minifilter

Minifilter driver not blocking file editing

扶醉桌前 submitted on 2020-01-03 04:39:07
Question: I am trying to create a File System Filter (Minifilter) driver. For that I am following the tutorial provided here: https://www.youtube.com/watch?v=ukUf3kSSTOU In brief, in the tutorial you create a minifilter driver that stops you from writing to a file called OPENME.txt. This is the code I have: #include <fltKernel.h> #include <dontuse.h> #include <suppress.h> PFLT_FILTER FilterHandle = NULL; NTSTATUS MiniUnload(FLT_FILTER_UNLOAD_FLAGS Flags); FLT_POSTOP_CALLBACK_STATUS

minifilter vs. API Hooking for file system operations monitoring \ filtering

别等时光非礼了梦想. submitted on 2020-01-01 19:41:09
Question: I need to develop an application that monitors, and potentially filters (rejects the calls), file operations. It appears that developing a minifilter is the "standard" solution. Another potential method is using API hooks. Are these relevant solutions? (I read in some places that an API hook may not be suitable, but no explanation was given.) Are there other options? Answer 1: API hooking (at least in kernel space) is essentially not supported by Microsoft. On x64 (starting from Vista and up)

Mini-Filter intercept drag & drop file(s) to disk?

依然范特西╮ submitted on 2019-12-25 06:58:02
Question: I am developing a mini-filter to intercept files which are dragged & dropped to a specific disk and get their file names. If I drag & drop a file, I can get this file name and intercept it successfully (that means this file is not created on disk). If I drag & drop multiple files, I can only get the first file name and not the others. But when I open the disk, I don't see any file there (that means the Mini-Filter intercepted them successfully). So I can not get the file

FilterGetMessage error?

和自甴很熟 submitted on 2019-12-23 02:34:32
Question: I am writing a Windows service to communicate with a minifilter (kernel): using FltSendMessage in the minifilter and FilterGetMessage in the service. The status of FilterGetMessage is success (status = 0), but the buffer is always null. What is not correct? This is my code in the minifilter (C++): status = FltSendMessage( gFilterHandle, &gClientPort, (PVOID)FltObjects->FileObject->FileName.Buffer, FltObjects->FileObject->FileName.MaximumLength, NULL, NULL, NULL); P.S.: the above code is put in PreCreate

How to get my mini-filter driver for Windows 10 signed by Microsoft

蹲街弑〆低调 submitted on 2019-12-22 00:02:05
Question: I have created my own mini-filter driver like mini-spy (example from Windows-driver-samples). Now I've completed my driver and signed it with our own SHA-1 company certificate. But it still needs a Microsoft signature to run on Windows 10 machines. I have searched the internet for signing my driver, but it misleads me. How do I get my driver signed by Microsoft? Answer 1: Yes, the new signing system for drivers is a massive PITA that makes it very difficult to integrate with CI and properly check. It's also a mess

How to delete a file from kernel-mode?

天大地大妈咪最大 submitted on 2019-12-13 08:17:15
Question: I have a minifilter (kernel-mode). I want to delete a file with a specific path (\Device\HarddiskVolume1\file.txt or C:\file.txt) from kernel-mode. Is there any way to do that? UPDATE 20150130: I tried to use the ZwDeleteFile routine as Harry Johnston said. This is my code: RtlInitUnicodeString(&gRedirectFullFilePath, L"\\Device\\HarddiskVolume1\\test.txt"); // This file exists (RtlInitUnicodeString takes a wide-character string) InitializeObjectAttributes(&ObjectAttribute, &gRedirectFullFilePath, OBJ_CASE_INSENSITIVE, NULL, NULL); status =

Windows Filesystem Minifilter Drivers: can I monitor and prevent FS operations using them?

∥☆過路亽.° submitted on 2019-12-11 13:59:12
Question: I need to: 1. Monitor operations on certain drives/paths. 2. Prevent read and/or write operations on certain drives/paths. For example: C://Users, D: Can this be done using Windows Filesystem Minifilter Drivers? I am mostly interested in step 2. In other words, can a minifilter cancel an IRP? Answer 1: Yes, this is all possible with a filesystem mini filter driver. For #1 you don't need a mini filter driver; you could use a Win32 API like ReadDirectoryChangesW. For #2 you can not only do that but you

Installing file system minifilter from INF launched from debug

落爺英雄遲暮 submitted on 2019-12-06 08:24:02
Question: I am working on my first file system mini-filter. I am using the SwapBuffers sample project in the WDK. I have successfully compiled and deployed this project to a VM from a physical laptop, but the installation from the INF file is failing. I looked in the log file in C:\DriverTest\Logs on the target machine and found these lines: UserText="WDTF_TARGETS: Query("HardwareIDs='WDTF\NOEXIST'")" UserText="WDTF_DRIVER_SETUP_SYSTEM: CreateRootEnumeratedDevicesFromPackage()

I can't break when attaching to target machine in kernel debug mode

笑着哭i submitted on 2019-12-05 00:31:49
Question: I am starting a prototype including a Windows minifilter. I have set up my environment: a target Virtual Machine (actually 3: Windows 7, 8 and 8.1) and a host development machine (which hosts Visual Studio 2013 and Hyper-V VMs). I finally managed to deploy the test minifilter to the target machine, but my problem is: I can not break into the kernel on the target machine. When I make a build and start from the Visual Studio debugger, here is the result: -----------------------------------------------------

minifilter vs. API Hooking for file system operations monitoring \ filtering

流过昼夜 submitted on 2019-12-04 20:32:27
I need to develop an application that monitors, and potentially filters (rejects the calls), file operations. It appears that developing a minifilter is the "standard" solution. Another potential method is using API hooks. Are these relevant solutions? (I read in some places that an API hook may not be suitable, but no explanation was given.) Are there other options?

API hooking (at least in kernel space) is essentially not supported by Microsoft. On x64 (starting from Vista and up) PatchGuard will usually kill the machine if it detects SSDT hooking or any change whatsoever in critical