Added new types of operations to Reg filter (set,query,delete value)

2024-06-20 05:58:04 +00:00 · 2016-09-18 17:22:49 +03:00 · 2016-09-18 17:22:49 +03:00 · 59b989dcc5
commit 59b989dcc5
parent 935ffa787f
2 changed files with 144 additions and 0 deletions
--- a/Hidden/RegFilter.c
+++ b/Hidden/RegFilter.c
@ -381,6 +381,133 @@ NTSTATUS RegPostEnumValue(PVOID context, PREG_POST_OPERATION_INFORMATION info)
 	return STATUS_SUCCESS;
 }

+NTSTATUS RegPreSetValue(PVOID context, PREG_SET_VALUE_KEY_INFORMATION info)
+{
+	NTSTATUS status;
+	PCUNICODE_STRING regPath;
+	UINT32 incIndex;
+
+	UNREFERENCED_PARAMETER(context);
+
+	if (IsProcessExcluded(PsGetCurrentProcessId()))
+	{
+		DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
+		return STATUS_SUCCESS;
+	}
+
+	status = CmCallbackGetKeyObjectID(&g_regCookie, info->Object, NULL, &regPath);
+	if (!NT_SUCCESS(status))
+	{
+		DbgPrint("FsFilter1!" __FUNCTION__ ": Registry name query failed with code:%08x\n", status);
+		return STATUS_SUCCESS;
+	}
+
+	incIndex = 0;
+	if (CheckExcludeListRegKeyValueName(g_excludeRegValueContext, (PUNICODE_STRING)regPath, info->ValueName, &incIndex))
+	{
+		DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! found %wZ\\%wZ (inc: %d)\n", regPath, info->ValueName, incIndex);
+		return STATUS_NOT_FOUND;
+	}
+
+	return STATUS_SUCCESS;
+}
+
+NTSTATUS RegPreDeleteValue(PVOID context, PREG_DELETE_VALUE_KEY_INFORMATION info)
+{
+	NTSTATUS status;
+	PCUNICODE_STRING regPath;
+	UINT32 incIndex;
+
+	UNREFERENCED_PARAMETER(context);
+
+	if (IsProcessExcluded(PsGetCurrentProcessId()))
+	{
+		DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
+		return STATUS_SUCCESS;
+	}
+
+	status = CmCallbackGetKeyObjectID(&g_regCookie, info->Object, NULL, &regPath);
+	if (!NT_SUCCESS(status))
+	{
+		DbgPrint("FsFilter1!" __FUNCTION__ ": Registry name query failed with code:%08x\n", status);
+		return STATUS_SUCCESS;
+	}
+
+	incIndex = 0;
+	if (CheckExcludeListRegKeyValueName(g_excludeRegValueContext, (PUNICODE_STRING)regPath, info->ValueName, &incIndex))
+	{
+		DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! found %wZ\\%wZ (inc: %d)\n", regPath, info->ValueName, incIndex);
+		return STATUS_NOT_FOUND;
+	}
+
+	return STATUS_SUCCESS;
+}
+
+NTSTATUS RegPreQueryValue(PVOID context, PREG_QUERY_VALUE_KEY_INFORMATION info)
+{
+	NTSTATUS status;
+	PCUNICODE_STRING regPath;
+	UINT32 incIndex;
+
+	UNREFERENCED_PARAMETER(context);
+
+	if (IsProcessExcluded(PsGetCurrentProcessId()))
+	{
+		DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
+		return STATUS_SUCCESS;
+	}
+
+	status = CmCallbackGetKeyObjectID(&g_regCookie, info->Object, NULL, &regPath);
+	if (!NT_SUCCESS(status))
+	{
+		DbgPrint("FsFilter1!" __FUNCTION__ ": Registry name query failed with code:%08x\n", status);
+		return STATUS_SUCCESS;
+	}
+
+	incIndex = 0;
+	if (CheckExcludeListRegKeyValueName(g_excludeRegValueContext, (PUNICODE_STRING)regPath, info->ValueName, &incIndex))
+	{
+		DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! found %wZ\\%wZ (inc: %d)\n", regPath, info->ValueName, incIndex);
+		return STATUS_NOT_FOUND;
+	}
+
+	return STATUS_SUCCESS;
+}
+
+NTSTATUS RegPreQueryMultipleValue(PVOID context, PREG_QUERY_MULTIPLE_VALUE_KEY_INFORMATION info)
+{
+	NTSTATUS status;
+	PCUNICODE_STRING regPath;
+	UINT32 incIndex, i;
+
+	UNREFERENCED_PARAMETER(context);
+
+	if (IsProcessExcluded(PsGetCurrentProcessId()))
+	{
+		DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
+		return STATUS_SUCCESS;
+	}
+
+	status = CmCallbackGetKeyObjectID(&g_regCookie, info->Object, NULL, &regPath);
+	if (!NT_SUCCESS(status))
+	{
+		DbgPrint("FsFilter1!" __FUNCTION__ ": Registry name query failed with code:%08x\n", status);
+		return STATUS_SUCCESS;
+	}
+
+	for (i = 0; i < info->EntryCount; i++)
+	{
+		incIndex = 0;
+		if (CheckExcludeListRegKeyValueName(g_excludeRegValueContext, (PUNICODE_STRING)regPath, info->ValueEntries[i].ValueName, &incIndex))
+		{
+			DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! found %wZ\\%wZ (inc: %d)\n", regPath, info->ValueEntries[i].ValueName, incIndex);
+			return STATUS_NOT_FOUND;
+		}
+	}
+
+	return STATUS_SUCCESS;
+}
+
 NTSTATUS RegistryFilterCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
 {
 	REG_NOTIFY_CLASS notifyClass = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;
@ -406,6 +533,18 @@ NTSTATUS RegistryFilterCallback(PVOID CallbackContext, PVOID Argument1, PVOID Ar
 	case RegNtPostEnumerateValueKey:
 		status = RegPostEnumValue(CallbackContext, (PREG_POST_OPERATION_INFORMATION)Argument2);
 		break;
+	case RegNtSetValueKey:
+		status = RegPreSetValue(CallbackContext, (PREG_SET_VALUE_KEY_INFORMATION)Argument2);
+		break;
+	case RegNtPreDeleteValueKey:
+		status = RegPreDeleteValue(CallbackContext, (PREG_DELETE_VALUE_KEY_INFORMATION)Argument2);
+		break;
+	case RegNtPreQueryValueKey:
+		status = RegPreQueryValue(CallbackContext, (PREG_QUERY_VALUE_KEY_INFORMATION)Argument2);
+		break;
+	case RegNtPreQueryMultipleValueKey:
+		status = RegPreQueryMultipleValue(CallbackContext, (PREG_QUERY_MULTIPLE_VALUE_KEY_INFORMATION)Argument2);
+		break;
 	default:
 		status = STATUS_SUCCESS;
 		break;
--- a/Hidden/todo.txt
+++ b/Hidden/todo.txt
@ -21,6 +21,11 @@
 		+ FS monitor
 		- Reg filter
 		- Ps filter
+- Добавить в Reg filter поддержку всех возможных операций над value
+	- set value
+	- delete value
+	- query value
+	- query multiple value
 - Почистить Exclude List
 	+ Добавить в Exclude List поддержку case insensetive crc32 (если возможно, например русские буквы) (*Нет необхлжимости)
 	- Добавить в Exclude List для файлов такую же лексическую сортировку как и в реестру, возможно обьеденить ф-и