Have a look at https://github.com/SubconsciousCompute/fsfilter-rs
Use cargo doc --no-deps --document-private-items --open
to read Documentation
Table of Contents
- Open
VS 2022
as Administrator - Goto
minifilter-rs -> minifilter -> RWatch.sln
- Build solution in
Debug
mode withx64
NOTE: Enable Loading of Test Signed Drivers by executing Bcdedit.exe -set TESTSIGNING ON
in administrative cmd
- Open Powershell or command prompt as Administrator
RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 <path-to>\minifilter-rs\minifilter\x64\Debug\FsFilter.inf
You should be able to see the driver at "C:\Windows\System32\drivers\FsFilter.sys"
- Open Powershell or command prompt as Administrator
- Start the driver using
sc start FSFilter
, expected output:SERVICE_NAME: FSFilter TYPE : 2 FILE_SYSTEM_DRIVER STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 0 FLAGS :
- Stop the driver using
sc stop FSFilter
, should give the following output:SERVICE_NAME: FSFilter TYPE : 2 FILE_SYSTEM_DRIVER STATE : 1 STOPPED WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
- Remove it by
sc delete FSFilter
, should give the following output:[SC] DeleteService SUCCESS
You can also run Fltmc.exe
to see the currently loaded drivers:
Filter Name Num Instances Altitude Frame
------------------------------ ------------- ------------ -----
bindflt 1 409800 0
FSFilter 4 378781 0 // our minifilter driver
WdFilter 5 328010 0
storqosflt 0 244000 0
wcifs 0 189900 0
CldFlt 0 180451 0
FileCrypt 0 141100 0
luafv 1 135000 0
npsvctrig 1 46000 0
Wof 3 40700 0
FileInfo 5 40500 0
Simply use cargo build --release
to build the application
Use cargo run --bin minifilter --release
to run the application
The program starts to print the IOMessage
which is defined like:
#[repr(C)]
pub struct IOMessage {
pub extension: [wchar_t; 12],
pub file_id_vsn: c_ulonglong,
pub file_id_id: [u8; 16],
pub mem_sized_used: c_ulonglong,
pub entropy: f64,
pub pid: c_ulong,
pub irp_op: c_uchar,
pub is_entropy_calc: u8,
pub file_change: c_uchar,
pub file_location_info: c_uchar,
pub filepathstr: String,
pub gid: c_ulonglong,
pub runtime_features: RuntimeFeatures,
pub file_size: i64,
}
We end the process using ctrl + c
in the example video:
- Might fail if not ran with administrative privileges
- You need to load and start the driver before running the program or else it will error out
We basically share definition between the mini-filter and Rust using #[repr(C)]