diff --git a/Hidden/Device.c b/Hidden/Device.c
index 3961d4e..908765b 100644
--- a/Hidden/Device.c
+++ b/Hidden/Device.c
@@ -4,7 +4,7 @@
 #include "Device.h"
 #include "DeviceAPI.h"
-
+BOOLEAN g_deviceInited = FALSE;
 PDEVICE_OBJECT g_deviceObject = NULL;
 // =========================================================================================
@@ -453,6 +453,7 @@ NTSTATUS InitializeDevice(PDRIVER_OBJECT DriverObject)
 DriverObject->MajorFunction[IRP_MJ_CLEANUP] = IrpDeviceCleanup;
 DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IrpDeviceControlHandler;
 g_deviceObject = deviceObject;
+ g_deviceInited = TRUE;
 return status;
 }
@@ -462,11 +463,16 @@ NTSTATUS DestroyDevice()
 NTSTATUS status = STATUS_SUCCESS;
 UNICODE_STRING dosDeviceName = RTL_CONSTANT_STRING(DOS_DEVICES_LINK_NAME);
+ if (!g_deviceInited)
+ return STATUS_NOT_FOUND;
+
 status = IoDeleteSymbolicLink(&dosDeviceName);
 if (!NT_SUCCESS(status))
 DbgPrint("FsFilter1!" __FUNCTION__ ": symbolic link deletion failed with code:%08x\n", status);
 IoDeleteDevice(g_deviceObject);
+ g_deviceInited = FALSE;
+
 return status;
 }
diff --git a/Hidden/FsFilter.c b/Hidden/FsFilter.c
index 6590d79..b523af5 100644
--- a/Hidden/FsFilter.c
+++ b/Hidden/FsFilter.c
@@ -49,6 +49,7 @@ CONST FLT_REGISTRATION FilterRegistration = {
 NULL // NormalizeNameComponent
 };
+BOOLEAN g_fsMonitorInited = FALSE;
 PFLT_FILTER gFilterHandle = NULL;
 ExcludeContext g_excludeFileContext;
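Review bot: In DestroyDevice the new `g_deviceInited = FALSE;` only guards re-entry into this function, while `IoDeleteDevice(g_deviceObject)` leaves `g_deviceObject` pointing at the freed device object for anything else in the driver that tests it. Clear the pointer together with the flag: `IoDeleteDevice(g_deviceObject); g_deviceObject = NULL;`. Whether other code reads g_deviceObject after unload is outside this hunk, but the file already treats NULL as "no device" at declaration time, so the reset is consistent.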
@@ -68,19 +69,6 @@ CONST PWCHAR g_excludeDirs[] = {
 NULL
 };
-NTSTATUS DestroyFSMiniFilter()
-{
- DbgPrint("FsFilter1!" __FUNCTION__ ": Entered %d\n", (UINT32)KeGetCurrentIrql());
-
- FltUnregisterFilter(gFilterHandle);
- gFilterHandle = NULL;
-
- DestroyExcludeListContext(g_excludeFileContext);
- DestroyExcludeListContext(g_excludeDirectoryContext);
-
- return STATUS_SUCCESS;
-}
-
 NTSTATUS FilterSetup(PCFLT_RELATED_OBJECTS FltObjects, FLT_INSTANCE_SETUP_FLAGS Flags, DEVICE_TYPE VolumeDeviceType, FLT_FILESYSTEM_TYPE VolumeFilesystemType)
 {
 UNREFERENCED_PARAMETER(FltObjects);
@@ -799,15 +787,40 @@ NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject)
 status = FltStartFiltering(gFilterHandle);
 if (!NT_SUCCESS(status))
 {
+ DbgPrint("FsFilter1!" __FUNCTION__ ": can't start filtering, code:%08x\n", status);
 FltUnregisterFilter(gFilterHandle);
 }
 }
- DbgPrint("FsFilter1!" __FUNCTION__ ": Completed status:%08x\n", status);
+ if (!NT_SUCCESS(status))
+ {
+ DestroyExcludeListContext(g_excludeFileContext);
+ DestroyExcludeListContext(g_excludeDirectoryContext);
+ return status;
+ }
+
+ g_fsMonitorInited = TRUE;
 return status;
 }
+NTSTATUS DestroyFSMiniFilter()
+{
+ DbgPrint("FsFilter1!" __FUNCTION__ ": Entered %d\n", (UINT32)KeGetCurrentIrql());
+
+ if (!g_fsMonitorInited)
+ return STATUS_NOT_FOUND;
+
+ FltUnregisterFilter(gFilterHandle);
+ gFilterHandle = NULL;
+
+ DestroyExcludeListContext(g_excludeFileContext);
+ DestroyExcludeListContext(g_excludeDirectoryContext);
+ g_fsMonitorInited = FALSE;
+
+ return STATUS_SUCCESS;
+}
+
 NTSTATUS AddHiddenFile(PUNICODE_STRING FilePath, PULONGLONG ObjId)
 {
 const USHORT maxBufSize = FilePath->Length + NORMALIZE_INCREAMENT;
diff --git a/Hidden/Helper.h b/Hidden/Helper.h
index a26c6b8..05a954d 100644
--- a/Hidden/Helper.h
+++ b/Hidden/Helper.h
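Review bot: In the `FltStartFiltering` failure path of InitializeFSMiniFilter, `FltUnregisterFilter(gFilterHandle)` is now followed by the new context teardown and early return, but `gFilterHandle` keeps the unregistered handle, unlike the relocated DestroyFSMiniFilter which nulls it right after the same call. Add `gFilterHandle = NULL;` after the unregister so later code in this file (AddHiddenFile begins at the hunk's last line) cannot mistake the stale handle for a live filter. The start of InitializeFSMiniFilter, where FltRegisterFilter and the exclude lists are set up, is outside the hunk, so it cannot be confirmed here that both contexts are always initialized when the new `DestroyExcludeListContext` calls run on the FltRegisterFilter error path.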
@@ -53,6 +53,6 @@ NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffe
 NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE ProcessId, PVOID* InfoBuffer, PSIZE_T InfoSize);
 VOID FreeInformation(PVOID Buffer);
-#define NORMALIZE_INCREAMENT (USHORT)64
+#define NORMALIZE_INCREAMENT (USHORT)128
 NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized);
diff --git a/Hidden/PsMonitor.c b/Hidden/PsMonitor.c
index 19226a3..4f22156 100644
--- a/Hidden/PsMonitor.c
+++ b/Hidden/PsMonitor.c
@@ -7,6 +7,7 @@
 #define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
 #define SYSTEM_PROCESS_ID (HANDLE)4
+BOOLEAN g_psMonitorInited = FALSE;
 PVOID g_obRegCallback = NULL;
 OB_OPERATION_REGISTRATION g_regOperation[2];
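Review bot: `NORMALIZE_INCREAMENT` is added to `FilePath->Length` and stored in a USHORT (`const USHORT maxBufSize = FilePath->Length + NORMALIZE_INCREAMENT;`, visible as context at the end of the FsFilter.c hunk), so raising it to 128 widens the range of lengths (now anything above 0xFF7F) for which the sum wraps to a tiny buffer. The callers should reject such lengths before the addition, e.g. `if (FilePath->Length > MAXUSHORT - NORMALIZE_INCREAMENT) return STATUS_INVALID_PARAMETER;`, which matters if FilePath is presumably handed in from user mode through the IOCTL API. A one-line comment on the define saying it is headroom for NormalizeDevicePath and must stay small relative to MAXUSHORT would document the constraint.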
@@ -15,20 +16,71 @@ OB_CALLBACK_REGISTRATION g_regCallback;
 PsRulesContext g_excludeProcessRules;
 PsRulesContext g_protectProcessRules;
+typedef struct _ProcessListEntry {
+ LPCWSTR path;
+ ULONG inherit;
+} ProcessListEntry, *PProcessListEntry;
+
 // Use this variable for hard code full path to applications that can see hidden objects
 // For instance: L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc.exe",
 // Notice: this array should be NULL terminated
-CONST PWCHAR g_excludeProcesses[] = {
- NULL
+CONST ProcessListEntry g_excludeProcesses[] = {
+ { NULL, 0 }
 };
 // Use this variable for hard code full path to applications that will be protected
 // For instance: L"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe",
 // Notice: this array should be NULL terminated
-CONST PWCHAR g_protectProcesses[] = {
- NULL
+CONST ProcessListEntry g_protectProcesses[] = {
+ { NULL, 0 }
 };
+#define CSRSS_PAHT_BUFFER_SIZE 256
+
+UNICODE_STRING g_csrssPath;
+WCHAR g_csrssPathBuffer[CSRSS_PAHT_BUFFER_SIZE];
+BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
+{
+ ProcessTableEntry srcInfo, destInfo;
+
+ if (Source == Destination)
+ return FALSE;
+
+ destInfo.processId = Destination;
+ if (!GetProcessInProcessTable(&destInfo))
+ return FALSE;
+
+ srcInfo.processId = Source;
+ if (!GetProcessInProcessTable(&srcInfo))
+ return FALSE;
+
+ // Not-inited process can open any process (parent, csrss, etc)
+ if (!destInfo.inited)
+ {
+ // Update if source is subsystem and destination isn't inited
+ if (srcInfo.subsystem)
+ {
+ destInfo.inited = TRUE;
+ if (!UpdateProcessInProcessTable(&destInfo))
+ DbgPrint("FsFilter1!" __FUNCTION__ ": can't update initial state for process: %d\n", destInfo.processId);
+ }
+
+ return FALSE;
+ }
+
+ if (!destInfo.protected)
+ return FALSE;
+
+ if (srcInfo.protected)
+ return FALSE;
+
+ if (srcInfo.subsystem)
+ return FALSE;
+
+ return TRUE;
+}
+
 OB_PREOP_CALLBACK_STATUS ProcessPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
 {
 UNREFERENCED_PARAMETER(RegistrationContext);
@@ -36,16 +88,13 @@ OB_PREOP_CALLBACK_STATUS ProcessPreCallback(PVOID RegistrationContext, POB_PRE_O
 if (OperationInformation->KernelHandle)
 return OB_PREOP_SUCCESS;
- if (!IsProcessProtected(PsGetProcessId(OperationInformation->Object)))
- return OB_PREOP_SUCCESS;
+ //DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! Process: %d(%d:%d), Oper: %s, Space: %s\n",
+ // PsGetProcessId(OperationInformation->Object), PsGetCurrentProcessId(), PsGetCurrentThreadId(),
+ // (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE ? "create" : "dup"),
+ // (OperationInformation->KernelHandle ? "kernel" : "user")
+ //);
- DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! Process: %d(%d:%d), Oper: %s, Space: %s\n",
- PsGetProcessId(OperationInformation->Object), PsGetCurrentProcessId(), PsGetCurrentThreadId(),
- (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE ? "create" : "dup"),
- (OperationInformation->KernelHandle ? "kernel" : "user")
- );
-
- if (IsProcessProtected(PsGetCurrentProcessId()))
+ if (!CheckProtectedOperation(PsGetCurrentProcessId(), PsGetProcessId(OperationInformation->Object)))
 {
 DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected process %d\n", PsGetCurrentProcessId());
 return OB_PREOP_SUCCESS;
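Review bot: `CheckProtectedOperation` fails open on a table miss for the caller: `if (!GetProcessInProcessTable(&srcInfo)) return FALSE;` allows the operation even when the destination is a protected, initialized process. For an unknown caller the safer default is to keep the protection, `return (destInfo.inited && destInfo.protected);`, and log the miss with the existing DbgPrint style. Whether the table can actually miss a live process depends on InitializeProcessTable and the process-creation path, both outside this hunk, so this may be theoretical today but the cost of failing closed there is nil. Worth a comment above the function that `inited` is flipped by the first csrss access, so any handle a third party obtains before that point is not subject to the protection.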
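Review bot: With the early `IsProcessProtected` return removed from ProcessPreCallback, the surviving `DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected process %d\n", PsGetCurrentProcessId());` now runs for every user-mode process handle create/duplicate on the machine, not just for protected targets, and its text is wrong for the common case. Drop it and keep the branch as just `return OB_PREOP_SUCCESS;`, or move the trace into CheckProtectedOperation's deny path where it is informative. The access-stripping tail of ProcessPreCallback is outside the hunk.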
@@ -68,16 +117,13 @@ OB_PREOP_CALLBACK_STATUS ThreadPreCallback(PVOID RegistrationContext, POB_PRE_OP
 if (OperationInformation->KernelHandle)
 return OB_PREOP_SUCCESS;
- if (!IsProcessProtected(PsGetProcessId(OperationInformation->Object)))
- return OB_PREOP_SUCCESS;
+ //DbgPrint("FsFilter1!" __FUNCTION__ ": Thread: %d(%d:%d), Oper: %s, Space: %s\n",
+ // PsGetThreadId(OperationInformation->Object), PsGetCurrentProcessId(), PsGetCurrentThreadId(),
+ // (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE ? "create" : "dup"),
+ // (OperationInformation->KernelHandle ? "kernel" : "user")
+ //);
- DbgPrint("FsFilter1!" __FUNCTION__ ": Thread: %d(%d:%d), Oper: %s, Space: %s\n",
- PsGetThreadId(OperationInformation->Object), PsGetCurrentProcessId(), PsGetCurrentThreadId(),
- (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE ? "create" : "dup"),
- (OperationInformation->KernelHandle ? "kernel" : "user")
- );
-
- if (IsProcessProtected(PsGetCurrentProcessId()))
+ if (!CheckProtectedOperation(PsGetCurrentProcessId(), PsGetProcessId(OperationInformation->Object)))
 {
 DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected thread %d\n", PsGetCurrentProcessId());
 return OB_PREOP_SUCCESS;
@@ -100,6 +146,9 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
 RtlZeroMemory(&lookup, sizeof(lookup));
+ Entry->inited = (!g_psMonitorInited ? TRUE : FALSE);
+ Entry->subsystem = RtlEqualUnicodeString(&g_csrssPath, ImgPath, TRUE);
+
 // Check exclude flag
 Entry->excluded = FALSE;
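Review bot: In ThreadPreCallback `OperationInformation->Object` is a thread object (the commented-out trace directly above passes it to `PsGetThreadId`), yet the new line hands it to `PsGetProcessId`, which expects a PEPROCESS; the resulting key is garbage, `GetProcessInProcessTable` misses, CheckProtectedOperation returns FALSE and thread handles to protected processes are never restricted. Use the owning process instead: `if (!CheckProtectedOperation(PsGetCurrentProcessId(), PsGetThreadProcessId((PETHREAD)OperationInformation->Object)))`. The pre-change line had the same mistake, so it is not a regression, but this rewrite is the place to fix it; the access-stripping tail of the function is outside the hunk.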
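Review bot: The two new assignments in CheckProcessFlags carry the whole trust decision for the subsystem bypass and deserve a comment, since `Entry->subsystem = RtlEqualUnicodeString(&g_csrssPath, ImgPath, TRUE);` treats any image whose normalized path matches the csrss path as the subsystem, with no other check. I would add `// Processes already running when the monitor starts count as initialized; later ones wait for their first csrss access` above the first line and `// Path match only: this is the trust anchor for the csrss bypass in CheckProtectedOperation` above the second. Stylistically `Entry->inited = !g_psMonitorInited;` says the same as the ternary. CheckProcessFlags continues outside the hunk.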
@@ -242,12 +291,31 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
 {
 const USHORT maxBufSize = 512;
 NTSTATUS status;
- UNICODE_STRING str, normalized;
+ UNICODE_STRING str, normalized, csrss;
 UINT32 i;
 PsRuleEntryId ruleId;
 UNREFERENCED_PARAMETER(DriverObject);
+ // Set csrss path
+
+ RtlZeroMemory(g_csrssPathBuffer, sizeof(g_csrssPathBuffer));
+ g_csrssPath.Buffer = g_csrssPathBuffer;
+ g_csrssPath.Length = 0;
+ g_csrssPath.MaximumLength = sizeof(g_csrssPathBuffer);
+
+ RtlInitUnicodeString(&csrss, L"\\SystemRoot\\System32\\csrss.exe");
+ status = NormalizeDevicePath(&csrss, &g_csrssPath);
+ if (!NT_SUCCESS(status))
+ {
+ DbgPrint("FsFilter1!" __FUNCTION__ ": subsystem path normalization failed with code:%08x\n", status);
+ return status;
+ }
+
+ DbgPrint("FsFilter1!" __FUNCTION__ ": subsystem path: %wZ\n", &g_csrssPath);
+
+ // Init normalization buffer
+
 normalized.Buffer = (PWCH)ExAllocatePool(NonPagedPool, maxBufSize);
 normalized.Length = 0;
 normalized.MaximumLength = maxBufSize;
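Review bot: `CSRSS_PAHT_BUFFER_SIZE` is a typo for `CSRSS_PATH_BUFFER_SIZE`, and the name hides the unit: it sizes a WCHAR array while `g_csrssPath.MaximumLength = sizeof(g_csrssPathBuffer)` is bytes, which is correct but worth a comment such as `// WCHARs; MaximumLength below is in bytes`. The hard-coded `L"\\SystemRoot\\System32\\csrss.exe"` becomes the sole trust anchor for the subsystem bypass after normalization, so the `// Set csrss path` comment should say so and note that it is resolved once at load time. The unchecked `ExAllocatePool` on the hunk's context line predates this change, and the rest of InitializePsMonitor is outside the hunk.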
@@ -260,27 +328,28 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
 // Initialize and fill exclude file\dir lists
 // exclude
+
 status = InitializePsRuleListContext(&g_excludeProcessRules);
 if (!NT_SUCCESS(status))
 {
- DbgPrint("FsFilter1!" __FUNCTION__ ": exclude process rules initialization failed with code:%08x\n", status);
+ DbgPrint("FsFilter1!" __FUNCTION__ ": excluded process rules initialization failed with code:%08x\n", status);
 ExFreePool(normalized.Buffer);
 return status;
 }
- for (i = 0; g_excludeProcesses[i]; i++)
+ for (i = 0; g_excludeProcesses[i].path; i++)
 {
- RtlInitUnicodeString(&str, g_excludeProcesses[i]);
+ RtlInitUnicodeString(&str, g_excludeProcesses[i].path);
 status = NormalizeDevicePath(&str, &normalized);
- DbgPrint("FsFilter1!" __FUNCTION__ ": normalized exclude %wZ\n", &normalized);
+ DbgPrint("FsFilter1!" __FUNCTION__ ": normalized excluded %wZ\n", &normalized);
 if (!NT_SUCCESS(status))
 {
 DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, &str);
 continue;
 }
- AddRuleToPsRuleList(g_excludeProcessRules, &normalized, PsRuleTypeWithoutInherit, &ruleId);
+ AddRuleToPsRuleList(g_excludeProcessRules, &normalized, g_excludeProcesses[i].inherit, &ruleId);
 }
 // protected
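Review bot: The rewritten `AddRuleToPsRuleList(g_excludeProcessRules, &normalized, g_excludeProcesses[i].inherit, &ruleId);` still discards its return value, so a hard-coded exclusion that fails to register is silently dropped and the driver starts with a weaker rule set than configured. Capture it and report: `status = AddRuleToPsRuleList(...); if (!NT_SUCCESS(status)) DbgPrint("FsFilter1!" __FUNCTION__ ": can't add excluded rule, code:%08x\n", status);`. The `normalized excluded %wZ` trace is also printed before the status check, so on a normalization failure it prints the previous iteration's buffer; move it under the `NT_SUCCESS` check.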
@@ -288,25 +357,25 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
 status = InitializePsRuleListContext(&g_protectProcessRules);
 if (!NT_SUCCESS(status))
 {
- DbgPrint("FsFilter1!" __FUNCTION__ ": exclude process rules initialization failed with code:%08x\n", status);
+ DbgPrint("FsFilter1!" __FUNCTION__ ": protected process rules initialization failed with code:%08x\n", status);
 DestroyPsRuleListContext(g_excludeProcessRules);
 ExFreePool(normalized.Buffer);
 return status;
 }
- for (i = 0; g_protectProcesses[i]; i++)
+ for (i = 0; g_protectProcesses[i].path; i++)
 {
- RtlInitUnicodeString(&str, g_protectProcesses[i]);
+ RtlInitUnicodeString(&str, g_protectProcesses[i].path);
 status = NormalizeDevicePath(&str, &normalized);
- DbgPrint("FsFilter1!" __FUNCTION__ ": normalized exclude %wZ\n", &normalized);
+ DbgPrint("FsFilter1!" __FUNCTION__ ": normalized protected %wZ\n", &normalized);
 if (!NT_SUCCESS(status))
 {
 DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, &str);
 continue;
 }
- AddRuleToPsRuleList(g_protectProcessRules, &normalized, PsRuleTypeWithoutInherit, &ruleId);
+ AddRuleToPsRuleList(g_protectProcessRules, &normalized, g_protectProcesses[i].inherit, &ruleId);
 }
 status = InitializeProcessTable(CheckProcessFlags);
@@ -320,6 +389,8 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
 ExFreePool(normalized.Buffer);
+ g_psMonitorInited = TRUE;
+
 // Register ps\thr pre create\duplicate object callback
 g_regOperation[0].ObjectType = PsProcessType;
@@ -361,6 +432,9 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
 NTSTATUS DestroyPsMonitor()
 {
+ if (!g_psMonitorInited)
+ return STATUS_ALREADY_DISCONNECTED;
+
 if (g_obRegCallback)
 {
 ObUnRegisterCallbacks(g_obRegCallback);
@@ -373,6 +447,7 @@ NTSTATUS DestroyPsMonitor()
 DestroyPsRuleListContext(g_protectProcessRules);
 DestroyProcessTable();
+ g_psMonitorInited = FALSE;
 return STATUS_SUCCESS;
 }
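Review bot: `g_psMonitorInited = TRUE;` is set before the object-callback registration that follows the hunk, so if that registration fails and InitializePsMonitor returns an error the flag stays TRUE and a later DestroyPsMonitor tears everything down a second time; the other three modules in this commit set their flag as the very last statement. Keep the assignment here only if CheckProcessFlags needs the flag flipped right after InitializeProcessTable (it reads it to derive `inited`, per the CheckProcessFlags hunk), and in that case reset it on the registration error path with `g_psMonitorInited = FALSE;` before returning. The not-initialized return value is also inconsistent with Device.c/FsFilter.c/RegFilter.c: use `return STATUS_NOT_FOUND;` rather than STATUS_ALREADY_DISCONNECTED unless the caller distinguishes them.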
@@ -407,8 +482,6 @@ NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, PULONGL
 ExFreePool(normalized.Buffer);
 return status;
- //DbgPrint("FsFilter1!" __FUNCTION__ ": protect image: %wZ\n", ImagePath);
- //return AddRuleToPsRuleList(g_protectProcessRules, ImagePath, InheritType, ObjId);
 }
 NTSTATUS GetProtectedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable)
diff --git a/Hidden/PsTable.c b/Hidden/PsTable.c
index e390502..6894def 100644
--- a/Hidden/PsTable.c
+++ b/Hidden/PsTable.c
@@ -3,8 +3,8 @@
 #define PSTREE_ALLOC_TAG 'rTsP'
-RTL_AVL_TABLE g_processTable;
-KSPIN_LOCK g_processTableLock;
+RTL_AVL_TABLE g_processTable;
+KSPIN_LOCK g_processTableLock;
 RTL_GENERIC_COMPARE_RESULTS CompareProcessTableEntry(struct _RTL_AVL_TABLE *Table, PVOID FirstStruct, PVOID SecondStruct)
 {
@@ -179,6 +179,9 @@ NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEnt
 if (entry.protected)
 DbgPrint("FsFilter1!" __FUNCTION__ ": protected process:%d\n", entry.processId);
+ if (entry.subsystem)
+ DbgPrint("FsFilter1!" __FUNCTION__ ": subsystem process:%d\n", entry.processId);
+
 // Go to next
 FreeInformation(procName);
diff --git a/Hidden/PsTable.h b/Hidden/PsTable.h
index 7194208..c4c23da 100644
--- a/Hidden/PsTable.h
+++ b/Hidden/PsTable.h
@@ -1,9 +1,8 @@
 #pragma once
 #include
-#include "PsTable.h"
-typedef struct _ProcessTableEntry{
+typedef struct _ProcessTableEntry {
 HANDLE processId;
 BOOLEAN excluded;
@@ -12,6 +11,9 @@ typedef struct _ProcessTableEntry{
 BOOLEAN protected;
 ULONG inheritProtection;
+ BOOLEAN subsystem;
+ BOOLEAN inited;
+
 } ProcessTableEntry, *PProcessTableEntry;
 NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEntry, PCUNICODE_STRING, HANDLE));
diff --git a/Hidden/RegFilter.c b/Hidden/RegFilter.c
index 48eea6b..e581d7b 100644
--- a/Hidden/RegFilter.c
+++ b/Hidden/RegFilter.c
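Review bot: The two fields added to `_ProcessTableEntry` in PsTable.h are the inputs to the new handle-access decision but carry no documentation, and their meaning is only recoverable from PsMonitor.c. I would annotate them as `BOOLEAN subsystem; // image path matched the normalized csrss path when the entry was created` and `BOOLEAN inited; // FALSE until csrss first opens the process; protection is not enforced before that`. Both claims come from CheckProcessFlags and CheckProtectedOperation in this commit; if the flags are also written elsewhere, the comments should say so.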
@@ -8,6 +8,8 @@
 #define FILTER_ALLOC_TAG 'FRlF'
+BOOLEAN g_regFilterInited = FALSE;
+
 ExcludeContext g_excludeRegKeyContext;
 ExcludeContext g_excludeRegValueContext;
@@ -602,6 +604,7 @@ NTSTATUS InitializeRegistryFilter(PDRIVER_OBJECT DriverObject)
 return status;
 }
+ g_regFilterInited = TRUE;
 return status;
 }
@@ -609,10 +612,18 @@ NTSTATUS DestroyRegistryFilter()
 {
 NTSTATUS status;
+ if (!g_regFilterInited)
+ return STATUS_NOT_FOUND;
+
 status = CmUnRegisterCallback(g_regCookie);
 if (!NT_SUCCESS(status))
 DbgPrint("FsFilter1!" __FUNCTION__ ": Registry filter unregistration failed with code:%08x\n", status);
+ DestroyExcludeListContext(g_excludeRegKeyContext);
+ DestroyExcludeListContext(g_excludeRegValueContext);
+
+ g_regFilterInited = FALSE;
+
 return status;
 }
diff --git a/Hidden/todo.txt b/Hidden/todo.txt
index c801617..30f7c75 100644
--- a/Hidden/todo.txt
+++ b/Hidden/todo.txt
@@ -35,9 +35,9 @@
 + FS filter
 + Reg filter
 + Реализовать RemoveAllExcludeListEntries
-- Реализовать все ф-и Ps monitor
- - Добавить в библиотеку поддержку get\set state
- - Решить проблему с protected (возможно разрешить создавать такие процессы только из protected\system)
++ Реализовать все ф-и Ps monitor
+ + Добавить в библиотеку поддержку get\set state
+ + Решить проблему с protected (возможно разрешить создавать такие процессы только из protected\system)
 - Реализовать IOCTL протокол управления
 + Реализовать usermode библиотеку для работы с IOCTL API
 - Реализовать программу управления драйвером, средствами IOCTL API
diff --git a/HiddenCLI/HiddenCLI.cpp b/HiddenCLI/HiddenCLI.cpp
index bcefa2a..c98a647 100644
--- a/HiddenCLI/HiddenCLI.cpp
+++ b/HiddenCLI/HiddenCLI.cpp
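Review bot: DestroyRegistryFilter now destroys `g_excludeRegKeyContext` and `g_excludeRegValueContext` even when `CmUnRegisterCallback(g_regCookie)` fails, i.e. while the registry callback may still be registered and, judging by the names, still consulting those contexts on the next registry operation, which would be a use-after-free in kernel context. Return before the teardown on failure: `if (!NT_SUCCESS(status)) { DbgPrint(...); return status; }`, leaving `g_regFilterInited` TRUE so a retry is possible, and only destroy the contexts and clear the flag after a successful unregister. The callback body is outside this hunk, so whether it reads the contexts is inferred, not shown.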
@@ -39,13 +39,13 @@ CONST PWCHAR g_excludeRegValues[] = {
 };
 CONST PWCHAR g_protectProcesses[] = {
- L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc.exe",
- L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc2.exe",
+ L"c:\\Windows\\System32\\calc.exe",
+ L"c:\\Windows\\System32\\calc2.exe",
 };
 CONST PWCHAR g_excludeProcesses[] = {
- L"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe",
- L"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd2.exe",
+ L"c:\\Windows\\System32\\cmd.exe",
+ L"c:\\Windows\\System32\\cmd2.exe",
 };
 int wmain(int argc, wchar_t *argv[])
diff --git a/HiddenTests/HiddenTests.cpp b/HiddenTests/HiddenTests.cpp
index 0514dae..6fd64ce 100644
--- a/HiddenTests/HiddenTests.cpp
+++ b/HiddenTests/HiddenTests.cpp
@@ -400,7 +400,7 @@ void do_regmon_tests(HidContext context)
 hid_status = Hid_RemoveHiddenRegValue(context, objId[1]);
 if (!HID_STATUS_SUCCESSFUL(hid_status))
 {
- wcout << L"Error, unhidden reg value hasn't been found, code: " << error_code << endl;
+ wcout << L"Error, unhidden reg value hasn't been found, code: " << HID_STATUS_CODE(hid_status) << endl;
 throw exception();
 }
@@ -440,12 +440,195 @@ void do_regmon_tests(HidContext context)
 Hid_RemoveAllHiddenRegValues(context);
 }
-void do_psmon_tests(HidContext context)
+void do_psmon_prot_tests(HidContext context)
+{
+ HidStatus hid_status;
+ unsigned int error_code;
+ STARTUPINFOW si;
+ PROCESS_INFORMATION pi;
+ wchar_t path[] = L"c:\\windows\\system32\\calc.exe";
+ HidObjId objId[3];
+ HANDLE hproc = 0;
+ HidActiveState state;
+ HidPsInheritTypes inheritType;
+
+ wcout << L"--------------------------------" << endl;
+ wcout << L"Process monitor prot tests result:" << endl;
+ wcout << L"--------------------------------" << endl;
+
+ try
+ {
+ //TODO:
+ // test 1: create proc, protect, check, unprotect
+
+ wcout << L"Test 1: create process, protect, check, unprotect" << endl;
+
+ memset(&si, 0, sizeof(si));
+ memset(&pi, 0, sizeof(pi));
+ si.cb = sizeof(si);
+
+ wcout << L"step" << 1 << endl;
+
+ hid_status = Hid_GetProtectedState(context, GetCurrentProcessId(), &state, &inheritType);
+ if (!HID_STATUS_SUCCESSFUL(hid_status))
+ {
+ wcout << L"Error, can't get self state, code: " << HID_STATUS_CODE(hid_status) << endl;
+ throw exception();
+ }
+
+ if (state != HidActiveState::StateDisabled)
+ {
+ wcout << L"Error, state isn't StateDisabled, state: " << state << " " << inheritType << endl;
+ throw exception();
+ }
+
+ wcout << L"step" << 2 << endl;
+ hid_status = Hid_AttachProtectedState(context, GetCurrentProcessId(), HidPsInheritTypes::WithoutInherit);
+ if (!HID_STATUS_SUCCESSFUL(hid_status))
+ {
+ wcout << L"Error, can't protect self image, code: " << HID_STATUS_CODE(hid_status) << endl;
+ throw exception();
+ }
+
+ hid_status = Hid_GetProtectedState(context, GetCurrentProcessId(), &state, &inheritType);
+ if (!HID_STATUS_SUCCESSFUL(hid_status))
+ {
+ wcout << L"Error, can't get self status, code: " << HID_STATUS_CODE(hid_status) << endl;
+ throw exception();
+ }
+
+ if (state != HidActiveState::StateEnabled || inheritType != HidPsInheritTypes::WithoutInherit)
+ {
+ wcout << L"Error, state isn't StateEnabled, state: " << state << " " << inheritType << endl;
+ throw exception();
+ }
+
+ wcout << L"step" << 3 << endl;
+ hid_status = Hid_AddProtectedImage(context, path, HidPsInheritTypes::WithoutInherit, &objId[1]);
+ if (!HID_STATUS_SUCCESSFUL(hid_status))
+ {
+ wcout << L"Error, can't protect image, code: " << HID_STATUS_CODE(hid_status) << endl;
+ throw exception();
+ }
+
+ wcout << L"step" << 3 << endl;
+ //hid_status = Hid_AttachProtectedState(context, 420, HidPsInheritTypes::WithoutInherit);
+ if (!HID_STATUS_SUCCESSFUL(hid_status))
+ {
+ wcout << L"Error, can't protect csrss image, code: " << HID_STATUS_CODE(hid_status) << endl;
+ throw exception();
+ }
+
+
+ wcout << L"step" << 4 << endl;
+ if (!CreateProcessW(NULL, path, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
+ {
+ error_code = GetLastError();
+ wcout << L"Error, CreateProcessW() failed with code: " << error_code << endl;
+ throw exception();
+ }
+
+ wcout << L"step" << 5 << endl;
+ CloseHandle(pi.hThread);
+
+ hid_status = Hid_RemoveProtectedState(context, GetCurrentProcessId());
+ if (!HID_STATUS_SUCCESSFUL(hid_status))
+ {
+ wcout << L"Error, can't can't remove self protection, code: " << HID_STATUS_CODE(hid_status) << endl;
+ throw exception();
+ }
+
+ wcout << L"step" << 6 << endl;
+ hproc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pi.dwProcessId);
+ if (!hproc)
+ {
+ error_code = GetLastError();
+ wcout << L"Error, OpenProcess() failed with code: " << error_code << endl;
+ throw exception();
+ }
+
+ wcout << L"step" << 7 << endl;
+ if (VirtualAllocEx(hproc, 0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE))
+ {
+ wcout << L"Error, process protection doesn't work" << endl;
+ throw exception();
+ }
+
+ CloseHandle(hproc);
+ hproc = 0;
+
+ wcout << L"step" << 8 << endl;
+ hid_status = Hid_RemoveProtectedImage(context, objId[1]);
+ if (!HID_STATUS_SUCCESSFUL(hid_status))
+ {
+ wcout << L"Error, can't remove protected rule, code: " << HID_STATUS_CODE(hid_status) << endl;
+ throw exception();
+ }
+
+ hid_status = Hid_RemoveProtectedState(context, pi.dwProcessId);
+ if (!HID_STATUS_SUCCESSFUL(hid_status))
+ {
+ wcout << L"Error, can't unprotect image, code: " << HID_STATUS_CODE(hid_status) << endl;
+ throw exception();
+ }
+
+ hproc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pi.dwProcessId);
+ if (!hproc)
+ {
+ error_code = GetLastError();
+ wcout << L"Error, OpenProcess() failed with code " << error_code << endl;
+ throw exception();
+ }
+
+ if (!VirtualAllocEx(hproc, 0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE))
+ {
+ error_code = GetLastError();
+ wcout << L"Error, VirtualAllocEx() failed with code: " << error_code << endl;
+ throw exception();
+ }
+
+ CloseHandle(hproc);
+ hproc = 0;
+
+ wcout << L" successful!" << endl;
+
+
+ }
+ catch (exception&)
+ {
+ wcout << L" failed!" << endl;
+ }
+
+ if (hproc)
+ CloseHandle(hproc);
+
+ if (pi.hProcess)
+ {
+ CloseHandle(hproc);
+ TerminateProcess(pi.hProcess, 0);
+ }
+
+ Hid_RemoveAllProtectedImages(context);
+}
+
+void do_psmon_excl_tests(HidContext context)
 {
 //HidStatus hid_status;
+
 wcout << L"--------------------------------" << endl;
- wcout << L"Process monitor tests result:" << endl;
+ wcout << L"Process monitor excl tests result:" << endl;
 wcout << L"--------------------------------" << endl;
+
+ try
+ {
+
+ }
+ catch (exception&)
+ {
+ wcout << L" failed!" << endl;
+ }
+
+
 }
 int wmain(int argc, wchar_t* argv[])
@@ -464,7 +647,8 @@ int wmain(int argc, wchar_t* argv[])
 do_fsmon_tests(hid_context);
 do_regmon_tests(hid_context);
- do_psmon_tests(hid_context);
+ do_psmon_prot_tests(hid_context);
+ do_psmon_excl_tests(hid_context);
 //Hid_Destroy(hid_context);
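Review bot: The cleanup at the end of do_psmon_prot_tests closes the wrong handle: in `if (pi.hProcess) { CloseHandle(hproc); TerminateProcess(pi.hProcess, 0); }` the variable `hproc` is already 0 or was closed a few lines earlier, while `pi.hProcess` is never closed, so the child process handle leaks on every run. Replace the block body with `TerminateProcess(pi.hProcess, 0); CloseHandle(pi.hProcess);` in that order. The second "step 3" block tests `hid_status` after the only call that would set it is commented out, so the "can't protect csrss image" branch merely re-checks the previous result; delete the block or the check. `do_psmon_excl_tests` is an empty shell that prints nothing on success, which makes a silent run indistinguishable from a skipped one.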