Major changes
- Fixed BSOD on driver deinitialization step - Fixed resource leak in the reg filter - Fixed path normalization function - Added support for inherit type in predefined process monitor configs - Added support for opening protected processes by subsystem - Added tests for protected processes and other minor fixes
This commit is contained in:
parent
8a7929b310
commit
98014e750e
@ -4,7 +4,7 @@
|
||||
#include "Device.h"
|
||||
#include "DeviceAPI.h"
|
||||
|
||||
|
||||
BOOLEAN g_deviceInited = FALSE;
|
||||
PDEVICE_OBJECT g_deviceObject = NULL;
|
||||
|
||||
// =========================================================================================
|
||||
@ -453,6 +453,7 @@ NTSTATUS InitializeDevice(PDRIVER_OBJECT DriverObject)
|
||||
DriverObject->MajorFunction[IRP_MJ_CLEANUP] = IrpDeviceCleanup;
|
||||
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IrpDeviceControlHandler;
|
||||
g_deviceObject = deviceObject;
|
||||
g_deviceInited = TRUE;
|
||||
|
||||
return status;
|
||||
}
|
||||
@ -462,11 +463,16 @@ NTSTATUS DestroyDevice()
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
UNICODE_STRING dosDeviceName = RTL_CONSTANT_STRING(DOS_DEVICES_LINK_NAME);
|
||||
|
||||
if (!g_deviceInited)
|
||||
return STATUS_NOT_FOUND;
|
||||
|
||||
status = IoDeleteSymbolicLink(&dosDeviceName);
|
||||
if (!NT_SUCCESS(status))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": symbolic link deletion failed with code:%08x\n", status);
|
||||
|
||||
IoDeleteDevice(g_deviceObject);
|
||||
|
||||
g_deviceInited = FALSE;
|
||||
|
||||
return status;
|
||||
}
|
||||
|
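Review bot: DestroyDevice clears g_deviceInited after IoDeleteDevice but leaves g_deviceObject pointing at the deleted device object; add `g_deviceObject = NULL;` next to `g_deviceInited = FALSE;` so nothing can later reach the stale pointer through the global. Returning the IoDeleteSymbolicLink status after the device has already been deleted also means a caller that retries on failure gets STATUS_NOT_FOUND the second time; consider logging the link failure and returning STATUS_SUCCESS once teardown has completed. InitializeDevice's body starts outside the hunk, so whether every earlier failure path returns before `g_deviceInited = TRUE` cannot be confirmed from here.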
@ -49,6 +49,7 @@ CONST FLT_REGISTRATION FilterRegistration = {
|
||||
NULL // NormalizeNameComponent
|
||||
};
|
||||
|
||||
BOOLEAN g_fsMonitorInited = FALSE;
|
||||
PFLT_FILTER gFilterHandle = NULL;
|
||||
|
||||
ExcludeContext g_excludeFileContext;
|
||||
@ -68,19 +69,6 @@ CONST PWCHAR g_excludeDirs[] = {
|
||||
NULL
|
||||
};
|
||||
|
||||
NTSTATUS DestroyFSMiniFilter()
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Entered %d\n", (UINT32)KeGetCurrentIrql());
|
||||
|
||||
FltUnregisterFilter(gFilterHandle);
|
||||
gFilterHandle = NULL;
|
||||
|
||||
DestroyExcludeListContext(g_excludeFileContext);
|
||||
DestroyExcludeListContext(g_excludeDirectoryContext);
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS FilterSetup(PCFLT_RELATED_OBJECTS FltObjects, FLT_INSTANCE_SETUP_FLAGS Flags, DEVICE_TYPE VolumeDeviceType, FLT_FILESYSTEM_TYPE VolumeFilesystemType)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(FltObjects);
|
||||
@ -799,15 +787,40 @@ NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject)
|
||||
status = FltStartFiltering(gFilterHandle);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't start filtering, code:%08x\n", status);
|
||||
FltUnregisterFilter(gFilterHandle);
|
||||
}
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Completed status:%08x\n", status);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DestroyExcludeListContext(g_excludeFileContext);
|
||||
DestroyExcludeListContext(g_excludeDirectoryContext);
|
||||
return status;
|
||||
}
|
||||
|
||||
g_fsMonitorInited = TRUE;
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS DestroyFSMiniFilter()
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Entered %d\n", (UINT32)KeGetCurrentIrql());
|
||||
|
||||
if (!g_fsMonitorInited)
|
||||
return STATUS_NOT_FOUND;
|
||||
|
||||
FltUnregisterFilter(gFilterHandle);
|
||||
gFilterHandle = NULL;
|
||||
|
||||
DestroyExcludeListContext(g_excludeFileContext);
|
||||
DestroyExcludeListContext(g_excludeDirectoryContext);
|
||||
g_fsMonitorInited = FALSE;
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS AddHiddenFile(PUNICODE_STRING FilePath, PULONGLONG ObjId)
|
||||
{
|
||||
const USHORT maxBufSize = FilePath->Length + NORMALIZE_INCREAMENT;
|
||||
|
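Review bot: The FltStartFiltering failure path in InitializeFSMiniFilter calls FltUnregisterFilter but leaves gFilterHandle set, unlike DestroyFSMiniFilter which now nulls it; add `gFilterHandle = NULL;` directly after that FltUnregisterFilter call so the stale handle cannot be unregistered a second time. Because g_fsMonitorInited stays FALSE on that path DestroyFSMiniFilter returns early, so the double-unregister is only reachable if something else consults gFilterHandle, but it is cheap to close. The final `if (!NT_SUCCESS(status))` block destroys both exclude contexts for any failure, which presumes every failure occurring before the contexts were created has already returned; that earlier part of the function is outside the hunk and cannot be confirmed here.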
@ -53,6 +53,6 @@ NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffe
|
||||
NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE ProcessId, PVOID* InfoBuffer, PSIZE_T InfoSize);
|
||||
VOID FreeInformation(PVOID Buffer);
|
||||
|
||||
#define NORMALIZE_INCREAMENT (USHORT)64
|
||||
#define NORMALIZE_INCREAMENT (USHORT)128
|
||||
|
||||
NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized);
|
||||
|
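Review bot: NORMALIZE_INCREAMENT is a USHORT and is added to FilePath->Length (also a USHORT) at the top of AddHiddenFile in the FsFilter hunk, `const USHORT maxBufSize = FilePath->Length + NORMALIZE_INCREAMENT;`, so the int sum is truncated when stored back into the USHORT and a Length above `MAXUSHORT - NORMALIZE_INCREAMENT` yields a normalization buffer far smaller than the path. Raising the increment from 64 to 128 widens that window slightly. If FilePath can arrive from user mode, reject lengths above `MAXUSHORT - NORMALIZE_INCREAMENT` before computing the size, and give the macro a comment stating that it is the extra room the normalized path may need beyond the input length.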
@ -7,6 +7,7 @@
|
||||
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
|
||||
#define SYSTEM_PROCESS_ID (HANDLE)4
|
||||
|
||||
BOOLEAN g_psMonitorInited = FALSE;
|
||||
PVOID g_obRegCallback = NULL;
|
||||
|
||||
OB_OPERATION_REGISTRATION g_regOperation[2];
|
||||
@ -15,20 +16,71 @@ OB_CALLBACK_REGISTRATION g_regCallback;
|
||||
PsRulesContext g_excludeProcessRules;
|
||||
PsRulesContext g_protectProcessRules;
|
||||
|
||||
typedef struct _ProcessListEntry {
|
||||
LPCWSTR path;
|
||||
ULONG inherit;
|
||||
} ProcessListEntry, *PProcessListEntry;
|
||||
|
||||
// Use this variable for hard code full path to applications that can see hidden objects
|
||||
// For instance: L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc.exe",
|
||||
// Notice: this array should be NULL terminated
|
||||
CONST PWCHAR g_excludeProcesses[] = {
|
||||
NULL
|
||||
CONST ProcessListEntry g_excludeProcesses[] = {
|
||||
{ NULL, 0 }
|
||||
};
|
||||
|
||||
// Use this variable for hard code full path to applications that will be protected
|
||||
// For instance: L"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe",
|
||||
// Notice: this array should be NULL terminated
|
||||
CONST PWCHAR g_protectProcesses[] = {
|
||||
NULL
|
||||
CONST ProcessListEntry g_protectProcesses[] = {
|
||||
{ NULL, 0 }
|
||||
};
|
||||
|
||||
#define CSRSS_PAHT_BUFFER_SIZE 256
|
||||
|
||||
UNICODE_STRING g_csrssPath;
|
||||
WCHAR g_csrssPathBuffer[CSRSS_PAHT_BUFFER_SIZE];
|
||||
|
||||
BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
|
||||
{
|
||||
ProcessTableEntry srcInfo, destInfo;
|
||||
|
||||
if (Source == Destination)
|
||||
return FALSE;
|
||||
|
||||
destInfo.processId = Destination;
|
||||
if (!GetProcessInProcessTable(&destInfo))
|
||||
return FALSE;
|
||||
|
||||
srcInfo.processId = Source;
|
||||
if (!GetProcessInProcessTable(&srcInfo))
|
||||
return FALSE;
|
||||
|
||||
// Not-inited process can open any process (parent, csrss, etc)
|
||||
if (!destInfo.inited)
|
||||
{
|
||||
// Update if source is subsystem and destination isn't inited
|
||||
if (srcInfo.subsystem)
|
||||
{
|
||||
destInfo.inited = TRUE;
|
||||
if (!UpdateProcessInProcessTable(&destInfo))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't update initial state for process: %d\n", destInfo.processId);
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (!destInfo.protected)
|
||||
return FALSE;
|
||||
|
||||
if (srcInfo.protected)
|
||||
return FALSE;
|
||||
|
||||
if (srcInfo.subsystem)
|
||||
return FALSE;
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
OB_PREOP_CALLBACK_STATUS ProcessPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(RegistrationContext);
|
||||
@ -36,16 +88,13 @@ OB_PREOP_CALLBACK_STATUS ProcessPreCallback(PVOID RegistrationContext, POB_PRE_O
|
||||
if (OperationInformation->KernelHandle)
|
||||
return OB_PREOP_SUCCESS;
|
||||
|
||||
if (!IsProcessProtected(PsGetProcessId(OperationInformation->Object)))
|
||||
return OB_PREOP_SUCCESS;
|
||||
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! Process: %d(%d:%d), Oper: %s, Space: %s\n",
|
||||
// PsGetProcessId(OperationInformation->Object), PsGetCurrentProcessId(), PsGetCurrentThreadId(),
|
||||
// (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE ? "create" : "dup"),
|
||||
// (OperationInformation->KernelHandle ? "kernel" : "user")
|
||||
//);
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! Process: %d(%d:%d), Oper: %s, Space: %s\n",
|
||||
PsGetProcessId(OperationInformation->Object), PsGetCurrentProcessId(), PsGetCurrentThreadId(),
|
||||
(OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE ? "create" : "dup"),
|
||||
(OperationInformation->KernelHandle ? "kernel" : "user")
|
||||
);
|
||||
|
||||
if (IsProcessProtected(PsGetCurrentProcessId()))
|
||||
if (!CheckProtectedOperation(PsGetCurrentProcessId(), PsGetProcessId(OperationInformation->Object)))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected process %d\n", PsGetCurrentProcessId());
|
||||
return OB_PREOP_SUCCESS;
|
||||
@ -68,16 +117,13 @@ OB_PREOP_CALLBACK_STATUS ThreadPreCallback(PVOID RegistrationContext, POB_PRE_OP
|
||||
if (OperationInformation->KernelHandle)
|
||||
return OB_PREOP_SUCCESS;
|
||||
|
||||
if (!IsProcessProtected(PsGetProcessId(OperationInformation->Object)))
|
||||
return OB_PREOP_SUCCESS;
|
||||
//DbgPrint("FsFilter1!" __FUNCTION__ ": Thread: %d(%d:%d), Oper: %s, Space: %s\n",
|
||||
// PsGetThreadId(OperationInformation->Object), PsGetCurrentProcessId(), PsGetCurrentThreadId(),
|
||||
// (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE ? "create" : "dup"),
|
||||
// (OperationInformation->KernelHandle ? "kernel" : "user")
|
||||
//);
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Thread: %d(%d:%d), Oper: %s, Space: %s\n",
|
||||
PsGetThreadId(OperationInformation->Object), PsGetCurrentProcessId(), PsGetCurrentThreadId(),
|
||||
(OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE ? "create" : "dup"),
|
||||
(OperationInformation->KernelHandle ? "kernel" : "user")
|
||||
);
|
||||
|
||||
if (IsProcessProtected(PsGetCurrentProcessId()))
|
||||
if (!CheckProtectedOperation(PsGetCurrentProcessId(), PsGetProcessId(OperationInformation->Object)))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected thread %d\n", PsGetCurrentProcessId());
|
||||
return OB_PREOP_SUCCESS;
|
||||
@ -100,6 +146,9 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
|
||||
|
||||
RtlZeroMemory(&lookup, sizeof(lookup));
|
||||
|
||||
Entry->inited = (!g_psMonitorInited ? TRUE : FALSE);
|
||||
Entry->subsystem = RtlEqualUnicodeString(&g_csrssPath, ImgPath, TRUE);
|
||||
|
||||
// Check exclude flag
|
||||
|
||||
Entry->excluded = FALSE;
|
||||
@ -242,12 +291,31 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
||||
{
|
||||
const USHORT maxBufSize = 512;
|
||||
NTSTATUS status;
|
||||
UNICODE_STRING str, normalized;
|
||||
UNICODE_STRING str, normalized, csrss;
|
||||
UINT32 i;
|
||||
PsRuleEntryId ruleId;
|
||||
|
||||
UNREFERENCED_PARAMETER(DriverObject);
|
||||
|
||||
// Set csrss path
|
||||
|
||||
RtlZeroMemory(g_csrssPathBuffer, sizeof(g_csrssPathBuffer));
|
||||
g_csrssPath.Buffer = g_csrssPathBuffer;
|
||||
g_csrssPath.Length = 0;
|
||||
g_csrssPath.MaximumLength = sizeof(g_csrssPathBuffer);
|
||||
|
||||
RtlInitUnicodeString(&csrss, L"\\SystemRoot\\System32\\csrss.exe");
|
||||
status = NormalizeDevicePath(&csrss, &g_csrssPath);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": subsystem path normalization failed with code:%08x\n", status);
|
||||
return status;
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": subsystem path: %wZ\n", &g_csrssPath);
|
||||
|
||||
// Init normalization buffer
|
||||
|
||||
normalized.Buffer = (PWCH)ExAllocatePool(NonPagedPool, maxBufSize);
|
||||
normalized.Length = 0;
|
||||
normalized.MaximumLength = maxBufSize;
|
||||
@ -260,27 +328,28 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
||||
// Initialize and fill exclude file\dir lists
|
||||
|
||||
// exclude
|
||||
|
||||
status = InitializePsRuleListContext(&g_excludeProcessRules);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": exclude process rules initialization failed with code:%08x\n", status);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": excluded process rules initialization failed with code:%08x\n", status);
|
||||
ExFreePool(normalized.Buffer);
|
||||
return status;
|
||||
}
|
||||
|
||||
for (i = 0; g_excludeProcesses[i]; i++)
|
||||
for (i = 0; g_excludeProcesses[i].path; i++)
|
||||
{
|
||||
RtlInitUnicodeString(&str, g_excludeProcesses[i]);
|
||||
RtlInitUnicodeString(&str, g_excludeProcesses[i].path);
|
||||
|
||||
status = NormalizeDevicePath(&str, &normalized);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": normalized exclude %wZ\n", &normalized);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": normalized excluded %wZ\n", &normalized);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, &str);
|
||||
continue;
|
||||
}
|
||||
|
||||
AddRuleToPsRuleList(g_excludeProcessRules, &normalized, PsRuleTypeWithoutInherit, &ruleId);
|
||||
AddRuleToPsRuleList(g_excludeProcessRules, &normalized, g_excludeProcesses[i].inherit, &ruleId);
|
||||
}
|
||||
|
||||
// protected
|
||||
@ -288,25 +357,25 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
||||
status = InitializePsRuleListContext(&g_protectProcessRules);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": exclude process rules initialization failed with code:%08x\n", status);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": protected process rules initialization failed with code:%08x\n", status);
|
||||
DestroyPsRuleListContext(g_excludeProcessRules);
|
||||
ExFreePool(normalized.Buffer);
|
||||
return status;
|
||||
}
|
||||
|
||||
for (i = 0; g_protectProcesses[i]; i++)
|
||||
for (i = 0; g_protectProcesses[i].path; i++)
|
||||
{
|
||||
RtlInitUnicodeString(&str, g_protectProcesses[i]);
|
||||
RtlInitUnicodeString(&str, g_protectProcesses[i].path);
|
||||
|
||||
status = NormalizeDevicePath(&str, &normalized);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": normalized exclude %wZ\n", &normalized);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": normalized protected %wZ\n", &normalized);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, &str);
|
||||
continue;
|
||||
}
|
||||
|
||||
AddRuleToPsRuleList(g_protectProcessRules, &normalized, PsRuleTypeWithoutInherit, &ruleId);
|
||||
AddRuleToPsRuleList(g_protectProcessRules, &normalized, g_protectProcesses[i].inherit, &ruleId);
|
||||
}
|
||||
|
||||
status = InitializeProcessTable(CheckProcessFlags);
|
||||
@ -320,6 +389,8 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
||||
|
||||
ExFreePool(normalized.Buffer);
|
||||
|
||||
g_psMonitorInited = TRUE;
|
||||
|
||||
// Register ps\thr pre create\duplicate object callback
|
||||
|
||||
g_regOperation[0].ObjectType = PsProcessType;
|
||||
@ -361,6 +432,9 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
||||
|
||||
NTSTATUS DestroyPsMonitor()
|
||||
{
|
||||
if (!g_psMonitorInited)
|
||||
return STATUS_ALREADY_DISCONNECTED;
|
||||
|
||||
if (g_obRegCallback)
|
||||
{
|
||||
ObUnRegisterCallbacks(g_obRegCallback);
|
||||
@ -373,6 +447,7 @@ NTSTATUS DestroyPsMonitor()
|
||||
DestroyPsRuleListContext(g_protectProcessRules);
|
||||
|
||||
DestroyProcessTable();
|
||||
g_psMonitorInited = FALSE;
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
@ -407,8 +482,6 @@ NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, PULONGL
|
||||
ExFreePool(normalized.Buffer);
|
||||
|
||||
return status;
|
||||
//DbgPrint("FsFilter1!" __FUNCTION__ ": protect image: %wZ\n", ImagePath);
|
||||
//return AddRuleToPsRuleList(g_protectProcessRules, ImagePath, InheritType, ObjId);
|
||||
}
|
||||
|
||||
NTSTATUS GetProtectedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable)
|
||||
|
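Review bot: ThreadPreCallback still derives the target process with `PsGetProcessId(OperationInformation->Object)` in the new CheckProtectedOperation call, but the object handed to a PsThreadType callback is a thread, as the debug print right above it acknowledges by calling PsGetThreadId on the same pointer; the owning process should come from `PsGetThreadProcessId(OperationInformation->Object)`, otherwise the comparison uses a value that is not a process id and thread-handle protection silently does not apply. The same call appears in the old line this hunk replaces, so it is inherited rather than introduced, but the new protection path now depends on it. Separately, the DbgPrint that was commented out before this change now runs unconditionally for every user-mode thread and process handle operation (the ProcessPreCallback hunk has the same change), which is costly in a hot callback; move it after the CheckProtectedOperation early return or guard it. In the CheckProtectedOperation hunk the comment `// Not-inited process can open any process (parent, csrss, etc)` says the opposite of the check beneath it, which lets any source open a destination that is not yet inited; `// Any process may open a destination that is not yet inited (parent, csrss, etc)` matches the code. Both callback bodies continue outside their hunks.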
@ -3,8 +3,8 @@
|
||||
|
||||
#define PSTREE_ALLOC_TAG 'rTsP'
|
||||
|
||||
RTL_AVL_TABLE g_processTable;
|
||||
KSPIN_LOCK g_processTableLock;
|
||||
RTL_AVL_TABLE g_processTable;
|
||||
KSPIN_LOCK g_processTableLock;
|
||||
|
||||
RTL_GENERIC_COMPARE_RESULTS CompareProcessTableEntry(struct _RTL_AVL_TABLE *Table, PVOID FirstStruct, PVOID SecondStruct)
|
||||
{
|
||||
@ -179,6 +179,9 @@ NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEnt
|
||||
if (entry.protected)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": protected process:%d\n", entry.processId);
|
||||
|
||||
if (entry.subsystem)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": subsystem process:%d\n", entry.processId);
|
||||
|
||||
// Go to next
|
||||
|
||||
FreeInformation(procName);
|
||||
|
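Review bot: The new subsystem trace in InitializeProcessTable prints `entry.processId` with `%d`, but processId is declared as a HANDLE in PsTable.h, so the format does not match the pointer-sized argument; write `DbgPrint("FsFilter1!" __FUNCTION__ ": subsystem process:%d\n", HandleToULong(entry.processId));`. The protected-process line it is modeled on, and the update-failure print in CheckProtectedOperation, have the same mismatch and can be fixed the same way. The enclosing loop starts and ends outside the hunk.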
@ -1,9 +1,8 @@
|
||||
#pragma once
|
||||
|
||||
#include <Ntddk.h>
|
||||
#include "PsTable.h"
|
||||
|
||||
typedef struct _ProcessTableEntry{
|
||||
typedef struct _ProcessTableEntry {
|
||||
HANDLE processId;
|
||||
|
||||
BOOLEAN excluded;
|
||||
@ -12,6 +11,9 @@ typedef struct _ProcessTableEntry{
|
||||
BOOLEAN protected;
|
||||
ULONG inheritProtection;
|
||||
|
||||
BOOLEAN subsystem;
|
||||
BOOLEAN inited;
|
||||
|
||||
} ProcessTableEntry, *PProcessTableEntry;
|
||||
|
||||
NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEntry, PCUNICODE_STRING, HANDLE));
|
||||
|
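Review bot: The two new ProcessTableEntry fields carry no comment, and their meaning is only discoverable by reading CheckProcessFlags and CheckProtectedOperation in PsMonitor.c. Suggest `BOOLEAN subsystem; // image path equals the normalized csrss.exe path` and `BOOLEAN inited;    // set at monitor start for pre-existing processes, or once a subsystem process has opened this one`. The struct continues past the hunk boundary, so the existing fields above and below are not visible here.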
@ -8,6 +8,8 @@
|
||||
|
||||
#define FILTER_ALLOC_TAG 'FRlF'
|
||||
|
||||
BOOLEAN g_regFilterInited = FALSE;
|
||||
|
||||
ExcludeContext g_excludeRegKeyContext;
|
||||
ExcludeContext g_excludeRegValueContext;
|
||||
|
||||
@ -602,6 +604,7 @@ NTSTATUS InitializeRegistryFilter(PDRIVER_OBJECT DriverObject)
|
||||
return status;
|
||||
}
|
||||
|
||||
g_regFilterInited = TRUE;
|
||||
return status;
|
||||
}
|
||||
|
||||
@ -609,10 +612,18 @@ NTSTATUS DestroyRegistryFilter()
|
||||
{
|
||||
NTSTATUS status;
|
||||
|
||||
if (!g_regFilterInited)
|
||||
return STATUS_NOT_FOUND;
|
||||
|
||||
status = CmUnRegisterCallback(g_regCookie);
|
||||
if (!NT_SUCCESS(status))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Registry filter unregistration failed with code:%08x\n", status);
|
||||
|
||||
DestroyExcludeListContext(g_excludeRegKeyContext);
|
||||
DestroyExcludeListContext(g_excludeRegValueContext);
|
||||
|
||||
g_regFilterInited = FALSE;
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
|
@ -35,9 +35,9 @@
|
||||
+ FS filter
|
||||
+ Reg filter
|
||||
+ Реализовать RemoveAllExcludeListEntries
|
||||
- Реализовать все ф-и Ps monitor
|
||||
- Добавить в библиотеку поддержку get\set state
|
||||
- Решить проблему с protected (возможно разрешить создавать такие процессы только из protected\system)
|
||||
+ Реализовать все ф-и Ps monitor
|
||||
+ Добавить в библиотеку поддержку get\set state
|
||||
+ Решить проблему с protected (возможно разрешить создавать такие процессы только из protected\system)
|
||||
- Реализовать IOCTL протокол управления
|
||||
+ Реализовать usermode библиотеку для работы с IOCTL API
|
||||
- Реализовать программу управления драйвером, средствами IOCTL API
|
||||
|
@ -39,13 +39,13 @@ CONST PWCHAR g_excludeRegValues[] = {
|
||||
};
|
||||
|
||||
CONST PWCHAR g_protectProcesses[] = {
|
||||
L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc.exe",
|
||||
L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc2.exe",
|
||||
L"c:\\Windows\\System32\\calc.exe",
|
||||
L"c:\\Windows\\System32\\calc2.exe",
|
||||
};
|
||||
|
||||
CONST PWCHAR g_excludeProcesses[] = {
|
||||
L"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe",
|
||||
L"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd2.exe",
|
||||
L"c:\\Windows\\System32\\cmd.exe",
|
||||
L"c:\\Windows\\System32\\cmd2.exe",
|
||||
};
|
||||
|
||||
int wmain(int argc, wchar_t *argv[])
|
||||
|
@ -400,7 +400,7 @@ void do_regmon_tests(HidContext context)
|
||||
hid_status = Hid_RemoveHiddenRegValue(context, objId[1]);
|
||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||
{
|
||||
wcout << L"Error, unhidden reg value hasn't been found, code: " << error_code << endl;
|
||||
wcout << L"Error, unhidden reg value hasn't been found, code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
@ -440,12 +440,195 @@ void do_regmon_tests(HidContext context)
|
||||
Hid_RemoveAllHiddenRegValues(context);
|
||||
}
|
||||
|
||||
void do_psmon_tests(HidContext context)
|
||||
void do_psmon_prot_tests(HidContext context)
|
||||
{
|
||||
HidStatus hid_status;
|
||||
unsigned int error_code;
|
||||
STARTUPINFOW si;
|
||||
PROCESS_INFORMATION pi;
|
||||
wchar_t path[] = L"c:\\windows\\system32\\calc.exe";
|
||||
HidObjId objId[3];
|
||||
HANDLE hproc = 0;
|
||||
HidActiveState state;
|
||||
HidPsInheritTypes inheritType;
|
||||
|
||||
wcout << L"--------------------------------" << endl;
|
||||
wcout << L"Process monitor prot tests result:" << endl;
|
||||
wcout << L"--------------------------------" << endl;
|
||||
|
||||
try
|
||||
{
|
||||
//TODO:
|
||||
// test 1: create proc, protect, check, unprotect
|
||||
|
||||
wcout << L"Test 1: create process, protect, check, unprotect" << endl;
|
||||
|
||||
memset(&si, 0, sizeof(si));
|
||||
memset(&pi, 0, sizeof(pi));
|
||||
si.cb = sizeof(si);
|
||||
|
||||
wcout << L"step" << 1 << endl;
|
||||
|
||||
hid_status = Hid_GetProtectedState(context, GetCurrentProcessId(), &state, &inheritType);
|
||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||
{
|
||||
wcout << L"Error, can't get self state, code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
if (state != HidActiveState::StateDisabled)
|
||||
{
|
||||
wcout << L"Error, state isn't StateDisabled, state: " << state << " " << inheritType << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
wcout << L"step" << 2 << endl;
|
||||
hid_status = Hid_AttachProtectedState(context, GetCurrentProcessId(), HidPsInheritTypes::WithoutInherit);
|
||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||
{
|
||||
wcout << L"Error, can't protect self image, code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
hid_status = Hid_GetProtectedState(context, GetCurrentProcessId(), &state, &inheritType);
|
||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||
{
|
||||
wcout << L"Error, can't get self status, code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
if (state != HidActiveState::StateEnabled || inheritType != HidPsInheritTypes::WithoutInherit)
|
||||
{
|
||||
wcout << L"Error, state isn't StateEnabled, state: " << state << " " << inheritType << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
wcout << L"step" << 3 << endl;
|
||||
hid_status = Hid_AddProtectedImage(context, path, HidPsInheritTypes::WithoutInherit, &objId[1]);
|
||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||
{
|
||||
wcout << L"Error, can't protect image, code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
wcout << L"step" << 3 << endl;
|
||||
//hid_status = Hid_AttachProtectedState(context, 420, HidPsInheritTypes::WithoutInherit);
|
||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||
{
|
||||
wcout << L"Error, can't protect csrss image, code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
|
||||
wcout << L"step" << 4 << endl;
|
||||
if (!CreateProcessW(NULL, path, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
|
||||
{
|
||||
error_code = GetLastError();
|
||||
wcout << L"Error, CreateProcessW() failed with code: " << error_code << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
wcout << L"step" << 5 << endl;
|
||||
CloseHandle(pi.hThread);
|
||||
|
||||
hid_status = Hid_RemoveProtectedState(context, GetCurrentProcessId());
|
||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||
{
|
||||
wcout << L"Error, can't can't remove self protection, code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
wcout << L"step" << 6 << endl;
|
||||
hproc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pi.dwProcessId);
|
||||
if (!hproc)
|
||||
{
|
||||
error_code = GetLastError();
|
||||
wcout << L"Error, OpenProcess() failed with code: " << error_code << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
wcout << L"step" << 7 << endl;
|
||||
if (VirtualAllocEx(hproc, 0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE))
|
||||
{
|
||||
wcout << L"Error, process protection doesn't work" << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
CloseHandle(hproc);
|
||||
hproc = 0;
|
||||
|
||||
wcout << L"step" << 8 << endl;
|
||||
hid_status = Hid_RemoveProtectedImage(context, objId[1]);
|
||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||
{
|
||||
wcout << L"Error, can't remove protected rule, code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
hid_status = Hid_RemoveProtectedState(context, pi.dwProcessId);
|
||||
if (!HID_STATUS_SUCCESSFUL(hid_status))
|
||||
{
|
||||
wcout << L"Error, can't unprotect image, code: " << HID_STATUS_CODE(hid_status) << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
hproc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pi.dwProcessId);
|
||||
if (!hproc)
|
||||
{
|
||||
error_code = GetLastError();
|
||||
wcout << L"Error, OpenProcess() failed with code " << error_code << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
if (!VirtualAllocEx(hproc, 0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE))
|
||||
{
|
||||
error_code = GetLastError();
|
||||
wcout << L"Error, VirtualAllocEx() failed with code: " << error_code << endl;
|
||||
throw exception();
|
||||
}
|
||||
|
||||
CloseHandle(hproc);
|
||||
hproc = 0;
|
||||
|
||||
wcout << L" successful!" << endl;
|
||||
|
||||
|
||||
}
|
||||
catch (exception&)
|
||||
{
|
||||
wcout << L" failed!" << endl;
|
||||
}
|
||||
|
||||
if (hproc)
|
||||
CloseHandle(hproc);
|
||||
|
||||
if (pi.hProcess)
|
||||
{
|
||||
CloseHandle(hproc);
|
||||
TerminateProcess(pi.hProcess, 0);
|
||||
}
|
||||
|
||||
Hid_RemoveAllProtectedImages(context);
|
||||
}
|
||||
|
||||
void do_psmon_excl_tests(HidContext context)
|
||||
{
|
||||
//HidStatus hid_status;
|
||||
|
||||
wcout << L"--------------------------------" << endl;
|
||||
wcout << L"Process monitor tests result:" << endl;
|
||||
wcout << L"Process monitor excl tests result:" << endl;
|
||||
wcout << L"--------------------------------" << endl;
|
||||
|
||||
try
|
||||
{
|
||||
|
||||
}
|
||||
catch (exception&)
|
||||
{
|
||||
wcout << L" failed!" << endl;
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
int wmain(int argc, wchar_t* argv[])
|
||||
@ -464,7 +647,8 @@ int wmain(int argc, wchar_t* argv[])
|
||||
|
||||
do_fsmon_tests(hid_context);
|
||||
do_regmon_tests(hid_context);
|
||||
do_psmon_tests(hid_context);
|
||||
do_psmon_prot_tests(hid_context);
|
||||
do_psmon_excl_tests(hid_context);
|
||||
|
||||
//Hid_Destroy(hid_context);
|
||||
|
||||
|
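Review bot: In the cleanup at the end of do_psmon_prot_tests the `if (pi.hProcess)` block calls `CloseHandle(hproc)`, but hproc was already closed and zeroed by the block just above, so the child's process handle is never released and the call is a no-op on a null handle; change it to `TerminateProcess(pi.hProcess, 0); CloseHandle(pi.hProcess);`. The second "step 3" block re-checks the hid_status left over from Hid_AddProtectedImage because the Hid_AttachProtectedState call it was meant to test is commented out, so its "can't protect csrss image" branch can never fire on its own input; either restore the call or drop the block, and renumber the step so the log does not print step 3 twice. do_psmon_excl_tests has an empty try body that prints nothing on success, so a run that reaches it reports neither pass nor fail; a `wcout << L" successful!" << endl;` placeholder would make the output consistent with the other test groups.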