tandasat
diff --git a/‎DisPG/DisPG.sln‎
Lines changed: 8 additions & 2 deletions b/‎DisPG/DisPG.sln‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎DisPG/DisPG/DisPG.cpp‎
Lines changed: 11 additions & 99 deletions b/‎DisPG/DisPG/DisPG.cpp‎
Lines changed: 11 additions & 99 deletions
diff --git a/‎DisPG/DisPG/DisPG.vcxproj‎
Lines changed: 0 additions & 83 deletions b/‎DisPG/DisPG/DisPG.vcxproj‎
Lines changed: 0 additions & 83 deletions
diff --git a/‎DisPG/DisPG/DisPG.vcxproj.filters‎
Lines changed: 0 additions & 6 deletions b/‎DisPG/DisPG/DisPG.vcxproj.filters‎
Lines changed: 0 additions & 6 deletions
@@ -1,12 +1,18 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Express 2013 for Windows Desktop
-VisualStudioVersion = 12.0.30110.0
+# Visual Studio 14
+VisualStudioVersion = 14.0.23107.0
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DisPG", "DisPG\DisPG.vcxproj", "{74FA6A70-EA29-4787-A49C-1F33ADCE08F7}"
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DisPGLoader", "DisPGLoader\DisPGLoader.vcxproj", "{71E81282-4D39-4A23-B1D6-953D9754E8B2}"
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{24642E83-0F96-438F-9FF2-CF067ADE394C}"
+	ProjectSection(SolutionItems) = preProject
+		NOTE.md = NOTE.md
+		README.md = README.md
+	EndProjectSection
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|x64 = Debug|x64
 
@@ -4,7 +4,6 @@
 //
 #include "stdafx.h"
 #include "util.h"
-#include "rootkit.h"
 #include "win8.h"
 #include "winX.h"
 
@@ -62,12 +61,6 @@ NTSTATUS DispgpLoadPointerVaule(
 EXTERN_C static
 NTSTATUS DispgpDisablePatchGuard();
 
-EXTERN_C static
-NTSTATUS DispgpEnableRootkitFunction();
-
-EXTERN_C static
-void DispgpDisableSigningEnforcement();
-
 EXTERN_C static
 bool DispgpIsWindows8OrGreater();
 
@@ -93,7 +86,6 @@ static ULONG64 g_KernelVersion = 0;
 // always
 static ULONG_PTR g_ExAcquireResourceSharedLite = 0;
 // ifVistaOr7
-static BOOLEAN* g_CiEnabled = nullptr;
 static POOL_TRACKER_BIG_PAGES** g_PoolBigPageTable = nullptr;
 // ifXp
 static POOL_TRACKER_BIG_PAGES_XP** g_PoolBigPageTableXp = nullptr;
@@ -107,7 +99,6 @@ static ULONG_PTR g_KiCommitThreadWait = 0;
 static ULONG_PTR g_KiAttemptFastRemovePriQueue = 0;
 static ULONG_PTR g_KeDelayExecutionThread = 0;
 static ULONG_PTR g_KeWaitForSingleObject = 0;
-static UINT32* g_CiOptions = nullptr;
 
 
 ////////////////////////////////////////////////////////////////////////////////
@@ -124,50 +115,31 @@ NTSTATUS DriverEntry(
 {
     PAGED_CODE();
 
-    //DBG_BREAK();
+    DBG_BREAK();
 
-    DBG_PRINT("[%4x:%4x] Initialize : Starting DisPG.\n",
-        PsGetCurrentProcessId(), PsGetCurrentThreadId());
+    DBG_PRINT("[%5Iu:%5Iu] Initialize : Starting DisPG.\n",
+        reinterpret_cast<ULONG_PTR>(PsGetCurrentProcessId()),
+        reinterpret_cast<ULONG_PTR>(PsGetCurrentThreadId()));
 
     auto status = DispgpInitialize(RegistryPath);
     if (!NT_SUCCESS(status))
     {
         return status;
     }
 
-    // Disable PatchGuard. This function has to be called before
-    // DispgpEnableRootkitFunction or DispgpDisableSigningEnforcement as these
-    // functions install kernel patches.
+    // Disable PatchGuard.
     status = DispgpDisablePatchGuard();
     if (!NT_SUCCESS(status))
     {
         return status;
     }
-    DBG_PRINT("[%4x:%4x] Initialize : PatchGuard has been disarmed.\n",
-        PsGetCurrentProcessId(), PsGetCurrentThreadId());
-
-    //// Enables rootkit function by installing kernel patches. The driver should
-    //// never be unloaded after this function succeeded as it installs hook code
-    //// that calls this driver.
-    //status = DispgpEnableRootkitFunction();
-    //if (!NT_SUCCESS(status))
-    //{
-    //    return status;
-    //}
-    //DBG_PRINT("[%4x:%4x] Initialize : Hiding processes has been enabled.\n",
-    //    PsGetCurrentProcessId(), PsGetCurrentThreadId());
-
-    // Disable DSE if applicable
-    if (!DispgpIsWindowsXp())
-    {
-        DispgpDisableSigningEnforcement();
-        DBG_PRINT("[%4x:%4x] Initialize : Driver Signing Enforcement has been"
-                  " disabled.\n",
-            PsGetCurrentProcessId(), PsGetCurrentThreadId());
-    }
+    DBG_PRINT("[%5Iu:%5Iu] Initialize : PatchGuard has been disarmed.\n",
+        reinterpret_cast<ULONG_PTR>(PsGetCurrentProcessId()),
+        reinterpret_cast<ULONG_PTR>(PsGetCurrentThreadId()));
 
-    DBG_PRINT("[%4x:%4x] Initialize : Enjoy freedom ;)\n",
-        PsGetCurrentProcessId(), PsGetCurrentThreadId());
+    DBG_PRINT("[%5Iu:%5Iu] Initialize : Enjoy freedom ;)\n",
+        reinterpret_cast<ULONG_PTR>(PsGetCurrentProcessId()),
+        reinterpret_cast<ULONG_PTR>(PsGetCurrentThreadId()));
     return status;
 }
 
@@ -260,7 +232,6 @@ NTSTATUS DispgpLoadSymbolAddresses(
     const SymbolSet requireSymbols[] =
     {
         { L"ntoskrnl!ExAcquireResourceSharedLite",  reinterpret_cast<void**>(&g_ExAcquireResourceSharedLite),   always, },
-        { L"ntoskrnl!g_CiEnabled",                  reinterpret_cast<void**>(&g_CiEnabled),                     ifVistaOr7, },
         { L"ntoskrnl!PoolBigPageTable",             reinterpret_cast<void**>(&g_PoolBigPageTable),              ifVistaOr7, },
         { L"ntoskrnl!PoolBigPageTable",             reinterpret_cast<void**>(&g_PoolBigPageTableXp),            ifXp, },
         { L"ntoskrnl!PoolBigPageTableSize",         reinterpret_cast<void**>(&g_PoolBigPageTableSize),          ifNot8OrGreater, },
@@ -271,7 +242,6 @@ NTSTATUS DispgpLoadSymbolAddresses(
         { L"ntoskrnl!KiAttemptFastRemovePriQueue",  reinterpret_cast<void**>(&g_KiAttemptFastRemovePriQueue),   if8OrGreater, },
         { L"ntoskrnl!KeDelayExecutionThread",       reinterpret_cast<void**>(&g_KeDelayExecutionThread),        if8OrGreater, },
         { L"ntoskrnl!KeWaitForSingleObject",        reinterpret_cast<void**>(&g_KeWaitForSingleObject),         if8OrGreater, },
-        { L"ci!g_CiOptions",                        reinterpret_cast<void**>(&g_CiOptions),                     if8OrGreater, },
     };
 
     // Load each symbol from the registry if required
@@ -391,64 +361,6 @@ NTSTATUS DispgpDisablePatchGuard()
 }
 
 
-// Enable hiding processes function
-ALLOC_TEXT(INIT, DispgpEnableRootkitFunction)
-EXTERN_C static
-NTSTATUS DispgpEnableRootkitFunction()
-{
-    PAGED_CODE();
-    auto status = STATUS_UNSUCCESSFUL;
-
-    if ((g_WindowsVersion.dwMajorVersion == 6 && g_WindowsVersion.dwMinorVersion == 3)
-     || (g_WindowsVersion.dwMajorVersion == 6 && g_WindowsVersion.dwMinorVersion == 1))
-    {
-        // For Win 8 and 7
-        status = RootkitEnableRootkit(
-            18,
-            reinterpret_cast<ULONG_PTR>(AsmNtQuerySystemInformation_Win8_1),
-            reinterpret_cast<ULONG_PTR>(AsmNtQuerySystemInformation_Win8_1End));
-    }
-    else if (g_WindowsVersion.dwMajorVersion == 6 && g_WindowsVersion.dwMinorVersion == 0)
-    {
-        // For Win Vista
-        status = RootkitEnableRootkit(
-            18,
-            reinterpret_cast<ULONG_PTR>(AsmNtQuerySystemInformation_WinVista),
-            reinterpret_cast<ULONG_PTR>(AsmNtQuerySystemInformation_WinVistaEnd));
-    }
-    else if (DispgpIsWindowsXp())
-    {
-        // For Win XP
-        status = RootkitEnableRootkit(
-            18,
-            reinterpret_cast<ULONG_PTR>(AsmNtQuerySystemInformation_WinXp),
-            reinterpret_cast<ULONG_PTR>(AsmNtQuerySystemInformation_WinXpEnd));
-    }
-    return status;
-}
-
-
-// Disable Driver Signing Enforcement. This function should never been called
-// on Win XP since it has no Driver Signing Enforcement on the platform.
-ALLOC_TEXT(INIT, DispgpDisableSigningEnforcement)
-EXTERN_C static
-void DispgpDisableSigningEnforcement()
-{
-    PAGED_CODE();
-
-    if (DispgpIsWindows8OrGreater())
-    {
-        // For Win 8.1
-        *g_CiOptions = 0;
-    }
-    else
-    {
-        // For Win 7 and Vista
-        *g_CiEnabled = FALSE;
-    }
-}
-
-
 // Return true if the platform is Win 8 or later
 ALLOC_TEXT(INIT, DispgpIsWindows8OrGreater)
 EXTERN_C static
 
@@ -1,18 +1,10 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
-    <ProjectConfiguration Include="Debug|Win32">
-      <Configuration>Debug</Configuration>
-      <Platform>Win32</Platform>
-    </ProjectConfiguration>
     <ProjectConfiguration Include="Debug|x64">
       <Configuration>Debug</Configuration>
       <Platform>x64</Platform>
     </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|Win32">
-      <Configuration>Release</Configuration>
-      <Platform>Win32</Platform>
-    </ProjectConfiguration>
     <ProjectConfiguration Include="Release|x64">
       <Configuration>Release</Configuration>
       <Platform>x64</Platform>
@@ -24,25 +16,12 @@
     <RootNamespace>DisPG</RootNamespace>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
-    <CharacterSet>NotSet</CharacterSet>
-  </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
     <CharacterSet>NotSet</CharacterSet>
   </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
-    <CharacterSet>NotSet</CharacterSet>
-  </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
@@ -53,58 +32,23 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
   </ImportGroup>
-  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
   </ImportGroup>
-  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
   </ImportGroup>
   <PropertyGroup Label="UserMacros" />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <LinkIncremental>false</LinkIncremental>
-    <TargetExt>.sys</TargetExt>
-  </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     <LinkIncremental>false</LinkIncremental>
     <TargetExt>.sys</TargetExt>
     <CodeAnalysisRuleSet>..\..\..\..\Program Files (x86)\Windows Kits\8.1\CodeAnalysis\DriverRecommendedRules.ruleset</CodeAnalysisRuleSet>
     <RunCodeAnalysis>false</RunCodeAnalysis>
   </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <LinkIncremental>false</LinkIncremental>
-    <TargetExt>.sys</TargetExt>
-  </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <LinkIncremental>false</LinkIncremental>
     <TargetExt>.sys</TargetExt>
   </PropertyGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <ClCompile>
-      <PrecompiledHeader>
-      </PrecompiledHeader>
-      <WarningLevel>Level4</WarningLevel>
-      <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <SDLCheck>true</SDLCheck>
-      <AdditionalIncludeDirectories>$(WindowsSdkDir)Include\km</AdditionalIncludeDirectories>
-      <TreatWarningAsError>false</TreatWarningAsError>
-    </ClCompile>
-    <Link>
-      <SubSystem>Native</SubSystem>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <AdditionalLibraryDirectories>$(WindowsSdkDir)Lib\winv6.3\km\$(PlatformTarget)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>ntoskrnl.lib;wdm.lib;wmilib.lib;hal.lib;bufferoverflowK.lib</AdditionalDependencies>
-      <Driver>Driver</Driver>
-      <EntryPointSymbol>GsDriverEntry@8</EntryPointSymbol>
-      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
-    </Link>
-  </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     <ClCompile>
       <PrecompiledHeader>
@@ -128,31 +72,6 @@
       <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
     </Link>
   </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <ClCompile>
-      <WarningLevel>Level4</WarningLevel>
-      <PrecompiledHeader>
-      </PrecompiledHeader>
-      <Optimization>MaxSpeed</Optimization>
-      <FunctionLevelLinking>true</FunctionLevelLinking>
-      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <SDLCheck>true</SDLCheck>
-      <AdditionalIncludeDirectories>$(WindowsSdkDir)Include\km</AdditionalIncludeDirectories>
-      <TreatWarningAsError>false</TreatWarningAsError>
-    </ClCompile>
-    <Link>
-      <SubSystem>Native</SubSystem>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <EnableCOMDATFolding>true</EnableCOMDATFolding>
-      <OptimizeReferences>true</OptimizeReferences>
-      <AdditionalLibraryDirectories>$(WindowsSdkDir)Lib\winv6.3\km\$(PlatformTarget)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>ntoskrnl.lib;wdm.lib;wmilib.lib;hal.lib;bufferoverflowK.lib</AdditionalDependencies>
-      <Driver>Driver</Driver>
-      <EntryPointSymbol>GsDriverEntry@8</EntryPointSymbol>
-      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
-    </Link>
-  </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <ClCompile>
       <WarningLevel>Level4</WarningLevel>
@@ -181,7 +100,6 @@
   <ItemGroup>
     <ClCompile Include="DisPG.cpp" />
     <ClCompile Include="exclusivity.cpp" />
-    <ClCompile Include="rootkit.cpp" />
     <ClCompile Include="stdafx.cpp" />
     <ClCompile Include="util.cpp" />
     <ClCompile Include="win8.cpp" />
@@ -193,7 +111,6 @@
     <ClInclude Include="..\..\Common\unique_resource.h" />
     <ClInclude Include="exclusivity.h" />
     <ClInclude Include="intrinsics.h" />
-    <ClInclude Include="rootkit.h" />
     <ClInclude Include="stdafx.h" />
     <ClInclude Include="util.h" />
     <ClInclude Include="win8.h" />
 
@@ -33,9 +33,6 @@
     <ClCompile Include="util.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
-    <ClCompile Include="rootkit.cpp">
-      <Filter>Source Files</Filter>
-    </ClCompile>
     <ClCompile Include="win8.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
@@ -56,9 +53,6 @@
     <ClInclude Include="util.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="rootkit.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
     <ClInclude Include="win8.h">
       <Filter>Header Files</Filter>
     </ClInclude>