Added usermode implementation of the PsMonitor interface
and etc
This commit is contained in:
parent
80b89c2f28
commit
a25458a4c8
@ -54,17 +54,17 @@ PFLT_FILTER gFilterHandle = NULL;
|
||||
ExcludeContext g_excludeFileContext;
|
||||
ExcludeContext g_excludeDirectoryContext;
|
||||
|
||||
// Use this variable for hard code full file paths that you would like to hide
|
||||
// For instance: L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc.exe"
|
||||
// Notice: this array should be NULL terminated
|
||||
CONST PWCHAR g_excludeFiles[] = {
|
||||
// L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc.exe",
|
||||
// L"\\Device\\HarddiskVolume1\\test.txt",
|
||||
// L"\\Device\\HarddiskVolume1\\abcd\\test.txt",
|
||||
NULL
|
||||
};
|
||||
|
||||
// Use this variable for hard code full directory paths that you would like to hide
|
||||
// For instance: L"\\Device\\HarddiskVolume1\\Windows\\System32\\mysecretdir"
|
||||
// Notice: this array should be NULL terminated
|
||||
CONST PWCHAR g_excludeDirs[] = {
|
||||
// L"\\Device\\HarddiskVolume1\\abc",
|
||||
// L"\\Device\\HarddiskVolume1\\abcd\\abc",
|
||||
// L"\\Device\\HarddiskVolume1\\New folder",
|
||||
NULL
|
||||
};
|
||||
|
||||
|
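Review bot: The hide lists are declared as `CONST PWCHAR g_excludeFiles[]` and `CONST PWCHAR g_excludeDirs[]` (L31, L60), which makes each element a const pointer to *writable* WCHAR even though every entry is a string literal; the element type that matches the data is `PCWSTR` (i.e. `CONST PCWSTR g_excludeFiles[]`), so that a consumer cannot accidentally write through the pointer into a literal. I cannot tell from this rendering whether the declarations themselves or only the surrounding comments are new in this commit, so treat this as a follow-up if they are context lines. The comment at L22 and L25 could also note that `\Device\HarddiskVolumeN` numbering is per-machine, e.g. `// Notice: volume numbers differ between machines; resolve the device name on the target before hard-coding a path`.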
@ -15,18 +15,17 @@ OB_CALLBACK_REGISTRATION g_regCallback;
|
||||
PsRulesContext g_excludeProcessRules;
|
||||
PsRulesContext g_protectProcessRules;
|
||||
|
||||
// Use this variable for hard code full path to applications that can see hidden objects
|
||||
// For instance: L"\\??\\C:\\Windows\\System32\\calc.exe",
|
||||
// Notice: this array should be NULL terminated
|
||||
CONST PWCHAR g_excludeProcesses[] = {
|
||||
//L"\\??\\C:\\Windows\\System32\\calc.exe",
|
||||
//L"\\??\\C:\\Windows\\System32\\cmd.exe",
|
||||
//L"\\??\\C:\\Windows\\System32\\reg.exe",
|
||||
NULL
|
||||
};
|
||||
|
||||
// Use this variable for hard code full path to applications that will be protected
|
||||
// For instance: L"\\??\\C:\\Windows\\System32\\cmd.exe",
|
||||
// Notice: this array should be NULL terminated
|
||||
CONST PWCHAR g_protectProcesses[] = {
|
||||
//L"\\??\\C:\\Windows\\System32\\calc.exe",
|
||||
//L"\\??\\C:\\Windows\\System32\\cmd.exe",
|
||||
//L"\\??\\C:\\Windows\\System32\\csrss.exe",
|
||||
//L"\\??\\C:\\Windows\\System32\\services.exe",
|
||||
NULL
|
||||
};
|
||||
|
||||
|
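Review bot: The comment on `g_excludeProcesses` (L92) says the listed applications "can see hidden objects", but nothing in the hunk says what the list is matched against or how that trust is bounded; presumably it is the process image path, in which case any process started from a listed path is granted full visibility, and the commented-out examples (`cmd.exe`, `reg.exe` at L107, L110) would, if enabled, hand that visibility to every interactive shell on the box. I would state this in the comment so nobody enables the examples in a deployment: `// Notice: trust is granted by image path only - every process started from a listed path (and, per the inherit rule, possibly its children) sees hidden objects; do not list general-purpose tools such as cmd.exe in production`. The same caveat applies to `g_protectProcesses` (L130), where the examples include `csrss.exe` and `services.exe` (L139, L142). I cannot tell from the rendered view which of these lines are new versus context.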
@ -50,7 +50,7 @@ void Hid_Destroy(HidContext context)
|
||||
free(cntx);
|
||||
}
|
||||
|
||||
HidStatus SendIoctlHideObjectPacket(PHidContextInternal context, wchar_t* path, unsigned short type, HidObjId* objId)
|
||||
HidStatus SendIoctl_HideObjectPacket(PHidContextInternal context, wchar_t* path, unsigned short type, HidObjId* objId)
|
||||
{
|
||||
PHid_HideObjectPacket hide;
|
||||
Hid_StatusPacket result;
|
||||
@ -90,7 +90,7 @@ HidStatus SendIoctlHideObjectPacket(PHidContextInternal context, wchar_t* path,
|
||||
return HID_SET_STATUS(TRUE, 0);
|
||||
}
|
||||
|
||||
HidStatus SendIoctlUnhideObjectPacket(PHidContextInternal context, unsigned short type, HidObjId objId)
|
||||
HidStatus SendIoctl_UnhideObjectPacket(PHidContextInternal context, unsigned short type, HidObjId objId)
|
||||
{
|
||||
Hid_UnhideObjectPacket unhide;
|
||||
Hid_StatusPacket result;
|
||||
@ -115,7 +115,7 @@ HidStatus SendIoctlUnhideObjectPacket(PHidContextInternal context, unsigned shor
|
||||
return HID_SET_STATUS(TRUE, 0);
|
||||
}
|
||||
|
||||
HidStatus SendIoctlUnhideAllObjectsPacket(PHidContextInternal context, unsigned short type)
|
||||
HidStatus SendIoctl_UnhideAllObjectsPacket(PHidContextInternal context, unsigned short type)
|
||||
{
|
||||
Hid_UnhideAllObjectsPacket unhide;
|
||||
Hid_StatusPacket result;
|
||||
@ -139,74 +139,234 @@ HidStatus SendIoctlUnhideAllObjectsPacket(PHidContextInternal context, unsigned
|
||||
return HID_SET_STATUS(TRUE, 0);
|
||||
}
|
||||
|
||||
HidStatus Hid_SetState(HidContext context, int state)
|
||||
HidStatus SendIoctl_AddPsObjectPacket(PHidContextInternal context, wchar_t* path, unsigned short type, HidPsInheritTypes inheritType, HidObjId* objId)
|
||||
{
|
||||
PHidContextInternal cntx = (PHidContextInternal)context;
|
||||
PHid_AddPsObjectPacket hide;
|
||||
Hid_StatusPacket result;
|
||||
size_t size, len, total;
|
||||
DWORD returned;
|
||||
|
||||
len = wcslen(path);
|
||||
if (len == 0 || len > 1024)
|
||||
return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
|
||||
|
||||
// Pack data to packet
|
||||
|
||||
total = (len + 1) * sizeof(wchar_t);
|
||||
size = sizeof(Hid_AddPsObjectPacket) + total;
|
||||
hide = (PHid_AddPsObjectPacket)_alloca(size);
|
||||
hide->dataSize = total;
|
||||
hide->objType = type;
|
||||
hide->inheritType = inheritType;
|
||||
|
||||
memcpy((char*)hide + sizeof(Hid_AddPsObjectPacket), path, total);
|
||||
|
||||
// Send IOCTL to device
|
||||
|
||||
if (!DeviceIoControl(context->hdevice, HID_IOCTL_ADD_OBJECT, hide, size, &result, sizeof(result), &returned, NULL))
|
||||
return HID_SET_STATUS(FALSE, GetLastError());
|
||||
|
||||
// Check result
|
||||
|
||||
if (returned != sizeof(result))
|
||||
return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
|
||||
|
||||
if (!NT_SUCCESS(result.status))
|
||||
return HID_SET_STATUS(FALSE, result.status);
|
||||
|
||||
if (objId)
|
||||
*objId = result.info.id;
|
||||
|
||||
return HID_SET_STATUS(TRUE, 0);
|
||||
}
|
||||
|
||||
HidStatus Hid_GetState(HidContext context, int* pstate)
|
||||
HidStatus SendIoctl_RemovePsObjectPacket(PHidContextInternal context, unsigned short type, HidObjId objId)
|
||||
{
|
||||
PHidContextInternal cntx = (PHidContextInternal)context;
|
||||
Hid_RemovePsObjectPacket remove;
|
||||
Hid_StatusPacket result;
|
||||
DWORD returned;
|
||||
|
||||
remove.objType = type;
|
||||
remove.id = objId;
|
||||
|
||||
// Send IOCTL to device
|
||||
|
||||
if (!DeviceIoControl(context->hdevice, HID_IOCTL_REMOVE_OBJECT, &remove, sizeof(remove), &result, sizeof(result), &returned, NULL))
|
||||
return HID_SET_STATUS(FALSE, GetLastError());
|
||||
|
||||
// Check result
|
||||
|
||||
if (returned != sizeof(result))
|
||||
return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
|
||||
|
||||
if (!NT_SUCCESS(result.status))
|
||||
return HID_SET_STATUS(FALSE, result.status);
|
||||
|
||||
return HID_SET_STATUS(TRUE, 0);
|
||||
}
|
||||
|
||||
HidStatus SendIoctl_RemoveAllPsObjectsPacket(PHidContextInternal context, unsigned short type)
|
||||
{
|
||||
Hid_UnhideAllObjectsPacket remove;
|
||||
Hid_StatusPacket result;
|
||||
DWORD returned;
|
||||
|
||||
remove.objType = type;
|
||||
|
||||
// Send IOCTL to device
|
||||
|
||||
if (!DeviceIoControl(context->hdevice, HID_IOCTL_REMOVE_ALL_OBJECTS, &remove, sizeof(remove), &result, sizeof(result), &returned, NULL))
|
||||
return HID_SET_STATUS(FALSE, GetLastError());
|
||||
|
||||
// Check result
|
||||
|
||||
if (returned != sizeof(result))
|
||||
return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);
|
||||
|
||||
if (!NT_SUCCESS(result.status))
|
||||
return HID_SET_STATUS(FALSE, result.status);
|
||||
|
||||
return HID_SET_STATUS(TRUE, 0);
|
||||
}
|
||||
|
||||
// Control interface
|
||||
|
||||
HidStatus Hid_SetState(HidContext context, HidActiveState state)
|
||||
{
|
||||
PHidContextInternal cntx = (PHidContextInternal)context;
|
||||
return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED);
|
||||
}
|
||||
|
||||
HidStatus Hid_GetState(HidContext context, HidActiveState* pstate)
|
||||
{
|
||||
PHidContextInternal cntx = (PHidContextInternal)context;
|
||||
return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED);
|
||||
}
|
||||
|
||||
// Registry hiding interface
|
||||
|
||||
HidStatus Hid_AddHiddenRegKey(HidContext context, wchar_t* regKey, HidObjId* objId)
|
||||
{
|
||||
return SendIoctlHideObjectPacket((PHidContextInternal)context, regKey, RegKeyObject, objId);
|
||||
return SendIoctl_HideObjectPacket((PHidContextInternal)context, regKey, RegKeyObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveHiddenRegKey(HidContext context, HidObjId objId)
|
||||
{
|
||||
return SendIoctlUnhideObjectPacket((PHidContextInternal)context, RegKeyObject, objId);
|
||||
return SendIoctl_UnhideObjectPacket((PHidContextInternal)context, RegKeyObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveAllHiddenRegKeys(HidContext context)
|
||||
{
|
||||
return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, RegKeyObject);
|
||||
return SendIoctl_UnhideAllObjectsPacket((PHidContextInternal)context, RegKeyObject);
|
||||
}
|
||||
|
||||
HidStatus Hid_AddHiddenRegValue(HidContext context, wchar_t* regValue, HidObjId* objId)
|
||||
{
|
||||
return SendIoctlHideObjectPacket((PHidContextInternal)context, regValue, RegValueObject, objId);
|
||||
return SendIoctl_HideObjectPacket((PHidContextInternal)context, regValue, RegValueObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveHiddenRegValue(HidContext context, HidObjId objId)
|
||||
{
|
||||
return SendIoctlUnhideObjectPacket((PHidContextInternal)context, RegValueObject, objId);
|
||||
return SendIoctl_UnhideObjectPacket((PHidContextInternal)context, RegValueObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveAllHiddenRegValues(HidContext context)
|
||||
{
|
||||
return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, RegValueObject);
|
||||
return SendIoctl_UnhideAllObjectsPacket((PHidContextInternal)context, RegValueObject);
|
||||
}
|
||||
|
||||
// File system hiding interface
|
||||
|
||||
HidStatus Hid_AddHiddenFile(HidContext context, wchar_t* filePath, HidObjId* objId)
|
||||
{
|
||||
return SendIoctlHideObjectPacket((PHidContextInternal)context, filePath, FsFileObject, objId);
|
||||
return SendIoctl_HideObjectPacket((PHidContextInternal)context, filePath, FsFileObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveHiddenFile(HidContext context, HidObjId objId)
|
||||
{
|
||||
return SendIoctlUnhideObjectPacket((PHidContextInternal)context, FsFileObject, objId);
|
||||
return SendIoctl_UnhideObjectPacket((PHidContextInternal)context, FsFileObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveAllHiddenFiles(HidContext context)
|
||||
{
|
||||
return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, FsFileObject);
|
||||
return SendIoctl_UnhideAllObjectsPacket((PHidContextInternal)context, FsFileObject);
|
||||
}
|
||||
|
||||
HidStatus Hid_AddHiddenDir(HidContext context, wchar_t* dirPath, HidObjId* objId)
|
||||
{
|
||||
return SendIoctlHideObjectPacket((PHidContextInternal)context, dirPath, FsDirObject, objId);
|
||||
return SendIoctl_HideObjectPacket((PHidContextInternal)context, dirPath, FsDirObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveHiddenDir(HidContext context, HidObjId objId)
|
||||
{
|
||||
return SendIoctlUnhideObjectPacket((PHidContextInternal)context, FsDirObject, objId);
|
||||
return SendIoctl_UnhideObjectPacket((PHidContextInternal)context, FsDirObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveAllHiddenDirs(HidContext context)
|
||||
{
|
||||
return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, FsDirObject);
|
||||
return SendIoctl_UnhideAllObjectsPacket((PHidContextInternal)context, FsDirObject);
|
||||
}
|
||||
|
||||
// Process exclude interface
|
||||
|
||||
HidStatus Hid_AddExcludedImage(HidContext context, wchar_t* imagePath, HidPsInheritTypes inheritType, HidObjId* objId)
|
||||
{
|
||||
return SendIoctl_AddPsObjectPacket((PHidContextInternal)context, imagePath, PsExcludedObject, inheritType, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveExcludedImage(HidContext context, HidObjId objId)
|
||||
{
|
||||
return SendIoctl_RemovePsObjectPacket((PHidContextInternal)context, PsExcludedObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveAllExcludedImages(HidContext context)
|
||||
{
|
||||
return SendIoctl_RemoveAllPsObjectsPacket((PHidContextInternal)context, PsExcludedObject);
|
||||
}
|
||||
|
||||
HidStatus Hid_GetExcludedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType)
|
||||
{
|
||||
return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED);
|
||||
}
|
||||
|
||||
HidStatus Hid_AttachExcludedState(HidContext context, HidProcId procId, HidPsInheritTypes inheritType)
|
||||
{
|
||||
return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveExcludedState(HidContext context, HidProcId procId)
|
||||
{
|
||||
return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED);
|
||||
}
|
||||
|
||||
// Process protect interface
|
||||
|
||||
HidStatus Hid_AddProtectedImage(HidContext context, wchar_t* imagePath, HidPsInheritTypes inheritType, HidObjId* objId)
|
||||
{
|
||||
return SendIoctl_AddPsObjectPacket((PHidContextInternal)context, imagePath, PsProtectedObject, inheritType, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveProtectedImage(HidContext context, HidObjId objId)
|
||||
{
|
||||
return SendIoctl_RemovePsObjectPacket((PHidContextInternal)context, PsProtectedObject, objId);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveAllProtectedImages(HidContext context)
|
||||
{
|
||||
return SendIoctl_RemoveAllPsObjectsPacket((PHidContextInternal)context, PsProtectedObject);
|
||||
}
|
||||
|
||||
HidStatus Hid_GetProtectedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType)
|
||||
{
|
||||
return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED);
|
||||
}
|
||||
|
||||
HidStatus Hid_AttachProtectedState(HidContext context, HidProcId procId, HidPsInheritTypes inheritType)
|
||||
{
|
||||
return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED);
|
||||
}
|
||||
|
||||
HidStatus Hid_RemoveProtectedState(HidContext context, HidProcId procId)
|
||||
{
|
||||
return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED);
|
||||
}
|
||||
|
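Review bot: The new `SendIoctl_AddPsObjectPacket`, `SendIoctl_RemovePsObjectPacket` and `SendIoctl_RemoveAllPsObjectsPacket` put values from two different error domains into the same `HidStatus` code: `GetLastError()` and `ERROR_INVALID_PARAMETER` are Win32 codes (L318, L331, L399, L412), while `result.status` is the driver's NTSTATUS (L339, L420, L484), so a caller receiving `HID_SET_STATUS(FALSE, code)` cannot interpret `code` without knowing which branch failed. Either normalize at the boundary, e.g. `return HID_SET_STATUS(FALSE, RtlNtStatusToDosError(result.status));` if linking against ntdll is acceptable, or at least document the mix on `HID_SET_STATUS` / `HidStatus` (defined outside this hunk) with a comment such as `// status is a Win32 error for DeviceIoControl failures and an NTSTATUS when the driver rejects the packet`. Separately, `PHidContextInternal cntx = (PHidContextInternal)context;` at L252 and L369 is a cast of a parameter that is already `PHidContextInternal` and the local is never used afterwards; it looks like a line the diff matched against the old `Hid_SetState`/`Hid_GetState` bodies and should be dropped, as `SendIoctl_RemoveAllPsObjectsPacket` (L433) already does. `SendIoctl_AddPsObjectPacket` also calls `wcslen(path)` at L269 without a NULL check, so `Hid_AddExcludedImage(ctx, NULL, ...)` faults in the library rather than returning `ERROR_INVALID_PARAMETER`; `if (!path) return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);` before the length check covers it.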
@ -12,11 +12,29 @@ typedef HidContext* PHidContext;
|
||||
|
||||
typedef unsigned long long HidObjId;
|
||||
|
||||
typedef unsigned long HidProcId;
|
||||
|
||||
enum HidActiveState
|
||||
{
|
||||
StateDisabled = 0,
|
||||
StateEnabled
|
||||
};
|
||||
|
||||
enum HidPsInheritTypes
|
||||
{
|
||||
WithoutInherit = 0,
|
||||
InheritAlways,
|
||||
InheritOnce,
|
||||
InheritMax
|
||||
};
|
||||
|
||||
HidStatus Hid_Initialize(PHidContext pcontext);
|
||||
void Hid_Destroy(HidContext context);
|
||||
|
||||
HidStatus Hid_SetState(HidContext context, int state);
|
||||
HidStatus Hid_GetState(HidContext context, int* pstate);
|
||||
HidStatus Hid_SetState(HidContext context, HidActiveState state);
|
||||
HidStatus Hid_GetState(HidContext context, HidActiveState* pstate);
|
||||
|
||||
// Fs\Reg
|
||||
|
||||
HidStatus Hid_AddHiddenRegKey(HidContext context, wchar_t* regKey, HidObjId* objId);
|
||||
HidStatus Hid_RemoveHiddenRegKey(HidContext context, HidObjId objId);
|
||||
@ -33,3 +51,19 @@ HidStatus Hid_RemoveAllHiddenFiles(HidContext context);
|
||||
HidStatus Hid_AddHiddenDir(HidContext context, wchar_t* dirPath, HidObjId* objId);
|
||||
HidStatus Hid_RemoveHiddenDir(HidContext context, HidObjId objId);
|
||||
HidStatus Hid_RemoveAllHiddenDirs(HidContext context);
|
||||
|
||||
// Ps
|
||||
|
||||
HidStatus Hid_AddExcludedImage(HidContext context, wchar_t* imagePath, HidPsInheritTypes inheritType, HidObjId* objId);
|
||||
HidStatus Hid_RemoveExcludedImage(HidContext context, HidObjId objId);
|
||||
HidStatus Hid_RemoveAllExcludedImages(HidContext context);
|
||||
HidStatus Hid_GetExcludedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType);
|
||||
HidStatus Hid_AttachExcludedState(HidContext context, HidProcId procId, HidPsInheritTypes inheritType);
|
||||
HidStatus Hid_RemoveExcludedState(HidContext context, HidProcId procId);
|
||||
|
||||
HidStatus Hid_AddProtectedImage(HidContext context, wchar_t* imagePath, HidPsInheritTypes inheritType, HidObjId* objId);
|
||||
HidStatus Hid_RemoveProtectedImage(HidContext context, HidObjId objId);
|
||||
HidStatus Hid_RemoveAllProtectedImages(HidContext context);
|
||||
HidStatus Hid_GetProtectedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType);
|
||||
HidStatus Hid_AttachProtectedState(HidContext context, HidProcId procId, HidPsInheritTypes inheritType);
|
||||
HidStatus Hid_RemoveProtectedState(HidContext context, HidProcId procId);
|
||||
|
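Review bot: The new prototypes use the enum tags as bare type names, e.g. `HidStatus Hid_SetState(HidContext context, HidActiveState state);` (L996) and `HidPsInheritTypes inheritType` (L1034), but `enum HidActiveState { ... };` (L942) and `enum HidPsInheritTypes { ... };` (L959) only introduce tags, which is valid in C++ and a compile error in a C translation unit; if this header is meant to be consumed from C (the file otherwise uses plain typedefs such as `typedef unsigned long long HidObjId;` at L932), declare them as `typedef enum _HidActiveState { StateDisabled = 0, StateEnabled } HidActiveState;` and likewise for `HidPsInheritTypes`. If the header is instead shared between C and C++ callers it should also carry `#ifdef __cplusplus extern "C" { #endif` guards, which I cannot see in the visible hunks. As a smaller point, `imagePath` in `Hid_AddExcludedImage` / `Hid_AddProtectedImage` (L1034, L1054) is only read by the implementation, so `const wchar_t* imagePath` would document that and let callers pass literals without a cast, though I note the existing `Hid_AddHidden*` prototypes share the non-const convention.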