HiddenCLI first steps

2016-12-04 22:27:46 +03:00 · 2016-12-04 22:27:46 +03:00 · 96c5e6eb40
parent 241e8bb296
commit 96c5e6eb40
12 changed files with 230 additions and 137 deletions
--- a/.gitignore
+++ b/.gitignore
@ -33,3 +33,5 @@
 /HiddenLib/x64/Release
 /HiddenTests/x64/Release/HiddenTests.tlog
 /HiddenTests/x64/Release
+/Hidden/Debug
+/Hidden/x64/Debug
--- a/Hidden.sln
+++ b/Hidden.sln
@ -58,7 +58,6 @@ Global
 		{D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93}.Release|x64.Deploy.0 = Release|x64
 		{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Debug|Win32.ActiveCfg = Debug|Win32
 		{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Debug|Win32.Build.0 = Debug|Win32
-		{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Debug|Win32.Deploy.0 = Debug|Win32
 		{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Debug|x64.ActiveCfg = Debug|x64
 		{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Debug|x64.Build.0 = Debug|x64
 		{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Debug|x64.Deploy.0 = Debug|x64
@ -70,7 +69,6 @@ Global
 		{EFECF76B-C3A8-4444-9314-70F72A0A48D8}.Release|x64.Deploy.0 = Release|x64
 		{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Debug|Win32.ActiveCfg = Debug|Win32
 		{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Debug|Win32.Build.0 = Debug|Win32
-		{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Debug|Win32.Deploy.0 = Debug|Win32
 		{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Debug|x64.ActiveCfg = Debug|x64
 		{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Debug|x64.Build.0 = Debug|x64
 		{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Debug|x64.Deploy.0 = Debug|x64
@ -82,7 +80,6 @@ Global
 		{E6A7AAAD-4877-4F05-A5A1-F42707895996}.Release|x64.Deploy.0 = Release|x64
 		{023C63A1-726C-48D9-AA17-E62A7EFD862D}.Debug|Win32.ActiveCfg = Debug|Win32
 		{023C63A1-726C-48D9-AA17-E62A7EFD862D}.Debug|Win32.Build.0 = Debug|Win32
-		{023C63A1-726C-48D9-AA17-E62A7EFD862D}.Debug|Win32.Deploy.0 = Debug|Win32
 		{023C63A1-726C-48D9-AA17-E62A7EFD862D}.Debug|x64.ActiveCfg = Debug|x64
 		{023C63A1-726C-48D9-AA17-E62A7EFD862D}.Debug|x64.Build.0 = Debug|x64
 		{023C63A1-726C-48D9-AA17-E62A7EFD862D}.Debug|x64.Deploy.0 = Debug|x64
--- a/Hidden/todo.txt
+++ b/Hidden/todo.txt
@ -42,10 +42,10 @@
 	+ Реализовать usermode библиотеку для работы с IOCTL API
 		+ Слинковать с IOCTL API lib
 + Добавить поддержку флага автоприсвоение состояния существующим процессам для Hid_AddExcludedImage\Hid_AddProtectedImage
- Проверить как ведёт себя файловый фильтр с файлами открытыми по ID или по короткому пути
+ Проверить как ведёт себя файловый фильтр с файлами открытыми по ID или по короткому пути
 - Реализовать HiddenCLI
 + Портировать драйвер под архитектуру x64
- Портировать под версии Windows 8, 8.1, 10
+ Портировать под версии Windows 8, 8.1, 10
 + Залить проект на Git
 	+ Переименовать проект драйвера в Hidden
 	+ Привести в порядок все версии билда Release, Debug, ...
@ -56,5 +56,6 @@
 		- Отреверсить установщик VMBox tools
 - Реализовать поддержку вкл\выкл драйвера
 - Реализовать steals mode
+- Реализовать поддержку загрузки дефольтных конфигов из реестра
 - Насодить на ETL и DbgPrintEx

--- a/HiddenCLI/Commands.cpp
+++ b/HiddenCLI/Commands.cpp
@ -0,0 +1,2 @@
+#include "Commands.h"
+
--- a/HiddenCLI/Commands.h
+++ b/HiddenCLI/Commands.h
@ -0,0 +1,9 @@
+#pragma once
+
+#include "Helper.h"
+
+class Commands
+{
+public:
+	Commands(Arguments& args){}
+};
--- a/HiddenCLI/Connection.cpp
+++ b/HiddenCLI/Connection.cpp
@ -0,0 +1,2 @@
+#include "Connection.h"
+
--- a/HiddenCLI/Connection.h
+++ b/HiddenCLI/Connection.h
@ -0,0 +1,9 @@
+#pragma once
+
+#include "Helper.h"
+
+class Connection
+{
+public:
+	Connection(Arguments& args){}
+};
--- a/HiddenCLI/Helper.cpp
+++ b/HiddenCLI/Helper.cpp
@ -0,0 +1,69 @@
+#include "helper.h"
+
+using namespace std;
+
+WException::WException(unsigned int Code, wchar_t* Format, ...) :
+	m_errorCode(Code)
+{
+	wchar_t buffer[256];
+
+	va_list args;
+	va_start(args, Format);
+	_vsnwprintf_s(buffer, _countof(buffer), _TRUNCATE, Format, args);
+	va_end(args);
+
+	m_errorMessage = buffer;
+}
+
+const wchar_t* WException::What()
+{
+	return m_errorMessage.c_str();
+}
+
+unsigned int WException::Code()
+{
+	return m_errorCode;
+}
+
+Arguments::Arguments(int argc, wchar_t* argv[]) :
+	m_argPointer(0)
+{
+	for (int i = 1; i < argc; i++)
+		m_arguments.push_back(argv[i]);
+}
+
+size_t Arguments::ArgsCount()
+{
+	return m_arguments.size();
+}
+
+bool Arguments::GetNext(wstring& arg)
+{
+	if (m_argPointer >= m_arguments.size())
+		return false;
+
+	arg = m_arguments[m_argPointer++];
+	return true;
+}
+
+Handle::Handle(HANDLE handle) : 
+	m_handle(handle), 
+	m_error(::GetLastError())
+{
+}
+
+Handle::~Handle()
+{
+	if (m_handle != INVALID_HANDLE_VALUE) 
+		::CloseHandle(m_handle);
+}
+
+HANDLE Handle::Get()
+{
+	return m_handle; 
+}
+
+DWORD Handle::Error()
+{
+	return m_error;
+}
--- a/HiddenCLI/Helper.h
+++ b/HiddenCLI/Helper.h
@ -0,0 +1,51 @@
+#pragma once
+
+#include <string>
+#include <vector>
+#include <stdio.h>
+#include <stdarg.h>
+#include <Windows.h>
+
+class WException
+{
+	std::wstring m_errorMessage;
+	unsigned int m_errorCode;
+
+public:
+
+	WException(unsigned int Code, wchar_t* Format, ...);
+
+	const wchar_t* What();
+	unsigned int Code();
+};
+
+class Arguments
+{
+	std::vector<std::wstring> m_arguments;
+	unsigned int    m_argPointer;
+
+public:
+
+	Arguments(int argc, wchar_t* argv[]);
+
+	size_t ArgsCount();
+
+	bool ProbNext(std::wstring& arg);
+	bool GetNext(std::wstring& arg);
+};
+
+class Handle
+{
+private:
+	DWORD m_error;
+	HANDLE m_handle;
+
+public:
+
+	Handle(HANDLE handle);
+	~Handle();
+
+	HANDLE Get();
+	DWORD Error();
+
+};
--- a/HiddenCLI/HiddenCLI.cpp
+++ b/HiddenCLI/HiddenCLI.cpp
@ -1,150 +1,40 @@
 #include <Windows.h>
 #include <iostream>
 #include <stdio.h>
+#include "Helper.h"
+#include "Connection.h"
+#include "Commands.h"

 #include "../HiddenLib/HiddenLib.h"

 using namespace std;

-// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-// !!!!! HiddenCLI ISN'T IMPLEMENTED YET, IT CONTAINS TEST CODE !!!!!
-// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-
-CONST PWCHAR g_excludeFiles[] = {
-//	L"c:\\Windows\\System32\\calc.exe",
-//	L"c:\\test.txt",
-//	L"c:\\abcd\\test.txt",
-	//L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc.exe",
-	L"\\??\\C:\\test.txt",
-	//L"c:\\Program Files\\VMware",
-};
-
-CONST PWCHAR g_excludeDirs[] = {
-	L"c:\\Program Files\\VMware",
-	L"c:\\ProgramData\\VMware",
-	L"c:\\Windows\\Temp\\vmware-SYSTEM",
-	L"c:\\Program Files\\Common Files\\VMware",
-};
-
-typedef struct _RegEntry {
-	HidRegRootTypes root;
-	LPWSTR path;
-} RegEntry, *PRegEntry;
-
-CONST RegEntry g_excludeRegKeys[] = {
-	{ RegHKLM, L"Software\\VMware, Inc." },
-	{ RegHKLM, L"System\\ControlSet001\\Control\\Print\\Monitors\\ThinPrint Print Port Monitor for VMWare" },
-	{ RegHKLM, L"System\\ControlSet002\\Control\\Print\\Monitors\\ThinPrint Print Port Monitor for VMWare" },
-	{ RegHKLM, L"System\\CurrentControlSet\\Control\\Print\\Monitors\\ThinPrint Print Port Monitor for VMWare" },
-	{ RegHKCU, L"Software\\VMware, Inc." },
-};
-
-CONST RegEntry g_excludeRegValues[] = {
-	{ RegHKLM, L"Hardware\\Description\\System\\BIOS\\SystemManufacturer" },
-	{ RegHKLM, L"Hardware\\Description\\System\\BIOS\\SystemProductName" },
-};
-
-CONST PWCHAR g_protectProcesses[] = {
-	L"c:\\Windows\\System32\\calc.exe",
-	L"c:\\Windows\\System32\\calc2.exe",
-};
-
-CONST PWCHAR g_excludeProcesses[] = {
-	L"C:\\Windows\\System32\\Services.exe",
-	L"C:\\Windows\\System32\\csrss.exe",
-	L"C:\\Windows\\System32\\vssvc.exe",
-	L"C:\\Windows\\System32\\spoolsv.exe",
-	L"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
-	L"C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe",
-	L"C:\\Program Files\\VMware\\VMware Tools\\rpctool.exe",
-	L"C:\\Program Files\\VMware\\VMware Tools\\rvmSetup.exe",
-	L"C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnect.exe",
-	L"C:\\Program Files\\VMware\\VMware Tools\\TPVCGateway.exe",
-	L"C:\\Program Files\\VMware\\VMware Tools\\VMwareHgfsClient.exe",
-	L"C:\\Program Files\\VMware\\VMware Tools\\VMwareHostOpen.exe",
-	L"C:\\Program Files\\VMware\\VMware Tools\\VMwareResolutionSet.exe",
-	L"C:\\Program Files\\VMware\\VMware Tools\\VMwareToolboxCmd.exe",
-	L"C:\\Program Files\\VMware\\VMware Tools\\VMwareXferlogs.exe",
-	L"C:\\Program Files\\VMware\\VMware Tools\\zip.exe",
-};
-
-int wmain(int argc, wchar_t *argv[])
+int wmain(int argc, wchar_t* argv[])
 {
-	HidContext hid_context;
-	HidStatus  hid_status;
-	int count;
-
-	cout << "Start!" << endl;
-
-	hid_status = Hid_Initialize(&hid_context);
-	if (!HID_STATUS_SUCCESSFUL(hid_status))
+	try 
 	{
-		cout << "Error, HiddenLib initialization failed with code: " << HID_STATUS_CODE(hid_status) << endl;
-		return 1;
-	}
+		Arguments arguments(argc, argv);

-	// Load Reg Keys
-	count = _countof(g_excludeRegKeys);
-	for (int i = 0; i < count; i++)
+		if (!arguments.ArgsCount())
+			throw WException(
+				-2,
+				L"Welcome to HiddenCLI, please use 'hiddencli help'"
+			);
+
+		Connection connection(arguments);
+		Commands commands(arguments);
+
+	}
+	catch (WException& exception)
 	{
-		HidObjId objId;
-		hid_status = Hid_AddHiddenRegKey(hid_context, g_excludeRegKeys[i].root, g_excludeRegKeys[i].path, &objId);
-		if (!HID_STATUS_SUCCESSFUL(hid_status))
-			cout << "Error, Hid_AddHiddenRegKey failed with code: " << HID_STATUS_CODE(hid_status) << endl;
+		wcerr << exception.What() << endl;
+		return exception.Code();
 	}
-
-	// Load Reg Values
-	count = _countof(g_excludeRegValues);
-	for (int i = 0; i < count; i++)
+	catch (exception& exception)
 	{
-		HidObjId objId;
-		hid_status = Hid_AddHiddenRegValue(hid_context, g_excludeRegValues[i].root, g_excludeRegValues[i].path, &objId);
-		if (!HID_STATUS_SUCCESSFUL(hid_status))
-			cout << "Error, Hid_AddHiddenRegValue failed with code: " << HID_STATUS_CODE(hid_status) << endl;
+		cerr << exception.what() << endl;
+		return -1;
 	}

-	// Load Files
-	count = _countof(g_excludeFiles);
-	for (int i = 0; i < count; i++)
-	{
-		HidObjId objId;
-		hid_status = Hid_AddHiddenFile(hid_context, g_excludeFiles[i], &objId);
-		if (!HID_STATUS_SUCCESSFUL(hid_status))
-			cout << "Error, Hid_AddHiddenFile failed with code: " << HID_STATUS_CODE(hid_status) << endl;
-	}
-
-	// Load Dirs
-	count = _countof(g_excludeDirs);
-	for (int i = 0; i < count; i++)
-	{
-		HidObjId objId;
-		hid_status = Hid_AddHiddenDir(hid_context, g_excludeDirs[i], &objId);
-		if (!HID_STATUS_SUCCESSFUL(hid_status))
-			cout << "Error, Hid_AddHiddenDir failed with code: " << HID_STATUS_CODE(hid_status) << endl;
-	}
-
-	// Load excluded processes
-	count = _countof(g_excludeProcesses);
-	for (int i = 0; i < count; i++)
-	{
-		HidObjId objId;
-		hid_status = Hid_AddExcludedImage(hid_context, g_excludeProcesses[i], WithoutInherit, TRUE, &objId);
-		if (!HID_STATUS_SUCCESSFUL(hid_status))
-			cout << "Error, Hid_AddExcludedImage failed with code: " << HID_STATUS_CODE(hid_status) << endl;
-	}
-
-	// Load protected processes
-	count = _countof(g_protectProcesses);
-	for (int i = 0; i < count; i++)
-	{
-		HidObjId objId;
-		hid_status = Hid_AddProtectedImage(hid_context, g_protectProcesses[i], WithoutInherit, TRUE, &objId);
-		if (!HID_STATUS_SUCCESSFUL(hid_status))
-			cout << "Error, Hid_AddProtectedImage failed with code: " << HID_STATUS_CODE(hid_status) << endl;
-	}
-
-	Hid_Destroy(hid_context);
-	cout << "Completed!" << endl;
-
 	return 0;
 }
--- a/HiddenCLI/HiddenCLI.vcxproj
+++ b/HiddenCLI/HiddenCLI.vcxproj
@ -151,8 +151,19 @@
    </Link>
  </ItemDefinitionGroup>
  <ItemGroup>
+    <ClCompile Include="Commands.cpp" />
+    <ClCompile Include="Connection.cpp" />
+    <ClCompile Include="Helper.cpp" />
    <ClCompile Include="HiddenCLI.cpp" />
  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="Commands.h" />
+    <ClInclude Include="Connection.h" />
+    <ClInclude Include="Helper.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <Text Include="cli.txt" />
+  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
  </ImportGroup>
--- a/HiddenCLI/cli.txt
+++ b/HiddenCLI/cli.txt
@ -0,0 +1,50 @@
+
+hiddencli [connection] <command>
+
+connection:
+
+commands:
+
+	hide <file|dir|regval|regkey> <%path%>
+		Hide filesystem or registry object by path
+		
+	unhide <file|dir|regval|regkey> all
+		Unhide all filesystem or registry object by selected type
+	
+	unhide <file|dir|regval|regkey> <%ruleid%>
+		Unhide all filesystem or registry object by selected type and rule ID
+
+
+	ignore image [inherit:<none|always|once>] [apply:<fornew|forall>] <%path%>
+		Set rule that allows to see hidden filesystem and registry objects for processes with specific image path
+		
+	unignore <%ruleid%>
+		Remove rule that allows to see hidden filesystem and registry objects by rule ID
+		
+	unignore all
+		Remove all rules that allow to see hidden filesystem and registry objects
+	
+	ignore pid [inherit:<none|always|once>] <%pid%>
+		Turn on abillity to see hidden filesystem and registry objects for specific process by PID
+		
+	unignore pid <%pid%>
+		Turn off abillity to see hidden filesystem and registry objects for specific process by PID
+
+
+	protect image [inherit:<none|always|once>] [apply:<fornew|forall>] <%path%>
+		Set rule that allows to enable process protection for processes with specific image path
+	
+	unprotect <%ruleid%>
+		Remove rule that enables process protection by rule ID
+	
+	unprotect all
+		Remove all rules that enable process protection
+
+	protect pid [inherit:<none|always|once>] <%pid%>
+		Turn on protection for specific process by PID
+		
+	unprotect pid <%pid%>
+		Turn off protection for specific process by PID
+
+	query <%pid%>
+		Query information about state of the process by PID