Added an ability to configure hiding processes over a registry
This commit is contained in:
parent
a2e5e8e901
commit
9e89ad1da0
@ -12,6 +12,7 @@ typedef struct _HidConfigContext {
|
|||||||
UNICODE_STRING hideRegValues;
|
UNICODE_STRING hideRegValues;
|
||||||
UNICODE_STRING ignoreImages;
|
UNICODE_STRING ignoreImages;
|
||||||
UNICODE_STRING protectImages;
|
UNICODE_STRING protectImages;
|
||||||
|
UNICODE_STRING hideImages;
|
||||||
} HidConfigContext, *PHidConfigContext;
|
} HidConfigContext, *PHidConfigContext;
|
||||||
|
|
||||||
PHidConfigContext g_configContext = NULL;
|
PHidConfigContext g_configContext = NULL;
|
||||||
@ -59,6 +60,7 @@ NTSTATUS InitializeConfigs(PUNICODE_STRING RegistryPath)
|
|||||||
|
|
||||||
QueryAndAllocRegistryData(hkey, L"Hid_IgnoredImages", REG_MULTI_SZ, &config.ignoreImages, NULL);
|
QueryAndAllocRegistryData(hkey, L"Hid_IgnoredImages", REG_MULTI_SZ, &config.ignoreImages, NULL);
|
||||||
QueryAndAllocRegistryData(hkey, L"Hid_ProtectedImages", REG_MULTI_SZ, &config.protectImages, NULL);
|
QueryAndAllocRegistryData(hkey, L"Hid_ProtectedImages", REG_MULTI_SZ, &config.protectImages, NULL);
|
||||||
|
QueryAndAllocRegistryData(hkey, L"Hid_HideImages", REG_MULTI_SZ, &config.hideImages, NULL);
|
||||||
|
|
||||||
ZwClose(hkey);
|
ZwClose(hkey);
|
||||||
|
|
||||||
@ -135,6 +137,9 @@ NTSTATUS CfgEnumConfigsTable(enum CfgMultiStringTables Table, CfgMultiStringCall
|
|||||||
case ProtectImagesTable:
|
case ProtectImagesTable:
|
||||||
table = &g_configContext->protectImages;
|
table = &g_configContext->protectImages;
|
||||||
break;
|
break;
|
||||||
|
case HideImagesTable:
|
||||||
|
table = &g_configContext->hideImages;
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
return STATUS_INVALID_VARIANT;
|
return STATUS_INVALID_VARIANT;
|
||||||
}
|
}
|
||||||
@ -182,6 +187,7 @@ VOID ReleaseConfigContext(PHidConfigContext context)
|
|||||||
ReleaseRegistryData(&context->hideRegValues);
|
ReleaseRegistryData(&context->hideRegValues);
|
||||||
ReleaseRegistryData(&context->ignoreImages);
|
ReleaseRegistryData(&context->ignoreImages);
|
||||||
ReleaseRegistryData(&context->protectImages);
|
ReleaseRegistryData(&context->protectImages);
|
||||||
|
ReleaseRegistryData(&context->hideImages);
|
||||||
}
|
}
|
||||||
|
|
||||||
NTSTATUS GetRegistryDWORD(HANDLE hKey, LPCWSTR Value, PULONG Data, ULONG Default)
|
NTSTATUS GetRegistryDWORD(HANDLE hKey, LPCWSTR Value, PULONG Data, ULONG Default)
|
||||||
|
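Review bot: The new `hideImages` member in the first hunk carries no comment saying what populates it, although the second hunk shows it is read from the REG_MULTI_SZ value `Hid_HideImages` and the CLI side of this commit writes each entry as `<normalized image path>;<inherit>`; I would annotate it as `UNICODE_STRING hideImages; // REG_MULTI_SZ "Hid_HideImages", entries "<image path>;<inherit>"`. The status returned by `QueryAndAllocRegistryData` is discarded on the new line as on its neighbours, so when the value is absent the code relies on the helper leaving `config.hideImages` in a state that `ReleaseRegistryData` in the fourth hunk accepts — worth confirming, since the helper is not visible here. `InitializeConfigs`, `CfgEnumConfigsTable` and `ReleaseConfigContext` all start or end outside their hunks.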
@ -15,6 +15,7 @@ enum CfgMultiStringTables {
|
|||||||
HideRegValuesTable,
|
HideRegValuesTable,
|
||||||
IgnoreImagesTable,
|
IgnoreImagesTable,
|
||||||
ProtectImagesTable,
|
ProtectImagesTable,
|
||||||
|
HideImagesTable,
|
||||||
MaxTableEntries,
|
MaxTableEntries,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -617,6 +617,18 @@ VOID LoadIgnoredRulesCallback(PUNICODE_STRING Str, PVOID Params)
|
|||||||
AddExcludedImage(&path, inherit, FALSE, &ruleId);
|
AddExcludedImage(&path, inherit, FALSE, &ruleId);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
VOID LoadHiddenRulesCallback(PUNICODE_STRING Str, PVOID Params)
|
||||||
|
{
|
||||||
|
UNICODE_STRING path;
|
||||||
|
ULONG inherit;
|
||||||
|
PsRuleEntryId ruleId;
|
||||||
|
|
||||||
|
UNREFERENCED_PARAMETER(Params);
|
||||||
|
|
||||||
|
if (NT_SUCCESS(ParsePsConfigEntry(Str, &path, &inherit)))
|
||||||
|
AddHiddenImage(&path, inherit, FALSE, &ruleId);
|
||||||
|
}
|
||||||
|
|
||||||
NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
||||||
{
|
{
|
||||||
const USHORT maxBufSize = 512;
|
const USHORT maxBufSize = 512;
|
||||||
@ -726,14 +738,15 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
|||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
|
||||||
//TODO: load hidden config
|
// Load entries from the config
|
||||||
|
CfgEnumConfigsTable(HideImagesTable, &LoadHiddenRulesCallback, NULL);
|
||||||
|
|
||||||
// Process table
|
// Process table
|
||||||
|
|
||||||
ExInitializeFastMutex(&g_processTableLock);
|
ExInitializeFastMutex(&g_processTableLock);
|
||||||
KeInitializeGuardedMutex(&g_activeProcListLock);
|
KeInitializeGuardedMutex(&g_activeProcListLock);
|
||||||
|
|
||||||
status = InitializeProcessTable(CheckProcessFlags);
|
status = InitializeProcessTable(&CheckProcessFlags);
|
||||||
if (!NT_SUCCESS(status))
|
if (!NT_SUCCESS(status))
|
||||||
{
|
{
|
||||||
DestroyPsRuleListContext(g_excludeProcessRules);
|
DestroyPsRuleListContext(g_excludeProcessRules);
|
||||||
@ -775,7 +788,7 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
|||||||
|
|
||||||
// Register rocess create\destroy callback
|
// Register rocess create\destroy callback
|
||||||
|
|
||||||
status = PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyCallback, FALSE);
|
status = PsSetCreateProcessNotifyRoutineEx(&CreateProcessNotifyCallback, FALSE);
|
||||||
if (!NT_SUCCESS(status))
|
if (!NT_SUCCESS(status))
|
||||||
{
|
{
|
||||||
LogError("Error, process notify registartion failed with code:%08x", status);
|
LogError("Error, process notify registartion failed with code:%08x", status);
|
||||||
@ -808,14 +821,14 @@ NTSTATUS DestroyPsMonitor()
|
|||||||
g_obRegCallback = NULL;
|
g_obRegCallback = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyCallback, TRUE);
|
PsSetCreateProcessNotifyRoutineEx(&CreateProcessNotifyCallback, TRUE);
|
||||||
|
|
||||||
DestroyPsRuleListContext(g_excludeProcessRules);
|
DestroyPsRuleListContext(g_excludeProcessRules);
|
||||||
DestroyPsRuleListContext(g_protectProcessRules);
|
DestroyPsRuleListContext(g_protectProcessRules);
|
||||||
DestroyPsRuleListContext(g_hideProcessRules);
|
DestroyPsRuleListContext(g_hideProcessRules);
|
||||||
|
|
||||||
ExAcquireFastMutex(&g_processTableLock);
|
ExAcquireFastMutex(&g_processTableLock);
|
||||||
ClearProcessTable(CleanupHiddenProcessCallback);
|
ClearProcessTable(&CleanupHiddenProcessCallback);
|
||||||
ExReleaseFastMutex(&g_processTableLock);
|
ExReleaseFastMutex(&g_processTableLock);
|
||||||
|
|
||||||
g_psMonitorInited = FALSE;
|
g_psMonitorInited = FALSE;
|
||||||
|
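Review bot: Failures while loading the `Hid_HideImages` entries are silent: in the second hunk the NTSTATUS returned by `CfgEnumConfigsTable(HideImagesTable, ...)` is dropped, and in the first hunk `LoadHiddenRulesCallback` skips any entry that `ParsePsConfigEntry` rejects without a diagnostic, mirroring `LoadIgnoredRulesCallback` just above it. A rejected entry then produces no rule and no trace, so I would log it, e.g. `else LogError("Error, can't parse hidden image config entry");` in the callback, and keep the enumeration result as `status = CfgEnumConfigsTable(HideImagesTable, &LoadHiddenRulesCallback, NULL);` followed by an `NT_SUCCESS` check that at least logs. Whether the rule list that `AddHiddenImage` appends to is already initialised when the enumeration runs cannot be seen from this hunk, since the call sits before the process-table setup; confirm the ordering. `InitializePsMonitor` continues outside the hunk.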
@ -55,7 +55,7 @@ bool PrintUsage(Arguments& args)
|
|||||||
L"commands:\n"
|
L"commands:\n"
|
||||||
L"\n"
|
L"\n"
|
||||||
L" /state <on|off>\n"
|
L" /state <on|off>\n"
|
||||||
L" Enable or disable hidden\n"
|
L" Turn on\\off hidden\n"
|
||||||
L"\n"
|
L"\n"
|
||||||
L" /query state\n"
|
L" /query state\n"
|
||||||
L" Get enforcement state\n"
|
L" Get enforcement state\n"
|
||||||
@ -70,13 +70,13 @@ bool PrintUsage(Arguments& args)
|
|||||||
L" Hide process by its PID\n"
|
L" Hide process by its PID\n"
|
||||||
L"\n"
|
L"\n"
|
||||||
L" /unhide <file|dir|regval|regkey|image|pid> all\n"
|
L" /unhide <file|dir|regval|regkey|image|pid> all\n"
|
||||||
L" Unhide all filesystem or registry object by selected type\n"
|
L" Unhide all filesystem, registry or process object by selected type\n"
|
||||||
L"\n"
|
L"\n"
|
||||||
L" /unhide <file|dir|regval|regkey|image> <%ruleid%>\n"
|
L" /unhide <file|dir|regval|regkey|image> <%ruleid%>\n"
|
||||||
L" Unhide all filesystem or registry object by selected type and rule ID\n"
|
L" Unhide all filesystem or registry object by selected type and rule ID\n"
|
||||||
L"\n"
|
L"\n"
|
||||||
L" /unhide pid <%pid%>\n"
|
L" /unhide pid <%pid%>\n"
|
||||||
L" Unhide a specific process by it's PID\n"
|
L" Unhide a specific process by PID\n"
|
||||||
L"\n"
|
L"\n"
|
||||||
L" /ignore image [inherit:<none|always|once>] [apply:<fornew|forall>] <%path%>\n"
|
L" /ignore image [inherit:<none|always|once>] [apply:<fornew|forall>] <%path%>\n"
|
||||||
L" Set rule that allows to see hidden filesystem and registry objects for\n"
|
L" Set rule that allows to see hidden filesystem and registry objects for\n"
|
||||||
|
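Review bot: The usage text for the rule-ID form of `/unhide`, `L" Unhide all filesystem or registry object by selected type and rule ID\n"`, was left unchanged although the `all` form two lines above was widened to "filesystem, registry or process object" in this commit and `image` is an accepted type on the line preceding it; I would update it to `L" Unhide all filesystem, registry or process object by selected type and rule ID\n"` so the two descriptions agree. In the first hunk the doubled backslash in `L" Turn on\\off hidden\n"` prints a literal backslash; "Turn on/off hidden" reads more naturally. `PrintUsage` starts and ends outside both hunks.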
@ -123,36 +123,46 @@ void CommandHide::InstallCommand(RegistryKey& configKey)
|
|||||||
vector<wstring> commands;
|
vector<wstring> commands;
|
||||||
const wchar_t* valueName;
|
const wchar_t* valueName;
|
||||||
HidStatus status;
|
HidStatus status;
|
||||||
wstring entry;
|
wstring entry, normilized;
|
||||||
|
|
||||||
entry.insert(0, m_path.size() + HID_NORMALIZATION_OVERHEAD, L'\0');
|
normilized.insert(0, m_path.size() + HID_NORMALIZATION_OVERHEAD, L'\0');
|
||||||
|
|
||||||
switch (m_hideType)
|
switch (m_hideType)
|
||||||
{
|
{
|
||||||
case EObjTypes::TypeFile:
|
case EObjTypes::TypeFile:
|
||||||
valueName = L"Hid_HideFsFiles";
|
valueName = L"Hid_HideFsFiles";
|
||||||
status = Hid_NormalizeFilePath(m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size());
|
status = Hid_NormalizeFilePath(m_path.c_str(), const_cast<wchar_t*>(normilized.c_str()), normilized.size());
|
||||||
break;
|
break;
|
||||||
case EObjTypes::TypeDir:
|
case EObjTypes::TypeDir:
|
||||||
valueName = L"Hid_HideFsDirs";
|
valueName = L"Hid_HideFsDirs";
|
||||||
status = Hid_NormalizeFilePath(m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size());
|
status = Hid_NormalizeFilePath(m_path.c_str(), const_cast<wchar_t*>(normilized.c_str()), normilized.size());
|
||||||
break;
|
break;
|
||||||
case EObjTypes::TypeRegKey:
|
case EObjTypes::TypeRegKey:
|
||||||
valueName = L"Hid_HideRegKeys";
|
valueName = L"Hid_HideRegKeys";
|
||||||
status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size());
|
status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), const_cast<wchar_t*>(normilized.c_str()), normilized.size());
|
||||||
break;
|
break;
|
||||||
case EObjTypes::TypeRegVal:
|
case EObjTypes::TypeRegVal:
|
||||||
valueName = L"Hid_HideRegValues";
|
valueName = L"Hid_HideRegValues";
|
||||||
status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size());
|
status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), const_cast<wchar_t*>(normilized.c_str()), normilized.size());
|
||||||
break;
|
break;
|
||||||
case EObjTypes::TypePsImg:
|
case EObjTypes::TypePsImg:
|
||||||
valueName = L"Hid_HidePsImages";
|
valueName = L"Hid_HideImages";
|
||||||
status = Hid_NormalizeFilePath(m_image.c_str(), const_cast<wchar_t*>(entry.c_str()), entry.size());
|
status = Hid_NormalizeFilePath(m_image.c_str(), const_cast<wchar_t*>(normilized.c_str()), normilized.size());
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
throw WException(ERROR_UNKNOWN_COMPONENT, L"Internal error, invalid type for command 'hide'");
|
throw WException(ERROR_UNKNOWN_COMPONENT, L"Internal error, invalid type for command 'hide'");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!HID_STATUS_SUCCESSFUL(status))
|
||||||
|
throw WException(HID_STATUS_CODE(status), L"Error, can't normalize path, 'hide' rejected");
|
||||||
|
|
||||||
|
entry += normilized.c_str();
|
||||||
|
if (m_hideType == EObjTypes::TypePsImg)
|
||||||
|
{
|
||||||
|
entry += L";";
|
||||||
|
entry += ConvertInheritTypeToUnicode(m_inheritType);
|
||||||
|
}
|
||||||
|
|
||||||
configKey.GetMultiStrValue(valueName, commands);
|
configKey.GetMultiStrValue(valueName, commands);
|
||||||
commands.push_back(entry);
|
commands.push_back(entry);
|
||||||
configKey.SetMultiStrValue(valueName, commands);
|
configKey.SetMultiStrValue(valueName, commands);
|
||||||
@ -168,6 +178,7 @@ void CommandHide::UninstallCommand(RegistryKey& configKey)
|
|||||||
try { configKey.RemoveValue(L"Hid_HideFsDirs"); } catch (...) { errors++; }
|
try { configKey.RemoveValue(L"Hid_HideFsDirs"); } catch (...) { errors++; }
|
||||||
try { configKey.RemoveValue(L"Hid_HideRegKeys"); } catch (...) { errors++; }
|
try { configKey.RemoveValue(L"Hid_HideRegKeys"); } catch (...) { errors++; }
|
||||||
try { configKey.RemoveValue(L"Hid_HideRegValues"); } catch (...) { errors++; }
|
try { configKey.RemoveValue(L"Hid_HideRegValues"); } catch (...) { errors++; }
|
||||||
|
try { configKey.RemoveValue(L"Hid_HideImages"); } catch (...) { errors++; }
|
||||||
|
|
||||||
if (errors < 4)
|
if (errors < 4)
|
||||||
g_stderr << L"Uninstall 'hide' successful" << endl;
|
g_stderr << L"Uninstall 'hide' successful" << endl;
|
||||||
|
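Review bot: The success threshold `if (errors < 4)` in the second hunk was not raised when the fifth `RemoveValue` call for `Hid_HideImages` was added just above it; if, as the pattern suggests, the lines before the hunk hold one more call for `Hid_HideFsFiles`, there are now five attempts and the condition should read `if (errors < 5)` to keep its "at least one value was removed" meaning — as written, a config key holding only a single hide value is reported as a failed uninstall. If the count of `RemoveValue` calls is meant to stay in one place, a local `const int attempts = 5;` compared against `errors` would stop the two from drifting apart again. `CommandHide::UninstallCommand` starts and ends outside its hunk.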