From a25458a4c8a99338316f514008c43d0b934d39a6 Mon Sep 17 00:00:00 2001
From: JKornev <8bit.dosninja@gmail.com>
Date: Sun, 4 Sep 2016 22:00:48 +0300
Subject: [PATCH] Added usermode implementation of the PsMonitor interface and etc

---
 Hidden/FsFilter.c | 12 +-
 Hidden/PsMonitor.c | 13 ++-
 HiddenLib/HiddenLib.cpp | 198 ++++++++++++++++++++++++++++++++++++----
 HiddenLib/HiddenLib.h | 38 +++++++-
 4 files changed, 227 insertions(+), 34 deletions(-)

diff --git a/Hidden/FsFilter.c b/Hidden/FsFilter.c
index c6276b3..90bf538 100644
--- a/Hidden/FsFilter.c
+++ b/Hidden/FsFilter.c
@@ -54,17 +54,17 @@ PFLT_FILTER gFilterHandle = NULL;
 ExcludeContext g_excludeFileContext;
 ExcludeContext g_excludeDirectoryContext;
 
+// Use this variable for hard code full file paths that you would like to hide
+// For instance: L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc.exe"
+// Notice: this array should be NULL terminated
 CONST PWCHAR g_excludeFiles[] = {
-// L"\\Device\\HarddiskVolume1\\Windows\\System32\\calc.exe",
-// L"\\Device\\HarddiskVolume1\\test.txt",
-// L"\\Device\\HarddiskVolume1\\abcd\\test.txt",
 NULL
 };
 
+// Use this variable for hard code full directory paths that you would like to hide
+// For instance: L"\\Device\\HarddiskVolume1\\Windows\\System32\\mysecretdir"
+// Notice: this array should be NULL terminated
 CONST PWCHAR g_excludeDirs[] = {
-// L"\\Device\\HarddiskVolume1\\abc",
-// L"\\Device\\HarddiskVolume1\\abcd\\abc",
-// L"\\Device\\HarddiskVolume1\\New folder",
 NULL
 };
 
diff --git a/Hidden/PsMonitor.c b/Hidden/PsMonitor.c
index 0ca4157..866a0e2 100644
--- a/Hidden/PsMonitor.c
+++ b/Hidden/PsMonitor.c
@@ -15,18 +15,17 @@ OB_CALLBACK_REGISTRATION g_regCallback;
 PsRulesContext g_excludeProcessRules;
 PsRulesContext g_protectProcessRules;
 
+// Use this variable for hard code full path to applications that can see hidden objects
+// For instance: L"\\??\\C:\\Windows\\System32\\calc.exe",
+// Notice: this array should be NULL terminated
 CONST PWCHAR g_excludeProcesses[] = {
- //L"\\??\\C:\\Windows\\System32\\calc.exe",
- //L"\\??\\C:\\Windows\\System32\\cmd.exe",
- //L"\\??\\C:\\Windows\\System32\\reg.exe",
 NULL
 };
 
+// Use this variable for hard code full path to applications that will be protected
+// For instance: L"\\??\\C:\\Windows\\System32\\cmd.exe",
+// Notice: this array should be NULL terminated
 CONST PWCHAR g_protectProcesses[] = {
- //L"\\??\\C:\\Windows\\System32\\calc.exe",
- //L"\\??\\C:\\Windows\\System32\\cmd.exe",
- //L"\\??\\C:\\Windows\\System32\\csrss.exe",
- //L"\\??\\C:\\Windows\\System32\\services.exe",
 NULL
 };
 
diff --git a/HiddenLib/HiddenLib.cpp b/HiddenLib/HiddenLib.cpp
index 6b00a25..6ae6268 100644
--- a/HiddenLib/HiddenLib.cpp
+++ b/HiddenLib/HiddenLib.cpp
@@ -50,7 +50,7 @@ void Hid_Destroy(HidContext context)
 free(cntx);
 }
 
-HidStatus SendIoctlHideObjectPacket(PHidContextInternal context, wchar_t* path, unsigned short type, HidObjId* objId)
+HidStatus SendIoctl_HideObjectPacket(PHidContextInternal context, wchar_t* path, unsigned short type, HidObjId* objId)
 {
 PHid_HideObjectPacket hide;
 Hid_StatusPacket result;
@@ -90,7 +90,7 @@ HidStatus SendIoctlHideObjectPacket(PHidContextInternal context, wchar_t* path,
 return HID_SET_STATUS(TRUE, 0);
 }
 
-HidStatus SendIoctlUnhideObjectPacket(PHidContextInternal context, unsigned short type, HidObjId objId)
+HidStatus SendIoctl_UnhideObjectPacket(PHidContextInternal context, unsigned short type, HidObjId objId)
 {
 Hid_UnhideObjectPacket unhide;
 Hid_StatusPacket result;
@@ -115,7 +115,7 @@ HidStatus SendIoctlUnhideObjectPacket(PHidContextInternal context, unsigned shor
 return HID_SET_STATUS(TRUE, 0);
 }
 
-HidStatus SendIoctlUnhideAllObjectsPacket(PHidContextInternal context, unsigned short type)
+HidStatus SendIoctl_UnhideAllObjectsPacket(PHidContextInternal context, unsigned short type)
 {
 Hid_UnhideAllObjectsPacket unhide;
 Hid_StatusPacket result;
@@ -139,74 +139,234 @@ HidStatus SendIoctlUnhideAllObjectsPacket(PHidContextInternal context, unsigned return HID_SET_STATUS(TRUE, 0); } -HidStatus Hid_SetState(HidContext context, int state) +HidStatus SendIoctl_AddPsObjectPacket(PHidContextInternal context, wchar_t* path, unsigned short type, HidPsInheritTypes inheritType, HidObjId* objId) { - PHidContextInternal cntx = (PHidContextInternal)context; + PHid_AddPsObjectPacket hide; + Hid_StatusPacket result; + size_t size, len, total; + DWORD returned; + + len = wcslen(path); + if (len == 0 || len > 1024) + return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER); + + // Pack data to packet + + total = (len + 1) * sizeof(wchar_t); + size = sizeof(Hid_AddPsObjectPacket) + total; + hide = (PHid_AddPsObjectPacket)_alloca(size); + hide->dataSize = total; + hide->objType = type; + hide->inheritType = inheritType; + + memcpy((char*)hide + sizeof(Hid_AddPsObjectPacket), path, total); + + // Send IOCTL to device + + if (!DeviceIoControl(context->hdevice, HID_IOCTL_ADD_OBJECT, hide, size, &result, sizeof(result), &returned, NULL)) + return HID_SET_STATUS(FALSE, GetLastError()); + + // Check result + + if (returned != sizeof(result)) + return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER); + + if (!NT_SUCCESS(result.status)) + return HID_SET_STATUS(FALSE, result.status); + + if (objId) + *objId = result.info.id; + return HID_SET_STATUS(TRUE, 0); } -HidStatus Hid_GetState(HidContext context, int* pstate) +HidStatus SendIoctl_RemovePsObjectPacket(PHidContextInternal context, unsigned short type, HidObjId objId) { - PHidContextInternal cntx = (PHidContextInternal)context; + Hid_RemovePsObjectPacket remove; + Hid_StatusPacket result; + DWORD returned; + + remove.objType = type; + remove.id = objId; + + // Send IOCTL to device + + if (!DeviceIoControl(context->hdevice, HID_IOCTL_REMOVE_OBJECT, &remove, sizeof(remove), &result, sizeof(result), &returned, NULL)) + return HID_SET_STATUS(FALSE, GetLastError()); + + // Check result + + 
if (returned != sizeof(result)) + return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER); + + if (!NT_SUCCESS(result.status)) + return HID_SET_STATUS(FALSE, result.status); + return HID_SET_STATUS(TRUE, 0); } +HidStatus SendIoctl_RemoveAllPsObjectsPacket(PHidContextInternal context, unsigned short type) +{ + Hid_UnhideAllObjectsPacket remove; + Hid_StatusPacket result; + DWORD returned; + + remove.objType = type; + + // Send IOCTL to device + + if (!DeviceIoControl(context->hdevice, HID_IOCTL_REMOVE_ALL_OBJECTS, &remove, sizeof(remove), &result, sizeof(result), &returned, NULL)) + return HID_SET_STATUS(FALSE, GetLastError()); + + // Check result + + if (returned != sizeof(result)) + return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER); + + if (!NT_SUCCESS(result.status)) + return HID_SET_STATUS(FALSE, result.status); + + return HID_SET_STATUS(TRUE, 0); +} + +// Control interface + +HidStatus Hid_SetState(HidContext context, HidActiveState state) +{ + PHidContextInternal cntx = (PHidContextInternal)context; + return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED); +} + +HidStatus Hid_GetState(HidContext context, HidActiveState* pstate) +{ + PHidContextInternal cntx = (PHidContextInternal)context; + return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED); +} + +// Registry hiding interface + HidStatus Hid_AddHiddenRegKey(HidContext context, wchar_t* regKey, HidObjId* objId) { - return SendIoctlHideObjectPacket((PHidContextInternal)context, regKey, RegKeyObject, objId); + return SendIoctl_HideObjectPacket((PHidContextInternal)context, regKey, RegKeyObject, objId); } HidStatus Hid_RemoveHiddenRegKey(HidContext context, HidObjId objId) { - return SendIoctlUnhideObjectPacket((PHidContextInternal)context, RegKeyObject, objId); + return SendIoctl_UnhideObjectPacket((PHidContextInternal)context, RegKeyObject, objId); } HidStatus Hid_RemoveAllHiddenRegKeys(HidContext context) { - return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, RegKeyObject); + return 
SendIoctl_UnhideAllObjectsPacket((PHidContextInternal)context, RegKeyObject); } HidStatus Hid_AddHiddenRegValue(HidContext context, wchar_t* regValue, HidObjId* objId) { - return SendIoctlHideObjectPacket((PHidContextInternal)context, regValue, RegValueObject, objId); + return SendIoctl_HideObjectPacket((PHidContextInternal)context, regValue, RegValueObject, objId); } HidStatus Hid_RemoveHiddenRegValue(HidContext context, HidObjId objId) { - return SendIoctlUnhideObjectPacket((PHidContextInternal)context, RegValueObject, objId); + return SendIoctl_UnhideObjectPacket((PHidContextInternal)context, RegValueObject, objId); } HidStatus Hid_RemoveAllHiddenRegValues(HidContext context) { - return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, RegValueObject); + return SendIoctl_UnhideAllObjectsPacket((PHidContextInternal)context, RegValueObject); } +// File system hiding interface + HidStatus Hid_AddHiddenFile(HidContext context, wchar_t* filePath, HidObjId* objId) { - return SendIoctlHideObjectPacket((PHidContextInternal)context, filePath, FsFileObject, objId); + return SendIoctl_HideObjectPacket((PHidContextInternal)context, filePath, FsFileObject, objId); } HidStatus Hid_RemoveHiddenFile(HidContext context, HidObjId objId) { - return SendIoctlUnhideObjectPacket((PHidContextInternal)context, FsFileObject, objId); + return SendIoctl_UnhideObjectPacket((PHidContextInternal)context, FsFileObject, objId); } HidStatus Hid_RemoveAllHiddenFiles(HidContext context) { - return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, FsFileObject); + return SendIoctl_UnhideAllObjectsPacket((PHidContextInternal)context, FsFileObject); } HidStatus Hid_AddHiddenDir(HidContext context, wchar_t* dirPath, HidObjId* objId) { - return SendIoctlHideObjectPacket((PHidContextInternal)context, dirPath, FsDirObject, objId); + return SendIoctl_HideObjectPacket((PHidContextInternal)context, dirPath, FsDirObject, objId); } HidStatus Hid_RemoveHiddenDir(HidContext context, 
HidObjId objId) { - return SendIoctlUnhideObjectPacket((PHidContextInternal)context, FsDirObject, objId); + return SendIoctl_UnhideObjectPacket((PHidContextInternal)context, FsDirObject, objId); } HidStatus Hid_RemoveAllHiddenDirs(HidContext context) { - return SendIoctlUnhideAllObjectsPacket((PHidContextInternal)context, FsDirObject); + return SendIoctl_UnhideAllObjectsPacket((PHidContextInternal)context, FsDirObject); +} + +// Process exclude interface + +HidStatus Hid_AddExcludedImage(HidContext context, wchar_t* imagePath, HidPsInheritTypes inheritType, HidObjId* objId) +{ + return SendIoctl_AddPsObjectPacket((PHidContextInternal)context, imagePath, PsExcludedObject, inheritType, objId); +} + +HidStatus Hid_RemoveExcludedImage(HidContext context, HidObjId objId) +{ + return SendIoctl_RemovePsObjectPacket((PHidContextInternal)context, PsExcludedObject, objId); +} + +HidStatus Hid_RemoveAllExcludedImages(HidContext context) +{ + return SendIoctl_RemoveAllPsObjectsPacket((PHidContextInternal)context, PsExcludedObject); +} + +HidStatus Hid_GetExcludedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType) +{ + return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED); +} + +HidStatus Hid_AttachExcludedState(HidContext context, HidProcId procId, HidPsInheritTypes inheritType) +{ + return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED); +} + +HidStatus Hid_RemoveExcludedState(HidContext context, HidProcId procId) +{ + return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED); +} + +// Process protect interface + +HidStatus Hid_AddProtectedImage(HidContext context, wchar_t* imagePath, HidPsInheritTypes inheritType, HidObjId* objId) +{ + return SendIoctl_AddPsObjectPacket((PHidContextInternal)context, imagePath, PsProtectedObject, inheritType, objId); +} + +HidStatus Hid_RemoveProtectedImage(HidContext context, HidObjId objId) +{ + return SendIoctl_RemovePsObjectPacket((PHidContextInternal)context, PsProtectedObject, objId); 
+} + +HidStatus Hid_RemoveAllProtectedImages(HidContext context) +{ + return SendIoctl_RemoveAllPsObjectsPacket((PHidContextInternal)context, PsProtectedObject); +} + +HidStatus Hid_GetProtectedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType) +{ + return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED); +} + +HidStatus Hid_AttachProtectedState(HidContext context, HidProcId procId, HidPsInheritTypes inheritType) +{ + return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED); +} + +HidStatus Hid_RemoveProtectedState(HidContext context, HidProcId procId) +{ + return HID_SET_STATUS(FALSE, ERROR_CALL_NOT_IMPLEMENTED); } diff --git a/HiddenLib/HiddenLib.h b/HiddenLib/HiddenLib.h index 98b7dfd..6807d5f 100644 --- a/HiddenLib/HiddenLib.h +++ b/HiddenLib/HiddenLib.h @@ -12,11 +12,29 @@ typedef HidContext* PHidContext; typedef unsigned long long HidObjId; +typedef unsigned long HidProcId; + +enum HidActiveState +{ + StateDisabled = 0, + StateEnabled +}; + +enum HidPsInheritTypes +{ + WithoutInherit = 0, + InheritAlways, + InheritOnce, + InheritMax +}; + HidStatus Hid_Initialize(PHidContext pcontext); void Hid_Destroy(HidContext context); -HidStatus Hid_SetState(HidContext context, int state); -HidStatus Hid_GetState(HidContext context, int* pstate); +HidStatus Hid_SetState(HidContext context, HidActiveState state); +HidStatus Hid_GetState(HidContext context, HidActiveState* pstate); + +// Fs\Reg HidStatus Hid_AddHiddenRegKey(HidContext context, wchar_t* regKey, HidObjId* objId); HidStatus Hid_RemoveHiddenRegKey(HidContext context, HidObjId objId); 
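Review bot: SendIoctl_AddPsObjectPacket copies `inheritType` straight into `hide->inheritType` without range-checking it, even though the header added by this same commit defines `InheritMax` as a sentinel; adding `if (inheritType >= InheritMax) return HID_SET_STATUS(FALSE, ERROR_INVALID_PARAMETER);` beside the existing `len` check rejects bad values in user mode before they reach the driver (the driver must still validate its input buffer on its own, this is only defence in depth). SendIoctl_RemoveAllPsObjectsPacket declares its payload as `Hid_UnhideAllObjectsPacket` while its two siblings use the Ps-specific `Hid_AddPsObjectPacket`/`Hid_RemovePsObjectPacket`; if sharing the one-field layout with HID_IOCTL_REMOVE_ALL_OBJECTS is intentional, a comment such as `// same wire layout as the unhide-all packet: objType only` would keep the next reader from treating it as a copy-paste slip. The three new helpers also put Win32 codes (`GetLastError()`, `ERROR_INVALID_PARAMETER`) and the driver's NTSTATUS (`result.status`) into the same HidStatus slot, so a caller cannot tell which namespace a failure belongs to; this mirrors the existing hide/unhide helpers, but the new functions would benefit from a one-line comment stating it. The hunk opens on the closing lines of SendIoctl_UnhideAllObjectsPacket, whose body begins outside it.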
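Review bot: The new `enum HidActiveState` and `enum HidPsInheritTypes` are used as bare type names in the prototypes (`HidActiveState state`, `HidPsInheritTypes inheritType`), which compiles in C++ but not in a C translation unit, where the tag needs the `enum` keyword or a typedef; if HiddenLib.h is meant to be included from C code, as the driver side of this repository is, `typedef enum HidPsInheritTypes { ... } HidPsInheritTypes;` (and the same for HidActiveState) keeps both consumers building. The meaning of `WithoutInherit`, `InheritAlways` and `InheritOnce` is not stated anywhere in the diff, and `InheritMax` is evidently a sentinel rather than a value callers may pass; a one-line comment on each enumerator, with `// sentinel: not a valid inherit type` on `InheritMax`, would document the contract these prototypes now expose.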
@@ -33,3 +51,19 @@ HidStatus Hid_RemoveAllHiddenFiles(HidContext context);
 HidStatus Hid_AddHiddenDir(HidContext context, wchar_t* dirPath, HidObjId* objId);
 HidStatus Hid_RemoveHiddenDir(HidContext context, HidObjId objId);
 HidStatus Hid_RemoveAllHiddenDirs(HidContext context);
+
+// Ps
+
+HidStatus Hid_AddExcludedImage(HidContext context, wchar_t* imagePath, HidPsInheritTypes inheritType, HidObjId* objId);
+HidStatus Hid_RemoveExcludedImage(HidContext context, HidObjId objId);
+HidStatus Hid_RemoveAllExcludedImages(HidContext context);
+HidStatus Hid_GetExcludedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType);
+HidStatus Hid_AttachExcludedState(HidContext context, HidProcId procId, HidPsInheritTypes inheritType);
+HidStatus Hid_RemoveExcludedState(HidContext context, HidProcId procId);
+
+HidStatus Hid_AddProtectedImage(HidContext context, wchar_t* imagePath, HidPsInheritTypes inheritType, HidObjId* objId);
+HidStatus Hid_RemoveProtectedImage(HidContext context, HidObjId objId);
+HidStatus Hid_RemoveAllProtectedImages(HidContext context);
+HidStatus Hid_GetProtectedState(HidContext context, HidProcId procId, HidActiveState* state, HidPsInheritTypes* inheritType);
+HidStatus Hid_AttachProtectedState(HidContext context, HidProcId procId, HidPsInheritTypes inheritType);
+HidStatus Hid_RemoveProtectedState(HidContext context, HidProcId procId);
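Review bot: The six `Hid_*ExcludedState`/`Hid_*ProtectedState` prototypes are declared here as if callable, but the implementations this commit adds in HiddenLib.cpp all return `ERROR_CALL_NOT_IMPLEMENTED`; the header should say so, e.g. `// Not implemented yet: returns ERROR_CALL_NOT_IMPLEMENTED` above each group, so a consumer does not build on them. The `Hid_Add*Image` prototypes also leave unstated that `objId` receives the driver-assigned handle later passed to `Hid_Remove*Image` and that `imagePath` is expected in the `\??\C:\...` form shown in the PsMonitor.c comments; a short comment on each Add prototype, such as `// imagePath: full NT path (e.g. L"\\??\\C:\\Windows\\System32\\cmd.exe"); *objId receives the id to use with Hid_Remove*Image`, would close that gap. Whether the driver accepts other path forms is not visible in this diff, so the comment should be checked against PsMonitor.c before landing.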