Added Get\Set process exclude\protect state
Fixed an issue with hidden.inf, etc.
parent
9ba217714e
commit
80b89c2f28
192
Hidden/Device.c
192
Hidden/Device.c
@ -47,27 +47,27 @@ NTSTATUS IrpDeviceCleanup(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS AddHiddenObject(PHid_HideObjectPacket packet, USHORT size, PULONGLONG objId)
|
||||
NTSTATUS AddHiddenObject(PHid_HideObjectPacket Packet, USHORT Size, PULONGLONG ObjId)
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
UNICODE_STRING path;
|
||||
USHORT i, count;
|
||||
|
||||
// Check can we access to the packet
|
||||
if (size < sizeof(Hid_HideObjectPacket))
|
||||
if (Size < sizeof(Hid_HideObjectPacket))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
|
||||
// Check packet data size overflow
|
||||
if (size < packet->size + sizeof(Hid_HideObjectPacket))
|
||||
if (Size < Packet->dataSize + sizeof(Hid_HideObjectPacket))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
|
||||
// Unpack string to UNICODE_STRING
|
||||
|
||||
path.Buffer = (LPWSTR)((PCHAR)packet + sizeof(Hid_HideObjectPacket));
|
||||
path.MaximumLength = size - sizeof(Hid_HideObjectPacket);
|
||||
path.Buffer = (LPWSTR)((PCHAR)Packet + sizeof(Hid_HideObjectPacket));
|
||||
path.MaximumLength = Size - sizeof(Hid_HideObjectPacket);
|
||||
|
||||
// Just checking for zero-end string ends in the middle
|
||||
count = packet->size / sizeof(WCHAR);
|
||||
count = Packet->dataSize / sizeof(WCHAR);
|
||||
for (i = 0; i < count; i++)
|
||||
if (path.Buffer[i] == L'\0')
|
||||
break;
|
||||
@ -76,69 +76,69 @@ NTSTATUS AddHiddenObject(PHid_HideObjectPacket packet, USHORT size, PULONGLONG o
|
||||
|
||||
// Perform the packet
|
||||
|
||||
switch (packet->objType)
|
||||
switch (Packet->objType)
|
||||
{
|
||||
case RegKeyObject:
|
||||
status = AddHiddenRegKey(&path, objId);
|
||||
status = AddHiddenRegKey(&path, ObjId);
|
||||
break;
|
||||
case RegValueObject:
|
||||
status = AddHiddenRegValue(&path, objId);
|
||||
status = AddHiddenRegValue(&path, ObjId);
|
||||
break;
|
||||
case FsFileObject:
|
||||
status = AddHiddenFile(&path, objId);
|
||||
status = AddHiddenFile(&path, ObjId);
|
||||
break;
|
||||
case FsDirObject:
|
||||
status = AddHiddenDir(&path, objId);
|
||||
status = AddHiddenDir(&path, ObjId);
|
||||
break;
|
||||
default:
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", packet->objType);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS RemoveHiddenObject(PHid_UnhideObjectPacket packet, USHORT size)
|
||||
NTSTATUS RemoveHiddenObject(PHid_UnhideObjectPacket Packet, USHORT Size)
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
|
||||
if (size != sizeof(Hid_UnhideObjectPacket))
|
||||
if (Size != sizeof(Hid_UnhideObjectPacket))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
|
||||
// Perform packet
|
||||
|
||||
switch (packet->objType)
|
||||
switch (Packet->objType)
|
||||
{
|
||||
case RegKeyObject:
|
||||
status = RemoveHiddenRegKey(packet->id);
|
||||
status = RemoveHiddenRegKey(Packet->id);
|
||||
break;
|
||||
case RegValueObject:
|
||||
status = RemoveHiddenRegValue(packet->id);
|
||||
status = RemoveHiddenRegValue(Packet->id);
|
||||
break;
|
||||
case FsFileObject:
|
||||
status = RemoveHiddenFile(packet->id);
|
||||
status = RemoveHiddenFile(Packet->id);
|
||||
break;
|
||||
case FsDirObject:
|
||||
status = RemoveHiddenDir(packet->id);
|
||||
status = RemoveHiddenDir(Packet->id);
|
||||
break;
|
||||
default:
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", packet->objType);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS RemoveAllHiddenObjects(PHid_UnhideAllObjectsPacket packet, USHORT size)
|
||||
NTSTATUS RemoveAllHiddenObjects(PHid_UnhideAllObjectsPacket Packet, USHORT Size)
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
|
||||
if (size != sizeof(Hid_UnhideAllObjectsPacket))
|
||||
if (Size != sizeof(Hid_UnhideAllObjectsPacket))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
|
||||
// Perform packet
|
||||
|
||||
switch (packet->objType)
|
||||
switch (Packet->objType)
|
||||
{
|
||||
case RegKeyObject:
|
||||
status = RemoveAllHiddenRegKeys();
|
||||
@ -153,34 +153,34 @@ NTSTATUS RemoveAllHiddenObjects(PHid_UnhideAllObjectsPacket packet, USHORT size)
|
||||
status = RemoveAllHiddenDirs();
|
||||
break;
|
||||
default:
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", packet->objType);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS AddPsObject(PHid_AddPsObjectPacket packet, USHORT size, PULONGLONG objId)
|
||||
NTSTATUS AddPsObject(PHid_AddPsObjectPacket Packet, USHORT Size, PULONGLONG ObjId)
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
UNICODE_STRING path;
|
||||
USHORT i, count;
|
||||
|
||||
// Check can we access to the packet
|
||||
if (size < sizeof(Hid_AddPsObjectPacket))
|
||||
if (Size < sizeof(Hid_AddPsObjectPacket))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
|
||||
// Check packet data size overflow
|
||||
if (size < packet->size + sizeof(Hid_AddPsObjectPacket))
|
||||
if (Size < Packet->dataSize + sizeof(Hid_AddPsObjectPacket))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
|
||||
// Unpack string to UNICODE_STRING
|
||||
|
||||
path.Buffer = (LPWSTR)((PCHAR)packet + sizeof(Hid_AddPsObjectPacket));
|
||||
path.MaximumLength = size - sizeof(Hid_AddPsObjectPacket);
|
||||
path.Buffer = (LPWSTR)((PCHAR)Packet + sizeof(Hid_AddPsObjectPacket));
|
||||
path.MaximumLength = Size - sizeof(Hid_AddPsObjectPacket);
|
||||
|
||||
// Just checking for zero-end string ends in the middle
|
||||
count = packet->size / sizeof(WCHAR);
|
||||
count = Packet->dataSize / sizeof(WCHAR);
|
||||
for (i = 0; i < count; i++)
|
||||
if (path.Buffer[i] == L'\0')
|
||||
break;
|
||||
@ -189,57 +189,121 @@ NTSTATUS AddPsObject(PHid_AddPsObjectPacket packet, USHORT size, PULONGLONG objI
|
||||
|
||||
// Perform the packet
|
||||
|
||||
switch (packet->objType)
|
||||
switch (Packet->objType)
|
||||
{
|
||||
case PsExcludedObject:
|
||||
status = AddExcludedImage(&path, packet->inheritType, objId);
|
||||
status = AddExcludedImage(&path, Packet->inheritType, ObjId);
|
||||
break;
|
||||
case PsProtectedObject:
|
||||
status = AddProtectedImage(&path, packet->inheritType, objId);
|
||||
status = AddProtectedImage(&path, Packet->inheritType, ObjId);
|
||||
break;
|
||||
default:
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", packet->objType);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS RemovePsObject(PHid_RemovePsObjectPacket packet, USHORT size)
|
||||
NTSTATUS GetPsObjectInfo(PHid_GetPsObjectInfoPacket Packet, USHORT Size, PHid_GetPsObjectInfoPacket OutPacket, PULONG OutSize)
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
ULONG inheritType, outSize;
|
||||
BOOLEAN enable;
|
||||
|
||||
if (size != sizeof(Hid_RemovePsObjectPacket))
|
||||
outSize = *OutSize;
|
||||
*OutSize = 0;
|
||||
|
||||
if (Size < sizeof(Hid_GetPsObjectInfoPacket))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
|
||||
if (outSize < sizeof(Hid_GetPsObjectInfoPacket))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
|
||||
// Perform packet
|
||||
|
||||
switch (packet->objType)
|
||||
switch (Packet->objType)
|
||||
{
|
||||
case PsExcludedObject:
|
||||
status = RemoveExcludedImage(packet->id);
|
||||
status = GetExcludedProcessState((HANDLE)Packet->procId, &inheritType, &enable);
|
||||
break;
|
||||
case PsProtectedObject:
|
||||
status = RemoveProtectedImage(packet->id);
|
||||
status = GetProtectedProcessState((HANDLE)Packet->procId, &inheritType, &enable);
|
||||
break;
|
||||
default:
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", packet->objType);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
Packet->enable = (USHORT)enable;
|
||||
Packet->inheritType = (USHORT)inheritType;
|
||||
|
||||
RtlCopyMemory(Packet, OutPacket, sizeof(Hid_GetPsObjectInfoPacket));
|
||||
*OutSize = sizeof(Hid_GetPsObjectInfoPacket);
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS SetPsObjectInfo(PHid_SetPsObjectInfoPacket Packet, USHORT Size)
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
|
||||
if (Size != sizeof(Hid_SetPsObjectInfoPacket))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
|
||||
// Perform packet
|
||||
|
||||
switch (Packet->objType)
|
||||
{
|
||||
case PsExcludedObject:
|
||||
status = SetExcludedProcessState((HANDLE)Packet->procId, Packet->inheritType, (Packet->enable ? TRUE : FALSE));
|
||||
break;
|
||||
case PsProtectedObject:
|
||||
status = SetProtectedProcessState((HANDLE)Packet->procId, Packet->inheritType, (Packet->enable ? TRUE : FALSE));
|
||||
break;
|
||||
default:
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS RemoveAllPsObjects(PHid_RemoveAllPsObjectsPacket packet, USHORT size)
|
||||
NTSTATUS RemovePsObject(PHid_RemovePsObjectPacket Packet, USHORT Size)
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
|
||||
if (size != sizeof(Hid_RemoveAllPsObjectsPacket))
|
||||
if (Size != sizeof(Hid_RemovePsObjectPacket))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
|
||||
// Perform packet
|
||||
|
||||
switch (packet->objType)
|
||||
switch (Packet->objType)
|
||||
{
|
||||
case PsExcludedObject:
|
||||
status = RemoveExcludedImage(Packet->id);
|
||||
break;
|
||||
case PsProtectedObject:
|
||||
status = RemoveProtectedImage(Packet->id);
|
||||
break;
|
||||
default:
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS RemoveAllPsObjects(PHid_RemoveAllPsObjectsPacket Packet, USHORT Size)
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
|
||||
if (Size != sizeof(Hid_RemoveAllPsObjectsPacket))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
|
||||
// Perform packet
|
||||
|
||||
switch (Packet->objType)
|
||||
{
|
||||
case PsExcludedObject:
|
||||
status = RemoveAllExcludedImages();
|
||||
@ -248,7 +312,7 @@ NTSTATUS RemoveAllPsObjects(PHid_RemoveAllPsObjectsPacket packet, USHORT size)
|
||||
status = RemoveAllProtectedImages();
|
||||
break;
|
||||
default:
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", packet->objType);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Unsupported object type: %u\n", Packet->objType);
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
@ -260,11 +324,12 @@ NTSTATUS IrpDeviceControlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
PIO_STACK_LOCATION irpStack;
|
||||
Hid_StatusPacket result;
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
PVOID inputBuffer, outputBuffer;
|
||||
ULONG ioctl, inputBufferSize, outputBufferSize, outputBufferMaxSize;
|
||||
PVOID inputBuffer, outputBuffer, outputData;
|
||||
ULONG ioctl, inputBufferSize, outputBufferSize, outputBufferMaxSize,
|
||||
outputDataMaxSize, outputDataSize;
|
||||
|
||||
UNREFERENCED_PARAMETER(DeviceObject);
|
||||
|
||||
|
||||
// Get irp information
|
||||
|
||||
irpStack = IoGetCurrentIrpStackLocation(Irp);
|
||||
@ -273,7 +338,9 @@ NTSTATUS IrpDeviceControlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
inputBuffer = outputBuffer = Irp->AssociatedIrp.SystemBuffer;
|
||||
inputBufferSize = irpStack->Parameters.DeviceIoControl.InputBufferLength;
|
||||
outputBufferMaxSize = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
|
||||
outputBufferSize = 0;
|
||||
outputBufferSize = 0;
|
||||
outputDataSize = 0;
|
||||
outputDataMaxSize = 0;
|
||||
|
||||
RtlZeroMemory(&result, sizeof(result));
|
||||
|
||||
@ -285,6 +352,15 @@ NTSTATUS IrpDeviceControlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
goto EndProc;
|
||||
}
|
||||
|
||||
// Prepare additional buffer for output data
|
||||
outputData = (PVOID)((UINT_PTR)outputBuffer + sizeof(result));
|
||||
outputDataMaxSize = outputBufferMaxSize - sizeof(result);
|
||||
|
||||
// Important Limitation:
|
||||
// Because both input (inputBuffer) and output data (outputData) are located in the same buffer there is a limitation for the output
|
||||
// buffer usage. When a ioctl handler is executing, it can use the input buffer only until first write to the output buffer, because
|
||||
// when you put data to the output buffer you can overwrite data in input buffer. Therefore if you gonna use both an input and output
|
||||
// data in the same time you should make the copy of input data and work with it.
|
||||
switch (ioctl)
|
||||
{
|
||||
// Reg/Fs
|
||||
@ -302,10 +378,11 @@ NTSTATUS IrpDeviceControlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
result.status = AddPsObject((PHid_AddPsObjectPacket)inputBuffer, (USHORT)inputBufferSize, &result.info.id);
|
||||
break;
|
||||
case HID_IOCTL_GET_OBJECT_STATE:
|
||||
result.status = (ULONG)STATUS_NOT_IMPLEMENTED;
|
||||
outputDataSize = outputDataMaxSize;
|
||||
result.status = GetPsObjectInfo((PHid_SetPsObjectInfoPacket)inputBuffer, (USHORT)inputBufferSize, outputData, &outputDataSize);
|
||||
break;
|
||||
case HID_IOCTL_SET_OBJECT_STATE:
|
||||
result.status = (ULONG)STATUS_NOT_IMPLEMENTED;
|
||||
result.status = SetPsObjectInfo((PHid_SetPsObjectInfoPacket)inputBuffer, (USHORT)inputBufferSize);
|
||||
break;
|
||||
case HID_IOCTL_REMOVE_OBJECT:
|
||||
result.status = RemovePsObject((PHid_RemovePsObjectPacket)inputBuffer, (USHORT)inputBufferSize);
|
||||
@ -313,7 +390,7 @@ NTSTATUS IrpDeviceControlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
case HID_IOCTL_REMOVE_ALL_OBJECTS:
|
||||
result.status = RemoveAllPsObjects((PHid_RemoveAllPsObjectsPacket)inputBuffer, (USHORT)inputBufferSize);
|
||||
break;
|
||||
|
||||
//
|
||||
default:
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": unknown IOCTL code:%08x\n", ioctl);
|
||||
status = STATUS_INVALID_PARAMETER;
|
||||
@ -322,6 +399,19 @@ NTSTATUS IrpDeviceControlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
|
||||
EndProc:
|
||||
|
||||
// If additional output data has been presented
|
||||
if (NT_SUCCESS(status) && outputDataSize > 0)
|
||||
{
|
||||
if (outputDataSize > outputDataMaxSize)
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": An internal error that looks like stack corruption!\n");
|
||||
outputDataSize = outputDataMaxSize;
|
||||
result.status = (ULONG)STATUS_PARTIAL_COPY;
|
||||
}
|
||||
|
||||
result.dataSize = outputDataSize;
|
||||
}
|
||||
|
||||
// Copy result to output buffer
|
||||
if (NT_SUCCESS(status))
|
||||
{
|
||||
|
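Review bot: In GetPsObjectInfo the final copy has its arguments reversed: `RtlCopyMemory(Packet, OutPacket, sizeof(Hid_GetPsObjectInfoPacket));` takes the destination first, so it overwrites the input packet with whatever is in the output area and the caller never receives the `enable`/`inheritType` values just stored; it should read `RtlCopyMemory(OutPacket, Packet, sizeof(Hid_GetPsObjectInfoPacket));`. Because IrpDeviceControlHandler places `outputData` inside the same system buffer as the input, the bytes reported back to user mode are whatever that buffer already held at that offset, which may include memory the caller never supplied, so this is worth treating as a possible information leak and not only a functional bug. The function also stores the uninitialised locals `enable` and `inheritType` and sets `*OutSize` even when `GetExcludedProcessState`/`GetProtectedProcessState` fails; adding `if (!NT_SUCCESS(status)) return status;` right after the switch avoids that. Separately, `outputDataMaxSize = outputBufferMaxSize - sizeof(result);` wraps around unless the check above that hunk (not visible here) already guarantees `outputBufferMaxSize >= sizeof(result)`, and the later `outputDataSize > outputDataMaxSize` test only runs after the handler has written.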
@ -40,7 +40,7 @@ enum Hid_ObjectTypes {
|
||||
|
||||
typedef struct _Hid_HideObjectPacket {
|
||||
unsigned short objType;
|
||||
unsigned short size;
|
||||
unsigned short dataSize;
|
||||
} Hid_HideObjectPacket, *PHid_HideObjectPacket;
|
||||
|
||||
typedef struct _Hid_UnhideObjectPacket {
|
||||
@ -58,11 +58,22 @@ typedef struct _Hid_UnhideAllObjectsPacket {
|
||||
|
||||
typedef struct _Hid_AddPsObjectPacket {
|
||||
unsigned short objType;
|
||||
unsigned short size;
|
||||
unsigned short dataSize;
|
||||
unsigned short inheritType;
|
||||
unsigned short reserved;
|
||||
} Hid_AddPsObjectPacket, *PHid_AddPsObjectPacket;
|
||||
|
||||
typedef struct _Hid_GetPsObjectInfoPacket {
|
||||
unsigned short objType;
|
||||
unsigned short inheritType;
|
||||
unsigned short enable;
|
||||
unsigned short reserved;
|
||||
unsigned long procId;
|
||||
} Hid_GetPsObjectInfoPacket, *PHid_GetPsObjectInfoPacket;
|
||||
|
||||
typedef Hid_GetPsObjectInfoPacket Hid_SetPsObjectInfoPacket;
|
||||
typedef Hid_GetPsObjectInfoPacket* PHid_SetPsObjectInfoPacket;
|
||||
|
||||
typedef struct _Hid_RemovePsObjectPacket {
|
||||
unsigned short objType;
|
||||
unsigned short reserved;
|
||||
@ -78,6 +89,7 @@ typedef struct _Hid_RemoveAllPsObjectsPacket {
|
||||
|
||||
typedef struct _Hid_StatusPacket {
|
||||
unsigned int status;
|
||||
unsigned int dataSize;
|
||||
union {
|
||||
unsigned long long id;
|
||||
unsigned long state;
|
||||
|
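Review bot: The renamed `dataSize` fields carry the length the driver trusts for its bounds checks, yet nothing in the structs states the unit or what is counted. From the other files in this commit, the field in Hid_HideObjectPacket and Hid_AddPsObjectPacket is a byte count of the trailing path including its terminator (the library stores `(len + 1) * sizeof(wchar_t)` and the driver divides by `sizeof(WCHAR)`), so a comment such as `unsigned short dataSize; // size in bytes of the path that follows the header, terminator included` would pin that down. The new `unsigned int dataSize` in Hid_StatusPacket has the same name but, judging by the handler, means the size of the extra output data after the status packet; it deserves its own comment, e.g. `// size in bytes of optional data following this packet, 0 if none`. Adding that field also shifts the union in a structure shared by driver and library, which looks like it requires both to be rebuilt together since no version field is visible here.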
@ -61,7 +61,6 @@
|
||||
<ResourceCompile Include="Hidden.rc" />
|
||||
<ClCompile Include="ExcludeList.c" />
|
||||
<ClCompile Include="Driver.c" />
|
||||
<Inf Include="Hidden.inf" />
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<ProjectGuid>{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}</ProjectGuid>
|
||||
|
@ -18,11 +18,6 @@
|
||||
<Extensions>inf;inv;inx;mof;mc;</Extensions>
|
||||
</Filter>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Inf Include="FsFilter1.inf">
|
||||
<Filter>Driver Files</Filter>
|
||||
</Inf>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="ExcludeList.c">
|
||||
<Filter>Source Files</Filter>
|
||||
@ -48,9 +43,12 @@
|
||||
<ClCompile Include="PsTable.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="PsRules.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ResourceCompile Include="FsFilter1.rc">
|
||||
<ResourceCompile Include="Hidden.rc">
|
||||
<Filter>Resource Files</Filter>
|
||||
</ResourceCompile>
|
||||
</ItemGroup>
|
||||
@ -86,5 +84,13 @@
|
||||
<ClInclude Include="PsTable.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="PsRules.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Inf Include="Hidden.inf">
|
||||
<Filter>Driver Files</Filter>
|
||||
</Inf>
|
||||
</ItemGroup>
|
||||
</Project>
|
@ -17,13 +17,13 @@ PsRulesContext g_protectProcessRules;
|
||||
|
||||
CONST PWCHAR g_excludeProcesses[] = {
|
||||
//L"\\??\\C:\\Windows\\System32\\calc.exe",
|
||||
L"\\??\\C:\\Windows\\System32\\cmd.exe",
|
||||
L"\\??\\C:\\Windows\\System32\\reg.exe",
|
||||
//L"\\??\\C:\\Windows\\System32\\cmd.exe",
|
||||
//L"\\??\\C:\\Windows\\System32\\reg.exe",
|
||||
NULL
|
||||
};
|
||||
|
||||
CONST PWCHAR g_protectProcesses[] = {
|
||||
L"\\??\\C:\\Windows\\System32\\calc.exe",
|
||||
//L"\\??\\C:\\Windows\\System32\\calc.exe",
|
||||
//L"\\??\\C:\\Windows\\System32\\cmd.exe",
|
||||
//L"\\??\\C:\\Windows\\System32\\csrss.exe",
|
||||
//L"\\??\\C:\\Windows\\System32\\services.exe",
|
||||
|
@ -7,7 +7,7 @@
|
||||
#include "..\\Hidden\DeviceAPI.h"
|
||||
|
||||
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
|
||||
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
|
||||
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
|
||||
|
||||
typedef struct _HidContextInternal {
|
||||
HANDLE hdevice;
|
||||
@ -66,7 +66,7 @@ HidStatus SendIoctlHideObjectPacket(PHidContextInternal context, wchar_t* path,
|
||||
total = (len + 1) * sizeof(wchar_t);
|
||||
size = sizeof(Hid_HideObjectPacket) + total;
|
||||
hide = (PHid_HideObjectPacket)_alloca(size);
|
||||
hide->size = total;
|
||||
hide->dataSize = total;
|
||||
hide->objType = type;
|
||||
|
||||
memcpy((char*)hide + sizeof(Hid_HideObjectPacket), path, total);
|
||||
|
@ -15,35 +15,6 @@ typedef unsigned long long HidObjId;
|
||||
HidStatus Hid_Initialize(PHidContext pcontext);
|
||||
void Hid_Destroy(HidContext context);
|
||||
|
||||
/*#define HID_IOCTL_SET_DRIVER_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 0), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_GET_DRIVER_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 1), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_HIDDEN_REG_KEY CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 10), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_HIDDEN_REG_KEY CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 11), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_HIDDEN_REG_KEYS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 12), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_HIDDEN_REG_VALUE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 20), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_HIDDEN_REG_VALUE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 21), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_HIDDEN_REG_VALUES CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 22), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_HIDDEN_FILE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 30), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_HIDDEN_FILE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 31), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_HIDDEN_FILES CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 32), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_HIDDEN_DIR CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 40), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_HIDDEN_DIR CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 41), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_HIDDEN_DIRS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 42), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_PROTECTED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 50), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_ATTACH_PROTECTED_EXE_PID CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 51), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_PROTECTED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 52), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_PROTECTED_EXE_PATHS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 53), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
|
||||
#define HID_IOCTL_ADD_EXCLUDED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 54), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_ATTACH_EXCLUDED_EXE_PID CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 55), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_EXCLUDED_EXE_PATH CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 56), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
||||
#define HID_IOCTL_REMOVE_ALL_EXCLUDED_EXE_PATHS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 57), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)*/
|
||||
|
||||
HidStatus Hid_SetState(HidContext context, int state);
|
||||
HidStatus Hid_GetState(HidContext context, int* pstate);
|
||||
|
||||
|