Mirrors/hidden
6
0
Fork 0
mirror of https://github.com/JKornev/hidden synced 2024-06-16 03:58:04 +00:00
Code Issues Projects Releases Wiki Activity

Added Get\Set process exclude\protect state

Browse Source 
Fixed issue with the hidden.inf
and etc
This commit is contained in:
JKornev 2016-09-04 20:17:21 +03:00
parent 9ba217714e
commit 80b89c2f28
7 changed files with 172 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

192
Hidden/Device.c
View File

@ -47,27 +47,27 @@ NTSTATUS IrpDeviceCleanup(PDEVICE_OBJECT DeviceObject, PIRP Irp)
return STATUS_SUCCESS;
}
NTSTATUS AddHiddenObject(PHid_HideObjectPacket packet, USHORT size, PULONGLONG objId)
NTSTATUS AddHiddenObject(PHid_HideObjectPacket Packet, USHORT Size, PULONGLONG ObjId)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING path;
USHORT i, count;
// Check can we access to the packet
if (size < sizeof(Hid_HideObjectPacket))
if (Size < sizeof(Hid_HideObjectPacket))
return STATUS_INVALID_PARAMETER;
// Check packet data size overflow
if (size < packet->size + sizeof(Hid_HideObjectPacket))
if (Size < Packet->dataSize + sizeof(Hid_HideObjectPacket))
return STATUS_INVALID_PARAMETER;
// Unpack string to UNICODE_STRING
path.Buffer = (LPWSTR)((PCHAR)packet + sizeof(Hid_HideObjectPacket));
path.MaximumLength = size - sizeof(Hid_HideObjectPacket);
path.Buffer = (LPWSTR)((PCHAR)Packet + sizeof(Hid_HideObjectPacket));
path.MaximumLength = Size - sizeof(Hid_HideObjectPacket);
// Just checking for zero-end string ends in the middle
count = packet->size / sizeof(WCHAR);
count = Packet->dataSize / sizeof(WCHAR);
for (i = 0; i < count; i++)
if (path.Buffer[i] == L'\0')
break;
@ -76,69 +76,69 @@ NTSTATUS AddHiddenObject(PHid_HideObjectPacket packet, USHORT size, PULONGLONG o
// Perform the packet
switch (packet->objType)
switch (Packet->objType)
{
case RegKeyObject:
status = AddHiddenRegKey(&path, objId);
status = AddHiddenRegKey(&path, ObjId);
break;
case RegValueObject:
status = AddHiddenRegValue(&path, objId);
status = AddHiddenRegValue(&path, ObjId);
break;
case FsFileObject:
status = AddHiddenFile(&path, objId);
status = AddHiddenFile(&path, ObjId);
break;
case FsDirObject:
status = AddHiddenDir(&path, objId);
status = AddHiddenDir(&path, ObjId);
break;
default:
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", packet->objType);
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
return STATUS_INVALID_PARAMETER;
}
return status;
}
NTSTATUS RemoveHiddenObject(PHid_UnhideObjectPacket packet, USHORT size)
NTSTATUS RemoveHiddenObject(PHid_UnhideObjectPacket Packet, USHORT Size)
{
NTSTATUS status = STATUS_SUCCESS;
if (size != sizeof(Hid_UnhideObjectPacket))
if (Size != sizeof(Hid_UnhideObjectPacket))
return STATUS_INVALID_PARAMETER;
// Perform packet
switch (packet->objType)
switch (Packet->objType)
{
case RegKeyObject:
status = RemoveHiddenRegKey(packet->id);
status = RemoveHiddenRegKey(Packet->id);
break;
case RegValueObject:
status = RemoveHiddenRegValue(packet->id);
status = RemoveHiddenRegValue(Packet->id);
break;
case FsFileObject:
status = RemoveHiddenFile(packet->id);
status = RemoveHiddenFile(Packet->id);
break;
case FsDirObject:
status = RemoveHiddenDir(packet->id);
status = RemoveHiddenDir(Packet->id);
break;
default:
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", packet->objType);
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
return STATUS_INVALID_PARAMETER;
}
return status;
}
NTSTATUS RemoveAllHiddenObjects(PHid_UnhideAllObjectsPacket packet, USHORT size)
NTSTATUS RemoveAllHiddenObjects(PHid_UnhideAllObjectsPacket Packet, USHORT Size)
{
NTSTATUS status = STATUS_SUCCESS;
if (size != sizeof(Hid_UnhideAllObjectsPacket))
if (Size != sizeof(Hid_UnhideAllObjectsPacket))
return STATUS_INVALID_PARAMETER;
// Perform packet
switch (packet->objType)
switch (Packet->objType)
{
case RegKeyObject:
status = RemoveAllHiddenRegKeys();
@ -153,34 +153,34 @@ NTSTATUS RemoveAllHiddenObjects(PHid_UnhideAllObjectsPacket packet, USHORT size)
status = RemoveAllHiddenDirs();
break;
default:
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", packet->objType);
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
return STATUS_INVALID_PARAMETER;
}
return status;
}
NTSTATUS AddPsObject(PHid_AddPsObjectPacket packet, USHORT size, PULONGLONG objId)
NTSTATUS AddPsObject(PHid_AddPsObjectPacket Packet, USHORT Size, PULONGLONG ObjId)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING path;
USHORT i, count;
// Check can we access to the packet
if (size < sizeof(Hid_AddPsObjectPacket))
if (Size < sizeof(Hid_AddPsObjectPacket))
return STATUS_INVALID_PARAMETER;
// Check packet data size overflow
if (size < packet->size + sizeof(Hid_AddPsObjectPacket))
if (Size < Packet->dataSize + sizeof(Hid_AddPsObjectPacket))
return STATUS_INVALID_PARAMETER;
// Unpack string to UNICODE_STRING
path.Buffer = (LPWSTR)((PCHAR)packet + sizeof(Hid_AddPsObjectPacket));
path.MaximumLength = size - sizeof(Hid_AddPsObjectPacket);
path.Buffer = (LPWSTR)((PCHAR)Packet + sizeof(Hid_AddPsObjectPacket));
path.MaximumLength = Size - sizeof(Hid_AddPsObjectPacket);
// Just checking for zero-end string ends in the middle
count = packet->size / sizeof(WCHAR);
count = Packet->dataSize / sizeof(WCHAR);
for (i = 0; i < count; i++)
if (path.Buffer[i] == L'\0')
break;
@ -189,57 +189,121 @@ NTSTATUS AddPsObject(PHid_AddPsObjectPacket packet, USHORT size, PULONGLONG objI
// Perform the packet
switch (packet->objType)
switch (Packet->objType)
{
case PsExcludedObject:
status = AddExcludedImage(&path, packet->inheritType, objId);
status = AddExcludedImage(&path, Packet->inheritType, ObjId);
break;
case PsProtectedObject:
status = AddProtectedImage(&path, packet->inheritType, objId);
status = AddProtectedImage(&path, Packet->inheritType, ObjId);
break;
default:
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", packet->objType);
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
return STATUS_INVALID_PARAMETER;
}
return status;
}
NTSTATUS RemovePsObject(PHid_RemovePsObjectPacket packet, USHORT size)
NTSTATUS GetPsObjectInfo(PHid_GetPsObjectInfoPacket Packet, USHORT Size, PHid_GetPsObjectInfoPacket OutPacket, PULONG OutSize)
{
NTSTATUS status = STATUS_SUCCESS;
ULONG inheritType, outSize;
BOOLEAN enable;
if (size != sizeof(Hid_RemovePsObjectPacket))
outSize = *OutSize;
*OutSize = 0;
if (Size < sizeof(Hid_GetPsObjectInfoPacket))
return STATUS_INVALID_PARAMETER;
if (outSize < sizeof(Hid_GetPsObjectInfoPacket))
return STATUS_INVALID_PARAMETER;
// Perform packet
switch (packet->objType)
switch (Packet->objType)
{
case PsExcludedObject:
status = RemoveExcludedImage(packet->id);
status = GetExcludedProcessState((HANDLE)Packet->procId, &inheritType, &enable);
break;
case PsProtectedObject:
status = RemoveProtectedImage(packet->id);
status = GetProtectedProcessState((HANDLE)Packet->procId, &inheritType, &enable);
break;
default:
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", packet->objType);
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
return STATUS_INVALID_PARAMETER;
}
Packet->enable = (USHORT)enable;
Packet->inheritType = (USHORT)inheritType;
RtlCopyMemory(Packet, OutPacket, sizeof(Hid_GetPsObjectInfoPacket));
*OutSize = sizeof(Hid_GetPsObjectInfoPacket);
return status;
}
NTSTATUS SetPsObjectInfo(PHid_SetPsObjectInfoPacket Packet, USHORT Size)
{
NTSTATUS status = STATUS_SUCCESS;
if (Size != sizeof(Hid_SetPsObjectInfoPacket))
return STATUS_INVALID_PARAMETER;
// Perform packet
switch (Packet->objType)
{
case PsExcludedObject:
status = SetExcludedProcessState((HANDLE)Packet->procId, Packet->inheritType, (Packet->enable ? TRUE : FALSE));
break;
case PsProtectedObject:
status = SetProtectedProcessState((HANDLE)Packet->procId, Packet->inheritType, (Packet->enable ? TRUE : FALSE));
break;
default:
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
return STATUS_INVALID_PARAMETER;
}
return status;
}
NTSTATUS RemoveAllPsObjects(PHid_RemoveAllPsObjectsPacket packet, USHORT size)
NTSTATUS RemovePsObject(PHid_RemovePsObjectPacket Packet, USHORT Size)
{
NTSTATUS status = STATUS_SUCCESS;
if (size != sizeof(Hid_RemoveAllPsObjectsPacket))
if (Size != sizeof(Hid_RemovePsObjectPacket))
return STATUS_INVALID_PARAMETER;
// Perform packet
switch (packet->objType)
switch (Packet->objType)
{
case PsExcludedObject:
status = RemoveExcludedImage(Packet->id);
break;
case PsProtectedObject:
status = RemoveProtectedImage(Packet->id);
break;
default:
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
return STATUS_INVALID_PARAMETER;
}
return status;
}
NTSTATUS RemoveAllPsObjects(PHid_RemoveAllPsObjectsPacket Packet, USHORT Size)
{
NTSTATUS status = STATUS_SUCCESS;
if (Size != sizeof(Hid_RemoveAllPsObjectsPacket))
return STATUS_INVALID_PARAMETER;
// Perform packet
switch (Packet->objType)
{
case PsExcludedObject:
status = RemoveAllExcludedImages();
@ -248,7 +312,7 @@ NTSTATUS RemoveAllPsObjects(PHid_RemoveAllPsObjectsPacket packet, USHORT size)
status = RemoveAllProtectedImages();
break;
default:
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", packet->objType);
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
return STATUS_INVALID_PARAMETER;
}
@ -260,11 +324,12 @@ NTSTATUS IrpDeviceControlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
PIO_STACK_LOCATION irpStack;
Hid_StatusPacket result;
NTSTATUS status = STATUS_SUCCESS;
PVOID inputBuffer, outputBuffer;
ULONG ioctl, inputBufferSize, outputBufferSize, outputBufferMaxSize;
PVOID inputBuffer, outputBuffer, outputData;
ULONG ioctl, inputBufferSize, outputBufferSize, outputBufferMaxSize,
outputDataMaxSize, outputDataSize;
UNREFERENCED_PARAMETER(DeviceObject);
// Get irp information
irpStack = IoGetCurrentIrpStackLocation(Irp);
@ -273,7 +338,9 @@ NTSTATUS IrpDeviceControlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
inputBuffer = outputBuffer = Irp->AssociatedIrp.SystemBuffer;
inputBufferSize = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outputBufferMaxSize = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
outputBufferSize = 0;
outputBufferSize = 0;
outputDataSize = 0;
outputDataMaxSize = 0;
RtlZeroMemory(&result, sizeof(result));
@ -285,6 +352,15 @@ NTSTATUS IrpDeviceControlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
goto EndProc;
}
// Prepare additional buffer for output data
outputData = (PVOID)((UINT_PTR)outputBuffer + sizeof(result));
outputDataMaxSize = outputBufferMaxSize - sizeof(result);
// Important Limitation:
// Because both input (inputBuffer) and output data (outputData) are located in the same buffer there is a limitation for the output
// buffer usage. When a ioctl handler is executing, it can use the input buffer only until first write to the output buffer, because
// when you put data to the output buffer you can overwrite data in input buffer. Therefore if you gonna use both an input and output
// data in the same time you should make the copy of input data and work with it.
switch (ioctl)
{
// Reg/Fs
@ -302,10 +378,11 @@ NTSTATUS IrpDeviceControlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
result.status = AddPsObject((PHid_AddPsObjectPacket)inputBuffer, (USHORT)inputBufferSize, &result.info.id);
break;
case HID_IOCTL_GET_OBJECT_STATE:
result.status = (ULONG)STATUS_NOT_IMPLEMENTED;
outputDataSize = outputDataMaxSize;
result.status = GetPsObjectInfo((PHid_SetPsObjectInfoPacket)inputBuffer, (USHORT)inputBufferSize, outputData, &outputDataSize);
break;
case HID_IOCTL_SET_OBJECT_STATE:
result.status = (ULONG)STATUS_NOT_IMPLEMENTED;
result.status = SetPsObjectInfo((PHid_SetPsObjectInfoPacket)inputBuffer, (USHORT)inputBufferSize);
break;
case HID_IOCTL_REMOVE_OBJECT:
result.status = RemovePsObject((PHid_RemovePsObjectPacket)inputBuffer, (USHORT)inputBufferSize);
@ -313,7 +390,7 @@ NTSTATUS IrpDeviceControlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
case HID_IOCTL_REMOVE_ALL_OBJECTS:
result.status = RemoveAllPsObjects((PHid_RemoveAllPsObjectsPacket)inputBuffer, (USHORT)inputBufferSize);
break;
//
default:
DbgPrint("FsFilter1!" __FUNCTION__ ": unknown IOCTL code:%08x\n", ioctl);
status = STATUS_INVALID_PARAMETER;
@ -322,6 +399,19 @@ NTSTATUS IrpDeviceControlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
EndProc:
// If additional output data has been presented
if (NT_SUCCESS(status) && outputDataSize > 0)
{
if (outputDataSize > outputDataMaxSize)
{
DbgPrint("FsFilter1!" __FUNCTION__ ": An internal error that looks like stack corruption!\n");
outputDataSize = outputDataMaxSize;
result.status = (ULONG)STATUS_PARTIAL_COPY;
}
result.dataSize = outputDataSize;
}
// Copy result to output buffer
if (NT_SUCCESS(status))
{

16
Hidden/DeviceAPI.h
View File

@ -40,7 +40,7 @@ enum Hid_ObjectTypes {
typedef struct _Hid_HideObjectPacket {
unsigned short objType;
unsigned short size;
unsigned short dataSize;
} Hid_HideObjectPacket, *PHid_HideObjectPacket;
typedef struct _Hid_UnhideObjectPacket {
@ -58,11 +58,22 @@ typedef struct _Hid_UnhideAllObjectsPacket {
typedef struct _Hid_AddPsObjectPacket {
unsigned short objType;
unsigned short size;
unsigned short dataSize;
unsigned short inheritType;
unsigned short reserved;
} Hid_AddPsObjectPacket, *PHid_AddPsObjectPacket;
typedef struct _Hid_GetPsObjectInfoPacket {
unsigned short objType;
unsigned short inheritType;
unsigned short enable;
unsigned short reserved;
unsigned long procId;
} Hid_GetPsObjectInfoPacket, *PHid_GetPsObjectInfoPacket;
typedef Hid_GetPsObjectInfoPacket Hid_SetPsObjectInfoPacket;
typedef Hid_GetPsObjectInfoPacket* PHid_SetPsObjectInfoPacket;
typedef struct _Hid_RemovePsObjectPacket {
unsigned short objType;
unsigned short reserved;
@ -78,6 +89,7 @@ typedef struct _Hid_RemoveAllPsObjectsPacket {
typedef struct _Hid_StatusPacket {
unsigned int status;
unsigned int dataSize;
union {
unsigned long long id;
unsigned long state;

1
Hidden/Hidden.vcxproj
View File

@ -61,7 +61,6 @@
<ResourceCompile Include="Hidden.rc" />
<ClCompile Include="ExcludeList.c" />
<ClCompile Include="Driver.c" />
<Inf Include="Hidden.inf" />
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}</ProjectGuid>

18
Hidden/Hidden.vcxproj.filters
View File

@ -18,11 +18,6 @@
<Extensions>inf;inv;inx;mof;mc;</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<Inf Include="FsFilter1.inf">
<Filter>Driver Files</Filter>
</Inf>
</ItemGroup>
<ItemGroup>
<ClCompile Include="ExcludeList.c">
<Filter>Source Files</Filter>
@ -48,9 +43,12 @@
<ClCompile Include="PsTable.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="PsRules.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="FsFilter1.rc">
<ResourceCompile Include="Hidden.rc">
<Filter>Resource Files</Filter>
</ResourceCompile>
</ItemGroup>
@ -86,5 +84,13 @@
<ClInclude Include="PsTable.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="PsRules.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<Inf Include="Hidden.inf">
<Filter>Driver Files</Filter>
</Inf>
</ItemGroup>
</Project>

6
Hidden/PsMonitor.c
View File

@ -17,13 +17,13 @@ PsRulesContext g_protectProcessRules;
CONST PWCHAR g_excludeProcesses[] = {
//L"\\??\\C:\\Windows\\System32\\calc.exe",
L"\\??\\C:\\Windows\\System32\\cmd.exe",
L"\\??\\C:\\Windows\\System32\\reg.exe",
//L"\\??\\C:\\Windows\\System32\\cmd.exe",
//L"\\??\\C:\\Windows\\System32\\reg.exe",
NULL
};
CONST PWCHAR g_protectProcesses[] = {
L"\\??\\C:\\Windows\\System32\\calc.exe",
//L"\\??\\C:\\Windows\\System32\\calc.exe",
//L"\\??\\C:\\Windows\\System32\\cmd.exe",
//L"\\??\\C:\\Windows\\System32\\csrss.exe",
//L"\\??\\C:\\Windows\\System32\\services.exe",

4
HiddenLib/HiddenLib.cpp
View File

@ -7,7 +7,7 @@
#include "..\\Hidden\DeviceAPI.h"
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
typedef struct _HidContextInternal {
HANDLE hdevice;
@ -66,7 +66,7 @@ HidStatus SendIoctlHideObjectPacket(PHidContextInternal context, wchar_t* path,
total = (len + 1) * sizeof(wchar_t);
size = sizeof(Hid_HideObjectPacket) + total;
hide = (PHid_HideObjectPacket)_alloca(size);
hide->size = total;
hide->dataSize = total;
hide->objType = type;
memcpy((char*)hide + sizeof(Hid_HideObjectPacket), path, total);

29
HiddenLib/HiddenLib.h
View File

@ -15,35 +15,6 @@ typedef unsigned long long HidObjId;
HidStatus Hid_Initialize(PHidContext pcontext);
void Hid_Destroy(HidContext context);
/*#define HID_IOCTL_SET_DRIVER_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 0), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_GET_DRIVER_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 1), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_HIDDEN_REG_KEY CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 10), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_HIDDEN_REG_KEY CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 11), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_HIDDEN_REG_KEYS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 12), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_HIDDEN_REG_VALUE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 20), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_HIDDEN_REG_VALUE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 21), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_HIDDEN_REG_VALUES CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 22), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_HIDDEN_FILE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 30), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_HIDDEN_FILE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 31), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_HIDDEN_FILES CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 32), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_HIDDEN_DIR CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 40), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_HIDDEN_DIR CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 41), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_HIDDEN_DIRS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 42), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_PROTECTED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 50), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ATTACH_PROTECTED_EXE_PID CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 51), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_PROTECTED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 52), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_PROTECTED_EXE_PATHS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 53), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ADD_EXCLUDED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 54), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_ATTACH_EXCLUDED_EXE_PID CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 55), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_EXCLUDED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 56), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define HID_IOCTL_REMOVE_ALL_EXCLUDED_EXE_PATHS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 57), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)*/
HidStatus Hid_SetState(HidContext context, int state);
HidStatus Hid_GetState(HidContext context, int* pstate);