Multiple changes
- Fixed issue with signing Release driver builds - Renamed all Nt* functions to Zw* (access denied fix, KTHREAD!PreviousMode) - Added "apply to all processes" feature for adding excluded\protected images api - Fixed sync issues for process table, sync primitives moved to external code etc
parent
3e5e5e8679
commit
3851dcd17d
@ -440,6 +440,16 @@
|
|||||||
<UseLocalTime>true</UseLocalTime>
|
<UseLocalTime>true</UseLocalTime>
|
||||||
</Inf2Cat>
|
</Inf2Cat>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
<Inf2Cat>
|
||||||
|
<UseLocalTime>true</UseLocalTime>
|
||||||
|
</Inf2Cat>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
|
<Inf2Cat>
|
||||||
|
<UseLocalTime>true</UseLocalTime>
|
||||||
|
</Inf2Cat>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<FilesToPackage Include="@(Inf->'%(CopyOutput)')" Condition="'@(Inf)'!=''" />
|
<FilesToPackage Include="@(Inf->'%(CopyOutput)')" Condition="'@(Inf)'!=''" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
@ -192,10 +192,10 @@ NTSTATUS AddPsObject(PHid_AddPsObjectPacket Packet, USHORT Size, PULONGLONG ObjI
|
|||||||
switch (Packet->objType)
|
switch (Packet->objType)
|
||||||
{
|
{
|
||||||
case PsExcludedObject:
|
case PsExcludedObject:
|
||||||
status = AddExcludedImage(&path, Packet->inheritType, ObjId);
|
status = AddExcludedImage(&path, Packet->inheritType, (Packet->applyForProcesses ? TRUE : FALSE), ObjId);
|
||||||
break;
|
break;
|
||||||
case PsProtectedObject:
|
case PsProtectedObject:
|
||||||
status = AddProtectedImage(&path, Packet->inheritType, ObjId);
|
status = AddProtectedImage(&path, Packet->inheritType, (Packet->applyForProcesses ? TRUE : FALSE), ObjId);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
|
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
|
||||||
|
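Review bot: `Packet->applyForProcesses` is read straight from the user-mode IOCTL packet, and until this commit those two bytes were the `reserved` field (the `_Hid_AddPsObjectPacket` hunk below renames it), so a client built against the older header that leaves `reserved` uninitialised or non-zero now silently applies the exclusion/protection to every running instance of the image. The hunk does not validate the field; either reject values other than 0 and 1 alongside the existing packet checks (which are outside the hunk), `if (Packet->applyForProcesses > 1) return STATUS_INVALID_PARAMETER;`, or at least state the contract on the field in the header: `// non-zero: also apply the rule to already-running processes of this image; was 'reserved', so older clients must zero it`. AddPsObject's body begins and ends outside the hunk.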
@ -60,7 +60,7 @@ typedef struct _Hid_AddPsObjectPacket {
|
|||||||
unsigned short objType;
|
unsigned short objType;
|
||||||
unsigned short dataSize;
|
unsigned short dataSize;
|
||||||
unsigned short inheritType;
|
unsigned short inheritType;
|
||||||
unsigned short reserved;
|
unsigned short applyForProcesses;
|
||||||
} Hid_AddPsObjectPacket, *PHid_AddPsObjectPacket;
|
} Hid_AddPsObjectPacket, *PHid_AddPsObjectPacket;
|
||||||
|
|
||||||
typedef struct _Hid_GetPsObjectInfoPacket {
|
typedef struct _Hid_GetPsObjectInfoPacket {
|
||||||
|
@ -106,7 +106,7 @@ FLT_PREOP_CALLBACK_STATUS FltCreatePreOperation(
|
|||||||
|
|
||||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||||
{
|
{
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||||
return FLT_PREOP_SUCCESS_NO_CALLBACK;
|
return FLT_PREOP_SUCCESS_NO_CALLBACK;
|
||||||
}
|
}
|
||||||
|
|
||||||
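Review bot: The `DbgPrint` in the excluded-process branch is commented out rather than removed, which leaves dead code in the hot create path. Either delete the line or keep it behind a verbose-logging macro (constructed name: `#ifdef HID_VERBOSE_LOG`) so the excluded path stays traceable when diagnosing why an operation was or was not filtered. FltCreatePreOperation begins and ends outside the hunk.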
@ -137,7 +137,7 @@ FLT_PREOP_CALLBACK_STATUS FltCreatePreOperation(
|
|||||||
|
|
||||||
if (neededPrevent)
|
if (neededPrevent)
|
||||||
{
|
{
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Create file\\dir operation canceled for: %wZ\n", &Data->Iopb->TargetFileObject->FileName);
|
DbgPrint("FsFilter1!" __FUNCTION__ ": Create file\\dir operation canceled for: %wZ, %d\n", &Data->Iopb->TargetFileObject->FileName, PsGetCurrentProcessId());
|
||||||
Data->IoStatus.Status = STATUS_NO_SUCH_FILE;
|
Data->IoStatus.Status = STATUS_NO_SUCH_FILE;
|
||||||
return FLT_PREOP_COMPLETE;
|
return FLT_PREOP_COMPLETE;
|
||||||
}
|
}
|
||||||
|
@ -9,7 +9,7 @@ NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffe
|
|||||||
ULONG size = 0, written = 0;
|
ULONG size = 0, written = 0;
|
||||||
|
|
||||||
// Query required size
|
// Query required size
|
||||||
status = NtQuerySystemInformation(Class, 0, 0, &size);
|
status = ZwQuerySystemInformation(Class, 0, 0, &size);
|
||||||
if (status != STATUS_INFO_LENGTH_MISMATCH)
|
if (status != STATUS_INFO_LENGTH_MISMATCH)
|
||||||
return status;
|
return status;
|
||||||
|
|
||||||
@ -24,7 +24,7 @@ NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffe
|
|||||||
if (!info)
|
if (!info)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
status = NtQuerySystemInformation(Class, info, size, &written);
|
status = ZwQuerySystemInformation(Class, info, size, &written);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!info)
|
if (!info)
|
||||||
@ -49,7 +49,7 @@ NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE Process, PVOID*
|
|||||||
ULONG size = 0, written = 0;
|
ULONG size = 0, written = 0;
|
||||||
|
|
||||||
// Query required size
|
// Query required size
|
||||||
status = NtQueryInformationProcess(Process, Class, 0, 0, &size);
|
status = ZwQueryInformationProcess(Process, Class, 0, 0, &size);
|
||||||
if (status != STATUS_INFO_LENGTH_MISMATCH)
|
if (status != STATUS_INFO_LENGTH_MISMATCH)
|
||||||
return status;
|
return status;
|
||||||
|
|
||||||
@ -64,7 +64,7 @@ NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE Process, PVOID*
|
|||||||
if (!info)
|
if (!info)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
status = NtQueryInformationProcess(Process, Class, info, size, &written);
|
status = ZwQueryInformationProcess(Process, Class, info, size, &written);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!info)
|
if (!info)
|
||||||
|
@ -34,14 +34,14 @@ typedef struct _SYSTEM_PROCESS_INFORMATION {
|
|||||||
LARGE_INTEGER Reserved6[6];
|
LARGE_INTEGER Reserved6[6];
|
||||||
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
|
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
|
||||||
|
|
||||||
NTSYSAPI NTSTATUS NTAPI NtQuerySystemInformation(
|
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
|
||||||
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
|
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
|
||||||
_Inout_ PVOID SystemInformation,
|
_Inout_ PVOID SystemInformation,
|
||||||
_In_ ULONG SystemInformationLength,
|
_In_ ULONG SystemInformationLength,
|
||||||
_Out_opt_ PULONG ReturnLength
|
_Out_opt_ PULONG ReturnLength
|
||||||
);
|
);
|
||||||
|
|
||||||
NTSYSAPI NTSTATUS NTAPI NtQueryInformationProcess(
|
NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(
|
||||||
_In_ HANDLE ProcessHandle,
|
_In_ HANDLE ProcessHandle,
|
||||||
_In_ PROCESSINFOCLASS ProcessInformationClass,
|
_In_ PROCESSINFOCLASS ProcessInformationClass,
|
||||||
_Out_ PVOID ProcessInformation,
|
_Out_ PVOID ProcessInformation,
|
||||||
|
@ -16,6 +16,8 @@ OB_CALLBACK_REGISTRATION g_regCallback;
|
|||||||
PsRulesContext g_excludeProcessRules;
|
PsRulesContext g_excludeProcessRules;
|
||||||
PsRulesContext g_protectProcessRules;
|
PsRulesContext g_protectProcessRules;
|
||||||
|
|
||||||
|
KSPIN_LOCK g_processTableLock;
|
||||||
|
|
||||||
typedef struct _ProcessListEntry {
|
typedef struct _ProcessListEntry {
|
||||||
LPCWSTR path;
|
LPCWSTR path;
|
||||||
ULONG inherit;
|
ULONG inherit;
|
||||||
@ -43,32 +45,57 @@ WCHAR g_csrssPathBuffer[CSRSS_PAHT_BUFFER_SIZE];
|
|||||||
BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
|
BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
|
||||||
{
|
{
|
||||||
ProcessTableEntry srcInfo, destInfo;
|
ProcessTableEntry srcInfo, destInfo;
|
||||||
|
KLOCK_QUEUE_HANDLE lockHandle;
|
||||||
|
BOOLEAN result;
|
||||||
|
|
||||||
if (Source == Destination)
|
if (Source == Destination)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
destInfo.processId = Destination;
|
srcInfo.processId = Source;
|
||||||
if (!GetProcessInProcessTable(&destInfo))
|
|
||||||
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
|
result = GetProcessInProcessTable(&srcInfo);
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
|
if (!result)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
srcInfo.processId = Source;
|
destInfo.processId = Destination;
|
||||||
if (!GetProcessInProcessTable(&srcInfo))
|
|
||||||
|
// Spinlock is locked once for both Get\Update process table functions
|
||||||
|
// because we want to prevent situations when another thread can change
|
||||||
|
// any state of process beetwen get and update functions on this place
|
||||||
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
|
|
||||||
|
if (!GetProcessInProcessTable(&destInfo))
|
||||||
|
{
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
// Not-inited process can open any process (parent, csrss, etc)
|
// Not-inited process can open any process (parent, csrss, etc)
|
||||||
if (!destInfo.inited)
|
if (!destInfo.inited)
|
||||||
{
|
{
|
||||||
|
result = TRUE;
|
||||||
|
|
||||||
// Update if source is subsystem and destination isn't inited
|
// Update if source is subsystem and destination isn't inited
|
||||||
if (srcInfo.subsystem)
|
if (srcInfo.subsystem)
|
||||||
{
|
{
|
||||||
destInfo.inited = TRUE;
|
destInfo.inited = TRUE;
|
||||||
if (!UpdateProcessInProcessTable(&destInfo))
|
if (!UpdateProcessInProcessTable(&destInfo))
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't update initial state for process: %d\n", destInfo.processId);
|
result = FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
|
if (!result)
|
||||||
|
DbgPrint("FsFilter1!" __FUNCTION__ ": can't update initial state for process: %d\n", destInfo.processId);
|
||||||
|
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
if (!destInfo.protected)
|
if (!destInfo.protected)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
@ -143,6 +170,8 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
|
|||||||
{
|
{
|
||||||
ProcessTableEntry lookup;
|
ProcessTableEntry lookup;
|
||||||
ULONG inheritType;
|
ULONG inheritType;
|
||||||
|
KLOCK_QUEUE_HANDLE lockHandle;
|
||||||
|
BOOLEAN result;
|
||||||
|
|
||||||
RtlZeroMemory(&lookup, sizeof(lookup));
|
RtlZeroMemory(&lookup, sizeof(lookup));
|
||||||
|
|
||||||
@ -162,7 +191,12 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
|
|||||||
else if (ParentId != 0)
|
else if (ParentId != 0)
|
||||||
{
|
{
|
||||||
lookup.processId = ParentId;
|
lookup.processId = ParentId;
|
||||||
if (GetProcessInProcessTable(&lookup))
|
|
||||||
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
|
result = GetProcessInProcessTable(&lookup);
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
|
if (result)
|
||||||
{
|
{
|
||||||
if (lookup.inheritExclusion == PsRuleTypeInherit)
|
if (lookup.inheritExclusion == PsRuleTypeInherit)
|
||||||
{
|
{
|
||||||
@ -190,7 +224,12 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
|
|||||||
else if (ParentId != 0)
|
else if (ParentId != 0)
|
||||||
{
|
{
|
||||||
lookup.processId = ParentId;
|
lookup.processId = ParentId;
|
||||||
if (GetProcessInProcessTable(&lookup))
|
|
||||||
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
|
result = GetProcessInProcessTable(&lookup);
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
|
if (result)
|
||||||
{
|
{
|
||||||
if (lookup.inheritProtection == PsRuleTypeInherit)
|
if (lookup.inheritProtection == PsRuleTypeInherit)
|
||||||
{
|
{
|
||||||
@ -209,6 +248,8 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
|
|||||||
VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
|
VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
|
||||||
{
|
{
|
||||||
ProcessTableEntry entry;
|
ProcessTableEntry entry;
|
||||||
|
KLOCK_QUEUE_HANDLE lockHandle;
|
||||||
|
BOOLEAN result;
|
||||||
|
|
||||||
UNREFERENCED_PARAMETER(Process);
|
UNREFERENCED_PARAMETER(Process);
|
||||||
|
|
||||||
@ -252,14 +293,22 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
|
|||||||
if (entry.protected)
|
if (entry.protected)
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": protected process:%d\n", ProcessId);
|
DbgPrint("FsFilter1!" __FUNCTION__ ": protected process:%d\n", ProcessId);
|
||||||
|
|
||||||
if (!AddProcessToProcessTable(&entry))
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
|
result = AddProcessToProcessTable(&entry);
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
|
if (!result)
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't add process(pid:%d) to process table\n", ProcessId);
|
DbgPrint("FsFilter1!" __FUNCTION__ ": can't add process(pid:%d) to process table\n", ProcessId);
|
||||||
|
|
||||||
ExFreePool(normalized.Buffer);
|
ExFreePool(normalized.Buffer);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
if (!RemoveProcessFromProcessTable(&entry))
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
|
result = RemoveProcessFromProcessTable(&entry);
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
|
if (!result)
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove process(pid:%d) from process table\n", ProcessId);
|
DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove process(pid:%d) from process table\n", ProcessId);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -268,9 +317,16 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
|
|||||||
BOOLEAN IsProcessExcluded(HANDLE ProcessId)
|
BOOLEAN IsProcessExcluded(HANDLE ProcessId)
|
||||||
{
|
{
|
||||||
ProcessTableEntry entry;
|
ProcessTableEntry entry;
|
||||||
|
KLOCK_QUEUE_HANDLE lockHandle;
|
||||||
|
BOOLEAN result;
|
||||||
|
|
||||||
entry.processId = ProcessId;
|
entry.processId = ProcessId;
|
||||||
if (!GetProcessInProcessTable(&entry))
|
|
||||||
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
|
result = GetProcessInProcessTable(&entry);
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
|
if (!result)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
return entry.excluded;
|
return entry.excluded;
|
||||||
@ -279,9 +335,16 @@ BOOLEAN IsProcessExcluded(HANDLE ProcessId)
|
|||||||
BOOLEAN IsProcessProtected(HANDLE ProcessId)
|
BOOLEAN IsProcessProtected(HANDLE ProcessId)
|
||||||
{
|
{
|
||||||
ProcessTableEntry entry;
|
ProcessTableEntry entry;
|
||||||
|
KLOCK_QUEUE_HANDLE lockHandle;
|
||||||
|
BOOLEAN result;
|
||||||
|
|
||||||
entry.processId = ProcessId;
|
entry.processId = ProcessId;
|
||||||
if (!GetProcessInProcessTable(&entry))
|
|
||||||
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
|
result = GetProcessInProcessTable(&entry);
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
|
if (!result)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
return entry.protected;
|
return entry.protected;
|
||||||
@ -378,6 +441,10 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
|||||||
AddRuleToPsRuleList(g_protectProcessRules, &normalized, g_protectProcesses[i].inherit, &ruleId);
|
AddRuleToPsRuleList(g_protectProcessRules, &normalized, g_protectProcesses[i].inherit, &ruleId);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Process table
|
||||||
|
|
||||||
|
KeInitializeSpinLock(&g_processTableLock);
|
||||||
|
|
||||||
status = InitializeProcessTable(CheckProcessFlags);
|
status = InitializeProcessTable(CheckProcessFlags);
|
||||||
if (!NT_SUCCESS(status))
|
if (!NT_SUCCESS(status))
|
||||||
{
|
{
|
||||||
@ -432,6 +499,8 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
|||||||
|
|
||||||
NTSTATUS DestroyPsMonitor()
|
NTSTATUS DestroyPsMonitor()
|
||||||
{
|
{
|
||||||
|
KLOCK_QUEUE_HANDLE lockHandle;
|
||||||
|
|
||||||
if (!g_psMonitorInited)
|
if (!g_psMonitorInited)
|
||||||
return STATUS_ALREADY_DISCONNECTED;
|
return STATUS_ALREADY_DISCONNECTED;
|
||||||
|
|
||||||
@ -446,13 +515,112 @@ NTSTATUS DestroyPsMonitor()
|
|||||||
DestroyPsRuleListContext(g_excludeProcessRules);
|
DestroyPsRuleListContext(g_excludeProcessRules);
|
||||||
DestroyPsRuleListContext(g_protectProcessRules);
|
DestroyPsRuleListContext(g_protectProcessRules);
|
||||||
|
|
||||||
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
DestroyProcessTable();
|
DestroyProcessTable();
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
g_psMonitorInited = FALSE;
|
g_psMonitorInited = FALSE;
|
||||||
|
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, PULONGLONG ObjId)
|
NTSTATUS SetStateForProcessesByImage(PCUNICODE_STRING ImagePath, BOOLEAN Excluded, BOOLEAN Protected)
|
||||||
|
{
|
||||||
|
PSYSTEM_PROCESS_INFORMATION processInfo = NULL, first;
|
||||||
|
SIZE_T size = 0, offset;
|
||||||
|
NTSTATUS status;
|
||||||
|
|
||||||
|
status = QuerySystemInformation(SystemProcessInformation, &processInfo, &size);
|
||||||
|
if (!NT_SUCCESS(status))
|
||||||
|
{
|
||||||
|
DbgPrint("FsFilter1!" __FUNCTION__ ": query system information(pslist) failed with code:%08x\n", status);
|
||||||
|
return status;
|
||||||
|
}
|
||||||
|
|
||||||
|
offset = 0;
|
||||||
|
first = processInfo;
|
||||||
|
do
|
||||||
|
{
|
||||||
|
HANDLE hProcess;
|
||||||
|
CLIENT_ID clientId;
|
||||||
|
OBJECT_ATTRIBUTES attribs;
|
||||||
|
PUNICODE_STRING procName;
|
||||||
|
ProcessTableEntry entry;
|
||||||
|
KLOCK_QUEUE_HANDLE lockHandle;
|
||||||
|
|
||||||
|
processInfo = (PSYSTEM_PROCESS_INFORMATION)((SIZE_T)processInfo + offset);
|
||||||
|
|
||||||
|
if (processInfo->ProcessId == 0)
|
||||||
|
{
|
||||||
|
offset = processInfo->NextEntryOffset;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
InitializeObjectAttributes(&attribs, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
|
||||||
|
clientId.UniqueProcess = processInfo->ProcessId;
|
||||||
|
clientId.UniqueThread = 0;
|
||||||
|
|
||||||
|
status = ZwOpenProcess(&hProcess, 0x1000/*PROCESS_QUERY_LIMITED_INFORMATION*/, &attribs, &clientId);
|
||||||
|
if (!NT_SUCCESS(status))
|
||||||
|
{
|
||||||
|
DbgPrint("FsFilter1!" __FUNCTION__ ": can't open process (pid:%d) failed with code:%08x\n", processInfo->ProcessId, status);
|
||||||
|
offset = processInfo->NextEntryOffset;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
status = QueryProcessInformation(ProcessImageFileName, hProcess, &procName, &size);
|
||||||
|
ZwClose(hProcess);
|
||||||
|
|
||||||
|
if (!NT_SUCCESS(status))
|
||||||
|
{
|
||||||
|
DbgPrint("FsFilter1!" __FUNCTION__ ": query process information(pid:%d) failed with code:%08x\n", processInfo->ProcessId, status);
|
||||||
|
offset = processInfo->NextEntryOffset;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
entry.processId = processInfo->ProcessId;
|
||||||
|
if (RtlCompareUnicodeString(procName, ImagePath, TRUE) == 0)
|
||||||
|
{
|
||||||
|
BOOLEAN result = TRUE;
|
||||||
|
|
||||||
|
// Spinlock is locked once for both Get\Update process table functions
|
||||||
|
// because we want to prevent situations when another thread can change
|
||||||
|
// any state of process beetwen get and update functions on this place
|
||||||
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
|
|
||||||
|
if (GetProcessInProcessTable(&entry))
|
||||||
|
{
|
||||||
|
if (Excluded)
|
||||||
|
{
|
||||||
|
entry.excluded = TRUE;
|
||||||
|
entry.inheritExclusion = PsRuleTypeWithoutInherit;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (Protected)
|
||||||
|
{
|
||||||
|
entry.protected = TRUE;
|
||||||
|
entry.inheritProtection = PsRuleTypeWithoutInherit;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!UpdateProcessInProcessTable(&entry))
|
||||||
|
result = FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
|
if (!result)
|
||||||
|
DbgPrint("FsFilter1!" __FUNCTION__ ": can't update process %d\n", processInfo->ProcessId);
|
||||||
|
}
|
||||||
|
|
||||||
|
FreeInformation(procName);
|
||||||
|
offset = processInfo->NextEntryOffset;
|
||||||
|
} while (offset);
|
||||||
|
|
||||||
|
FreeInformation(first);
|
||||||
|
return STATUS_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN ApplyForProcesses, PULONGLONG ObjId)
|
||||||
{
|
{
|
||||||
const USHORT maxBufSize = ImagePath->Length + NORMALIZE_INCREAMENT;
|
const USHORT maxBufSize = ImagePath->Length + NORMALIZE_INCREAMENT;
|
||||||
UNICODE_STRING normalized;
|
UNICODE_STRING normalized;
|
||||||
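Review bot: `SetStateForProcessesByImage` is a new non-static function with no prototype in the PsMonitor.h hunk further down and no header comment, so it gets external linkage by accident and its contract (per-process open/query/update failures are logged and skipped, and the return is STATUS_SUCCESS whenever the process-list query succeeded) is only recoverable by reading the loop. Mark it `static` unless another translation unit needs it, and add a comment above it such as: `// Walks the live process list and marks every process whose image path equals ImagePath as excluded and/or protected (without inheritance). Per-process failures are logged and skipped; only a failed process-list query is returned.` The `0x1000/*PROCESS_QUERY_LIMITED_INFORMATION*/` access mask passed to `ZwOpenProcess` should use the named constant where the WDK headers in use provide it. The match also relies on the `ProcessImageFileName` result and the normalized rule path being in the same (NT device) form, which the hunk does not show; worth confirming against the normalization helper.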
@ -479,6 +647,9 @@ NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, PULONGL
|
|||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": protect image: %wZ\n", &normalized);
|
DbgPrint("FsFilter1!" __FUNCTION__ ": protect image: %wZ\n", &normalized);
|
||||||
status = AddRuleToPsRuleList(g_protectProcessRules, &normalized, InheritType, ObjId);
|
status = AddRuleToPsRuleList(g_protectProcessRules, &normalized, InheritType, ObjId);
|
||||||
|
|
||||||
|
if (ApplyForProcesses)
|
||||||
|
SetStateForProcessesByImage(&normalized, FALSE, TRUE);
|
||||||
|
|
||||||
ExFreePool(normalized.Buffer);
|
ExFreePool(normalized.Buffer);
|
||||||
|
|
||||||
return status;
|
return status;
|
||||||
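Review bot: `SetStateForProcessesByImage` runs regardless of whether `AddRuleToPsRuleList` succeeded, so when the rule is not stored (failing `status`) every running process of the image is still switched to protected while the caller receives an error and no ObjId with which to undo it; the AddExcludedImage hunk further down has the same ordering. Guard the call on the rule having been registered: `if (NT_SUCCESS(status) && ApplyForProcesses)`. Dropping the helper's return value is consistent with it logging its own failures, but that best-effort behaviour should be stated in a comment on the call. AddProtectedImage's body starts outside the hunk.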
@ -487,9 +658,16 @@ NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, PULONGL
|
|||||||
NTSTATUS GetProtectedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable)
|
NTSTATUS GetProtectedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable)
|
||||||
{
|
{
|
||||||
ProcessTableEntry entry;
|
ProcessTableEntry entry;
|
||||||
|
KLOCK_QUEUE_HANDLE lockHandle;
|
||||||
|
BOOLEAN result;
|
||||||
|
|
||||||
entry.processId = ProcessId;
|
entry.processId = ProcessId;
|
||||||
if (!GetProcessInProcessTable(&entry))
|
|
||||||
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
|
result = GetProcessInProcessTable(&entry);
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
|
if (!result)
|
||||||
return STATUS_NOT_FOUND;
|
return STATUS_NOT_FOUND;
|
||||||
|
|
||||||
*Enable = entry.protected;
|
*Enable = entry.protected;
|
||||||
@ -502,9 +680,16 @@ NTSTATUS SetProtectedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN E
|
|||||||
{
|
{
|
||||||
NTSTATUS status = STATUS_SUCCESS;
|
NTSTATUS status = STATUS_SUCCESS;
|
||||||
ProcessTableEntry entry;
|
ProcessTableEntry entry;
|
||||||
|
KLOCK_QUEUE_HANDLE lockHandle;
|
||||||
|
BOOLEAN result;
|
||||||
|
|
||||||
entry.processId = ProcessId;
|
entry.processId = ProcessId;
|
||||||
if (!GetProcessInProcessTable(&entry))
|
|
||||||
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
|
result = GetProcessInProcessTable(&entry);
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
|
if (!result)
|
||||||
return STATUS_NOT_FOUND;
|
return STATUS_NOT_FOUND;
|
||||||
|
|
||||||
if (Enable)
|
if (Enable)
|
||||||
@ -517,7 +702,11 @@ NTSTATUS SetProtectedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN E
|
|||||||
entry.protected = FALSE;
|
entry.protected = FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!UpdateProcessInProcessTable(&entry))
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
|
result = UpdateProcessInProcessTable(&entry);
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
|
if (!result)
|
||||||
return STATUS_NOT_FOUND;
|
return STATUS_NOT_FOUND;
|
||||||
|
|
||||||
return status;
|
return status;
|
||||||
@ -533,7 +722,7 @@ NTSTATUS RemoveAllProtectedImages()
|
|||||||
return RemoveAllRulesFromPsRuleList(g_protectProcessRules);
|
return RemoveAllRulesFromPsRuleList(g_protectProcessRules);
|
||||||
}
|
}
|
||||||
|
|
||||||
NTSTATUS AddExcludedImage(PUNICODE_STRING ImagePath, ULONG InheritType, PULONGLONG ObjId)
|
NTSTATUS AddExcludedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN ApplyForProcesses, PULONGLONG ObjId)
|
||||||
{
|
{
|
||||||
const USHORT maxBufSize = ImagePath->Length + NORMALIZE_INCREAMENT;
|
const USHORT maxBufSize = ImagePath->Length + NORMALIZE_INCREAMENT;
|
||||||
UNICODE_STRING normalized;
|
UNICODE_STRING normalized;
|
||||||
@ -560,6 +749,9 @@ NTSTATUS AddExcludedImage(PUNICODE_STRING ImagePath, ULONG InheritType, PULONGLO
|
|||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": exclude image: %wZ\n", &normalized);
|
DbgPrint("FsFilter1!" __FUNCTION__ ": exclude image: %wZ\n", &normalized);
|
||||||
status = AddRuleToPsRuleList(g_excludeProcessRules, &normalized, InheritType, ObjId);
|
status = AddRuleToPsRuleList(g_excludeProcessRules, &normalized, InheritType, ObjId);
|
||||||
|
|
||||||
|
if (ApplyForProcesses)
|
||||||
|
SetStateForProcessesByImage(&normalized, TRUE, FALSE);
|
||||||
|
|
||||||
ExFreePool(normalized.Buffer);
|
ExFreePool(normalized.Buffer);
|
||||||
|
|
||||||
return status;
|
return status;
|
||||||
@ -568,9 +760,16 @@ NTSTATUS AddExcludedImage(PUNICODE_STRING ImagePath, ULONG InheritType, PULONGLO
|
|||||||
NTSTATUS GetExcludedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable)
|
NTSTATUS GetExcludedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable)
|
||||||
{
|
{
|
||||||
ProcessTableEntry entry;
|
ProcessTableEntry entry;
|
||||||
|
KLOCK_QUEUE_HANDLE lockHandle;
|
||||||
|
BOOLEAN result;
|
||||||
|
|
||||||
entry.processId = ProcessId;
|
entry.processId = ProcessId;
|
||||||
if (!GetProcessInProcessTable(&entry))
|
|
||||||
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
|
result = GetProcessInProcessTable(&entry);
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
|
if (!result)
|
||||||
return STATUS_NOT_FOUND;
|
return STATUS_NOT_FOUND;
|
||||||
|
|
||||||
*Enable = entry.excluded;
|
*Enable = entry.excluded;
|
||||||
@ -583,9 +782,16 @@ NTSTATUS SetExcludedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN En
|
|||||||
{
|
{
|
||||||
NTSTATUS status = STATUS_SUCCESS;
|
NTSTATUS status = STATUS_SUCCESS;
|
||||||
ProcessTableEntry entry;
|
ProcessTableEntry entry;
|
||||||
|
KLOCK_QUEUE_HANDLE lockHandle;
|
||||||
|
BOOLEAN result;
|
||||||
|
|
||||||
entry.processId = ProcessId;
|
entry.processId = ProcessId;
|
||||||
if (!GetProcessInProcessTable(&entry))
|
|
||||||
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
|
result = GetProcessInProcessTable(&entry);
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
|
if (!result)
|
||||||
return STATUS_NOT_FOUND;
|
return STATUS_NOT_FOUND;
|
||||||
|
|
||||||
if (Enable)
|
if (Enable)
|
||||||
@ -598,7 +804,11 @@ NTSTATUS SetExcludedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN En
|
|||||||
entry.excluded = FALSE;
|
entry.excluded = FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!UpdateProcessInProcessTable(&entry))
|
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
||||||
|
result = UpdateProcessInProcessTable(&entry);
|
||||||
|
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
||||||
|
|
||||||
|
if (!result)
|
||||||
return STATUS_NOT_FOUND;
|
return STATUS_NOT_FOUND;
|
||||||
|
|
||||||
return status;
|
return status;
|
||||||
|
@ -13,13 +13,13 @@ NTSTATUS DestroyPsMonitor();
|
|||||||
BOOLEAN IsProcessExcluded(HANDLE ProcessId);
|
BOOLEAN IsProcessExcluded(HANDLE ProcessId);
|
||||||
BOOLEAN IsProcessProtected(HANDLE ProcessId);
|
BOOLEAN IsProcessProtected(HANDLE ProcessId);
|
||||||
|
|
||||||
NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, PULONGLONG ObjId);
|
NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN ApplyForProcesses, PULONGLONG ObjId);
|
||||||
NTSTATUS GetProtectedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable);
|
NTSTATUS GetProtectedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable);
|
||||||
NTSTATUS SetProtectedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN Enable);
|
NTSTATUS SetProtectedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN Enable);
|
||||||
NTSTATUS RemoveProtectedImage(ULONGLONG ObjId);
|
NTSTATUS RemoveProtectedImage(ULONGLONG ObjId);
|
||||||
NTSTATUS RemoveAllProtectedImages();
|
NTSTATUS RemoveAllProtectedImages();
|
||||||
|
|
||||||
NTSTATUS AddExcludedImage(PUNICODE_STRING ImagePath, ULONG InheritType, PULONGLONG ObjId);
|
NTSTATUS AddExcludedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN ApplyForProcesses, PULONGLONG ObjId);
|
||||||
NTSTATUS GetExcludedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable);
|
NTSTATUS GetExcludedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable);
|
||||||
NTSTATUS SetExcludedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN Enable);
|
NTSTATUS SetExcludedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN Enable);
|
||||||
NTSTATUS RemoveExcludedImage(ULONGLONG ObjId);
|
NTSTATUS RemoveExcludedImage(ULONGLONG ObjId);
|
||||||
|
@ -4,7 +4,6 @@
|
|||||||
#define PSTREE_ALLOC_TAG 'rTsP'
|
#define PSTREE_ALLOC_TAG 'rTsP'
|
||||||
|
|
||||||
RTL_AVL_TABLE g_processTable;
|
RTL_AVL_TABLE g_processTable;
|
||||||
KSPIN_LOCK g_processTableLock;
|
|
||||||
|
|
||||||
RTL_GENERIC_COMPARE_RESULTS CompareProcessTableEntry(struct _RTL_AVL_TABLE *Table, PVOID FirstStruct, PVOID SecondStruct)
|
RTL_GENERIC_COMPARE_RESULTS CompareProcessTableEntry(struct _RTL_AVL_TABLE *Table, PVOID FirstStruct, PVOID SecondStruct)
|
||||||
{
|
{
|
||||||
@ -38,15 +37,9 @@ VOID FreeProcessTableEntry(struct _RTL_AVL_TABLE *Table, PVOID Buffer)
|
|||||||
|
|
||||||
BOOLEAN AddProcessToProcessTable(PProcessTableEntry entry)
|
BOOLEAN AddProcessToProcessTable(PProcessTableEntry entry)
|
||||||
{
|
{
|
||||||
KLOCK_QUEUE_HANDLE lockHandle;
|
|
||||||
BOOLEAN result = FALSE;
|
BOOLEAN result = FALSE;
|
||||||
PVOID buf;
|
|
||||||
|
|
||||||
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
if (RtlInsertElementGenericTableAvl(&g_processTable, entry, sizeof(ProcessTableEntry), &result) == NULL)
|
||||||
buf = RtlInsertElementGenericTableAvl(&g_processTable, entry, sizeof(ProcessTableEntry), &result);
|
|
||||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
|
||||||
|
|
||||||
if (buf == NULL)
|
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
return result;
|
return result;
|
||||||
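Review bot: With the spinlock removed from `AddProcessToProcessTable` (and, in the next hunk, from the Remove/Get/Update functions), holding `g_processTableLock` becomes a precondition of every table call, yet nothing in PsTable.c states it and the lock's definition itself has moved to PsMonitor.c, so a future caller has no local hint that an unlocked call is a race. Add a comment on each of these functions, e.g. `// Caller must hold g_processTableLock (KeAcquireInStackQueuedSpinLock); the AVL routines are not otherwise synchronized.`, and consider an `extern KSPIN_LOCK g_processTableLock;` declaration in the table header so the dependency is visible at the declaration site. The closing brace of AddProcessToProcessTable is outside the hunk.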
@ -54,46 +47,29 @@ BOOLEAN AddProcessToProcessTable(PProcessTableEntry entry)
|
|||||||
|
|
||||||
BOOLEAN RemoveProcessFromProcessTable(PProcessTableEntry entry)
|
BOOLEAN RemoveProcessFromProcessTable(PProcessTableEntry entry)
|
||||||
{
|
{
|
||||||
KLOCK_QUEUE_HANDLE lockHandle;
|
return RtlDeleteElementGenericTableAvl(&g_processTable, entry);
|
||||||
BOOLEAN result;
|
|
||||||
|
|
||||||
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
|
||||||
result = RtlDeleteElementGenericTableAvl(&g_processTable, entry);
|
|
||||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
|
||||||
|
|
||||||
return result;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
BOOLEAN GetProcessInProcessTable(PProcessTableEntry entry)
|
BOOLEAN GetProcessInProcessTable(PProcessTableEntry entry)
|
||||||
{
|
{
|
||||||
KLOCK_QUEUE_HANDLE lockHandle;
|
|
||||||
PProcessTableEntry entry2;
|
PProcessTableEntry entry2;
|
||||||
|
|
||||||
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
|
||||||
|
|
||||||
entry2 = (PProcessTableEntry)RtlLookupElementGenericTableAvl(&g_processTable, entry);
|
entry2 = (PProcessTableEntry)RtlLookupElementGenericTableAvl(&g_processTable, entry);
|
||||||
if (entry2)
|
if (entry2)
|
||||||
RtlCopyMemory(entry, entry2, sizeof(ProcessTableEntry));
|
RtlCopyMemory(entry, entry2, sizeof(ProcessTableEntry));
|
||||||
|
|
||||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
|
||||||
|
|
||||||
return (entry2 ? TRUE : FALSE);
|
return (entry2 ? TRUE : FALSE);
|
||||||
}
|
}
|
||||||
|
|
||||||
BOOLEAN UpdateProcessInProcessTable(PProcessTableEntry entry)
|
BOOLEAN UpdateProcessInProcessTable(PProcessTableEntry entry)
|
||||||
{
|
{
|
||||||
KLOCK_QUEUE_HANDLE lockHandle;
|
|
||||||
PProcessTableEntry entry2;
|
PProcessTableEntry entry2;
|
||||||
|
|
||||||
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
|
||||||
|
|
||||||
entry2 = (PProcessTableEntry)RtlLookupElementGenericTableAvl(&g_processTable, entry);
|
entry2 = (PProcessTableEntry)RtlLookupElementGenericTableAvl(&g_processTable, entry);
|
||||||
|
|
||||||
if (entry2)
|
if (entry2)
|
||||||
RtlCopyMemory(entry2, entry, sizeof(ProcessTableEntry));
|
RtlCopyMemory(entry2, entry, sizeof(ProcessTableEntry));
|
||||||
|
|
||||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
|
||||||
|
|
||||||
return (entry2 ? TRUE : FALSE);
|
return (entry2 ? TRUE : FALSE);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -107,7 +83,6 @@ NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEnt
|
|||||||
|
|
||||||
// Init process table
|
// Init process table
|
||||||
|
|
||||||
KeInitializeSpinLock(&g_processTableLock);
|
|
||||||
RtlInitializeGenericTableAvl(&g_processTable, CompareProcessTableEntry, AllocateProcessTableEntry, FreeProcessTableEntry, NULL);
|
RtlInitializeGenericTableAvl(&g_processTable, CompareProcessTableEntry, AllocateProcessTableEntry, FreeProcessTableEntry, NULL);
|
||||||
|
|
||||||
// We should query processes information for creation process table for existing processes
|
// We should query processes information for creation process table for existing processes
|
||||||
@ -144,7 +119,7 @@ NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEnt
|
|||||||
clientId.UniqueProcess = processInfo->ProcessId;
|
clientId.UniqueProcess = processInfo->ProcessId;
|
||||||
clientId.UniqueThread = 0;
|
clientId.UniqueThread = 0;
|
||||||
|
|
||||||
status = NtOpenProcess(&hProcess, 0x1000/*PROCESS_QUERY_LIMITED_INFORMATION*/, &attribs, &clientId);
|
status = ZwOpenProcess(&hProcess, 0x1000/*PROCESS_QUERY_LIMITED_INFORMATION*/, &attribs, &clientId);
|
||||||
if (!NT_SUCCESS(status))
|
if (!NT_SUCCESS(status))
|
||||||
{
|
{
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't open process (pid:%d) failed with code:%08x\n", processInfo->ProcessId, status);
|
DbgPrint("FsFilter1!" __FUNCTION__ ": can't open process (pid:%d) failed with code:%08x\n", processInfo->ProcessId, status);
|
||||||
@ -195,12 +170,9 @@ NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEnt
|
|||||||
|
|
||||||
VOID DestroyProcessTable()
|
VOID DestroyProcessTable()
|
||||||
{
|
{
|
||||||
KLOCK_QUEUE_HANDLE lockHandle;
|
|
||||||
PProcessTableEntry entry;
|
PProcessTableEntry entry;
|
||||||
PVOID restartKey = NULL;
|
PVOID restartKey = NULL;
|
||||||
|
|
||||||
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
|
|
||||||
|
|
||||||
for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&g_processTable, &restartKey);
|
for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&g_processTable, &restartKey);
|
||||||
entry != NULL;
|
entry != NULL;
|
||||||
entry = RtlEnumerateGenericTableWithoutSplayingAvl(&g_processTable, &restartKey))
|
entry = RtlEnumerateGenericTableWithoutSplayingAvl(&g_processTable, &restartKey))
|
||||||
@ -210,6 +182,4 @@ VOID DestroyProcessTable()
|
|||||||
|
|
||||||
restartKey = NULL; // reset enum
|
restartKey = NULL; // reset enum
|
||||||
}
|
}
|
||||||
|
|
||||||
KeReleaseInStackQueuedSpinLock(&lockHandle);
|
|
||||||
}
|
}
|
||||||
|
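Review bot: With g_processTableLock gone, RtlInsertElementGenericTableAvl, RtlLookupElementGenericTableAvl, RtlDeleteElementGenericTableAvl and the enumerate/delete loop in DestroyProcessTable run with no serialization of their own, and nothing in this file states the new requirement; the hunks at @ -38,15, @ -54,46 and @ -195,12 all depend on it. I would add above AddProcessToProcessTable `// NOTE: no internal locking - every routine below, including DestroyProcessTable, must be serialized by the caller` so the contract is visible where the Rtl calls are made. In the @ -144,7 hunk the switch to ZwOpenProcess forces PreviousMode to KernelMode, so the probing and access check that applied when the caller's thread was user-mode no longer happen; attribs is initialized outside the hunk, so verify it carries OBJ_KERNEL_HANDLE and that hProcess is released with ZwClose on every path, otherwise the handle is created in the handle table of whichever process is current during initialization. InitializeProcessTable starts and ends outside its hunks.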
@ -19,6 +19,12 @@ typedef struct _ProcessTableEntry {
|
|||||||
NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEntry, PCUNICODE_STRING, HANDLE));
|
NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEntry, PCUNICODE_STRING, HANDLE));
|
||||||
VOID DestroyProcessTable();
|
VOID DestroyProcessTable();
|
||||||
|
|
||||||
|
// Important notice:
|
||||||
|
// Keep in mind that internal sync mechanisms removed from functions below (including DestroyProcessTable)
|
||||||
|
// because in some situations we need to perform two operation under one lock, for instance we should
|
||||||
|
// perform GetProcessInProcessTable and UpdateProcessInProcessTable under one lock. So in this case all
|
||||||
|
// functions, excluding InitializeProcessTable, should be synced manualy from external code
|
||||||
|
|
||||||
BOOLEAN AddProcessToProcessTable(PProcessTableEntry entry);
|
BOOLEAN AddProcessToProcessTable(PProcessTableEntry entry);
|
||||||
BOOLEAN RemoveProcessFromProcessTable(PProcessTableEntry entry);
|
BOOLEAN RemoveProcessFromProcessTable(PProcessTableEntry entry);
|
||||||
BOOLEAN GetProcessInProcessTable(PProcessTableEntry entry);
|
BOOLEAN GetProcessInProcessTable(PProcessTableEntry entry);
|
||||||
|
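Review bot: The new notice says the sync mechanisms were removed from the "functions below (including DestroyProcessTable)", but DestroyProcessTable is declared above the comment, so a reader scanning the declarations top-down misses that it is also unsynchronized; either move the block above `VOID DestroyProcessTable();` or reword it to "every function in this header except InitializeProcessTable". While touching it, fix "two operation" to "two operations" and "manualy" to "manually". It would also help to name the primitive the caller is expected to hold, since the Rtl AVL routines impose IRQL constraints of their own and the choice of lock decides whether they can be called safely.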
@ -114,7 +114,7 @@ NTSTATUS RegPreCreateKey(PVOID context, PREG_PRE_CREATE_KEY_INFORMATION info)
|
|||||||
|
|
||||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||||
{
|
{
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -135,7 +135,7 @@ NTSTATUS RegPreCreateKeyEx(PVOID context, PREG_CREATE_KEY_INFORMATION info)
|
|||||||
|
|
||||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||||
{
|
{
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -154,7 +154,7 @@ NTSTATUS RegPreOpenKey(PVOID context, PREG_PRE_OPEN_KEY_INFORMATION info)
|
|||||||
|
|
||||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||||
{
|
{
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -175,7 +175,7 @@ NTSTATUS RegPreOpenKeyEx(PVOID context, PREG_OPEN_KEY_INFORMATION info)
|
|||||||
|
|
||||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||||
{
|
{
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -228,7 +228,7 @@ NTSTATUS RegPostEnumKey(PVOID context, PREG_POST_OPERATION_INFORMATION info)
|
|||||||
|
|
||||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||||
{
|
{
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -326,7 +326,7 @@ NTSTATUS RegPostEnumValue(PVOID context, PREG_POST_OPERATION_INFORMATION info)
|
|||||||
|
|
||||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||||
{
|
{
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -393,7 +393,7 @@ NTSTATUS RegPreSetValue(PVOID context, PREG_SET_VALUE_KEY_INFORMATION info)
|
|||||||
|
|
||||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||||
{
|
{
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -424,7 +424,7 @@ NTSTATUS RegPreDeleteValue(PVOID context, PREG_DELETE_VALUE_KEY_INFORMATION info
|
|||||||
|
|
||||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||||
{
|
{
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -455,7 +455,7 @@ NTSTATUS RegPreQueryValue(PVOID context, PREG_QUERY_VALUE_KEY_INFORMATION info)
|
|||||||
|
|
||||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||||
{
|
{
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -486,7 +486,7 @@ NTSTATUS RegPreQueryMultipleValue(PVOID context, PREG_QUERY_MULTIPLE_VALUE_KEY_I
|
|||||||
|
|
||||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||||
{
|
{
|
||||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
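Review bot: The nine hunks in this file (from @ -114,7 onward) silence the trace by leaving `//DbgPrint(...)` behind as commented-out code, so each excluded-process early return now carries a dead line that will drift from the real format string the next time someone revives it. Either delete the line and keep the braced `return STATUS_SUCCESS;` block, or route it through a verbosity-gated logging macro so the trace can be re-enabled without editing source. Every enclosing Reg* callback starts and ends outside its hunk.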
@ -41,8 +41,10 @@
|
|||||||
+ Реализовать IOCTL протокол управления
|
+ Реализовать IOCTL протокол управления
|
||||||
+ Реализовать usermode библиотеку для работы с IOCTL API
|
+ Реализовать usermode библиотеку для работы с IOCTL API
|
||||||
+ Слинковать с IOCTL API lib
|
+ Слинковать с IOCTL API lib
|
||||||
|
+ Добавить поддержку флага автоприсвоение состояния существующим процессам для Hid_AddExcludedImage\Hid_AddProtectedImage
|
||||||
- Реализовать HiddenCLI
|
- Реализовать HiddenCLI
|
||||||
+ Портировать драйвер под архитектуру x64
|
+ Портировать драйвер под архитектуру x64
|
||||||
|
- Портировать под версии Windows 8, 8.1, 10
|
||||||
+ Залить проект на Git
|
+ Залить проект на Git
|
||||||
+ Переименовать проект драйвера в Hidden
|
+ Переименовать проект драйвера в Hidden
|
||||||
+ Привести в порядок все версии билда Release, Debug, ...
|
+ Привести в порядок все версии билда Release, Debug, ...
|
||||||
|
@ -10,18 +10,18 @@ CONST PWCHAR g_excludeFiles[] = {
|
|||||||
// L"c:\\Windows\\System32\\calc.exe",
|
// L"c:\\Windows\\System32\\calc.exe",
|
||||||
// L"c:\\test.txt",
|
// L"c:\\test.txt",
|
||||||
// L"c:\\abcd\\test.txt",
|
// L"c:\\abcd\\test.txt",
|
||||||
L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc.exe",
|
//L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc.exe",
|
||||||
L"\\??\\C:\\test.txt",
|
L"\\??\\C:\\test.txt",
|
||||||
L"\\??\\C:\\abcd\\test.txt",
|
//L"c:\\Program Files\\VMware",
|
||||||
};
|
};
|
||||||
|
|
||||||
CONST PWCHAR g_excludeDirs[] = {
|
CONST PWCHAR g_excludeDirs[] = {
|
||||||
// L"\\Device\\HarddiskVolume1\\abc",
|
// L"\\Device\\HarddiskVolume1\\abc",
|
||||||
// L"\\Device\\HarddiskVolume1\\abcd\\abc",
|
// L"\\Device\\HarddiskVolume1\\abcd\\abc",
|
||||||
// L"\\Device\\HarddiskVolume1\\New folder",
|
// L"\\Device\\HarddiskVolume1\\New folder",
|
||||||
L"\\Device\\HarddiskVolume1\\abc",
|
//L"\\Device\\HarddiskVolume1\\abc",
|
||||||
L"\\??\\C:\\abcd\\abc",
|
//L"\\??\\C:\\abcd\\abc",
|
||||||
L"\\??\\C:\\New folder",
|
L"c:\\Program Files\\VMware",
|
||||||
};
|
};
|
||||||
|
|
||||||
CONST PWCHAR g_excludeRegKeys[] = {
|
CONST PWCHAR g_excludeRegKeys[] = {
|
||||||
@ -44,8 +44,20 @@ CONST PWCHAR g_protectProcesses[] = {
|
|||||||
};
|
};
|
||||||
|
|
||||||
CONST PWCHAR g_excludeProcesses[] = {
|
CONST PWCHAR g_excludeProcesses[] = {
|
||||||
L"c:\\Windows\\System32\\cmd.exe",
|
L"C:\\Windows\\System32\\Services.exe",
|
||||||
L"c:\\Windows\\System32\\cmd2.exe",
|
L"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
|
||||||
|
L"C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe",
|
||||||
|
L"C:\\Program Files\\VMware\\VMware Tools\\rpctool.exe",
|
||||||
|
L"C:\\Program Files\\VMware\\VMware Tools\\rvmSetup.exe",
|
||||||
|
L"C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnect.exe",
|
||||||
|
L"C:\\Program Files\\VMware\\VMware Tools\\TPVCGateway.exe",
|
||||||
|
L"C:\\Program Files\\VMware\\VMware Tools\\VMwareHgfsClient.exe",
|
||||||
|
L"C:\\Program Files\\VMware\\VMware Tools\\VMwareHostOpen.exe",
|
||||||
|
L"C:\\Program Files\\VMware\\VMware Tools\\VMwareResolutionSet.exe",
|
||||||
|
L"C:\\Program Files\\VMware\\VMware Tools\\VMwareToolboxCmd.exe",
|
||||||
|
L"C:\\Program Files\\VMware\\VMware Tools\\VMwareXferlogs.exe",
|
||||||
|
L"C:\\Program Files\\VMware\\VMware Tools\\zip.exe",
|
||||||
|
L"c:\\Windows\\System32\\vssvc.exe",
|
||||||
};
|
};
|
||||||
|
|
||||||
int wmain(int argc, wchar_t *argv[])
|
int wmain(int argc, wchar_t *argv[])
|
||||||
@ -108,7 +120,7 @@ int wmain(int argc, wchar_t *argv[])
|
|||||||
for (int i = 0; i < count; i++)
|
for (int i = 0; i < count; i++)
|
||||||
{
|
{
|
||||||
HidObjId objId;
|
HidObjId objId;
|
||||||
hid_status = Hid_AddExcludedImage(hid_context, g_excludeProcesses[i], WithoutInherit, &objId);
|
hid_status = Hid_AddExcludedImage(hid_context, g_excludeProcesses[i], WithoutInherit, TRUE, &objId);
|
||||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||||
cout << "Error, Hid_AddExcludedImage failed with code: " << HID_STATUS_CODE(hid_status) << endl;
|
cout << "Error, Hid_AddExcludedImage failed with code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||||
}
|
}
|
||||||
@ -118,11 +130,15 @@ int wmain(int argc, wchar_t *argv[])
|
|||||||
for (int i = 0; i < count; i++)
|
for (int i = 0; i < count; i++)
|
||||||
{
|
{
|
||||||
HidObjId objId;
|
HidObjId objId;
|
||||||
hid_status = Hid_AddProtectedImage(hid_context, g_protectProcesses[i], WithoutInherit, &objId);
|
hid_status = Hid_AddProtectedImage(hid_context, g_protectProcesses[i], WithoutInherit, TRUE, &objId);
|
||||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||||
cout << "Error, Hid_AddProtectedImage failed with code: " << HID_STATUS_CODE(hid_status) << endl;
|
cout << "Error, Hid_AddProtectedImage failed with code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//hid_status = Hid_AttachExcludedState(hid_context, 528, WithoutInherit);
|
||||||
|
//if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||||
|
// cout << "Error, Hid_AttachExcludedState failed with code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||||
|
|
||||||
Hid_Destroy(hid_context);
|
Hid_Destroy(hid_context);
|
||||||
cout << "Completed!" << endl;
|
cout << "Completed!" << endl;
|
||||||
|
|
||||||
|
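Review bot: The @ -10,18 hunk mixes path forms inside one table: `g_excludeDirs` now holds `L"c:\\Program Files\\VMware"` next to `\\??\\C:\\...` entries, and `g_excludeProcesses` in the @ -44,8 hunk mixes `C:\\Windows\\...` with `c:\\Windows\\...`; whether the library normalizes both forms and compares case-insensitively cannot be confirmed from this diff (only FreeNormalizedPath is visible), so pick one form or add a comment stating that the lib accepts both. The @ -118,11 hunk also leaves commented-out code with a hard-coded PID, `//hid_status = Hid_AttachExcludedState(hid_context, 528, WithoutInherit);`, which should be dropped. Excluding `Services.exe` gives the service control manager the unfiltered view, and a one-line comment on why that exclusion is needed would help the next reader. Finally, the `TRUE` passed in the @ -108,7 and @ -118,11 hunks is the Win32 `int` macro; `true` matches the `bool` parameter. wmain starts and ends outside these hunks.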
@ -338,7 +338,7 @@ HidStatus SendIoctl_UnhideAllObjectsPacket(PHidContextInternal context, unsigned
|
|||||||
return HID_SET_STATUS(TRUE, 0);
|
return HID_SET_STATUS(TRUE, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
HidStatus SendIoctl_AddPsObjectPacket(PHidContextInternal context, const wchar_t* path, unsigned short type, HidPsInheritTypes inheritType, HidObjId* objId)
|
HidStatus SendIoctl_AddPsObjectPacket(PHidContextInternal context, const wchar_t* path, unsigned short type, HidPsInheritTypes inheritType, bool applyForProcess, HidObjId* objId)
|
||||||
{
|
{
|
||||||
PHid_AddPsObjectPacket hide;
|
PHid_AddPsObjectPacket hide;
|
||||||
Hid_StatusPacket result;
|
Hid_StatusPacket result;
|
||||||
@ -357,6 +357,7 @@ HidStatus SendIoctl_AddPsObjectPacket(PHidContextInternal context, const wchar_t
|
|||||||
hide->dataSize = (unsigned short)total;
|
hide->dataSize = (unsigned short)total;
|
||||||
hide->objType = type;
|
hide->objType = type;
|
||||||
hide->inheritType = inheritType;
|
hide->inheritType = inheritType;
|
||||||
|
hide->applyForProcesses = applyForProcess;
|
||||||
|
|
||||||
memcpy((char*)hide + sizeof(Hid_AddPsObjectPacket), path, total);
|
memcpy((char*)hide + sizeof(Hid_AddPsObjectPacket), path, total);
|
||||||
|
|
||||||
@ -613,7 +614,7 @@ HidStatus _API Hid_RemoveAllHiddenDirs(HidContext context)
|
|||||||
|
|
||||||
// Process exclude interface
|
// Process exclude interface
|
||||||
|
|
||||||
HidStatus _API Hid_AddExcludedImage(HidContext context, const wchar_t* imagePath, HidPsInheritTypes inheritType, HidObjId* objId)
|
HidStatus _API Hid_AddExcludedImage(HidContext context, const wchar_t* imagePath, HidPsInheritTypes inheritType, bool applyForProcess, HidObjId* objId)
|
||||||
{
|
{
|
||||||
HidStatus status;
|
HidStatus status;
|
||||||
wchar_t* normalized;
|
wchar_t* normalized;
|
||||||
@ -622,7 +623,7 @@ HidStatus _API Hid_AddExcludedImage(HidContext context, const wchar_t* imagePath
|
|||||||
if (!HID_STATUS_SUCCESSFUL(status))
|
if (!HID_STATUS_SUCCESSFUL(status))
|
||||||
return status;
|
return status;
|
||||||
|
|
||||||
status = SendIoctl_AddPsObjectPacket((PHidContextInternal)context, normalized, PsExcludedObject, inheritType, objId);
|
status = SendIoctl_AddPsObjectPacket((PHidContextInternal)context, normalized, PsExcludedObject, inheritType, applyForProcess, objId);
|
||||||
FreeNormalizedPath(normalized);
|
FreeNormalizedPath(normalized);
|
||||||
|
|
||||||
return status;
|
return status;
|
||||||
@ -655,7 +656,7 @@ HidStatus _API Hid_RemoveExcludedState(HidContext context, HidProcId procId)
|
|||||||
|
|
||||||
// Process protect interface
|
// Process protect interface
|
||||||
|
|
||||||
HidStatus _API Hid_AddProtectedImage(HidContext context, const wchar_t* imagePath, HidPsInheritTypes inheritType, HidObjId* objId)
|
HidStatus _API Hid_AddProtectedImage(HidContext context, const wchar_t* imagePath, HidPsInheritTypes inheritType, bool applyForProcess, HidObjId* objId)
|
||||||
{
|
{
|
||||||
HidStatus status;
|
HidStatus status;
|
||||||
wchar_t* normalized;
|
wchar_t* normalized;
|
||||||
@ -664,7 +665,7 @@ HidStatus _API Hid_AddProtectedImage(HidContext context, const wchar_t* imagePat
|
|||||||
if (!HID_STATUS_SUCCESSFUL(status))
|
if (!HID_STATUS_SUCCESSFUL(status))
|
||||||
return status;
|
return status;
|
||||||
|
|
||||||
status = SendIoctl_AddPsObjectPacket((PHidContextInternal)context, normalized, PsProtectedObject, inheritType, objId);
|
status = SendIoctl_AddPsObjectPacket((PHidContextInternal)context, normalized, PsProtectedObject, inheritType, applyForProcess, objId);
|
||||||
FreeNormalizedPath(normalized);
|
FreeNormalizedPath(normalized);
|
||||||
|
|
||||||
return status;
|
return status;
|
||||||
|
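Review bot: Inserting `bool applyForProcess` before `HidObjId* objId` in Hid_AddExcludedImage and Hid_AddProtectedImage (hunks @ -613,7 and @ -655,7, mirrored in the header) changes the exported signatures in place, so a caller that is not recompiled passes its objId pointer where the bool is read and the bool slot where the pointer is read; if the library ships as a DLL that is an ABI break, so consider keeping the old entry points as wrappers that forward `false`, or appending the flag as a trailing parameter. The @ -357,6 hunk writes `hide->applyForProcesses = applyForProcess;` into the IOCTL packet with no protocol version change; the driver side reads the field, so an old driver paired with a new library silently ignores the flag, and a new driver with an old library reads whatever the old packet carried at that offset (hedged, since Hid_AddPsObjectPacket's layout is not in this diff). SendIoctl_AddPsObjectPacket's body continues outside the hunk.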
@ -65,14 +65,14 @@ HidStatus _API Hid_RemoveAllHiddenDirs(HidContext context);
|
|||||||
|
|
||||||
// Ps
|
// Ps
|
||||||
|
|
||||||
HidStatus _API Hid_AddExcludedImage(HidContext context, const wchar_t* imagePath, HidPsInheritTypes inheritType, HidObjId* objId);
|
HidStatus _API Hid_AddExcludedImage(HidContext context, const wchar_t* imagePath, HidPsInheritTypes inheritType, bool applyForProcess, HidObjId* objId);
|
||||||
HidStatus _API Hid_RemoveExcludedImage(HidContext context, HidObjId objId);
|
HidStatus _API Hid_RemoveExcludedImage(HidContext context, HidObjId objId);
|
||||||
HidStatus _API Hid_RemoveAllExcludedImages(HidContext context);
|
HidStatus _API Hid_RemoveAllExcludedImages(HidContext context);
|
||||||
HidStatus _API Hid_GetExcludedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType);
|
HidStatus _API Hid_GetExcludedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType);
|
||||||
HidStatus _API Hid_AttachExcludedState(HidContext context, HidProcId procId, HidPsInheritTypes inheritType);
|
HidStatus _API Hid_AttachExcludedState(HidContext context, HidProcId procId, HidPsInheritTypes inheritType);
|
||||||
HidStatus _API Hid_RemoveExcludedState(HidContext context, HidProcId procId);
|
HidStatus _API Hid_RemoveExcludedState(HidContext context, HidProcId procId);
|
||||||
|
|
||||||
HidStatus _API Hid_AddProtectedImage(HidContext context, const wchar_t* imagePath, HidPsInheritTypes inheritType, HidObjId* objId);
|
HidStatus _API Hid_AddProtectedImage(HidContext context, const wchar_t* imagePath, HidPsInheritTypes inheritType, bool applyForProcess, HidObjId* objId);
|
||||||
HidStatus _API Hid_RemoveProtectedImage(HidContext context, HidObjId objId);
|
HidStatus _API Hid_RemoveProtectedImage(HidContext context, HidObjId objId);
|
||||||
HidStatus _API Hid_RemoveAllProtectedImages(HidContext context);
|
HidStatus _API Hid_RemoveAllProtectedImages(HidContext context);
|
||||||
HidStatus _API Hid_GetProtectedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType);
|
HidStatus _API Hid_GetProtectedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType);
|
||||||
|
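Review bot: The new `applyForProcess` parameter on Hid_AddExcludedImage and Hid_AddProtectedImage is undocumented in the public header, and its effect is not obvious from the name. Based on the commit message and the todo entry, I would add above each declaration `// applyForProcess: when true, processes already running from imagePath receive the state immediately; otherwise only processes created afterwards are affected` and confirm the wording against the driver's implementation, which this diff does not show. Because the parameter is inserted before objId rather than appended, every existing caller must be updated, which is worth stating in the header's changelog or a comment.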
@ -524,7 +524,7 @@ void do_psmon_prot_tests(HidContext context)
|
|||||||
|
|
||||||
wcout << L"Test 2: create process, protect, check, unprotect" << endl;
|
wcout << L"Test 2: create process, protect, check, unprotect" << endl;
|
||||||
|
|
||||||
hid_status = Hid_AddProtectedImage(context, path, HidPsInheritTypes::WithoutInherit, &objId[1]);
|
hid_status = Hid_AddProtectedImage(context, path, HidPsInheritTypes::WithoutInherit, FALSE, &objId[1]);
|
||||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||||
{
|
{
|
||||||
wcout << L"Error, can't protect image, code: " << HID_STATUS_CODE(hid_status) << endl;
|
wcout << L"Error, can't protect image, code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||||
@ -786,7 +786,7 @@ void do_psmon_excl_tests(HidContext context)
|
|||||||
CloseHandle(pi.hProcess);
|
CloseHandle(pi.hProcess);
|
||||||
memset(&pi, 0, sizeof(pi));
|
memset(&pi, 0, sizeof(pi));
|
||||||
|
|
||||||
hid_status = Hid_AddExcludedImage(context, L"c:\\windows\\system32\\cmd.exe", HidPsInheritTypes::InheritOnce, &objId[1]);
|
hid_status = Hid_AddExcludedImage(context, L"c:\\windows\\system32\\cmd.exe", HidPsInheritTypes::InheritOnce, FALSE, &objId[1]);
|
||||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||||
{
|
{
|
||||||
wcout << L"Error, can't add excluded image, code: " << HID_STATUS_CODE(hid_status) << endl;
|
wcout << L"Error, can't add excluded image, code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||||
|
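Review bot: Both hunks pass `FALSE` for the new `applyForProcess` argument, so the feature this commit adds (applying the state to already-running processes) is not exercised by either test; Test 2 in do_psmon_prot_tests already creates a process before protecting it, which is the natural place for a `true` variant that checks the running process picks up the state. `FALSE` is also the Win32 `int` macro, while the parameter is `bool`; `hid_status = Hid_AddProtectedImage(context, path, HidPsInheritTypes::WithoutInherit, false, &objId[1]);` matches the signature. Both enclosing test functions start and end outside their hunks.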