├── .gitignore ├── FileHide ├── FileHide.sln ├── FileHide │ ├── FileHide.inf │ ├── FileHide.rc │ ├── FileHide.vcxproj │ ├── FileHide.vcxproj.filters │ ├── autolock.h │ ├── filenameinfo.cpp │ ├── filenameinfo.h │ ├── filters.cpp │ ├── filters.h │ ├── hide.cpp │ ├── hide.h │ ├── main.cpp │ ├── main.h │ ├── mutex.cpp │ ├── mutex.h │ └── x64 │ │ └── Release │ │ ├── FileHide.inf │ │ ├── FileHide.log │ │ ├── FileHide.res │ │ ├── FileHide.sys.recipe │ │ ├── filenameinfo.obj │ │ ├── filters.obj │ │ ├── hide.obj │ │ ├── main.obj │ │ ├── mutex.obj │ │ └── vc142.pdb └── x64 │ └── Release │ ├── FileHide.cer │ ├── FileHide.inf │ ├── FileHide.pdb │ ├── FileHide.sys │ └── FileHide │ ├── FileHide.inf │ ├── FileHide.sys │ └── filehide.cat ├── LICENSE └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Compiled Object files 5 | *.slo 6 | *.lo 7 | *.o 8 | *.obj 9 | 10 | # Precompiled Headers 11 | *.gch 12 | *.pch 13 | 14 | # Compiled Dynamic libraries 15 | *.so 16 | *.dylib 17 | *.dll 18 | 19 | # Fortran module files 20 | *.mod 21 | *.smod 22 | 23 | # Compiled Static libraries 24 | *.lai 25 | *.la 26 | *.a 27 | *.lib 28 | 29 | # Executables 30 | *.exe 31 | *.out 32 | *.app 33 | -------------------------------------------------------------------------------- /FileHide/FileHide.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.34407.143 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FileHide", "FileHide\FileHide.vcxproj", "{015A0465-A906-448B-8C31-520B8F745F51}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|ARM = Debug|ARM 11 | Debug|ARM64 = Debug|ARM64 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|ARM = Release|ARM 15 | Release|ARM64 = Release|ARM64 16 | Release|x64 = Release|x64 17 | Release|x86 = Release|x86 18 | EndGlobalSection 19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 20 | {015A0465-A906-448B-8C31-520B8F745F51}.Debug|ARM.ActiveCfg = Debug|ARM 21 | {015A0465-A906-448B-8C31-520B8F745F51}.Debug|ARM.Build.0 = Debug|ARM 22 | {015A0465-A906-448B-8C31-520B8F745F51}.Debug|ARM.Deploy.0 = Debug|ARM 23 | {015A0465-A906-448B-8C31-520B8F745F51}.Debug|ARM64.ActiveCfg = Debug|ARM64 24 | {015A0465-A906-448B-8C31-520B8F745F51}.Debug|ARM64.Build.0 = Debug|ARM64 25 | {015A0465-A906-448B-8C31-520B8F745F51}.Debug|ARM64.Deploy.0 = Debug|ARM64 26 | {015A0465-A906-448B-8C31-520B8F745F51}.Debug|x64.ActiveCfg = Debug|x64 27 | {015A0465-A906-448B-8C31-520B8F745F51}.Debug|x64.Build.0 = Debug|x64 28 | {015A0465-A906-448B-8C31-520B8F745F51}.Debug|x64.Deploy.0 = Debug|x64 29 | {015A0465-A906-448B-8C31-520B8F745F51}.Debug|x86.ActiveCfg = Debug|Win32 30 | {015A0465-A906-448B-8C31-520B8F745F51}.Debug|x86.Build.0 = Debug|Win32 31 | {015A0465-A906-448B-8C31-520B8F745F51}.Debug|x86.Deploy.0 = Debug|Win32 32 | {015A0465-A906-448B-8C31-520B8F745F51}.Release|ARM.ActiveCfg = Release|ARM 33 | {015A0465-A906-448B-8C31-520B8F745F51}.Release|ARM.Build.0 = Release|ARM 34 | {015A0465-A906-448B-8C31-520B8F745F51}.Release|ARM.Deploy.0 = Release|ARM 35 | {015A0465-A906-448B-8C31-520B8F745F51}.Release|ARM64.ActiveCfg = Release|ARM64 36 | {015A0465-A906-448B-8C31-520B8F745F51}.Release|ARM64.Build.0 = Release|ARM64 37 | {015A0465-A906-448B-8C31-520B8F745F51}.Release|ARM64.Deploy.0 = Release|ARM64 38 | {015A0465-A906-448B-8C31-520B8F745F51}.Release|x64.ActiveCfg = Release|x64 39 | {015A0465-A906-448B-8C31-520B8F745F51}.Release|x64.Build.0 = Release|x64 40 | {015A0465-A906-448B-8C31-520B8F745F51}.Release|x64.Deploy.0 = Release|x64 41 | {015A0465-A906-448B-8C31-520B8F745F51}.Release|x86.ActiveCfg = Release|Win32 42 | {015A0465-A906-448B-8C31-520B8F745F51}.Release|x86.Build.0 = Release|Win32 43 | {015A0465-A906-448B-8C31-520B8F745F51}.Release|x86.Deploy.0 = Release|Win32 44 | EndGlobalSection 45 | GlobalSection(SolutionProperties) = preSolution 46 | HideSolutionNode = FALSE 47 | EndGlobalSection 48 | GlobalSection(ExtensibilityGlobals) = postSolution 49 | SolutionGuid = {56308FD9-1BEB-4CF6-92DE-2617E78772CA} 50 | EndGlobalSection 51 | EndGlobal 52 | -------------------------------------------------------------------------------- /FileHide/FileHide/FileHide.inf: -------------------------------------------------------------------------------- 1 | ;;; 2 | ;;; FileHide 3 | ;;; 4 | 5 | [Version] 6 | Signature = "$Windows NT$" 7 | ; TODO - Change the Class and ClassGuid to match the Load Order Group value, see https://msdn.microsoft.com/en-us/windows/hardware/gg462963 8 | ; Class = "ActivityMonitor" ;This is determined by the work this filter driver does 9 | ; ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value 10 | Class = "ActivityMonitor" 11 | ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} 12 | Provider = %ManufacturerName% 13 | DriverVer = 14 | CatalogFile = FileHide.cat 15 | PnpLockDown=1 16 | 17 | [DestinationDirs] 18 | DefaultDestDir = 12 19 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers 20 | 21 | ;; 22 | ;; Default install sections 23 | ;; 24 | 25 | [DefaultInstall] 26 | OptionDesc = %ServiceDescription% 27 | CopyFiles = MiniFilter.DriverFiles 28 | 29 | [DefaultInstall.Services] 30 | AddService = %ServiceName%,,MiniFilter.Service 31 | 32 | ;; 33 | ;; Default uninstall sections 34 | ;; 35 | 36 | [DefaultUninstall] 37 | DelFiles = MiniFilter.DriverFiles 38 | 39 | [DefaultUninstall.Services] 40 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting 41 | 42 | ; 43 | ; Services Section 44 | ; 45 | 46 | [MiniFilter.Service] 47 | DisplayName = %ServiceName% 48 | Description = %ServiceDescription% 49 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\ 50 | Dependencies = "FltMgr" 51 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER 52 | StartType = 3 ;SERVICE_DEMAND_START 53 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL 54 | ; TODO - Change the Load Order Group value 55 | ; LoadOrderGroup = "FSFilter Activity Monitor" 56 | LoadOrderGroup = "FSFilter Activity Monitor" 57 | AddReg = MiniFilter.AddRegistry 58 | 59 | ; 60 | ; Registry Modifications 61 | ; 62 | 63 | [MiniFilter.AddRegistry] 64 | HKR,,"DebugFlags",0x00010001 ,0x0 65 | HKR,,"SupportedFeatures",0x00010001,0x3 66 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% 67 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% 68 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% 69 | 70 | ; 71 | ; Copy Files 72 | ; 73 | 74 | [MiniFilter.DriverFiles] 75 | %DriverName%.sys 76 | 77 | [SourceDisksFiles] 78 | FileHide.sys = 1,, 79 | 80 | [SourceDisksNames] 81 | 1 = %DiskId1%,,, 82 | 83 | ;; 84 | ;; String Section 85 | ;; 86 | 87 | [Strings] 88 | ; TODO - Add your manufacturer 89 | ManufacturerName = "Template" 90 | ServiceDescription = "FileHide Mini-Filter Driver" 91 | ServiceName = "FileHide" 92 | DriverName = "FileHide" 93 | DiskId1 = "FileHide Device Installation Disk" 94 | 95 | ;Instances specific information. 96 | DefaultInstance = "FileHide Instance" 97 | Instance1.Name = "FileHide Instance" 98 | ; TODO - Change the altitude value, see https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers 99 | Instance1.Altitude = "39333" 100 | Instance1.Flags = 0x0 ; Allow all attachments 101 | -------------------------------------------------------------------------------- /FileHide/FileHide/FileHide.rc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | 5 | #define VER_FILETYPE VFT_DRV 6 | #define VER_FILESUBTYPE VFT2_DRV_SYSTEM 7 | #define VER_FILEDESCRIPTION_STR "FileHide Filter Driver" 8 | #define VER_INTERNALNAME_STR "FileHide.sys" 9 | 10 | #include "common.ver" 11 | -------------------------------------------------------------------------------- /FileHide/FileHide/FileHide.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM 23 | 24 | 25 | Release 26 | ARM 27 | 28 | 29 | Debug 30 | ARM64 31 | 32 | 33 | Release 34 | ARM64 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | {015A0465-A906-448B-8C31-520B8F745F51} 48 | {f2f62967-0815-4fd7-9b86-6eedcac766eb} 49 | v4.5 50 | 12.0 51 | Debug 52 | Win32 53 | FileHide 54 | 55 | 56 | 57 | Windows10 58 | true 59 | WindowsKernelModeDriver10.0 60 | Driver 61 | WDM 62 | 63 | 64 | Windows10 65 | false 66 | WindowsKernelModeDriver10.0 67 | Driver 68 | WDM 69 | 70 | 71 | Windows10 72 | true 73 | WindowsKernelModeDriver10.0 74 | Driver 75 | WDM 76 | 77 | 78 | Windows10 79 | false 80 | WindowsKernelModeDriver10.0 81 | Driver 82 | WDM 83 | 84 | 85 | Windows10 86 | true 87 | WindowsKernelModeDriver10.0 88 | Driver 89 | WDM 90 | 91 | 92 | Windows10 93 | false 94 | WindowsKernelModeDriver10.0 95 | Driver 96 | WDM 97 | 98 | 99 | Windows10 100 | true 101 | WindowsKernelModeDriver10.0 102 | Driver 103 | WDM 104 | 105 | 106 | Windows10 107 | false 108 | WindowsKernelModeDriver10.0 109 | Driver 110 | WDM 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | DbgengKernelDebugger 122 | 123 | 124 | DbgengKernelDebugger 125 | 126 | 127 | DbgengKernelDebugger 128 | 129 | 130 | DbgengKernelDebugger 131 | true 132 | 133 | 134 | DbgengKernelDebugger 135 | 136 | 137 | DbgengKernelDebugger 138 | 139 | 140 | DbgengKernelDebugger 141 | 142 | 143 | DbgengKernelDebugger 144 | 145 | 146 | 147 | fltmgr.lib;%(AdditionalDependencies) 148 | 149 | 150 | 151 | 152 | fltmgr.lib;%(AdditionalDependencies) 153 | 154 | 155 | 156 | 157 | fltmgr.lib;%(AdditionalDependencies) 158 | 159 | 160 | 161 | 162 | fltmgr.lib;%(AdditionalDependencies) 163 | /INTEGRITYCHECK %(AdditionalOptions) 164 | 165 | 166 | $(ProjectDir);%(AdditionalIncludeDirectories) 167 | false 168 | 169 | 170 | 171 | 172 | fltmgr.lib;%(AdditionalDependencies) 173 | 174 | 175 | 176 | 177 | fltmgr.lib;%(AdditionalDependencies) 178 | 179 | 180 | 181 | 182 | fltmgr.lib;%(AdditionalDependencies) 183 | 184 | 185 | 186 | 187 | fltmgr.lib;%(AdditionalDependencies) 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | -------------------------------------------------------------------------------- /FileHide/FileHide/FileHide.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Driver Files 24 | 25 | 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | Source Files 38 | 39 | 40 | Source Files 41 | 42 | 43 | 44 | 45 | Resource Files 46 | 47 | 48 | 49 | 50 | Header Files 51 | 52 | 53 | Header Files 54 | 55 | 56 | Header Files 57 | 58 | 59 | Header Files 60 | 61 | 62 | Header Files 63 | 64 | 65 | Header Files 66 | 67 | 68 | -------------------------------------------------------------------------------- /FileHide/FileHide/autolock.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | template 4 | struct AutoLock { 5 | AutoLock(TLock& lock) : _lock(lock) { 6 | _lock.Lock(); 7 | } 8 | 9 | ~AutoLock() { 10 | _lock.Unlock(); 11 | } 12 | 13 | private: 14 | TLock& _lock; 15 | }; -------------------------------------------------------------------------------- /FileHide/FileHide/filenameinfo.cpp: -------------------------------------------------------------------------------- 1 | #include "filenameinfo.h" 2 | 3 | FilterFileNameInformation::FilterFileNameInformation(PFLT_CALLBACK_DATA data, FileNameOptions options) { 4 | auto status = FltGetFileNameInformation(data, (FLT_FILE_NAME_OPTIONS)options, &_info); 5 | if (!NT_SUCCESS(status)) 6 | _info = nullptr; 7 | } 8 | 9 | FilterFileNameInformation::~FilterFileNameInformation() { 10 | if (_info) 11 | FltReleaseFileNameInformation(_info); 12 | } 13 | 14 | NTSTATUS FilterFileNameInformation::Parse() { 15 | return FltParseFileNameInformation(_info); 16 | } -------------------------------------------------------------------------------- /FileHide/FileHide/filenameinfo.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | enum class FileNameOptions { 5 | Normalized = FLT_FILE_NAME_NORMALIZED, 6 | Opened = FLT_FILE_NAME_OPENED, 7 | Short = FLT_FILE_NAME_SHORT, 8 | 9 | QueryDefault = FLT_FILE_NAME_QUERY_DEFAULT, 10 | QueryCacheOnly = FLT_FILE_NAME_QUERY_CACHE_ONLY, 11 | QueryFileSystemOnly = FLT_FILE_NAME_QUERY_FILESYSTEM_ONLY, 12 | 13 | RequestFromCurrentProvider = FLT_FILE_NAME_REQUEST_FROM_CURRENT_PROVIDER, 14 | DoNotCache = FLT_FILE_NAME_DO_NOT_CACHE, 15 | AllowQueryOnReparse = FLT_FILE_NAME_ALLOW_QUERY_ON_REPARSE 16 | }; 17 | DEFINE_ENUM_FLAG_OPERATORS(FileNameOptions); 18 | 19 | struct FilterFileNameInformation { 20 | FilterFileNameInformation(PFLT_CALLBACK_DATA data, FileNameOptions options = FileNameOptions::QueryDefault | FileNameOptions::Normalized); 21 | ~FilterFileNameInformation(); 22 | 23 | operator bool() const { 24 | return _info != nullptr; 25 | } 26 | 27 | PFLT_FILE_NAME_INFORMATION Get() const { 28 | return _info; 29 | } 30 | 31 | operator PFLT_FILE_NAME_INFORMATION() const { 32 | return Get(); 33 | } 34 | 35 | PFLT_FILE_NAME_INFORMATION operator->() { 36 | return _info; 37 | } 38 | 39 | NTSTATUS Parse(); 40 | 41 | private: 42 | PFLT_FILE_NAME_INFORMATION _info; 43 | }; -------------------------------------------------------------------------------- /FileHide/FileHide/filters.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | // role : filter out our files from query buffers before returned to requestor program 4 | FLT_POSTOP_CALLBACK_STATUS 5 | FilehidePostDirectoryControl( 6 | _Inout_ PFLT_CALLBACK_DATA Data, 7 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 8 | _In_opt_ PVOID CompletionContext, 9 | _In_ FLT_POST_OPERATION_FLAGS Flags 10 | ) 11 | 12 | { 13 | UNREFERENCED_PARAMETER(CompletionContext); 14 | UNREFERENCED_PARAMETER(FltObjects); 15 | PFLT_PARAMETERS Params = &Data->Iopb->Parameters; 16 | NTSTATUS status; 17 | 18 | if (Flags & FLTFL_POST_OPERATION_DRAINING) 19 | return FLT_POSTOP_FINISHED_PROCESSING; 20 | 21 | 22 | // if the operation failed just exit 23 | if (!NT_SUCCESS(Data->IoStatus.Status)) 24 | return FLT_POSTOP_FINISHED_PROCESSING; 25 | 26 | // get file name info 27 | FilterFileNameInformation fileNameInfo(Data); 28 | if (!fileNameInfo.Get()) { 29 | return FLT_POSTOP_FINISHED_PROCESSING; 30 | } 31 | 32 | if (!NT_SUCCESS(fileNameInfo.Parse())) 33 | return FLT_POSTOP_FINISHED_PROCESSING; 34 | 35 | status = STATUS_SUCCESS; 36 | UNICODE_STRING TargetDirectory = RTL_CONSTANT_STRING(TARGET_DIRECTORY); 37 | if (RtlCompareUnicodeString(&TargetDirectory, &fileNameInfo.Get()->FinalComponent, TRUE)) 38 | return FLT_POSTOP_FINISHED_PROCESSING; 39 | 40 | DbgPrint("[*] target directory %wZ has been queried\n", fileNameInfo.Get()->FinalComponent); 41 | 42 | switch (Params->DirectoryControl.QueryDirectory.FileInformationClass) 43 | { 44 | case FileFullDirectoryInformation: 45 | status = FilterFileFullDirectoryInformation((PFILE_FULL_DIR_INFORMATION)Params->DirectoryControl.QueryDirectory.DirectoryBuffer,fileNameInfo.Get()); 46 | break; 47 | case FileBothDirectoryInformation: 48 | status = FilterFileBothDirectoryInformation((PFILE_BOTH_DIR_INFORMATION)Params->DirectoryControl.QueryDirectory.DirectoryBuffer, fileNameInfo.Get()); 49 | break; 50 | case FileDirectoryInformation: 51 | status = FilterFileDirectoryInformation((PFILE_DIRECTORY_INFORMATION)Params->DirectoryControl.QueryDirectory.DirectoryBuffer, fileNameInfo.Get()); 52 | break; 53 | case FileIdFullDirectoryInformation: 54 | status = FilterFileIdFullDirectoryInformation((PFILE_ID_FULL_DIR_INFORMATION)Params->DirectoryControl.QueryDirectory.DirectoryBuffer, fileNameInfo.Get()); 55 | break; 56 | case FileIdBothDirectoryInformation: 57 | status = FilterFileIdBothDirectoryInformation((PFILE_ID_BOTH_DIR_INFORMATION)Params->DirectoryControl.QueryDirectory.DirectoryBuffer, fileNameInfo.Get()); 58 | break; 59 | case FileNamesInformation: 60 | status = FilterFileNamesInformation((PFILE_NAMES_INFORMATION)Params->DirectoryControl.QueryDirectory.DirectoryBuffer, fileNameInfo.Get()); 61 | break; 62 | } 63 | 64 | Data->IoStatus.Status = status; 65 | 66 | 67 | return FLT_POSTOP_FINISHED_PROCESSING; 68 | 69 | } 70 | 71 | 72 | 73 | // role : filter out uninteresting controls from post operation 74 | FLT_PREOP_CALLBACK_STATUS 75 | FilehidePreDirectoryControl( 76 | _Inout_ PFLT_CALLBACK_DATA Data, 77 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 78 | _Flt_CompletionContext_Outptr_ PVOID* CompletionContext 79 | ) 80 | 81 | { 82 | UNREFERENCED_PARAMETER(Data); 83 | UNREFERENCED_PARAMETER(FltObjects); 84 | UNREFERENCED_PARAMETER(CompletionContext); 85 | 86 | 87 | if (Data->Iopb->MinorFunction != IRP_MN_QUERY_DIRECTORY) 88 | return FLT_PREOP_SUCCESS_NO_CALLBACK; 89 | 90 | switch (Data->Iopb->Parameters.DirectoryControl.QueryDirectory.FileInformationClass) 91 | { 92 | case FileIdFullDirectoryInformation: 93 | case FileIdBothDirectoryInformation: 94 | case FileBothDirectoryInformation: 95 | case FileDirectoryInformation: 96 | case FileFullDirectoryInformation: 97 | case FileNamesInformation: 98 | break; 99 | default: 100 | return FLT_PREOP_SUCCESS_NO_CALLBACK; 101 | } 102 | 103 | return FLT_PREOP_SUCCESS_WITH_CALLBACK; 104 | } 105 | 106 | 107 | 108 | 109 | 110 | 111 | -------------------------------------------------------------------------------- /FileHide/FileHide/filters.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | 5 | EXTERN_C_START 6 | 7 | 8 | 9 | DRIVER_INITIALIZE DriverEntry; 10 | NTSTATUS 11 | DriverEntry( 12 | _In_ PDRIVER_OBJECT DriverObject, 13 | _In_ PUNICODE_STRING RegistryPath 14 | ); 15 | 16 | NTSTATUS 17 | FilehideInstanceSetup( 18 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 19 | _In_ FLT_INSTANCE_SETUP_FLAGS Flags, 20 | _In_ DEVICE_TYPE VolumeDeviceType, 21 | _In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType 22 | ); 23 | 24 | 25 | NTSTATUS 26 | FilehideUnload( 27 | _In_ FLT_FILTER_UNLOAD_FLAGS Flags 28 | ); 29 | 30 | 31 | FLT_POSTOP_CALLBACK_STATUS 32 | FilehidePostDirectoryControl( 33 | _Inout_ PFLT_CALLBACK_DATA Data, 34 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 35 | _In_opt_ PVOID CompletionContext, 36 | _In_ FLT_POST_OPERATION_FLAGS Flags 37 | ); 38 | 39 | FLT_PREOP_CALLBACK_STATUS 40 | FilehidePreDirectoryControl( 41 | _Inout_ PFLT_CALLBACK_DATA Data, 42 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 43 | _Flt_CompletionContext_Outptr_ PVOID* CompletionContext 44 | ); 45 | 46 | EXTERN_C_END -------------------------------------------------------------------------------- /FileHide/FileHide/hide.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | NTSTATUS FilterFileNamesInformation(PFILE_NAMES_INFORMATION info, PFLT_FILE_NAME_INFORMATION FileInfo) 4 | { 5 | PFILE_NAMES_INFORMATION nextInfo, prevInfo = NULL; 6 | UNICODE_STRING QueriedFile; 7 | UINT32 offset, moveLength; 8 | BOOLEAN search; 9 | NTSTATUS status = STATUS_SUCCESS; 10 | WCHAR ToHide[20] = TARGET_FILE; 11 | offset = 0; 12 | search = TRUE; 13 | 14 | do 15 | { 16 | QueriedFile.Buffer = info->FileName; 17 | QueriedFile.Length = (USHORT)info->FileNameLength; 18 | QueriedFile.MaximumLength = (USHORT)info->FileNameLength; 19 | 20 | // Is it the file we want to hide 21 | if (!wcscmp(QueriedFile.Buffer, ToHide)) 22 | { 23 | DbgPrint("[*] stripped from query: %wZ\\%wZ\n", &FileInfo->FinalComponent, &QueriedFile); 24 | BOOLEAN retn = FALSE; 25 | 26 | if (prevInfo != NULL) 27 | { 28 | if (info->NextEntryOffset != 0) 29 | { 30 | prevInfo->NextEntryOffset += info->NextEntryOffset; 31 | offset = info->NextEntryOffset; 32 | } 33 | else 34 | { 35 | prevInfo->NextEntryOffset = 0; 36 | status = STATUS_SUCCESS; 37 | retn = TRUE; 38 | } 39 | 40 | RtlFillMemory(info, sizeof(FILE_NAMES_INFORMATION), 0); 41 | } 42 | else 43 | { 44 | if (info->NextEntryOffset != 0) 45 | { 46 | nextInfo = (PFILE_NAMES_INFORMATION)((PUCHAR)info + info->NextEntryOffset); 47 | moveLength = 0; 48 | while (nextInfo->NextEntryOffset != 0) 49 | { 50 | moveLength += nextInfo->NextEntryOffset; 51 | nextInfo = (PFILE_NAMES_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset); 52 | } 53 | 54 | moveLength += FIELD_OFFSET(FILE_NAMES_INFORMATION, FileName) + nextInfo->FileNameLength; 55 | RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength); 56 | } 57 | else 58 | { 59 | status = STATUS_NO_MORE_ENTRIES; 60 | retn = TRUE; 61 | } 62 | } 63 | 64 | 65 | if (retn) 66 | return status; 67 | 68 | info = (PFILE_NAMES_INFORMATION)((PCHAR)info + offset); 69 | continue; 70 | 71 | } 72 | offset = info->NextEntryOffset; 73 | prevInfo = info; 74 | info = (PFILE_NAMES_INFORMATION)((PCHAR)info + offset); 75 | 76 | if (offset == 0) 77 | search = FALSE; 78 | } while (search); 79 | 80 | return STATUS_SUCCESS; 81 | } 82 | 83 | 84 | NTSTATUS FilterFileIdBothDirectoryInformation(PFILE_ID_BOTH_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION FileInfo) 85 | { 86 | PFILE_ID_BOTH_DIR_INFORMATION nextInfo, prevInfo = NULL; 87 | UINT32 offset, moveLength; 88 | BOOLEAN matched, search; 89 | NTSTATUS status = STATUS_SUCCESS; 90 | UNICODE_STRING QueriedFile; 91 | WCHAR ToHide[20] = TARGET_FILE; 92 | offset = 0; 93 | search = TRUE; 94 | 95 | do 96 | { 97 | QueriedFile.Buffer = info->FileName; 98 | QueriedFile.Length = (USHORT)info->FileNameLength; 99 | QueriedFile.MaximumLength = (USHORT)info->FileNameLength; 100 | 101 | // Is it the file we want to hide 102 | if (!wcscmp(QueriedFile.Buffer, ToHide)) 103 | { 104 | DbgPrint("[*] stripped from query: %wZ\\%wZ\n", &FileInfo->FinalComponent, &QueriedFile); 105 | 106 | BOOLEAN retn = FALSE; 107 | 108 | if (prevInfo != NULL) 109 | { 110 | if (info->NextEntryOffset != 0) 111 | { 112 | prevInfo->NextEntryOffset += info->NextEntryOffset; 113 | offset = info->NextEntryOffset; 114 | } 115 | else 116 | { 117 | prevInfo->NextEntryOffset = 0; 118 | status = STATUS_SUCCESS; 119 | retn = TRUE; 120 | } 121 | 122 | RtlFillMemory(info, sizeof(FILE_ID_BOTH_DIR_INFORMATION), 0); 123 | } 124 | else 125 | { 126 | if (info->NextEntryOffset != 0) 127 | { 128 | nextInfo = (PFILE_ID_BOTH_DIR_INFORMATION)((PUCHAR)info + info->NextEntryOffset); 129 | moveLength = 0; 130 | while (nextInfo->NextEntryOffset != 0) 131 | { 132 | moveLength += nextInfo->NextEntryOffset; 133 | nextInfo = (PFILE_ID_BOTH_DIR_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset); 134 | } 135 | 136 | moveLength += FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, FileName) + nextInfo->FileNameLength; 137 | RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue 138 | } 139 | else 140 | { 141 | status = STATUS_NO_MORE_ENTRIES; 142 | retn = TRUE; 143 | } 144 | } 145 | 146 | 147 | if (retn) 148 | return status; 149 | 150 | info = (PFILE_ID_BOTH_DIR_INFORMATION)((PCHAR)info + offset); 151 | continue; 152 | 153 | } 154 | offset = info->NextEntryOffset; 155 | prevInfo = info; 156 | info = (PFILE_ID_BOTH_DIR_INFORMATION)((PCHAR)info + offset); 157 | 158 | if (offset == 0) 159 | search = FALSE; 160 | } while (search); 161 | 162 | return status; 163 | } 164 | 165 | 166 | NTSTATUS FilterFileDirectoryInformation(PFILE_DIRECTORY_INFORMATION info, PFLT_FILE_NAME_INFORMATION FileInfo) 167 | { 168 | PFILE_DIRECTORY_INFORMATION nextInfo, prevInfo = NULL; 169 | UNICODE_STRING QueriedFile; 170 | UINT32 offset, moveLength; 171 | BOOLEAN matched, search; 172 | NTSTATUS status = STATUS_SUCCESS; 173 | WCHAR ToHide[20] = TARGET_FILE; 174 | offset = 0; 175 | search = TRUE; 176 | 177 | do 178 | { 179 | QueriedFile.Buffer = info->FileName; 180 | QueriedFile.Length = (USHORT)info->FileNameLength; 181 | QueriedFile.MaximumLength = (USHORT)info->FileNameLength; 182 | 183 | // Is it the file we want to hide 184 | if (!wcscmp(QueriedFile.Buffer, ToHide)) 185 | { 186 | DbgPrint("[*] stripped from query: %wZ\\%wZ\n", &FileInfo->FinalComponent, &QueriedFile); 187 | BOOLEAN retn = FALSE; 188 | 189 | if (prevInfo != NULL) 190 | { 191 | if (info->NextEntryOffset != 0) 192 | { 193 | prevInfo->NextEntryOffset += info->NextEntryOffset; 194 | offset = info->NextEntryOffset; 195 | } 196 | else 197 | { 198 | prevInfo->NextEntryOffset = 0; 199 | status = STATUS_SUCCESS; 200 | retn = TRUE; 201 | } 202 | 203 | RtlFillMemory(info, sizeof(FILE_DIRECTORY_INFORMATION), 0); 204 | } 205 | else 206 | { 207 | if (info->NextEntryOffset != 0) 208 | { 209 | nextInfo = (PFILE_DIRECTORY_INFORMATION)((PUCHAR)info + info->NextEntryOffset); 210 | moveLength = 0; 211 | while (nextInfo->NextEntryOffset != 0) 212 | { 213 | moveLength += nextInfo->NextEntryOffset; 214 | nextInfo = (PFILE_DIRECTORY_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset); 215 | } 216 | 217 | moveLength += FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileName) + nextInfo->FileNameLength; 218 | RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue 219 | } 220 | else 221 | { 222 | status = STATUS_NO_MORE_ENTRIES; 223 | retn = TRUE; 224 | } 225 | } 226 | 227 | if (retn) 228 | return status; 229 | 230 | info = (PFILE_DIRECTORY_INFORMATION)((PCHAR)info + offset); 231 | continue; 232 | 233 | } 234 | offset = info->NextEntryOffset; 235 | prevInfo = info; 236 | info = (PFILE_DIRECTORY_INFORMATION)((PCHAR)info + offset); 237 | 238 | if (offset == 0) 239 | search = FALSE; 240 | } while (search); 241 | 242 | return STATUS_SUCCESS; 243 | } 244 | 245 | 246 | 247 | 248 | NTSTATUS FilterFileBothDirectoryInformation(PFILE_BOTH_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION FileInfo) 249 | { 250 | PFILE_BOTH_DIR_INFORMATION nextInfo, prevInfo = NULL; 251 | UNICODE_STRING QueriedFile; 252 | UINT32 offset, moveLength; 253 | BOOLEAN matched, search; 254 | NTSTATUS status = STATUS_SUCCESS; 255 | WCHAR ToHide[20] = TARGET_FILE; 256 | offset = 0; 257 | search = TRUE; 258 | 259 | do 260 | { 261 | QueriedFile.Buffer = info->FileName; 262 | QueriedFile.Length = (USHORT)info->FileNameLength; 263 | QueriedFile.MaximumLength = (USHORT)info->FileNameLength; 264 | 265 | // Is it the file we want to hide 266 | if (!wcscmp(QueriedFile.Buffer, ToHide)) 267 | { 268 | DbgPrint("[*] stripped from query: %wZ\\%wZ\n", &FileInfo->FinalComponent, &QueriedFile); 269 | BOOLEAN retn = FALSE; 270 | 271 | if (prevInfo != NULL) 272 | { 273 | if (info->NextEntryOffset != 0) 274 | { 275 | prevInfo->NextEntryOffset += info->NextEntryOffset; 276 | offset = info->NextEntryOffset; 277 | } 278 | else 279 | { 280 | prevInfo->NextEntryOffset = 0; 281 | status = STATUS_SUCCESS; 282 | retn = TRUE; 283 | } 284 | 285 | RtlFillMemory(info, sizeof(FILE_BOTH_DIR_INFORMATION), 0); 286 | } 287 | else 288 | { 289 | if (info->NextEntryOffset != 0) 290 | { 291 | nextInfo = (PFILE_BOTH_DIR_INFORMATION)((PUCHAR)info + info->NextEntryOffset); 292 | moveLength = 0; 293 | while (nextInfo->NextEntryOffset != 0) 294 | { 295 | moveLength += nextInfo->NextEntryOffset; 296 | nextInfo = (PFILE_BOTH_DIR_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset); 297 | } 298 | 299 | moveLength += FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileName) + nextInfo->FileNameLength; 300 | RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue 301 | } 302 | else 303 | { 304 | status = STATUS_NO_MORE_ENTRIES; 305 | retn = TRUE; 306 | } 307 | } 308 | 309 | 310 | if (retn) 311 | return status; 312 | 313 | info = (PFILE_BOTH_DIR_INFORMATION)((PCHAR)info + offset); 314 | continue; 315 | 316 | } 317 | offset = info->NextEntryOffset; 318 | prevInfo = info; 319 | info = (PFILE_BOTH_DIR_INFORMATION)((PCHAR)info + offset); 320 | 321 | if (offset == 0) 322 | search = FALSE; 323 | } while (search); 324 | 325 | return STATUS_SUCCESS; 326 | } 327 | 328 | 329 | 330 | NTSTATUS FilterFileIdFullDirectoryInformation(PFILE_ID_FULL_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION FileInfo) 331 | { 332 | PFILE_ID_FULL_DIR_INFORMATION nextInfo, prevInfo = NULL; 333 | UNICODE_STRING QueriedFile; 334 | UINT32 offset, moveLength; 335 | BOOLEAN matched, search; 336 | NTSTATUS status = STATUS_SUCCESS; 337 | WCHAR ToHide[20] = TARGET_FILE; 338 | offset = 0; 339 | search = TRUE; 340 | 341 | do 342 | { 343 | QueriedFile.Buffer = info->FileName; 344 | QueriedFile.Length = (USHORT)info->FileNameLength; 345 | QueriedFile.MaximumLength = (USHORT)info->FileNameLength; 346 | if (!wcscmp(QueriedFile.Buffer, ToHide)) 347 | { 348 | DbgPrint("[*] stripped from query: %wZ\\%wZ\n", &FileInfo->FinalComponent, &QueriedFile); 349 | 350 | BOOLEAN retn = FALSE; 351 | 352 | if (prevInfo != NULL) 353 | { 354 | if (info->NextEntryOffset != 0) 355 | { 356 | prevInfo->NextEntryOffset += info->NextEntryOffset; 357 | offset = info->NextEntryOffset; 358 | } 359 | else 360 | { 361 | prevInfo->NextEntryOffset = 0; 362 | status = STATUS_SUCCESS; 363 | retn = TRUE; 364 | } 365 | 366 | RtlFillMemory(info, sizeof(FILE_ID_FULL_DIR_INFORMATION), 0); 367 | } 368 | else 369 | { 370 | if (info->NextEntryOffset != 0) 371 | { 372 | nextInfo = (PFILE_ID_FULL_DIR_INFORMATION)((PUCHAR)info + info->NextEntryOffset); 373 | moveLength = 0; 374 | while (nextInfo->NextEntryOffset != 0) 375 | { 376 | moveLength += nextInfo->NextEntryOffset; 377 | nextInfo = (PFILE_ID_FULL_DIR_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset); 378 | } 379 | 380 | moveLength += FIELD_OFFSET(FILE_ID_FULL_DIR_INFORMATION, FileName) + nextInfo->FileNameLength; 381 | RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength); 382 | } 383 | else 384 | { 385 | status = STATUS_NO_MORE_ENTRIES; 386 | retn = TRUE; 387 | } 388 | } 389 | 390 | 391 | if (retn) 392 | return status; 393 | 394 | info = (PFILE_ID_FULL_DIR_INFORMATION)((PCHAR)info + offset); 395 | continue; 396 | 397 | } 398 | offset = info->NextEntryOffset; 399 | prevInfo = info; 400 | info = (PFILE_ID_FULL_DIR_INFORMATION)((PCHAR)info + offset); 401 | 402 | if (offset == 0) 403 | search = FALSE; 404 | } while (search); 405 | 406 | return STATUS_SUCCESS; 407 | } 408 | 409 | 410 | 411 | NTSTATUS FilterFileFullDirectoryInformation(PFILE_FULL_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION FileInfo) 412 | { 413 | PFILE_FULL_DIR_INFORMATION nextInfo, prevInfo = NULL; 414 | UNICODE_STRING QueriedFile; 415 | UINT32 offset, moveLength; 416 | BOOLEAN matched, search; 417 | NTSTATUS status = STATUS_SUCCESS; 418 | WCHAR ToHide[20] = TARGET_FILE; 419 | offset = 0; 420 | search = TRUE; 421 | 422 | do 423 | { 424 | QueriedFile.Buffer = info->FileName; 425 | QueriedFile.Length = (USHORT)info->FileNameLength; 426 | QueriedFile.MaximumLength = (USHORT)info->FileNameLength; 427 | if (!wcscmp(QueriedFile.Buffer, ToHide)) 428 | { 429 | DbgPrint("[*] stripped from query: %wZ\\%wZ\n", &FileInfo->FinalComponent, &QueriedFile); 430 | BOOLEAN retn = FALSE; 431 | 432 | if (prevInfo != NULL) 433 | { 434 | if (info->NextEntryOffset != 0) 435 | { 436 | prevInfo->NextEntryOffset += info->NextEntryOffset; 437 | offset = info->NextEntryOffset; 438 | } 439 | else 440 | { 441 | prevInfo->NextEntryOffset = 0; 442 | status = STATUS_SUCCESS; 443 | retn = TRUE; 444 | } 445 | 446 | RtlFillMemory(info, sizeof(FILE_FULL_DIR_INFORMATION), 0); 447 | } 448 | else 449 | { 450 | if (info->NextEntryOffset != 0) 451 | { 452 | nextInfo = (PFILE_FULL_DIR_INFORMATION)((PUCHAR)info + info->NextEntryOffset); 453 | moveLength = 0; 454 | while (nextInfo->NextEntryOffset != 0) 455 | { 456 | moveLength += nextInfo->NextEntryOffset; 457 | nextInfo = (PFILE_FULL_DIR_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset); 458 | } 459 | 460 | moveLength += FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, FileName) + nextInfo->FileNameLength; 461 | RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue 462 | } 463 | else 464 | { 465 | status = STATUS_NO_MORE_ENTRIES; 466 | retn = TRUE; 467 | } 468 | } 469 | 470 | if (retn) 471 | return status; 472 | 473 | info = (PFILE_FULL_DIR_INFORMATION)((PCHAR)info + offset); 474 | continue; 475 | 476 | } 477 | offset = info->NextEntryOffset; 478 | prevInfo = info; 479 | info = (PFILE_FULL_DIR_INFORMATION)((PCHAR)info + offset); 480 | 481 | if (offset == 0) 482 | search = FALSE; 483 | } while (search); 484 | 485 | return STATUS_SUCCESS; 486 | } -------------------------------------------------------------------------------- /FileHide/FileHide/hide.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | 5 | NTSTATUS FilterFileNamesInformation(PFILE_NAMES_INFORMATION info, PFLT_FILE_NAME_INFORMATION FileInfo); 6 | NTSTATUS FilterFileIdBothDirectoryInformation(PFILE_ID_BOTH_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION FileInfo); 7 | NTSTATUS FilterFileDirectoryInformation(PFILE_DIRECTORY_INFORMATION info, PFLT_FILE_NAME_INFORMATION FileInfo); 8 | NTSTATUS FilterFileBothDirectoryInformation(PFILE_BOTH_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION FileInfo); 9 | NTSTATUS FilterFileIdFullDirectoryInformation(PFILE_ID_FULL_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION FileInfo); 10 | NTSTATUS FilterFileFullDirectoryInformation(PFILE_FULL_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION FileInfo); -------------------------------------------------------------------------------- /FileHide/FileHide/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | 4 | #pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers") 5 | 6 | 7 | PFLT_FILTER gFilterHandle; 8 | 9 | 10 | CONST FLT_OPERATION_REGISTRATION Callbacks[] = { 11 | {IRP_MJ_DIRECTORY_CONTROL,NULL,FilehidePreDirectoryControl,FilehidePostDirectoryControl}, 12 | { IRP_MJ_OPERATION_END } 13 | }; 14 | 15 | 16 | 17 | CONST FLT_REGISTRATION FilterRegistration = { 18 | 19 | sizeof(FLT_REGISTRATION), // Size 20 | FLT_REGISTRATION_VERSION, // Version 21 | 0, // Flags 22 | 23 | nullptr, // Context 24 | Callbacks, // Operation callbacks 25 | 26 | FilehideUnload, // MiniFilterUnload 27 | 28 | FilehideInstanceSetup, // InstanceSetup 29 | nullptr, // InstanceQueryTeardown 30 | nullptr, // InstanceTeardownStart 31 | nullptr, // InstanceTeardownComplete 32 | 33 | nullptr, // GenerateFileName 34 | nullptr, // GenerateDestinationFileName 35 | nullptr // NormalizeNameComponent 36 | 37 | }; 38 | 39 | 40 | 41 | NTSTATUS 42 | FilehideInstanceSetup( 43 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 44 | _In_ FLT_INSTANCE_SETUP_FLAGS Flags, 45 | _In_ DEVICE_TYPE VolumeDeviceType, 46 | _In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType 47 | ) 48 | 49 | { 50 | UNREFERENCED_PARAMETER(FltObjects); 51 | UNREFERENCED_PARAMETER(Flags); 52 | UNREFERENCED_PARAMETER(VolumeDeviceType); 53 | UNREFERENCED_PARAMETER(VolumeFilesystemType); 54 | 55 | PAGED_CODE(); 56 | 57 | 58 | 59 | return STATUS_SUCCESS; 60 | } 61 | 62 | 63 | 64 | /************************************************************************* 65 | MiniFilter initialization and unload routines. 66 | *************************************************************************/ 67 | 68 | NTSTATUS 69 | DriverEntry( 70 | _In_ PDRIVER_OBJECT DriverObject, 71 | _In_ PUNICODE_STRING RegistryPath 72 | ) 73 | 74 | 75 | 76 | { 77 | NTSTATUS status; 78 | UNREFERENCED_PARAMETER(RegistryPath); 79 | 80 | status = FltRegisterFilter(DriverObject, 81 | &FilterRegistration, 82 | &gFilterHandle); 83 | 84 | 85 | 86 | FLT_ASSERT(NT_SUCCESS(status)); 87 | 88 | if (NT_SUCCESS(status)) { 89 | 90 | status = FltStartFiltering(gFilterHandle); 91 | 92 | if (!NT_SUCCESS(status)) { 93 | 94 | FltUnregisterFilter(gFilterHandle); 95 | } 96 | } 97 | DbgPrint("[*] Filehide loaded\n"); 98 | return status; 99 | } 100 | 101 | NTSTATUS 102 | FilehideUnload( 103 | _In_ FLT_FILTER_UNLOAD_FLAGS Flags 104 | ) 105 | 106 | { 107 | UNREFERENCED_PARAMETER(Flags); 108 | FltUnregisterFilter(gFilterHandle); 109 | DbgPrint("[*] Filehide unloaded\n"); 110 | return STATUS_SUCCESS; 111 | } 112 | -------------------------------------------------------------------------------- /FileHide/FileHide/main.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | 12 | #define TAG 'FHFL' 13 | #define TARGET_DIRECTORY L"ToHide" 14 | #define TARGET_FILE L"Hidden.sys" 15 | 16 | 17 | extern PFLT_FILTER gFilterHandle; 18 | 19 | #ifdef ALLOC_PRAGMA 20 | #pragma alloc_text(INIT, DriverEntry) 21 | #pragma alloc_text(PAGE, FilehideUnload) 22 | #pragma alloc_text(PAGE, FilehideInstanceSetup) 23 | 24 | #endif -------------------------------------------------------------------------------- /FileHide/FileHide/mutex.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | 4 | void Mutex::Init() { 5 | KeInitializeMutex(&_mutex, 0); 6 | } 7 | 8 | void Mutex::Lock() { 9 | KeWaitForSingleObject(&_mutex, Executive, KernelMode, FALSE, nullptr); 10 | } 11 | 12 | void Mutex::Unlock() { 13 | KeReleaseMutex(&_mutex, FALSE); 14 | } -------------------------------------------------------------------------------- /FileHide/FileHide/mutex.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | class Mutex { 6 | public: 7 | void Init(); 8 | 9 | void Lock(); 10 | void Unlock(); 11 | 12 | private: 13 | KMUTEX _mutex; 14 | }; -------------------------------------------------------------------------------- /FileHide/FileHide/x64/Release/FileHide.inf: -------------------------------------------------------------------------------- 1 | ;;; 2 | ;;; FileHide 3 | ;;; 4 | 5 | [Version] 6 | Signature = "$Windows NT$" 7 | ; TODO - Change the Class and ClassGuid to match the Load Order Group value, see https://msdn.microsoft.com/en-us/windows/hardware/gg462963 8 | ; Class = "ActivityMonitor" ;This is determined by the work this filter driver does 9 | ; ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value 10 | Class = "ActivityMonitor" 11 | ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} 12 | Provider = %ManufacturerName% 13 | DriverVer = 02/09/2024,15.56.1.759 14 | CatalogFile = FileHide.cat 15 | PnpLockDown=1 16 | 17 | [DestinationDirs] 18 | DefaultDestDir = 12 19 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers 20 | 21 | ;; 22 | ;; Default install sections 23 | ;; 24 | 25 | [DefaultInstall] 26 | OptionDesc = %ServiceDescription% 27 | CopyFiles = MiniFilter.DriverFiles 28 | 29 | [DefaultInstall.Services] 30 | AddService = %ServiceName%,,MiniFilter.Service 31 | 32 | ;; 33 | ;; Default uninstall sections 34 | ;; 35 | 36 | [DefaultUninstall] 37 | DelFiles = MiniFilter.DriverFiles 38 | 39 | [DefaultUninstall.Services] 40 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting 41 | 42 | ; 43 | ; Services Section 44 | ; 45 | 46 | [MiniFilter.Service] 47 | DisplayName = %ServiceName% 48 | Description = %ServiceDescription% 49 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\ 50 | Dependencies = "FltMgr" 51 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER 52 | StartType = 3 ;SERVICE_DEMAND_START 53 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL 54 | ; TODO - Change the Load Order Group value 55 | ; LoadOrderGroup = "FSFilter Activity Monitor" 56 | LoadOrderGroup = "FSFilter Activity Monitor" 57 | AddReg = MiniFilter.AddRegistry 58 | 59 | ; 60 | ; Registry Modifications 61 | ; 62 | 63 | [MiniFilter.AddRegistry] 64 | HKR,,"DebugFlags",0x00010001 ,0x0 65 | HKR,,"SupportedFeatures",0x00010001,0x3 66 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% 67 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% 68 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% 69 | 70 | ; 71 | ; Copy Files 72 | ; 73 | 74 | [MiniFilter.DriverFiles] 75 | %DriverName%.sys 76 | 77 | [SourceDisksFiles] 78 | FileHide.sys = 1,, 79 | 80 | [SourceDisksNames] 81 | 1 = %DiskId1%,,, 82 | 83 | ;; 84 | ;; String Section 85 | ;; 86 | 87 | [Strings] 88 | ; TODO - Add your manufacturer 89 | ManufacturerName = "Template" 90 | ServiceDescription = "FileHide Mini-Filter Driver" 91 | ServiceName = "FileHide" 92 | DriverName = "FileHide" 93 | DiskId1 = "FileHide Device Installation Disk" 94 | 95 | ;Instances specific information. 96 | DefaultInstance = "FileHide Instance" 97 | Instance1.Name = "FileHide Instance" 98 | ; TODO - Change the altitude value, see https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers 99 | Instance1.Altitude = "39333" 100 | Instance1.Flags = 0x0 ; Allow all attachments 101 | -------------------------------------------------------------------------------- /FileHide/FileHide/x64/Release/FileHide.log: -------------------------------------------------------------------------------- 1 |  Building 'FileHide' with toolset 'WindowsKernelModeDriver10.0' and the 'Desktop' target platform. 2 | Stamping x64\Release\FileHide.inf 3 | Stamping [Version] section with DriverVer=02/09/2024,15.56.1.759 4 | C:\Users\dorge\source\repos\FileHide\FileHide\FileHide.inf : warning 1420: [DefaultInstall]-based INF cannot be processed as Primitive. 5 | C:\Users\dorge\source\repos\FileHide\FileHide\FileHide.inf(25-25): warning 1421: Section [DefaultInstall] should have an architecture decoration. 6 | C:\Users\dorge\source\repos\FileHide\FileHide\FileHide.inf(36-36): warning 1421: Section [DefaultUninstall] should have an architecture decoration. 7 | C:\Users\dorge\source\repos\FileHide\FileHide\FileHide.inf(74-74): warning 1205: Section [MiniFilter.DriverFiles] referenced from DelFiles and CopyFiles directive. 8 | filenameinfo.cpp 9 | filters.cpp 10 | hide.cpp 11 | C:\Users\dorge\source\repos\FileHide\FileHide\hide.cpp(88,10): warning C4101: 'matched': unreferenced local variable 12 | C:\Users\dorge\source\repos\FileHide\FileHide\hide.cpp(171,10): warning C4101: 'matched': unreferenced local variable 13 | C:\Users\dorge\source\repos\FileHide\FileHide\hide.cpp(253,10): warning C4101: 'matched': unreferenced local variable 14 | C:\Users\dorge\source\repos\FileHide\FileHide\hide.cpp(335,10): warning C4101: 'matched': unreferenced local variable 15 | C:\Users\dorge\source\repos\FileHide\FileHide\hide.cpp(416,10): warning C4101: 'matched': unreferenced local variable 16 | main.cpp 17 | mutex.cpp 18 | Generating Code... 19 | FileHide.vcxproj -> C:\Users\dorge\source\repos\FileHide\x64\Release\FileHide.sys 20 | Done Adding Additional Store 21 | Successfully signed: C:\Users\dorge\source\repos\FileHide\x64\Release\FileHide.sys 22 | 23 | ......................... 24 | Signability test complete. 25 | 26 | Errors: 27 | None 28 | 29 | Warnings: 30 | None 31 | 32 | Catalog generation complete. 33 | C:\Users\dorge\source\repos\FileHide\x64\Release\FileHide\filehide.cat 34 | Done Adding Additional Store 35 | Successfully signed: C:\Users\dorge\source\repos\FileHide\x64\Release\FileHide\filehide.cat 36 | 37 | -------------------------------------------------------------------------------- /FileHide/FileHide/x64/Release/FileHide.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/FileHide/c3ddb18715dfa362d279414aea46edffe0e83c83/FileHide/FileHide/x64/Release/FileHide.res -------------------------------------------------------------------------------- /FileHide/FileHide/x64/Release/FileHide.sys.recipe: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | C:\Users\dorge\source\repos\FileHide\x64\Release\FileHide.sys 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /FileHide/FileHide/x64/Release/filenameinfo.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/FileHide/c3ddb18715dfa362d279414aea46edffe0e83c83/FileHide/FileHide/x64/Release/filenameinfo.obj -------------------------------------------------------------------------------- /FileHide/FileHide/x64/Release/filters.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/FileHide/c3ddb18715dfa362d279414aea46edffe0e83c83/FileHide/FileHide/x64/Release/filters.obj -------------------------------------------------------------------------------- /FileHide/FileHide/x64/Release/hide.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/FileHide/c3ddb18715dfa362d279414aea46edffe0e83c83/FileHide/FileHide/x64/Release/hide.obj -------------------------------------------------------------------------------- /FileHide/FileHide/x64/Release/main.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/FileHide/c3ddb18715dfa362d279414aea46edffe0e83c83/FileHide/FileHide/x64/Release/main.obj -------------------------------------------------------------------------------- /FileHide/FileHide/x64/Release/mutex.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/FileHide/c3ddb18715dfa362d279414aea46edffe0e83c83/FileHide/FileHide/x64/Release/mutex.obj -------------------------------------------------------------------------------- /FileHide/FileHide/x64/Release/vc142.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/FileHide/c3ddb18715dfa362d279414aea46edffe0e83c83/FileHide/FileHide/x64/Release/vc142.pdb -------------------------------------------------------------------------------- /FileHide/x64/Release/FileHide.cer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/FileHide/c3ddb18715dfa362d279414aea46edffe0e83c83/FileHide/x64/Release/FileHide.cer -------------------------------------------------------------------------------- /FileHide/x64/Release/FileHide.inf: -------------------------------------------------------------------------------- 1 | ;;; 2 | ;;; FileHide 3 | ;;; 4 | 5 | [Version] 6 | Signature = "$Windows NT$" 7 | ; TODO - Change the Class and ClassGuid to match the Load Order Group value, see https://msdn.microsoft.com/en-us/windows/hardware/gg462963 8 | ; Class = "ActivityMonitor" ;This is determined by the work this filter driver does 9 | ; ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value 10 | Class = "ActivityMonitor" 11 | ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} 12 | Provider = %ManufacturerName% 13 | DriverVer = 02/09/2024,15.56.1.759 14 | CatalogFile = FileHide.cat 15 | PnpLockDown=1 16 | 17 | [DestinationDirs] 18 | DefaultDestDir = 12 19 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers 20 | 21 | ;; 22 | ;; Default install sections 23 | ;; 24 | 25 | [DefaultInstall] 26 | OptionDesc = %ServiceDescription% 27 | CopyFiles = MiniFilter.DriverFiles 28 | 29 | [DefaultInstall.Services] 30 | AddService = %ServiceName%,,MiniFilter.Service 31 | 32 | ;; 33 | ;; Default uninstall sections 34 | ;; 35 | 36 | [DefaultUninstall] 37 | DelFiles = MiniFilter.DriverFiles 38 | 39 | [DefaultUninstall.Services] 40 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting 41 | 42 | ; 43 | ; Services Section 44 | ; 45 | 46 | [MiniFilter.Service] 47 | DisplayName = %ServiceName% 48 | Description = %ServiceDescription% 49 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\ 50 | Dependencies = "FltMgr" 51 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER 52 | StartType = 3 ;SERVICE_DEMAND_START 53 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL 54 | ; TODO - Change the Load Order Group value 55 | ; LoadOrderGroup = "FSFilter Activity Monitor" 56 | LoadOrderGroup = "FSFilter Activity Monitor" 57 | AddReg = MiniFilter.AddRegistry 58 | 59 | ; 60 | ; Registry Modifications 61 | ; 62 | 63 | [MiniFilter.AddRegistry] 64 | HKR,,"DebugFlags",0x00010001 ,0x0 65 | HKR,,"SupportedFeatures",0x00010001,0x3 66 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% 67 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% 68 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% 69 | 70 | ; 71 | ; Copy Files 72 | ; 73 | 74 | [MiniFilter.DriverFiles] 75 | %DriverName%.sys 76 | 77 | [SourceDisksFiles] 78 | FileHide.sys = 1,, 79 | 80 | [SourceDisksNames] 81 | 1 = %DiskId1%,,, 82 | 83 | ;; 84 | ;; String Section 85 | ;; 86 | 87 | [Strings] 88 | ; TODO - Add your manufacturer 89 | ManufacturerName = "Template" 90 | ServiceDescription = "FileHide Mini-Filter Driver" 91 | ServiceName = "FileHide" 92 | DriverName = "FileHide" 93 | DiskId1 = "FileHide Device Installation Disk" 94 | 95 | ;Instances specific information. 96 | DefaultInstance = "FileHide Instance" 97 | Instance1.Name = "FileHide Instance" 98 | ; TODO - Change the altitude value, see https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers 99 | Instance1.Altitude = "39333" 100 | Instance1.Flags = 0x0 ; Allow all attachments 101 | -------------------------------------------------------------------------------- /FileHide/x64/Release/FileHide.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/FileHide/c3ddb18715dfa362d279414aea46edffe0e83c83/FileHide/x64/Release/FileHide.pdb -------------------------------------------------------------------------------- /FileHide/x64/Release/FileHide.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/FileHide/c3ddb18715dfa362d279414aea46edffe0e83c83/FileHide/x64/Release/FileHide.sys -------------------------------------------------------------------------------- /FileHide/x64/Release/FileHide/FileHide.inf: -------------------------------------------------------------------------------- 1 | ;;; 2 | ;;; FileHide 3 | ;;; 4 | 5 | [Version] 6 | Signature = "$Windows NT$" 7 | ; TODO - Change the Class and ClassGuid to match the Load Order Group value, see https://msdn.microsoft.com/en-us/windows/hardware/gg462963 8 | ; Class = "ActivityMonitor" ;This is determined by the work this filter driver does 9 | ; ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value 10 | Class = "ActivityMonitor" 11 | ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} 12 | Provider = %ManufacturerName% 13 | DriverVer = 02/09/2024,15.56.1.759 14 | CatalogFile = FileHide.cat 15 | PnpLockDown=1 16 | 17 | [DestinationDirs] 18 | DefaultDestDir = 12 19 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers 20 | 21 | ;; 22 | ;; Default install sections 23 | ;; 24 | 25 | [DefaultInstall] 26 | OptionDesc = %ServiceDescription% 27 | CopyFiles = MiniFilter.DriverFiles 28 | 29 | [DefaultInstall.Services] 30 | AddService = %ServiceName%,,MiniFilter.Service 31 | 32 | ;; 33 | ;; Default uninstall sections 34 | ;; 35 | 36 | [DefaultUninstall] 37 | DelFiles = MiniFilter.DriverFiles 38 | 39 | [DefaultUninstall.Services] 40 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting 41 | 42 | ; 43 | ; Services Section 44 | ; 45 | 46 | [MiniFilter.Service] 47 | DisplayName = %ServiceName% 48 | Description = %ServiceDescription% 49 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\ 50 | Dependencies = "FltMgr" 51 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER 52 | StartType = 3 ;SERVICE_DEMAND_START 53 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL 54 | ; TODO - Change the Load Order Group value 55 | ; LoadOrderGroup = "FSFilter Activity Monitor" 56 | LoadOrderGroup = "FSFilter Activity Monitor" 57 | AddReg = MiniFilter.AddRegistry 58 | 59 | ; 60 | ; Registry Modifications 61 | ; 62 | 63 | [MiniFilter.AddRegistry] 64 | HKR,,"DebugFlags",0x00010001 ,0x0 65 | HKR,,"SupportedFeatures",0x00010001,0x3 66 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% 67 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% 68 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% 69 | 70 | ; 71 | ; Copy Files 72 | ; 73 | 74 | [MiniFilter.DriverFiles] 75 | %DriverName%.sys 76 | 77 | [SourceDisksFiles] 78 | FileHide.sys = 1,, 79 | 80 | [SourceDisksNames] 81 | 1 = %DiskId1%,,, 82 | 83 | ;; 84 | ;; String Section 85 | ;; 86 | 87 | [Strings] 88 | ; TODO - Add your manufacturer 89 | ManufacturerName = "Template" 90 | ServiceDescription = "FileHide Mini-Filter Driver" 91 | ServiceName = "FileHide" 92 | DriverName = "FileHide" 93 | DiskId1 = "FileHide Device Installation Disk" 94 | 95 | ;Instances specific information. 96 | DefaultInstance = "FileHide Instance" 97 | Instance1.Name = "FileHide Instance" 98 | ; TODO - Change the altitude value, see https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers 99 | Instance1.Altitude = "39333" 100 | Instance1.Flags = 0x0 ; Allow all attachments 101 | -------------------------------------------------------------------------------- /FileHide/x64/Release/FileHide/FileHide.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/FileHide/c3ddb18715dfa362d279414aea46edffe0e83c83/FileHide/x64/Release/FileHide/FileHide.sys -------------------------------------------------------------------------------- /FileHide/x64/Release/FileHide/filehide.cat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/FileHide/c3ddb18715dfa362d279414aea46edffe0e83c83/FileHide/x64/Release/FileHide/filehide.cat -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2024 Windy Bug 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # FileHide Minifilter Driver 2 | FileHide is a minifiter driver that allows you to hide your files or directories 3 | 4 | Tested on Windows 10 21H2 and 22H2 5 | 6 | # Usage: 7 | modify the TARGET_FILE(file/directory name only) and TARGET_FOLDER(parent directory of the file to hide) in 'main.h' 8 | 9 | 10 | 11 | # How it works 12 | programs like explorer use functions like NtQueryDirectoryFile to obtain information about directories and their contents 13 | 14 | the corresponding sent IRP is IRP_MJ_DIRECTORY_CONTROL with MinorFunction of IRP_MN_QUERY 15 | 16 | we register both pre and post filters for IRP_MJ_DIRECTORY_CONTROL 17 | 18 | the pre filter is responsible to reduce overhead by filtering out uninteresting directory controls and returning FLT_PREOP_SUCCESS_NO_CALLBACK 19 | 20 | the post filter , which is invoked only for directory queries we care about , is responsible for parsing the query results buffer structure and removing the file we wish to hide 21 | 22 | *************************** 23 | # Demo 24 | before loading FileHide 25 | 26 | ![FileHide_Before](https://github.com/0mWindyBug/FileHide/assets/139051196/d9861966-f4a2-46b6-b869-1a77a5d9660a) 27 | 28 | after loading FileHide 29 | 30 | ![FileHide_After](https://github.com/0mWindyBug/FileHide/assets/139051196/974240d2-a923-415b-8c02-174741dcbe7e) 31 | 32 | 33 | 34 | --------------------------------------------------------------------------------