A minifilter driver written for the annual challenge at college.
This minifilter tries to identify malicious processes by validating rules against every IRP sent to the file system.
Files that were not written by me:
"uthash.h" and "utlist.h" from troydhanson/uthash, with the necessary kernel-space modifications made by me.
A minifilter, or any other file system filter driver, intercepts and modifies requests directed at a file system or at another filter driver. By intercepting these requests before they reach their intended destination, the filter driver can enhance or replace the functionality provided by the original target. Minifilters plug into the Windows Filter Manager, which dispatches the intercepted operations to them.
Example macro architecture of file system drivers:
| Name | Reason |
|---|---|
| Microsoft Visual Studio Build Tools for C++ | To develop and build C++ code; install the "Desktop development with C++" workload |
| Windows SDK | The WDK needs a matching version of the Windows SDK |
| Windows Driver Kit (WDK) | The base kit for developing a driver |
| (optional) LLVM and Clang | In the Rust version of the driver, LLVM is needed to generate bindings for the Windows Driver API (bindgen) |
- Open "MinifilterSOTA.sln" with Visual Studio and click "Build Solution".
- The default output directory is "x64\Debug\MinifilterSOTA".
| Name | Reason |
|---|---|
| Disable Secure Boot | So that Windows accepts self-signed drivers |
| Enable Driver Testing Mode | So that Windows accepts self-signed drivers |
| (optional) Sysinternals DebugView | To see kernel debug messages |
- Deploy the three files from the release page (or the ones you built) to the target machine.
- Right-click "MinifilterSOTA.inf" and choose "Install". Alternatively, run the following from an elevated PowerShell:

```
pnputil -i -a "<path>/MinifilterSOTA.inf"
```

- Click "Install" in the window that pops up.
- Reboot your system.
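The deployment steps above as one elevated PowerShell script, added here as an example and not part of the MinifilterSOTA project: it checks the two prerequisites from the table (Secure Boot off, test signing on), installs the package, and after the reboot confirms that Filter Manager actually loaded the filter. It assumes the three release files are in `$PackageDir` and that the filter registers under the service name "MinifilterSOTA" (taken from the .inf name; adjust if the driver uses another name).

```powershell
# Added example, not project code. Run from an elevated PowerShell.
# Assumptions: release files in $PackageDir; filter service name equals the .inf name.
param(
    [string]$PackageDir = "C:\MinifilterSOTA",
    [string]$FilterName = "MinifilterSOTA"
)

$ErrorActionPreference = "Stop"
$inf = Join-Path $PackageDir "$FilterName.inf"

# 1. Prerequisites: Secure Boot must be off and test signing must be on,
#    otherwise the self-signed driver is rejected at load time.
try {
    if (Confirm-SecureBootUEFI) {
        throw "Secure Boot is enabled; the self-signed driver will be rejected."
    }
} catch [System.PlatformNotSupportedException] {
    Write-Host "No UEFI Secure Boot on this machine, continuing."
}
$testsigning = bcdedit /enum "{current}" | Select-String -Pattern "^testsigning\s+Yes"
if (-not $testsigning) {
    throw "Test signing is off. Run 'bcdedit /set testsigning on' and reboot first."
}

# 2. Install the driver package (same as right-click -> Install on the .inf).
if (-not (Test-Path $inf)) { throw "Driver package not found: $inf" }
pnputil -i -a $inf
# 3010 means the install succeeded but a reboot is still required.
if ($LASTEXITCODE -notin 0, 3010) {
    throw "pnputil failed with exit code $LASTEXITCODE"
}

# 3. Verification (run again after the reboot): is the filter attached?
$loaded = fltmc filters | Select-String -Pattern "^\s*$FilterName\b"
if ($loaded) {
    Write-Host "$FilterName is loaded:"
    $loaded
} else {
    Write-Host "$FilterName is not loaded yet. Reboot, or try: fltmc load $FilterName"
}
```

If `fltmc filters` still does not list the driver after the reboot, check DebugView for the driver's own messages before suspecting the rules.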