Derive the device name from the service

Discussion: #92

Author: mrexodia

TitanHide/TitanHide.cpp

@@ -7,7 +7,9 @@
 #include "threadhidefromdbg.h"
 
 static UNICODE_STRING DeviceName;
+static wchar_t DeviceNameBuffer[256];
 static UNICODE_STRING Win32Device;
+static wchar_t Win32DeviceBuffer[256];
 
 static void DriverUnload(IN PDRIVER_OBJECT DriverObject)
 {
@@ -65,9 +67,44 @@ static NTSTATUS DriverWrite(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
     return RetStatus;
 }
 
-extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath)
+extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
 {
-    UNREFERENCED_PARAMETER(RegistryPath);
+    // Initialize name buffers
+    RtlInitEmptyUnicodeString(&DeviceName, DeviceNameBuffer, sizeof(DeviceNameBuffer));
+    RtlAppendUnicodeToString(&DeviceName, L"\\Device\\");
+    RtlInitEmptyUnicodeString(&Win32Device, Win32DeviceBuffer, sizeof(Win32DeviceBuffer));
+    RtlAppendUnicodeToString(&Win32Device, L"\\DosDevices\\");
+
+    // Derive the device name and symbolic link from the registry path
+    UNICODE_STRING DriverName = {};
+    if (RegistryPath != NULL && RegistryPath->Buffer != NULL)
+    {
+        for (int i = 0; i < RegistryPath->Length / sizeof(WCHAR); i++)
+        {
+            auto index = RegistryPath->Length / sizeof(WCHAR) - i - 1;
+            if (RegistryPath->Buffer[index] == L'\\')
+            {
+                index++; // skip the backslash
+                DriverName.Buffer = RegistryPath->Buffer + index;
+                DriverName.Length = (USHORT)(RegistryPath->Length - index * sizeof(WCHAR));
+                DriverName.MaximumLength = DriverName.Length;
+                break;
+            }
+        }
+    }
+
+    // Fall back to default driver name
+    if (DriverName.Length == 0)
+    {
+        RtlInitUnicodeString(&DriverName, L"TitanHide");
+    }
+
+    // Use the driver name
+    RtlAppendUnicodeStringToString(&DeviceName, &DriverName);
+    RtlAppendUnicodeStringToString(&Win32Device, &DriverName);
+    InitLog(&DriverName);
+    Log("[TITANHIDE] DriverName: %.*ws\r\n", DriverName.Length / sizeof(WCHAR), DriverName.Buffer);
+
     PDEVICE_OBJECT DeviceObject = NULL;
     NTSTATUS status;
 
@@ -103,8 +140,6 @@ extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRI
     }
 
     //create io device
-    RtlInitUnicodeString(&DeviceName, L"\\Device\\TitanHide");
-    RtlInitUnicodeString(&Win32Device, L"\\DosDevices\\TitanHide");
     status = IoCreateDevice(DriverObject,
                             0,
                             &DeviceName,

TitanHide/log.cpp

@@ -1,5 +1,18 @@
 #include "log.h"
 
+static UNICODE_STRING LogFilename;
+static wchar_t LogFilenameBuffer[256];
+
+void InitLog(const PUNICODE_STRING DriverName)
+{
+    RtlInitEmptyUnicodeString(&LogFilename, LogFilenameBuffer, sizeof(LogFilenameBuffer));
+    RtlAppendUnicodeToString(&LogFilename, L"\\DosDevices\\C:\\");
+    RtlAppendUnicodeStringToString(&LogFilename, DriverName);
+    RtlAppendUnicodeToString(&LogFilename, L".log");
+    Log("[TITANHIDE] Log file initialized: %.*ws\r\n",
+        LogFilename.Length / sizeof(WCHAR), LogFilename.Buffer);
+}
+
 void Log(const char* format, ...)
 {
     char msg[1024] = "";
@@ -12,10 +25,8 @@ void Log(const char* format, ...)
     DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, msg);
 #endif
     va_end(format);
-    UNICODE_STRING FileName;
     OBJECT_ATTRIBUTES objAttr;
-    RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\TitanHide.log");
-    InitializeObjectAttributes(&objAttr, &FileName,
+    InitializeObjectAttributes(&objAttr, &LogFilename,
                                OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                                NULL, NULL);
     if(KeGetCurrentIrql() != PASSIVE_LEVEL)

TitanHide/log.h

@@ -13,6 +13,7 @@
 #define PRINTF_ATTR(FormatIndex, FirstToCheck)
 #endif
 
+void InitLog(const PUNICODE_STRING DriverName);
 PRINTF_ATTR(1, 2) void Log(const char* format, ...);
 
 #endif