#include <fltKernel.h>
#include <Ntddk.h>
#include "ExcludeList.h"
#include "RegFilter.h"
#include "FsFilter.h"
#include "PsMonitor.h"
#include "Device.h"
#include "Driver.h"
#include "Configs.h"
#include "Helper.h"
#include "KernelAnalyzer.h"
// Pool tag for every allocation made in this file (multi-character constant; pool
// tools display it byte-reversed, i.e. as "Hddn"), so the allocations are attributable.
#define DRIVER_ALLOC_TAG 'nddH'
// The driver object handed to DriverEntry; written at the very end of DriverEntry and
// not read anywhere in this file.
PDRIVER_OBJECT g_driverObject = NULL;
// Driver-wide on/off flag: written with InterlockedExchange in EnableDisableDriver,
// read in IsDriverEnabled. Any non-zero value means "enabled".
volatile LONG g_driverActive = FALSE;
// =========================================================================================
// Atomically store the new driver-wide enabled state.
// `enabled` is widened to LONG and stored as-is (no normalisation to 0/1);
// IsDriverEnabled treats any non-zero stored value as "on".
VOID EnableDisableDriver(BOOLEAN enabled)
{
	const LONG newState = (LONG)enabled;

	(void)InterlockedExchange(&g_driverActive, newState);
}
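// Report whether the driver's filtering is currently switched on.
// Returns TRUE when g_driverActive (as last set by EnableDisableDriver) is non-zero.
// The definition now carries a proper `(void)` prototype; an empty parameter list in C
// declares an unspecified-argument function and is what MSVC warns about (C4255).
BOOLEAN IsDriverEnabled(void)
{
	// One read of the volatile flag; any non-zero value counts as enabled.
	return (g_driverActive != 0) ? TRUE : FALSE;
}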
// =========================================================================================
// Ids filled in by AddHiddenRegKey / AddHiddenFile in InitializeStealthMode for the
// driver's own service key and image file. Nothing in this file reads them back.
ULONGLONG g_hiddenRegConfigId = 0;
ULONGLONG g_hiddenDriverFileId = 0;
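// When the configuration's stealth option is set, add the driver's own image file and
// its service registry key to the hidden-file / hidden-registry-key lists.
//
// DriverObject - the driver object passed to DriverEntry; its DriverSection is the
//                loader entry whose FullModuleName is the image path.
// RegistryPath - the driver's service key, as passed to DriverEntry.
//
// Returns STATUS_SUCCESS when stealth mode is off, or once both registrations have
// been attempted (a failed AddHiddenFile / AddHiddenRegKey is only logged as a warning).
// Returns STATUS_INVALID_PARAMETER when DriverSection is NULL,
// STATUS_MEMORY_NOT_ALLOCATED when the path buffer cannot be allocated, and the
// NormalizeDevicePath status when normalization fails.
NTSTATUS InitializeStealthMode(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
	PLDR_DATA_TABLE_ENTRY LdrEntry;
	UNICODE_STRING normalized;
	NTSTATUS status;

	if (!CfgGetStealthState())
		return STATUS_SUCCESS;

	LdrEntry = (PLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
	if (!LdrEntry)
	{
		// DriverSection is populated by the loader; fail cleanly instead of
		// dereferencing NULL when reading FullModuleName below.
		LogError("Error, driver object has no loader entry");
		return STATUS_INVALID_PARAMETER;
	}

	normalized.Length = 0;
	normalized.MaximumLength = LdrEntry->FullModuleName.Length + NORMALIZE_INCREAMENT;
	// ExAllocatePoolWithTag returns NULL on failure, which makes the check below
	// reachable. The previous ExAllocatePoolWithQuotaTag raises an exception on
	// failure unless POOL_QUOTA_FAIL_INSTEAD_OF_RAISE is set, so the NULL check was dead.
	normalized.Buffer = (PWCH)ExAllocatePoolWithTag(PagedPool, normalized.MaximumLength, DRIVER_ALLOC_TAG);
	if (!normalized.Buffer)
	{
		LogError("Error, can't allocate buffer");
		return STATUS_MEMORY_NOT_ALLOCATED;
	}

	status = NormalizeDevicePath(&LdrEntry->FullModuleName, &normalized);
	if (!NT_SUCCESS(status))
	{
		LogError("Error, path normalization failed with code:%08x, path:%wZ", status, &LdrEntry->FullModuleName);
		ExFreePoolWithTag(normalized.Buffer, DRIVER_ALLOC_TAG);
		return status;
	}

	status = AddHiddenFile(&normalized, &g_hiddenDriverFileId);
	if (!NT_SUCCESS(status))
		LogWarning("Error, can't hide self driver file"); // was a copy of the registry-key message

	ExFreePoolWithTag(normalized.Buffer, DRIVER_ALLOC_TAG);

	status = AddHiddenRegKey(RegistryPath, &g_hiddenRegConfigId);
	if (!NT_SUCCESS(status))
		LogWarning("Error, can't hide self registry key");

	LogTrace("Stealth mode has been activated");

	return STATUS_SUCCESS;
}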
// =========================================================================================
// Driver teardown; installed as DriverObject->DriverUnload at the end of DriverEntry.
// Subsystems are torn down in the reverse of the order DriverEntry initialised them
// (device, registry filter, FS mini-filter, process monitor, kernel analyzer).
// Configuration state is not touched here: DriverEntry already calls DestroyConfigs.
_Function_class_(DRIVER_UNLOAD)
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
	UNREFERENCED_PARAMETER(DriverObject);

	DestroyDevice();
	DestroyRegistryFilter();
	DestroyFSMiniFilter();
	DestroyPsMonitor();
	DestroyKernelAnalyzer();
}
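// Driver entry point. Initialises each subsystem in turn; a subsystem that fails to
// start is only logged and the driver still loads, so it is simply absent at runtime.
// Always returns STATUS_SUCCESS.
//
// DriverObject - the driver object supplied by the I/O manager.
// RegistryPath - the driver's service key; consumed by InitializeConfigs and
//                InitializeStealthMode. The earlier UNREFERENCED_PARAMETER(RegistryPath)
//                contradicted those uses and has been removed.
_Function_class_(DRIVER_INITIALIZE)
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
	NTSTATUS status;

	// Start enabled, then replace that with the configured state once the
	// configuration has been read.
	EnableDisableDriver(TRUE);

	status = InitializeConfigs(RegistryPath);
	if (!NT_SUCCESS(status))
		LogWarning("Error, can't initialize configs");

	EnableDisableDriver(CfgGetDriverState());

	InitializeKernelAnalyzer();

	status = InitializePsMonitor(DriverObject);
	if (!NT_SUCCESS(status))
		LogWarning("Error, object monitor haven't started");

	status = InitializeFSMiniFilter(DriverObject);
	if (!NT_SUCCESS(status))
		LogWarning("Error, file-system mini-filter haven't started");

	status = InitializeRegistryFilter(DriverObject);
	if (!NT_SUCCESS(status))
		LogWarning("Error, registry filter haven't started");

	status = InitializeDevice(DriverObject);
	if (!NT_SUCCESS(status))
		LogWarning("Error, can't create device");

	status = InitializeStealthMode(DriverObject, RegistryPath);
	if (!NT_SUCCESS(status))
		LogWarning("Error, can't activate stealth mode");

	// Every Cfg* lookup in this file happens above this line, so the configuration
	// state set up by InitializeConfigs can be released now.
	DestroyConfigs();

	DriverObject->DriverUnload = DriverUnload;
	g_driverObject = DriverObject;

	return STATUS_SUCCESS;
}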