Added Get\Set ps state ability

Fixed issue with DeviceIOControl output
Fixed issues in the PsRule & PsTable

Hidden/Device.c

@@ -238,7 +238,7 @@ NTSTATUS GetPsObjectInfo(PHid_GetPsObjectInfoPacket Packet, USHORT Size, PHid_Ge
 	Packet->enable = (USHORT)enable;
 	Packet->inheritType = (USHORT)inheritType;
 	
-	RtlCopyMemory(Packet, OutPacket, sizeof(Hid_GetPsObjectInfoPacket));
+	RtlCopyMemory(OutPacket, Packet, sizeof(Hid_GetPsObjectInfoPacket));
 	*OutSize = sizeof(Hid_GetPsObjectInfoPacket);
 
 	return status;
@@ -404,7 +404,7 @@ EndProc:
 	{
 		if (outputDataSize > outputDataMaxSize)
 		{
-			DbgPrint("FsFilter1!" __FUNCTION__ ": An internal error that looks like stack corruption!\n");
+			DbgPrint("FsFilter1!" __FUNCTION__ ": An internal error that looks like a stack corruption!\n");
 			outputDataSize = outputDataMaxSize;
 			result.status = (ULONG)STATUS_PARTIAL_COPY;
 		}
@@ -415,7 +415,7 @@ EndProc:
 	// Copy result to output buffer
 	if (NT_SUCCESS(status)) 
 	{
-		outputBufferSize = sizeof(result);
+		outputBufferSize = sizeof(result) + outputDataSize;
 		RtlCopyMemory(outputBuffer, &result, sizeof(result));
 	}
 

Hidden/PsRules.c

@@ -98,8 +98,9 @@ NTSTATUS AddRuleToPsRuleList(PsRulesContext RuleContext, PUNICODE_STRING ImgPath
 	RtlCopyUnicodeString(&entry->imagePath, ImgPath);
 
 	KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle);
-	buf = RtlInsertElementGenericTableAvl(&context->table, entry, entryLen, &newElem);
 	guid = context->idCounter++;
+	entry->guid = guid;
+	buf = RtlInsertElementGenericTableAvl(&context->table, entry, entryLen, &newElem);
 	KeReleaseInStackQueuedSpinLock(&lockHandle);
 
 	if (!buf)

Hidden/PsTable.c

@@ -89,7 +89,7 @@ BOOLEAN UpdateProcessInProcessTable(PProcessTableEntry entry)
 
 	entry2 = (PProcessTableEntry)RtlLookupElementGenericTableAvl(&g_processTable, entry);
 
-	if (!entry2)
+	if (entry2)
 		RtlCopyMemory(entry2, entry, sizeof(ProcessTableEntry));
 
 	KeReleaseInStackQueuedSpinLock(&lockHandle);

HiddenLib/HiddenLib.cpp

@@ -425,6 +425,71 @@ HidStatus SendIoctl_RemoveAllPsObjectsPacket(PHidContextInternal context, unsign
 	return HID_SET_STATUS(TRUE, 0);
 }
 
+HidStatus SendIoctl_GetPsStatePacket(PHidContextInternal context, HidProcId procId, unsigned short type, HidActiveState* state, HidPsInheritTypes* inheritType)
+{
+	char buffer[sizeof(Hid_StatusPacket) + sizeof(Hid_GetPsObjectInfoPacket)];
+	PHid_GetPsObjectInfoPacket info;
+	PHid_StatusPacket result;
+	DWORD returned;
+
+	memset(buffer, 0, sizeof(buffer));
+
+	info = (PHid_GetPsObjectInfoPacket)buffer;
+	info->objType = type;
+	info->procId = procId;
+
+	// Send IOCTL to device
+
+	if (!DeviceIoControl(context->hdevice, HID_IOCTL_GET_OBJECT_STATE, info, sizeof(Hid_GetPsObjectInfoPacket), &buffer, sizeof(buffer), &returned, NULL))
+		return HID_SET_STATUS(FALSE, GetLastError());
+
+	// Check result
+
+	if (returned < sizeof(Hid_StatusPacket))
+		return HID_SET_STATUS(FALSE, ERROR_INVALID_BLOCK_LENGTH);
+
+	result = (PHid_StatusPacket)buffer;
+	info = (PHid_GetPsObjectInfoPacket)(buffer + sizeof(Hid_StatusPacket));
+
+	if (!NT_SUCCESS(result->status))
+		return HID_SET_STATUS(FALSE, result->status);
+
+	if (returned != sizeof(Hid_StatusPacket) + sizeof(Hid_GetPsObjectInfoPacket))
+		return HID_SET_STATUS(FALSE, ERROR_INVALID_BLOCK_LENGTH);
+
+	*state = (info->enable ? HidActiveState::StateEnabled : HidActiveState::StateDisabled);
+	*inheritType = (HidPsInheritTypes)info->inheritType;
+
+	return HID_SET_STATUS(TRUE, 0);
+}
+
+HidStatus SendIoctl_SetPsStatePacket(PHidContextInternal context, HidProcId procId, unsigned short type, HidActiveState state, HidPsInheritTypes inheritType)
+{
+	Hid_SetPsObjectInfoPacket info;
+	Hid_StatusPacket result;
+	DWORD returned;
+
+	info.objType = type;
+	info.procId = procId;
+	info.enable = (state == HidActiveState::StateEnabled);
+	info.inheritType = inheritType;
+
+	// Send IOCTL to device
+
+	if (!DeviceIoControl(context->hdevice, HID_IOCTL_SET_OBJECT_STATE, &info, sizeof(info), &result, sizeof(result), &returned, NULL))
+		return HID_SET_STATUS(FALSE, GetLastError());
+
+	// Check result
+
+	if (returned != sizeof(result))
+		return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
+
+	if (!NT_SUCCESS(result.status))
+		return HID_SET_STATUS(FALSE, result.status);
+
+	return HID_SET_STATUS(TRUE, 0);
+}
+
 // Control interface
 
 HidStatus Hid_SetState(HidContext context, HidActiveState state)
@@ -454,7 +519,6 @@ HidStatus Hid_AddHiddenRegKey(HidContext context, HidRegRootTypes root, const wc
 	FreeNormalizedPath(normalized);
 
 	return status;
-	//return SendIoctl_HideObjectPacket((PHidContextInternal)context, regKey, RegKeyObject, objId);
 }
 
 HidStatus Hid_RemoveHiddenRegKey(HidContext context, HidObjId objId)
@@ -480,7 +544,6 @@ HidStatus Hid_AddHiddenRegValue(HidContext context, HidRegRootTypes root, const
 	FreeNormalizedPath(normalized);
 
 	return status;
-	//return SendIoctl_HideObjectPacket((PHidContextInternal)context, regValue, RegValueObject, objId);
 }
 
 HidStatus Hid_RemoveHiddenRegValue(HidContext context, HidObjId objId)
@@ -574,17 +637,17 @@ HidStatus Hid_RemoveAllExcludedImages(HidContext context)
 
 HidStatus Hid_GetExcludedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType)
 {
-	return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED);
+	return SendIoctl_GetPsStatePacket((PHidContextInternal)context, procId, PsExcludedObject, state, inheritType);
 }
 
 HidStatus Hid_AttachExcludedState(HidContext context, HidProcId procId, HidPsInheritTypes inheritType)
 {
-	return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED);
+	return SendIoctl_SetPsStatePacket((PHidContextInternal)context, procId, PsExcludedObject, HidActiveState::StateEnabled, inheritType);
 }
 
 HidStatus Hid_RemoveExcludedState(HidContext context, HidProcId procId)
 {
-	return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED);
+	return SendIoctl_SetPsStatePacket((PHidContextInternal)context, procId, PsExcludedObject, HidActiveState::StateDisabled, HidPsInheritTypes::WithoutInherit);
 }
 
 // Process protect interface
@@ -616,15 +679,15 @@ HidStatus Hid_RemoveAllProtectedImages(HidContext context)
 
 HidStatus Hid_GetProtectedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType)
 {
-	return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED);
+	return SendIoctl_GetPsStatePacket((PHidContextInternal)context, procId, PsProtectedObject, state, inheritType);
 }
 
 HidStatus Hid_AttachProtectedState(HidContext context, HidProcId procId, HidPsInheritTypes inheritType)
 {
-	return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED);
+	return SendIoctl_SetPsStatePacket((PHidContextInternal)context, procId, PsProtectedObject, HidActiveState::StateEnabled, inheritType);
 }
 
 HidStatus Hid_RemoveProtectedState(HidContext context, HidProcId procId)
 {
-	return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED);
+	return SendIoctl_SetPsStatePacket((PHidContextInternal)context, procId, PsProtectedObject, HidActiveState::StateDisabled, HidPsInheritTypes::WithoutInherit);
 }

HiddenLib/HiddenLib.h

@@ -5,7 +5,7 @@ typedef unsigned long long HidStatus;
 #define HID_STATUS_SUCCESSFUL(status)                     (status & 1)
 #define HID_STATUS_CODE(status)             (unsigned int)(status >> 1)
 
-#define HID_SET_STATUS(state, code)   (unsigned long long)(code << 1 | (state ? 1 : 0))
+#define HID_SET_STATUS(state, code)   (unsigned long long)((unsigned long long)code << 1 | (state ? 1 : 0))
 
 typedef void*       HidContext;
 typedef HidContext* PHidContext;
@@ -20,6 +20,8 @@ enum HidActiveState
 	StateEnabled
 };
 
+// Important note:
+// This enum should be equal to PsRuleInheritTypes (PsRules.h)
 enum HidPsInheritTypes
 {
 	WithoutInherit = 0,