Added reg key\value path normalization

HiddenCLI/HiddenCLI.cpp

@@ -25,17 +25,17 @@ CONST PWCHAR g_excludeDirs[] = {
 };
 
 CONST PWCHAR g_excludeRegKeys[] = {
-	L"\\REGISTRY\\MACHINE\\SOFTWARE\\test",
-	L"\\Registry\\MACHINE\\SOFTWARE\\test2",
+	L"SOFTWARE\\test",
+	L"SOFTWARE\\test2",
 };
 
 CONST PWCHAR g_excludeRegValues[] = {
-	L"\\REGISTRY\\MACHINE\\SOFTWARE\\aaa",
-	L"\\Registry\\MACHINE\\SOFTWARE\\xxx",
-	L"\\Registry\\MACHINE\\SOFTWARE\\aa",
-	L"\\Registry\\MACHINE\\SOFTWARE\\aaa",
-	L"\\Registry\\MACHINE\\SOFTWARE\\aaaa",
-	L"\\Registry\\MACHINE\\SOFTWARE\\zz",
+	L"SOFTWARE\\aaa",
+	L"SOFTWARE\\xxx",
+	L"SOFTWARE\\aa",
+	L"SOFTWARE\\aaa",
+	L"SOFTWARE\\aaaa",
+	L"SOFTWARE\\zz",
 };
 
 CONST PWCHAR g_protectProcesses[] = {
@@ -68,7 +68,7 @@ int wmain(int argc, wchar_t *argv[])
 	for (int i = 0; i < count; i++)
 	{
 		HidObjId objId;
-		hid_status = Hid_AddHiddenRegKey(hid_context, g_excludeRegKeys[i], &objId);
+		hid_status = Hid_AddHiddenRegKey(hid_context, RegHKLM, g_excludeRegKeys[i], &objId);
 		if (!HID_STATUS_SUCCESSFUL(hid_status))
 			cout << "Error, Hid_AddHiddenRegKey failed with code: " << HID_STATUS_CODE(hid_status) << endl;
 	}
@@ -78,7 +78,7 @@ int wmain(int argc, wchar_t *argv[])
 	for (int i = 0; i < count; i++)
 	{
 		HidObjId objId;
-		hid_status = Hid_AddHiddenRegValue(hid_context, g_excludeRegValues[i], &objId);
+		hid_status = Hid_AddHiddenRegValue(hid_context, RegHKLM, g_excludeRegValues[i], &objId);
 		if (!HID_STATUS_SUCCESSFUL(hid_status))
 			cout << "Error, Hid_AddHiddenRegValue failed with code: " << HID_STATUS_CODE(hid_status) << endl;
 	}

HiddenLib/HiddenLib.cpp

@@ -32,7 +32,17 @@ typedef BOOLEAN(NTAPI*RtlDosPathNameToRelativeNtPathName_U_Prototype)(
 	_Out_opt_  PRTL_RELATIVE_NAME RelativeName
 );
 
-RtlDosPathNameToRelativeNtPathName_U_Prototype RtlDosPathNameToRelativeNtPathName_U = nullptr;
+typedef NTSTATUS(WINAPI*RtlFormatCurrentUserKeyPath_Prototype)(
+	PUNICODE_STRING CurrentUserKeyPath
+);
+
+typedef VOID(WINAPI*RtlFreeUnicodeString_Prototype)(
+	PUNICODE_STRING UnicodeString
+);
+
+static RtlDosPathNameToRelativeNtPathName_U_Prototype RtlDosPathNameToRelativeNtPathName_U = nullptr;
+static RtlFormatCurrentUserKeyPath_Prototype RtlFormatCurrentUserKeyPath = nullptr;
+static RtlFreeUnicodeString_Prototype RtlFreeUnicodeString = nullptr;
 
 HidStatus Hid_Initialize(PHidContext pcontext)
 {
@@ -42,13 +52,33 @@ HidStatus Hid_Initialize(PHidContext pcontext)
 	if (!RtlDosPathNameToRelativeNtPathName_U)
 	{
 		*(FARPROC*)&RtlDosPathNameToRelativeNtPathName_U = GetProcAddress(
-			GetModuleHandleW(L"ntdll.dll"), 
+			GetModuleHandleW(L"ntdll.dll"),
 			"RtlDosPathNameToRelativeNtPathName_U"
-		);
+			);
 		if (!RtlDosPathNameToRelativeNtPathName_U)
 			return HID_SET_STATUS(FALSE, GetLastError());
 	}
 
+	if (!RtlFormatCurrentUserKeyPath)
+	{
+		*(FARPROC*)&RtlFormatCurrentUserKeyPath = GetProcAddress(
+			GetModuleHandleW(L"ntdll.dll"),
+			"RtlFormatCurrentUserKeyPath"
+			);
+		if (!RtlFormatCurrentUserKeyPath)
+			return HID_SET_STATUS(FALSE, GetLastError());
+	}
+
+	if (!RtlFreeUnicodeString)
+	{
+		*(FARPROC*)&RtlFreeUnicodeString = GetProcAddress(
+			GetModuleHandleW(L"ntdll.dll"),
+			"RtlFreeUnicodeString"
+			);
+		if (!RtlFreeUnicodeString)
+			return HID_SET_STATUS(FALSE, GetLastError());
+	}
+
 	hdevice = CreateFileW(
 				DEVICE_WIN32_NAME,
 				GENERIC_READ | GENERIC_WRITE,
@@ -108,6 +138,65 @@ bool ConvertToNtPath(const wchar_t* path, wchar_t* normalized, size_t normalized
 	return result;
 }
 
+bool NormalizeRegistryPath(HidRegRootTypes root, const wchar_t* key, wchar_t* normalized, size_t normalizedLen)
+{
+	static const wchar_t* hklm = L"\\Registry\\Machine\\";
+	static const wchar_t* hku = L"\\Registry\\User\\";
+	size_t keyLen, rootLen;
+
+	keyLen = wcslen(key);
+
+	if (root == RegHKCU)
+	{
+		UNICODE_STRING currUser;
+
+		RtlFormatCurrentUserKeyPath(&currUser);
+
+		rootLen = currUser.Length / sizeof(wchar_t);
+
+		if (normalizedLen < rootLen + keyLen + 2)
+		{
+			RtlFreeUnicodeString(&currUser);
+			return false;
+		}
+
+		memcpy(normalized, currUser.Buffer, rootLen * sizeof(wchar_t));
+		normalized[rootLen] = L'\\';
+		memcpy(normalized + rootLen + 1, key, keyLen * sizeof(wchar_t));
+		normalized[rootLen + keyLen + 1] = L'\0';
+
+		RtlFreeUnicodeString(&currUser);
+	}
+	else if (root == RegHKLM)
+	{
+		rootLen = wcslen(hklm);
+
+		if (normalizedLen < rootLen + keyLen + 1)
+			return false;
+
+		memcpy(normalized, hklm, rootLen * sizeof(wchar_t));
+		memcpy(normalized + rootLen, key, keyLen * sizeof(wchar_t));
+		normalized[rootLen + keyLen] = L'\0';
+	}
+	else if (root == RegHKU)
+	{
+		rootLen = wcslen(hku);
+
+		if (normalizedLen < rootLen + keyLen + 1)
+			return false;
+
+		memcpy(normalized, hku, rootLen * sizeof(wchar_t));
+		memcpy(normalized + rootLen, key, keyLen * sizeof(wchar_t));
+		normalized[rootLen + keyLen] = L'\0';
+	}
+	else
+	{
+		return false;
+	}
+
+	return true;
+}
+
 HidStatus AllocNormalizedPath(const wchar_t* path, wchar_t** normalized)
 {
 	enum { NORMALIZATION_OVERHEAD = 32 };
@@ -130,6 +219,28 @@ HidStatus AllocNormalizedPath(const wchar_t* path, wchar_t** normalized)
 	return HID_SET_STATUS(TRUE, 0);
 }
 
+HidStatus AllocNormalizedRegistryPath(HidRegRootTypes root, const wchar_t* key, wchar_t** normalized)
+{
+	enum { NORMALIZATION_OVERHEAD = 96 };
+	wchar_t* buf;
+	size_t len;
+
+	len = wcslen(key) + NORMALIZATION_OVERHEAD;
+
+	buf = (wchar_t*)malloc(len * sizeof(wchar_t));
+	if (!buf)
+		return HID_SET_STATUS(FALSE, ERROR_NOT_ENOUGH_MEMORY);
+
+	if (!NormalizeRegistryPath(root, key, buf, len))
+	{
+		free(buf);
+		return HID_SET_STATUS(FALSE, ERROR_INVALID_DATA);
+	}
+
+	*normalized = buf;
+	return HID_SET_STATUS(TRUE, 0);
+}
+
 void FreeNormalizedPath(wchar_t* normalized)
 {
 	free(normalized);
@@ -330,9 +441,20 @@ HidStatus Hid_GetState(HidContext context, HidActiveState* pstate)
 
 // Registry hiding interface
 
-HidStatus Hid_AddHiddenRegKey(HidContext context, const wchar_t* regKey, HidObjId* objId)
+HidStatus Hid_AddHiddenRegKey(HidContext context, HidRegRootTypes root, const wchar_t* regKey, HidObjId* objId)
 {
-	return SendIoctl_HideObjectPacket((PHidContextInternal)context, regKey, RegKeyObject, objId);
+	HidStatus status;
+	wchar_t* normalized;
+
+	status = AllocNormalizedRegistryPath(root, regKey, &normalized);
+	if (!HID_STATUS_SUCCESSFUL(status))
+		return status;
+
+	status = SendIoctl_HideObjectPacket((PHidContextInternal)context, normalized, RegKeyObject, objId);
+	FreeNormalizedPath(normalized);
+
+	return status;
+	//return SendIoctl_HideObjectPacket((PHidContextInternal)context, regKey, RegKeyObject, objId);
 }
 
 HidStatus Hid_RemoveHiddenRegKey(HidContext context, HidObjId objId)
@@ -345,9 +467,20 @@ HidStatus Hid_RemoveAllHiddenRegKeys(HidContext context)
 	return SendIoctl_UnhideAllObjectsPacket((PHidContextInternal)context, RegKeyObject);
 }
 
-HidStatus Hid_AddHiddenRegValue(HidContext context, const wchar_t* regValue, HidObjId* objId)
+HidStatus Hid_AddHiddenRegValue(HidContext context, HidRegRootTypes root, const wchar_t* regValue, HidObjId* objId)
 {
-	return SendIoctl_HideObjectPacket((PHidContextInternal)context, regValue, RegValueObject, objId);
+	HidStatus status;
+	wchar_t* normalized;
+
+	status = AllocNormalizedRegistryPath(root, regValue, &normalized);
+	if (!HID_STATUS_SUCCESSFUL(status))
+		return status;
+
+	status = SendIoctl_HideObjectPacket((PHidContextInternal)context, normalized, RegValueObject, objId);
+	FreeNormalizedPath(normalized);
+
+	return status;
+	//return SendIoctl_HideObjectPacket((PHidContextInternal)context, regValue, RegValueObject, objId);
 }
 
 HidStatus Hid_RemoveHiddenRegValue(HidContext context, HidObjId objId)

HiddenLib/HiddenLib.h

@@ -28,6 +28,13 @@ enum HidPsInheritTypes
 	InheritMax
 };
 
+enum HidRegRootTypes
+{
+	RegHKCU,
+	RegHKLM,
+	RegHKU
+};
+
 HidStatus Hid_Initialize(PHidContext pcontext);
 void Hid_Destroy(HidContext context);
 
@@ -36,11 +43,11 @@ HidStatus Hid_GetState(HidContext context, HidActiveState* pstate);
 
 // Fs\Reg
 
-HidStatus Hid_AddHiddenRegKey(HidContext context, const wchar_t* regKey, HidObjId* objId);
+HidStatus Hid_AddHiddenRegKey(HidContext context, HidRegRootTypes root, const wchar_t* regKey, HidObjId* objId);
 HidStatus Hid_RemoveHiddenRegKey(HidContext context, HidObjId objId);
 HidStatus Hid_RemoveAllHiddenRegKeys(HidContext context);
 
-HidStatus Hid_AddHiddenRegValue(HidContext context, const wchar_t* regValue, HidObjId* objId);
+HidStatus Hid_AddHiddenRegValue(HidContext context, HidRegRootTypes root, const wchar_t* regValue, HidObjId* objId);
 HidStatus Hid_RemoveHiddenRegValue(HidContext context, HidObjId objId);
 HidStatus Hid_RemoveAllHiddenRegValues(HidContext context);