Added new process exclusion tests

2024-06-16 03:58:04 +00:00 · 2016-10-15 00:36:32 +03:00 · 2016-10-15 00:36:32 +03:00 · 6b0777c4de
commit 6b0777c4de
parent 127c0b9c86
3 changed files with 97 additions and 9 deletions
--- a/Hidden/PsMonitor.c
+++ b/Hidden/PsMonitor.c
@ -96,7 +96,7 @@ OB_PREOP_CALLBACK_STATUS ProcessPreCallback(PVOID RegistrationContext, POB_PRE_O

 	if (!CheckProtectedOperation(PsGetCurrentProcessId(), PsGetProcessId(OperationInformation->Object)))
 	{
-		DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected process %d\n", PsGetCurrentProcessId());
+		//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected process %d\n", PsGetCurrentProcessId());
 		return OB_PREOP_SUCCESS;
 	}

@ -125,7 +125,7 @@ OB_PREOP_CALLBACK_STATUS ThreadPreCallback(PVOID RegistrationContext, POB_PRE_OP

 	if (!CheckProtectedOperation(PsGetCurrentProcessId(), PsGetProcessId(OperationInformation->Object)))
 	{
-		DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected thread %d\n", PsGetCurrentProcessId());
+		//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected thread %d\n", PsGetCurrentProcessId());
 		return OB_PREOP_SUCCESS;
 	}

--- a/Hidden/todo.txt
+++ b/Hidden/todo.txt
@ -20,7 +20,8 @@
 	- Реализовать тесты в проекте HiddenTest
 		+ FS monitor
 		+ Reg filter
-		- Ps filter
+		+ Ps filter
+			+ Добавить код тестирования для add\remove excluded image
 + Добавить в Reg filter поддержку всех возможных операций над value
 	+ set value
 	+ delete value
@ -38,10 +39,10 @@
 + Реализовать все ф-и Ps monitor
 	+ Добавить в библиотеку поддержку get\set state
 	+ Решить проблему с protected (возможно разрешить создавать такие процессы только из protected\system)
- Реализовать IOCTL протокол управления
+ Реализовать IOCTL протокол управления
 	+ Реализовать usermode библиотеку для работы с IOCTL API
-	- Реализовать программу управления драйвером, средствами IOCTL API
 		+ Слинковать с IOCTL API lib
+- Реализовать HiddenCLI
 - Портировать драйвер под архитектуру x64
 - Залить проект на Git
 	+ Переименовать проект драйвера в Hidden
--- a/HiddenTests/HiddenTests.cpp
+++ b/HiddenTests/HiddenTests.cpp
@ -634,8 +634,8 @@ void do_psmon_prot_tests(HidContext context)

 	if (pi.hProcess)
 	{
-		CloseHandle(hproc);
 		TerminateProcess(pi.hProcess, 0);
+		CloseHandle(pi.hProcess);
 	}

 	Hid_RemoveProtectedState(context, GetCurrentProcessId());
@ -649,11 +649,20 @@ void do_psmon_excl_tests(HidContext context)
 	HidObjId objId[3];
 	HidActiveState state;
 	HidPsInheritTypes inheritType;
+	STARTUPINFOW si;
+	PROCESS_INFORMATION pi;
+	wstring exepath;
+	HANDLE hproc = 0;
+	DWORD error_code, exit_code;

 	wcout << L"--------------------------------" << endl;
 	wcout << L"Process monitor excl tests result:" << endl;
 	wcout << L"--------------------------------" << endl;

+	memset(&si, 0, sizeof(si));
+	memset(&pi, 0, sizeof(pi));
+	si.cb = sizeof(si);
+
 	try
 	{
 		wcout << L"Test 1: hide file, add excluded process, check file" << endl;
@ -663,11 +672,11 @@ void do_psmon_excl_tests(HidContext context)
 		CHandle hfile(
 			::CreateFileW(
 			file_path.c_str(),
-			FILE_READ_ACCESS | FILE_WRITE_ACCESS,
+			GENERIC_READ | GENERIC_WRITE,
 			FILE_SHARE_READ | FILE_SHARE_WRITE,
 			NULL,
 			CREATE_ALWAYS,
-			FILE_FLAG_DELETE_ON_CLOSE,
+			0,
 			NULL
 			)
 		);
@ -744,15 +753,93 @@ void do_psmon_excl_tests(HidContext context)

 		wcout << L" successful!" << endl;

-		//TODO: add tests for other API
+		wcout << L"Test 2: " << endl;
+
+		exepath = L"c:\\windows\\system32\\cmd.exe /c type \"";
+		exepath += file_path.c_str();
+		exepath += L"\"";
+		if (!CreateProcessW(NULL, (LPWSTR)exepath.c_str(), NULL, NULL, FALSE, CREATE_NEW_CONSOLE /*| CREATE_SUSPENDED*/, NULL, NULL, &si, &pi))
+		{
+			error_code = GetLastError();
+			wcout << L"Error, CreateProcessW() failed with code: " << error_code << endl;
+			throw exception();
+		}
+
+		CloseHandle(pi.hThread);
+
+		WaitForSingleObject(pi.hProcess, INFINITE);
+
+		exit_code = 0;
+		if (!GetExitCodeProcess(pi.hProcess, &exit_code))
+		{
+			error_code = GetLastError();
+			wcout << L"Error, GetExitCodeProcess() failed with code: " << error_code << endl;
+			throw exception();
+		}
+
+		if (exit_code == 0)
+		{
+			wcout << L"Error, hidden file has been found" << endl;
+			throw exception();
+		}
+
+		CloseHandle(pi.hProcess);
+		memset(&pi, 0, sizeof(pi));
+
+		hid_status = Hid_AddExcludedImage(context, L"c:\\windows\\system32\\cmd.exe", HidPsInheritTypes::InheritOnce, &objId[1]);
+		if (!HID_STATUS_SUCCESSFUL(hid_status))
+		{
+			wcout << L"Error, can't add excluded image, code: " << HID_STATUS_CODE(hid_status) << endl;
+			throw exception();
+		}
+
+		exepath = L"c:\\windows\\system32\\cmd.exe /c type \"";
+		exepath += file_path.c_str();
+		exepath += L"\"";
+		if (!CreateProcessW(NULL, (LPWSTR)exepath.c_str(), NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
+		{
+			error_code = GetLastError();
+			wcout << L"Error, CreateProcessW() failed with code: " << error_code << endl;
+			throw exception();
+		}
+
+		CloseHandle(pi.hThread);
+
+		WaitForSingleObject(pi.hProcess, INFINITE);
+
+		if (!GetExitCodeProcess(pi.hProcess, &exit_code))
+		{
+			error_code = GetLastError();
+			wcout << L"Error, GetExitCodeProcess() failed with code: " << error_code << endl;
+			throw exception();
+		}
+
+		if (exit_code != 0)
+		{
+			wcout << L"Error, process exclusion doesn't work, termination code: " << exit_code << endl;
+			throw exception();
+		}
+
+		CloseHandle(pi.hProcess);
+		memset(&pi, 0, sizeof(pi));
+
+		wcout << L" successful!" << endl;
 	}
 	catch (exception&)
 	{
 		wcout << L" failed!" << endl;
 	}

+	if (pi.hProcess)
+	{
+		TerminateProcess(pi.hProcess, 0);
+		CloseHandle(pi.hProcess);
+	}
+
 	Hid_RemoveAllHiddenFiles(context);
 	Hid_RemoveAllExcludedImages(context);
+
+	DeleteFileW(file_path.c_str());
 }

 int wmain(int argc, wchar_t* argv[])