├── README.md ├── UsermodeProgram ├── Release │ ├── UsermodeProgram.exe │ ├── UsermodeProgram.iobj │ ├── UsermodeProgram.ipdb │ └── UsermodeProgram.pdb ├── UsermodeProgram.sln └── UsermodeProgram │ ├── Driver.h │ ├── Maths.h │ ├── Release │ ├── UsermodeProgram.log │ ├── UsermodeProgram.obj │ ├── UsermodeProgram.pch │ ├── UsermodeProgram.tlog │ │ ├── CL.command.1.tlog │ │ ├── CL.read.1.tlog │ │ ├── CL.write.1.tlog │ │ ├── UsermodeProgram.lastbuildstate │ │ ├── UsermodeProgram.write.1u.tlog │ │ ├── link.command.1.tlog │ │ ├── link.read.1.tlog │ │ └── link.write.1.tlog │ ├── stdafx.obj │ └── vc141.pdb │ ├── UsermodeProgram.cpp │ ├── UsermodeProgram.vcxproj │ ├── UsermodeProgram.vcxproj.filters │ ├── stdafx.cpp │ ├── stdafx.h │ └── targetver.h └── hidden-master ├── Hidden Package ├── Hidden Package.vcxproj └── Hidden Package.vcxproj.filters ├── Hidden.sln ├── Hidden ├── Configs.c ├── Configs.h ├── Device.c ├── Device.h ├── DeviceAPI.h ├── Driver.c ├── Driver.h ├── ExcludeList.c ├── ExcludeList.h ├── FsFilter.c ├── FsFilter.h ├── Helper.c ├── Helper.h ├── Hidden.inf ├── Hidden.rc ├── Hidden.vcxproj ├── Hidden.vcxproj.filters ├── PsMonitor.c ├── PsMonitor.h ├── PsRules.c ├── PsRules.h ├── PsTable.c ├── PsTable.h ├── RegFilter.c ├── RegFilter.h ├── back.txt ├── todo.txt └── x64 │ └── Release │ ├── Configs.obj │ ├── Device.obj │ ├── Driver.obj │ ├── ExcludeList.obj │ ├── FsFilter.obj │ ├── Helper.obj │ ├── Hidden.inf │ ├── Hidden.log │ ├── Hidden.res │ ├── Hidden.tlog │ ├── CL.command.1.tlog │ ├── CL.read.1.tlog │ ├── CL.write.1.tlog │ ├── Hidden.lastbuildstate │ ├── Inf2Cat.command.1.tlog │ ├── inf2cat-expand.5952.read.1.tlog │ ├── inf2cat-expand.5952.write.1.tlog │ ├── inf2cat-expand.6184.read.1.tlog │ ├── inf2cat-expand.6184.write.1.tlog │ ├── inf2cat-expand.6504.read.1.tlog │ ├── inf2cat-expand.6504.write.1.tlog │ ├── inf2cat-expand.6816.read.1.tlog │ ├── inf2cat-expand.6816.write.1.tlog │ ├── inf2cat-expand.7316.read.1.tlog │ ├── inf2cat-expand.7316.write.1.tlog │ ├── 
inf2cat-expand.7336.read.1.tlog │ ├── inf2cat-expand.7336.write.1.tlog │ ├── inf2cat-expand.9032.read.1.tlog │ ├── inf2cat-expand.9032.write.1.tlog │ ├── inf2cat-expand.read.1.tlog │ ├── inf2cat-expand.write.1.tlog │ ├── inf2cat.read.1.tlog │ ├── inf2cat.write.1.tlog │ ├── link.command.1.tlog │ ├── link.read.1.tlog │ ├── link.write.1.tlog │ ├── rc.command.1.tlog │ ├── rc.read.1.tlog │ ├── rc.write.1.tlog │ ├── signtool.command.1.tlog │ ├── signtool.read.1.tlog │ ├── signtool.timestamp.1.tlog │ ├── signtool.write.1.tlog │ ├── stampinf.command.1.tlog │ ├── stampinf.read.1.tlog │ └── stampinf.write.1.tlog │ ├── PsMonitor.obj │ ├── PsRules.obj │ ├── PsTable.obj │ ├── RegFilter.obj │ └── vc141.pdb └── HiddenCLI ├── Commands.cpp ├── Commands.h ├── Connection.cpp ├── Connection.h ├── Helper.cpp ├── Helper.h ├── HiddenCLI.cpp ├── HiddenCLI.vcxproj ├── HiddenCLI.vcxproj.filters ├── Hide.cpp ├── Hide.h ├── Ignore.cpp ├── Ignore.h ├── Protect.cpp ├── Protect.h ├── Query.cpp ├── Query.h ├── State.cpp ├── State.h └── cli.txt /README.md: -------------------------------------------------------------------------------- 1 | # KernelMode-Bypass 2 | 3 | [[My Website]](https://mitsuzi.xyz/) 4 | 5 | # Important 6 | This is the source of a bypass I made for some games; for now it should work for VAC, BE and EAC. The only downside is that you will need to find an exploit to load the driver. 7 | 8 | # Things To Use 9 | - https://github.com/hfiref0x/TDL/tree/master/Source 10 | - https://github.com/not-wlan/drvmap/tree/master/drvmap 11 | 12 | # Credit 13 | - https://github.com/JKornev/hidden 14 | 15 | # Notes 16 | 17 | Make sure to change some things, just in case they sig it. If you do not understand how drivers work, go ahead and read https://theherobrine9.wixsite.com/website/single-post/2016/08/22/kernel-mode . 
18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /UsermodeProgram/Release/UsermodeProgram.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/Release/UsermodeProgram.exe -------------------------------------------------------------------------------- /UsermodeProgram/Release/UsermodeProgram.iobj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/Release/UsermodeProgram.iobj -------------------------------------------------------------------------------- /UsermodeProgram/Release/UsermodeProgram.ipdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/Release/UsermodeProgram.ipdb -------------------------------------------------------------------------------- /UsermodeProgram/Release/UsermodeProgram.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/Release/UsermodeProgram.pdb -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.27004.2009 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "UsermodeProgram", "UsermodeProgram\UsermodeProgram.vcxproj", "{63092156-4E3F-4E63-AA3F-23E6160E5B36}" 7 | 
EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {63092156-4E3F-4E63-AA3F-23E6160E5B36}.Debug|x64.ActiveCfg = Debug|x64
17 | {63092156-4E3F-4E63-AA3F-23E6160E5B36}.Debug|x64.Build.0 = Debug|x64
18 | {63092156-4E3F-4E63-AA3F-23E6160E5B36}.Debug|x86.ActiveCfg = Debug|Win32
19 | {63092156-4E3F-4E63-AA3F-23E6160E5B36}.Debug|x86.Build.0 = Debug|Win32
20 | {63092156-4E3F-4E63-AA3F-23E6160E5B36}.Release|x64.ActiveCfg = Release|x64
21 | {63092156-4E3F-4E63-AA3F-23E6160E5B36}.Release|x64.Build.0 = Release|x64
22 | {63092156-4E3F-4E63-AA3F-23E6160E5B36}.Release|x86.ActiveCfg = Release|Win32
23 | {63092156-4E3F-4E63-AA3F-23E6160E5B36}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {44E8368C-32F5-46DB-B0DF-D9CD7CEC14FB}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/UsermodeProgram/UsermodeProgram/Driver.h:
--------------------------------------------------------------------------------
1 | #include
2 | #include "stdafx.h"
3 |
// IOCTL codes understood by the companion kernel driver: FILE_DEVICE_UNKNOWN
// device type, function numbers in the 0x800+ vendor range, METHOD_BUFFERED
// (request and reply travel through one system-copied buffer).
// NOTE(review): UsermodeProgram.log reports warning C4005 - IO_READ_REQUEST is
// redefined in UsermodeProgram.cpp(74); one of the two definitions should go.
4 | #define READ_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
5 | #define WRITE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
6 | #define SET_ID_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
7 | #define GET_MODULE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
8 | #define IO_READ_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x804, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
9 |
// Hard-coded offsets into the target game's memory layout. They are tied to one
// build of the game and are not validated anywhere in this header; presumably
// consumed by UsermodeProgram.cpp, which is not shown here.
// NOTE(review): "ViewTranslastion" is a typo for ViewTranslation; it is a
// public name, so it is left as is.
10 | namespace Offset {
11 | DWORD_PTR GameManager = 0x47F00D0;
12 | DWORD_PTR EntityList = 0xC0;
13 |
14 | DWORD_PTR Entity = 0x0008;
15 | DWORD_PTR EntityRef = 0x20;
16 |
17 | DWORD_PTR EntityInfo = 0x18;
18 | DWORD_PTR MainComponent = 0xB8;
19 | DWORD_PTR ChildComponent = 0x8;
20 | DWORD_PTR Health = 0x108;
21 |
22 | DWORD_PTR PlayerInfo = 0x2A0;
23 | DWORD_PTR PlayerInfoDeref = 0x0;
24 | DWORD_PTR PlayerTeamId = 0x140;
25 | DWORD_PTR PlayerName = 0x158;
26 |
27 | DWORD_PTR FeetPosition = 0x1C0;
28 | DWORD_PTR HeadPosition = 0x160;
29 |
30 | DWORD_PTR WeaponComp = 0x38;
31 | DWORD_PTR WeaponProcessor = 0xF0;
32 | DWORD_PTR Weapon = 0x0;
33 | DWORD_PTR WeaponInfo = 0x110;
34 | DWORD_PTR Spread = 0x2A0;
35 | DWORD_PTR Recoil = 0x2D8;
36 | DWORD_PTR Recoil2 = 0x354;
37 | DWORD_PTR Recoil3 = 0x304;
38 | DWORD_PTR AdsRecoil = 0x330;
39 |
40 | DWORD_PTR Renderer = 0x47A4930;
41 | DWORD_PTR GameRenderer = 0x0;
42 | DWORD_PTR EngineLink = 0xd8;
43 | DWORD_PTR Engine = 0x218;
44 | DWORD_PTR Camera = 0x38;
45 |
46 | DWORD_PTR ViewTranslastion = 0x1A0;
47 | DWORD_PTR ViewRight = 0x170;
48 | DWORD_PTR ViewUp = 0x180;
49 | DWORD_PTR ViewForward = 0x190;
50 | DWORD_PTR FOVX = 0x1B0;
51 | DWORD_PTR FOVY = 0x1C4;
52 | }
53 |
// Payload of READ_REQUEST. RPM passes the same READ_MEM as input and output
// buffer, so the driver returns what it read in `response`. The layout must
// match the kernel side byte-for-byte; that driver does not appear in this
// tree (hidden-master is a different project, see the README credit).
54 | typedef struct _READ_MEM
55 | {
56 | DWORD64 address;
57 | DWORD64 response;
58 | ULONG size;
59 |
60 | } READ_MEM, *PREAD_MEM;
61 |
// Payload of WRITE_REQUEST: `value` (a single float) is written at `address`.
// `size` is forwarded as given by the caller; no other payload type exists.
62 | typedef struct _WRITE_MEM
63 | {
64 | DWORD64 address;
65 | float value;
66 | ULONG size;
67 |
68 | } WRITE_MEM, *PWRITE_MEM;
69 |
// Thin user-mode client for the driver above: opens the device once in the
// constructor and wraps each IOCTL in one method. All methods report failure
// as 0/false; for RPM and GetMainModule that is indistinguishable from a
// genuinely read zero.
// NOTE(review): hDriver is never compared against INVALID_HANDLE_VALUE and
// there is no destructor, so the handle from CreateFileA is never closed.
70 | class Wrappers
71 | {
72 | public:
73 | HANDLE hDriver;
74 | // Opens the device. Despite its name, `RegistryPath` is the path handed to
// CreateFileA (a device / symbolic-link name), not a registry key.
75 | Wrappers(LPCSTR RegistryPath)
76 | {
77 | hDriver = CreateFileA(RegistryPath, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
78 | }
79 |
80 | // Reads `size` bytes at `address` in the process selected by SetTargetPid
// (as far as this header shows) and returns them as a DWORD64.
// NOTE(review): `size` is narrowed from SIZE_T to ULONG in READ_MEM.size, and
// lpBytesReturned is NULL while lpOverlapped is also NULL - the documented
// DeviceIoControl contract requires lpBytesReturned when no OVERLAPPED is used.
81 | DWORD64 RPM(DWORD64 address, SIZE_T size)
82 | {
83 | READ_MEM read;
84 |
85 | read.address = address;
86 | read.size = size;
87 |
88 | if (DeviceIoControl(hDriver, READ_REQUEST, &read, sizeof(read), &read, sizeof(read), 0, 0))
89 | return (DWORD64)read.response;
90 | else
91 | return false;
92 | }
93 |
94 | // Writes the float `value` at `address`; `size` is passed through unchanged.
// Returns true iff DeviceIoControl succeeded (no output buffer is used).
95 | bool WPM(DWORD64 address, float value, SIZE_T size)
96 | {
97 | DWORD bytes;
98 | WRITE_MEM write;
99 |
100 | write.address = address;
101 | write.value = value;
102 | write.size = size;
103 |
104 | if (DeviceIoControl(hDriver, WRITE_REQUEST, &write, sizeof(write), 0, 0, &bytes, NULL))
105 | return true;
106 | else
107 | return false;
108 | }
109 |
110 | // Tells the driver which process id later reads/writes refer to.
// Declared DWORD but only ever yields true/false.
111 | DWORD SetTargetPid(DWORD PID)
112 | {
113 | DWORD Bytes;
114 |
115 | if (DeviceIoControl(hDriver, SET_ID_REQUEST, &PID, sizeof(PID), 0, 0, &Bytes, NULL))
116 | return true;
117 | else
118 | return false;
119 | }
120 |
121 | // Asks the driver for the main module base of the selected process.
// `MainModule` stays uninitialised on failure, but that path returns 0 instead.
// Same lpBytesReturned == NULL issue as RPM.
122 | DWORD64 GetMainModule()
123 | {
124 | DWORD64 MainModule;
125 |
126 | if (DeviceIoControl(hDriver, GET_MODULE_REQUEST, 0, 0, &MainModule, sizeof(MainModule), 0, 0))
127 | return MainModule;
128 | else
129 | return false;
130 | }
131 | };
--------------------------------------------------------------------------------
/UsermodeProgram/UsermodeProgram/Maths.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include
4 |
5 | #define M_PI 3.14159265358979323846264338327950288419716939937510
6 |
7 | // Vector2: plain two-component float vector, data only.
8 | class Vector2
9 | {
10 | public:
11 | Vector2() : x(0.f), y(0.f)
12 | {
13 |
14 | }
15 |
16 | Vector2(float _x, float _y) : x(_x), y(_y)
17 | {
18 |
19 | }
20 | ~Vector2()
21 | {
22 |
23 | }
24 |
25 | float x;
26 | float y;
27 | };
28 |
29 | // Vector3: three-component float vector with dot product, distance and
// component-wise arithmetic.
30 | class Vector3
31 | {
32 | public:
33 | Vector3() : x(0.f), y(0.f), z(0.f)
34 | {
35 |
36 | }
37 |
38 | Vector3(float _x, float _y, float _z) : x(_x), y(_y), z(_z)
39 | {
40 |
41 | }
42 | ~Vector3()
43 | {
44 |
45 | }
46 |
47 | float x;
48 | float y;
49 | float z;
50 |
// Dot product with v (argument taken by value).
51 | inline float Dot(Vector3 v)
52 | {
53 | return x * v.x + y * v.y + z * v.z;
54 | }
55 |
56 |
// Euclidean distance to v. powf(..., 2.0) receives a double literal that is
// converted to float; the outer float() cast is redundant because sqrtf
// already returns float.
inline float Distance(Vector3 v)
57 | {
58 | return float(sqrtf(powf(v.x - x, 2.0) + powf(v.y - y, 2.0) + powf(v.z - z, 2.0)));
59 | }
60 |
// Component-wise arithmetic, arguments by value. Only operator* is
// const-qualified, so operator+/- cannot be invoked on a const Vector3.
61 | Vector3 operator+(Vector3 v)
62 | {
63 | return Vector3(x + v.x, y + v.y, z + v.z);
64 | }
65 |
66 | Vector3 operator-(Vector3 v)
67 | {
68 | return Vector3(x - v.x, y - v.y, z - v.z);
69 | }
70 |
71 | Vector3 operator*(float number) const
72 | {
73 | return Vector3(x * number, y * number, z * number);
74 | }
75 | };
76 |
77 | // Vector4: plain four-component float vector, data only.
78 | class Vector4
79 | {
80 | public:
81 | Vector4() : x(0.f), y(0.f), z(0.f), w(0.f)
82 | {
83 |
84 | }
85 |
86 | Vector4(float _x, float _y, float _z, float _w) : x(_x), y(_y), z(_z), w(_w)
87 | {
88 |
89 | }
90 | ~Vector4()
91 | {
92 |
93 | }
94 |
95 | float x;
96 | float y;
97 | float z;
98 | float w;
99 | };
--------------------------------------------------------------------------------
/UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.log:
--------------------------------------------------------------------------------
1 |  stdafx.cpp
2 | UsermodeProgram.cpp
3 | UsermodeProgram.cpp(74): warning C4005: 'IO_READ_REQUEST': macro redefinition
4 | c:\users\user\desktop\usermodeprogram\usermodeprogram\Driver.h(8): note: see previous definition of 'IO_READ_REQUEST'
5 | UsermodeProgram.cpp(88): warning C4101: 'Return': unreferenced local variable
6 | UsermodeProgram.cpp(230): warning C4244: 'initializing': conversion from 'DWORD64' to 'DWORD_PTR', possible loss of data
7 | UsermodeProgram.cpp(257): warning C4244: 'initializing': conversion from 'DWORD64' to 'DWORD_PTR', possible loss of data
8 | UsermodeProgram.cpp(258): warning C4244: 'initializing': conversion from 'DWORD64' to 'DWORD_PTR', possible loss of data
9 | UsermodeProgram.cpp(259): warning C4244: 'initializing': conversion from 'DWORD64' to 'DWORD_PTR', possible loss of data
10 | UsermodeProgram.cpp(260): warning C4244: 'initializing': conversion from 'DWORD64' to 'DWORD_PTR', possible loss of data
11 |
UsermodeProgram.cpp(261): warning C4244: 'initializing': conversion from 'DWORD64' to 'DWORD_PTR', possible loss of data 12 | UsermodeProgram.cpp(262): warning C4244: 'initializing': conversion from 'DWORD64' to 'DWORD_PTR', possible loss of data 13 | UsermodeProgram.cpp(263): warning C4244: 'initializing': conversion from 'DWORD64' to 'float', possible loss of data 14 | UsermodeProgram.cpp(268): warning C4244: 'initializing': conversion from 'DWORD64' to 'float', possible loss of data 15 | UsermodeProgram.cpp(269): warning C4244: 'initializing': conversion from 'DWORD64' to 'float', possible loss of data 16 | UsermodeProgram.cpp(270): warning C4244: 'initializing': conversion from 'DWORD64' to 'float', possible loss of data 17 | UsermodeProgram.cpp(271): warning C4244: 'initializing': conversion from 'DWORD64' to 'float', possible loss of data 18 | UsermodeProgram.cpp(273): warning C4244: 'argument': conversion from 'float' to 'DWORD64', possible loss of data 19 | UsermodeProgram.cpp(274): warning C4244: 'argument': conversion from 'float' to 'DWORD64', possible loss of data 20 | UsermodeProgram.cpp(275): warning C4244: 'argument': conversion from 'float' to 'DWORD64', possible loss of data 21 | UsermodeProgram.cpp(276): warning C4244: 'argument': conversion from 'float' to 'DWORD64', possible loss of data 22 | UsermodeProgram.cpp(197): warning C4101: 'ProcessId': unreferenced local variable 23 | Generating code 24 | All 201 functions were compiled because no usable IPDB/IOBJ from previous compilation was found. 
25 | Finished generating code 26 | UsermodeProgram.vcxproj -> C:\Users\user\Desktop\UsermodeProgram\Release\UsermodeProgram.exe 27 | -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.obj -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.pch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.pch -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.tlog/UsermodeProgram.lastbuildstate: -------------------------------------------------------------------------------- 1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.16299.0 2 | Release|Win32|C:\Users\user\Desktop\UsermodeProgram\| 3 | -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.tlog/UsermodeProgram.write.1u.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.tlog/UsermodeProgram.write.1u.tlog -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.tlog/link.read.1.tlog 
-------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/UsermodeProgram/Release/UsermodeProgram.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/Release/stdafx.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/UsermodeProgram/Release/stdafx.obj -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/Release/vc141.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/UsermodeProgram/Release/vc141.pdb -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/UsermodeProgram.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/UsermodeProgram/UsermodeProgram.cpp -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/UsermodeProgram.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {63092156-4E3F-4E63-AA3F-23E6160E5B36} 24 | Win32Proj 25 | UsermodeProgram 26 | 
10.0.16299.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Use 88 | Level3 89 | Disabled 90 | true 91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | 93 | 94 | Console 95 | true 96 | 97 | 98 | 99 | 100 | Use 101 | Level3 102 | Disabled 103 | true 104 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 105 | 106 | 107 | Console 108 | true 109 | 110 | 111 | 112 | 113 | Use 114 | Level3 115 | MaxSpeed 116 | true 117 | true 118 | true 119 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | 121 | 122 | Console 123 | true 124 | true 125 | true 126 | 127 | 128 | 129 | 130 | Use 131 | Level3 132 | MaxSpeed 133 | true 134 | true 135 | true 136 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 137 | 138 | 139 | Console 140 | true 141 | true 142 | true 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | Create 154 | Create 155 | Create 156 | Create 157 | 158 | 159 | 160 | 161 | 162 | 163 | -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/UsermodeProgram.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header 
Files 29 | 30 | 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/UsermodeProgram/stdafx.cpp -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/stdafx.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/UsermodeProgram/stdafx.h -------------------------------------------------------------------------------- /UsermodeProgram/UsermodeProgram/targetver.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/UsermodeProgram/UsermodeProgram/targetver.h -------------------------------------------------------------------------------- /hidden-master/Hidden Package/Hidden Package.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {D6C8BE8B-D2E2-40BA-ADAC-E23FD8062E93} 23 | {4605da2c-74a5-4865-98e1-152ef136825f} 24 | v4.5 25 | 11.0 26 | Debug 27 | Win32 28 | Hidden_Package 29 | 30 | 31 | 32 | Windows7 33 | true 34 | WindowsKernelModeDriver10.0 35 | Utility 36 | Package 37 | true 38 | 39 | 40 | Windows7 41 | false 42 | WindowsKernelModeDriver10.0 43 | Utility 44 | Package 45 | true 46 | 47 | 48 | Windows7 49 | true 50 | WindowsKernelModeDriver10.0 51 | Utility 52 | Package 53 | true 54 | 55 | 56 | Windows7 57 
| false 58 | WindowsKernelModeDriver10.0 59 | Utility 60 | Package 61 | true 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | DbgengKernelDebugger 73 | False 74 | True 75 | 76 | 77 | 78 | False 79 | False 80 | True 81 | 82 | 133563 83 | 84 | 85 | DbgengKernelDebugger 86 | False 87 | True 88 | 89 | 90 | 91 | False 92 | False 93 | True 94 | 95 | 133563 96 | 97 | 98 | DbgengKernelDebugger 99 | False 100 | True 101 | 102 | 103 | 104 | False 105 | False 106 | True 107 | 108 | 133563 109 | 110 | 111 | DbgengKernelDebugger 112 | False 113 | True 114 | 115 | 116 | 117 | False 118 | False 119 | True 120 | 121 | 133563 122 | 123 | 124 | 125 | true 126 | 127 | 128 | 129 | 130 | true 131 | 132 | 133 | 134 | 135 | true 136 | 137 | 138 | 139 | 140 | true 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | {3e4bbcd0-dc35-4825-9a8d-8686cdfaa6a8} 149 | 150 | 151 | 152 | 153 | 154 | -------------------------------------------------------------------------------- /hidden-master/Hidden Package/Hidden Package.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {8E41214B-6785-4CFE-B992-037D68949A14} 6 | inf;inv;inx;mof;mc; 7 | 8 | 9 | -------------------------------------------------------------------------------- /hidden-master/Hidden.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.27004.2009 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Hidden", "Hidden\Hidden.vcxproj", "{3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Win32 = Debug|Win32 11 | Debug|x64 = Debug|x64 12 | Release|Win32 = Release|Win32 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = 
postSolution
16 | {3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|Win32.ActiveCfg = Debug|Win32
17 | {3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|Win32.Build.0 = Debug|Win32
18 | {3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|Win32.Deploy.0 = Debug|Win32
19 | {3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|x64.ActiveCfg = Debug|x64
20 | {3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|x64.Build.0 = Debug|x64
21 | {3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Debug|x64.Deploy.0 = Debug|x64
22 | {3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|Win32.ActiveCfg = Release|Win32
23 | {3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|Win32.Build.0 = Release|Win32
24 | {3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|Win32.Deploy.0 = Release|Win32
25 | {3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|x64.ActiveCfg = Release|x64
26 | {3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|x64.Build.0 = Release|x64
27 | {3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8}.Release|x64.Deploy.0 = Release|x64
28 | EndGlobalSection
29 | GlobalSection(SolutionProperties) = preSolution
30 | HideSolutionNode = FALSE
31 | EndGlobalSection
32 | GlobalSection(ExtensibilityGlobals) = postSolution
33 | SolutionGuid = {C5D83A86-0F54-4BDA-AC4B-ADEB0BBB4B23}
34 | EndGlobalSection
35 | EndGlobal
36 |
--------------------------------------------------------------------------------
/hidden-master/Hidden/Configs.c:
--------------------------------------------------------------------------------
1 | #include "Configs.h"
2 |
// Registry-backed configuration for the Hidden driver (upstream JKornev/hidden,
// credited in the README). InitializeConfigs copies the Hid_* values under the
// driver's RegistryPath into one non-paged HidConfigContext; the Cfg*
// accessors serve from it and DestroyConfigs releases it.
// Pool tag for every allocation in this file (appears as "Cnfg" in pool tools,
// since multi-character constants are stored reversed).
3 | #define CONFIG_ALLOC_TAG 'gfnC'
4 |
// state/stealth are REG_DWORD flags reduced to BOOLEAN. The six UNICODE_STRINGs
// hold raw REG_MULTI_SZ blobs as stored by QueryAndAllocRegistryData: embedded
// L'\0' separators, Length == MaximumLength, Buffer NULL when the value is
// absent or empty.
5 | typedef struct _HidConfigContext {
6 | BOOLEAN state;
7 | BOOLEAN stealth;
8 | UNICODE_STRING hideFSDirs;
9 | UNICODE_STRING hideFSFiles;
10 | UNICODE_STRING hideRegKeys;
11 | UNICODE_STRING hideRegValues;
12 | UNICODE_STRING ignoreImages;
13 | UNICODE_STRING protectImages;
14 | } HidConfigContext, *PHidConfigContext;
15 |
// Single global instance; NULL until InitializeConfigs succeeds.
// NOTE(review): DestroyConfigs frees it but never resets it to NULL, so any
// Cfg* call issued after destroy dereferences freed pool.
16 | PHidConfigContext g_configContext = NULL;
17 |
18 | VOID ReleaseConfigContext(PHidConfigContext context);
19 |
20 | NTSTATUS GetRegistryDWORD(HANDLE hKey, LPCWSTR Value, PULONG Data, ULONG Default);
21 | NTSTATUS QueryAndAllocRegistryData(HANDLE hKey, LPCWSTR Value, ULONG Type, PUNICODE_STRING Data, PUNICODE_STRING Default);
22 | VOID ReleaseRegistryData(PUNICODE_STRING Data);
23 |
24 | // =========================================================================================
25 |
// Loads the configuration from the registry key at RegistryPath.
// Returns STATUS_ALREADY_REGISTERED if a context already exists, the ZwOpenKey
// failure code if the key cannot be opened, STATUS_NO_MEMORY if the context
// cannot be allocated, otherwise STATUS_SUCCESS. Missing values fall back to
// their defaults (state=1, stealth=0, empty lists), so a bare key is valid.
// NOTE(review): KEY_ALL_ACCESS is requested although only queries are made;
// KEY_READ (or KEY_QUERY_VALUE) is sufficient and the least-privilege choice.
// NOTE(review): the return values of GetRegistryDWORD and
// QueryAndAllocRegistryData are ignored; the latter can return STATUS_NO_MEMORY
// without touching its Data argument, which is only safe here because `config`
// is zeroed first and ReleaseConfigContext tolerates empty strings.
26 | NTSTATUS InitializeConfigs(PUNICODE_STRING RegistryPath)
27 | {
28 | HidConfigContext config;
29 | OBJECT_ATTRIBUTES attribs;
30 | NTSTATUS status;
31 | HANDLE hkey;
32 | ULONG value;
33 |
34 | if (g_configContext)
35 | return STATUS_ALREADY_REGISTERED;
36 |
// Zeroed so that every UNICODE_STRING is a valid empty string even when a
// query below bails out early.
37 | RtlZeroMemory(&config, sizeof(config));
38 |
39 | InitializeObjectAttributes(&attribs, RegistryPath, 0, NULL, NULL);
40 |
41 | status = ZwOpenKey(&hkey, KEY_ALL_ACCESS, &attribs);
42 | if (!NT_SUCCESS(status))
43 | {
44 | DbgPrint("FsFilter1!" __FUNCTION__ ": can't open config registry key, code:%08x\n", status);
45 | return status;
46 | }
47 |
48 | GetRegistryDWORD(hkey, L"Hid_State", &value, 1);
49 | config.state = (value ? TRUE : FALSE);
50 |
51 | GetRegistryDWORD(hkey, L"Hid_StealthMode", &value, 0);
52 | config.stealth = (value ? TRUE : FALSE);
53 |
54 | QueryAndAllocRegistryData(hkey, L"Hid_HideFsDirs", REG_MULTI_SZ, &config.hideFSDirs, NULL);
55 | QueryAndAllocRegistryData(hkey, L"Hid_HideFsFiles", REG_MULTI_SZ, &config.hideFSFiles, NULL);
56 | QueryAndAllocRegistryData(hkey, L"Hid_HideRegKeys", REG_MULTI_SZ, &config.hideRegKeys, NULL);
57 | QueryAndAllocRegistryData(hkey, L"Hid_HideRegValues", REG_MULTI_SZ, &config.hideRegValues, NULL);
58 |
59 | QueryAndAllocRegistryData(hkey, L"Hid_IgnoredImages", REG_MULTI_SZ, &config.ignoreImages, NULL);
60 | QueryAndAllocRegistryData(hkey, L"Hid_ProtectedImages", REG_MULTI_SZ, &config.protectImages, NULL);
61 |
62 | ZwClose(hkey);
63 |
// The finished context is copied into pool in one step; on failure the
// strings already allocated into `config` are released again.
64 | g_configContext = (PHidConfigContext)ExAllocatePoolWithTag(NonPagedPool, sizeof(config), CONFIG_ALLOC_TAG);
65 | if (!g_configContext)
66 | {
67 | DbgPrint("FsFilter1!" __FUNCTION__ ": can't allocate memory for the config context\n");
68 | ReleaseConfigContext(&config);
69 | return STATUS_NO_MEMORY;
70 | }
71 |
72 | RtlCopyMemory(g_configContext, &config, sizeof(config));
73 |
74 | return STATUS_SUCCESS;
75 | }
76 |
// Releases the list buffers and frees the context. Returns STATUS_NOT_FOUND if
// InitializeConfigs never succeeded. See the NOTE on g_configContext: the
// pointer is left dangling after the free.
77 | NTSTATUS DestroyConfigs()
78 | {
79 | if (!g_configContext)
80 | return STATUS_NOT_FOUND;
81 |
82 | ReleaseConfigContext(g_configContext);
83 | ExFreePoolWithTag(g_configContext, CONFIG_ALLOC_TAG);
84 |
85 | return STATUS_SUCCESS;
86 | }
87 |
88 | // =========================================================================================
89 |
// Hid_State flag; TRUE when no configuration has been loaded.
90 | BOOLEAN CfgGetDriverState()
91 | {
92 | if (!g_configContext)
93 | return TRUE; // Enable by default
94 |
95 | return g_configContext->state;
96 | }
97 |
// Hid_StealthMode flag; FALSE when no configuration has been loaded.
98 | BOOLEAN CfgGetStealthState()
99 | {
100 | if (!g_configContext)
101 | return FALSE; // Disable by default
102 |
103 | return g_configContext->stealth;
104 | }
105 |
// Invokes Callback(entry, Params) once per non-empty string in the selected
// REG_MULTI_SZ table. `entry` is a non-owning UNICODE_STRING view into the
// context buffer (Length == MaximumLength, not to be treated as NUL-terminated)
// and is only valid for the duration of the callback.
// Returns STATUS_NOT_FOUND without a context, STATUS_INVALID_VARIANT for an
// unknown Table, otherwise STATUS_SUCCESS (also for an empty table).
106 | NTSTATUS CfgEnumConfigsTable(enum CfgMultiStringTables Table, CfgMultiStringCallback Callback, PVOID Params)
107 | {
108 | PUNICODE_STRING table;
109 | LPWSTR buffer;
110 | ULONG length;
111 |
112 | if (!g_configContext)
113 | return STATUS_NOT_FOUND;
114 |
115 | switch (Table)
116 | {
117 | case HideFilesTable:
118 | table = &g_configContext->hideFSFiles;
119 | break;
120 | case HideDirsTable:
121 | table = &g_configContext->hideFSDirs;
122 | break;
123 | case HideRegKeysTable:
124 | table = &g_configContext->hideRegKeys;
125 | break;
126 | case HideRegValuesTable:
127 | table = &g_configContext->hideRegValues;
128 | break;
129 | case IgnoreImagesTable:
130 | table = &g_configContext->ignoreImages;
131 | break;
132 | case ProtectImagesTable:
133 | table = &g_configContext->protectImages;
134 | break;
135 | default:
136 | return STATUS_INVALID_VARIANT;
137 | }
138 |
139 | if (table->Length == 0)
140 | return STATUS_SUCCESS;
141 |
142 | buffer = table->Buffer;
143 | length = table->Length;
// `length` counts bytes; the loop stops once fewer than one WCHAR remains.
144 | while (length > 1)
145 | {
146 | UNICODE_STRING entry;
147 | ULONG inx, delta = 0;
148 |
// Scan to the next L'\0'. `delta` records whether a terminator was found so it
// is skipped on advance; a trailing string without terminator is still emitted.
149 | for (inx = 0; inx < length / sizeof(WCHAR); inx++)
150 | {
151 | if (buffer[inx] == L'\0')
152 | {
153 | delta = 1;
154 | break;
155 | }
156 | }
157 |
158 | entry.Buffer = buffer;
159 | entry.Length = (USHORT)(inx * sizeof(WCHAR));
160 | entry.MaximumLength = entry.Length;
161 |
162 | length -= (inx + delta) * sizeof(WCHAR);
163 | buffer += (inx + delta);
164 |
// Empty strings (e.g. the double terminator that ends a REG_MULTI_SZ) are skipped.
165 | if (entry.Length)
166 | Callback(&entry, Params);
167 | }
168 |
169 | return STATUS_SUCCESS;
170 | }
171 |
172 | // =========================================================================================
173 |
// Frees the six list buffers of a context (not the context struct itself).
174 | VOID ReleaseConfigContext(PHidConfigContext context)
175 | {
176 | ReleaseRegistryData(&context->hideFSDirs);
177 | ReleaseRegistryData(&context->hideFSFiles);
178 | ReleaseRegistryData(&context->hideRegKeys);
179 | ReleaseRegistryData(&context->hideRegValues);
180 | ReleaseRegistryData(&context->ignoreImages);
181 | ReleaseRegistryData(&context->protectImages);
182 | }
183 |
// Reads a REG_DWORD value into *Data. On any failure (missing value, wrong
// type, wrong size, buffer too small) *Data receives Default. Always returns
// STATUS_SUCCESS, so callers cannot distinguish "read" from "defaulted".
// NOTE(review): `buffer` is a UCHAR array reinterpreted as
// KEY_VALUE_PARTIAL_INFORMATION; this relies on the stack array being suitably
// aligned for the structure's ULONG members.
184 | NTSTATUS GetRegistryDWORD(HANDLE hKey, LPCWSTR Value, PULONG Data, ULONG Default)
185 | {
186 | UCHAR buffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(ULONG)];
187 | NTSTATUS status;
188 | UNICODE_STRING valueName;
189 | ULONG length;
190 |
191 | RtlInitUnicodeString(&valueName, Value);
192 |
193 | status = ZwQueryValueKey(hKey, &valueName, KeyValuePartialInformation, buffer, sizeof(buffer), &length);
194 | if (NT_SUCCESS(status) && length <= sizeof(buffer))
195 | {
196 | PKEY_VALUE_PARTIAL_INFORMATION info = (PKEY_VALUE_PARTIAL_INFORMATION)buffer;
197 | if (info->Type == REG_DWORD && info->DataLength == sizeof(ULONG))
198 | *Data = *(ULONG*)(info->Data);
199 | else
200 | *Data = Default;
201 | }
202 | else
203 | {
204 | *Data = Default;
205 | }
206 |
207 | return STATUS_SUCCESS;
208 | }
209 |
// Copies a registry value of type `Type` into a freshly allocated non-paged
// buffer described by *Data. If the value is absent, of another type, empty,
// larger than 0xFFFF bytes, or any query step fails, *Data receives a copy of
// *Default (or an empty string when Default is NULL) and the result is still
// STATUS_SUCCESS. STATUS_NO_MEMORY is returned only when a pool allocation
// fails; on the second such failure *Data is NOT written and the Default copy
// has already been released, so callers must pre-initialise *Data.
210 | NTSTATUS QueryAndAllocRegistryData(HANDLE hKey, LPCWSTR Value, ULONG Type, PUNICODE_STRING Data, PUNICODE_STRING Default)
211 | {
212 | PKEY_VALUE_PARTIAL_INFORMATION info = NULL;
213 | UNICODE_STRING valueName;
214 | ULONG length, dataLength;
215 | NTSTATUS status;
216 | PVOID dataBuffer;
217 |
// Start from a private copy of the default so the fallback path can hand it
// out without aliasing the caller's buffer.
218 | if (Default)
219 | {
220 | dataLength = Default->Length;
221 | dataBuffer = ExAllocatePoolWithTag(NonPagedPool, dataLength, CONFIG_ALLOC_TAG);
222 | if (!dataBuffer)
223 | return STATUS_NO_MEMORY;
224 |
225 | RtlCopyMemory(dataBuffer, Default->Buffer, dataLength);
226 | }
227 | else
228 | {
229 | dataLength = 0;
230 | dataBuffer = NULL;
231 | }
232 |
233 | RtlInitUnicodeString(&valueName, Value);
234 |
// Two-step query: probe for the required size, then fetch. A value that does
// not exist fails the probe with neither overflow status and falls through to
// the default.
235 | status = ZwQueryValueKey(hKey, &valueName, KeyValuePartialInformation, NULL, 0, &length);
236 | if (status != STATUS_BUFFER_OVERFLOW && status != STATUS_BUFFER_TOO_SMALL)
237 | goto end_proc;
238 |
239 | if (length < sizeof(KEY_VALUE_PARTIAL_INFORMATION))
240 | goto end_proc;
241 |
242 | info = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, length, CONFIG_ALLOC_TAG);
243 | if (!info)
244 | goto end_proc;
245 |
246 | status = ZwQueryValueKey(hKey, &valueName, KeyValuePartialInformation, info, length, &length);
247 | if (!NT_SUCCESS(status))
248 | goto end_proc;
249 |
250 | if (info->Type != Type)
251 | goto end_proc;
252 |
// 0xFFFF bound: UNICODE_STRING.Length is a USHORT, so larger data could not be
// described without truncation.
253 | if (info->DataLength == 0 || info->DataLength > 0xFFFF)
254 | goto end_proc;
255 |
256 | if (dataBuffer)
257 | ExFreePoolWithTag(dataBuffer, CONFIG_ALLOC_TAG);
258 |
259 | dataLength = info->DataLength;
260 | dataBuffer = ExAllocatePoolWithTag(NonPagedPool, dataLength, CONFIG_ALLOC_TAG);
261 | if (!dataBuffer)
262 | {
// Early return: *Data is left untouched here (see header comment).
263 | ExFreePoolWithTag(info, CONFIG_ALLOC_TAG);
264 | return STATUS_NO_MEMORY;
265 | }
266 |
267 | RtlCopyMemory(dataBuffer, info->Data, dataLength);
268 |
269 | end_proc:
270 |
271 | if (info)
272 | ExFreePoolWithTag(info, CONFIG_ALLOC_TAG);
273 |
274 | Data->Buffer = (PWCH)dataBuffer;
275 | Data->Length = (USHORT)dataLength;
276 | Data->MaximumLength = (USHORT)dataLength;
277 |
278 | return STATUS_SUCCESS;
279 | }
280 |
281 | VOID
ReleaseRegistryData(PUNICODE_STRING Data) 282 | { 283 | if (Data->Length) 284 | ExFreePoolWithTag(Data->Buffer, CONFIG_ALLOC_TAG); 285 | } 286 | -------------------------------------------------------------------------------- /hidden-master/Hidden/Configs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | NTSTATUS InitializeConfigs(PUNICODE_STRING RegistryPath); 6 | NTSTATUS DestroyConfigs(); 7 | 8 | BOOLEAN CfgGetDriverState(); 9 | BOOLEAN CfgGetStealthState(); 10 | 11 | enum CfgMultiStringTables { 12 | HideFilesTable, 13 | HideDirsTable, 14 | HideRegKeysTable, 15 | HideRegValuesTable, 16 | IgnoreImagesTable, 17 | ProtectImagesTable, 18 | MaxTableEntries, 19 | }; 20 | 21 | typedef VOID(NTAPI*CfgMultiStringCallback)(PUNICODE_STRING str, PVOID Params); 22 | 23 | NTSTATUS CfgEnumConfigsTable(enum CfgMultiStringTables Table, CfgMultiStringCallback Callback, PVOID Params); 24 | -------------------------------------------------------------------------------- /hidden-master/Hidden/Device.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | NTSTATUS InitializeDevice(PDRIVER_OBJECT DriverObject); 4 | NTSTATUS DestroyDevice(); 5 | -------------------------------------------------------------------------------- /hidden-master/Hidden/DeviceAPI.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // ======================================== 4 | // Device information 5 | 6 | #define DEVICE_NAME L"\\Device\\discordexp" 7 | #define DOS_DEVICES_LINK_NAME L"\\DosDevices\\discordexp" 8 | #define DEVICE_WIN32_NAME L"\\\\.\\discordexp" 9 | 10 | // ======================================== 11 | // IOCTL codes 12 | 13 | #define HID_IOCTL_SET_DRIVER_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 0), METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 14 | #define HID_IOCTL_GET_DRIVER_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, 
(0x800 + 1), METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 15 | 16 | #define HID_IOCTL_SET_STEALTH_MODE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 2), METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 17 | 18 | #define HID_IOCTL_ADD_HIDDEN_OBJECT CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 60), METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 19 | #define HID_IOCTL_REMOVE_HIDDEN_OBJECT CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 61), METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 20 | #define HID_IOCTL_REMOVE_ALL_HIDDEN_OBJECTS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 62), METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 21 | 22 | #define HID_IOCTL_ADD_OBJECT CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 70), METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 23 | #define HID_IOCTL_GET_OBJECT_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 71), METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 24 | #define HID_IOCTL_SET_OBJECT_STATE CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 72), METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 25 | #define HID_IOCTL_REMOVE_OBJECT CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 73), METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 26 | #define HID_IOCTL_REMOVE_ALL_OBJECTS CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 74), METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 27 | 28 | enum Hid_ObjectTypes { 29 | RegKeyObject, 30 | RegValueObject, 31 | FsFileObject, 32 | FsDirObject, 33 | PsExcludedObject, 34 | PsProtectedObject, 35 | }; 36 | 37 | #pragma pack(push, 4) 38 | 39 | // Fs/Reg packets 40 | 41 | typedef struct _Hid_DriverStatusPacket { 42 | unsigned short state; 43 | unsigned short reserved; 44 | } Hid_DriverStatus, *PHid_DriverStatus; 45 | 46 | typedef struct _Hid_HideObjectPacket { 47 | unsigned short objType; 48 | unsigned short dataSize; 49 | } Hid_HideObjectPacket, *PHid_HideObjectPacket; 50 | 51 | typedef struct _Hid_UnhideObjectPacket { 52 | unsigned short objType; 53 | unsigned short reserved; 54 | unsigned long long id; 55 | } Hid_UnhideObjectPacket, *PHid_UnhideObjectPacket; 56 | 57 | typedef struct _Hid_UnhideAllObjectsPacket { 58 | unsigned short objType; 59 
| unsigned short reserved; 60 | } Hid_UnhideAllObjectsPacket, *PHid_UnhideAllObjectsPacket; 61 | 62 | // Ps packets 63 | 64 | typedef struct _Hid_AddPsObjectPacket { 65 | unsigned short objType; 66 | unsigned short dataSize; 67 | unsigned short inheritType; 68 | unsigned short applyForProcesses; 69 | } Hid_AddPsObjectPacket, *PHid_AddPsObjectPacket; 70 | 71 | typedef struct _Hid_GetPsObjectInfoPacket { 72 | unsigned short objType; 73 | unsigned short inheritType; 74 | unsigned short enable; 75 | unsigned short reserved; 76 | unsigned long procId; 77 | } Hid_GetPsObjectInfoPacket, *PHid_GetPsObjectInfoPacket; 78 | 79 | typedef Hid_GetPsObjectInfoPacket Hid_SetPsObjectInfoPacket; 80 | typedef Hid_GetPsObjectInfoPacket* PHid_SetPsObjectInfoPacket; 81 | 82 | typedef struct _Hid_RemovePsObjectPacket { 83 | unsigned short objType; 84 | unsigned short reserved; 85 | unsigned long long id; 86 | } Hid_RemovePsObjectPacket, *PHid_RemovePsObjectPacket; 87 | 88 | typedef struct _Hid_RemoveAllPsObjectsPacket { 89 | unsigned short objType; 90 | unsigned short reserved; 91 | } Hid_RemoveAllPsObjectsPacket, *PHid_RemoveAllPsObjectsPacket; 92 | 93 | // Result packet 94 | 95 | typedef struct _Hid_StatusPacket { 96 | unsigned int status; 97 | unsigned int dataSize; 98 | union { 99 | unsigned long long id; 100 | unsigned long state; 101 | } info; 102 | } Hid_StatusPacket, *PHid_StatusPacket; 103 | 104 | #pragma pack(pop) 105 | -------------------------------------------------------------------------------- /hidden-master/Hidden/Driver.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "ExcludeList.h" 4 | 5 | #include "RegFilter.h" 6 | #include "FsFilter.h" 7 | #include "PsMonitor.h" 8 | #include "Device.h" 9 | #include "Driver.h" 10 | #include "Configs.h" 11 | #include "Helper.h" 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | #define DRIVER_ALLOC_TAG 'nddH' 19 | 20 | PDRIVER_OBJECT 
g_driverObject = NULL; 21 | 22 | volatile LONG g_driverActive = FALSE; 23 | 24 | // ========================================================================================= 25 | 26 | VOID EnableDisableDriver(BOOLEAN enabled) 27 | { 28 | InterlockedExchange(&g_driverActive, (LONG)enabled); 29 | } 30 | 31 | BOOLEAN IsDriverEnabled() 32 | { 33 | return (g_driverActive ? TRUE : FALSE); 34 | } 35 | 36 | // ========================================================================================= 37 | 38 | ULONGLONG g_hiddenRegConfigId = 0; 39 | ULONGLONG g_hiddenDriverFileId = 0; 40 | 41 | NTSTATUS InitializeStealthMode(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) 42 | { 43 | PLDR_DATA_TABLE_ENTRY LdrEntry; 44 | UNICODE_STRING normalized; 45 | NTSTATUS status; 46 | 47 | if (!CfgGetStealthState()) 48 | return STATUS_SUCCESS; 49 | 50 | LdrEntry = (PLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection; 51 | 52 | normalized.Length = 0; 53 | normalized.MaximumLength = LdrEntry->FullModuleName.Length + NORMALIZE_INCREAMENT; 54 | normalized.Buffer = (PWCH)ExAllocatePoolWithQuotaTag(PagedPool, normalized.MaximumLength, DRIVER_ALLOC_TAG); 55 | 56 | if (!normalized.Buffer) 57 | { 58 | DbgPrint("FsFilter1!" __FUNCTION__ ": error, can't allocate buffer\n"); 59 | return STATUS_MEMORY_NOT_ALLOCATED; 60 | } 61 | 62 | status = NormalizeDevicePath(&LdrEntry->FullModuleName, &normalized); 63 | if (!NT_SUCCESS(status)) 64 | { 65 | DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, &LdrEntry->FullModuleName); 66 | ExFreePoolWithTag(normalized.Buffer, DRIVER_ALLOC_TAG); 67 | return status; 68 | } 69 | 70 | status = AddHiddenFile(&normalized, &g_hiddenDriverFileId); 71 | if (!NT_SUCCESS(status)) 72 | DbgPrint("FsFilter1!" 
__FUNCTION__ ": can't hide self registry key\n"); 73 | 74 | ExFreePoolWithTag(normalized.Buffer, DRIVER_ALLOC_TAG); 75 | 76 | status = AddHiddenRegKey(RegistryPath, &g_hiddenRegConfigId); 77 | if (!NT_SUCCESS(status)) 78 | DbgPrint("FsFilter1!" __FUNCTION__ ": can't hide self registry key\n"); 79 | 80 | return STATUS_SUCCESS; 81 | } 82 | 83 | // ========================================================================================= 84 | 85 | _Function_class_(DRIVER_UNLOAD) 86 | VOID DriverUnload(PDRIVER_OBJECT DriverObject) 87 | { 88 | UNREFERENCED_PARAMETER(DriverObject); 89 | 90 | DestroyDevice(); 91 | DestroyRegistryFilter(); 92 | DestroyFSMiniFilter(); 93 | DestroyPsMonitor(); 94 | } 95 | 96 | #define READ_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 97 | #define WRITE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 98 | #define SET_PID_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 99 | #define GET_MODULE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 100 | #define IO_READ_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x804, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 101 | 102 | ULONG PID; 103 | DWORD64 MainModule; 104 | PEPROCESS process; 105 | 106 | 107 | NTSTATUS NTAPI MmCopyVirtualMemory(IN PEPROCESS SourceProcess, 108 | IN PVOID SourceAddress, 109 | IN PEPROCESS TargetProcess, 110 | OUT PVOID TargetAddress, 111 | IN SIZE_T BufferSize, 112 | IN KPROCESSOR_MODE PreviousMode, 113 | OUT PSIZE_T ReturnSize 114 | ); 115 | 116 | NTKERNELAPI 117 | PVOID 118 | PsGetProcessSectionBaseAddress( 119 | __in PEPROCESS Process 120 | ); 121 | 122 | typedef struct _READ_MEM 123 | { 124 | DWORD64 address; 125 | DWORD64 response; 126 | ULONG size; 127 | 128 | } READ_MEM, *PREAD_MEM; 129 | 130 | typedef struct _WRITE_MEM 131 | { 132 | DWORD64 address; 133 | float value; 134 | ULONG size; 135 | 136 | } WRITE_MEM, *PWRITE_MEM; 137 | 138 | 
// Copies size bytes from src in the globally selected `process` into dest in
// the caller's process. Returns STATUS_SUCCESS on a successful copy and
// STATUS_ACCESS_DENIED on copy failure or on any exception raised inside.
// NOTE(review): `bytes` is an uninitialized pointer passed as ReturnSize, so
// the kernel writes the copied length through an indeterminate address; and
// the third argument of ProbeForRead is the required Alignment, not a length.
NTSTATUS RPM(PVOID src, PVOID dest, SIZE_T size)
{
	PSIZE_T bytes;
	__try
	{
		// Probes src in the caller's address space, although src belongs to `process`.
		ProbeForRead(src, size, (ULONG)size);
		// Use MmCopyVirtualMemory to copy memory from the target process into the caller's buffer
		if (NT_SUCCESS(MmCopyVirtualMemory(process, src, PsGetCurrentProcess(), dest, size, KernelMode, &bytes)))
			return STATUS_SUCCESS;
		else
			return STATUS_ACCESS_DENIED;
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		return STATUS_ACCESS_DENIED;
	}
}

// Mirror of RPM: copies size bytes from src in the caller's process to dest in
// the globally selected `process`. Same return values and the same
// uninitialized `bytes` / Alignment-argument issues as RPM.
NTSTATUS WPM(PVOID src, PVOID dest, SIZE_T size)
{
	PSIZE_T bytes;
	__try
	{
		// Probes dest in the caller's address space, although dest belongs to `process`.
		ProbeForWrite(dest, size, (ULONG)size);
		// Use MmCopyVirtualMemory to copy memory from the caller's buffer into the target process
		if (NT_SUCCESS(MmCopyVirtualMemory(PsGetCurrentProcess(), src, process, dest, size, KernelMode, &bytes)))
			return STATUS_SUCCESS;
		else
			return STATUS_ACCESS_DENIED;
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		return STATUS_ACCESS_DENIED;
	}
}


// IO_READ_REQUEST buffer: PIDs the user-mode side reports; a zero field leaves
// the corresponding global untouched.
typedef struct _KERNEL_READ_REQUEST
{
	ULONG ProtectedProgram;
	ULONG LSASS;
	ULONG CSRSS;
	ULONG CSRSS2;

} KERNEL_READ_REQUEST, *PKERNEL_READ_REQUEST;

// Exported through Driver.h; how other modules use these PIDs is not visible here.
ULONG ProtectedProgramPID = 0;
ULONG LsassPID = 0;
ULONG CsrssPID = 0;
ULONG CsrssSecondPID = 0;

// IRP_MJ_DEVICE_CONTROL handler for the READ/WRITE/SET_PID/GET_MODULE/IO_READ
// family. Every branch completes the IRP with STATUS_SUCCESS; unknown codes
// also complete with STATUS_SUCCESS and zero bytes.
//
// NOTE(review), risk summary for whoever maintains or audits this:
//  - Irp->AssociatedIrp.SystemBuffer is dereferenced without checking
//    stack->Parameters.DeviceIoControl.InputBufferLength/OutputBufferLength
//    against the expected struct size, so a short buffer is read past its end.
//  - PsLookupProcessByProcessId's status is ignored and the referenced
//    EPROCESS is never released with ObDereferenceObject, leaking a reference
//    per call and leaving `process` stale (or unchanged) when the lookup fails.
//  - Information is set to sizeof(PREAD_MEM)/sizeof(PWRITE_MEM)/sizeof(Input)/
//    sizeof(Module), i.e. the size of a pointer, not of the data returned.
//  - The 0x7FFFFFFFFFFF bound only rejects kernel-range addresses; there is no
//    check on size, and no authorization of the caller beyond device access.
NTSTATUS DriverDispatch(PDEVICE_OBJECT pDeviceObject, PIRP Irp)
{
	NTSTATUS status = STATUS_SUCCESS;
	ULONG bytes = 0;

	PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);

	// Get the IOCTL code
	ULONG IOcode = stack->Parameters.DeviceIoControl.IoControlCode;


	if (IOcode == READ_REQUEST)
	{
		// Get the struct address from the irp buffer
		PREAD_MEM read = (PREAD_MEM)Irp->AssociatedIrp.SystemBuffer;

		// Only user-mode range addresses are accepted (the client occasionally sends bad ones)
		if (read->address < 0x7FFFFFFFFFFF)
		{
			PsLookupProcessByProcessId((HANDLE)PID, &process);
			RPM(read->address, &read->response, read->size);
		}

		status = STATUS_SUCCESS;
		bytes = sizeof(PREAD_MEM);
	}
	else if (IOcode == IO_READ_REQUEST)
	{
		// Get the input buffer & format it to our struct
		PKERNEL_READ_REQUEST ReadInput = (PKERNEL_READ_REQUEST)Irp->AssociatedIrp.SystemBuffer;

		if (ReadInput->ProtectedProgram != 0)
		{
			ProtectedProgramPID = ReadInput->ProtectedProgram;
		}
		if (ReadInput->LSASS != 0)
		{
			LsassPID = ReadInput->LSASS;
		}

		if (ReadInput->CSRSS != 0)
		{
			CsrssPID = ReadInput->CSRSS;
		}

		if (ReadInput->CSRSS2 != 0)
		{
			CsrssSecondPID = ReadInput->CSRSS2;
		}

		status = STATUS_SUCCESS;
		bytes = sizeof(KERNEL_READ_REQUEST);
	}
	else if (IOcode == WRITE_REQUEST)
	{
		// Get the struct address from the irp buffer
		PWRITE_MEM write = (PWRITE_MEM)Irp->AssociatedIrp.SystemBuffer;

		// Only user-mode range addresses are accepted (the client occasionally sends bad ones)
		if (write->address < 0x7FFFFFFFFFFF)
		{
			PsLookupProcessByProcessId((HANDLE)PID, &process);
			// write->size bytes are copied from a 4-byte float field.
			WPM(&write->value, write->address, write->size);
		}

		status = STATUS_SUCCESS;
		bytes = sizeof(PWRITE_MEM);
	}
	else if (IOcode == SET_PID_REQUEST)
	{
		// Get address of var where to read the PID from
		PULONG Input = (PULONG)Irp->AssociatedIrp.SystemBuffer;
		PID = *Input;

		status = STATUS_SUCCESS;
		bytes = sizeof(Input);
	}
	else if (IOcode == GET_MODULE_REQUEST)
	{
		// Get address of var where to store the main module base address
		PDWORD64 Module = (PDWORD64)Irp->AssociatedIrp.SystemBuffer;
		PsLookupProcessByProcessId((HANDLE)PID, &process);

		// Attach to the process and get its base
		KeAttachProcess((PKPROCESS)process);
		*Module = PsGetProcessSectionBaseAddress(process);
		KeDetachProcess();

		status = STATUS_SUCCESS;
		bytes = sizeof(Module);
	}

	// Finish our request
	Irp->IoStatus.Status = status;
	Irp->IoStatus.Information = bytes;
	IoCompleteRequest(Irp, IO_NO_INCREMENT);

	return status;
}

// Driver entry point: loads configuration, starts the process monitor, the
// file-system mini-filter, the registry filter and the control device, applies
// stealth mode, then installs DriverDispatch as the IRP_MJ_DEVICE_CONTROL
// handler (overwriting whatever InitializeDevice installed, if anything) and
// the unload routine. Every initialization failure is only logged; the
// function always returns STATUS_SUCCESS, so the driver stays loaded in a
// partially initialized state.
_Function_class_(DRIVER_INITIALIZE)
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
	NTSTATUS status;

	// Marked unreferenced although it is used below; harmless.
	UNREFERENCED_PARAMETER(RegistryPath);

	EnableDisableDriver(TRUE);

	status = InitializeConfigs(RegistryPath);
	if (!NT_SUCCESS(status))
		DbgPrint("FsFilter1!" __FUNCTION__ ": can't initialize configs\n");

	EnableDisableDriver(CfgGetDriverState());

	status = InitializePsMonitor(DriverObject);
	if (!NT_SUCCESS(status))
		DbgPrint("FsFilter1!" __FUNCTION__ ": object monitor didn't start\n");

	status = InitializeFSMiniFilter(DriverObject);
	if (!NT_SUCCESS(status))
		DbgPrint("FsFilter1!" __FUNCTION__ ": file-system mini-filter didn't start\n");

	status = InitializeRegistryFilter(DriverObject);
	if (!NT_SUCCESS(status))
		DbgPrint("FsFilter1!" __FUNCTION__ ": registry filter didn't start\n");

	status = InitializeDevice(DriverObject);
	if (!NT_SUCCESS(status))
		DbgPrint("FsFilter1!" __FUNCTION__ ": can't create device\n");

	status = InitializeStealthMode(DriverObject, RegistryPath);
	if (!NT_SUCCESS(status))
		DbgPrint("FsFilter1!" __FUNCTION__ ": can't activate stealth mode\n");

	// Configuration is consumed at load time only; see the note on DestroyConfigs
	// in Configs.c about the pointer it leaves behind.
	DestroyConfigs();

	DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverDispatch;

	DriverObject->DriverUnload = DriverUnload;
	g_driverObject = DriverObject;

	return STATUS_SUCCESS;
}

/* -------------------------------------------------------------------------------- */
/* /hidden-master/Hidden/Driver.h                                                  */
/* -------------------------------------------------------------------------------- */
#pragma once

VOID EnableDisableDriver(BOOLEAN enabled);
BOOLEAN IsDriverEnabled();

// PIDs reported by the user-mode client through IO_READ_REQUEST (defined in Driver.c).
extern ULONG ProtectedProgramPID;
extern ULONG LsassPID;
extern ULONG CsrssPID;
extern ULONG CsrssSecondPID;

/* -------------------------------------------------------------------------------- */
/* /hidden-master/Hidden/ExcludeList.h                                             */
/* -------------------------------------------------------------------------------- */
#pragma once

//#include
#include

enum ExcludeObjectType {
	ExcludeFile,
	ExcludeDirectory,
	ExcludeRegKey,
	ExcludeRegValue ,
	ExcludeMaxType,
};

// Opaque list handle; the implementation lives in ExcludeList.c (not visible here).
typedef PVOID ExcludeContext;
typedef ExcludeContext* PExcludeContext;

typedef ULONGLONG ExcludeEntryId;
typedef ExcludeEntryId* PExcludeEntryId;

typedef ULONGLONG ExcludeEnumId;
typedef ExcludeEnumId* PExcludeEnumId;

NTSTATUS InitializeExcludeListContext(PExcludeContext Context, UINT32 Type);
VOID DestroyExcludeListContext(ExcludeContext Context);

// Adders return the new entry's id through EntryId; ParentId links an entry to a parent entry.
NTSTATUS AddExcludeListFile(ExcludeContext Context, PUNICODE_STRING FilePath, PExcludeEntryId EntryId, ExcludeEntryId ParentId);
NTSTATUS AddExcludeListDirectory(ExcludeContext Context, PUNICODE_STRING DirPath, PExcludeEntryId EntryId, ExcludeEntryId ParentId);
NTSTATUS AddExcludeListRegistryKey(ExcludeContext Context, PUNICODE_STRING KeyPath, PExcludeEntryId EntryId, ExcludeEntryId ParentId);
NTSTATUS AddExcludeListRegistryValue(ExcludeContext Context, PUNICODE_STRING ValuePath, PExcludeEntryId EntryId, ExcludeEntryId ParentId);

NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId);
NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context);

BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path);
BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path);
BOOLEAN CheckExcludeListDirFile(ExcludeContext Context, PCUNICODE_STRING Dir, PCUNICODE_STRING File);

BOOLEAN CheckExcludeListRegKey(ExcludeContext Context, PUNICODE_STRING Key);
BOOLEAN CheckExcludeListRegKeyValueName(ExcludeContext Context, PUNICODE_STRING Key, PUNICODE_STRING Name, PUINT32 Increament);

/* -------------------------------------------------------------------------------- */
/* /hidden-master/Hidden/FsFilter.h                                                */
/* -------------------------------------------------------------------------------- */
#pragma once

#include

NTSTATUS InitializeFSMiniFilter(PDRIVER_OBJECT DriverObject);
NTSTATUS DestroyFSMiniFilter();

NTSTATUS AddHiddenFile(PUNICODE_STRING FilePath, PULONGLONG ObjId);
NTSTATUS RemoveHiddenFile(ULONGLONG ObjId);
NTSTATUS RemoveAllHiddenFiles();

NTSTATUS AddHiddenDir(PUNICODE_STRING DirPath, PULONGLONG ObjId);
NTSTATUS RemoveHiddenDir(ULONGLONG ObjId);
NTSTATUS RemoveAllHiddenDirs();

/* -------------------------------------------------------------------------------- */
/* /hidden-master/Hidden/Helper.c                                                  */
/* -------------------------------------------------------------------------------- */
#include "Helper.h"

#define HELPER_ALLOC_TAG 'rplH'

// Queries a SYSTEM_INFORMATION_CLASS into a NonPagedPool buffer (HELPER_ALLOC_TAG)
// that the caller releases with FreeInformation. *InfoBuffer/*InfoSize are set
// only on success. Returns the query status; STATUS_ACCESS_DENIED stands in for
// an allocation failure. Note the initial sizing call must fail with
// STATUS_INFO_LENGTH_MISMATCH, otherwise its status is returned as-is.
NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffer, PSIZE_T InfoSize)
{
	PVOID info = NULL;
	NTSTATUS status;
	ULONG size = 0, written = 0;

	// Query required size
	status = ZwQuerySystemInformation(Class, 0, 0, &size);
	if (status != STATUS_INFO_LENGTH_MISMATCH)
		return status;

	// Retry while the required size keeps growing (e.g. the process list changed).
	while (status == STATUS_INFO_LENGTH_MISMATCH)
	{
		size += written; // We should allocate a little bit more space

		if (info)
			ExFreePoolWithTag(info, HELPER_ALLOC_TAG);

		info = ExAllocatePoolWithTag(NonPagedPool, size, HELPER_ALLOC_TAG);
		if (!info)
			break;

		status = ZwQuerySystemInformation(Class, info, size, &written);
	}

	if (!info)
		return STATUS_ACCESS_DENIED;

	if (!NT_SUCCESS(status))
	{
		ExFreePoolWithTag(info, HELPER_ALLOC_TAG);
		return status;
	}

	*InfoBuffer = info;
	*InfoSize = size; // allocated size, which may exceed the bytes actually written

	return status;
}

// Same contract as QuerySystemInformation, for ZwQueryInformationProcess on
// the given Process handle.
NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE Process, PVOID* InfoBuffer, PSIZE_T InfoSize)
{
	PVOID info = NULL;
	NTSTATUS status;
	ULONG size = 0, written = 0;

	// Query required size
	status = ZwQueryInformationProcess(Process, Class, 0, 0, &size);
	if (status != STATUS_INFO_LENGTH_MISMATCH)
		return status;

	while (status == STATUS_INFO_LENGTH_MISMATCH)
	{
		size += written; // We should allocate a little bit more space

		if (info)
			ExFreePoolWithTag(info, HELPER_ALLOC_TAG);

		info = ExAllocatePoolWithTag(NonPagedPool, size, HELPER_ALLOC_TAG);
		if (!info)
			break;

		status = ZwQueryInformationProcess(Process, Class, info, size, &written);
	}

	if (!info)
		return STATUS_ACCESS_DENIED;

	if (!NT_SUCCESS(status))
	{
		ExFreePoolWithTag(info, HELPER_ALLOC_TAG);
		return status;
	}

	*InfoBuffer = info;
	*InfoSize = size;

	return status;
}

// Releases a buffer returned by the two Query*Information functions.
VOID FreeInformation(PVOID Buffer)
{
	ExFreePoolWithTag(Buffer, HELPER_ALLOC_TAG);
}

// Opens the symbolic link named by Link and writes its target into Resolved,
// whose Buffer/MaximumLength the caller must have set. Returns the open or
// query status.
NTSTATUS ResolveSymbolicLink(PUNICODE_STRING Link, PUNICODE_STRING Resolved)
{
	OBJECT_ATTRIBUTES attribs;
	HANDLE hsymLink;
	ULONG written;
	NTSTATUS status = STATUS_SUCCESS;

	// Open symlink

	InitializeObjectAttributes(&attribs, Link, OBJ_KERNEL_HANDLE, NULL, NULL);

	status = ZwOpenSymbolicLinkObject(&hsymLink, GENERIC_READ, &attribs);
	if (!NT_SUCCESS(status))
		return status;

	// Query original name

	status = ZwQuerySymbolicLinkObject(hsymLink, Resolved, &written);
	ZwClose(hsymLink);
	if (!NT_SUCCESS(status))
		return status;

	return status;
}

//
// Conversion template:
// \\??\\C:\\Windows -> \\Device\\HarddiskVolume1\\Windows
//
// Rewrites Path into Normalized (caller-allocated) as a \Device\-rooted path.
// Three input forms are handled: \??\<link>\..., an already \Device\ path
// (copied verbatim) and \SystemRoot\... (resolved through the SystemRoot
// link and then the volume link). Anything else gives STATUS_INVALID_PARAMETER.
// NOTE(review): in the \??\ branch the loop bound `i < subPath.Length` counts
// bytes while indexing WCHARs, so it can scan past the end of the string if no
// backslash is found; in the \SystemRoot\ branch winDir.Buffer/MaximumLength
// stay unset if resolvedLink contains no backslash.
NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized)
{
	UNICODE_STRING globalPrefix, dvcPrefix, sysrootPrefix;
	NTSTATUS status;

	RtlInitUnicodeString(&globalPrefix, L"\\??\\");
	RtlInitUnicodeString(&dvcPrefix, L"\\Device\\");
	RtlInitUnicodeString(&sysrootPrefix, L"\\SystemRoot\\");

	if (RtlPrefixUnicodeString(&globalPrefix, Path, TRUE))
	{
		OBJECT_ATTRIBUTES attribs;
		UNICODE_STRING subPath;
		HANDLE hsymLink;
		ULONG i, written, size;

		// Isolate the first component after \??\ (the drive link, e.g. C:).
		subPath.Buffer = (PWCH)((PUCHAR)Path->Buffer + globalPrefix.Length);
		subPath.Length = Path->Length - globalPrefix.Length;

		for (i = 0; i < subPath.Length; i++)
		{
			if (subPath.Buffer[i] == L'\\')
			{
				subPath.Length = (USHORT)(i * sizeof(WCHAR));
				break;
			}
		}

		if (subPath.Length == 0)
			return STATUS_INVALID_PARAMETER_1;

		// Re-base subPath to include the \??\ prefix: "\??\C:".
		subPath.Buffer = Path->Buffer;
		subPath.Length += globalPrefix.Length;
		subPath.MaximumLength = subPath.Length;

		// Open symlink

		InitializeObjectAttributes(&attribs, &subPath, OBJ_KERNEL_HANDLE, NULL, NULL);

		status = ZwOpenSymbolicLinkObject(&hsymLink, GENERIC_READ, &attribs);
		if (!NT_SUCCESS(status))
			return status;

		// Query original name

		status = ZwQuerySymbolicLinkObject(hsymLink, Normalized, &written);
		ZwClose(hsymLink);
		if (!NT_SUCCESS(status))
			return status;

		// Construct new variable

		size = Path->Length - subPath.Length + Normalized->Length;
		if (size > Normalized->MaximumLength)
			return STATUS_BUFFER_OVERFLOW;

		// Remainder of the original path after the drive link.
		subPath.Buffer = (PWCH)((PUCHAR)Path->Buffer + subPath.Length);
		subPath.Length = Path->Length - subPath.Length;
		subPath.MaximumLength = subPath.Length;

		status = RtlAppendUnicodeStringToString(Normalized, &subPath);
		if (!NT_SUCCESS(status))
			return status;
	}
	else if (RtlPrefixUnicodeString(&dvcPrefix, Path, TRUE))
	{
		Normalized->Length = 0;
		status = RtlAppendUnicodeStringToString(Normalized, Path);
		if (!NT_SUCCESS(status))
			return status;
	}
	else if (RtlPrefixUnicodeString(&sysrootPrefix, Path, TRUE))
	{
		UNICODE_STRING subPath, resolvedLink, winDir;
		WCHAR buffer[64];
		SHORT i;

		// Open symlink

		// "\SystemRoot" without the trailing backslash.
		subPath.Buffer = sysrootPrefix.Buffer;
		subPath.MaximumLength = subPath.Length = sysrootPrefix.Length - sizeof(WCHAR);

		resolvedLink.Buffer = buffer;
		resolvedLink.Length = 0;
		resolvedLink.MaximumLength = sizeof(buffer); // 64 WCHARs = 128 bytes

		status = ResolveSymbolicLink(&subPath, &resolvedLink);
		if (!NT_SUCCESS(status))
			return status;

		// \Device\Harddisk0\Partition0\Windows -> \Device\Harddisk0\Partition0

		// Split off the last component (\Windows) into winDir; resolvedLink keeps the partition path.
		winDir.Length = 0;
		for (i = (resolvedLink.Length - sizeof(WCHAR)) / sizeof(WCHAR); i >= 0; i--)
		{
			if (resolvedLink.Buffer[i] == L'\\')
			{
				winDir.Buffer = resolvedLink.Buffer + i;
				winDir.Length = resolvedLink.Length - (i * sizeof(WCHAR));
				winDir.MaximumLength = winDir.Length;
				resolvedLink.Length = (i * sizeof(WCHAR));
				break;
			}
		}

		// \Device\Harddisk0\Partition0 -> \Device\HarddiskVolume1

		status = ResolveSymbolicLink(&resolvedLink, Normalized);
		if (!NT_SUCCESS(status))
			return status;

		// Construct new variable

		// Remainder of the original path starting at the backslash after \SystemRoot.
		subPath.Buffer = (PWCHAR)((PCHAR)Path->Buffer + sysrootPrefix.Length - sizeof(WCHAR));
		subPath.MaximumLength = subPath.Length = Path->Length - sysrootPrefix.Length + sizeof(WCHAR);

		status = RtlAppendUnicodeStringToString(Normalized, &winDir);
		if (!NT_SUCCESS(status))
			return status;

		status = RtlAppendUnicodeStringToString(Normalized, &subPath);
		if (!NT_SUCCESS(status))
			return status;
	}
	else
	{
		return STATUS_INVALID_PARAMETER;
	}

	return STATUS_SUCCESS;
}

/* -------------------------------------------------------------------------------- */
/* /hidden-master/Hidden/Helper.h                                                  */
/* -------------------------------------------------------------------------------- */
#pragma once

#include

// Locally declared subset of the native information classes used by this driver.
typedef enum _SYSTEM_INFORMATION_CLASS {
	SystemBasicInformation = 0,
	SystemPerformanceInformation = 2,
	SystemTimeOfDayInformation = 3,
	SystemProcessInformation = 5,
	SystemProcessorPerformanceInformation = 8,
	SystemInterruptInformation = 23,
	SystemExceptionInformation = 33,
	SystemRegistryQuotaInformation = 37,
	SystemLookasideInformation = 45,
	SystemPolicyInformation = 134,
} SYSTEM_INFORMATION_CLASS;

// Layout of a SystemProcessInformation record; the struct continues on the next line of this listing.
typedef struct _SYSTEM_PROCESS_INFORMATION {
	ULONG NextEntryOffset;
	ULONG NumberOfThreads;
	LARGE_INTEGER Reserved[3];
	LARGE_INTEGER CreateTime;
	LARGE_INTEGER UserTime;
	LARGE_INTEGER KernelTime;
	UNICODE_STRING ImageName;
	KPRIORITY BasePriority;
	HANDLE ProcessId;
	HANDLE InheritedFromProcessId;
	ULONG HandleCount;
	UCHAR Reserved4[4];
	PVOID Reserved5[11];
	SIZE_T PeakPagefileUsage;
	SIZE_T PrivatePageCount;
	LARGE_INTEGER
Reserved6[6]; 35 | } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; 36 | 37 | typedef struct _LDR_DATA_TABLE_ENTRY { 38 | LIST_ENTRY LoadOrder; 39 | LIST_ENTRY MemoryOrder; 40 | LIST_ENTRY InitializationOrder; 41 | PVOID ModuleBaseAddress; 42 | PVOID EntryPoint; 43 | ULONG ModuleSize; 44 | UNICODE_STRING FullModuleName; 45 | UNICODE_STRING ModuleName; 46 | ULONG Flags; 47 | USHORT LoadCount; 48 | USHORT TlsIndex; 49 | union { 50 | LIST_ENTRY Hash; 51 | struct { 52 | PVOID SectionPointer; 53 | ULONG CheckSum; 54 | } s; 55 | } u; 56 | ULONG TimeStamp; 57 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; 58 | 59 | NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation( 60 | _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, 61 | _Inout_ PVOID SystemInformation, 62 | _In_ ULONG SystemInformationLength, 63 | _Out_opt_ PULONG ReturnLength 64 | ); 65 | 66 | NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess( 67 | _In_ HANDLE ProcessHandle, 68 | _In_ PROCESSINFOCLASS ProcessInformationClass, 69 | _Out_ PVOID ProcessInformation, 70 | _In_ ULONG ProcessInformationLength, 71 | _Out_opt_ PULONG ReturnLength 72 | ); 73 | 74 | NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffer, PSIZE_T InfoSize); 75 | NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE ProcessId, PVOID* InfoBuffer, PSIZE_T InfoSize); 76 | VOID FreeInformation(PVOID Buffer); 77 | 78 | #define NORMALIZE_INCREAMENT (USHORT)128 79 | 80 | NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized); 81 | -------------------------------------------------------------------------------- /hidden-master/Hidden/Hidden.inf: -------------------------------------------------------------------------------- 1 | ;;; 2 | ;;; Hidden 3 | ;;; 4 | 5 | [Version] 6 | Signature = "$Windows NT$" 7 | ; TODO - Change the Class and ClassGuid to match the Load Order Group value, see http://msdn.microsoft.com/en-us/windows/hardware/gg462963 8 | Class = "ActivityMonitor" 
;This is determined by the work this filter driver does 9 | ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value 10 | ;Class = "_TODO_Change_Class_appropriately_" 11 | ;ClassGuid = {_TODO_Change_ClassGuid_appropriately_} 12 | Provider = %ManufacturerName% 13 | DriverVer = 3/27/2016 14 | CatalogFile = Hidden.cat 15 | 16 | [DestinationDirs] 17 | DefaultDestDir = 12 18 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers 19 | 20 | ;; 21 | ;; Default install sections 22 | ;; 23 | 24 | [DefaultInstall] 25 | OptionDesc = %ServiceDescription% 26 | CopyFiles = MiniFilter.DriverFiles 27 | 28 | [DefaultInstall.Services] 29 | AddService = %ServiceName%,,MiniFilter.Service 30 | 31 | ;; 32 | ;; Default uninstall sections 33 | ;; 34 | 35 | [DefaultUninstall] 36 | DelFiles = MiniFilter.DriverFiles 37 | 38 | [DefaultUninstall.Services] 39 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting 40 | 41 | ; 42 | ; Services Section 43 | ; 44 | 45 | [MiniFilter.Service] 46 | DisplayName = %ServiceName% 47 | Description = %ServiceDescription% 48 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\ 49 | Dependencies = "FltMgr" 50 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER 51 | StartType = 3 ;SERVICE_DEMAND_START 52 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL 53 | ; TODO - Change the Load Order Group value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512 54 | LoadOrderGroup = "FSFilter Activity Monitor" 55 | ;LoadOrderGroup = "_TODO_Change_LoadOrderGroup_appropriately_" 56 | AddReg = MiniFilter.AddRegistry 57 | 58 | ; 59 | ; Registry Modifications 60 | ; 61 | 62 | [MiniFilter.AddRegistry] 63 | HKR,,"DebugFlags",0x00010001 ,0x0 64 | HKR,,"SupportedFeatures",0x00010001,0x3 65 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% 66 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% 67 | 
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% 68 | 69 | ; 70 | ; Copy Files 71 | ; 72 | 73 | [MiniFilter.DriverFiles] 74 | %DriverName%.sys 75 | 76 | [SourceDisksFiles] 77 | Hidden.sys = 1,, 78 | 79 | [SourceDisksNames] 80 | 1 = %DiskId1%,,, 81 | 82 | ;; 83 | ;; String Section 84 | ;; 85 | 86 | [Strings] 87 | ; TODO - Add your manufacturer 88 | ManufacturerName = "Template" 89 | ServiceDescription = "Hidden Kernel Driver" 90 | ServiceName = "Hidden" 91 | DriverName = "Hidden" 92 | DiskId1 = "Hidden Device Installation Disk" 93 | 94 | ;Instances specific information. 95 | DefaultInstance = "Hidden Instance" 96 | Instance1.Name = "Hidden Instance" 97 | ; TODO - Change the altitude value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512 98 | Instance1.Altitude = "370030" 99 | ;Instance.Altitude = "_TODO_Change_Altitude_appropriately_" 100 | Instance1.Flags = 0x0 ; Allow all attachments 101 | -------------------------------------------------------------------------------- /hidden-master/Hidden/Hidden.rc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | 5 | #define VER_FILETYPE VFT_DRV 6 | #define VER_FILESUBTYPE VFT2_DRV_SYSTEM 7 | #define VER_FILEDESCRIPTION_STR "Hidden Kernel Driver" 8 | #define VER_INTERNALNAME_STR "Hidden.sys" 9 | 10 | #include "common.ver" 11 | -------------------------------------------------------------------------------- /hidden-master/Hidden/Hidden.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | {3E4BBCD0-DC35-4825-9A8D-8686CDFAA6A8} 36 | {f2f62967-0815-4fd7-9b86-6eedcac766eb} 37 | v4.5 38 | 11.0 39 | Debug 40 | Win32 41 | Hidden 42 | 43 | 44 | 45 | Windows7 46 | true 47 | 
WindowsKernelModeDriver10.0 48 | Driver 49 | WDM 50 | 51 | 52 | Windows7 53 | false 54 | WindowsKernelModeDriver10.0 55 | Driver 56 | WDM 57 | 58 | 59 | Windows7 60 | true 61 | WindowsKernelModeDriver10.0 62 | Driver 63 | WDM 64 | 65 | 66 | Windows7 67 | false 68 | WindowsKernelModeDriver10.0 69 | Driver 70 | WDM 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | DbgengKernelDebugger 82 | $(SolutionDir)$(ConfigurationName)\ 83 | 84 | 85 | DbgengKernelDebugger 86 | $(SolutionDir)$(ConfigurationName)\ 87 | 88 | 89 | DbgengKernelDebugger 90 | $(SolutionDir)$(Platform)\$(ConfigurationName)\ 91 | 92 | 93 | DbgengKernelDebugger 94 | $(SolutionDir)$(Platform)\$(ConfigurationName)\ 95 | 96 | 97 | 98 | $(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies) 99 | /INTEGRITYCHECK %(AdditionalOptions) 100 | 101 | 102 | 103 | 104 | $(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies) 105 | /INTEGRITYCHECK %(AdditionalOptions) 106 | 107 | 108 | 109 | 110 | $(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies) 111 | /INTEGRITYCHECK %(AdditionalOptions) 112 | 113 | 114 | 115 | 116 | $(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies) 117 | /INTEGRITYCHECK %(AdditionalOptions) 118 | 119 | 120 | false 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | -------------------------------------------------------------------------------- /hidden-master/Hidden/Hidden.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | 
inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Source Files 24 | 25 | 26 | Source Files 27 | 28 | 29 | Source Files 30 | 31 | 32 | Source Files 33 | 34 | 35 | Source Files 36 | 37 | 38 | Source Files 39 | 40 | 41 | Source Files 42 | 43 | 44 | Source Files 45 | 46 | 47 | Source Files 48 | 49 | 50 | Source Files 51 | 52 | 53 | 54 | 55 | Resource Files 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | Header Files 65 | 66 | 67 | Header Files 68 | 69 | 70 | Header Files 71 | 72 | 73 | Header Files 74 | 75 | 76 | Header Files 77 | 78 | 79 | Header Files 80 | 81 | 82 | Header Files 83 | 84 | 85 | Header Files 86 | 87 | 88 | Header Files 89 | 90 | 91 | Header Files 92 | 93 | 94 | Header Files 95 | 96 | 97 | 98 | 99 | Driver Files 100 | 101 | 102 | -------------------------------------------------------------------------------- /hidden-master/Hidden/PsMonitor.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | typedef struct _ProcessId { 6 | HANDLE id; 7 | LARGE_INTEGER creationTime; 8 | } ProcessId, *PProcessId; 9 | 10 | NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject); 11 | NTSTATUS DestroyPsMonitor(); 12 | 13 | BOOLEAN IsProcessExcluded(HANDLE ProcessId); 14 | BOOLEAN IsProcessProtected(HANDLE ProcessId); 15 | 16 | NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN ApplyForProcesses, PULONGLONG ObjId); 17 | NTSTATUS GetProtectedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable); 18 | NTSTATUS SetProtectedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN Enable); 19 | NTSTATUS RemoveProtectedImage(ULONGLONG ObjId); 20 | NTSTATUS RemoveAllProtectedImages(); 21 | 22 | NTSTATUS AddExcludedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN ApplyForProcesses, PULONGLONG ObjId); 23 | NTSTATUS GetExcludedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable); 24 | NTSTATUS SetExcludedProcessState(HANDLE ProcessId, ULONG 
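InheritType, BOOLEAN Enable);
NTSTATUS RemoveExcludedImage(ULONGLONG ObjId);
NTSTATUS RemoveAllExcludedImages();
-------------------------------------------------------------------------------- /hidden-master/Hidden/PsRules.c: --------------------------------------------------------------------------------
#include "PsRules.h"

#define PSRULE_ALLOC_TAG 'lRsP'

// Private state behind the opaque PsRulesContext handle. The AVL table stores
// PPsRuleEntry pointers (not the entries themselves) ordered by image path;
// tableLock serializes every access to the table and to idCounter.
typedef struct _PsRulesInternalContext {
	RTL_AVL_TABLE table;
	ULONGLONG idCounter;  // next rule id to hand out; starts at 1 so 0 never names a rule
	FAST_MUTEX tableLock;
} PsRulesInternalContext, *PPsRulesInternalContext;

// AVL compare routine. Each table element is a PPsRuleEntry, so both arguments
// are dereferenced once before the case-insensitive image path comparison.
_Function_class_(RTL_AVL_COMPARE_ROUTINE)
RTL_GENERIC_COMPARE_RESULTS ComparePsRuleEntry(struct _RTL_AVL_TABLE *Table, PVOID FirstStruct, PVOID SecondStruct)
{
	PPsRuleEntry first = *(PPsRuleEntry*)FirstStruct;
	PPsRuleEntry second = *(PPsRuleEntry*)SecondStruct;
	INT res;

	UNREFERENCED_PARAMETER(Table);

	res = RtlCompareUnicodeString(&first->imagePath, &second->imagePath, TRUE);

	if (res > 0)
		return GenericGreaterThan;

	if (res < 0)
		return GenericLessThan;

	return GenericEqual;
}

// AVL allocate routine: table nodes come from non-paged pool under PSRULE_ALLOC_TAG.
_Function_class_(RTL_AVL_ALLOCATE_ROUTINE)
PVOID AllocatePsRuleEntry(struct _RTL_AVL_TABLE *Table, CLONG ByteSize)
{
	UNREFERENCED_PARAMETER(Table);
	return ExAllocatePoolWithTag(NonPagedPool, ByteSize, PSRULE_ALLOC_TAG);
}

// AVL free routine, counterpart of AllocatePsRuleEntry.
_Function_class_(RTL_AVL_FREE_ROUTINE)
VOID FreePsRuleEntry(struct _RTL_AVL_TABLE *Table, PVOID Buffer)
{
	UNREFERENCED_PARAMETER(Table);
	ExFreePoolWithTag(Buffer, PSRULE_ALLOC_TAG);
}

// Allocates and initializes an empty rule list.
// pRuleContext: receives the opaque context on success.
// Returns STATUS_MEMORY_NOT_ALLOCATED if the pool allocation fails.
NTSTATUS InitializePsRuleListContext(PPsRulesContext pRuleContext)
{
	NTSTATUS status = STATUS_SUCCESS;
	PPsRulesInternalContext context;

	context = (PPsRulesInternalContext)ExAllocatePoolWithTag(NonPagedPool, sizeof(PsRulesInternalContext), PSRULE_ALLOC_TAG);
	if (!context)
	{
		DbgPrint("FsFilter1!" __FUNCTION__ ": can't allocate memory\n");
		return STATUS_MEMORY_NOT_ALLOCATED;
	}

	context->idCounter = 1;
	ExInitializeFastMutex(&context->tableLock);
	RtlInitializeGenericTableAvl(&context->table, ComparePsRuleEntry, AllocatePsRuleEntry, FreePsRuleEntry, NULL);

	*pRuleContext = context;
	return status;
}

// Removes every rule and releases the context. RuleContext is invalid afterwards.
VOID DestroyPsRuleListContext(PsRulesContext RuleContext)
{
	RemoveAllRulesFromPsRuleList(RuleContext);
	ExFreePoolWithTag(RuleContext, PSRULE_ALLOC_TAG);
}

// Adds a rule for ImgPath to the list.
// ImgPath: image path the rule applies to; copied into the entry and matched case-insensitively.
// InheritType: one of PsRuleInheritTypes, strictly below the PsRuleTypeMax sentinel.
// EntryId: receives the id of the new rule, usable with RemoveRuleFromPsRuleList.
// Returns STATUS_INVALID_PARAMETER_3 for an out-of-range InheritType,
// STATUS_DUPLICATE_NAME if a rule for the same path already exists and
// STATUS_MEMORY_NOT_ALLOCATED if either allocation fails.
NTSTATUS AddRuleToPsRuleList(PsRulesContext RuleContext, PUNICODE_STRING ImgPath, ULONG InheritType, PPsRuleEntryId EntryId)
{
	PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
	NTSTATUS status = STATUS_SUCCESS;
	ULONGLONG guid;
	PPsRuleEntry entry;
	ULONG entryLen;
	BOOLEAN newElem;
	PVOID buf;

	// PsRuleTypeMax is the sentinel after the last valid type and is rejected as well
	if (InheritType >= PsRuleTypeMax)
	{
		DbgPrint("FsFilter1!" __FUNCTION__ ": invalid inherit type: %d\n", InheritType);
		return STATUS_INVALID_PARAMETER_3;
	}

	// The entry and its path share one allocation: the string bytes follow the struct
	entryLen = sizeof(PsRuleEntry) + ImgPath->Length;
	entry = (PPsRuleEntry)ExAllocatePoolWithTag(NonPagedPool, entryLen, PSRULE_ALLOC_TAG);
	if (!entry)
	{
		DbgPrint("FsFilter1!" __FUNCTION__ ": can't allocate memory\n");
		return STATUS_MEMORY_NOT_ALLOCATED;
	}

	entry->inheritType = InheritType;
	entry->len = entryLen;
	entry->imagePath.Buffer = (PWCH)(entry + 1);
	entry->imagePath.Length = 0;
	entry->imagePath.MaximumLength = ImgPath->Length;
	RtlCopyUnicodeString(&entry->imagePath, ImgPath);

	ExAcquireFastMutex(&context->tableLock);
	guid = context->idCounter++;
	entry->guid = guid;
	// Only the pointer is stored in the table, hence a node size of sizeof(PPsRuleEntry)
	buf = RtlInsertElementGenericTableAvl(&context->table, &entry, sizeof(&entry)/*entryLen*/, &newElem);
	ExReleaseFastMutex(&context->tableLock);

	if (!buf)
	{
		ExFreePoolWithTag(entry, PSRULE_ALLOC_TAG);
		DbgPrint("FsFilter1!" __FUNCTION__ ": can't allocate memory for a new element\n");
		return STATUS_MEMORY_NOT_ALLOCATED;
	}

	if (!newElem)
	{
		// A rule for this path is already present; the table kept the old pointer
		ExFreePoolWithTag(entry, PSRULE_ALLOC_TAG);
		DbgPrint("FsFilter1!" __FUNCTION__ ": this path already in a rules list\n");
		return STATUS_DUPLICATE_NAME;
	}

	*EntryId = guid;
	return status;
}

// Removes the rule with id EntryId and frees it.
// Returns STATUS_NOT_FOUND when no rule carries that id.
NTSTATUS RemoveRuleFromPsRuleList(PsRulesContext RuleContext, PsRuleEntryId EntryId)
{
	PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
	NTSTATUS status = STATUS_NOT_FOUND;
	PPsRuleEntry entry, *pentry;
	PVOID restartKey = NULL;

	ExAcquireFastMutex(&context->tableLock);

	// Ids are not the table key, so this is a linear scan
	for (pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
		 pentry != NULL;
		 pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey))
	{
		entry = *pentry;
		if (entry->guid == EntryId)
		{
			if (!RtlDeleteElementGenericTableAvl(&context->table, pentry))
				DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove element from process rules table, looks like memory leak\n");
			else
				ExFreePoolWithTag(entry, PSRULE_ALLOC_TAG);

			status = STATUS_SUCCESS;
			break;
		}
	}

	ExReleaseFastMutex(&context->tableLock);

	return status;
}

// Removes and frees every rule in the list. Always returns STATUS_SUCCESS.
NTSTATUS RemoveAllRulesFromPsRuleList(PsRulesContext RuleContext)
{
	PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
	NTSTATUS status = STATUS_SUCCESS;
	PPsRuleEntry entry, *pentry;
	PVOID restartKey = NULL;

	ExAcquireFastMutex(&context->tableLock);

	for (pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
		 pentry != NULL;
		 pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey))
	{
		entry = *pentry;
		if (!RtlDeleteElementGenericTableAvl(&context->table, pentry))
			DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove element from process rules table, looks like memory leak\n");
		else
			ExFreePoolWithTag(entry, PSRULE_ALLOC_TAG);

		restartKey = NULL; // reset enum: deleting invalidates the enumeration position
	}

	ExReleaseFastMutex(&context->tableLock);

	return status;
}

// Copies the rule matching ImgPath into the caller's buffer.
// Rule, RuleSize: destination buffer and its size in bytes.
// OutSize: receives the size the rule needs (struct plus path bytes) whenever a
//   rule is found, also on STATUS_BUFFER_TOO_SMALL so the caller can retry.
// Returns STATUS_NOT_FOUND if no rule matches.
NTSTATUS CheckInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath, PPsRuleEntry Rule, ULONG RuleSize, PULONG OutSize)
{
	PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
	NTSTATUS status = STATUS_NOT_FOUND;
	PPsRuleEntry entry, *pentry;
	PVOID restartKey = NULL;

	ExAcquireFastMutex(&context->tableLock);

	for (pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
		 pentry != NULL;
		 pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey))
	{
		entry = *pentry;
		if (RtlCompareUnicodeString(&entry->imagePath, ImgPath, TRUE) == 0)
		{
			*OutSize = entry->len;

			if (RuleSize < entry->len)
			{
				status = STATUS_BUFFER_TOO_SMALL;
				break;
			}

			RtlCopyMemory(Rule, entry, entry->len);
			// The copy carries the path bytes right after the struct, but the copied
			// Buffer pointer still refers to the table's entry, which may be freed
			// once the lock is dropped; point it at the caller's own copy instead.
			Rule->imagePath.Buffer = (PWCH)(Rule + 1);
			status = STATUS_SUCCESS;
			break;
		}
	}

	ExReleaseFastMutex(&context->tableLock);

	return status;
}

// Looks up the inherit type of the rule matching ImgPath.
// pInheritance: receives the rule's inheritType when a rule is found.
// Returns TRUE if a rule matched, FALSE otherwise.
BOOLEAN FindInheritanceInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath, PULONG pInheritance)
{
	PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
	PPsRuleEntry entry, *pentry;
	PVOID restartKey = NULL;
	BOOLEAN result = FALSE;

	ExAcquireFastMutex(&context->tableLock);

	for (pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
		 pentry != NULL;
		 pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey))
	{
		entry = *pentry;
		if (RtlCompareUnicodeString(&entry->imagePath, ImgPath, TRUE) == 0)
		{
			*pInheritance = entry->inheritType;
			result = TRUE;
			break;
		}
	}

	ExReleaseFastMutex(&context->tableLock);

	return result;
}
-------------------------------------------------------------------------------- /hidden-master/Hidden/PsRules.h: --------------------------------------------------------------------------------
#pragma once

#include

// Opaque handle to a rule list; see PsRules.c for the backing structure.
typedef PVOID PsRulesContext;
typedef PsRulesContext* PPsRulesContext;

// Id returned by AddRuleToPsRuleList and accepted by RemoveRuleFromPsRuleList.
typedef ULONGLONG PsRuleEntryId;
typedef PsRuleEntryId* PPsRuleEntryId;

// Valid inherit types are strictly below PsRuleTypeMax, which is a sentinel.
enum PsRuleInheritTypes {
	PsRuleTypeWithoutInherit = 0,
	PsRuleTypeInherit,
	PsRuleTypeInheritOnce,
	PsRuleTypeMax
};

// One rule. imagePath's characters are stored right after the struct, so
// len = sizeof(PsRuleEntry) + imagePath.Length is the size of the whole record.
typedef struct _PsRuleEntry {
	ULONGLONG guid;
	UNICODE_STRING imagePath;
	ULONG inheritType;
	ULONG len;
} PsRuleEntry, *PPsRuleEntry;

NTSTATUS InitializePsRuleListContext(PPsRulesContext pRuleContext);
VOID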
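DestroyPsRuleListContext(PsRulesContext RuleContext);

NTSTATUS AddRuleToPsRuleList(PsRulesContext RuleContext, PUNICODE_STRING ImgPath, ULONG InheritType, PPsRuleEntryId EntryId);

NTSTATUS RemoveRuleFromPsRuleList(PsRulesContext RuleContext, PsRuleEntryId EntryId);
NTSTATUS RemoveAllRulesFromPsRuleList(PsRulesContext RuleContext);

NTSTATUS CheckInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath, PPsRuleEntry Rule, ULONG RuleSize, PULONG OutSize);
BOOLEAN FindInheritanceInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath, PULONG pInheritance);
-------------------------------------------------------------------------------- /hidden-master/Hidden/PsTable.c: --------------------------------------------------------------------------------
#include "PsTable.h"
#include "Helper.h"

#define PSTREE_ALLOC_TAG 'rTsP'

// Process table keyed by processId. As PsTable.h notes, nothing below takes a
// lock; callers serialize access to everything except InitializeProcessTable.
RTL_AVL_TABLE g_processTable;

// AVL compare routine: orders ProcessTableEntry records by processId.
_Function_class_(RTL_AVL_COMPARE_ROUTINE)
RTL_GENERIC_COMPARE_RESULTS CompareProcessTableEntry(struct _RTL_AVL_TABLE *Table, PVOID FirstStruct, PVOID SecondStruct)
{
	PProcessTableEntry first = (PProcessTableEntry)FirstStruct;
	PProcessTableEntry second = (PProcessTableEntry)SecondStruct;

	UNREFERENCED_PARAMETER(Table);

	if (first->processId > second->processId)
		return GenericGreaterThan;

	if (first->processId < second->processId)
		return GenericLessThan;

	return GenericEqual;
}

// AVL allocate routine: table nodes come from non-paged pool under PSTREE_ALLOC_TAG.
_Function_class_(RTL_AVL_ALLOCATE_ROUTINE)
PVOID AllocateProcessTableEntry(struct _RTL_AVL_TABLE *Table, CLONG ByteSize)
{
	UNREFERENCED_PARAMETER(Table);
	return ExAllocatePoolWithTag(NonPagedPool, ByteSize, PSTREE_ALLOC_TAG);
}

// AVL free routine, counterpart of AllocateProcessTableEntry.
_Function_class_(RTL_AVL_FREE_ROUTINE)
VOID FreeProcessTableEntry(struct _RTL_AVL_TABLE *Table, PVOID Buffer)
{
	UNREFERENCED_PARAMETER(Table);
	ExFreePoolWithTag(Buffer, PSTREE_ALLOC_TAG);
}

// API

// Copies *entry into the table.
// Returns FALSE if the node could not be allocated or an entry with the same
// processId already exists (the existing entry is left untouched), TRUE otherwise.
BOOLEAN AddProcessToProcessTable(PProcessTableEntry entry)
{
	BOOLEAN result = FALSE;

	if (RtlInsertElementGenericTableAvl(&g_processTable, entry, sizeof(ProcessTableEntry), &result) == NULL)
		return FALSE;

	return result;
}

// Removes the entry whose processId matches entry->processId.
// Returns FALSE if no such entry exists.
BOOLEAN RemoveProcessFromProcessTable(PProcessTableEntry entry)
{
	return RtlDeleteElementGenericTableAvl(&g_processTable, entry);
}

// Looks up the entry whose processId matches entry->processId and copies it
// over *entry. Returns FALSE (entry unchanged) if it is not in the table.
BOOLEAN GetProcessInProcessTable(PProcessTableEntry entry)
{
	PProcessTableEntry entry2;

	entry2 = (PProcessTableEntry)RtlLookupElementGenericTableAvl(&g_processTable, entry);
	if (entry2)
		RtlCopyMemory(entry, entry2, sizeof(ProcessTableEntry));

	return (entry2 ? TRUE : FALSE);
}

// Overwrites the stored entry whose processId matches entry->processId with
// *entry. Returns FALSE if it is not in the table.
BOOLEAN UpdateProcessInProcessTable(PProcessTableEntry entry)
{
	PProcessTableEntry entry2;

	entry2 = (PProcessTableEntry)RtlLookupElementGenericTableAvl(&g_processTable, entry);

	if (entry2)
		RtlCopyMemory(entry2, entry, sizeof(ProcessTableEntry));

	return (entry2 ? TRUE : FALSE);
}

// Initialization

// Creates the process table and seeds it with every process that already
// exists according to SystemProcessInformation.
// InitProcessEntryCallback: called for each process with its zeroed entry
//   (processId already set), its image path and its parent process id, so the
//   caller can fill the excluded/protected/subsystem fields before insertion.
// Returns the failure status of the initial process list query. Per-process
// problems (pid 0, a process that cannot be opened or queried, a failed
// insert) are logged and skipped and do not fail the initialization.
NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEntry, PCUNICODE_STRING, HANDLE))
{
	PSYSTEM_PROCESS_INFORMATION processInfo = NULL, first;
	NTSTATUS status;
	SIZE_T size = 0, offset;

	// Init process table

	RtlInitializeGenericTableAvl(&g_processTable, CompareProcessTableEntry, AllocateProcessTableEntry, FreeProcessTableEntry, NULL);

	// We should query processes information for creation process table for existing processes

	status = QuerySystemInformation(SystemProcessInformation, &processInfo, &size);
	if (!NT_SUCCESS(status))
	{
		DbgPrint("FsFilter1!" __FUNCTION__ ": query system information(pslist) failed with code:%08x\n", status);
		return status;
	}

	offset = 0;
	first = processInfo;
	do
	{
		ProcessTableEntry entry;
		PUNICODE_STRING procName;
		CLIENT_ID clientId;
		OBJECT_ATTRIBUTES attribs;
		HANDLE hProcess;

		// Get process path

		processInfo = (PSYSTEM_PROCESS_INFORMATION)((SIZE_T)processInfo + offset);

		// Pid 0 (the idle process) has no image path to query
		if (processInfo->ProcessId == 0)
		{
			offset = processInfo->NextEntryOffset;
			continue;
		}

		InitializeObjectAttributes(&attribs, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
		clientId.UniqueProcess = processInfo->ProcessId;
		clientId.UniqueThread = 0;

		status = ZwOpenProcess(&hProcess, 0x1000/*PROCESS_QUERY_LIMITED_INFORMATION*/, &attribs, &clientId);
		if (!NT_SUCCESS(status))
		{
			// Typically the process exited between the snapshot and this open
			DbgPrint("FsFilter1!" __FUNCTION__ ": can't open process (pid:%p) failed with code:%08x\n", processInfo->ProcessId, status);
			offset = processInfo->NextEntryOffset;
			continue;
		}

		status = QueryProcessInformation(ProcessImageFileName, hProcess, &procName, &size);
		ZwClose(hProcess);

		if (!NT_SUCCESS(status))
		{
			DbgPrint("FsFilter1!" __FUNCTION__ ": query process information(pid:%p) failed with code:%08x\n", processInfo->ProcessId, status);
			offset = processInfo->NextEntryOffset;
			continue;
		}

		// Add process in process table

		RtlZeroMemory(&entry, sizeof(entry));
		entry.processId = processInfo->ProcessId;

		DbgPrint("FsFilter1!" __FUNCTION__ ": add process: %p, %wZ\n", processInfo->ProcessId, procName);

		InitProcessEntryCallback(&entry, procName, processInfo->InheritedFromProcessId);
		if (!AddProcessToProcessTable(&entry))
			DbgPrint("FsFilter1!" __FUNCTION__ ": can't add process(pid:%p) to process table\n", processInfo->ProcessId);

		if (entry.excluded)
			DbgPrint("FsFilter1!" __FUNCTION__ ": excluded process:%p\n", entry.processId);

		if (entry.protected)
			DbgPrint("FsFilter1!" __FUNCTION__ ": protected process:%p\n", entry.processId);

		if (entry.subsystem)
			DbgPrint("FsFilter1!" __FUNCTION__ ": subsystem process:%p\n", entry.processId);

		// Go to next

		FreeInformation(procName);
		offset = processInfo->NextEntryOffset;
	}
	while (offset);

	FreeInformation(first);

	// Per-process failures were logged and skipped above; the status of whichever
	// process happened to be last must not decide the result of the whole init.
	return STATUS_SUCCESS;
}

// Deletes every entry in the table. Caller synchronizes (see PsTable.h).
VOID DestroyProcessTable()
{
	PProcessTableEntry entry;
	PVOID restartKey = NULL;

	for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&g_processTable, &restartKey);
		 entry != NULL;
		 entry = RtlEnumerateGenericTableWithoutSplayingAvl(&g_processTable, &restartKey))
	{
		if (!RtlDeleteElementGenericTableAvl(&g_processTable, entry))
			DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove element from process table, looks like memory leak\n");

		restartKey = NULL; // reset enum: deleting invalidates the enumeration position
	}
}
-------------------------------------------------------------------------------- /hidden-master/Hidden/PsTable.h: --------------------------------------------------------------------------------
#pragma once

#include

// One record per tracked process, keyed by processId. The flag fields are
// filled by the InitProcessEntryCallback passed to InitializeProcessTable
// (and by whatever later updates the entry through UpdateProcessInProcessTable).
typedef struct _ProcessTableEntry {
	HANDLE processId;

	BOOLEAN excluded;
	ULONG inheritExclusion;

	BOOLEAN protected;
	ULONG inheritProtection;

	BOOLEAN subsystem;
	BOOLEAN inited;

} ProcessTableEntry, *PProcessTableEntry;

NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEntry, PCUNICODE_STRING, HANDLE));
VOID DestroyProcessTable();

// Important notice:
// Keep in mind that internal sync mechanisms removed from functions below (including DestroyProcessTable)
// because in some situations we need to perform two operations under one lock, for instance we should
// perform GetProcessInProcessTable and UpdateProcessInProcessTable under one lock.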
So in this case all 26 | // functions, excluding InitializeProcessTable, should be synced manualy from external code 27 | 28 | BOOLEAN AddProcessToProcessTable(PProcessTableEntry entry); 29 | BOOLEAN RemoveProcessFromProcessTable(PProcessTableEntry entry); 30 | BOOLEAN GetProcessInProcessTable(PProcessTableEntry entry); 31 | BOOLEAN UpdateProcessInProcessTable(PProcessTableEntry entry); 32 | 33 | -------------------------------------------------------------------------------- /hidden-master/Hidden/RegFilter.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | NTSTATUS InitializeRegistryFilter(PDRIVER_OBJECT DriverObject); 6 | NTSTATUS DestroyRegistryFilter(); 7 | 8 | NTSTATUS AddHiddenRegKey(PUNICODE_STRING KeyPath, PULONGLONG ObjId); 9 | NTSTATUS RemoveHiddenRegKey(ULONGLONG ObjId); 10 | NTSTATUS RemoveAllHiddenRegKeys(); 11 | 12 | NTSTATUS AddHiddenRegValue(PUNICODE_STRING ValuePath, PULONGLONG ObjId); 13 | NTSTATUS RemoveHiddenRegValue(ULONGLONG ObjId); 14 | NTSTATUS RemoveAllHiddenRegValues(); 15 | 16 | -------------------------------------------------------------------------------- /hidden-master/Hidden/back.txt: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /hidden-master/Hidden/todo.txt: -------------------------------------------------------------------------------- 1 | TODO: 2 | + Добавить поддержку фильтрации открытия и создания key 3 | + Добавить поддержку фильтрации перечисления key 4 | + Добавить поддержку фильтрации перечисления value 5 | + Вынести fs filter и reg filter в отдельные файлы 6 | + Протестировать фишки с ObRegisterCallback 7 | + Стерание всех флагов 8 | + Реализовать PsMonitor со всеми вытекающими 9 | + Реализовать рабочий прототип 10 | + Для Exclude 11 | + Для Protected 12 | + Добавить флаг наследования 13 | + Реализовать интерфейс для IOCTL 14 | 
+ Реализовать интерфейс для File & Reg мониторов 15 | + Вынести Process Table в отдельный файл 16 | + Переименовать Process Tree в Process Table 17 | + Протестировать интерфейсы 18 | + Добавить в HiddenCLI загрузку excluded и protected процессов 19 | + Добавить проект HiddenTest 20 | + Реализовать тесты в проекте HiddenTest 21 | + FS monitor 22 | + Reg filter 23 | + Ps filter 24 | + Добавить код тестирования для add\remove excluded image 25 | + Добавить в Reg filter поддержку всех возможных операций над value 26 | + set value 27 | + delete value 28 | + query value 29 | + query multiple value 30 | - Переписать Exclude List на основе AVL или других buildin generic trees 31 | - FS monitor 32 | - Reg monitor 33 | + Реализовать конвертирование пути в пути драйвера 34 | + Ps monitor 35 | + FS filter 36 | + Reg filter 37 | + Реализовать RemoveAllExcludeListEntries 38 | + Реализовать все ф-и Ps monitor 39 | + Добавить в библиотеку поддержку get\set state 40 | + Решить проблему с protected (возможно разрешить создавать такие процессы только из protected\system) 41 | + Реализовать IOCTL протокол управления 42 | + Реализовать usermode библиотеку для работы с IOCTL API 43 | + Слинковать с IOCTL API lib 44 | + Добавить поддержку флага автоприсвоение состояния существующим процессам для Hid_AddExcludedImage\Hid_AddProtectedImage 45 | + Проверить как ведёт себя файловый фильтр с файлами открытыми по ID или по короткому пути 46 | + Реализовать HiddenCLI 47 | + ignore 48 | + unignore 49 | + protect 50 | + unprotect 51 | + query 52 | + Протестировать все комманды 53 | + При выполнении /unhide с любым ID возвращается статус ок 54 | + Проверить чтобы все ObjId генерировались начиная с 1 55 | + Реализовать функционал вкл\выкл драйвера через IOCTL 56 | - Написать тест для вкл\выкл драйвера через IOCTL 57 | - Написать тест HiddenCLITests 58 | + Портировать драйвер под архитектуру x64 59 | + Портировать под версии Windows 8, 8.1, 10 60 | + Залить проект на Git 61 | + Переименовать проект 
драйвера в Hidden 62 | + Привести в порядок все версии билда Release, Debug, ... 63 | + Добавить процесс System(4) как статически исключенный 64 | - Подумать по поводу проблемы, что HKLM\System\CurrentControlSet на самом деле берётся из CurrentControl00n 65 | - Реализовать steals mode 66 | + Реализовать поддержку загрузки дефольтных конфигов из реестра 67 | + Реализовать установку конфигов в реестр через hiddencli 68 | + Привести в порядок вывод статуса в hiddencli 69 | + Привести в порядок номер ошибки в hiddencli 70 | - Насодить на ETL и DbgPrintEx 71 | - Добавить SAL на функции драйвера 72 | 73 | -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Configs.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Configs.obj -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Device.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Device.obj -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Driver.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Driver.obj -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/ExcludeList.obj: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/ExcludeList.obj -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/FsFilter.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/FsFilter.obj -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Helper.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Helper.obj -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.inf: --------------------------------------------------------------------------------
;;;
;;; Hidden
;;;
;;; Installation INF for the "Hidden" file-system minifilter. This copy lives
;;; under x64\Release: it is the build-stamped output (the DriverVer below is
;;; written by stampinf at build time, see Hidden.log next to it), not the
;;; hand-edited source in Hidden\Hidden.inf. Most ";TODO" lines are leftovers
;;; of the WDK minifilter template; the ones that are still open are called
;;; out where they appear.
;;;

[Version]
Signature = "$Windows NT$"
; TODO - Change the Class and ClassGuid to match the Load Order Group value, see http://msdn.microsoft.com/en-us/windows/hardware/gg462963
; NOTE(review): this TODO looks done - Class/ClassGuid below already name the
; Activity Monitor filter class, which matches the "FSFilter Activity Monitor"
; LoadOrderGroup set in [MiniFilter.Service]. Verify the GUID against the WDK
; class table if either value is ever changed; they must stay consistent.
Class = "ActivityMonitor" ;This is determined by the work this filter driver does
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value
;Class = "_TODO_Change_Class_appropriately_"
;ClassGuid = {_TODO_Change_ClassGuid_appropriately_}
Provider = %ManufacturerName%
; Stamped by the build (stampinf), do not edit by hand in this copy.
DriverVer = 04/02/2018,19.26.13.846
; The .cat is produced by inf2cat and signed together with Hidden.sys at
; build time (see Hidden.log). Which certificate signs it decides whether the
; driver loads on a normal machine or only with test-signing enabled - confirm
; before distributing the binaries.
CatalogFile = Hidden.cat

[DestinationDirs]
DefaultDestDir = 12
MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers

;;
;; Default install sections
;;

[DefaultInstall]
OptionDesc = %ServiceDescription%
CopyFiles = MiniFilter.DriverFiles

[DefaultInstall.Services]
AddService = %ServiceName%,,MiniFilter.Service

;;
;; Default uninstall sections
;;

[DefaultUninstall]
; Shares the file list with CopyFiles; the build log reports this as
; warning 1205, which is expected for this template layout.
DelFiles = MiniFilter.DriverFiles

[DefaultUninstall.Services]
DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting

;
; Services Section
;

[MiniFilter.Service]
DisplayName = %ServiceName%
Description = %ServiceDescription%
ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\
Dependencies = "FltMgr"
ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER
; Demand start: the filter is not loaded at boot, something (sc/fltmc/the CLI)
; has to start the "Hidden" service explicitly.
StartType = 3 ;SERVICE_DEMAND_START
ErrorControl = 1 ;SERVICE_ERROR_NORMAL
; TODO - Change the Load Order Group value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512
; NOTE(review): already set to the Activity Monitor group; keep in sync with
; Class/ClassGuid in [Version] and with the altitude range in [Strings].
LoadOrderGroup = "FSFilter Activity Monitor"
;LoadOrderGroup = "_TODO_Change_LoadOrderGroup_appropriately_"
AddReg = MiniFilter.AddRegistry

;
; Registry Modifications
;

[MiniFilter.AddRegistry]
HKR,,"DebugFlags",0x00010001 ,0x0
; 0x3 is the value carried over from the WDK template; check the filter
; manager documentation for its meaning before changing it.
HKR,,"SupportedFeatures",0x00010001,0x3
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%

;
; Copy Files
;

[MiniFilter.DriverFiles]
%DriverName%.sys

[SourceDisksFiles]
Hidden.sys = 1,,

[SourceDisksNames]
1 = %DiskId1%,,,

;;
;; String Section
;;

[Strings]
; TODO - Add your manufacturer
; NOTE(review): still open - "Template" is the WDK placeholder and shows up
; as the driver's Provider in Device Manager / driver store listings.
ManufacturerName = "Template"
ServiceDescription = "Hidden Kernel Driver"
ServiceName = "Hidden"
DriverName = "Hidden"
DiskId1 = "Hidden Device Installation Disk"

;Instances specific information.
DefaultInstance = "Hidden Instance"
Instance1.Name = "Hidden Instance"
; TODO - Change the altitude value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512
; NOTE(review): still open - the value below is the template placeholder the
; TODO refers to. Altitudes are allocated by Microsoft per filter; a value
; that collides with another installed filter is expected to stop this
; instance from attaching, so get a real allocation before shipping.
Instance1.Altitude = "370030"
;Instance.Altitude = "_TODO_Change_Altitude_appropriately_"
Instance1.Flags = 0x0 ; Allow all attachments

-------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.log: -------------------------------------------------------------------------------- 1 |  Building 'Hidden' with toolset 'WindowsKernelModeDriver10.0' and the 'Desktop' target platform. 2 | Stamping x64\Release\Hidden.inf [Version] section with DriverVer=04/02/2018,19.26.13.846 3 | C:\Users\user\Desktop\hidden-master\Hidden\Hidden.inf(73-73): warning 1205: Section [MiniFilter.DriverFiles] referenced from DelFiles and CopyFiles directive. 4 | PsMonitor.c 5 | PsMonitor.c(115): warning C4100: 'OperationInformation': unreferenced formal parameter 6 | PsMonitor.c(115): warning C4100: 'RegistrationContext': unreferenced formal parameter 7 | Hidden.vcxproj -> C:\Users\user\Desktop\hidden-master\x64\Release\Hidden.sys 8 | Done Adding Additional Store 9 | Successfully signed: C:\Users\user\Desktop\hidden-master\x64\Release\Hidden.sys 10 | 11 | ......................... 12 | Signability test complete. 13 | 14 | Errors: 15 | None 16 | 17 | Warnings: 18 | None 19 | 20 | Catalog generation complete. 
21 | C:\Users\user\Desktop\hidden-master\x64\Release\Hidden\hidden.cat 22 | Done Adding Additional Store 23 | Successfully signed: C:\Users\user\Desktop\hidden-master\x64\Release\Hidden\hidden.cat 24 | 25 | -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.res -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/Hidden.lastbuildstate: -------------------------------------------------------------------------------- 1 | 
#TargetFrameworkVersion=v4.5:PlatformToolSet=WindowsKernelModeDriver10.0:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.16299.0 2 | Release|x64|C:\Users\user\Desktop\hidden-master\| 3 | -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/Inf2Cat.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/Inf2Cat.command.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.5952.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.5952.read.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.5952.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.5952.write.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.6184.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.6184.read.1.tlog -------------------------------------------------------------------------------- 
/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.6184.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.6184.write.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.6504.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.6504.read.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.6504.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.6504.write.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.6816.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.6816.read.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.6816.write.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.6816.write.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.7316.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.7316.read.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.7316.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.7316.write.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.7336.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.7336.read.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.7336.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.7336.write.1.tlog -------------------------------------------------------------------------------- 
/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.9032.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.9032.read.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.9032.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.9032.write.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.read.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat-expand.write.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat.read.1.tlog 
-------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/inf2cat.write.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/rc.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/rc.command.1.tlog 
-------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/rc.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/rc.read.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/rc.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/rc.write.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/signtool.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/signtool.command.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/signtool.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/signtool.read.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/signtool.timestamp.1.tlog: -------------------------------------------------------------------------------- 1 | C:\USERS\USER\DESKTOP\HIDDEN-MASTER\X64\RELEASE\HIDDEN\HIDDEN.CAT|636582651796651927 2 | C:\USERS\USER\DESKTOP\HIDDEN-MASTER\X64\RELEASE\HIDDEN.SYS|636582651791971659 3 | 
-------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/signtool.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/signtool.write.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/stampinf.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/stampinf.command.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/stampinf.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/stampinf.read.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/Hidden.tlog/stampinf.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/Hidden.tlog/stampinf.write.1.tlog -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/PsMonitor.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/PsMonitor.obj 
-------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/PsRules.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/PsRules.obj -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/PsTable.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/PsTable.obj -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/RegFilter.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/RegFilter.obj -------------------------------------------------------------------------------- /hidden-master/Hidden/x64/Release/vc141.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ContionMig/KernelMode-Bypass/dc8ffcfac17689ee65a39ece6ca2d85ec63cb999/hidden-master/Hidden/x64/Release/vc141.pdb -------------------------------------------------------------------------------- /hidden-master/HiddenCLI/Commands.cpp: -------------------------------------------------------------------------------- 1 | #include "Commands.h" 2 | #include "Hide.h" 3 | #include "Ignore.h" 4 | #include "Protect.h" 5 | #include "Query.h" 6 | #include "State.h" 7 | #include 8 | #include 9 | #include 10 | 11 | using namespace std; 12 | 13 | // ================= 14 | 15 | void LoadCommandsStack(vector& stack) 16 | { 17 | stack.push_back(CommandPtr(new CommandHide())); 18 | 
stack.push_back(CommandPtr(new CommandUnhide())); 19 | stack.push_back(CommandPtr(new CommandIgnore())); 20 | stack.push_back(CommandPtr(new CommandUnignore())); 21 | stack.push_back(CommandPtr(new CommandProtect())); 22 | stack.push_back(CommandPtr(new CommandUnprotect())); 23 | stack.push_back(CommandPtr(new CommandQuery())); 24 | stack.push_back(CommandPtr(new CommandState())); 25 | } 26 | 27 | // ================= 28 | 29 | void ICommand::InstallCommand(RegistryKey& configKey) 30 | { 31 | throw WException(ERROR_UNSUPPORTED_TYPE, L"Error, install mode is not supported"); 32 | } 33 | 34 | void ICommand::UninstallCommand(RegistryKey& configKey) 35 | { 36 | } 37 | 38 | // ================= 39 | 40 | CommandMode::CommandMode(Arguments& args) : m_type(CommandModeType::Execute) 41 | { 42 | wstring mode, all; 43 | 44 | if (!args.Probe(mode)) 45 | throw WException(ERROR_INVALID_PARAMETER, L"Error, no command, please use 'hiddencli /help'"); 46 | 47 | if (mode == L"/install") 48 | { 49 | args.SwitchToNext(); 50 | m_type = CommandModeType::Install; 51 | LoadConfigPath(args); 52 | } 53 | else if (mode == L"/uninstall") 54 | { 55 | args.SwitchToNext(); 56 | m_type = CommandModeType::Uninstall; 57 | LoadConfigPath(args); 58 | } 59 | 60 | if (m_type == CommandModeType::Uninstall) 61 | { 62 | if (!args.Probe(all) || all != L"all") 63 | throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid '/unistall' format"); 64 | 65 | args.SwitchToNext(); 66 | } 67 | } 68 | 69 | void CommandMode::LoadConfigPath(Arguments& args) 70 | { 71 | wstring path; 72 | 73 | if (!args.Probe(path) || path.compare(0, 1, L"/") == 0 || path == L"all") 74 | { 75 | m_regConfigPath = L"System\\CurrentControlSet\\Services\\Hidden"; 76 | return; 77 | } 78 | 79 | args.SwitchToNext(); 80 | 81 | m_regConfigPath = L"System\\CurrentControlSet\\Services\\"; 82 | m_regConfigPath += path; 83 | } 84 | 85 | CommandModeType CommandMode::GetModeType() 86 | { 87 | return m_type; 88 | } 89 | 90 | const wstring& 
CommandMode::GetConfigRegistryKeyPath() 91 | { 92 | return m_regConfigPath; 93 | } 94 | 95 | // ================= 96 | 97 | SingleCommand::SingleCommand(Arguments& args, CommandModeType mode) 98 | { 99 | wstring arg; 100 | bool found = false; 101 | 102 | if (mode == CommandModeType::Uninstall) 103 | { 104 | if (args.SwitchToNext()) 105 | throw WException(ERROR_INVALID_PARAMETER, L"Error, too many arguments"); 106 | 107 | LoadCommandsStack(m_commandsStack); 108 | return; 109 | } 110 | 111 | if (!args.GetNext(arg)) 112 | throw WException(ERROR_INVALID_PARAMETER, L"Error, no command, please use 'hiddencli /help'"); 113 | 114 | LoadCommandsStack(m_commandsStack); 115 | 116 | for (auto it = m_commandsStack.begin(); it != m_commandsStack.end(); it++) 117 | { 118 | if ((*it)->CompareCommand(arg)) 119 | { 120 | (*it)->LoadArgs(args, mode); 121 | m_current = *it; 122 | found = true; 123 | break; 124 | } 125 | } 126 | 127 | if (!found) 128 | throw WException(ERROR_INVALID_PARAMETER, L"Error, unknown command, please use 'hiddencli /help'"); 129 | 130 | if (args.SwitchToNext()) 131 | throw WException(ERROR_INVALID_PARAMETER, L"Error, too many arguments"); 132 | } 133 | 134 | SingleCommand::~SingleCommand() 135 | { 136 | } 137 | 138 | void SingleCommand::Perform(Connection& connection) 139 | { 140 | m_current->PerformCommand(connection); 141 | } 142 | 143 | void SingleCommand::Install(RegistryKey& configKey) 144 | { 145 | m_current->InstallCommand(configKey); 146 | } 147 | 148 | void SingleCommand::Uninstall(RegistryKey& configKey) 149 | { 150 | for (auto it = m_commandsStack.begin(); it != m_commandsStack.end(); it++) 151 | { 152 | try 153 | { 154 | (*it)->UninstallCommand(configKey); 155 | } 156 | catch (WException&) 157 | { 158 | // Skip exceptions because we don't wan't break uninstall on registry deletion fails 159 | } 160 | } 161 | } 162 | 163 | // ================= 164 | 165 | MultipleCommands::MultipleCommands(Arguments& args, CommandModeType mode) 166 | { 167 | wstring 
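arg;

    if (mode == CommandModeType::Uninstall)
        throw WException(ERROR_INVALID_PARAMETER, L"Error, /uninstall can't be combined with /multi");

    if (!args.GetNext(arg))
        throw WException(ERROR_INVALID_PARAMETER, L"Error, no command, please use 'hiddencli /help'");

    LoadCommandsStack(m_commandsStack);

    do
    {
        bool found = false;

        for (auto it = m_commandsStack.begin(); it != m_commandsStack.end(); it++)
        {
            if ((*it)->CompareCommand(arg))
            {
                CommandPtr command = (*it)->CreateInstance();
                command->LoadArgs(args, mode);
                m_currentStack.push_back(command);
                found = true;
                break;
            }
        }

        if (!found)
            throw WException(ERROR_INVALID_PARAMETER, L"Error, unknown command, please use 'hiddencli /help'");
    }
    while (args.GetNext(arg));
}

MultipleCommands::~MultipleCommands()
{
}

// Sends every queued command to the driver, in the order they were given on the command line.
void MultipleCommands::Perform(Connection& connection)
{
    for (auto& command : m_currentStack)
        command->PerformCommand(connection);
}

// Writes every queued command into the driver's registry config, in command-line order.
void MultipleCommands::Install(RegistryKey& configKey)
{
    for (auto& command : m_currentStack)
        command->InstallCommand(configKey);
}

// /multi has no uninstall form; the constructor already rejects the /uninstall + /multi combination.
void MultipleCommands::Uninstall(RegistryKey& configKey)
{
    (void)configKey;
    throw WException(ERROR_UNSUPPORTED_TYPE, L"Error, uninstall mode is not supported");
}

// =================

// Splits one text line of a /config file into an Arguments object.
// Lines beginning with ';' and whitespace-only lines yield no arguments (HaveArgs() == false).
class ArgsParser
{
private:

    std::shared_ptr<Arguments> m_args; // template argument restored; the listing dropped it
    bool m_haveArgs;

public:

    ArgsParser(wstring& line) : m_haveArgs(false)
    {
        if (line.compare(0, 1, L";") == 0) // comment
            return;

        // iswspace(): the line is wide text; isspace(int) is only defined for unsigned char values and EOF
        if (all_of(line.begin(), line.end(), [](wchar_t c) { return iswspace(c) != 0; })) // whitespace only string
            return;

        int argc = 0;
        LPWSTR* argv = CommandLineToArgvW(line.c_str(), &argc);
        if (!argv)
            throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid command format");

        try
        {
            m_args.reset(new Arguments(argc, argv, 0));
        }
        catch (...)
        {
            // Release the argv block for any exception (bad_alloc included, not only WException)
            // and rethrow as-is: 'throw e' would copy and lose the dynamic type.
            LocalFree(argv);
            throw;
        }

        LocalFree(argv);
        m_haveArgs = true;
    }

    // True when the line held at least one argument (not a comment, not blank).
    bool HaveArgs()
    {
        return m_haveArgs;
    }

    // Only valid when HaveArgs() is true; the pointer is null otherwise.
    Arguments& GetArgs()
    {
        return *m_args.get();
    }

};

// Parses the argument cursor as a sequence of commands ("cmd1 args... cmd2 args...") and
// appends a loaded instance of each to currentStack. Each prototype in commandsStack is asked
// whether it owns the current keyword; the created instance consumes its own arguments.
// Throws WException when there is no command at all or a keyword is unknown.
static void QueueCommands(std::vector<CommandPtr>& commandsStack, std::vector<CommandPtr>& currentStack, Arguments& args, CommandModeType mode)
{
    wstring arg;

    if (!args.GetNext(arg))
        throw WException(ERROR_INVALID_PARAMETER, L"Error, no command, please use 'hiddencli /help'");

    do
    {
        bool found = false;

        for (auto& prototype : commandsStack)
        {
            if (!prototype->CompareCommand(arg))
                continue;

            CommandPtr command = prototype->CreateInstance();
            command->LoadArgs(args, mode);
            currentStack.push_back(command);
            found = true;
            break;
        }

        if (!found)
            throw WException(ERROR_INVALID_PARAMETER, L"Error, unknown command, please use 'hiddencli /help'");
    }
    while (args.GetNext(arg));
}

// /config <path>: one command per line of the file; comment (';') and blank lines are skipped.
MultipleCommandsFromFile::MultipleCommandsFromFile(Arguments& args, CommandModeType mode)
{
    wstring configFile;

    if (mode == CommandModeType::Uninstall)
        throw WException(ERROR_INVALID_PARAMETER, L"Error, /uninstall can't be combined with /config");

    if (!args.GetNext(configFile))
        throw WException(ERROR_INVALID_PARAMETER, L"Error, no command, please use 'hiddencli /help'");

    if (args.SwitchToNext())
        throw WException(ERROR_INVALID_PARAMETER, L"Error, too many arguments");

    // Previously an unreadable file was silently treated as an empty command list.
    wifstream fconfig(configFile);
    if (!fconfig.is_open())
        throw WException(ERROR_FILE_NOT_FOUND, L"Error, can't open config file");

    LoadCommandsStack(m_commandsStack);

    // NOTE(review): wifstream uses the default locale, so non-ASCII bytes in the file are decoded
    // by the C locale rather than as UTF-8 — confirm this matches how config files are written.
    wstring line;
    while (getline(fconfig, line))
    {
        ArgsParser parser(line);
        if (!parser.HaveArgs())
            continue; // comment or blank line

        Arguments lineArgs = parser.GetArgs(); // copy: every line gets its own argument cursor
        QueueCommands(m_commandsStack, m_currentStack, lineArgs, mode);
    }
}

MultipleCommandsFromFile::~MultipleCommandsFromFile()
{
}

// Sends every command loaded from the file to the driver, in file order.
void MultipleCommandsFromFile::Perform(Connection& connection)
{
    for (auto& command : m_currentStack)
        command->PerformCommand(connection);
}

// Writes every command loaded from the file into the driver's registry config, in file order.
void MultipleCommandsFromFile::Install(RegistryKey& configKey)
{
    for (auto& command : m_currentStack)
        command->InstallCommand(configKey);
}

// /config has no uninstall form; the constructor already rejects the /uninstall + /config combination.
void MultipleCommandsFromFile::Uninstall(RegistryKey& configKey)
{
    (void)configKey;
    throw WException(ERROR_UNSUPPORTED_TYPE, L"Error, uninstall mode is not supported");
}
--------------------------------------------------------------------------------
/hidden-master/HiddenCLI/Commands.h:
--------------------------------------------------------------------------------
#pragma once

#include "Helper.h"
#include "Connection.h"
#include

// Listing note: the template arguments of the std::shared_ptr / std::vector declarations below
// were dropped by the rendering of this listing; they are restored from how the members are used.

// What the parsed commands are used for: sent to the driver now (Execute), written to the
// registry for the driver to apply at start (Install), or removed from the registry (Uninstall).
enum CommandModeType {
    Execute,
    Install,
    Uninstall
};

// One CLI command keyword (e.g. "/hide"). A prototype instance answers CompareCommand() and
// CreateInstance(); the created instance parses its own arguments and performs/installs itself.
class ICommand
{
public:
    typedef std::shared_ptr<ICommand> CommandPtrInternal;

    virtual ~ICommand() {}

    // True when 'command' is this command's keyword.
    virtual bool CompareCommand(std::wstring& command) = 0;
    // Consumes this command's own arguments from 'args'; throws WException on a bad argument.
    virtual void LoadArgs(Arguments& args, CommandModeType mode) = 0;
    // Sends the command to the driver over an opened connection.
    virtual void PerformCommand(Connection& connection) = 0;
    // Registry forms of the command. Not pure virtual, so a default is presumably defined in
    // Commands.cpp outside this listing for commands that have no install/uninstall form.
    virtual void InstallCommand(RegistryKey& configKey);
    virtual void UninstallCommand(RegistryKey& configKey);

    // Returns a fresh instance of the same command type for LoadArgs().
    virtual CommandPtrInternal CreateInstance() = 0;
};

typedef ICommand::CommandPtrInternal CommandPtr;

// Parses the leading mode switch (/install, /uninstall or none) and the registry config path.
class CommandMode
{
    std::wstring m_regConfigPath;
    CommandModeType m_type;

    void LoadConfigPath(Arguments& args);

public:
    CommandMode(Arguments& args);

    CommandModeType GetModeType();
    const std::wstring&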
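GetConfigRegistryKeyPath();
};

// A "perform" strategy: how many commands one invocation carries and where they come from.
class ICommandTemplate
{
public:
    virtual ~ICommandTemplate() {}
    virtual void Perform(Connection& connection) = 0;
    virtual void Install(RegistryKey& configKey) = 0;
    virtual void Uninstall(RegistryKey& configKey) = 0;
};

typedef std::shared_ptr<ICommandTemplate> CommandTemplatePtr; // template argument restored; the listing dropped it

// Default strategy: exactly one command per invocation.
class SingleCommand : public ICommandTemplate
{
    std::vector<CommandPtr> m_commandsStack; // prototypes, filled by LoadCommandsStack()
    CommandPtr m_current;

public:

    SingleCommand(Arguments& args, CommandModeType mode);
    virtual ~SingleCommand();

    virtual void Perform(Connection& connection);
    virtual void Install(RegistryKey& configKey);
    virtual void Uninstall(RegistryKey& configKey);
};

// /multi: several commands on one command line, one after another.
class MultipleCommands : public ICommandTemplate
{
    std::vector<CommandPtr> m_commandsStack; // prototypes
    std::vector<CommandPtr> m_currentStack;  // loaded instances, in command-line order

public:

    MultipleCommands(Arguments& args, CommandModeType mode);
    virtual ~MultipleCommands();

    virtual void Perform(Connection& connection);
    virtual void Install(RegistryKey& configKey);
    virtual void Uninstall(RegistryKey& configKey);
};

// /config <path>: several commands read from a text file, one per line.
class MultipleCommandsFromFile : public ICommandTemplate
{
    std::vector<CommandPtr> m_commandsStack; // prototypes
    std::vector<CommandPtr> m_currentStack;  // loaded instances, in file order

public:

    MultipleCommandsFromFile(Arguments& args, CommandModeType mode);
    virtual ~MultipleCommandsFromFile();

    virtual void Perform(Connection& connection);
    virtual void Install(RegistryKey& configKey);
    virtual void Uninstall(RegistryKey& configKey);
};
--------------------------------------------------------------------------------
/hidden-master/HiddenCLI/Connection.cpp:
--------------------------------------------------------------------------------
#include "Connection.h"

using namespace std;

// Consumes the optional "/gate <name>" connection switch; every other argument is left for the
// command parser. The driver context itself is only created by Open().
Connection::Connection(Arguments& args) :
    m_context(nullptr)
{
    wstring arg;

    if (!args.Probe(arg))
        return;

    do
    {
        if (arg != L"/gate")
            break;

        args.SwitchToNext();
        if (!args.GetNext(m_deviceName))
            throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument for command 'gate'");

        // A bare gate name is turned into a Win32 device path; a name that already starts
        // with '\' is used as given.
        if (m_deviceName.compare(0, 1, L"\\") != 0)
            m_deviceName.insert(0, L"\\\\.\\");
    }
    while (args.Probe(arg));
}

Connection::~Connection()
{
    if (m_context)
        Hid_Destroy(m_context);
}

// Opens the driver connection; without /gate the library's default device is used.
// Throws WException carrying the library status code when the connection fails.
void Connection::Open()
{
    HidStatus status;
    const wchar_t* deviceName = nullptr;

    // Calling Open() twice used to leak the first context; release it before reconnecting.
    if (m_context)
    {
        Hid_Destroy(m_context);
        m_context = nullptr;
    }

    if (!m_deviceName.empty())
        deviceName = m_deviceName.c_str();

    status = Hid_Initialize(&m_context, deviceName);
    if (!HID_STATUS_SUCCESSFUL(status))
        throw WException(HID_STATUS_CODE(status), L"Error, can't connect to gate");
}

// Null until Open() succeeded.
HidContext Connection::GetContext()
{
    return m_context;
}

// Library-only initialisation for the /install and /uninstall paths, which never talk to the driver.
LibInitializator::LibInitializator()
{
    HidStatus status = Hid_InitializeWithNoConnection();
    if (!HID_STATUS_SUCCESSFUL(status))
        throw WException(HID_STATUS_CODE(status), L"Error, init hidden lib");
}

LibInitializator::~LibInitializator()
{
    // We don't need release lib resources because in case of the
    // Hid_InitializeWithNoConnection() there aren't any dynamic data
}
--------------------------------------------------------------------------------
/hidden-master/HiddenCLI/Connection.h:
--------------------------------------------------------------------------------
#pragma once

#include "Helper.h"
#include "../HiddenLib/HiddenLib.h"

// Owns one driver context (HidContext). Parsed from "/gate <name>", opened by Open(),
// destroyed in the destructor.
class Connection
{
private:

    HidContext m_context;

    std::wstring m_deviceName;

public:

    Connection(Arguments& args);
    ~Connection();

    // The context is a raw handle destroyed exactly once; copying would destroy it twice.
    Connection(const Connection&) = delete;
    Connection& operator=(const Connection&) = delete;

    void Open();

    HidContext GetContext();
};

class LibInitializator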
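{
public:
    LibInitializator();
    ~LibInitializator();
};
--------------------------------------------------------------------------------
/hidden-master/HiddenCLI/Helper.cpp:
--------------------------------------------------------------------------------
#include "helper.h"
#include

using namespace std;

// =================

// Command output is buffered here and flushed by wmain() once the run succeeded:
// g_stdout carries the machine-readable result, g_stderr human-readable progress.
std::wstringstream g_stdout;
std::wstringstream g_stderr;

// =================

// Formats the message printf-style; text beyond 255 characters is truncated.
// 'Format' must be a literal format string, never user-supplied text.
WException::WException(unsigned int Code, wchar_t* Format, ...) :
    m_errorCode(Code)
{
    wchar_t buffer[256];

    va_list args;
    va_start(args, Format);
    _vsnwprintf_s(buffer, _countof(buffer), _TRUNCATE, Format, args); // _TRUNCATE: no invalid-parameter handler on overflow
    va_end(args);

    m_errorMessage = buffer;
}

const wchar_t* WException::What()
{
    return m_errorMessage.c_str();
}

// Win32 error code (or a HID_STATUS_CODE) the exception was raised with; wmain() uses it as exit code.
unsigned int WException::Code()
{
    return m_errorCode;
}

// =================

// Copies argv[start..argc) into a cursor-based list; 'start' defaults to 1 to skip the program name.
Arguments::Arguments(int argc, wchar_t* argv[], int start) :
    m_argPointer(0)
{
    // A negative 'start' would index before argv; clamp rather than read out of bounds.
    for (int i = (start < 0 ? 0 : start); i < argc; i++)
        m_arguments.push_back(argv[i]);
}

size_t Arguments::ArgsCount()
{
    return m_arguments.size();
}

// Reads the current argument without advancing; false when the list is exhausted.
bool Arguments::Probe(std::wstring& arg)
{
    if (m_argPointer >= m_arguments.size())
        return false;

    arg = m_arguments[m_argPointer];
    return true;
}

// Advances past the current argument; false when there was nothing to skip.
bool Arguments::SwitchToNext()
{
    if (m_argPointer >= m_arguments.size())
        return false;

    m_argPointer++;
    return true;
}

// Reads the current argument and advances; false when the list is exhausted.
bool Arguments::GetNext(wstring& arg)
{
    if (m_argPointer >= m_arguments.size())
        return false;

    arg = m_arguments[m_argPointer++];
    return true;
}

// =================

// Captures GetLastError() at construction so the creation failure reason survives later calls.
Handle::Handle(HANDLE handle) :
    m_handle(handle),
    m_error(::GetLastError())
{
}

Handle::~Handle()
{
    // Some APIs report failure with NULL rather than INVALID_HANDLE_VALUE; close neither.
    if (m_handle != INVALID_HANDLE_VALUE && m_handle != NULL)
        ::CloseHandle(m_handle);
}

HANDLE Handle::Get()
{
    return m_handle;
}

DWORD Handle::Error()
{
    return m_error;
}

// =================

// Opens (or, with newKey, creates) 'regKey' under 'root' with the requested access rights.
// Throws WException with the registry status when the key cannot be opened/created.
RegistryKey::RegistryKey(std::wstring regKey, HKEY root, REGSAM access, bool newKey) : m_hkey(NULL)
{
    if (newKey)
    {
        LONG status = RegCreateKeyExW(root, regKey.c_str(), 0, NULL, 0, access, NULL, &m_hkey, NULL);
        if (status != ERROR_SUCCESS)
            throw WException(status, L"Error, can't create registry key");
    }
    else
    {
        LONG status = RegOpenKeyExW(root, regKey.c_str(), 0, access, &m_hkey);
        if (status != ERROR_SUCCESS)
            throw WException(status, L"Error, can't open registry key");
    }
}

RegistryKey::~RegistryKey()
{
    if (m_hkey)
        RegCloseKey(m_hkey);
}

// Copies the whole subtree of 'src' into this key.
void RegistryKey::CopyTreeFrom(RegistryKey& src)
{
    LONG status = RegCopyTree(src.m_hkey, NULL, m_hkey);
    if (status != ERROR_SUCCESS)
        throw WException(status, L"Error, can't copy registry tree");
}

// Deletes 'regKey' under 'root' together with all of its subkeys.
void RegistryKey::DeleteKey(std::wstring regKey, HKEY root)
{
    LONG status = RegDeleteTreeW(root, regKey.c_str());
    if (status != ERROR_SUCCESS)
        throw WException(status, L"Error, can't delete registry tree"); // message previously said "copy"
}

void RegistryKey::SetDwordValue(const wchar_t* name, DWORD value)
{
    LONG status = RegSetValueExW(m_hkey, name, NULL, REG_DWORD, (LPBYTE)&value, sizeof(value));
    if (status != ERROR_SUCCESS)
        throw WException(status, L"Error, can't set registry value");
}

// Returns the DWORD value 'name', or defValue when the value does not exist.
// Throws when the query fails for another reason or the stored value is not a REG_DWORD.
DWORD RegistryKey::GetDwordValue(const wchar_t* name, DWORD defValue)
{
    DWORD value = 0, size = sizeof(value), type = REG_NONE;

    LONG status = RegQueryValueExW(m_hkey, name, NULL, &type, (LPBYTE)&value, &size);
    if (status != ERROR_SUCCESS)
    {
        if (status != ERROR_FILE_NOT_FOUND)
            throw WException(status, L"Error, can't query registry value");

        return defValue;
    }

    // The type was never checked before; any 4-byte value would have been accepted as a DWORD.
    if (type != REG_DWORD || size != sizeof(value))
        throw WException(ERROR_INVALID_DATATYPE, L"Error, invalid registry key type");

    return value;
}

// Stores 'value' as REG_SZ, or REG_EXPAND_SZ when 'expanded' is set, terminator included.
void RegistryKey::SetStrValue(const wchar_t* name, std::wstring& value, bool expanded)
{
    DWORD type = expanded ? REG_EXPAND_SZ : REG_SZ;
    DWORD bytes = (DWORD)(value.size() + 1) * sizeof(wchar_t);

    LONG status = RegSetValueExW(m_hkey, name, NULL, type, (LPBYTE)value.c_str(), bytes);
    if (status != ERROR_SUCCESS)
        throw WException(status, L"Error, can't set registry value");
}

// Reads the string value 'name' into 'value'; a missing value yields defValue.
// Throws when the query fails otherwise or the value is neither REG_SZ nor REG_EXPAND_SZ.
void RegistryKey::GetStrValue(const wchar_t* name, std::wstring& value, const wchar_t* defValue)
{
    DWORD size = 0, type = REG_NONE;

    LONG status = RegQueryValueExW(m_hkey, name, NULL, &type, NULL, &size);
    if (status != ERROR_SUCCESS)
    {
        if (status != ERROR_FILE_NOT_FOUND)
            throw WException(status, L"Error, can't query registry value");

        value = defValue;
        return;
    }

    // 'status' is ERROR_SUCCESS here, so it must not be used as the error code of this throw
    // (the process would otherwise exit with code 0 after reporting a failure).
    if (type != REG_SZ && type != REG_EXPAND_SZ)
        throw WException(ERROR_INVALID_DATATYPE, L"Error, invalid registry key type");

    value.clear();
    if (size == 0)
        return;

    // Round the byte size up to whole characters: an odd size would otherwise make the second
    // query write one byte past the buffer. Write through &value[0], not through c_str().
    value.assign((size + sizeof(wchar_t) - 1) / sizeof(wchar_t), L'\0');

    status = RegQueryValueExW(m_hkey, name, NULL, &type, (LPBYTE)&value[0], &size);
    if (status != ERROR_SUCCESS)
        throw WException(status, L"Error, can't query registry value");

    // Registry strings may or may not carry their terminator; drop every trailing NUL.
    while (!value.empty() && value.back() == L'\0')
        value.pop_back();
}

// Stores 'strs' as REG_MULTI_SZ. Empty strings are skipped because an empty element would end
// the list early for any standard reader; the list is closed with the mandatory empty string.
void RegistryKey::SetMultiStrValue(const wchar_t* name, const std::vector<std::wstring>& strs)
{
    // std::vector replaces the previous shared_ptr<BYTE> over new[], which freed with delete
    // instead of delete[].
    std::vector<BYTE> buffer;

    for (const auto& str : strs)
    {
        if (str.empty())
            continue;

        const BYTE* bytes = (const BYTE*)str.c_str();
        buffer.insert(buffer.end(), bytes, bytes + (str.size() + 1) * sizeof(wchar_t));
    }

    // List terminator. For an empty list this is the whole value, as before (one NUL character).
    buffer.insert(buffer.end(), sizeof(wchar_t), 0);

    LONG status = RegSetValueExW(m_hkey, name, NULL, REG_MULTI_SZ, buffer.data(), (DWORD)buffer.size());
    if (status != ERROR_SUCCESS)
        throw WException(status, L"Error, can't set registry value");
}

// Reads the REG_MULTI_SZ value 'name' into 'strs' (cleared first); a missing value yields an
// empty list. Throws when the query fails otherwise or the value is not a REG_MULTI_SZ.
void RegistryKey::GetMultiStrValue(const wchar_t* name, std::vector<std::wstring>& strs)
{
    DWORD size = 0, type = REG_NONE;

    strs.clear();

    LONG status = RegQueryValueExW(m_hkey, name, NULL, &type, NULL, &size);
    if (status != ERROR_SUCCESS)
    {
        if (status != ERROR_FILE_NOT_FOUND)
            throw WException(status, L"Error, can't query registry value");

        return;
    }

    // 'status' is ERROR_SUCCESS here; see GetStrValue() for why it is not the error code.
    if (type != REG_MULTI_SZ)
        throw WException(ERROR_INVALID_DATATYPE, L"Error, invalid registry key type");

    if (size == 0)
        return;

    // One extra zeroed WCHAR guarantees a terminator even for a malformed value.
    std::vector<BYTE> buffer(size + sizeof(WCHAR), 0);

    status = RegQueryValueExW(m_hkey, name, NULL, &type, buffer.data(), &size);
    if (status != ERROR_SUCCESS)
        throw WException(status, L"Error, can't query registry value");

    // Walk the NUL-separated strings. Empty elements are skipped rather than treated as the
    // end of the list, matching what SetMultiStrValue() writes; 'size' is the post-query size.
    const wchar_t* cursor = (const wchar_t*)buffer.data();
    const wchar_t* end = cursor + size / sizeof(WCHAR);
    while (cursor < end)
    {
        size_t len = wcsnlen(cursor, end - cursor);
        if (len > 0)
            strs.push_back(std::wstring(cursor, len));
        cursor += len + 1;
    }
}

void RegistryKey::RemoveValue(const wchar_t* name)
{
    LONG status = RegDeleteKeyValueW(m_hkey, NULL, name);
    if (status != ERROR_SUCCESS)
        throw WException(status, L"Error, can't delete registry value");
}

// =================

// Maps the "HKLM\", "HKCU\" or "HKU\" prefix of a user-typed registry path to the library's root type.
// Throws ERROR_INVALID_DATA for any other prefix; the prefix itself is left in 'path'.
HidRegRootTypes GetRegType(wstring& path)
{
    static const struct { const wchar_t* prefix; HidRegRootTypes type; } roots[] = {
        { L"HKLM\\", HidRegRootTypes::RegHKLM },
        { L"HKCU\\", HidRegRootTypes::RegHKCU },
        { L"HKU\\",  HidRegRootTypes::RegHKU },
    };

    for (const auto& root : roots)
    {
        if (path.compare(0, wcslen(root.prefix), root.prefix) == 0)
            return root.type;
    }

    throw WException(ERROR_INVALID_DATA, L"Error, invalid registry prefix");
}

// Consumes an optional "inherit:none|always|once" argument; any other (or no) argument is left
// in place and defaultType is returned. The parameter was named 'default', a reserved word in C++.
HidPsInheritTypes LoadInheritOption(Arguments& args, HidPsInheritTypes defaultType)
{
    wstring arg;

    if (!args.Probe(arg))
        return defaultType;

    HidPsInheritTypes type = defaultType;

    if (arg == L"inherit:none")
        type = HidPsInheritTypes::WithoutInherit;
    else if (arg == L"inherit:always")
        type = HidPsInheritTypes::InheritAlways;
    else if (arg == L"inherit:once")
        type = HidPsInheritTypes::InheritOnce;
    else
        return defaultType;

    args.SwitchToNext();
    return type;
}

// Consumes an optional "apply:fornew|forall" argument; returns true for forall, false for fornew,
// applyByDefault when the argument is something else (which is then left in place).
bool LoadApplyOption(Arguments& args, bool applyByDefault)
{
    wstring arg;

    if (!args.Probe(arg))
        return applyByDefault;

    if (arg == L"apply:fornew")
    {
        args.SwitchToNext();
        return false;
    }

    if (arg == L"apply:forall")
    {
        args.SwitchToNext();
        return true;
    }

    return applyByDefault;
}

// Display name of an inherit type; "unknown" for values outside the enum.
const wchar_t* ConvertInheritTypeToUnicode(HidPsInheritTypes type)
{
    switch (type)
    {
    case HidPsInheritTypes::WithoutInherit:
        return L"none";
    case HidPsInheritTypes::InheritOnce:
        return L"once";
    case HidPsInheritTypes::InheritAlways:
        return L"always";
    }
    return L"unknown";
}

// Display name of a registry root type; "unknown" for values outside the enum.
const wchar_t* ConvertRegRootTypeToUnicode(HidRegRootTypes type)
{
    switch (type)
    {
    case HidRegRootTypes::RegHKCU:
        return L"HKCU";
    case HidRegRootTypes::RegHKLM:
        return L"HKLM";
    case HidRegRootTypes::RegHKU:
        return L"HKU";
    }
    return L"unknown";
}
--------------------------------------------------------------------------------
/hidden-master/HiddenCLI/Helper.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include
#include
#include

#include "../HiddenLib/HiddenLib.h"

// Output buffers flushed by wmain(): g_stdout = machine-readable result, g_stderr = progress text.
extern std::wstringstream g_stdout;
extern std::wstringstream g_stderr;

// The CLI's only exception type: a Win32/HID status code plus a formatted message.
class WException
{
    std::wstring m_errorMessage;
    unsigned int m_errorCode;

public:

    // 'Format' must be a literal printf-style format; the message is truncated at 255 characters.
    WException(unsigned int Code, wchar_t* Format, ...);

    const wchar_t* What();
    unsigned int Code();
};

// Cursor over the command-line arguments; Probe() peeks, GetNext() consumes, SwitchToNext() skips.
class Arguments
{
    std::vector<std::wstring> m_arguments; // template argument restored; the listing dropped it
    unsigned int m_argPointer;

public:

    Arguments(int argc, wchar_t* argv[], int start = 1);

    size_t ArgsCount();

    bool Probe(std::wstring& arg);
    bool SwitchToNext();
    bool GetNext(std::wstring& arg);
};

// Owns a Win32 HANDLE and remembers GetLastError() from the moment it was created.
class Handle
{
private:
    DWORD m_error;
    HANDLE m_handle;

public:

    Handle(HANDLE handle);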
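~Handle();

    HANDLE Get();
    DWORD Error();

};

// RAII wrapper over one registry key handle with typed get/set helpers.
// Getters return the supplied default (or an empty list) for a missing value and throw
// WException for any other failure, including a value of the wrong type.
class RegistryKey
{
private:

    HKEY m_hkey;

public:

    // The default access is KEY_ALL_ACCESS; callers that only read a key can pass
    // KEY_READ | KEY_WOW64_64KEY instead. KEY_WOW64_64KEY keeps a 32-bit build out of the
    // WOW6432Node view so it sees the same keys as the 64-bit driver.
    RegistryKey(std::wstring regKey, HKEY root = HKEY_LOCAL_MACHINE, REGSAM access = KEY_ALL_ACCESS | KEY_WOW64_64KEY, bool newKey = false);
    ~RegistryKey();

    void CopyTreeFrom(RegistryKey& src);

    void SetDwordValue(const wchar_t* name, DWORD value);
    DWORD GetDwordValue(const wchar_t* name, DWORD defValue);

    void SetStrValue(const wchar_t* name, std::wstring& value, bool expanded = false);
    void GetStrValue(const wchar_t* name, std::wstring& value, const wchar_t* defValue);

    // Template arguments restored below; the listing dropped them.
    void SetMultiStrValue(const wchar_t* name, const std::vector<std::wstring>& strs);
    void GetMultiStrValue(const wchar_t* name, std::vector<std::wstring>& strs);

    void RemoveValue(const wchar_t* name);

    // Deletes regKey and its whole subtree.
    static void DeleteKey(std::wstring regKey, HKEY root = HKEY_LOCAL_MACHINE);
};

// Kind of object a /hide or /unhide command refers to.
enum EObjTypes {
    TypeFile,
    TypeDir,
    TypeRegKey,
    TypeRegVal,
};

// How a process rule identifies its target.
enum EProcTypes {
    TypeProcessId,
    TypeImage,
};

HidRegRootTypes GetRegType(std::wstring& path);

// The second parameter was named 'default', which is a reserved word in C++.
HidPsInheritTypes LoadInheritOption(Arguments& args, HidPsInheritTypes defaultType);
bool LoadApplyOption(Arguments& args, bool applyByDefault);

const wchar_t* ConvertInheritTypeToUnicode(HidPsInheritTypes type);
const wchar_t* ConvertRegRootTypeToUnicode(HidRegRootTypes type);
--------------------------------------------------------------------------------
/hidden-master/HiddenCLI/HiddenCLI.cpp:
--------------------------------------------------------------------------------
#include
#include
#include
#include
#include "Helper.h"
#include "Connection.h"
#include "Commands.h"

using namespace std;

// Prints the usage text when the first argument is /help or /?; returns whether it did so.
// Note: the angle-bracketed placeholders of the original usage text are missing from this listing.
bool PrintUsage(Arguments& args)
{
    wstring command;

    if (!args.Probe(command))
        return false;

    if (command != L"/help" && command != L"/?")
        return false;

    // static const: the text is never modified, so it is not copied onto the stack on every call.
    static const wchar_t message[] =
        L"hiddencli [mode] [connection] [perform] \n"
        L"hiddencli /help\n"
        L"\n"
        L"mode:\n"
        L"\n"
        L" By default perform current commands\n"
        L"\n"
        L" /install [%driver%]\n"
        L" Install commands to registry without execution, driver will load them on\n"
        L" start. If this flag is set connection parameters shouldn't be set. Optional\n"
        L" parameter is used for set valid registry path if driver name is changed, by\n"
        L" default \"hidden\"\n"
        L"\n"
        L" /uninstall [%driver%] all\n"
        L" Uninstall all configs from registry. This flag is all-sufficient therefore\n"
        L" if this flag is set no other parameters and commands should be set after\n"
        L"\n"
        L"connection:\n"
        L"\n"
        L" /gate <%name%>\n"
        L" Set specific connection gate name. By default \"HiddenGate\" is used\n"
        L"\n"
        L"perform:\n"
        L"\n"
        L" By default perform one command by one execution\n"
        L"\n"
        L" /multi\n"
        L" Enable multiple commands per execution, just type commands one by one\n"
        L" without any separator\n"
        L"\n"
        L" /config <%path%>\n"
        L" Loads multiple commands from file, each command should be on separate line\n"
        L"\n"
        L"commands:\n"
        L"\n"
        L" /state \n"
        L" Enable or disable hidden\n"
        L"\n"
        L" /query state\n"
        L" Get enforcement state\n"
        L"\n"
        L" /hide <%path%>\n"
        L" Hide filesystem or registry object by path\n"
        L"\n"
        L" /unhide all\n"
        L" Unhide all filesystem or registry object by selected type\n"
        L"\n"
        L" /unhide <%ruleid%>\n"
        L" Unhide all filesystem or registry object by selected type and rule ID\n"
        L"\n"
        L" /ignore image [inherit:] [apply:] <%path%>\n"
        L" Set rule that allows to see hidden filesystem and registry objects for\n"
        L" processes with specific image path\n"
        L"\n"
        L" /unignore <%ruleid%>\n"
        L" Remove rule that allows to see hidden filesystem and registry objects by\n"
        L" rule ID\n"
        L"\n"
        L" /unignore all\n"
        L" Remove all rules that allow to see hidden filesystem and registry objects\n"
        L"\n"
        L" /ignore pid [inherit:] <%pid%>\n"
        L" Turn on abillity to see hidden filesystem and registry objects for\n"
        L" specific process by PID\n"
        L"\n"
        L" /unignore pid <%pid%>\n"
        L" Turn off abillity to see hidden filesystem and registry objects for\n"
        L" specific process by PID\n"
        L"\n"
        L" /protect image [inherit:] [apply:] <%path%>\n"
        L" Set rule that allows to enable process protection for processes with\n"
        L" specific image path\n"
        L"\n"
        L" /unprotect <%ruleid%>\n"
        L" Remove rule that enables process protection by rule ID\n"
        L"\n"
        L" /unprotect all\n"
        L" Remove all rules that enable process protection\n"
        L"\n"
        L" /protect pid [inherit:] <%pid%>\n"
        L" Turn on protection for specific process by PID\n"
        L"\n"
        L" /unprotect pid <%pid%>\n"
        L" Turn off protection for specific process by PID\n"
        L"\n"
        L" /query process <%pid%>\n"
        L" Query information about state of the process by PID\n"
        L"\n"
        L"options:\n"
        L"\n"
        L" inherit:none\n"
        L" Disable inheritance of the protected or ignored state\n"
        L"\n"
        L" inherit:once\n"
        L" Child process will inherit the same state but its children no\n"
        L"\n"
        L" inherit:always\n"
        L" Child process will inherit the same state and its children too\n"
        L"\n"
        L" apply:forall\n"
        L" Apply policy for existing processes and for all new processes\n"
        L"\n"
        L" apply:fornew\n"
        L" Don't apply policy for existing processes only for new\n";

    wcout << message << endl;
    return true;
}
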
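// Chooses the "perform" strategy from the next argument: /multi, /config, or (default) a single
// command. In uninstall mode there is no strategy switch and a SingleCommand is always used.
CommandTemplatePtr LoadCommandsTemplate(Arguments& args, CommandMode& mode)
{
    wstring templateType;

    if (mode.GetModeType() == CommandModeType::Uninstall)
        return CommandTemplatePtr(new SingleCommand(args, mode.GetModeType()));

    if (!args.Probe(templateType))
        throw WException(ERROR_INVALID_PARAMETER, L"Error, unknown perform mode, please use 'hiddencli /help'");

    if (templateType == L"/multi")
    {
        args.SwitchToNext();
        return CommandTemplatePtr(new MultipleCommands(args, mode.GetModeType()));
    }

    if (templateType == L"/config")
    {
        args.SwitchToNext();
        return CommandTemplatePtr(new MultipleCommandsFromFile(args, mode.GetModeType()));
    }

    return CommandTemplatePtr(new SingleCommand(args, mode.GetModeType()));
}

// Entry point. Output protocol: on success "status:ok" (optionally ";<result>") on stdout and the
// progress text on stderr; on failure the message on stderr, "status:failed" on stdout and a
// non-zero exit code.
int wmain(int argc, wchar_t* argv[])
{
    try
    {
        Arguments arguments(argc, argv);

        if (!arguments.ArgsCount())
            throw WException(
                ERROR_INVALID_PARAMETER,
                L"Welcome to HiddenCLI, please use 'hiddencli /help'"
            );

        if (PrintUsage(arguments))
            return 0;

        CommandMode mode(arguments);

        if (mode.GetModeType() == CommandModeType::Execute)
        {
            // All commands are parsed before the driver is contacted, so a bad command line
            // never opens a connection.
            Connection connection(arguments);
            {
                CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode);
                connection.Open();
                commands->Perform(connection);
            }
        }
        else if (mode.GetModeType() == CommandModeType::Install)
        {
            LibInitializator lib;
            {
                CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode);
                RegistryKey key(mode.GetConfigRegistryKeyPath());
                commands->Install(key);
            }
        }
        else if (mode.GetModeType() == CommandModeType::Uninstall)
        {
            LibInitializator lib;
            {
                CommandTemplatePtr commands = LoadCommandsTemplate(arguments, mode);
                RegistryKey key(mode.GetConfigRegistryKeyPath());
                commands->Uninstall(key);
            }
        }

        const wstring output = g_stdout.str();

        wcerr << g_stderr.str();

        if (output.empty())
            wcout << L"status:ok" << endl;
        else
            wcout << L"status:ok;" << output << endl;
    }
    catch (WException& e)
    {
        wcerr << e.What() << endl;
        wcout << L"status:failed" << endl;
        // A failure must never exit with 0, even if the exception was raised with code 0.
        return e.Code() ? (int)e.Code() : -1;
    }
    catch (exception& e) // the variable used to shadow the type name 'exception'
    {
        cerr << e.what() << endl;
        wcout << L"status:failed" << endl;
        return -1;
    }

    return 0;
}
-------------------------------------------------------------------------------- /hidden-master/HiddenCLI/HiddenCLI.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {E6A7AAAD-4877-4F05-A5A1-F42707895996} 23 | Win32Proj 24 | HiddenCLI 25 | 10.0.16299.0 26 | 27 | 28 | 29 | Application 30 | true 31 | v141 32 | Unicode 33 | 34 | 35 | Application 36 | true 37 | v141 38 | Unicode 39 | 40 | 41 | Application 42 | false 43 | v141 44 | true 45 | Unicode 46 | 47 | 48 | Application 49 | false 50 | v141 51 | true 52 | Unicode 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | true 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | false 81 | 82 | 83 | 84 | 85 | 86 | Level3 87 | Disabled 88 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 89 | MultiThreadedDebug 90 | 91 | 92 | Console 93 | true 94 | HiddenLib.lib;%(AdditionalDependencies) 95 | $(SolutionDir)$(Configuration)\ 96 | 97 | 98 | 99 | 100 | 101 | 102 | Level3 103 | Disabled 104 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 105 | MultiThreadedDebug 106 | 107 | 108 | Console 109 | true 110 | 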
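HiddenLib.lib;%(AdditionalDependencies) 111 | $(SolutionDir)x64\$(Configuration)\ 112 | 113 | 114 | 115 | 116 | Level3 117 | 118 | 119 | MaxSpeed 120 | true 121 | true 122 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 123 | MultiThreaded 124 | 125 | 126 | Console 127 | true 128 | true 129 | true 130 | $(SolutionDir)$(Configuration)\ 131 | HiddenLib.lib;%(AdditionalDependencies) 132 | 133 | 134 | 135 | 136 | Level3 137 | 138 | 139 | MaxSpeed 140 | true 141 | true 142 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 143 | MultiThreaded 144 | 145 | 146 | Console 147 | true 148 | true 149 | true 150 | $(SolutionDir)x64\$(Configuration)\ 151 | HiddenLib.lib;%(AdditionalDependencies) 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | -------------------------------------------------------------------------------- /hidden-master/HiddenCLI/HiddenCLI.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | Commands 10 | 11 | 12 | Commands 13 | 14 | 15 | Commands 16 | 17 | 18 | Commands 19 | 20 | 21 | Commands 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | Commands 33 | 34 | 35 | Commands 36 | 37 | 38 | Commands 39 | 40 | 41 | Commands 42 | 43 | 44 | Commands 45 | 46 | 47 | 48 | 49 | {680a2e80-be0d-4ac2-8a4a-d59b67e55c61} 50 | 51 | 52 | 53 | 54 | 55 |
--------------------------------------------------------------------------------
/hidden-master/HiddenCLI/Hide.cpp:
--------------------------------------------------------------------------------
#include "Hide.h"
#include
#include

using namespace std;

// =================

// /hide <file|dir|regkey|regval> <path>: hides one filesystem or registry object.
CommandHide::CommandHide() : m_command(L"/hide")
{
}

CommandHide::~CommandHide()
{
}

bool CommandHide::CompareCommand(std::wstring& command)
{
    return (command == m_command);
}

// Resolves the "HKLM\" / "HKCU\" / "HKU\" prefix of regPath to a root type and strips it,
// leaving the path relative to that root. Throws when the prefix is missing or unknown.
HidRegRootTypes CommandHide::GetTypeAndNormalizeRegPath(std::wstring& regPath)
{
    HidRegRootTypes type = GetRegType(regPath);

    size_t pos = regPath.find(L"\\");
    if (pos == wstring::npos)
        throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid registry path");

    regPath.erase(0, pos + 1); // same result as the previous copy-through-a-temporary, in place
    return type;
}

// Arguments: object kind, then the path. Registry paths are split into root type + relative path here.
void CommandHide::LoadArgs(Arguments& args, CommandModeType mode)
{
    wstring object;

    if (!args.GetNext(object))
        throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #1 for command 'hide'");

    if (!args.GetNext(m_path))
        throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #2 for command 'hide'");

    if (object == L"file")
    {
        m_hideType = EObjTypes::TypeFile;
    }
    else if (object == L"dir")
    {
        m_hideType = EObjTypes::TypeDir;
    }
    else if (object == L"regkey")
    {
        m_hideType = EObjTypes::TypeRegKey;
        m_regRootType = GetTypeAndNormalizeRegPath(m_path);
    }
    else if (object == L"regval")
    {
        m_hideType = EObjTypes::TypeRegVal;
        m_regRootType = GetTypeAndNormalizeRegPath(m_path);
    }
    else
    {
        throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid argument for command 'hide'");
    }
}

// Sends the hide rule to the driver and reports the rule id it was assigned ("ruleid:<n>" on stdout).
void CommandHide::PerformCommand(Connection& connection)
{
    HidStatus status;
    HidObjId objId;

    switch (m_hideType)
    {
    case EObjTypes::TypeFile:
        status = Hid_AddHiddenFile(connection.GetContext(), m_path.c_str(), &objId);
        break;
    case EObjTypes::TypeDir:
        status = Hid_AddHiddenDir(connection.GetContext(), m_path.c_str(), &objId);
        break;
    case EObjTypes::TypeRegKey:
        status = Hid_AddHiddenRegKey(connection.GetContext(), m_regRootType, m_path.c_str(), &objId);
        break;
    case EObjTypes::TypeRegVal:
        status = Hid_AddHiddenRegValue(connection.GetContext(), m_regRootType, m_path.c_str(), &objId);
        break;
    default:
        throw WException(ERROR_UNKNOWN_COMPONENT, L"Internal error, invalid type for command 'hide'");
    }

    if (!HID_STATUS_SUCCESSFUL(status))
        throw WException(HID_STATUS_CODE(status), L"Error, command 'hide' rejected");

    g_stderr << L"Command 'hide' successful" << endl;
    g_stdout << L"ruleid:" << objId << endl;
}

// Appends the normalized path to the REG_MULTI_SZ config value for its object kind.
void CommandHide::InstallCommand(RegistryKey& configKey)
{
    vector<wstring> commands; // template argument restored; the listing dropped it
    const wchar_t* valueName;
    HidStatus status;
    wstring entry;

    // Scratch buffer for the normalizer; written through &entry[0], not through a const_cast of c_str().
    entry.assign(m_path.size() + HID_NORMALIZATION_OVERHEAD, L'\0');
    wchar_t* entryBuffer = &entry[0];

    switch (m_hideType)
    {
    case EObjTypes::TypeFile:
        valueName = L"Hid_HideFsFiles";
        status = Hid_NormalizeFilePath(m_path.c_str(), entryBuffer, entry.size());
        break;
    case EObjTypes::TypeDir:
        valueName = L"Hid_HideFsDirs";
        status = Hid_NormalizeFilePath(m_path.c_str(), entryBuffer, entry.size());
        break;
    case EObjTypes::TypeRegKey:
        valueName = L"Hid_HideRegKeys";
        status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), entryBuffer, entry.size());
        break;
    case EObjTypes::TypeRegVal:
        valueName = L"Hid_HideRegValues";
        status = Hid_NormalizeRegistryPath(m_regRootType, m_path.c_str(), entryBuffer, entry.size());
        break;
    default:
        throw WException(ERROR_UNKNOWN_COMPONENT, L"Internal error, invalid type for command 'hide'");
    }

    // The normalizer's status was never checked before, so a failed normalization installed
    // whatever was left in the buffer.
    if (!HID_STATUS_SUCCESSFUL(status))
        throw WException(HID_STATUS_CODE(status), L"Error, can't normalize path for command 'hide'");

    // Trim the unused tail of the scratch buffer so no NUL padding is written into the value.
    // NOTE(review): assumes the normalizer NUL-terminates its output — confirm against HiddenLib.
    entry.resize(wcsnlen(entry.c_str(), entry.size()));

    configKey.GetMultiStrValue(valueName, commands);
    commands.push_back(entry);
    configKey.SetMultiStrValue(valueName, commands);

    g_stderr << L"Install 'hide' successful" << endl;
}

// Best-effort removal of all four hide config values; only reports success when at least one existed.
void CommandHide::UninstallCommand(RegistryKey& configKey)
{
    static const wchar_t* const valueNames[] = {
        L"Hid_HideFsFiles", L"Hid_HideFsDirs", L"Hid_HideRegKeys", L"Hid_HideRegValues"
    };
    int errors = 0;

    for (const wchar_t* valueName : valueNames)
    {
        // RemoveValue() only throws WException; catching just that no longer hides e.g. bad_alloc.
        try { configKey.RemoveValue(valueName); } catch (WException&) { errors++; }
    }

    if (errors < _countof(valueNames))
        g_stderr << L"Uninstall 'hide' successful" << endl;
}

CommandPtr CommandHide::CreateInstance()
{
    return CommandPtr(new CommandHide());
}

// =================

// /unhide <file|dir|regkey|regval> <ruleid|all>: removes one hide rule, or all of that kind.
CommandUnhide::CommandUnhide() : m_command(L"/unhide")
{
    m_targetId = 0;
}

CommandUnhide::~CommandUnhide()
{
}

bool CommandUnhide::CompareCommand(std::wstring& command)
{
    return (command == m_command);
}

// Arguments: object kind, then "all" or a positive decimal rule id.
void CommandUnhide::LoadArgs(Arguments& args, CommandModeType mode)
{
    wstring object, target;

    if (!args.GetNext(object))
        throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #1 for command 'unhide'");

    if (!args.GetNext(target))
        throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #2 for command 'unhide'");

    if (object == L"file")
        m_hideType = EObjTypes::TypeFile;
    else if (object == L"dir")
        m_hideType = EObjTypes::TypeDir;
    else if (object == L"regkey")
        m_hideType = EObjTypes::TypeRegKey;
    else if (object == L"regval")
        m_hideType = EObjTypes::TypeRegVal;
    else
        throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid argument for command 'unhide'");

    m_targetAll = (target == L"all");
    if (!m_targetAll)
    {
        // Whole-string parse: _wtoll() accepted "12abc" as 12 and "-5" as a valid id.
        // m_targetId's type is declared in Hide.h, outside this listing.
        wchar_t* end = nullptr;
        unsigned long long id = wcstoull(target.c_str(), &end, 10);
        if (target.empty() || target[0] == L'-' || *end != L'\0' || id == 0)
            throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid target objid for command 'unhide'");

        m_targetId = id;
    }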
207 | } 208 | 209 | void CommandUnhide::PerformCommand(Connection& connection) 210 | { 211 | HidStatus status; 212 | 213 | if (m_targetAll) 214 | { 215 | switch (m_hideType) 216 | { 217 | case EObjTypes::TypeFile: 218 | status = Hid_RemoveAllHiddenFiles(connection.GetContext()); 219 | break; 220 | case EObjTypes::TypeDir: 221 | status = Hid_RemoveAllHiddenDirs(connection.GetContext()); 222 | break; 223 | case EObjTypes::TypeRegKey: 224 | status = Hid_RemoveAllHiddenRegKeys(connection.GetContext()); 225 | break; 226 | case EObjTypes::TypeRegVal: 227 | status = Hid_RemoveAllHiddenRegValues(connection.GetContext()); 228 | break; 229 | default: 230 | throw WException(ERROR_UNKNOWN_COMPONENT, L"Internal error #1, invalid type for command 'unhide'"); 231 | } 232 | } 233 | else 234 | { 235 | switch (m_hideType) 236 | { 237 | case EObjTypes::TypeFile: 238 | status = Hid_RemoveHiddenFile(connection.GetContext(), m_targetId); 239 | break; 240 | case EObjTypes::TypeDir: 241 | status = Hid_RemoveHiddenDir(connection.GetContext(), m_targetId); 242 | break; 243 | case EObjTypes::TypeRegKey: 244 | status = Hid_RemoveHiddenRegKey(connection.GetContext(), m_targetId); 245 | break; 246 | case EObjTypes::TypeRegVal: 247 | status = Hid_RemoveHiddenRegValue(connection.GetContext(), m_targetId); 248 | break; 249 | default: 250 | throw WException(ERROR_UNKNOWN_COMPONENT, L"Internal error #2, invalid type for command 'unhide'"); 251 | } 252 | } 253 | 254 | if (!HID_STATUS_SUCCESSFUL(status)) 255 | throw WException(HID_STATUS_CODE(status), L"Error, command 'unhide' rejected"); 256 | 257 | g_stderr << L"Command 'unhide' successful" << endl; 258 | } 259 | 260 | CommandPtr CommandUnhide::CreateInstance() 261 | { 262 | return CommandPtr(new CommandUnhide()); 263 | } 264 | -------------------------------------------------------------------------------- /hidden-master/HiddenCLI/Hide.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 
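#include "Commands.h"

// '/hide': registers one filesystem or registry object to be hidden by the
// driver, either immediately (PerformCommand) or persistently through the
// driver's registry configuration (InstallCommand/UninstallCommand).
class CommandHide : public ICommand
{
	const wchar_t* m_command = nullptr;   // keyword CompareCommand matches against

	EObjTypes m_hideType;                 // file / dir / regkey / regval, set by LoadArgs
	HidRegRootTypes m_regRootType;        // registry root; only meaningful for regkey/regval
	std::wstring m_path;                  // target path; root prefix already removed for registry targets

	// Splits "<root>\<path>" into the returned root type and the remaining path.
	HidRegRootTypes GetTypeAndNormalizeRegPath(std::wstring& regPath);

public:

	CommandHide();
	virtual ~CommandHide();

	virtual bool CompareCommand(std::wstring& command);
	virtual void LoadArgs(Arguments& args, CommandModeType mode);
	virtual void PerformCommand(Connection& connection);
	virtual void InstallCommand(RegistryKey& configKey);
	virtual void UninstallCommand(RegistryKey& configKey);

	virtual CommandPtr CreateInstance();
};

// '/unhide': removes one hide rule by id, or all rules of one object type.
// Execute mode only (no Install/Uninstall overrides).
class CommandUnhide : public ICommand
{
	const wchar_t* m_command = nullptr;   // keyword CompareCommand matches against

	EObjTypes m_hideType;                 // rule table to act on, set by LoadArgs
	HidObjId m_targetId;                  // rule id; unused when m_targetAll is set
	bool m_targetAll;                     // true for "/unhide <type> all"

public:

	CommandUnhide();
	virtual ~CommandUnhide();

	virtual bool CompareCommand(std::wstring& command);
	virtual void LoadArgs(Arguments& args, CommandModeType mode);
	virtual void PerformCommand(Connection& connection);

	virtual CommandPtr CreateInstance();
};

-------------------------------------------------------------------------------- /hidden-master/HiddenCLI/Ignore.cpp: --------------------------------------------------------------------------------
#include "Ignore.h"
#include  // NOTE(review): the system header name did not survive extraction

using namespace std;

// =================

CommandIgnore::CommandIgnore() : m_command(L"/ignore")
{
}

CommandIgnore::~CommandIgnore()
{
}

// True when the argument is exactly the "/ignore" keyword.
bool CommandIgnore::CompareCommand(std::wstring& command)
{
	return (command == m_command);
}

// Parses "<object> [inherit:...] [apply:...] <target>" for '/ignore'.
//
// <object> is "image" (<target> is an image path) or "pid" (<target> is a live
// process id). The optional inherit:/apply: options sit between <object> and
// <target>; apply: is only consulted for image rules in execute mode.
//
// Fix: the earlier check `if (!CommandModeType::Execute)` tested the enum
// constant rather than `mode`, so "pid" was accepted in install mode although
// InstallCommand only knows how to persist m_targetImage, which a pid rule never
// sets. The check now mirrors CommandUnignore::LoadArgs.
//
// @throws WException(ERROR_INVALID_PARAMETER) on a missing argument, an unknown
//         object type, "pid" outside execute mode, or a pid that does not parse
//         to a non-zero number.
void CommandIgnore::LoadArgs(Arguments& args, CommandModeType mode)
{
	wstring object, target;

	if (!args.GetNext(object))
		throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #1 for command 'ignore'");

	if (object == L"image")
	{
		m_procType = EProcTypes::TypeImage;
	}
	else if (object == L"pid")
	{
		if (mode != CommandModeType::Execute)
			throw WException(ERROR_INVALID_PARAMETER, L"Error, target 'pid' isn't allowed");

		m_procType = EProcTypes::TypeProcessId;
	}
	else
	{
		throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid object type in command 'ignore'");
	}

	m_inheritType = LoadInheritOption(args, HidPsInheritTypes::WithoutInherit);

	m_applyByDefault = false;
	if (m_procType == EProcTypes::TypeImage && mode == CommandModeType::Execute)
		m_applyByDefault = LoadApplyOption(args, m_applyByDefault);

	if (!args.GetNext(target))
		throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #2 for command 'ignore'");

	if (m_procType == EProcTypes::TypeImage)
	{
		m_targetImage = target;
	}
	else
	{
		// _wtol() returns 0 for non-numeric text; 0 is treated as invalid.
		m_targetProcId = _wtol(target.c_str());
		if (!m_targetProcId)
			throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid target pid for command 'ignore'");
	}
}

// Applies the ignore rule: attaches the excluded state to a live process, or
// adds an image rule and prints its id. The "ruleid:" line is only printed for
// image rules; a pid attach has no rule id.
//
// @throws WException(ERROR_UNKNOWN_COMPONENT) on an unknown m_procType.
// @throws WException(<driver status code>) when the driver rejects the request.
void CommandIgnore::PerformCommand(Connection& connection)
{
	HidStatus status;
	HidObjId objId = 0;

	switch (m_procType)
	{
	case EProcTypes::TypeProcessId:
		status = Hid_AttachExcludedState(connection.GetContext(), m_targetProcId, m_inheritType);
		break;
	case EProcTypes::TypeImage:
		status = Hid_AddExcludedImage(connection.GetContext(), m_targetImage.c_str(), m_inheritType, m_applyByDefault, &objId);
		break;
	default:
		throw WException(ERROR_UNKNOWN_COMPONENT, L"Internal error, invalid type for command 'ignore'");
	}

	if (!HID_STATUS_SUCCESSFUL(status))
		throw WException(HID_STATUS_CODE(status), L"Error, command 'ignore' rejected");

	g_stderr << L"Command 'ignore' successful" << endl;
	if (m_procType == EProcTypes::TypeImage)
		g_stdout << L"ruleid:" << objId << endl;
}

// Persists an image rule as "<normalised path>;<inherit type>" appended to the
// Hid_IgnoredImages multi-string value under configKey.
//
// @throws WException(<status code>) when path normalisation fails.
void CommandIgnore::InstallCommand(RegistryKey& configKey)
{
	vector<wstring> commands;
	wstring entry;
	HidStatus status;

	// NUL-filled output buffer sized for the path plus normalisation slack.
	wstring normalized(m_targetImage.size() + HID_NORMALIZATION_OVERHEAD, L'\0');

	status = Hid_NormalizeFilePath(m_targetImage.c_str(), &normalized[0], normalized.size());
	if (!HID_STATUS_SUCCESSFUL(status))
		throw WException(HID_STATUS_CODE(status), L"Error, can't normalize path, 'ignore' rejected");

	// c_str() cuts at the first NUL so the padding is not stored.
	entry += normalized.c_str();
	entry += L";";
	entry += ConvertInheritTypeToUnicode(m_inheritType);

	configKey.GetMultiStrValue(L"Hid_IgnoredImages", commands);
	commands.push_back(entry);
	configKey.SetMultiStrValue(L"Hid_IgnoredImages", commands);

	g_stderr << L"Install 'ignore' successful" << endl;
}

// Drops the whole Hid_IgnoredImages value; errors propagate from RemoveValue.
void CommandIgnore::UninstallCommand(RegistryKey& configKey)
{
	configKey.RemoveValue(L"Hid_IgnoredImages");

	g_stderr << L"Uninstall 'ignore' successful" << endl;
}

// Factory used by the command registry to get a fresh, argument-less instance.
CommandPtr CommandIgnore::CreateInstance()
{
	return CommandPtr(new CommandIgnore());
}

// =================

CommandUnignore::CommandUnignore() : m_command(L"/unignore")
{
}

CommandUnignore::~CommandUnignore()
{
}

// True when the argument is exactly the "/unignore" keyword.
bool CommandUnignore::CompareCommand(std::wstring& command)
{
	return (command == m_command);
}

// Parses "pid <pid>" | "all" | "<ruleid>" for '/unignore'. Only execute mode is
// accepted: the command acts on live driver state and has no install form.
//
// Fix: the "pid" branch reported "invalid target ruleid" for a bad pid; it now
// names the argument it actually rejected.
//
// @throws WException(ERROR_INVALID_PARAMETER) outside execute mode, on a
//         missing argument, or on a pid/rule id that does not parse to a
//         non-zero number.
void CommandUnignore::LoadArgs(Arguments& args, CommandModeType mode)
{
	wstring object, target;

	if (mode != CommandModeType::Execute)
		throw WException(ERROR_INVALID_PARAMETER, L"Error, install/uninstall mode isn't supported for this command");

	if (!args.GetNext(object))
		throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #1 for command 'unignore'");

	if (object == L"pid")
	{
		m_targetType = ETargetIdType::ProcId;

		if (!args.GetNext(target))
			throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #2 for command 'unignore'");

		m_targetProcId = _wtol(target.c_str());
		if (!m_targetProcId)
			throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid target pid for command 'unignore'");
	}
	else if (object == L"all")
	{
		m_targetType = ETargetIdType::All;
	}
	else
	{
		// Anything else is taken to be a rule id as printed by '/ignore image'.
		m_targetType = ETargetIdType::RuleId;

		m_targetId = _wtoll(object.c_str());
		if (!m_targetId)
			throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid target ruleid for command 'unignore'");
	}
}

// Removes all image rules, detaches the excluded state from one process, or
// removes one image rule, according to m_targetType.
//
// @throws WException(ERROR_UNKNOWN_COMPONENT) on an unknown m_targetType.
// @throws WException(<driver status code>) when the driver rejects the request.
void CommandUnignore::PerformCommand(Connection& connection)
{
	HidStatus status;

	switch (m_targetType)
	{
	case ETargetIdType::All:
		status = Hid_RemoveAllExcludedImages(connection.GetContext());
		break;
	case ETargetIdType::ProcId:
		status = Hid_RemoveExcludedState(connection.GetContext(), m_targetProcId);
		break;
	case ETargetIdType::RuleId:
		status = Hid_RemoveExcludedImage(connection.GetContext(), m_targetId);
		break;
	default:
		throw WException(ERROR_UNKNOWN_COMPONENT, L"Internal error, invalid type for command 'unignore'");
	}

	if (!HID_STATUS_SUCCESSFUL(status))
		throw WException(HID_STATUS_CODE(status), L"Error, command 'unignore' rejected");

	g_stderr << L"Command 'unignore' successful" << endl;
}

// Factory used by the command registry to get a fresh, argument-less instance.
CommandPtr CommandUnignore::CreateInstance()
{
	return CommandPtr(new CommandUnignore());
}

-------------------------------------------------------------------------------- /hidden-master/HiddenCLI/Ignore.h: --------------------------------------------------------------------------------
#pragma once

#include "Commands.h"

// '/ignore': lets a process (by image path rule or by live pid) see the objects
// the driver hides. Image rules can also be persisted in the registry config.
class CommandIgnore : public ICommand
{
	const wchar_t* 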
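m_command = nullptr;   // keyword CompareCommand matches against

	EProcTypes m_procType;                // image rule or live pid, set by LoadArgs
	std::wstring m_targetImage;           // image path; only set for image rules
	HidProcId m_targetProcId;             // process id; only set for pid targets
	HidPsInheritTypes m_inheritType;      // from the optional inherit: option
	bool m_applyByDefault;                // from the optional apply: option (image rules, execute mode)

public:

	CommandIgnore();
	virtual ~CommandIgnore();

	virtual bool CompareCommand(std::wstring& command);
	virtual void LoadArgs(Arguments& args, CommandModeType mode);
	virtual void PerformCommand(Connection& connection);
	virtual void InstallCommand(RegistryKey& configKey);
	virtual void UninstallCommand(RegistryKey& configKey);

	virtual CommandPtr CreateInstance();
};

// '/unignore': removes one image rule, all image rules, or the excluded state
// of one live process. Execute mode only (no Install/Uninstall overrides).
class CommandUnignore : public ICommand
{
	const wchar_t* m_command = nullptr;   // keyword CompareCommand matches against

	// What the single positional argument denotes.
	enum ETargetIdType {
		RuleId,   // "<ruleid>"
		ProcId,   // "pid <pid>"
		All       // "all"
	};

	ETargetIdType m_targetType;
	HidProcId m_targetProcId;             // valid when m_targetType == ProcId
	HidObjId m_targetId;                  // valid when m_targetType == RuleId

public:

	CommandUnignore();
	virtual ~CommandUnignore();

	virtual bool CompareCommand(std::wstring& command);
	virtual void LoadArgs(Arguments& args, CommandModeType mode);
	virtual void PerformCommand(Connection& connection);

	virtual CommandPtr CreateInstance();
};

-------------------------------------------------------------------------------- /hidden-master/HiddenCLI/Protect.cpp: --------------------------------------------------------------------------------
#include "Protect.h"
#include  // NOTE(review): the system header name did not survive extraction

using namespace std;

// =================

CommandProtect::CommandProtect() : m_command(L"/protect")
{
}

CommandProtect::~CommandProtect()
{
}

// True when the argument is exactly the "/protect" keyword.
bool CommandProtect::CompareCommand(std::wstring& command)
{
	return (command == m_command);
}

// Parses "<object> [inherit:...] [apply:...] <target>" for '/protect'.
//
// <object> is "image" (<target> is an image path) or "pid" (<target> is a live
// process id). The optional inherit:/apply: options sit between <object> and
// <target>; apply: is only consulted for image rules in execute mode.
//
// Fix: the earlier check `if (!CommandModeType::Execute)` tested the enum
// constant rather than `mode`, so "pid" was accepted in install mode although
// InstallCommand only knows how to persist m_targetImage, which a pid rule never
// sets. The check now mirrors CommandUnprotect::LoadArgs.
//
// @throws WException(ERROR_INVALID_PARAMETER) on a missing argument, an unknown
//         object type, "pid" outside execute mode, or a pid that does not parse
//         to a non-zero number.
void CommandProtect::LoadArgs(Arguments& args, CommandModeType mode)
{
	wstring object, target;

	if (!args.GetNext(object))
		throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #1 for command 'protect'");

	if (object == L"image")
	{
		m_procType = EProcTypes::TypeImage;
	}
	else if (object == L"pid")
	{
		if (mode != CommandModeType::Execute)
			throw WException(ERROR_INVALID_PARAMETER, L"Error, target 'pid' isn't allowed");

		m_procType = EProcTypes::TypeProcessId;
	}
	else
	{
		throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid object type in command 'protect'");
	}

	m_inheritType = LoadInheritOption(args, HidPsInheritTypes::WithoutInherit);

	m_applyByDefault = false;
	if (m_procType == EProcTypes::TypeImage && mode == CommandModeType::Execute)
		m_applyByDefault = LoadApplyOption(args, m_applyByDefault);

	if (!args.GetNext(target))
		throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #2 for command 'protect'");

	if (m_procType == EProcTypes::TypeImage)
	{
		m_targetImage = target;
	}
	else
	{
		// _wtol() returns 0 for non-numeric text; 0 is treated as invalid.
		m_targetProcId = _wtol(target.c_str());
		if (!m_targetProcId)
			throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid target pid for command 'protect'");
	}
}

// Applies the protect rule: attaches the protected state to a live process, or
// adds an image rule and prints its id. Note the machine-readable line here is
// "status:ok;ruleid:<id>", whereas 'ignore' prints "ruleid:<id>"; both are kept
// as they are because callers may parse them.
//
// @throws WException(ERROR_UNKNOWN_COMPONENT) on an unknown m_procType.
// @throws WException(<driver status code>) when the driver rejects the request.
void CommandProtect::PerformCommand(Connection& connection)
{
	HidStatus status;
	HidObjId objId = 0;   // initialised like 'ignore' does; never print an indeterminate id

	switch (m_procType)
	{
	case EProcTypes::TypeProcessId:
		status = Hid_AttachProtectedState(connection.GetContext(), m_targetProcId, m_inheritType);
		break;
	case EProcTypes::TypeImage:
		status = Hid_AddProtectedImage(connection.GetContext(), m_targetImage.c_str(), m_inheritType, m_applyByDefault, &objId);
		break;
	default:
		throw WException(ERROR_UNKNOWN_COMPONENT, L"Internal error, invalid type for command 'protect'");
	}

	if (!HID_STATUS_SUCCESSFUL(status))
		throw WException(HID_STATUS_CODE(status), L"Error, command 'protect' rejected");

	g_stderr << L"Command 'protect' successful" << endl;
	if (m_procType == EProcTypes::TypeImage)
		g_stdout << L"status:ok;ruleid:" << objId << endl;
}

// Persists an image rule as "<normalised path>;<inherit type>" appended to the
// Hid_ProtectedImages multi-string value under configKey.
//
// @throws WException(<status code>) when path normalisation fails.
void CommandProtect::InstallCommand(RegistryKey& configKey)
{
	vector<wstring> commands;
	wstring entry;
	HidStatus status;

	// NUL-filled output buffer sized for the path plus normalisation slack.
	wstring normalized(m_targetImage.size() + HID_NORMALIZATION_OVERHEAD, L'\0');

	status = Hid_NormalizeFilePath(m_targetImage.c_str(), &normalized[0], normalized.size());
	if (!HID_STATUS_SUCCESSFUL(status))
		throw WException(HID_STATUS_CODE(status), L"Error, can't normalize path, 'protect' rejected");

	// c_str() cuts at the first NUL so the padding is not stored.
	entry += normalized.c_str();
	entry += L";";
	entry += ConvertInheritTypeToUnicode(m_inheritType);

	configKey.GetMultiStrValue(L"Hid_ProtectedImages", commands);
	commands.push_back(entry);
	configKey.SetMultiStrValue(L"Hid_ProtectedImages", commands);

	g_stderr << L"Install 'protect' successful" << endl;
}

// Drops the whole Hid_ProtectedImages value; errors propagate from RemoveValue.
void CommandProtect::UninstallCommand(RegistryKey& configKey)
{
	configKey.RemoveValue(L"Hid_ProtectedImages");

	g_stderr << L"Uninstall 'protect' successful" << endl;
}

// Factory used by the command registry to get a fresh, argument-less instance.
CommandPtr CommandProtect::CreateInstance()
{
	return CommandPtr(new CommandProtect());
}

// =================

CommandUnprotect::CommandUnprotect() : m_command(L"/unprotect")
{
}

CommandUnprotect::~CommandUnprotect()
{
}

// True when the argument is exactly the "/unprotect" keyword.
bool CommandUnprotect::CompareCommand(std::wstring& command)
{
	return (command == m_command);
}

// Parses "pid <pid>" | "all" | "<ruleid>" for '/unprotect'. Only execute mode is
// accepted: the command acts on live driver state and has no install form.
//
// Fix: the "pid" branch reported "invalid target ruleid" for a bad pid; it now
// names the argument it actually rejected.
//
// @throws WException(ERROR_INVALID_PARAMETER) outside execute mode, on a
//         missing argument, or on a pid/rule id that does not parse to a
//         non-zero number.
void CommandUnprotect::LoadArgs(Arguments& args, CommandModeType mode)
{
	wstring object, target;

	if (mode != CommandModeType::Execute)
		throw WException(ERROR_INVALID_PARAMETER, L"Error, install/uninstall mode isn't supported for this command");

	if (!args.GetNext(object))
		throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #1 for command 'unprotect'");

	if (object == L"pid")
	{
		m_targetType = ETargetIdType::ProcId;

		if (!args.GetNext(target))
			throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #2 for command 'unprotect'");

		m_targetProcId = _wtol(target.c_str());
		if (!m_targetProcId)
			throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid target pid for command 'unprotect'");
	}
	else if (object == L"all")
	{
		m_targetType = ETargetIdType::All;
	}
	else
	{
		// Anything else is taken to be a rule id as printed by '/protect image'.
		m_targetType = ETargetIdType::RuleId;

		m_targetId = _wtoll(object.c_str());
		if (!m_targetId)
			throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid target ruleid for command 'unprotect'");
	}
}

// Removes all image rules, detaches the protected state from one process, or
// removes one image rule, according to m_targetType.
//
// @throws WException(ERROR_UNKNOWN_COMPONENT) on an unknown m_targetType.
// @throws WException(<driver status code>) when the driver rejects the request.
void CommandUnprotect::PerformCommand(Connection& connection)
{
	HidStatus status;

	switch (m_targetType)
	{
	case ETargetIdType::All:
		status = Hid_RemoveAllProtectedImages(connection.GetContext());
		break;
	case ETargetIdType::ProcId:
		status = Hid_RemoveProtectedState(connection.GetContext(), m_targetProcId);
		break;
	case ETargetIdType::RuleId:
		status = Hid_RemoveProtectedImage(connection.GetContext(), m_targetId);
		break;
	default:
		throw WException(ERROR_UNKNOWN_COMPONENT, L"Internal error, invalid type for command 'unprotect'");
	}

	if (!HID_STATUS_SUCCESSFUL(status))
		throw WException(HID_STATUS_CODE(status), L"Error, command 'unprotect' rejected");

	g_stderr << L"Command 'unprotect' successful" << endl;
}

// Factory used by the command registry to get a fresh, argument-less instance.
CommandPtr CommandUnprotect::CreateInstance()
{
	return CommandPtr(new CommandUnprotect());
}

-------------------------------------------------------------------------------- /hidden-master/HiddenCLI/Protect.h: --------------------------------------------------------------------------------
#pragma once

#include "Commands.h"
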
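// '/protect': marks a process (by image path rule or by live pid) as protected
// by the driver. Image rules can also be persisted in the registry config.
class CommandProtect : public ICommand
{
	const wchar_t* m_command = nullptr;   // keyword CompareCommand matches against

	EProcTypes m_procType;                // image rule or live pid, set by LoadArgs
	std::wstring m_targetImage;           // image path; only set for image rules
	HidProcId m_targetProcId;             // process id; only set for pid targets
	HidPsInheritTypes m_inheritType;      // from the optional inherit: option
	bool m_applyByDefault;                // from the optional apply: option (image rules, execute mode)

public:

	CommandProtect();
	virtual ~CommandProtect();

	virtual bool CompareCommand(std::wstring& command);
	virtual void LoadArgs(Arguments& args, CommandModeType mode);
	virtual void PerformCommand(Connection& connection);
	virtual void InstallCommand(RegistryKey& configKey);
	virtual void UninstallCommand(RegistryKey& configKey);

	virtual CommandPtr CreateInstance();
};

// '/unprotect': removes one image rule, all image rules, or the protected state
// of one live process. Execute mode only (no Install/Uninstall overrides).
class CommandUnprotect : public ICommand
{
	const wchar_t* m_command = nullptr;   // keyword CompareCommand matches against

	// What the single positional argument denotes.
	enum ETargetIdType {
		RuleId,   // "<ruleid>"
		ProcId,   // "pid <pid>"
		All       // "all"
	};

	ETargetIdType m_targetType;
	HidProcId m_targetProcId;             // valid when m_targetType == ProcId
	HidObjId m_targetId;                  // valid when m_targetType == RuleId

public:

	CommandUnprotect();
	virtual ~CommandUnprotect();

	virtual bool CompareCommand(std::wstring& command);
	virtual void LoadArgs(Arguments& args, CommandModeType mode);
	virtual void PerformCommand(Connection& connection);

	virtual CommandPtr CreateInstance();
};

-------------------------------------------------------------------------------- /hidden-master/HiddenCLI/Query.cpp: --------------------------------------------------------------------------------
#include "Query.h"
#include  // NOTE(review): the system header name did not survive extraction

using namespace std;

CommandQuery::CommandQuery() : m_command(L"/query")
{
}

CommandQuery::~CommandQuery()
{
}

// True when the argument is exactly the "/query" keyword.
bool CommandQuery::CompareCommand(std::wstring& command)
{
	return (command == m_command);
}

// Parses "process <pid>" | "state" for '/query'. mode is unused: '/query' has
// no install form.
//
// @throws WException(ERROR_INVALID_PARAMETER) on a missing argument, an unknown
//         object type, or a pid that does not parse to a non-zero number.
void CommandQuery::LoadArgs(Arguments& args, CommandModeType mode)
{
	wstring object, target;

	if (!args.GetNext(object))
		throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #1 for command 'query'");

	if (object == L"process")
	{
		m_queryType = EQueryType::QueryProcess;

		if (!args.GetNext(target))
			throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #2 for command 'query'");

		// _wtol() returns 0 for non-numeric text; 0 is treated as invalid.
		m_targetProcId = _wtol(target.c_str());
		if (!m_targetProcId)
			throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid target pid for command 'query'");
	}
	else if (object == L"state")
	{
		m_queryType = EQueryType::QueryState;
	}
	else
	{
		throw WException(ERROR_INVALID_PARAMETER, L"Error, invalid object type for command 'query'");
	}
}

// Reads either the driver's global enforcement state or the ignored/protected
// state of one process and prints both a human-readable (g_stderr) and a
// machine-readable (g_stdout) form.
//
// Machine-readable lines: "state:<0|1>" for a state query; for a process query
// "ignored:<state>,<inherit>;protected:<state>,<inherit>" with the raw enum
// values streamed as before.
//
// Previously an unknown m_queryType fell through silently; it now throws like
// the other commands' default branches.
//
// @throws WException(ERROR_UNKNOWN_COMPONENT) on an unknown m_queryType.
// @throws WException(<driver status code>) when any driver query fails.
void CommandQuery::PerformCommand(Connection& connection)
{
	HidStatus status;

	if (m_queryType == EQueryType::QueryState)
	{
		HidActiveState state;

		status = Hid_GetState(connection.GetContext(), &state);
		if (!HID_STATUS_SUCCESSFUL(status))
			throw WException(HID_STATUS_CODE(status), L"Error, query state rejected");

		const bool enabled = (state == HidActiveState::StateEnabled);
		g_stderr << L"Driver state:" << (enabled ? L"enabled" : L"disabled") << endl;
		g_stdout << L"state:" << (enabled ? 1 : 0) << endl;
	}
	else if (m_queryType == EQueryType::QueryProcess)
	{
		HidActiveState excludeState, protectedState;
		HidPsInheritTypes excludedInherit, protectedInherit;

		status = Hid_GetExcludedState(connection.GetContext(), m_targetProcId, &excludeState, &excludedInherit);
		if (!HID_STATUS_SUCCESSFUL(status))
			throw WException(HID_STATUS_CODE(status), L"Error, query ignored state rejected");

		status = Hid_GetProtectedState(connection.GetContext(), m_targetProcId, &protectedState, &protectedInherit);
		if (!HID_STATUS_SUCCESSFUL(status))
			throw WException(HID_STATUS_CODE(status), L"Error, query protected state rejected");

		const wchar_t* ignoredText = (excludeState == HidActiveState::StateEnabled ? L"true" : L"false");
		const wchar_t* protectedText = (protectedState == HidActiveState::StateEnabled ? L"true" : L"false");

		g_stderr << L"Ignored state:" << ignoredText
			<< L", inherit:" << ConvertInheritTypeToUnicode(excludedInherit) << endl;
		g_stderr << L"Protected state:" << protectedText
			<< L", inherit:" << ConvertInheritTypeToUnicode(protectedInherit) << endl;

		g_stdout << L"ignored:" << excludeState << L"," << excludedInherit
			<< L";protected:" << protectedState << L"," << protectedInherit << endl;
	}
	else
	{
		throw WException(ERROR_UNKNOWN_COMPONENT, L"Internal error, invalid type for command 'query'");
	}
}

// Factory used by the command registry to get a fresh, argument-less instance.
CommandPtr CommandQuery::CreateInstance()
{
	return CommandPtr(new CommandQuery());
}

-------------------------------------------------------------------------------- /hidden-master/HiddenCLI/Query.h: --------------------------------------------------------------------------------
#pragma once

#include "Commands.h"

// '/query': reads the driver's enforcement state or one process's
// ignored/protected state. Execute mode only (no Install/Uninstall overrides).
class CommandQuery : public ICommand
{
	enum EQueryType {
		QueryProcess,   // "process <pid>"
		QueryState,     // "state"
	};

	const wchar_t* m_command = nullptr;   // keyword CompareCommand matches against

	EQueryType m_queryType;
	HidProcId m_targetProcId;             // valid when m_queryType == QueryProcess

public:

	CommandQuery();
	virtual ~CommandQuery();

	virtual bool CompareCommand(std::wstring& command);
	virtual void LoadArgs(Arguments& args, 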
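CommandModeType mode);
	virtual void PerformCommand(Connection& connection);

	virtual CommandPtr CreateInstance();
};

-------------------------------------------------------------------------------- /hidden-master/HiddenCLI/State.cpp: --------------------------------------------------------------------------------
#include "State.h"
#include  // NOTE(review): the system header name did not survive extraction

using namespace std;

CommandState::CommandState() : m_command(L"/state")
{
}

CommandState::~CommandState()
{
}

// True when the argument is exactly the "/state" keyword.
bool CommandState::CompareCommand(std::wstring& command)
{
	return (command == m_command);
}

// Parses "on" | "off" for '/state'. mode is unused: the same syntax applies in
// execute and install mode. (The unused local `enable` of the earlier version
// is gone.)
//
// @throws WException(ERROR_INVALID_PARAMETER) on a missing argument or any value
//         other than "on"/"off".
void CommandState::LoadArgs(Arguments& args, CommandModeType mode)
{
	wstring state;

	if (!args.GetNext(state))
		throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #1 for command 'state'");

	if (state == L"on")
		m_state = true;
	else if (state == L"off")
		m_state = false;
	else
		throw WException(ERROR_INVALID_PARAMETER, L"Error, mismatched argument #2 for command 'state'");
}

// Switches the driver's enforcement on or off over the open connection.
//
// @throws WException(<driver status code>) when the driver rejects the request.
void CommandState::PerformCommand(Connection& connection)
{
	HidStatus status;
	HidActiveState wanted = (m_state ? HidActiveState::StateEnabled : HidActiveState::StateDisabled);

	status = Hid_SetState(connection.GetContext(), wanted);
	if (!HID_STATUS_SUCCESSFUL(status))
		throw WException(HID_STATUS_CODE(status), L"Error, command 'state' rejected");

	g_stderr << L"Command 'state' successful" << endl;
}

// Persists the wanted state as the Hid_State DWORD (1 = on, 0 = off) under
// configKey.
void CommandState::InstallCommand(RegistryKey& configKey)
{
	configKey.SetDwordValue(L"Hid_State", (m_state ? 1 : 0));

	g_stderr << L"Install 'state' successful" << endl;
}

// Drops the Hid_State value; errors propagate from RemoveValue.
void CommandState::UninstallCommand(RegistryKey& configKey)
{
	configKey.RemoveValue(L"Hid_State");

	g_stderr << L"Uninstall 'state' successful" << endl;
}

// Factory used by the command registry to get a fresh, argument-less instance.
CommandPtr CommandState::CreateInstance()
{
	return CommandPtr(new CommandState());
}

-------------------------------------------------------------------------------- /hidden-master/HiddenCLI/State.h: --------------------------------------------------------------------------------
#pragma once

#include "Commands.h"

// '/state': turns the driver's enforcement on or off, immediately or through the
// persisted Hid_State configuration value.
class CommandState : public ICommand
{
	const wchar_t* m_command = nullptr;   // keyword CompareCommand matches against

	bool m_state;                         // true for "on", false for "off"; set by LoadArgs

public:

	CommandState();
	virtual ~CommandState();

	virtual bool CompareCommand(std::wstring& command);
	virtual void LoadArgs(Arguments& args, CommandModeType mode);
	virtual void PerformCommand(Connection& connection);
	virtual void InstallCommand(RegistryKey& configKey);
	virtual void UninstallCommand(RegistryKey& configKey);

	virtual CommandPtr CreateInstance();
};

-------------------------------------------------------------------------------- /hidden-master/HiddenCLI/cli.txt: --------------------------------------------------------------------------------

hiddencli [mode] [connection] [perform]
hiddencli /help

mode:

By default perform current commands

/install [%driver%]
Install commands to registry without execution, driver will load them on start. If this flag is set
connection parameters shouldn't be set. Optional parameter is used for set valid registry path if
driver name is changed, by default "hidden"

/uninstall [%driver%]
Uninstall all configs from registry. 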
This flag is all-sufficient, therefore if this flag is set
no other parameters and commands should be set after

connection:

/gate <%name%>
Set specific connection gate name (driver device name)

perform:

By default perform one command per execution

/multi
Enable multiple commands per execution, just type commands one by one without any separator

/config <%path%>
Loads multiple commands from file, each command should be on a separate line

commands:

/state
Enable or disable enforcement (hiding, protecting, ignoring etc)

/query state
Get enforcement state

/hide <%path%>
Hide filesystem or registry object by path

/unhide all
Unhide all filesystem or registry objects by selected type

/unhide <%ruleid%>
Unhide all filesystem or registry object by selected type and rule ID

/ignore image [inherit:] [apply:] <%path%>
Set rule that allows to see hidden filesystem and registry objects for processes with specific image path

/unignore <%ruleid%>
Remove rule that allows to see hidden filesystem and registry objects by rule ID

/unignore all
Remove all rules that allow to see hidden filesystem and registry objects

/ignore pid [inherit:] <%pid%>
Turn on ability to see hidden filesystem and registry objects for specific process by PID

/unignore pid <%pid%>
Turn off ability to see hidden filesystem and registry objects for specific process by PID

/protect image [inherit:] [apply:] <%path%>
Set rule that allows to enable process protection for processes with specific image path

/unprotect <%ruleid%>
Remove rule that enables process protection by rule ID

/unprotect all
Remove all rules that enable process protection

/protect pid [inherit:] <%pid%>
Turn on protection for specific process by 
PID

/unprotect pid <%pid%>
Turn off protection for specific process by PID

/query process <%pid%>
Query information about the state of the process by PID

options:

inherit:none
Disable inheritance of the protected or ignored state

inherit:once
Child process will inherit the same state, but its children will not

inherit:always
Child process will inherit the same state, and its children too

apply:forall
Apply policy to existing processes and to all new processes

apply:fornew
Don't apply policy to existing processes, only to new ones
--------------------------------------------------------------------------------