From 67355c72c4d98d4b6106ea0b7161e00060a86ed4 Mon Sep 17 00:00:00 2001
From: JKornev <8bit.dosninja@gmail.com>
Date: Wed, 28 Dec 2016 00:31:00 +0300
Subject: [PATCH] Fix for BSOD and vmware.conf
---
 Hidden/ExcludeList.c | 46 +++++++++++++++++++++----------------------
 Hidden/PsMonitor.c | 8 ++++++--
 HiddenCLI/vmware.conf | 43 +++++++++++++++++++---------------------
 3 files changed, 49 insertions(+), 48 deletions(-)
diff --git a/Hidden/ExcludeList.c b/Hidden/ExcludeList.c
index a270b55..8051e9c 100644
--- a/Hidden/ExcludeList.c
+++ b/Hidden/ExcludeList.c
@@ -17,7 +17,7 @@ typedef struct _EXCLUDE_FILE_LIST_ENTRY {
 typedef struct _EXCLUDE_FILE_CONTEXT {
 LIST_ENTRY listHead;
- KSPIN_LOCK listLock;
+ FAST_MUTEX listLock;
 ULONGLONG guidCounter;
 UINT32 type;
 } EXCLUDE_FILE_CONTEXT, *PEXCLUDE_FILE_CONTEXT;
@@ -54,7 +54,7 @@ NTSTATUS InitializeExcludeListContext(PExcludeContext Context, UINT32 Type)
 }
 InitializeListHead(&cntx->listHead);
- KeInitializeSpinLock(&cntx->listLock);
+ ExInitializeFastMutex(&cntx->listLock);
 cntx->guidCounter = 1;
 cntx->type = Type;
@@ -94,7 +94,7 @@ NTSTATUS AddExcludeListEntry(ExcludeContext Context, PUNICODE_STRING FilePath, U
 {
 enum { MAX_PATH_SIZE = 1024 };
 PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
- KLOCK_QUEUE_HANDLE lockHandle;
+ //KLOCK_QUEUE_HANDLE lockHandle;
 PEXCLUDE_FILE_LIST_ENTRY entry, head;
 UNICODE_STRING temp;
 SIZE_T size;
@@ -158,10 +158,10 @@ NTSTATUS AddExcludeListEntry(ExcludeContext Context, PUNICODE_STRING FilePath, U
 head = (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead;
 }
- KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
+ ExAcquireFastMutex(&cntx->listLock);
 entry->guid = cntx->guidCounter++;
 InsertTailList((PLIST_ENTRY)head, (PLIST_ENTRY)entry);
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&cntx->listLock);
 *EntryId = entry->guid;
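Review bot: The new `FAST_MUTEX listLock` in EXCLUDE_FILE_CONTEXT silently changes the IRQL contract of every function in this file: `ExAcquireFastMutex` raises the thread to APC_LEVEL and must itself be called at IRQL <= APC_LEVEL, whereas the replaced in-stack queued spin lock was legal from DISPATCH_LEVEL, so any caller of `CheckExcludeList*` or `AddExcludeListEntry` that runs at DISPATCH_LEVEL would now bugcheck instead of spinning. The context that embeds the mutex must also live in non-paged memory; its allocation in `InitializeExcludeListContext` is outside this hunk, so the pool type cannot be confirmed from here. I would record both constraints on the field itself: `FAST_MUTEX listLock; // callers must run at IRQL <= APC_LEVEL; the context must be allocated from NonPagedPool`. Presumably the motivation is that the string comparisons done under the lock may touch pageable memory, which would explain the BSOD in the subject line, but that reasoning is not stated anywhere in the patch.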
@@ -172,10 +172,10 @@ NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId)
 {
 NTSTATUS status = STATUS_NOT_FOUND;
 PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
- KLOCK_QUEUE_HANDLE lockHandle;
+ //KLOCK_QUEUE_HANDLE lockHandle;
 PEXCLUDE_FILE_LIST_ENTRY entry;
- KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
+ ExAcquireFastMutex(&cntx->listLock);
 entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
 while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
@@ -191,7 +191,7 @@ NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId)
 entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
 }
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&cntx->listLock);
 return status;
 }
@@ -199,10 +199,10 @@ NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId)
 NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context)
 {
 PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
- KLOCK_QUEUE_HANDLE lockHandle;
+ //KLOCK_QUEUE_HANDLE lockHandle;
 PEXCLUDE_FILE_LIST_ENTRY entry;
- KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
+ ExAcquireFastMutex(&cntx->listLock);
 entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
 while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
@@ -213,7 +213,7 @@ NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context)
 ExFreePoolWithTag(remove, EXCLUDE_ALLOC_TAG);
 }
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&cntx->listLock);
 return STATUS_SUCCESS;
 }
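Review bot: The `+ //KLOCK_QUEUE_HANDLE lockHandle;` lines added in RemoveExcludeListEntry and RemoveAllExcludeListEntries (the same pattern appears in every other function of this file) are commented-out declarations standing in for a deletion; the queued-lock handle has no meaning once the lock is a FAST_MUTEX, so those lines should be removed outright rather than kept as dead code. One caveat worth a comment near the acquire: a fast mutex is not recursive, so if either Remove* routine is ever reached while the same thread already holds `cntx->listLock` it will deadlock where the spin lock would have hung in a more obvious way; nothing in these hunks shows such re-entry, so this is a note for maintainers, e.g. `// Non-recursive: must not be called with listLock already held`.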
@@ -221,11 +221,11 @@ NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context)
 BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path)
 {
 PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
- KLOCK_QUEUE_HANDLE lockHandle;
+ //KLOCK_QUEUE_HANDLE lockHandle;
 PEXCLUDE_FILE_LIST_ENTRY entry;
 BOOLEAN result = FALSE;
- KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
+ ExAcquireFastMutex(&cntx->listLock);
 entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
 while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
@@ -239,7 +239,7 @@ BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path)
 entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
 }
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&cntx->listLock);
 return result;
 }
@@ -247,7 +247,7 @@ BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path)
 BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
 {
 PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
- KLOCK_QUEUE_HANDLE lockHandle;
+ //KLOCK_QUEUE_HANDLE lockHandle;
 PEXCLUDE_FILE_LIST_ENTRY entry;
 UNICODE_STRING Directory, dir;
 BOOLEAN result = FALSE;
@@ -256,7 +256,7 @@ BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
 if (Directory.Length > 0 && Directory.Buffer[Directory.Length / sizeof(WCHAR) - 1] == L'\\')
 Directory.Length -= sizeof(WCHAR);
- KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
+ ExAcquireFastMutex(&cntx->listLock);
 entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
 while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
@@ -285,7 +285,7 @@ BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
 entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
 }
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&cntx->listLock);
 return result;
 }
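Review bot: Every lookup in CheckExcludeListFile and CheckExcludeListDirectory now takes `cntx->listLock` exclusively although these functions only read the list, so concurrent filter callbacks serialize on one mutex; if they sit on the file-open path (the callers are not visible here) a push lock or ERESOURCE acquired shared by the Check* readers and exclusive by Add/Remove would keep the APC_LEVEL fix while letting reads proceed in parallel. Separately, because `ExAcquireFastMutex` raises to APC_LEVEL, nothing inside the critical section may wait on a dispatcher object or issue I/O; the visible code only walks the list and compares strings, which is fine, but that restriction should be written down above the acquire so a later edit does not add a blocking call there, e.g. `// Held at APC_LEVEL: no waits or I/O while the list is locked`.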
@@ -293,7 +293,7 @@ BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
 BOOLEAN CheckExcludeListDirFile(ExcludeContext Context, PCUNICODE_STRING Dir, PCUNICODE_STRING File)
 {
 PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
- KLOCK_QUEUE_HANDLE lockHandle;
+ //KLOCK_QUEUE_HANDLE lockHandle;
 PEXCLUDE_FILE_LIST_ENTRY entry;
 UNICODE_STRING Directory;
 BOOLEAN result = FALSE;
@@ -303,7 +303,7 @@ BOOLEAN CheckExcludeListDirFile(ExcludeContext Context, PCUNICODE_STRING Dir, PC
 if (Directory.Length > 0 && Directory.Buffer[Directory.Length / sizeof(WCHAR) - 1] == L'\\')
 Directory.Length -= sizeof(WCHAR);
- KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
+ ExAcquireFastMutex(&cntx->listLock);
 entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
 while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
@@ -318,7 +318,7 @@ BOOLEAN CheckExcludeListDirFile(ExcludeContext Context, PCUNICODE_STRING Dir, PC
 entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
 }
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&cntx->listLock);
 return result;
 }
@@ -331,7 +331,7 @@ BOOLEAN CheckExcludeListRegKey(ExcludeContext Context, PUNICODE_STRING Key)
 BOOLEAN CheckExcludeListRegKeyValueName(ExcludeContext Context, PUNICODE_STRING Key, PUNICODE_STRING Name, PUINT32 Increament)
 {
 PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
- KLOCK_QUEUE_HANDLE lockHandle;
+ //KLOCK_QUEUE_HANDLE lockHandle;
 PEXCLUDE_FILE_LIST_ENTRY entry;
 UNICODE_STRING Directory;
 BOOLEAN result = FALSE;
@@ -342,7 +342,7 @@ BOOLEAN CheckExcludeListRegKeyValueName(ExcludeContext Context, PUNICODE_STRING
 if (Directory.Length > 0 && Directory.Buffer[Directory.Length / sizeof(WCHAR)-1] == L'\\')
 Directory.Length -= sizeof(WCHAR);
- KeAcquireInStackQueuedSpinLock(&cntx->listLock, &lockHandle);
+ ExAcquireFastMutex(&cntx->listLock);
 entry = (PEXCLUDE_FILE_LIST_ENTRY)cntx->listHead.Flink;
 while (entry != (PEXCLUDE_FILE_LIST_ENTRY)&cntx->listHead)
@@ -371,7 +371,7 @@ BOOLEAN CheckExcludeListRegKeyValueName(ExcludeContext Context, PUNICODE_STRING
 entry = (PEXCLUDE_FILE_LIST_ENTRY)entry->list.Flink;
 }
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&cntx->listLock);
 return result;
 }
diff --git a/Hidden/PsMonitor.c b/Hidden/PsMonitor.c
index a82ce59..4c958e2 100644
--- a/Hidden/PsMonitor.c
+++ b/Hidden/PsMonitor.c
@@ -184,7 +184,10 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
 RtlZeroMemory(&lookup, sizeof(lookup));
 Entry->inited = (!g_psMonitorInited ? TRUE : FALSE);
- Entry->subsystem = RtlEqualUnicodeString(&g_csrssPath, ImgPath, TRUE);
+ //if (Entry->processId == (HANDLE)4)
+ // Entry->subsystem = TRUE;
+ //else
+ Entry->subsystem = RtlEqualUnicodeString(&g_csrssPath, ImgPath, TRUE);
 // Check exclude flag
@@ -337,7 +340,8 @@ BOOLEAN IsProcessExcluded(HANDLE ProcessId)
 if (!result)
 return FALSE;
- return entry.excluded;
+ //return ((entry.excluded || entry.subsystem) ? TRUE : FALSE);
+ return ((entry.excluded || ProcessId == (HANDLE)4) ? TRUE : FALSE);
 }
 BOOLEAN IsProcessProtected(HANDLE ProcessId)
diff --git a/HiddenCLI/vmware.conf b/HiddenCLI/vmware.conf
index c322daa..c0a79aa 100644
--- a/HiddenCLI/vmware.conf
+++ b/HiddenCLI/vmware.conf
@@ -5,13 +5,6 @@
 ; Enable driver if it's disabled
 /state on
-; Cleanup configs
-
-/unhide file all
-/unhide dir all
-/unhide regval all
-/unhide regkey all
-
 ; Following config used for hidding VMWare components
 /hide dir "c:\Program Files\VMware"
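Review bot: The new `ProcessId == (HANDLE)4` test in IsProcessExcluded is evaluated only after the table lookup succeeded (`if (!result) return FALSE;` still precedes it), so the System process is excluded only when it already has a table entry; if the intent is to never filter System regardless of table state, the test must move ahead of the lookup. Hard-coding 4 also bakes in a convention rather than a contract; compare against the kernel's own handle instead, e.g. `if (ProcessId == PsGetProcessId(PsInitialSystemProcess)) return TRUE; // never filter the System process` placed before the lookup. The commented-out `//return ((entry.excluded || entry.subsystem) ...)` line here and the commented-out `if (Entry->processId == (HANDLE)4)` block in CheckProcessFlags should be deleted rather than kept as dead code, and the reason System must be excluded (presumably the BSOD named in the subject) deserves a one-line comment since nothing in either hunk explains it.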
@@ -28,22 +21,26 @@
 /hide regval "HKLM\Hardware\Description\System\BIOS\SystemManufacturer"
 /hide regval "HKLM\Hardware\Description\System\BIOS\SystemProductName"
-/ignore image inherit:none apply:forall "C:\Windows\System32\services.exe"
-/ignore image inherit:none apply:forall "C:\Windows\System32\csrss.exe"
-/ignore image inherit:none apply:forall "C:\Windows\System32\vssvc.exe"
-/ignore image inherit:none apply:forall "C:\Windows\System32\spoolsv.exe"
-/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
-/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe"
-/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\rpctool.exe"
-/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\rvmSetup.exe"
-/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe"
-/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\TPVCGateway.exe"
-/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\VMwareHgfsClient.exe"
-/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\VMwareHostOpen.exe"
-/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"
-/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe"
-/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe"
-/ignore image inherit:none apply:forall "C:\Program Files\VMware\VMware Tools\zip.exe"
+/ignore image inherit:none "C:\Windows\System32\services.exe"
+/ignore image inherit:none "C:\Windows\System32\csrss.exe"
+/ignore image inherit:none "C:\Windows\System32\vssvc.exe"
+/ignore image inherit:none "C:\Windows\System32\spoolsv.exe"
+/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
+/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe"
+/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\rpctool.exe"
+/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\rvmSetup.exe"
+/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe"
+/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\TPVCGateway.exe"
+/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\VMwareHgfsClient.exe"
+/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\VMwareHostOpen.exe"
+/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"
+/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe"
+/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe"
+/ignore image inherit:none "C:\Program Files\VMware\VMware Tools\zip.exe"
+
+/protect image inherit:none "C:\Windows\System32\services.exe"
+/protect image inherit:none "C:\Windows\System32\csrss.exe"
+/protect image inherit:none "C:\Windows\System32\lsass.exe"
 ; Isn't supported yet
 ; /stealth on "my_stealth_gate"
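Review bot: The three new `/protect image` lines extend a profile that is documented as hiding VMware components to csrss.exe, services.exe and lsass.exe with no comment on why, and lsass.exe in particular is a process that legitimate tooling routinely opens; whatever `/protect` does in the driver (presumably it restricts how other processes may open the image, but the semantics are not visible in this diff), the intent should be stated on the line above, e.g. `; Protect core system processes from being opened by monitored processes (see PsMonitor)`. The `apply:forall` qualifier was also dropped from every `/ignore image` line; whether the rules still cover already-running instances or only new ones now depends on the CLI's default, which this patch does not show, so a one-line comment recording the intended default would prevent the profile from silently changing meaning if that default is ever revisited.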