
Added an ability to configure hiding processes over a registry

This commit is contained in:
JKornev 2021-07-30 13:36:00 +03:00
parent a2e5e8e901
commit 9e89ad1da0
5 changed files with 47 additions and 16 deletions

@ -12,6 +12,7 @@ typedef struct _HidConfigContext {
UNICODE_STRING hideRegValues; UNICODE_STRING hideRegValues;
UNICODE_STRING ignoreImages; UNICODE_STRING ignoreImages;
UNICODE_STRING protectImages; UNICODE_STRING protectImages;
UNICODE_STRING hideImages;
} HidConfigContext, *PHidConfigContext; } HidConfigContext, *PHidConfigContext;
PHidConfigContext g_configContext = NULL; PHidConfigContext g_configContext = NULL;
@ -59,6 +60,7 @@ NTSTATUS InitializeConfigs(PUNICODE_STRING RegistryPath)
QueryAndAllocRegistryData(hkey, L"Hid_IgnoredImages", REG_MULTI_SZ, &config.ignoreImages, NULL); QueryAndAllocRegistryData(hkey, L"Hid_IgnoredImages", REG_MULTI_SZ, &config.ignoreImages, NULL);
QueryAndAllocRegistryData(hkey, L"Hid_ProtectedImages", REG_MULTI_SZ, &config.protectImages, NULL); QueryAndAllocRegistryData(hkey, L"Hid_ProtectedImages", REG_MULTI_SZ, &config.protectImages, NULL);
QueryAndAllocRegistryData(hkey, L"Hid_HideImages", REG_MULTI_SZ, &config.hideImages, NULL);
ZwClose(hkey); ZwClose(hkey);
@ -135,6 +137,9 @@ NTSTATUS CfgEnumConfigsTable(enum CfgMultiStringTables Table, CfgMultiStringCall
case ProtectImagesTable: case ProtectImagesTable:
table = &g_configContext->protectImages; table = &g_configContext->protectImages;
break; break;
case HideImagesTable:
table = &g_configContext->hideImages;
break;
default: default:
return STATUS_INVALID_VARIANT; return STATUS_INVALID_VARIANT;
} }
@ -182,6 +187,7 @@ VOID ReleaseConfigContext(PHidConfigContext context)
ReleaseRegistryData(&context->hideRegValues); ReleaseRegistryData(&context->hideRegValues);
ReleaseRegistryData(&context->ignoreImages); ReleaseRegistryData(&context->ignoreImages);
ReleaseRegistryData(&context->protectImages); ReleaseRegistryData(&context->protectImages);
ReleaseRegistryData(&context->hideImages);
} }
NTSTATUS GetRegistryDWORD(HANDLE hKey, LPCWSTR Value, PULONG Data, ULONG Default) NTSTATUS GetRegistryDWORD(HANDLE hKey, LPCWSTR Value, PULONG Data, ULONG Default)
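Review bot: The new `Hid_HideImages` read on the `QueryAndAllocRegistryData` line says nothing about what the REG_MULTI_SZ elements look like, even though, per the other hunks of this commit, the kernel side hands each element to `ParsePsConfigEntry` and the user-mode tool writes them as `<normalized image path>;<inherit>`; a one-line comment at that call, `// Hid_HideImages: REG_MULTI_SZ of "<normalized image path>;<inherit>" entries, consumed by ParsePsConfigEntry`, would keep the writer and the parser from drifting apart. As with the neighbouring values the returned status is discarded, so a missing or malformed value silently produces no hide rules; that matches the existing style, but it presumably relies on `config` having been zero-initialized earlier, which is not visible in this hunk. `InitializeConfigs` starts and ends outside the hunk.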

@ -15,6 +15,7 @@ enum CfgMultiStringTables {
HideRegValuesTable, HideRegValuesTable,
IgnoreImagesTable, IgnoreImagesTable,
ProtectImagesTable, ProtectImagesTable,
HideImagesTable,
MaxTableEntries, MaxTableEntries,
}; };

@ -617,6 +617,18 @@ VOID LoadIgnoredRulesCallback(PUNICODE_STRING Str, PVOID Params)
AddExcludedImage(&path, inherit, FALSE, &ruleId); AddExcludedImage(&path, inherit, FALSE, &ruleId);
} }
VOID LoadHiddenRulesCallback(PUNICODE_STRING Str, PVOID Params)
{
UNICODE_STRING path;
ULONG inherit;
PsRuleEntryId ruleId;
UNREFERENCED_PARAMETER(Params);
if (NT_SUCCESS(ParsePsConfigEntry(Str, &path, &inherit)))
AddHiddenImage(&path, inherit, FALSE, &ruleId);
}
NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject) NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
{ {
const USHORT maxBufSize = 512; const USHORT maxBufSize = 512;
@ -726,14 +738,15 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
return status; return status;
} }
//TODO: load hidden config // Load entries from the config
CfgEnumConfigsTable(HideImagesTable, &LoadHiddenRulesCallback, NULL);
// Process table // Process table
ExInitializeFastMutex(&g_processTableLock); ExInitializeFastMutex(&g_processTableLock);
KeInitializeGuardedMutex(&g_activeProcListLock); KeInitializeGuardedMutex(&g_activeProcListLock);
status = InitializeProcessTable(CheckProcessFlags); status = InitializeProcessTable(&CheckProcessFlags);
if (!NT_SUCCESS(status)) if (!NT_SUCCESS(status))
{ {
DestroyPsRuleListContext(g_excludeProcessRules); DestroyPsRuleListContext(g_excludeProcessRules);
@ -775,7 +788,7 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
// Register rocess create\destroy callback // Register rocess create\destroy callback
status = PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyCallback, FALSE); status = PsSetCreateProcessNotifyRoutineEx(&CreateProcessNotifyCallback, FALSE);
if (!NT_SUCCESS(status)) if (!NT_SUCCESS(status))
{ {
LogError("Error, process notify registartion failed with code:%08x", status); LogError("Error, process notify registartion failed with code:%08x", status);
@ -808,14 +821,14 @@ NTSTATUS DestroyPsMonitor()
g_obRegCallback = NULL; g_obRegCallback = NULL;
} }
PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyCallback, TRUE); PsSetCreateProcessNotifyRoutineEx(&CreateProcessNotifyCallback, TRUE);
DestroyPsRuleListContext(g_excludeProcessRules); DestroyPsRuleListContext(g_excludeProcessRules);
DestroyPsRuleListContext(g_protectProcessRules); DestroyPsRuleListContext(g_protectProcessRules);
DestroyPsRuleListContext(g_hideProcessRules); DestroyPsRuleListContext(g_hideProcessRules);
ExAcquireFastMutex(&g_processTableLock); ExAcquireFastMutex(&g_processTableLock);
ClearProcessTable(CleanupHiddenProcessCallback); ClearProcessTable(&CleanupHiddenProcessCallback);
ExReleaseFastMutex(&g_processTableLock); ExReleaseFastMutex(&g_processTableLock);
g_psMonitorInited = FALSE; g_psMonitorInited = FALSE;
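Review bot: `LoadHiddenRulesCallback` drops a configured hide rule silently when either `ParsePsConfigEntry` or `AddHiddenImage` fails, and the `CfgEnumConfigsTable(HideImagesTable, ...)` call below it likewise ignores its return status, so a bad registry entry leaves a process visible with nothing in the log to explain why. Since this file already reports failures through `LogError`, I would keep the status and log it: `NTSTATUS status = ParsePsConfigEntry(Str, &path, &inherit);` / `if (NT_SUCCESS(status)) status = AddHiddenImage(&path, inherit, FALSE, &ruleId);` / `if (!NT_SUCCESS(status)) LogError("Error, can't load hidden image rule, code:%08x", status);`. The `FALSE` third argument to `AddHiddenImage` is undocumented here; if it means "do not re-scan already running processes", that is only correct because this runs before `InitializeProcessTable` builds the table, and a short comment stating that ordering dependency would protect against someone moving the call later. `InitializePsMonitor` and `DestroyPsMonitor` both extend beyond the hunks shown.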

@ -55,7 +55,7 @@ bool PrintUsage(Arguments& args)
L"commands:\n" L"commands:\n"
L"\n" L"\n"
L" /state <on|off>\n" L" /state <on|off>\n"
L" Enable or disable hidden\n" L" Turn on\\off hidden\n"
L"\n" L"\n"
L" /query state\n" L" /query state\n"
L" Get enforcement state\n" L" Get enforcement state\n"
@ -70,13 +70,13 @@ bool PrintUsage(Arguments& args)
L" Hide process by its PID\n" L" Hide process by its PID\n"
L"\n" L"\n"
L" /unhide <file|dir|regval|regkey|image|pid> all\n" L" /unhide <file|dir|regval|regkey|image|pid> all\n"
L" Unhide all filesystem or registry object by selected type\n" L" Unhide all filesystem, registry or process object by selected type\n"
L"\n" L"\n"
L" /unhide <file|dir|regval|regkey|image> <%ruleid%>\n" L" /unhide <file|dir|regval|regkey|image> <%ruleid%>\n"
L" Unhide all filesystem or registry object by selected type and rule ID\n" L" Unhide all filesystem or registry object by selected type and rule ID\n"
L"\n" L"\n"
L" /unhide pid <%pid%>\n" L" /unhide pid <%pid%>\n"
L" Unhide a specific process by it's PID\n" L" Unhide a specific process by PID\n"
L"\n" L"\n"
L" /ignore image [inherit:<none|always|once>] [apply:<fornew|forall>] <%path%>\n" L" /ignore image [inherit:<none|always|once>] [apply:<fornew|forall>] <%path%>\n"
L" Set rule that allows to see hidden filesystem and registry objects for\n" L" Set rule that allows to see hidden filesystem and registry objects for\n"
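Review bot: The help text for `/unhide <file|dir|regval|regkey|image> <%ruleid%>` two lines below the reworded `all` form still reads `Unhide all filesystem or registry object by selected type and rule ID`, although `image` is in its type list, the command removes a single rule rather than "all", and the `all` variant was just changed to mention processes. I would make the two lines agree, e.g. `L"      Unhide the filesystem, registry or process image rule with the given ID\n"`. `PrintUsage` starts and ends outside the hunks.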

@ -123,36 +123,46 @@ void CommandHide::InstallCommand(RegistryKey& configKey)
vector<wstring> commands; vector<wstring> commands;
const wchar_t* valueName; const wchar_t* valueName;
HidStatus status; HidStatus status;
wstring entry; wstring entry, normilized;
entry.insert(0, m_path.size() + HID_NORMALIZATION_OVERHEAD, L'\0'); normilized.insert(0, m_path.size() + HID_NORMALIZATION_OVERHEAD, L'\0');
switch (m_hideType) switch (m_hideType)
{ {
case EObjTypes::TypeFile: case EObjTypes::TypeFile:
valueName = L"Hid_HideFsFiles"; valueName = L"Hid_HideFsFiles";
status = Hid_NormalizeFilePath(m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size()); status = Hid_NormalizeFilePath(m_path.c_str(), const_cast<wchar_t*>(normilized.c_str()), normilized.size());
break; break;
case EObjTypes::TypeDir: case EObjTypes::TypeDir:
valueName = L"Hid_HideFsDirs"; valueName = L"Hid_HideFsDirs";
status = Hid_NormalizeFilePath(m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size()); status = Hid_NormalizeFilePath(m_path.c_str(), const_cast<wchar_t*>(normilized.c_str()), normilized.size());
break; break;
case EObjTypes::TypeRegKey: case EObjTypes::TypeRegKey:
valueName = L"Hid_HideRegKeys"; valueName = L"Hid_HideRegKeys";
status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size()); status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), const_cast<wchar_t*>(normilized.c_str()), normilized.size());
break; break;
case EObjTypes::TypeRegVal: case EObjTypes::TypeRegVal:
valueName = L"Hid_HideRegValues"; valueName = L"Hid_HideRegValues";
status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size()); status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), const_cast<wchar_t*>(normilized.c_str()), normilized.size());
break; break;
case EObjTypes::TypePsImg: case EObjTypes::TypePsImg:
valueName = L"Hid_HidePsImages"; valueName = L"Hid_HideImages";
status = Hid_NormalizeFilePath(m_image.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size()); status = Hid_NormalizeFilePath(m_image.c_str(), const_cast<wchar_t*>(normilized.c_str()), normilized.size());
break; break;
default: default:
throw WException(ERROR_UNKNOWN_COMPONENT, L"Internal error, invalid type for command 'hide'"); throw WException(ERROR_UNKNOWN_COMPONENT, L"Internal error, invalid type for command 'hide'");
} }
if (!HID_STATUS_SUCCESSFUL(status))
throw WException(HID_STATUS_CODE(status), L"Error, can't normalize path, 'hide' rejected");
entry += normilized.c_str();
if (m_hideType == EObjTypes::TypePsImg)
{
entry += L";";
entry += ConvertInheritTypeToUnicode(m_inheritType);
}
configKey.GetMultiStrValue(valueName, commands); configKey.GetMultiStrValue(valueName, commands);
commands.push_back(entry); commands.push_back(entry);
configKey.SetMultiStrValue(valueName, commands); configKey.SetMultiStrValue(valueName, commands);
@ -168,6 +178,7 @@ void CommandHide::UninstallCommand(RegistryKey& configKey)
try { configKey.RemoveValue(L"Hid_HideFsDirs"); } catch (...) { errors++; } try { configKey.RemoveValue(L"Hid_HideFsDirs"); } catch (...) { errors++; }
try { configKey.RemoveValue(L"Hid_HideRegKeys"); } catch (...) { errors++; } try { configKey.RemoveValue(L"Hid_HideRegKeys"); } catch (...) { errors++; }
try { configKey.RemoveValue(L"Hid_HideRegValues"); } catch (...) { errors++; } try { configKey.RemoveValue(L"Hid_HideRegValues"); } catch (...) { errors++; }
try { configKey.RemoveValue(L"Hid_HideImages"); } catch (...) { errors++; }
if (errors < 4) if (errors < 4)
g_stderr << L"Uninstall 'hide' successful" << endl; g_stderr << L"Uninstall 'hide' successful" << endl;
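Review bot: `UninstallCommand` now makes five `RemoveValue` attempts (the new `Hid_HideImages` plus the existing four, assuming a `Hid_HideFsFiles` removal sits just above the hunk), but the success test below is still `if (errors < 4)`, so an install that only wrote `Hid_HideImages` has four of five removals throw and is reported as a failed uninstall; the threshold must move with the count, `if (errors < 5)`, or better be derived from a list of value names iterated in a loop so the two cannot drift again. In `InstallCommand`, writing into the buffer through `const_cast<wchar_t*>(normilized.c_str())` is formally undefined behaviour for a `std::wstring`; `normilized.data()` is non-const since C++17 (or `&normilized[0]` before that), and whether `Hid_NormalizeFilePath`/`Hid_NormalizeRegistryPath` take the length in characters or bytes is not visible here and worth confirming, since `normilized.size()` is a character count. The `;<inherit>` suffix appended for `TypePsImg` also fixes the on-disk rule format the driver parses, so a comment naming that contract, `// Format consumed by the driver's ParsePsConfigEntry: "<normalized image path>;<inherit>"`, belongs next to it. `InstallCommand` starts before its hunk and `UninstallCommand` continues past the end of the section.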