diff --git a/Hidden/RegFilter.c b/Hidden/RegFilter.c
index 3be1be0..41e483e 100644
--- a/Hidden/RegFilter.c
+++ b/Hidden/RegFilter.c
@@ -381,6 +381,133 @@ NTSTATUS RegPostEnumValue(PVOID context, PREG_POST_OPERATION_INFORMATION info)
 return STATUS_SUCCESS;
 }
 
+NTSTATUS RegPreSetValue(PVOID context, PREG_SET_VALUE_KEY_INFORMATION info)
+{
+ NTSTATUS status;
+ PCUNICODE_STRING regPath;
+ UINT32 incIndex;
+
+ UNREFERENCED_PARAMETER(context);
+
+ if (IsProcessExcluded(PsGetCurrentProcessId()))
+ {
+ DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
+ return STATUS_SUCCESS;
+ }
+
+ status = CmCallbackGetKeyObjectID(&g_regCookie, info->Object, NULL, ®Path);
+ if (!NT_SUCCESS(status))
+ {
+ DbgPrint("FsFilter1!" __FUNCTION__ ": Registry name query failed with code:%08x\n", status);
+ return STATUS_SUCCESS;
+ }
+
+ incIndex = 0;
+ if (CheckExcludeListRegKeyValueName(g_excludeRegValueContext, (PUNICODE_STRING)regPath, info->ValueName, &incIndex))
+ {
+ DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! found %wZ\\%wZ (inc: %d)\n", regPath, info->ValueName, incIndex);
+ return STATUS_NOT_FOUND;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+NTSTATUS RegPreDeleteValue(PVOID context, PREG_DELETE_VALUE_KEY_INFORMATION info)
+{
+ NTSTATUS status;
+ PCUNICODE_STRING regPath;
+ UINT32 incIndex;
+
+ UNREFERENCED_PARAMETER(context);
+
+ if (IsProcessExcluded(PsGetCurrentProcessId()))
+ {
+ DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
+ return STATUS_SUCCESS;
+ }
+
+ status = CmCallbackGetKeyObjectID(&g_regCookie, info->Object, NULL, ®Path);
+ if (!NT_SUCCESS(status))
+ {
+ DbgPrint("FsFilter1!" __FUNCTION__ ": Registry name query failed with code:%08x\n", status);
+ return STATUS_SUCCESS;
+ }
+
+ incIndex = 0;
+ if (CheckExcludeListRegKeyValueName(g_excludeRegValueContext, (PUNICODE_STRING)regPath, info->ValueName, &incIndex))
+ {
+ DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! found %wZ\\%wZ (inc: %d)\n", regPath, info->ValueName, incIndex);
+ return STATUS_NOT_FOUND;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+NTSTATUS RegPreQueryValue(PVOID context, PREG_QUERY_VALUE_KEY_INFORMATION info)
+{
+ NTSTATUS status;
+ PCUNICODE_STRING regPath;
+ UINT32 incIndex;
+
+ UNREFERENCED_PARAMETER(context);
+
+ if (IsProcessExcluded(PsGetCurrentProcessId()))
+ {
+ DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
+ return STATUS_SUCCESS;
+ }
+
+ status = CmCallbackGetKeyObjectID(&g_regCookie, info->Object, NULL, ®Path);
+ if (!NT_SUCCESS(status))
+ {
+ DbgPrint("FsFilter1!" __FUNCTION__ ": Registry name query failed with code:%08x\n", status);
+ return STATUS_SUCCESS;
+ }
+
+ incIndex = 0;
+ if (CheckExcludeListRegKeyValueName(g_excludeRegValueContext, (PUNICODE_STRING)regPath, info->ValueName, &incIndex))
+ {
+ DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! found %wZ\\%wZ (inc: %d)\n", regPath, info->ValueName, incIndex);
+ return STATUS_NOT_FOUND;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+NTSTATUS RegPreQueryMultipleValue(PVOID context, PREG_QUERY_MULTIPLE_VALUE_KEY_INFORMATION info)
+{
+ NTSTATUS status;
+ PCUNICODE_STRING regPath;
+ UINT32 incIndex, i;
+
+ UNREFERENCED_PARAMETER(context);
+
+ if (IsProcessExcluded(PsGetCurrentProcessId()))
+ {
+ DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
+ return STATUS_SUCCESS;
+ }
+
+ status = CmCallbackGetKeyObjectID(&g_regCookie, info->Object, NULL, ®Path);
+ if (!NT_SUCCESS(status))
+ {
+ DbgPrint("FsFilter1!" __FUNCTION__ ": Registry name query failed with code:%08x\n", status);
+ return STATUS_SUCCESS;
+ }
+
+ for (i = 0; i < info->EntryCount; i++)
+ {
+ incIndex = 0;
+ if (CheckExcludeListRegKeyValueName(g_excludeRegValueContext, (PUNICODE_STRING)regPath, info->ValueEntries[i].ValueName, &incIndex))
+ {
+ DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! found %wZ\\%wZ (inc: %d)\n", regPath, info->ValueEntries[i].ValueName, incIndex);
+ return STATUS_NOT_FOUND;
+ }
+ }
+
+ return STATUS_SUCCESS;
+}
+
 NTSTATUS RegistryFilterCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
 {
 REG_NOTIFY_CLASS notifyClass = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;
@@ -406,6 +533,18 @@ NTSTATUS RegistryFilterCallback(PVOID CallbackContext, PVOID Argument1, PVOID Ar
 case RegNtPostEnumerateValueKey:
 status = RegPostEnumValue(CallbackContext, (PREG_POST_OPERATION_INFORMATION)Argument2);
 break;
+ case RegNtSetValueKey:
+ status = RegPreSetValue(CallbackContext, (PREG_SET_VALUE_KEY_INFORMATION)Argument2);
+ break;
+ case RegNtPreDeleteValueKey:
+ status = RegPreDeleteValue(CallbackContext, (PREG_DELETE_VALUE_KEY_INFORMATION)Argument2);
+ break;
+ case RegNtPreQueryValueKey:
+ status = RegPreQueryValue(CallbackContext, (PREG_QUERY_VALUE_KEY_INFORMATION)Argument2);
+ break;
+ case RegNtPreQueryMultipleValueKey:
+ status = RegPreQueryMultipleValue(CallbackContext, (PREG_QUERY_MULTIPLE_VALUE_KEY_INFORMATION)Argument2);
+ break;
 default:
 status = STATUS_SUCCESS;
 break;
diff --git a/Hidden/todo.txt b/Hidden/todo.txt
index 08ee35b..b420991 100644
--- a/Hidden/todo.txt
+++ b/Hidden/todo.txt
@@ -21,6 +21,11 @@
 + FS monitor
 - Reg filter
 - Ps filter
+- Добавить в Reg filter поддержку всех возможных операций над value
+ - set value
+ - delete value
+ - query value
+ - query multiple value
 - Почистить Exclude List
 + Добавить в Exclude List поддержку case insensetive crc32 (если возможно, например русские буквы) (*Нет необхлжимости)
 - Добавить в Exclude List для файлов такую же лексическую сортировку как и в реестру, возможно обьеденить ф-и
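Review bot: RegPreSetValue, RegPreDeleteValue, RegPreQueryValue and RegPreQueryMultipleValue repeat the same body — excluded-process check, CmCallbackGetKeyObjectID, CheckExcludeListRegKeyValueName, STATUS_NOT_FOUND — differing only in the `info` type and, for the multiple-value case, the loop over `info->ValueEntries[i].ValueName`; a `static` helper taking the key object and one value name would reduce each callback to a two-line wrapper and leave a single place to correct the shared logic. While factoring, the `process excluded %d` trace passes the HANDLE returned by PsGetCurrentProcessId() to a `%d` conversion, which is a type/format mismatch on 64-bit builds; `%p` (or `HandleToULong()` with `%u`) avoids it, and the pre-existing callbacks above this hunk appear to use the same pattern, so the fix applies there too. The `PCUNICODE_STRING` returned by CmCallbackGetKeyObjectID is cast to `PUNICODE_STRING` for CheckExcludeListRegKeyValueName; if that helper only reads the string, `const`-qualifying its parameter removes the cast. Whether `info->ValueName` can be NULL for these notify classes is not visible here; if it can, the `%wZ` trace and the exclude-list lookup need a guard before use.
```c
/* Shared body of the RegNtPre*ValueKey handlers: returns STATUS_NOT_FOUND
 * when keyObject's path plus valueName matches the value exclude list,
 * STATUS_SUCCESS otherwise (also on any lookup failure, so the operation
 * proceeds unchanged). */
static NTSTATUS RegPreCheckValueName(PVOID keyObject, PUNICODE_STRING valueName)
{
    NTSTATUS status;
    PCUNICODE_STRING regPath;
    UINT32 incIndex = 0;

    if (IsProcessExcluded(PsGetCurrentProcessId()))
    {
        /* HANDLE is pointer-sized; %p matches it on both 32- and 64-bit builds. */
        DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %p\n", PsGetCurrentProcessId());
        return STATUS_SUCCESS;
    }

    status = CmCallbackGetKeyObjectID(&g_regCookie, keyObject, NULL, &regPath);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("FsFilter1!" __FUNCTION__ ": Registry name query failed with code:%08x\n", status);
        return STATUS_SUCCESS;
    }

    if (CheckExcludeListRegKeyValueName(g_excludeRegValueContext, (PUNICODE_STRING)regPath, valueName, &incIndex))
    {
        DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! found %wZ\\%wZ (inc: %d)\n", regPath, valueName, incIndex);
        return STATUS_NOT_FOUND;
    }

    return STATUS_SUCCESS;
}

NTSTATUS RegPreSetValue(PVOID context, PREG_SET_VALUE_KEY_INFORMATION info)
{
    UNREFERENCED_PARAMETER(context);
    return RegPreCheckValueName(info->Object, info->ValueName);
}
/* … unchanged in shape: RegPreDeleteValue and RegPreQueryValue become the same two-line
 * wrapper; RegPreQueryMultipleValue keeps its loop and calls the helper per ValueEntries[i] … */
```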
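Review bot: The new `case RegNtSetValueKey:` is the only one of the four added cases written with the un-prefixed enumerator, while its neighbours use `RegNtPreDeleteValueKey`, `RegNtPreQueryValueKey` and `RegNtPreQueryMultipleValueKey`. wdm.h defines `RegNtPreSetValueKey = RegNtSetValueKey`, so `case RegNtPreSetValueKey:` dispatches identically and makes the pre-operation intent uniform across the switch. The enclosing switch in RegistryFilterCallback begins and ends outside this hunk.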