Fixed a bug with a process initialization flag in PsMonitor
This commit is contained in:
parent
108db10892
commit
5a678ce3c4
@ -193,7 +193,7 @@ BOOLEAN InitializeDisasm()
|
|||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
//TODO: mb we need to remove it
|
//TODO: mb we need remove it
|
||||||
if (!ZYAN_SUCCESS(ZydisFormatterInit(&s_disasmFormatter, ZYDIS_FORMATTER_STYLE_INTEL)))
|
if (!ZYAN_SUCCESS(ZydisFormatterInit(&s_disasmFormatter, ZYDIS_FORMATTER_STYLE_INTEL)))
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
|
@ -76,9 +76,26 @@ BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
|
|||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Not-inited process can open any process (parent, csrss, etc)
|
||||||
if (!destInfo->inited)
|
if (!destInfo->inited)
|
||||||
result = FALSE; // If the process isn't inited yet it can be opened by any process
|
{
|
||||||
else if (!destInfo->protected)
|
BOOLEAN initialized = FALSE;
|
||||||
|
// Update if source is subsystem and destination isn't inited
|
||||||
|
if (srcInfo->subsystem)
|
||||||
|
{
|
||||||
|
destInfo->inited = TRUE;
|
||||||
|
initialized = TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
ExReleaseFastMutex(&g_processTableLock);
|
||||||
|
|
||||||
|
if (initialized)
|
||||||
|
LogTrace("Process has been initialized:%Iu", destInfo->processId);
|
||||||
|
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!destInfo->protected)
|
||||||
result = FALSE;
|
result = FALSE;
|
||||||
else if (srcInfo->protected)
|
else if (srcInfo->protected)
|
||||||
result = FALSE;
|
result = FALSE;
|
||||||
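Review bot: `destInfo->processId` is read for the LogTrace call after `ExReleaseFastMutex(&g_processTableLock)` has already been released, while every other access to `destInfo` in the hunk happens before the release; if table entries can be removed by another path holding that mutex (RemoveProcessFromProcessTable in the CreateProcessNotifyCallback hunk runs under the same lock), this is a read of a possibly freed entry. Capture the id while still under the lock, e.g. `HANDLE pid = destInfo->processId;` next to `initialized = TRUE;` inside the `if (srcInfo->subsystem)` block, and log `pid` after the release. CheckProtectedOperation starts outside the hunk, so the matching acquire and the `destInfo`/`srcInfo` lookups are not visible here.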
@ -519,6 +536,7 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
|
|||||||
// Check hidden flag
|
// Check hidden flag
|
||||||
|
|
||||||
Entry->hidden = FALSE;
|
Entry->hidden = FALSE;
|
||||||
|
Entry->postponeHiding = FALSE;
|
||||||
Entry->inheritStealth = PsRuleTypeWithoutInherit;
|
Entry->inheritStealth = PsRuleTypeWithoutInherit;
|
||||||
|
|
||||||
if (FindInheritanceInPsRuleList(g_hideProcessRules, ImgPath, &inheritType))
|
if (FindInheritanceInPsRuleList(g_hideProcessRules, ImgPath, &inheritType))
|
||||||
@ -554,17 +572,17 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
|
|||||||
// hiding code. But if a process isn't initialized (for instance on a ps create notification) we
|
// hiding code. But if a process isn't initialized (for instance on a ps create notification) we
|
||||||
// need to postpone removing from PspCidTable because in a current step it would break a process
|
// need to postpone removing from PspCidTable because in a current step it would break a process
|
||||||
// initialization
|
// initialization
|
||||||
if (Entry->inited)
|
Entry->postponeHiding = (!Entry->inited ? TRUE : FALSE);
|
||||||
HideProcess(Entry);
|
|
||||||
else
|
if (Entry->postponeHiding)
|
||||||
UnlinkProcessFromActiveProcessLinks(Entry);
|
UnlinkProcessFromActiveProcessLinks(Entry);
|
||||||
|
else
|
||||||
|
HideProcess(Entry);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
VOID LoadProcessImageNotifyCallback(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
|
VOID LoadProcessImageNotifyCallback(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
|
||||||
{
|
{
|
||||||
PProcessTableEntry lookup;
|
|
||||||
|
|
||||||
LogInfo(
|
LogInfo(
|
||||||
"Load image pid:%Iu, img:%wZ, addr:%p",
|
"Load image pid:%Iu, img:%wZ, addr:%p",
|
||||||
ProcessId,
|
ProcessId,
|
||||||
@ -574,14 +592,11 @@ VOID LoadProcessImageNotifyCallback(PUNICODE_STRING FullImageName, HANDLE Proces
|
|||||||
|
|
||||||
ExAcquireFastMutex(&g_processTableLock);
|
ExAcquireFastMutex(&g_processTableLock);
|
||||||
|
|
||||||
lookup = GetProcessInProcessTable(ProcessId);
|
PProcessTableEntry lookup = GetProcessInProcessTable(ProcessId);
|
||||||
if (lookup && !lookup->inited)
|
if (lookup && lookup->postponeHiding && lookup->hidden)
|
||||||
{
|
{
|
||||||
lookup->inited = TRUE;
|
UnlinkProcessFromCidTable(lookup);
|
||||||
LogTrace("Process has been initialized:%Iu", ProcessId);
|
lookup->postponeHiding = FALSE;
|
||||||
|
|
||||||
if (lookup->hidden)
|
|
||||||
UnlinkProcessFromCidTable(lookup);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ExReleaseFastMutex(&g_processTableLock);
|
ExReleaseFastMutex(&g_processTableLock);
|
||||||
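Review bot: Removing `lookup->inited = TRUE;` here leaves, as far as this commit shows, a single place that sets `inited`: the CheckProtectedOperation hunk, which marks the destination only when a process with `subsystem` set opens it. A process that is never opened by such a process would keep `inited == FALSE`, and on that path is reported as not protected, so the change shifts what "initialized" means from "first image load" to "first open by a subsystem process". If that is intended, a comment on the `inited` field or at the new assignment should state which event now marks a process as initialized, since the previous marker was removed without a note. LoadProcessImageNotifyCallback continues past the end of this hunk.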
@ -662,7 +677,7 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
|
|||||||
{
|
{
|
||||||
ExAcquireFastMutex(&g_processTableLock);
|
ExAcquireFastMutex(&g_processTableLock);
|
||||||
PProcessTableEntry entry = GetProcessInProcessTable(ProcessId);
|
PProcessTableEntry entry = GetProcessInProcessTable(ProcessId);
|
||||||
if (entry && entry->hidden)
|
if (entry && entry->hidden)//TODO: move logic to Remove callback
|
||||||
RestoreProcessInCidTable(entry);
|
RestoreProcessInCidTable(entry);
|
||||||
result = RemoveProcessFromProcessTable(ProcessId);
|
result = RemoveProcessFromProcessTable(ProcessId);
|
||||||
ExReleaseFastMutex(&g_processTableLock);
|
ExReleaseFastMutex(&g_processTableLock);
|
||||||
@ -975,6 +990,7 @@ VOID CleanupHiddenProcessCallback(PProcessTableEntry entry)
|
|||||||
RestoreHiddenProcess(entry);
|
RestoreHiddenProcess(entry);
|
||||||
|
|
||||||
entry->hidden = FALSE;
|
entry->hidden = FALSE;
|
||||||
|
entry->postponeHiding = FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
NTSTATUS DestroyPsMonitor()
|
NTSTATUS DestroyPsMonitor()
|
||||||
@ -1084,6 +1100,7 @@ NTSTATUS SetStateForProcessesByImage(PCUNICODE_STRING ImagePath, BOOLEAN Exclude
|
|||||||
HideProcess(entry);
|
HideProcess(entry);
|
||||||
|
|
||||||
entry->hidden = TRUE;
|
entry->hidden = TRUE;
|
||||||
|
entry->postponeHiding = FALSE;
|
||||||
entry->inheritStealth = PsRuleTypeWithoutInherit;
|
entry->inheritStealth = PsRuleTypeWithoutInherit;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -13,6 +13,7 @@ typedef struct _ProcessTableEntry {
|
|||||||
ULONG inheritProtection;
|
ULONG inheritProtection;
|
||||||
|
|
||||||
BOOLEAN hidden;
|
BOOLEAN hidden;
|
||||||
|
BOOLEAN postponeHiding;
|
||||||
ULONG inheritStealth;
|
ULONG inheritStealth;
|
||||||
PEPROCESS reference;
|
PEPROCESS reference;
|
||||||
HANDLE_TABLE_ENTRY cidEntryBackup;
|
HANDLE_TABLE_ENTRY cidEntryBackup;
|
||||||
|