Fix for BSOD and vmware.conf

JKornev 2016-12-28 00:31:00 +03:00
parent 8a9ba43e23
commit 67355c72c4
3 changed files with 49 additions and 48 deletions


@ -17,7 +17,7 @@ typedef struct _EXCLUDE_FILE_LIST_ENTRY {
typedef struct _EXCLUDE_FILE_CONTEXT {
LIST_ENTRY listHead;
KSPIN_LOCK listLock;
FAST_MUTEX listLock;
ULONGLONG guidCounter;
UINT32 type;
} EXCLUDE_FILE_CONTEXT, *PEXCLUDE_FILE_CONTEXT;
@ -54,7 +54,7 @@ NTSTATUS InitializeExcludeListContext(PExcludeContext Context, UINT32 Type)
}
InitializeListHead(&cntx->listHead);
KeInitializeSpinLock(&cntx->listLock);
ExInitializeFastMutex(&cntx->listLock);
cntx->guidCounter = 1;
cntx->type = Type;
@ -94,7 +94,7 @@ NTSTATUS AddExcludeListEntry(ExcludeContext Context, PUNICODE_STRING FilePath, U
{
enum { MAX_PATH_SIZE = 1024 };
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
KLOCK_QUEUE_HANDLE lockHandle;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry, head;
UNICODE_STRING temp;
SIZE_T size;
@ -158,10 +158,10 @@ NTSTATUS AddExcludeListEntry(ExcludeContext Context, PUNICODE_STRING FilePath, U
head = (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead;
}
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
ExAcquireFastMutex(&cntx->listLock);
entry->guid = cntx->guidCounter++;
InsertTailList((PLIST_ENTRY)head, (PLIST_ENTRY)entry);
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&cntx->listLock);
*EntryId = entry->guid;
@ -172,10 +172,10 @@ NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId)
{
NTSTATUS status = STATUS_NOT_FOUND;
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
KLOCK_QUEUE_HANDLE lockHandle;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
ExAcquireFastMutex(&cntx->listLock);
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
@ -191,7 +191,7 @@ NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId)
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&cntx->listLock);
return status;
}
@ -199,10 +199,10 @@ NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId)
NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
KLOCK_QUEUE_HANDLE lockHandle;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
ExAcquireFastMutex(&cntx->listLock);
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
@ -213,7 +213,7 @@ NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context)
ExFreePoolWithTag(remove, EXCLUDE_ALLOC_TAG);
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&cntx->listLock);
return STATUS_SUCCESS;
}
@ -221,11 +221,11 @@ NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context)
BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
KLOCK_QUEUE_HANDLE lockHandle;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
BOOLEAN result = FALSE;
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
ExAcquireFastMutex(&cntx->listLock);
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
@ -239,7 +239,7 @@ BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path)
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&cntx->listLock);
return result;
}
@ -247,7 +247,7 @@ BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path)
BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
KLOCK_QUEUE_HANDLE lockHandle;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
UNICODE_STRING Directory, dir;
BOOLEAN result = FALSE;
@ -256,7 +256,7 @@ BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
if (Directory.Length > 0 && Directory.Buffer[Directory.Length / sizeof(WCHAR) - 1] == L'\\')
Directory.Length -= sizeof(WCHAR);
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
ExAcquireFastMutex(&cntx->listLock);
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
@ -285,7 +285,7 @@ BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&cntx->listLock);
return result;
}
@ -293,7 +293,7 @@ BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
BOOLEAN CheckExcludeListDirFile(ExcludeContext Context, PCUNICODE_STRING Dir, PCUNICODE_STRING File)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
KLOCK_QUEUE_HANDLE lockHandle;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
UNICODE_STRING Directory;
BOOLEAN result = FALSE;
@ -303,7 +303,7 @@ BOOLEAN CheckExcludeListDirFile(ExcludeContext Context, PCUNICODE_STRING Dir, PC
if (Directory.Length > 0 && Directory.Buffer[Directory.Length / sizeof(WCHAR) - 1] == L'\\')
Directory.Length -= sizeof(WCHAR);
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
ExAcquireFastMutex(&cntx->listLock);
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
@ -318,7 +318,7 @@ BOOLEAN CheckExcludeListDirFile(ExcludeContext Context, PCUNICODE_STRING Dir, PC
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&cntx->listLock);
return result;
}
@ -331,7 +331,7 @@ BOOLEAN CheckExcludeListRegKey(ExcludeContext Context, PUNICODE_STRING Key)
BOOLEAN CheckExcludeListRegKeyValueName(ExcludeContext Context, PUNICODE_STRING Key, PUNICODE_STRING Name, PUINT32 Increament)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
KLOCK_QUEUE_HANDLE lockHandle;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
UNICODE_STRING Directory;
BOOLEAN result = FALSE;
@ -342,7 +342,7 @@ BOOLEAN CheckExcludeListRegKeyValueName(ExcludeContext Context, PUNICODE_STRING
if (Directory.Length > 0 && Directory.Buffer[Directory.Length / sizeof(WCHAR)-1] == L'\\')
Directory.Length -= sizeof(WCHAR);
KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
ExAcquireFastMutex(&cntx->listLock);
entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
@ -371,7 +371,7 @@ BOOLEAN CheckExcludeListRegKeyValueName(ExcludeContext Context, PUNICODE_STRING
entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&cntx->listLock);
return result;
}
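Review bot: The `ExAcquireFastMutex(&cntx->listLock)` calls that replace the queued spin lock carry a stricter IRQL contract: a fast mutex may only be acquired at IRQL <= APC_LEVEL, and nothing in the visible lines documents or checks that every caller of AddExcludeListEntry, the Remove* functions and the CheckExcludeList* lookups satisfies it. I would state the requirement in each function's header comment and enforce it in checked builds with `NT_ASSERT(KeGetCurrentIrql() <= APC_LEVEL);` before the acquire, so a caller at DISPATCH_LEVEL fails at the call site rather than as a new bugcheck. The commented-out `//KLOCK_QUEUE_HANDLE lockHandle;` lines left in seven functions are dead declarations and should be deleted. Most of these function bodies start or end outside the hunks, so any early-return path between acquire and release could not be checked here.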


@ -184,7 +184,10 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
RtlZeroMemory(&lookup, sizeof(lookup));
Entry->inited = (!g_psMonitorInited ? TRUE : FALSE);
Entry->subsystem = RtlEqualUnicodeString(&g_csrssPath, ImgPath, TRUE);
//if (Entry->processId == (HANDLE)4)
// Entry->subsystem = TRUE;
//else
Entry->subsystem = RtlEqualUnicodeString(&g_csrssPath, ImgPath, TRUE);
// Check exclude flag
@ -337,7 +340,8 @@ BOOLEAN IsProcessExcluded(HANDLE ProcessId)
if (!result)
return FALSE;
return entry.excluded;
//return ((entry.excluded || entry.subsystem) ? TRUE : FALSE);
return ((entry.excluded || ProcessId == (HANDLE)4) ? TRUE : FALSE);
}
BOOLEAN IsProcessProtected(HANDLE ProcessId)
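Review bot: The literal `(HANDLE)4` in IsProcessExcluded is an undocumented magic value (presumably the System process ID), and it is tested only after the `if (!result) return FALSE;` early return, so that process is reported as excluded only when it already has a table entry. If the intent is to always treat it as excluded, the comparison belongs before the lookup result is checked, and the value deserves a name and a why-comment, e.g. `#define SYSTEM_PROCESS_ID ((HANDLE)4)`. Excluding a whole process by ID also widens the exclusion to everything that runs in its context, which should be stated explicitly as a design decision. The commented-out alternatives (`//return ((entry.excluded || entry.subsystem) ? TRUE : FALSE);` and the `//if (Entry->processId == (HANDLE)4)` block in CheckProcessFlags) should be removed or replaced by a comment recording why they were rejected. Both function bodies start outside the hunks.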


@ -5,13 +5,6 @@
; Enable driver if it's disabled
/state on
; Cleanup configs
/unhide file all
/unhide dir all
/unhide regval all
/unhide regkey all
; Following config used for hidding VMWare components
/hide dir "c:\Program Files\VMware"
@ -28,22 +21,26 @@
/hide regval "HKLM\Hardware\Description\System\BIOS\SystemManufacturer"
/hide regval "HKLM\Hardware\Description\System\BIOS\SystemProductName"
/ignore image inherit:none apply:forall "C:\Windows\System32\services.exe"
/ignore image inherit:none apply:forall "C:\Windows\System32\csrss.exe"
/ignore image inherit:none apply:forall "C:\Windows\System32\vssvc.exe"
/ignore image inherit:none apply:forall "C:\Windows\System32\spoolsv.exe"
/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe"
/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\rpctool.exe"
/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\rvmSetup.exe"
/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe"
/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\TPVCGateway.exe"
/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\VMwareHgfsClient.exe"
/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\VMwareHostOpen.exe"
/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"
/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe"
/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe"
/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\zip.exe"
/ignore image inherit:none "C:\Windows\System32\services.exe"
/ignore image inherit:none "C:\Windows\System32\csrss.exe"
/ignore image inherit:none "C:\Windows\System32\vssvc.exe"
/ignore image inherit:none "C:\Windows\System32\spoolsv.exe"
/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe"
/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\rpctool.exe"
/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\rvmSetup.exe"
/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe"
/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\TPVCGateway.exe"
/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\VMwareHgfsClient.exe"
/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\VMwareHostOpen.exe"
/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"
/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe"
/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe"
/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\zip.exe"
/protect image inherit:none "C:\Windows\System32\services.exe"
/protect image inherit:none "C:\Windows\System32\csrss.exe"
/protect image inherit:none "C:\Windows\System32\lsass.exe"
; Isn't supported yet
; /stealth on "my_stealth_gate"
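Review bot: The three new `/protect image inherit:none` lines for services.exe, csrss.exe and lsass.exe have no comment, unlike the other groups in this file. A heading such as `; Protect core system processes` would say why these three images were chosen. With the `; Cleanup configs` block gone, the file no longer resets existing hide rules before adding its own, so re-applying it presumably stacks rules on top of whatever is already loaded; that expectation should be stated in a comment near `/state on`. The `/ignore image` rules also appear to have dropped `apply:forall`, which looks like a behaviour change for already-running processes and should be confirmed and documented.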