSize);
|
||||
normalized.Length = 0;
|
||||
normalized.MaximumLength = maxBufSize;
|
||||
|
||||
if (!normalized.Buffer)
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": error, can't allocate buffer\n");
|
||||
return STATUS_MEMORY_NOT_ALLOCATED;
|
||||
}
|
||||
|
||||
status = NormalizeDevicePath(DirPath, &normalized);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, DirPath);
|
||||
ExFreePool(normalized.Buffer);
|
||||
return status;
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": add dir:%wZ\n", &normalized);
|
||||
status = AddExcludeListDirectory(g_excludeDirectoryContext, &normalized, ObjId);
|
||||
ExFreePool(normalized.Buffer);
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS RemoveHiddenDir(ULONGLONG ObjId)
|
||||
{
|
||||
return RemoveExcludeListEntry(g_excludeDirectoryContext, ObjId);
|
||||
}
|
||||
|
||||
NTSTATUS RemoveAllHiddenDirs()
|
||||
{
|
||||
return RemoveAllExcludeListEntries(g_excludeDirectoryContext);
|
||||
}
|
14
Hidden/FsFilter.h
Normal file
14
Hidden/FsFilter.h
Normal file
@ -0,0 +1,14 @@
|
||||
#pragma once
|
||||
|
||||
#include <Ntddk.h>
|
||||
|
||||
NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject);
|
||||
NTSTATUS DestroyFSMiniFilter();
|
||||
|
||||
NTSTATUS AddHiddenFile(PUNICODE_STRING FilePath, PULONGLONG ObjId);
|
||||
NTSTATUS RemoveHiddenFile(ULONGLONG ObjId);
|
||||
NTSTATUS RemoveAllHiddenFiles();
|
||||
|
||||
NTSTATUS AddHiddenDir(PUNICODE_STRING DirPath, PULONGLONG ObjId);
|
||||
NTSTATUS RemoveHiddenDir(ULONGLONG ObjId);
|
||||
NTSTATUS RemoveAllHiddenDirs();
|
168
Hidden/Helper.c
Normal file
168
Hidden/Helper.c
Normal file
@ -0,0 +1,168 @@
|
||||
#include "Helper.h"
|
||||
|
||||
#define HELPER_ALLOC_TAG 'rplH'
|
||||
|
||||
NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffer, PSIZE_T InfoSize)
|
||||
{
|
||||
PVOID info = NULL;
|
||||
NTSTATUS status;
|
||||
ULONG size = 0, written = 0;
|
||||
|
||||
// Query required size
|
||||
status = NtQuerySystemInformation(Class, 0, 0, &size);
|
||||
if (status != STATUS_INFO_LENGTH_MISMATCH)
|
||||
return status;
|
||||
|
||||
while (status == STATUS_INFO_LENGTH_MISMATCH)
|
||||
{
|
||||
size += written; // We should allocate little bit more space
|
||||
|
||||
if (info)
|
||||
ExFreePoolWithTag(info, HELPER_ALLOC_TAG);
|
||||
|
||||
info = ExAllocatePoolWithTag(NonPagedPool, size, HELPER_ALLOC_TAG);
|
||||
if (!info)
|
||||
break;
|
||||
|
||||
status = NtQuerySystemInformation(Class, info, size, &written);
|
||||
}
|
||||
|
||||
if (!info)
|
||||
return STATUS_ACCESS_DENIED;
|
||||
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
ExFreePoolWithTag(info, HELPER_ALLOC_TAG);
|
||||
return status;
|
||||
}
|
||||
|
||||
*InfoBuffer = info;
|
||||
*InfoSize = size;
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE Process, PVOID* InfoBuffer, PSIZE_T InfoSize)
|
||||
{
|
||||
PVOID info = NULL;
|
||||
NTSTATUS status;
|
||||
ULONG size = 0, written = 0;
|
||||
|
||||
// Query required size
|
||||
status = NtQueryInformationProcess(Process, Class, 0, 0, &size);
|
||||
if (status != STATUS_INFO_LENGTH_MISMATCH)
|
||||
return status;
|
||||
|
||||
while (status == STATUS_INFO_LENGTH_MISMATCH)
|
||||
{
|
||||
size += written; // We should allocate little bit more space
|
||||
|
||||
if (info)
|
||||
ExFreePoolWithTag(info, HELPER_ALLOC_TAG);
|
||||
|
||||
info = ExAllocatePoolWithTag(NonPagedPool, size, HELPER_ALLOC_TAG);
|
||||
if (!info)
|
||||
break;
|
||||
|
||||
status = NtQueryInformationProcess(Process, Class, info, size, &written);
|
||||
}
|
||||
|
||||
if (!info)
|
||||
return STATUS_ACCESS_DENIED;
|
||||
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
ExFreePoolWithTag(info, HELPER_ALLOC_TAG);
|
||||
return status;
|
||||
}
|
||||
|
||||
*InfoBuffer = info;
|
||||
*InfoSize = size;
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
VOID FreeInformation(PVOID Buffer)
|
||||
{
|
||||
ExFreePoolWithTag(Buffer, HELPER_ALLOC_TAG);
|
||||
}
|
||||
|
||||
//
|
||||
// Convertion template:
|
||||
// \\??\\C:\\Windows -> \\Device\\HarddiskVolume1\\Windows
|
||||
//
|
||||
NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized)
|
||||
{
|
||||
UNICODE_STRING globalPrefix , dvcPrefix;
|
||||
NTSTATUS status;
|
||||
|
||||
RtlInitUnicodeString(&globalPrefix, L"\\??\\");
|
||||
RtlInitUnicodeString(&dvcPrefix, L"\\Device\\");
|
||||
|
||||
if (RtlPrefixUnicodeString(&globalPrefix, Path, TRUE))
|
||||
{
|
||||
OBJECT_ATTRIBUTES attribs;
|
||||
UNICODE_STRING subPath;
|
||||
HANDLE hsymLink;
|
||||
ULONG i, written, size;
|
||||
|
||||
subPath.Buffer = (PWCH)((PUCHAR)Path->Buffer + globalPrefix.Length);
|
||||
subPath.Length = Path->Length - globalPrefix.Length;
|
||||
|
||||
for (i = 0; i < subPath.Length; i++)
|
||||
{
|
||||
if (subPath.Buffer[i] == L'\\')
|
||||
{
|
||||
subPath.Length = (USHORT)(i * sizeof(WCHAR));
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (subPath.Length == 0)
|
||||
return STATUS_INVALID_PARAMETER_1;
|
||||
|
||||
subPath.Buffer = Path->Buffer;
|
||||
subPath.Length += globalPrefix.Length;
|
||||
|
||||
// Open symlink
|
||||
|
||||
InitializeObjectAttributes(&attribs, &subPath, OBJ_KERNEL_HANDLE, NULL, NULL);
|
||||
|
||||
status = ZwOpenSymbolicLinkObject(&hsymLink, GENERIC_READ, &attribs);
|
||||
if (!NT_SUCCESS(status))
|
||||
return status;
|
||||
|
||||
// Query original name
|
||||
|
||||
status = ZwQuerySymbolicLinkObject(hsymLink, Normalized, &written);
|
||||
ZwClose(hsymLink);
|
||||
if (!NT_SUCCESS(status))
|
||||
return status;
|
||||
|
||||
// Construct new variable
|
||||
|
||||
size = Path->Length - subPath.Length + Normalized->Length;
|
||||
if (size > Normalized->MaximumLength)
|
||||
return STATUS_BUFFER_OVERFLOW;
|
||||
|
||||
subPath.Buffer = (PWCH)((PUCHAR)Path->Buffer + subPath.Length);
|
||||
subPath.Length = Path->Length - subPath.Length;
|
||||
|
||||
status = RtlAppendUnicodeStringToString(Normalized, &subPath);
|
||||
if (!NT_SUCCESS(status))
|
||||
return status;
|
||||
}
|
||||
else if (RtlPrefixUnicodeString(&dvcPrefix, Path, TRUE))
|
||||
{
|
||||
Normalized->Length = 0;
|
||||
status = RtlAppendUnicodeStringToString(Normalized, Path);
|
||||
if (!NT_SUCCESS(status))
|
||||
return status;
|
||||
}
|
||||
else
|
||||
{
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
58
Hidden/Helper.h
Normal file
58
Hidden/Helper.h
Normal file
@ -0,0 +1,58 @@
|
||||
#pragma once
|
||||
|
||||
#include <Ntddk.h>
|
||||
|
||||
typedef enum _SYSTEM_INFORMATION_CLASS {
|
||||
SystemBasicInformation = 0,
|
||||
SystemPerformanceInformation = 2,
|
||||
SystemTimeOfDayInformation = 3,
|
||||
SystemProcessInformation = 5,
|
||||
SystemProcessorPerformanceInformation = 8,
|
||||
SystemInterruptInformation = 23,
|
||||
SystemExceptionInformation = 33,
|
||||
SystemRegistryQuotaInformation = 37,
|
||||
SystemLookasideInformation = 45,
|
||||
SystemPolicyInformation = 134,
|
||||
} SYSTEM_INFORMATION_CLASS;
|
||||
|
||||
typedef struct _SYSTEM_PROCESS_INFORMATION {
|
||||
ULONG NextEntryOffset;
|
||||
ULONG NumberOfThreads;
|
||||
LARGE_INTEGER Reserved[3];
|
||||
LARGE_INTEGER CreateTime;
|
||||
LARGE_INTEGER UserTime;
|
||||
LARGE_INTEGER KernelTime;
|
||||
UNICODE_STRING ImageName;
|
||||
KPRIORITY BasePriority;
|
||||
HANDLE ProcessId;
|
||||
HANDLE InheritedFromProcessId;
|
||||
ULONG HandleCount;
|
||||
UCHAR Reserved4[4];
|
||||
PVOID Reserved5[11];
|
||||
SIZE_T PeakPagefileUsage;
|
||||
SIZE_T PrivatePageCount;
|
||||
LARGE_INTEGER Reserved6[6];
|
||||
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
|
||||
|
||||
NTSYSAPI NTSTATUS NTAPI NtQuerySystemInformation(
|
||||
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
|
||||
_Inout_ PVOID SystemInformation,
|
||||
_In_ ULONG SystemInformationLength,
|
||||
_Out_opt_ PULONG ReturnLength
|
||||
);
|
||||
|
||||
NTSYSAPI NTSTATUS NTAPI NtQueryInformationProcess(
|
||||
_In_ HANDLE ProcessHandle,
|
||||
_In_ PROCESSINFOCLASS ProcessInformationClass,
|
||||
_Out_ PVOID ProcessInformation,
|
||||
_In_ ULONG ProcessInformationLength,
|
||||
_Out_opt_ PULONG ReturnLength
|
||||
);
|
||||
|
||||
NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffer, PSIZE_T InfoSize);
|
||||
NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE ProcessId, PVOID* InfoBuffer, PSIZE_T InfoSize);
|
||||
VOID FreeInformation(PVOID Buffer);
|
||||
|
||||
#define NORMALIZE_INCREAMENT (USHORT)64
|
||||
|
||||
NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized);
|
100
Hidden/Hidden.inf
Normal file
100
Hidden/Hidden.inf
Normal file
@ -0,0 +1,100 @@
|
||||
;;;
|
||||
;;; Hidden
|
||||
;;;
|
||||
|
||||
[Version]
|
||||
Signature = "$Windows NT$"
|
||||
; TODO - Change the Class and ClassGuid to match the Load Order Group value, see http://msdn.microsoft.com/en-us/windows/hardware/gg462963
|
||||
Class = "ActivityMonitor" ;This is determined by the work this filter driver does
|
||||
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value
|
||||
;Class = "_TODO_Change_Class_appropriately_"
|
||||
;ClassGuid = {_TODO_Change_ClassGuid_appropriately_}
|
||||
Provider = %ManufacturerName%
|
||||
DriverVer = 3/27/2016
|
||||
CatalogFile = Hidden.cat
|
||||
|
||||
[DestinationDirs]
|
||||
DefaultDestDir = 12
|
||||
MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers
|
||||
|
||||
;;
|
||||
;; Default install sections
|
||||
;;
|
||||
|
||||
[DefaultInstall]
|
||||
OptionDesc = %ServiceDescription%
|
||||
CopyFiles = MiniFilter.DriverFiles
|
||||
|
||||
[DefaultInstall.Services]
|
||||
AddService = %ServiceName%,,MiniFilter.Service
|
||||
|
||||
;;
|
||||
;; Default uninstall sections
|
||||
;;
|
||||
|
||||
[DefaultUninstall]
|
||||
DelFiles = MiniFilter.DriverFiles
|
||||
|
||||
[DefaultUninstall.Services]
|
||||
DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting
|
||||
|
||||
;
|
||||
; Services Section
|
||||
;
|
||||
|
||||
[MiniFilter.Service]
|
||||
DisplayName = %ServiceName%
|
||||
Description = %ServiceDescription%
|
||||
ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\
|
||||
Dependencies = "FltMgr"
|
||||
ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER
|
||||
StartType = 3 ;SERVICE_DEMAND_START
|
||||
ErrorControl = 1 ;SERVICE_ERROR_NORMAL
|
||||
; TODO - Change the Load Order Group value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512
|
||||
LoadOrderGroup = "FSFilter Activity Monitor"
|
||||
;LoadOrderGroup = "_TODO_Change_LoadOrderGroup_appropriately_"
|
||||
AddReg = MiniFilter.AddRegistry
|
||||
|
||||
;
|
||||
; Registry Modifications
|
||||
;
|
||||
|
||||
[MiniFilter.AddRegistry]
|
||||
HKR,,"DebugFlags",0x00010001 ,0x0
|
||||
HKR,,"SupportedFeatures",0x00010001,0x3
|
||||
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
|
||||
HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
|
||||
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%
|
||||
|
||||
;
|
||||
; Copy Files
|
||||
;
|
||||
|
||||
[MiniFilter.DriverFiles]
|
||||
%DriverName%.sys
|
||||
|
||||
[SourceDisksFiles]
|
||||
Hidden.sys = 1,,
|
||||
|
||||
[SourceDisksNames]
|
||||
1 = %DiskId1%,,,
|
||||
|
||||
;;
|
||||
;; String Section
|
||||
;;
|
||||
|
||||
[Strings]
|
||||
; TODO - Add your manufacturer
|
||||
ManufacturerName = "Template"
|
||||
ServiceDescription = "Hidden Kernel Driver"
|
||||
ServiceName = "Hidden"
|
||||
DriverName = "Hidden"
|
||||
DiskId1 = "Hidden Device Installation Disk"
|
||||
|
||||
;Instances specific information.
|
||||
DefaultInstance = "Hidden Instance"
|
||||
Instance1.Name = "Hidden Instance"
|
||||
; TODO - Change the altitude value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512
|
||||
Instance1.Altitude = "370030"
|
||||
;Instance.Altitude = "_TODO_Change_Altitude_appropriately_"
|
||||
Instance1.Flags = 0x0 ; Allow all attachments
|
10
Hidden/Hidden.rc
Normal file
10
Hidden/Hidden.rc
Normal file
@ -0,0 +1,10 @@
|
||||
#include <windows.h>
|
||||
|
||||
#include <ntverp.h>
|
||||
|
||||
#define VER_FILETYPE VFT_DRV
|
||||
#define VER_FILESUBTYPE VFT2_DRV_SYSTEM
|
||||
#define VER_FILEDESCRIPTION_STR "Hidden Kernel Driver"
|
||||
#define VER_INTERNALNAME_STR "Hidden.sys"
|
||||
|
||||
#include "common.ver"
|
290
Hidden/Hidden.vcxproj
Normal file
290
Hidden/Hidden.vcxproj
Normal file
@ -0,0 +1,290 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Win8.1 Debug|Win32">
|
||||
<Configuration>Win8.1 Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win8.1 Release|Win32">
|
||||
<Configuration>Win8.1 Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win8 Debug|Win32">
|
||||
<Configuration>Win8 Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win8 Release|Win32">
|
||||
<Configuration>Win8 Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win7 Debug|Win32">
|
||||
<Configuration>Win7 Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win7 Release|Win32">
|
||||
<Configuration>Win7 Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win8.1 Debug|x64">
|
||||
<Configuration>Win8.1 Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win8.1 Release|x64">
|
||||
<Configuration>Win8.1 Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win8 Debug|x64">
|
||||
<Configuration>Win8 Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win8 Release|x64">
|
||||
<Configuration>Win8 Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win7 Debug|x64">
|
||||
<Configuration>Win7 Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Win7 Release|x64">
|
||||
<Configuration>Win7 Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="Device.c" />
|
||||
<ClCompile Include="FsFilter.c" />
|
||||
<ClCompile Include="Helper.c" />
|
||||
<ClCompile Include="PsMonitor.c" />
|
||||
<ClCompile Include="PsTable.c" />
|
||||
<ClCompile Include="RegFilter.c" />
|
||||
<ResourceCompile Include="Hidden.rc" />
|
||||
<ClCompile Include="ExcludeList.c" />
|
||||
<ClCompile Include="Driver.c" />
|
||||
<Inf Include="Hidden.inf" />
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<ProjectGuid>{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}</ProjectGuid>
|
||||
<TemplateGuid>{f2f62967-0815-4fd7-9b86-6eedcac766eb}</TemplateGuid>
|
||||
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
|
||||
<MinimumVisualStudioVersion>11.0</MinimumVisualStudioVersion>
|
||||
<Configuration>Win8.1 Debug</Configuration>
|
||||
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
|
||||
<RootNamespace>Hidden</RootNamespace>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|Win32'" Label="Configuration">
|
||||
<TargetVersion>WindowsV6.3</TargetVersion>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Driver</ConfigurationType>
|
||||
<DriverType>WDM</DriverType>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|Win32'" Label="Configuration">
|
||||
<TargetVersion>WindowsV6.3</TargetVersion>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Driver</ConfigurationType>
|
||||
<DriverType>WDM</DriverType>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|Win32'" Label="Configuration">
|
||||
<TargetVersion>Windows8</TargetVersion>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Driver</ConfigurationType>
|
||||
<DriverType>WDM</DriverType>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|Win32'" Label="Configuration">
|
||||
<TargetVersion>Windows8</TargetVersion>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Driver</ConfigurationType>
|
||||
<DriverType>WDM</DriverType>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|Win32'" Label="Configuration">
|
||||
<TargetVersion>Windows7</TargetVersion>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Driver</ConfigurationType>
|
||||
<DriverType>WDM</DriverType>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|Win32'" Label="Configuration">
|
||||
<TargetVersion>Windows7</TargetVersion>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Driver</ConfigurationType>
|
||||
<DriverType>WDM</DriverType>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|x64'" Label="Configuration">
|
||||
<TargetVersion>WindowsV6.3</TargetVersion>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Driver</ConfigurationType>
|
||||
<DriverType>WDM</DriverType>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|x64'" Label="Configuration">
|
||||
<TargetVersion>WindowsV6.3</TargetVersion>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Driver</ConfigurationType>
|
||||
<DriverType>WDM</DriverType>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|x64'" Label="Configuration">
|
||||
<TargetVersion>Windows8</TargetVersion>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Driver</ConfigurationType>
|
||||
<DriverType>WDM</DriverType>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|x64'" Label="Configuration">
|
||||
<TargetVersion>Windows8</TargetVersion>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Driver</ConfigurationType>
|
||||
<DriverType>WDM</DriverType>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|x64'" Label="Configuration">
|
||||
<TargetVersion>Windows7</TargetVersion>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Driver</ConfigurationType>
|
||||
<DriverType>WDM</DriverType>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|x64'" Label="Configuration">
|
||||
<TargetVersion>Windows7</TargetVersion>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
|
||||
<ConfigurationType>Driver</ConfigurationType>
|
||||
<DriverType>WDM</DriverType>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|Win32'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|Win32'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|Win32'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|Win32'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|Win32'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|Win32'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|x64'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|x64'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|x64'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|x64'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|x64'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|x64'">
|
||||
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|Win32'">
|
||||
<Link>
|
||||
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|Win32'">
|
||||
<Link>
|
||||
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|Win32'">
|
||||
<Link>
|
||||
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|Win32'">
|
||||
<Link>
|
||||
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|Win32'">
|
||||
<Link>
|
||||
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalOptions>/INTEGRITYCHECK %(AdditionalOptions)</AdditionalOptions>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|Win32'">
|
||||
<Link>
|
||||
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalOptions>/INTEGRITYCHECK %(AdditionalOptions)</AdditionalOptions>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Debug|x64'">
|
||||
<Link>
|
||||
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8.1 Release|x64'">
|
||||
<Link>
|
||||
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Debug|x64'">
|
||||
<Link>
|
||||
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win8 Release|x64'">
|
||||
<Link>
|
||||
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|x64'">
|
||||
<Link>
|
||||
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|x64'">
|
||||
<Link>
|
||||
<AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<FilesToPackage Include="$(TargetPath)" />
|
||||
<FilesToPackage Include="@(Inf->'%(CopyOutput)')" Condition="'@(Inf)'!=''" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Text Include="back.txt" />
|
||||
<Text Include="todo.txt" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Device.h" />
|
||||
<ClInclude Include="DeviceAPI.h" />
|
||||
<ClInclude Include="ExcludeList.h" />
|
||||
<ClInclude Include="FsFilter.h" />
|
||||
<ClInclude Include="Driver.h" />
|
||||
<ClInclude Include="Helper.h" />
|
||||
<ClInclude Include="PsMonitor.h" />
|
||||
<ClInclude Include="PsTable.h" />
|
||||
<ClInclude Include="RegFilter.h" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<None Include="Hidden.inf" />
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
90
Hidden/Hidden.vcxproj.filters
Normal file
90
Hidden/Hidden.vcxproj.filters
Normal file
@ -0,0 +1,90 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup>
|
||||
<Filter Include="Source Files">
|
||||
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
|
||||
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
|
||||
</Filter>
|
||||
<Filter Include="Header Files">
|
||||
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
|
||||
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
|
||||
</Filter>
|
||||
<Filter Include="Resource Files">
|
||||
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
|
||||
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
|
||||
</Filter>
|
||||
<Filter Include="Driver Files">
|
||||
<UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
|
||||
<Extensions>inf;inv;inx;mof;mc;</Extensions>
|
||||
</Filter>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Inf Include="FsFilter1.inf">
|
||||
<Filter>Driver Files</Filter>
|
||||
</Inf>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="ExcludeList.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="RegFilter.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="Driver.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="FsFilter.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="PsMonitor.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="Device.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="Helper.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="PsTable.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ResourceCompile Include="FsFilter1.rc">
|
||||
<Filter>Resource Files</Filter>
|
||||
</ResourceCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Text Include="back.txt" />
|
||||
<Text Include="todo.txt" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="ExcludeList.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="RegFilter.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="FsFilter.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="PsMonitor.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="Driver.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="DeviceAPI.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="Device.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="Helper.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="PsTable.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
</Project>
|
355
Hidden/PsMonitor.c
Normal file
355
Hidden/PsMonitor.c
Normal file
@ -0,0 +1,355 @@
|
||||
#include "PsMonitor.h"
|
||||
#include "ExcludeList.h"
|
||||
#include "Helper.h"
|
||||
#include "PsTable.h"
|
||||
|
||||
PVOID g_obRegCallback = NULL;
|
||||
|
||||
OB_OPERATION_REGISTRATION g_regOperation[2];
|
||||
OB_CALLBACK_REGISTRATION g_regCallback;
|
||||
|
||||
ExcludeContext g_excludeProcessContext;
|
||||
ExcludeContext g_protectProcessContext;
|
||||
|
||||
CONST PWCHAR g_excludeProcesses[] = {
|
||||
L"\\??\\C:\\Windows\\System32\\calc.exe",
|
||||
L"\\??\\C:\\Windows\\System32\\cmd.exe",
|
||||
L"\\??\\C:\\Windows\\System32\\reg.exe",
|
||||
NULL
|
||||
};
|
||||
|
||||
CONST PWCHAR g_protectProcesses[] = {
|
||||
L"\\??\\C:\\Windows\\System32\\cmd.exe",
|
||||
L"\\??\\C:\\Windows\\System32\\csrss.exe",
|
||||
L"\\??\\C:\\Windows\\System32\\services.exe",
|
||||
NULL
|
||||
};
|
||||
|
||||
CONST PWCHAR g_systemProcesses[] = {
|
||||
L"\\??\\C:\\Windows\\System32\\smss.exe",
|
||||
L"\\??\\C:\\Windows\\System32\\csrss.exe",
|
||||
L"\\??\\C:\\Windows\\System32\\wininit.exe",
|
||||
L"\\??\\C:\\Windows\\System32\\services.exe",
|
||||
NULL
|
||||
};
|
||||
|
||||
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
|
||||
|
||||
OB_PREOP_CALLBACK_STATUS ProcessPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(RegistrationContext);
|
||||
|
||||
if (OperationInformation->KernelHandle)
|
||||
return OB_PREOP_SUCCESS;
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! Process: %d(%d:%d), Oper: %s, Space: %s\n",
|
||||
PsGetProcessId(OperationInformation->Object), PsGetCurrentProcessId(), PsGetCurrentThreadId(),
|
||||
(OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE ? "create" : "dup"),
|
||||
(OperationInformation->KernelHandle ? "kernel" : "user")
|
||||
);
|
||||
|
||||
if (!IsProcessProtected(PsGetProcessId(OperationInformation->Object)))
|
||||
return OB_PREOP_SUCCESS;
|
||||
|
||||
if (IsProcessProtected(PsGetCurrentProcessId()))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected process %d\n", PsGetCurrentProcessId());
|
||||
return OB_PREOP_SUCCESS;
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! disallow protected process %d\n", PsGetCurrentProcessId());
|
||||
|
||||
if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
|
||||
OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = (SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION);
|
||||
else
|
||||
OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = (SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION);
|
||||
|
||||
return OB_PREOP_SUCCESS;
|
||||
}
|
||||
|
||||
OB_PREOP_CALLBACK_STATUS ThreadPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(RegistrationContext);
|
||||
|
||||
if (OperationInformation->KernelHandle)
|
||||
return OB_PREOP_SUCCESS;
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Thread: %d(%d:%d), Oper: %s, Space: %s\n",
|
||||
PsGetThreadId(OperationInformation->Object), PsGetCurrentProcessId(), PsGetCurrentThreadId(),
|
||||
(OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE ? "create" : "dup"),
|
||||
(OperationInformation->KernelHandle ? "kernel" : "user")
|
||||
);
|
||||
|
||||
if (!IsProcessProtected(PsGetProcessId(OperationInformation->Object)))
|
||||
return OB_PREOP_SUCCESS;
|
||||
|
||||
if (IsProcessProtected(PsGetCurrentProcessId()))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected thread %d\n", PsGetCurrentProcessId());
|
||||
return OB_PREOP_SUCCESS;
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! disallow protected thread %d\n", PsGetCurrentProcessId());
|
||||
|
||||
if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
|
||||
OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = (SYNCHRONIZE | THREAD_QUERY_LIMITED_INFORMATION);
|
||||
else
|
||||
OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = (SYNCHRONIZE | THREAD_QUERY_LIMITED_INFORMATION);
|
||||
|
||||
return OB_PREOP_SUCCESS;
|
||||
}
|
||||
|
||||
VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDLE ParentId)
|
||||
{
|
||||
ProcessTableEntry lookup;
|
||||
RtlZeroMemory(&lookup, sizeof(lookup));
|
||||
|
||||
// Check exclude flag
|
||||
|
||||
if (CheckExcludeListFile(g_excludeProcessContext, ImgPath))
|
||||
{
|
||||
Entry->excluded = TRUE;
|
||||
}
|
||||
else if (ParentId != 0)
|
||||
{
|
||||
lookup.processId = ParentId;
|
||||
if (!GetProcessInProcessTable(&lookup))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't find parent process(pid:%d) in process table (exclude)\n", ParentId);
|
||||
else
|
||||
Entry->excluded = lookup.excluded;
|
||||
}
|
||||
|
||||
// Check protected flag
|
||||
|
||||
if (CheckExcludeListFile(g_protectProcessContext, ImgPath))
|
||||
{
|
||||
Entry->protected = TRUE;
|
||||
}
|
||||
else if (ParentId != 0)
|
||||
{
|
||||
if (!lookup.processId)
|
||||
{
|
||||
lookup.processId = ParentId;
|
||||
if (!GetProcessInProcessTable(&lookup))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't find parent process(pid:%d) in process table (protected)\n", ParentId);
|
||||
else
|
||||
Entry->protected = lookup.protected;
|
||||
}
|
||||
else
|
||||
{
|
||||
Entry->protected = lookup.protected;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
|
||||
{
|
||||
ProcessTableEntry entry;
|
||||
|
||||
UNREFERENCED_PARAMETER(Process);
|
||||
|
||||
if (CreateInfo)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! new process: %d (%d:%d), %wZ\n", ProcessId, PsGetCurrentProcessId(), PsGetCurrentThreadId(), CreateInfo->ImageFileName);
|
||||
else
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! destroy process: %d (%d:%d)\n", ProcessId, PsGetCurrentProcessId(), PsGetCurrentThreadId());
|
||||
|
||||
RtlZeroMemory(&entry, sizeof(entry));
|
||||
entry.processId = ProcessId;
|
||||
|
||||
if (CreateInfo)
|
||||
{
|
||||
const USHORT maxBufSize = CreateInfo->ImageFileName->Length + NORMALIZE_INCREAMENT;
|
||||
UNICODE_STRING normalized;
|
||||
NTSTATUS status;
|
||||
|
||||
normalized.Buffer = (PWCH)ExAllocatePool(PagedPool, maxBufSize);
|
||||
normalized.Length = 0;
|
||||
normalized.MaximumLength = maxBufSize;
|
||||
|
||||
if (!normalized.Buffer)
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": error, can't allocate buffer\n");
|
||||
return;
|
||||
}
|
||||
|
||||
status = NormalizeDevicePath(CreateInfo->ImageFileName, &normalized);
|
||||
ExFreePool(normalized.Buffer);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, CreateInfo->ImageFileName);
|
||||
return;
|
||||
}
|
||||
|
||||
CheckProcessFlags(&entry, CreateInfo->ImageFileName, CreateInfo->ParentProcessId);
|
||||
|
||||
if (entry.excluded)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": excluded process:%d\n", ProcessId);
|
||||
|
||||
if (entry.protected)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": protected process:%d\n", ProcessId);
|
||||
|
||||
if (!AddProcessToProcessTable(&entry))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't add process(pid:%d) to process table\n", ProcessId);
|
||||
}
|
||||
else
|
||||
{
|
||||
if (!RemoveProcessFromProcessTable(&entry))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove process(pid:%d) from process table\n", ProcessId);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
BOOLEAN IsProcessExcluded(HANDLE ProcessId)
|
||||
{
|
||||
ProcessTableEntry entry;
|
||||
|
||||
entry.processId = ProcessId;
|
||||
if (!GetProcessInProcessTable(&entry))
|
||||
return FALSE;
|
||||
|
||||
return entry.excluded;
|
||||
}
|
||||
|
||||
BOOLEAN IsProcessProtected(HANDLE ProcessId)
|
||||
{
|
||||
ProcessTableEntry entry;
|
||||
|
||||
entry.processId = ProcessId;
|
||||
if (!GetProcessInProcessTable(&entry))
|
||||
return FALSE;
|
||||
|
||||
return entry.protected;
|
||||
}
|
||||
|
||||
NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
||||
{
|
||||
const USHORT maxBufSize = 512;
|
||||
NTSTATUS status;
|
||||
UNICODE_STRING str, normalized;
|
||||
UINT32 i;
|
||||
ExcludeEntryId id;
|
||||
|
||||
UNREFERENCED_PARAMETER(DriverObject);
|
||||
|
||||
normalized.Buffer = (PWCH)ExAllocatePool(NonPagedPool, maxBufSize);
|
||||
normalized.Length = 0;
|
||||
normalized.MaximumLength = maxBufSize;
|
||||
if (!normalized.Buffer)
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": allocation failed\n");
|
||||
return STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
// Initialize and fill exclude file\dir lists
|
||||
|
||||
status = InitializeExcludeListContext(&g_excludeProcessContext, ExcludeFile);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": exclude process list initialization failed with code:%08x\n", status);
|
||||
return status;
|
||||
}
|
||||
|
||||
for (i = 0; g_excludeProcesses[i]; i++)
|
||||
{
|
||||
RtlInitUnicodeString(&str, g_excludeProcesses[i]);
|
||||
|
||||
status = NormalizeDevicePath(&str, &normalized);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, &str);
|
||||
continue;
|
||||
}
|
||||
|
||||
AddExcludeListFile(g_excludeProcessContext, &normalized, &id);
|
||||
}
|
||||
|
||||
status = InitializeExcludeListContext(&g_protectProcessContext, ExcludeDirectory);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": protect process list initialization failed with code:%08x\n", status);
|
||||
DestroyExcludeListContext(g_excludeProcessContext);
|
||||
ExFreePool(normalized.Buffer);
|
||||
return status;
|
||||
}
|
||||
|
||||
for (i = 0; g_protectProcesses[i]; i++)
|
||||
{
|
||||
RtlInitUnicodeString(&str, g_protectProcesses[i]);
|
||||
|
||||
status = NormalizeDevicePath(&str, &normalized);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, &str);
|
||||
continue;
|
||||
}
|
||||
|
||||
AddExcludeListDirectory(g_protectProcessContext, &normalized, &id);
|
||||
}
|
||||
|
||||
status = InitializeProcessTable(CheckProcessFlags);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DestroyExcludeListContext(g_excludeProcessContext);
|
||||
DestroyExcludeListContext(g_protectProcessContext);
|
||||
ExFreePool(normalized.Buffer);
|
||||
return status;
|
||||
}
|
||||
|
||||
ExFreePool(normalized.Buffer);
|
||||
|
||||
// Register ps\thr pre create\duplicate object callback
|
||||
|
||||
g_regOperation[0].ObjectType = PsProcessType;
|
||||
g_regOperation[0].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
|
||||
g_regOperation[0].PreOperation = ProcessPreCallback;
|
||||
g_regOperation[0].PostOperation = NULL;
|
||||
|
||||
g_regOperation[1].ObjectType = PsThreadType;
|
||||
g_regOperation[1].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
|
||||
g_regOperation[1].PreOperation = ThreadPreCallback;
|
||||
g_regOperation[1].PostOperation = NULL;
|
||||
|
||||
g_regCallback.Version = OB_FLT_REGISTRATION_VERSION;
|
||||
g_regCallback.OperationRegistrationCount = 2;
|
||||
g_regCallback.RegistrationContext = NULL;
|
||||
g_regCallback.OperationRegistration = g_regOperation;
|
||||
RtlInitUnicodeString(&g_regCallback.Altitude, L"1000");
|
||||
|
||||
status = ObRegisterCallbacks(&g_regCallback, &g_obRegCallback);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Object filter registration failed with code:%08x\n", status);
|
||||
DestroyPsMonitor();
|
||||
return status;
|
||||
}
|
||||
|
||||
// Register rocess create\destroy callback
|
||||
|
||||
status = PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyCallback, FALSE);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": process notify registartion failed with code:%08x\n", status);
|
||||
DestroyPsMonitor();
|
||||
return status;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS DestroyPsMonitor()
|
||||
{
|
||||
if (g_obRegCallback)
|
||||
{
|
||||
ObUnRegisterCallbacks(g_obRegCallback);
|
||||
g_obRegCallback = NULL;
|
||||
}
|
||||
|
||||
PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyCallback, TRUE);
|
||||
|
||||
DestroyExcludeListContext(g_excludeProcessContext);
|
||||
DestroyExcludeListContext(g_protectProcessContext);
|
||||
|
||||
DestroyProcessTable();
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
9
Hidden/PsMonitor.h
Normal file
9
Hidden/PsMonitor.h
Normal file
@ -0,0 +1,9 @@
|
||||
#pragma once
|
||||
|
||||
#include <Ntddk.h>
|
||||
|
||||
NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject);
|
||||
NTSTATUS DestroyPsMonitor();
|
||||
|
||||
BOOLEAN IsProcessExcluded(HANDLE ProcessId);
|
||||
BOOLEAN IsProcessProtected(HANDLE ProcessId);
|
201
Hidden/PsTable.c
Normal file
201
Hidden/PsTable.c
Normal file
@ -0,0 +1,201 @@
|
||||
#include "PsTable.h"
|
||||
#include "Helper.h"
|
||||
|
||||
#define PSTREE_ALLOC_TAG 'rTsP'
|
||||
|
||||
RTL_AVL_TABLE g_processTable;
|
||||
KSPIN_LOCK g_processTableLock;
|
||||
|
||||
RTL_GENERIC_COMPARE_RESULTS CompareProcessTableEntry(struct _RTL_AVL_TABLE *Table, PVOID FirstStruct, PVOID SecondStruct)
|
||||
{
|
||||
PProcessTableEntry first = (PProcessTableEntry)FirstStruct;
|
||||
PProcessTableEntry second = (PProcessTableEntry)SecondStruct;
|
||||
|
||||
UNREFERENCED_PARAMETER(Table);
|
||||
|
||||
if (first->processId > second->processId)
|
||||
return GenericGreaterThan;
|
||||
|
||||
if (first->processId < second->processId)
|
||||
return GenericLessThan;
|
||||
|
||||
return GenericEqual;
|
||||
}
|
||||
|
||||
PVOID AllocateProcessTableEntry(struct _RTL_AVL_TABLE *Table, CLONG ByteSize)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(Table);
|
||||
return ExAllocatePoolWithTag(NonPagedPool, ByteSize, PSTREE_ALLOC_TAG);
|
||||
}
|
||||
|
||||
VOID FreeProcessTableEntry(struct _RTL_AVL_TABLE *Table, PVOID Buffer)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(Table);
|
||||
ExFreePoolWithTag(Buffer, PSTREE_ALLOC_TAG);
|
||||
}
|
||||
|
||||
// API
|
||||
|
||||
BOOLEAN AddProcessToProcessTable(PProcessTableEntry entry)
|
||||
{
|
||||
KLOCK_QUEUE_HANDLE lockHandle;
|
||||
BOOLEAN result = FALSE;
|
||||
PVOID buf;
|
||||
|
||||
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||
buf = RtlInsertElementGenericTableAvl(&g_processTable, entry, sizeof(ProcessTableEntry), &result);
|
||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||
|
||||
if (buf == NULL)
|
||||
return FALSE;
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
BOOLEAN RemoveProcessFromProcessTable(PProcessTableEntry entry)
|
||||
{
|
||||
KLOCK_QUEUE_HANDLE lockHandle;
|
||||
BOOLEAN result;
|
||||
|
||||
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||
result = RtlDeleteElementGenericTableAvl(&g_processTable, entry);
|
||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
BOOLEAN GetProcessInProcessTable(PProcessTableEntry entry)
|
||||
{
|
||||
KLOCK_QUEUE_HANDLE lockHandle;
|
||||
PProcessTableEntry entry2;
|
||||
|
||||
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||
entry2 = (PProcessTableEntry)RtlLookupElementGenericTableAvl(&g_processTable, entry);
|
||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||
|
||||
if (!entry2)
|
||||
return FALSE;
|
||||
|
||||
RtlCopyMemory(entry, entry2, sizeof(ProcessTableEntry));
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
BOOLEAN UpdateProcessInProcessTable(PProcessTableEntry entry)
|
||||
{
|
||||
KLOCK_QUEUE_HANDLE lockHandle;
|
||||
PProcessTableEntry entry2;
|
||||
|
||||
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||
entry2 = (PProcessTableEntry)RtlLookupElementGenericTableAvl(&g_processTable, entry);
|
||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||
|
||||
if (!entry2)
|
||||
return FALSE;
|
||||
|
||||
RtlCopyMemory(entry2, entry, sizeof(ProcessTableEntry));
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
// Initialization
|
||||
|
||||
NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEntry, PCUNICODE_STRING, HANDLE))
|
||||
{
|
||||
PSYSTEM_PROCESS_INFORMATION processInfo = NULL, first;
|
||||
NTSTATUS status;
|
||||
ULONG size = 0, offset;
|
||||
|
||||
// Init process table
|
||||
|
||||
KeInitializeSpinLock(&g_processTableLock);
|
||||
RtlInitializeGenericTableAvl(&g_processTable, CompareProcessTableEntry, AllocateProcessTableEntry, FreeProcessTableEntry, NULL);
|
||||
|
||||
// We should query processes information for creation process table for existing processes
|
||||
|
||||
status = QuerySystemInformation(SystemProcessInformation, &processInfo, &size);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": query system information(pslist) failed with code:%08x\n", status);
|
||||
return status;
|
||||
}
|
||||
|
||||
offset = 0;
|
||||
first = processInfo;
|
||||
do
|
||||
{
|
||||
ProcessTableEntry entry;
|
||||
PUNICODE_STRING procName;
|
||||
CLIENT_ID clientId;
|
||||
OBJECT_ATTRIBUTES attribs;
|
||||
HANDLE hProcess;
|
||||
SIZE_T size;
|
||||
|
||||
// Get process path
|
||||
|
||||
processInfo = (PSYSTEM_PROCESS_INFORMATION)((SIZE_T)processInfo + offset);
|
||||
|
||||
InitializeObjectAttributes(&attribs, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
|
||||
clientId.UniqueProcess = processInfo->ProcessId;
|
||||
clientId.UniqueThread = 0;
|
||||
|
||||
status = NtOpenProcess(&hProcess, 0x1000/*PROCESS_QUERY_LIMITED_INFORMATION*/, &attribs, &clientId);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't open process (pid:%d) failed with code:%08x\n", processInfo->ProcessId, status);
|
||||
offset = processInfo->NextEntryOffset;
|
||||
continue;
|
||||
}
|
||||
|
||||
status = QueryProcessInformation(ProcessImageFileName, hProcess, &procName, &size);
|
||||
ZwClose(hProcess);
|
||||
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": query process information(pid:%d) failed with code:%08x\n", processInfo->ProcessId, status);
|
||||
offset = processInfo->NextEntryOffset;
|
||||
continue;
|
||||
}
|
||||
|
||||
// Add process in process table
|
||||
|
||||
RtlZeroMemory(&entry, sizeof(entry));
|
||||
entry.processId = processInfo->ProcessId;
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": add process: %d, %wZ\n", processInfo->ProcessId, procName);
|
||||
|
||||
InitProcessEntryCallback(&entry, procName, processInfo->InheritedFromProcessId);
|
||||
if (!AddProcessToProcessTable(&entry))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't add process(pid:%d) to process table\n", processInfo->ProcessId);
|
||||
|
||||
// Go to next
|
||||
|
||||
FreeInformation(procName);
|
||||
offset = processInfo->NextEntryOffset;
|
||||
}
|
||||
while (offset);
|
||||
|
||||
FreeInformation(first);
|
||||
return status;
|
||||
}
|
||||
|
||||
VOID DestroyProcessTable()
|
||||
{
|
||||
KLOCK_QUEUE_HANDLE lockHandle;
|
||||
PProcessTableEntry entry;
|
||||
PVOID restartKey = NULL;
|
||||
|
||||
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||
|
||||
for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&g_processTable, &restartKey);
|
||||
entry != NULL;
|
||||
entry = RtlEnumerateGenericTableWithoutSplayingAvl(&g_processTable, &restartKey))
|
||||
{
|
||||
if (!RtlDeleteElementGenericTableAvl(&g_processTable, entry))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove element from process table, looks like memory leak\n");
|
||||
|
||||
restartKey = NULL; // reset enum
|
||||
}
|
||||
|
||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||
}
|
18
Hidden/PsTable.h
Normal file
18
Hidden/PsTable.h
Normal file
@ -0,0 +1,18 @@
|
||||
#pragma once
|
||||
|
||||
#include <Ntddk.h>
|
||||
|
||||
typedef struct _ProcessTableEntry{
|
||||
HANDLE processId;
|
||||
BOOLEAN excluded;
|
||||
BOOLEAN protected;
|
||||
} ProcessTableEntry, *PProcessTableEntry;
|
||||
|
||||
NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEntry, PCUNICODE_STRING, HANDLE));
|
||||
VOID DestroyProcessTable();
|
||||
|
||||
BOOLEAN AddProcessToProcessTable(PProcessTableEntry entry);
|
||||
BOOLEAN RemoveProcessFromProcessTable(PProcessTableEntry entry);
|
||||
BOOLEAN GetProcessInProcessTable(PProcessTableEntry entry);
|
||||
BOOLEAN UpdateProcessInProcessTable(PProcessTableEntry entry);
|
||||
|
520
Hidden/RegFilter.c
Normal file
520
Hidden/RegFilter.c
Normal file
@ -0,0 +1,520 @@
|
||||
// =========================================================================================
|
||||
// Registry filter
|
||||
// =========================================================================================
|
||||
|
||||
#include "RegFilter.h"
|
||||
#include "ExcludeList.h"
|
||||
#include "PsMonitor.h"
|
||||
|
||||
#define FILTER_ALLOC_TAG 'FRlF'
|
||||
|
||||
ExcludeContext g_excludeRegKeyContext;
|
||||
ExcludeContext g_excludeRegValueContext;
|
||||
|
||||
CONST PWCHAR g_excludeRegKeys[] = {
|
||||
// L"\\REGISTRY\\MACHINE\\SOFTWARE\\test",
|
||||
// L"\\Registry\\MACHINE\\SOFTWARE\\test2",
|
||||
NULL
|
||||
};
|
||||
|
||||
CONST PWCHAR g_excludeRegValues[] = {
|
||||
// L"\\REGISTRY\\MACHINE\\SOFTWARE\\aaa",
|
||||
// L"\\Registry\\MACHINE\\SOFTWARE\\xxx",
|
||||
// L"\\Registry\\MACHINE\\SOFTWARE\\aa",
|
||||
// L"\\Registry\\MACHINE\\SOFTWARE\\aaa",
|
||||
// L"\\Registry\\MACHINE\\SOFTWARE\\aaaa",
|
||||
// L"\\Registry\\MACHINE\\SOFTWARE\\zz",
|
||||
NULL
|
||||
};
|
||||
|
||||
LARGE_INTEGER g_regCookie = { 0 };
|
||||
|
||||
BOOLEAN CheckRegistryKeyInExcludeList(PVOID RootObject, PUNICODE_STRING keyPath)
|
||||
{
|
||||
PCUNICODE_STRING regPath;
|
||||
NTSTATUS status;
|
||||
BOOLEAN found = FALSE;
|
||||
|
||||
// Check is the registry path matched to exclude list
|
||||
|
||||
if (keyPath->Length > sizeof(WCHAR) && keyPath->Buffer[0] == L'\\')
|
||||
{
|
||||
// Check absolute path
|
||||
//DbgPrint("FsFilter1!" __FUNCTION__ ": absolute %wZ\n", keyPath);
|
||||
found = CheckExcludeListRegKey(g_excludeRegKeyContext, keyPath);
|
||||
}
|
||||
else
|
||||
{
|
||||
// Check relative path
|
||||
enum { LOCAL_BUF_SIZE = 256 };
|
||||
WCHAR localBuffer[LOCAL_BUF_SIZE];
|
||||
LPWSTR dynBuffer = NULL;
|
||||
UNICODE_STRING fullRegPath;
|
||||
USHORT totalSize;
|
||||
|
||||
// Obtain root key path
|
||||
|
||||
status = CmCallbackGetKeyObjectID(&g_regCookie, RootObject, NULL, ®Path);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Registry name query failed with code:%08x\n", status);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
// Concatenate root path + sub key path
|
||||
|
||||
totalSize = regPath->Length + keyPath->Length + sizeof(WCHAR);
|
||||
if (totalSize / sizeof(WCHAR) > LOCAL_BUF_SIZE)
|
||||
{
|
||||
// local buffer too small, we should allocate memory
|
||||
dynBuffer = (LPWSTR)ExAllocatePoolWithTag(NonPagedPool, totalSize, FILTER_ALLOC_TAG);
|
||||
if (!dynBuffer)
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Memory allocation failed with code:%08x\n", status);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
memcpy(dynBuffer, regPath->Buffer, regPath->Length);
|
||||
fullRegPath.Buffer = dynBuffer;
|
||||
}
|
||||
else
|
||||
{
|
||||
// use local buffer
|
||||
fullRegPath.Buffer = localBuffer;
|
||||
}
|
||||
|
||||
// copy root path + sub key path to new buffer
|
||||
memcpy(fullRegPath.Buffer, regPath->Buffer, regPath->Length);
|
||||
fullRegPath.Buffer[regPath->Length / sizeof(WCHAR)] = L'\\';
|
||||
memcpy(
|
||||
(PCHAR)fullRegPath.Buffer + regPath->Length + sizeof(WCHAR),
|
||||
keyPath->Buffer,
|
||||
keyPath->Length);
|
||||
|
||||
fullRegPath.Length = totalSize;
|
||||
fullRegPath.MaximumLength = fullRegPath.Length;
|
||||
|
||||
// Compare to exclude list
|
||||
|
||||
//DbgPrint("FsFilter1!" __FUNCTION__ ": relative %wZ\n", &fullRegPath);
|
||||
found = CheckExcludeListRegKey(g_excludeRegKeyContext, &fullRegPath);
|
||||
|
||||
if (dynBuffer)
|
||||
ExFreePoolWithTag(dynBuffer, FILTER_ALLOC_TAG);
|
||||
}
|
||||
|
||||
return found;
|
||||
}
|
||||
|
||||
NTSTATUS RegPreCreateKey(PVOID context, PREG_PRE_CREATE_KEY_INFORMATION info)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(context);
|
||||
|
||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": RegPreCreateKey(absolute) %wZ\n", info->CompleteName);
|
||||
|
||||
if (CheckExcludeListRegKey(g_excludeRegKeyContext, info->CompleteName))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": found!\n");
|
||||
return STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS RegPreCreateKeyEx(PVOID context, PREG_CREATE_KEY_INFORMATION info)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(context);
|
||||
|
||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
if (CheckRegistryKeyInExcludeList(info->RootObject, info->CompleteName))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": found!\n");
|
||||
return STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS RegPreOpenKey(PVOID context, PREG_PRE_OPEN_KEY_INFORMATION info)
|
||||
{//TODO: isn't used?
|
||||
UNREFERENCED_PARAMETER(context);
|
||||
|
||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": RegPreCreateKey(absolute) %wZ\n", info->CompleteName);
|
||||
|
||||
if (CheckExcludeListRegKey(g_excludeRegKeyContext, info->CompleteName))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": found!\n");
|
||||
return STATUS_NOT_FOUND;
|
||||
}
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS RegPreOpenKeyEx(PVOID context, PREG_OPEN_KEY_INFORMATION info)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(context);
|
||||
|
||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
if (CheckRegistryKeyInExcludeList(info->RootObject, info->CompleteName))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": found!\n");
|
||||
return STATUS_NOT_FOUND;
|
||||
}
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
BOOLEAN GetNameFromEnumKeyPreInfo(KEY_INFORMATION_CLASS infoClass, PVOID infoBuffer, PUNICODE_STRING keyName)
|
||||
{
|
||||
switch (infoClass)
|
||||
{
|
||||
case KeyBasicInformation:
|
||||
{
|
||||
PKEY_BASIC_INFORMATION keyInfo = (PKEY_BASIC_INFORMATION)infoBuffer;
|
||||
keyName->Buffer = keyInfo->Name;
|
||||
keyName->Length = keyName->MaximumLength = (USHORT)keyInfo->NameLength;
|
||||
}
|
||||
break;
|
||||
case KeyNameInformation:
|
||||
{
|
||||
PKEY_NAME_INFORMATION keyInfo = (PKEY_NAME_INFORMATION)infoBuffer;
|
||||
keyName->Buffer = keyInfo->Name;
|
||||
keyName->Length = keyName->MaximumLength = (USHORT)keyInfo->NameLength;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
NTSTATUS RegPostEnumKey(PVOID context, PREG_POST_OPERATION_INFORMATION info)
|
||||
{
|
||||
PREG_ENUMERATE_KEY_INFORMATION preInfo;
|
||||
PCUNICODE_STRING regPath;
|
||||
UNICODE_STRING keyName;
|
||||
UINT32 incIndex;
|
||||
NTSTATUS status;
|
||||
|
||||
UNREFERENCED_PARAMETER(context);
|
||||
|
||||
if (!NT_SUCCESS(info->Status))
|
||||
return STATUS_SUCCESS;
|
||||
|
||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
status = CmCallbackGetKeyObjectID(&g_regCookie, info->Object, NULL, ®Path);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Registry name query failed with code:%08x\n", status);
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
preInfo = (PREG_ENUMERATE_KEY_INFORMATION)info->PreInformation;
|
||||
|
||||
if (!GetNameFromEnumKeyPreInfo(preInfo->KeyInformationClass, preInfo->KeyInformation, &keyName))
|
||||
return STATUS_SUCCESS;
|
||||
|
||||
incIndex = 0;
|
||||
if (CheckExcludeListRegKeyValueName(g_excludeRegKeyContext, (PUNICODE_STRING)regPath, &keyName, &incIndex))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! found %wZ (inc: %d)\n", regPath, incIndex);//TODO: remove it
|
||||
|
||||
if (incIndex > 0)
|
||||
{
|
||||
HANDLE Key;
|
||||
ULONG resLen, i;
|
||||
BOOLEAN infinite = TRUE;
|
||||
|
||||
status = ObOpenObjectByPointer(info->Object, OBJ_KERNEL_HANDLE, NULL, KEY_ALL_ACCESS, *CmKeyObjectType, KernelMode, &Key);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": ObOpenObjectByPointer() failed with code:%08x\n", status);
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
for (i = 0; infinite; i++)
|
||||
{
|
||||
status = ZwEnumerateKey(Key, preInfo->Index + incIndex, preInfo->KeyInformationClass, preInfo->KeyInformation, preInfo->Length, &resLen);
|
||||
if (!NT_SUCCESS(status))
|
||||
break;
|
||||
|
||||
if (!GetNameFromEnumKeyPreInfo(preInfo->KeyInformationClass, preInfo->KeyInformation, &keyName))
|
||||
break;
|
||||
|
||||
if (!CheckExcludeListRegKeyValueName(g_excludeRegKeyContext, (PUNICODE_STRING)regPath, &keyName, &incIndex))
|
||||
{
|
||||
*preInfo->ResultLength = resLen;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
info->ReturnStatus = status;
|
||||
|
||||
ZwClose(Key);
|
||||
}
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
BOOLEAN GetNameFromEnumValuePreInfo(KEY_VALUE_INFORMATION_CLASS infoClass, PVOID infoBuffer, PUNICODE_STRING keyName)
|
||||
{
|
||||
switch (infoClass)
|
||||
{
|
||||
case KeyValueBasicInformation:
|
||||
{
|
||||
PKEY_VALUE_BASIC_INFORMATION keyInfo = (PKEY_VALUE_BASIC_INFORMATION)infoBuffer;
|
||||
keyName->Buffer = keyInfo->Name;
|
||||
keyName->Length = keyName->MaximumLength = (USHORT)keyInfo->NameLength;
|
||||
}
|
||||
break;
|
||||
case KeyValueFullInformation:
|
||||
case KeyValueFullInformationAlign64:
|
||||
{
|
||||
PKEY_VALUE_FULL_INFORMATION keyInfo = (PKEY_VALUE_FULL_INFORMATION)infoBuffer;
|
||||
keyName->Buffer = keyInfo->Name;
|
||||
keyName->Length = keyName->MaximumLength = (USHORT)keyInfo->NameLength;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
NTSTATUS RegPostEnumValue(PVOID context, PREG_POST_OPERATION_INFORMATION info)
|
||||
{
|
||||
PREG_ENUMERATE_KEY_INFORMATION preInfo;
|
||||
PCUNICODE_STRING regPath;
|
||||
UNICODE_STRING keyName;
|
||||
UINT32 incIndex;
|
||||
NTSTATUS status;
|
||||
|
||||
UNREFERENCED_PARAMETER(context);
|
||||
|
||||
if (!NT_SUCCESS(info->Status))
|
||||
return STATUS_SUCCESS;
|
||||
|
||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
status = CmCallbackGetKeyObjectID(&g_regCookie, info->Object, NULL, ®Path);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Registry name query failed with code:%08x\n", status);
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
preInfo = (PREG_ENUMERATE_KEY_INFORMATION)info->PreInformation;
|
||||
|
||||
if (!GetNameFromEnumValuePreInfo(preInfo->KeyInformationClass, preInfo->KeyInformation, &keyName))
|
||||
return STATUS_SUCCESS;
|
||||
|
||||
incIndex = 0;
|
||||
if (CheckExcludeListRegKeyValueName(g_excludeRegValueContext, (PUNICODE_STRING)regPath, &keyName, &incIndex))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! found %wZ (inc: %d)\n", regPath, incIndex);
|
||||
|
||||
if (incIndex > 0)
|
||||
{
|
||||
HANDLE Key;
|
||||
ULONG resLen, i;
|
||||
BOOLEAN infinite = TRUE;
|
||||
|
||||
status = ObOpenObjectByPointer(info->Object, OBJ_KERNEL_HANDLE, NULL, KEY_ALL_ACCESS, *CmKeyObjectType, KernelMode, &Key);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": ObOpenObjectByPointer() failed with code:%08x\n", status);
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
for (i = 0; infinite; i++)
|
||||
{
|
||||
status = ZwEnumerateValueKey(Key, preInfo->Index + incIndex, preInfo->KeyInformationClass, preInfo->KeyInformation, preInfo->Length, &resLen);
|
||||
if (!NT_SUCCESS(status))
|
||||
break;
|
||||
|
||||
if (!GetNameFromEnumValuePreInfo(preInfo->KeyInformationClass, preInfo->KeyInformation, &keyName))
|
||||
break;
|
||||
|
||||
if (!CheckExcludeListRegKeyValueName(g_excludeRegValueContext, (PUNICODE_STRING)regPath, &keyName, &incIndex))
|
||||
{
|
||||
*preInfo->ResultLength = resLen;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
info->ReturnStatus = status;
|
||||
|
||||
ZwClose(Key);
|
||||
}
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS RegistryFilterCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
|
||||
{
|
||||
REG_NOTIFY_CLASS notifyClass = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;
|
||||
NTSTATUS status;
|
||||
|
||||
switch (notifyClass)
|
||||
{
|
||||
case RegNtPreCreateKey:
|
||||
status = RegPreCreateKey(CallbackContext, (PREG_PRE_CREATE_KEY_INFORMATION)Argument2);
|
||||
break;
|
||||
case RegNtPreCreateKeyEx:
|
||||
status = RegPreCreateKeyEx(CallbackContext, (PREG_CREATE_KEY_INFORMATION)Argument2);
|
||||
break;
|
||||
case RegNtPreOpenKey:
|
||||
status = RegPreCreateKey(CallbackContext, (PREG_PRE_OPEN_KEY_INFORMATION)Argument2);
|
||||
break;
|
||||
case RegNtPreOpenKeyEx:
|
||||
status = RegPreOpenKeyEx(CallbackContext, (PREG_OPEN_KEY_INFORMATION)Argument2);
|
||||
break;
|
||||
case RegNtPostEnumerateKey:
|
||||
status = RegPostEnumKey(CallbackContext, (PREG_POST_OPERATION_INFORMATION)Argument2);
|
||||
break;
|
||||
case RegNtPostEnumerateValueKey:
|
||||
status = RegPostEnumValue(CallbackContext, (PREG_POST_OPERATION_INFORMATION)Argument2);
|
||||
break;
|
||||
default:
|
||||
status = STATUS_SUCCESS;
|
||||
break;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS InitializeRegistryFilter(PDRIVER_OBJECT DriverObject)
|
||||
{
|
||||
NTSTATUS status;
|
||||
UNICODE_STRING altitude, str;
|
||||
ExcludeEntryId id;
|
||||
UINT32 i;
|
||||
|
||||
// Fill exclude lists
|
||||
|
||||
status = InitializeExcludeListContext(&g_excludeRegKeyContext, ExcludeRegKey);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": exclude registry key list initialization failed with code:%08x\n", status);
|
||||
return status;
|
||||
}
|
||||
|
||||
for (i = 0; g_excludeRegKeys[i]; i++)
|
||||
{
|
||||
RtlInitUnicodeString(&str, g_excludeRegKeys[i]);
|
||||
AddExcludeListRegistryKey(g_excludeRegKeyContext, &str, &id);
|
||||
}
|
||||
|
||||
status = InitializeExcludeListContext(&g_excludeRegValueContext, ExcludeRegValue);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": exclude registry value list initialization failed with code:%08x\n", status);
|
||||
DestroyExcludeListContext(g_excludeRegKeyContext);
|
||||
return status;
|
||||
}
|
||||
|
||||
for (i = 0; g_excludeRegValues[i]; i++)
|
||||
{
|
||||
RtlInitUnicodeString(&str, g_excludeRegValues[i]);
|
||||
AddExcludeListRegistryValue(g_excludeRegValueContext, &str, &id);
|
||||
}
|
||||
|
||||
// Register registry filter
|
||||
|
||||
RtlInitUnicodeString(&altitude, L"320000");
|
||||
|
||||
status = CmRegisterCallbackEx(&RegistryFilterCallback, &altitude, DriverObject, NULL, &g_regCookie, NULL);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Registry filter registration failed with code:%08x\n", status);
|
||||
DestroyExcludeListContext(g_excludeRegKeyContext);
|
||||
DestroyExcludeListContext(g_excludeRegValueContext);
|
||||
return status;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS DestroyRegistryFilter()
|
||||
{
|
||||
NTSTATUS status;
|
||||
|
||||
status = CmUnRegisterCallback(g_regCookie);
|
||||
if (!NT_SUCCESS(status))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Registry filter unregistration failed with code:%08x\n", status);
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS AddHiddenRegKey(PUNICODE_STRING KeyPath, PULONGLONG ObjId)
|
||||
{
|
||||
NTSTATUS status;
|
||||
|
||||
// TODO: normalize registry key path
|
||||
|
||||
status = AddExcludeListRegistryKey(g_excludeRegKeyContext, KeyPath, ObjId);
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS RemoveHiddenRegKey(ULONGLONG ObjId)
|
||||
{
|
||||
return RemoveExcludeListEntry(g_excludeRegKeyContext, ObjId);
|
||||
}
|
||||
|
||||
NTSTATUS RemoveAllHiddenRegKeys()
|
||||
{
|
||||
return RemoveAllExcludeListEntries(g_excludeRegKeyContext);
|
||||
}
|
||||
|
||||
NTSTATUS AddHiddenRegValue(PUNICODE_STRING ValuePath, PULONGLONG ObjId)
|
||||
{
|
||||
NTSTATUS status;
|
||||
|
||||
// TODO: normalize registry value path
|
||||
|
||||
status = AddExcludeListRegistryValue(g_excludeRegValueContext, ValuePath, ObjId);
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS RemoveHiddenRegValue(ULONGLONG ObjId)
|
||||
{
|
||||
return RemoveExcludeListEntry(g_excludeRegValueContext, ObjId);
|
||||
}
|
||||
|
||||
NTSTATUS RemoveAllHiddenRegValues()
|
||||
{
|
||||
return RemoveAllExcludeListEntries(g_excludeRegValueContext);
|
||||
}
|
15
Hidden/RegFilter.h
Normal file
15
Hidden/RegFilter.h
Normal file
@ -0,0 +1,15 @@
|
||||
#pragma once
|
||||
|
||||
#include <Ntifs.h>
|
||||
|
||||
NTSTATUS InitializeRegistryFilter(PDRIVER_OBJECT DriverObject);
|
||||
NTSTATUS DestroyRegistryFilter();
|
||||
|
||||
NTSTATUS AddHiddenRegKey(PUNICODE_STRING KeyPath, PULONGLONG ObjId);
|
||||
NTSTATUS RemoveHiddenRegKey(ULONGLONG ObjId);
|
||||
NTSTATUS RemoveAllHiddenRegKeys();
|
||||
|
||||
NTSTATUS AddHiddenRegValue(PUNICODE_STRING ValuePath, PULONGLONG ObjId);
|
||||
NTSTATUS RemoveHiddenRegValue(ULONGLONG ObjId);
|
||||
NTSTATUS RemoveAllHiddenRegValues();
|
||||
|
1
Hidden/back.txt
Normal file
1
Hidden/back.txt
Normal file
@ -0,0 +1 @@
|
||||
|
41
Hidden/todo.txt
Normal file
41
Hidden/todo.txt
Normal file
@ -0,0 +1,41 @@
|
||||
TODO:
|
||||
+ Добавить поддержку фильтрации открытия и создания key
|
||||
+ Добавить поддержку фильтрации перечисления key
|
||||
+ Добавить поддержку фильтрации перечисления value
|
||||
- Почистить Exclude List
|
||||
+ Добавить в Exclude List поддержку case insensetive crc32 (если возможно, например русские буквы) (*Нет необхлжимости)
|
||||
- Добавить в Exclude List для файлов такую же лексическую сортировку как и в реестру, возможно обьеденить ф-и
|
||||
- Переписать всё на основе AVL или других buildin generic trees
|
||||
+ Вынести fs filter и reg filter в отдельные файлы
|
||||
+ Протестировать фишки с ObRegisterCallback
|
||||
+ Стерание всех флагов
|
||||
- Реализовать PsMonitor со всеми вытекающими
|
||||
- Реализовать рабочий прототип
|
||||
+ Для Exclude
|
||||
- Для Protected
|
||||
- Для System
|
||||
- Реализовать интерфейс для IOCTL
|
||||
- Реализовать интерфейс для File & Reg мониторов
|
||||
+ Вынести Process Table в отдельный файл
|
||||
+ Переименовать Process Tree в Process Table
|
||||
- Реализовать конвертирование NT path в кернел путь \\Deivce\\HardDisk..
|
||||
+ Портировать в PsMonitor
|
||||
- Портировать в Device API
|
||||
+ FS filter
|
||||
- Reg filter
|
||||
+ Реализовать RemoveAllExcludeListEntries
|
||||
- Реализовать IOCTL протокол управления
|
||||
- Реализовать usermode библиотеку для работы с IOCTL API
|
||||
- Реализовать программу управления драйвером, средствами IOCTL API
|
||||
+ Слинковать с IOCTL API lib
|
||||
|
||||
- Проверить работу на x64
|
||||
- Залить проект на Git
|
||||
- Переименовать проект драйвера в Hidden
|
||||
- Привести в порядок все версии билда Release, Debug, ...
|
||||
- Добавить в проект конфигурации для сокрытия виртуалок
|
||||
- Сокрытие VMWare Tools
|
||||
- Отреверсить установщик VMWare tools
|
||||
- Сокрытие VMBox Tools
|
||||
- Отреверсить установщик VMBox tools
|
||||
- Насодить на ETL и DbgPrintEx
|
101
HiddenCLI/HiddenCLI.cpp
Normal file
101
HiddenCLI/HiddenCLI.cpp
Normal file
@ -0,0 +1,101 @@
|
||||
#include <Windows.h>
|
||||
#include <iostream>
|
||||
#include <stdio.h>
|
||||
|
||||
#include "../HiddenLib/HiddenLib.h"
|
||||
|
||||
using namespace std;
|
||||
|
||||
CONST PWCHAR g_excludeFiles[] = {
|
||||
// L"c:\\Windows\\System32\\calc.exe",
|
||||
// L"c:\\test.txt",
|
||||
// L"c:\\abcd\\test.txt",
|
||||
L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc.exe",
|
||||
L"\\??\\C:\\test.txt",
|
||||
L"\\??\\C:\\abcd\\test.txt",
|
||||
};
|
||||
|
||||
CONST PWCHAR g_excludeDirs[] = {
|
||||
// L"\\Device\\HarddiskVolume1\\abc",
|
||||
// L"\\Device\\HarddiskVolume1\\abcd\\abc",
|
||||
// L"\\Device\\HarddiskVolume1\\New folder",
|
||||
L"\\Device\\HarddiskVolume1\\abc",
|
||||
L"\\??\\C:\\abcd\\abc",
|
||||
L"\\??\\C:\\New folder",
|
||||
};
|
||||
|
||||
CONST PWCHAR g_excludeRegKeys[] = {
|
||||
L"\\REGISTRY\\MACHINE\\SOFTWARE\\test",
|
||||
L"\\Registry\\MACHINE\\SOFTWARE\\test2",
|
||||
};
|
||||
|
||||
CONST PWCHAR g_excludeRegValues[] = {
|
||||
L"\\REGISTRY\\MACHINE\\SOFTWARE\\aaa",
|
||||
L"\\Registry\\MACHINE\\SOFTWARE\\xxx",
|
||||
L"\\Registry\\MACHINE\\SOFTWARE\\aa",
|
||||
L"\\Registry\\MACHINE\\SOFTWARE\\aaa",
|
||||
L"\\Registry\\MACHINE\\SOFTWARE\\aaaa",
|
||||
L"\\Registry\\MACHINE\\SOFTWARE\\zz",
|
||||
};
|
||||
|
||||
|
||||
int wmain(int argc, wchar_t *argv[])
|
||||
{
|
||||
HidContext hid_context;
|
||||
HidStatus hid_status;
|
||||
int count;
|
||||
|
||||
cout << "Start!" << endl;
|
||||
|
||||
hid_status = Hid_Initialize(&hid_context);
|
||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||
{
|
||||
cout << "Error, HiddenLib initialization failed with code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||
return 1;
|
||||
}
|
||||
|
||||
// Load Reg Keys
|
||||
count = _countof(g_excludeRegKeys);
|
||||
for (int i = 0; i < count; i++)
|
||||
{
|
||||
HidObjId objId;
|
||||
hid_status = Hid_AddHiddenRegKey(hid_context, g_excludeRegKeys[i], &objId);
|
||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||
cout << "Error, Hid_AddHiddenRegKey failed with code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||
}
|
||||
|
||||
// Load Reg Values
|
||||
count = _countof(g_excludeRegValues);
|
||||
for (int i = 0; i < count; i++)
|
||||
{
|
||||
HidObjId objId;
|
||||
hid_status = Hid_AddHiddenRegValue(hid_context, g_excludeRegValues[i], &objId);
|
||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||
cout << "Error, Hid_AddHiddenRegValue failed with code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||
}
|
||||
|
||||
// Load Files
|
||||
count = _countof(g_excludeFiles);
|
||||
for (int i = 0; i < count; i++)
|
||||
{
|
||||
HidObjId objId;
|
||||
hid_status = Hid_AddHiddenFile(hid_context, g_excludeFiles[i], &objId);
|
||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||
cout << "Error, Hid_AddHiddenFile failed with code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||
}
|
||||
|
||||
// Load Dirs
|
||||
count = _countof(g_excludeDirs);
|
||||
for (int i = 0; i < count; i++)
|
||||
{
|
||||
HidObjId objId;
|
||||
hid_status = Hid_AddHiddenDir(hid_context, g_excludeDirs[i], &objId);
|
||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||
cout << "Error, Hid_AddHiddenDir failed with code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||
}
|
||||
|
||||
Hid_Destroy(hid_context);
|
||||
cout << "Completed!" << endl;
|
||||
|
||||
return 0;
|
||||
}
|
90
HiddenCLI/HiddenCLI.vcxproj
Normal file
90
HiddenCLI/HiddenCLI.vcxproj
Normal file
@ -0,0 +1,90 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<ProjectGuid>{E6A7AAAD-4877-4F05-A5A1-F42707895996}</ProjectGuid>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<RootNamespace>HiddenCLI</RootNamespace>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>
|
||||
</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<Optimization>Disabled</Optimization>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<AdditionalDependencies>HiddenLib.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalLibraryDirectories>$(SolutionDir)$(Configuration)\</AdditionalLibraryDirectories>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<PrecompiledHeader>
|
||||
</PrecompiledHeader>
|
||||
<Optimization>MaxSpeed</Optimization>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<AdditionalLibraryDirectories>$(SolutionDir)$(Configuration)\</AdditionalLibraryDirectories>
|
||||
<AdditionalDependencies>HiddenLib.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="HiddenCLI.cpp" />
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
6
HiddenCLI/HiddenCLI.vcxproj.filters
Normal file
6
HiddenCLI/HiddenCLI.vcxproj.filters
Normal file
@ -0,0 +1,6 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup>
|
||||
<ClCompile Include="HiddenCLI.cpp" />
|
||||
</ItemGroup>
|
||||
</Project>
|
212
HiddenLib/HiddenLib.cpp
Normal file
212
HiddenLib/HiddenLib.cpp
Normal file
@ -0,0 +1,212 @@
|
||||
#include <Windows.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <malloc.h>
|
||||
|
||||
#include "HiddenLib.h"
|
||||
#include "..\\FsFilter1\DeviceAPI.h"
|
||||
|
||||
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
|
||||
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
|
||||
|
||||
typedef struct _HidContextInternal {
|
||||
HANDLE hdevice;
|
||||
} HidContextInternal, *PHidContextInternal;
|
||||
|
||||
HidStatus Hid_Initialize(PHidContext pcontext)
|
||||
{
|
||||
HANDLE hdevice = INVALID_HANDLE_VALUE;
|
||||
PHidContextInternal context;
|
||||
|
||||
hdevice = CreateFileW(
|
||||
DEVICE_WIN32_NAME,
|
||||
GENERIC_READ | GENERIC_WRITE,
|
||||
0,
|
||||
NULL,
|
||||
OPEN_EXISTING,
|
||||
FILE_ATTRIBUTE_NORMAL,
|
||||
NULL
|
||||
);
|
||||
if (hdevice == INVALID_HANDLE_VALUE)
|
||||
return HID_SET_STATUS(FALSE, GetLastError());
|
||||
|
||||
context = (PHidContextInternal)malloc(sizeof(HidContextInternal));
|
||||
if (context == nullptr)
|
||||
{
|
||||
CloseHandle(hdevice);
|
||||
return HID_SET_STATUS(FALSE, ERROR_NOT_ENOUGH_MEMORY);
|
||||
}
|
||||
|
||||
context->hdevice = hdevice;
|
||||
*pcontext = (HidContext)context;
|
||||
|
||||
return HID_SET_STATUS(TRUE, 0);
|
||||
}
|
||||
|
||||
void Hid_Destroy(HidContext context)
|
||||
{
|
||||
PHidContextInternal cntx = (PHidContextInternal)context;
|
||||
CloseHandle(cntx->hdevice);
|
||||
free(cntx);
|
||||
}
|
||||
|
||||
HidStatus SendIoctlHideObjectPacket(PHidContextInternal context, wchar_t* path, unsigned short type, HidObjId* objId)
|
||||
{
|
||||
PHid_HideObjectPacket hide;
|
||||
Hid_StatusPacket result;
|
||||
size_t size, len, total;
|
||||
DWORD returned;
|
||||
|
||||
len = wcslen(path);
|
||||
if (len == 0 || len > 1024)
|
||||
return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
|
||||
|
||||
// Pack data to packet
|
||||
|
||||
total = (len + 1) * sizeof(wchar_t);
|
||||
size = sizeof(Hid_HideObjectPacket) + total;
|
||||
hide = (PHid_HideObjectPacket)_alloca(size);
|
||||
hide->size = total;
|
||||
hide->objType = type;
|
||||
|
||||
memcpy((char*)hide + sizeof(Hid_HideObjectPacket), path, total);
|
||||
|
||||
// Send IOCTL to device
|
||||
|
||||
if (!DeviceIoControl(context->hdevice, HID_IOCTL_ADD_HIDDEN_OBJECT, hide, size, &result, sizeof(result), &returned, NULL))
|
||||
return HID_SET_STATUS(FALSE, GetLastError());
|
||||
|
||||
// Check result
|
||||
|
||||
if (returned != sizeof(result))
|
||||
return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
|
||||
|
||||
if (!NT_SUCCESS(result.status))
|
||||
return HID_SET_STATUS(FALSE, result.status);
|
||||
|
||||
if (objId)
|
||||
*objId = result.info.id;
|
||||
|
||||
return HID_SET_STATUS(TRUE, 0);
|
||||
}
|
||||
|
||||
HidStatus SendIoctlUnhideObjectPacket(PHidContextInternal context, unsigned short type, HidObjId objId)
|
||||
{
|
||||
Hid_UnhideObjectPacket unhide;
|
||||
Hid_StatusPacket result;
|
||||
DWORD returned;
|
||||
|
||||
unhide.objType = type;
|
||||
unhide.id = objId;
|
||||
|
||||
// Send IOCTL to device
|
||||
|
||||
if (!DeviceIoControl(context->hdevice, HID_IOCTL_REMOVE_HIDDEN_OBJECT, &unhide, sizeof(unhide), &result, sizeof(result), &returned, NULL))
|
||||
return HID_SET_STATUS(FALSE, GetLastError());
|
||||
|
||||
// Check result
|
||||
|
||||
if (returned != sizeof(result))
|
||||
return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
|
||||
|
||||
if (!NT_SUCCESS(result.status))
|
||||
return HID_SET_STATUS(FALSE, result.status);
|
||||
|
||||
return HID_SET_STATUS(TRUE, 0);
|
||||
}
|
||||
|
||||
HidStatus SendIoctlUnhideAllObjectsPacket(PHidContextInternal context, unsigned short type)
|
||||
{
|
||||
Hid_UnhideAllObjectsPacket unhide;
|
||||
Hid_StatusPacket result;
|
||||
DWORD returned;
|
||||
|
||||
unhide.objType = type;
|
||||
|
||||
// Send IOCTL to device
|
||||
|
||||
if (!DeviceIoControl(context->hdevice, HID_IOCTL_REMOVE_ALL_HIDDEN_OBJECTS, &unhide, sizeof(unhide), &result, sizeof(result), &returned, NULL))
|
||||
return HID_SET_STATUS(FALSE, GetLastError());
|
||||
|
||||
// Check result
|
||||
|
||||
if (returned != sizeof(result))
|
||||
return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
|
||||
|
||||
if (!NT_SUCCESS(result.status))
|
||||
return HID_SET_STATUS(FALSE, result.status);
|
||||
|
||||
return HID_SET_STATUS(TRUE, 0);
|
||||
}
|
||||
|
||||
HidStatus Hid_SetState(HidContext context, int state)
|
||||
{
|
||||
PHidContextInternal cntx = (PHidContextInternal)context;
|
||||
return HID_SET_STATUS(TRUE, 0);
|
||||
}
|
||||
|
||||
HidStatus Hid_GetState(HidContext context, int* pstate)
|
||||
{
|
||||
PHidContextInternal cntx = (PHidContextInternal)context;
|
||||
return HID_SET_STATUS(TRUE, 0);
|
||||
}
|
||||
|
||||
HidStatus Hid_AddHiddenRegKey(HidContext context, wchar_t* regKey, HidObjId* objId)
|
||||
{
|
||||
return SendIoctlHideObjectPacket((PHidContextInternal)context, regKey, RegKeyObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveHiddenRegKey(HidContext context, HidObjId objId)
|
||||
{
|
||||
return SendIoctlUnhideObjectPacket((PHidContextInternal)context, RegKeyObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveAllHiddenRegKeys(HidContext context)
|
||||
{
|
||||
return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, RegKeyObject);
|
||||
}
|
||||
|
||||
HidStatus Hid_AddHiddenRegValue(HidContext context, wchar_t* regValue, HidObjId* objId)
|
||||
{
|
||||
return SendIoctlHideObjectPacket((PHidContextInternal)context, regValue, RegValueObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveHiddenRegValue(HidContext context, HidObjId objId)
|
||||
{
|
||||
return SendIoctlUnhideObjectPacket((PHidContextInternal)context, RegValueObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveAllHiddenRegValues(HidContext context)
|
||||
{
|
||||
return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, RegValueObject);
|
||||
}
|
||||
|
||||
HidStatus Hid_AddHiddenFile(HidContext context, wchar_t* filePath, HidObjId* objId)
|
||||
{
|
||||
return SendIoctlHideObjectPacket((PHidContextInternal)context, filePath, FsFileObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveHiddenFile(HidContext context, HidObjId objId)
|
||||
{
|
||||
return SendIoctlUnhideObjectPacket((PHidContextInternal)context, FsFileObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveAllHiddenFiles(HidContext context)
|
||||
{
|
||||
return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, FsFileObject);
|
||||
}
|
||||
|
||||
HidStatus Hid_AddHiddenDir(HidContext context, wchar_t* dirPath, HidObjId* objId)
|
||||
{
|
||||
return SendIoctlHideObjectPacket((PHidContextInternal)context, dirPath, FsDirObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveHiddenDir(HidContext context, HidObjId objId)
|
||||
{
|
||||
return SendIoctlUnhideObjectPacket((PHidContextInternal)context, FsDirObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveAllHiddenDirs(HidContext context)
|
||||
{
|
||||
return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, FsDirObject);
|
||||
}
|
64
HiddenLib/HiddenLib.h
Normal file
64
HiddenLib/HiddenLib.h
Normal file
@ -0,0 +1,64 @@
|
||||
#pragma once
|
||||
|
||||
typedef unsigned int HidStatus;
|
||||
|
||||
#define HID_STATUS_SUCCESSFUL(status) (status & 1)
|
||||
#define HID_STATUS_CODE(status) (status >> 1)
|
||||
|
||||
#define HID_SET_STATUS(state, code) (code << 1 | (state ? 1 : 0))
|
||||
|
||||
typedef void* HidContext;
|
||||
typedef HidContext* PHidContext;
|
||||
|
||||
typedef unsigned long long HidObjId;
|
||||
|
||||
HidStatus Hid_Initialize(PHidContext pcontext);
|
||||
void Hid_Destroy(HidContext context);
|
||||
|
||||
/*#define HID_IOCTL_SET_DRIVER_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 0), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_GET_DRIVER_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 1), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_HIDDEN_REG_KEY CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 10), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_HIDDEN_REG_KEY CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 11), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_HIDDEN_REG_KEYS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 12), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_HIDDEN_REG_VALUE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 20), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_HIDDEN_REG_VALUE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 21), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_HIDDEN_REG_VALUES CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 22), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_HIDDEN_FILE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 30), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_HIDDEN_FILE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 31), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_HIDDEN_FILES CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 32), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_HIDDEN_DIR CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 40), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_HIDDEN_DIR CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 41), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_HIDDEN_DIRS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 42), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_PROTECTED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 50), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_ATTACH_PROTECTED_EXE_PID CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 51), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_PROTECTED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 52), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_PROTECTED_EXE_PATHS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 53), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_EXCLUDED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 54), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_ATTACH_EXCLUDED_EXE_PID CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 55), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_EXCLUDED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 56), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_EXCLUDED_EXE_PATHS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 57), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)*/
|
||||
|
||||
HidStatus Hid_SetState(HidContext context, int state);
|
||||
HidStatus Hid_GetState(HidContext context, int* pstate);
|
||||
|
||||
HidStatus Hid_AddHiddenRegKey(HidContext context, wchar_t* regKey, HidObjId* objId);
|
||||
HidStatus Hid_RemoveHiddenRegKey(HidContext context, HidObjId objId);
|
||||
HidStatus Hid_RemoveAllHiddenRegKeys(HidContext context);
|
||||
|
||||
HidStatus Hid_AddHiddenRegValue(HidContext context, wchar_t* regValue, HidObjId* objId);
|
||||
HidStatus Hid_RemoveHiddenRegValue(HidContext context, HidObjId objId);
|
||||
HidStatus Hid_RemoveAllHiddenRegValues(HidContext context);
|
||||
|
||||
HidStatus Hid_AddHiddenFile(HidContext context, wchar_t* filePath, HidObjId* objId);
|
||||
HidStatus Hid_RemoveHiddenFile(HidContext context, HidObjId objId);
|
||||
HidStatus Hid_RemoveAllHiddenFiles(HidContext context);
|
||||
|
||||
HidStatus Hid_AddHiddenDir(HidContext context, wchar_t* dirPath, HidObjId* objId);
|
||||
HidStatus Hid_RemoveHiddenDir(HidContext context, HidObjId objId);
|
||||
HidStatus Hid_RemoveAllHiddenDirs(HidContext context);
|
84
HiddenLib/HiddenLib.vcxproj
Normal file
84
HiddenLib/HiddenLib.vcxproj
Normal file
@ -0,0 +1,84 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="HiddenLib.cpp" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="HiddenLib.h" />
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<ProjectGuid>{EFECF76B-C3A8-4444-9314-70F72A0A48D8}</ProjectGuid>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<RootNamespace>HiddenLib</RootNamespace>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>StaticLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>StaticLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup />
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>
|
||||
</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<Optimization>Disabled</Optimization>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<PrecompiledHeader>
|
||||
</PrecompiledHeader>
|
||||
<Optimization>MaxSpeed</Optimization>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
9
HiddenLib/HiddenLib.vcxproj.filters
Normal file
9
HiddenLib/HiddenLib.vcxproj.filters
Normal file
@ -0,0 +1,9 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup>
|
||||
<ClCompile Include="HiddenLib.cpp" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="HiddenLib.h" />
|
||||
</ItemGroup>
|
||||
</Project>
|
29
HiddenLib/ReadMe.txt
Normal file
29
HiddenLib/ReadMe.txt
Normal file
@ -0,0 +1,29 @@
|
||||
========================================================================
|
||||
STATIC LIBRARY : HiddenLib Project Overview
|
||||
========================================================================
|
||||
|
||||
AppWizard has created this HiddenLib library project for you.
|
||||
|
||||
No source files were created as part of your project.
|
||||
|
||||
|
||||
HiddenLib.vcxproj
|
||||
This is the main project file for VC++ projects generated using an Application Wizard.
|
||||
It contains information about the version of Visual C++ that generated the file, and
|
||||
information about the platforms, configurations, and project features selected with the
|
||||
Application Wizard.
|
||||
|
||||
HiddenLib.vcxproj.filters
|
||||
This is the filters file for VC++ projects generated using an Application Wizard.
|
||||
It contains information about the association between the files in your project
|
||||
and the filters. This association is used in the IDE to show grouping of files with
|
||||
similar extensions under a specific node (for e.g. ".cpp" files are associated with the
|
||||
"Source Files" filter).
|
||||
|
||||
/////////////////////////////////////////////////////////////////////////////
|
||||
Other notes:
|
||||
|
||||
AppWizard uses "TODO:" comments to indicate parts of the source code you
|
||||
should add to or customize.
|
||||
|
||||
/////////////////////////////////////////////////////////////////////////////
|
Loading…
Reference in New Issue
Block a user