├── .gitignore
├── KillDriverProtect.sln
├── KillDriverProtect
    ├── Driver.c
    ├── Helper.c
    ├── Helper.h
    ├── KillDriverProtect.inf
    ├── KillDriverProtect.vcxproj
    ├── KillDriverProtect.vcxproj.filters
    ├── KillDriverProtect.vcxproj.user
    ├── KillFsFilter.c
    ├── KillFsFilter.h
    ├── KillRegFilter.c
    └── KillRegFilter.h
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
1 | /.vs
2 | /Release
3 | /x64
4 | /KillDriverProtect/Release
5 | /KillDriverProtect/x64
6 | 


--------------------------------------------------------------------------------
/KillDriverProtect.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 15
 4 | VisualStudioVersion = 15.0.28307.1433
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KillDriverProtect", "KillDriverProtect\KillDriverProtect.vcxproj", "{C13FA071-EEB9-4325-811A-CF70B1553C95}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|ARM = Debug|ARM
11 | 		Debug|ARM64 = Debug|ARM64
12 | 		Debug|x64 = Debug|x64
13 | 		Debug|x86 = Debug|x86
14 | 		Release|ARM = Release|ARM
15 | 		Release|ARM64 = Release|ARM64
16 | 		Release|x64 = Release|x64
17 | 		Release|x86 = Release|x86
18 | 	EndGlobalSection
19 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Debug|ARM.ActiveCfg = Debug|ARM
21 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Debug|ARM.Build.0 = Debug|ARM
22 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Debug|ARM.Deploy.0 = Debug|ARM
23 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Debug|ARM64.ActiveCfg = Debug|ARM64
24 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Debug|ARM64.Build.0 = Debug|ARM64
25 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Debug|ARM64.Deploy.0 = Debug|ARM64
26 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Debug|x64.ActiveCfg = Debug|x64
27 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Debug|x64.Build.0 = Debug|x64
28 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Debug|x64.Deploy.0 = Debug|x64
29 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Debug|x86.ActiveCfg = Debug|Win32
30 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Debug|x86.Build.0 = Debug|Win32
31 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Debug|x86.Deploy.0 = Debug|Win32
32 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Release|ARM.ActiveCfg = Release|ARM
33 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Release|ARM.Build.0 = Release|ARM
34 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Release|ARM.Deploy.0 = Release|ARM
35 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Release|ARM64.ActiveCfg = Release|ARM64
36 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Release|ARM64.Build.0 = Release|ARM64
37 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Release|ARM64.Deploy.0 = Release|ARM64
38 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Release|x64.ActiveCfg = Release|x64
39 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Release|x64.Build.0 = Release|x64
40 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Release|x64.Deploy.0 = Release|x64
41 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Release|x86.ActiveCfg = Release|Win32
42 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Release|x86.Build.0 = Release|Win32
43 | 		{C13FA071-EEB9-4325-811A-CF70B1553C95}.Release|x86.Deploy.0 = Release|Win32
44 | 	EndGlobalSection
45 | 	GlobalSection(SolutionProperties) = preSolution
46 | 		HideSolutionNode = FALSE
47 | 	EndGlobalSection
48 | 	GlobalSection(ExtensibilityGlobals) = postSolution
49 | 		SolutionGuid = {33867E0F-4417-4835-87FB-A83170AB4397}
50 | 	EndGlobalSection
51 | EndGlobal
52 | 


--------------------------------------------------------------------------------
/KillDriverProtect/Driver.c:
--------------------------------------------------------------------------------
 1 | #include "KillFsFilter.h"
 2 | #include "KillRegFilter.h"
 3 | 
 4 | VOID DriverUnload(PDRIVER_OBJECT DriverObject)
 5 | {
 6 | }
 7 | 
 8 | NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 9 | {
10 | 	KillFsFilter();
11 | 
12 | 	KillRegFilter();
13 | 
14 | 	DriverObject->DriverUnload = DriverUnload;
15 | 
16 | 	return STATUS_SUCCESS;
17 | }


--------------------------------------------------------------------------------
/KillDriverProtect/Helper.c:
--------------------------------------------------------------------------------
 1 | #include "Helper.h"
 2 | 
 3 | VOID DisableFunctionWithReturnZero(PVOID Address, int retType)
 4 | {
 5 | 	KIRQL irql;
 6 | 	CHAR* patchCode = (char *)ExAllocatePool(NonPagedPool, 5);
 7 | 	int length;
 8 | 
 9 | 	if (retType == 0) //ret
10 | 	{
11 | 		char* temp = "\x33\xC0\xC3";
12 | 		length = 3;
13 | 		memmove(patchCode, temp, length);
14 | 	}
15 | 	else if (retType == 1) //ret c
16 | 	{
17 | 		char* temp = "\x33\xC0\xc2\x0c\x00";
18 | 		length = 5;
19 | 		memmove(patchCode, temp, length);
20 | 	}
21 | 	else if (retType == 2) //ret 0x10
22 | 	{
23 | 		char* temp = "\x33\xC0\xc2\x10\x00";
24 | 		length = 5;
25 | 		memmove(patchCode, temp, length);
26 | 	}
27 | 
28 | 	if (MmIsAddressValid(Address))
29 | 	{
30 | 		irql = WPOFF();
31 | 		memmove(Address, patchCode, length);
32 | 		WPON(irql);
33 | 	}
34 | }
35 | 
36 | VOID DisableFunctionWithReturnOne(PVOID Address, int retType)
37 | {
38 | 	KIRQL irql;
39 | 	CHAR* patchCode = (char *)ExAllocatePool(NonPagedPool, 8);
40 | 	int length;
41 | 
42 | 	if (retType == 0) //ret
43 | 	{
44 | 		char* temp = "\xb8\x01\x00\x00\x00\xc3";
45 | 		length = 6;
46 | 		memmove(patchCode, temp, length);
47 | 	}
48 | 	else if (retType == 1) //ret c
49 | 	{
50 | 		char* temp = "\xb8\x01\x00\x00\x00\xc2\x0c\x00";
51 | 		length = 8;
52 | 		memmove(patchCode, temp, length);
53 | 	}
54 | 	else if (retType == 2) //ret 0x10
55 | 	{
56 | 		char* temp = "\xb8\x01\x00\x00\x00\xc2\x10\x00";
57 | 		length = 8;
58 | 		memmove(patchCode, temp, length);
59 | 	}
60 | 
61 | 	if (MmIsAddressValid(Address))
62 | 	{
63 | 		irql = WPOFF();
64 | 		memmove(Address, patchCode, length);
65 | 		WPON(irql);
66 | 	}
67 | }
68 | 
69 | KIRQL WPOFF()
70 | {
71 | 	KIRQL irql = KeRaiseIrqlToDpcLevel();
72 | #ifdef _WIN64
73 | 	UINT64 cr0 = __readcr0();
74 | 	cr0 &= 0xfffffffffffeffff;
75 | # else
76 | 	UINT32 cr0 = __readcr0();
77 | 	cr0 &= 0xFFFEFFFF;
78 | # endif
79 | 	__writecr0(cr0);
80 | 	_disable();
81 | 	return irql;
82 | }
83 | 
84 | void WPON(KIRQL irql)
85 | {
86 | #ifdef _WIN64
87 | 	UINT64 cr0 = __readcr0();
88 | 	cr0 |= 0x10000;
89 | # else
90 | 	UINT32 cr0 = __readcr0();
91 | 	cr0 |= (!0xFFFEFFFF);
92 | # endif
93 | 	_enable();
94 | 	__writecr0(cr0);
95 | 	KeLowerIrql(irql);
96 | }
97 | 


--------------------------------------------------------------------------------
/KillDriverProtect/Helper.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <Ntddk.h>
 3 | 
 4 | #define _LogMsg(lvl, lvlname, frmt, ...) \
 5 | 	DbgPrintEx(\
 6 | 		DPFLTR_IHVDRIVER_ID, \
 7 | 		lvl, \
 8 | 		"[" lvlname "] [irql:%Iu,pid:%Iu,tid:%Iu]\tKillDriverProtect!" __FUNCTION__ ": " frmt "\n", \
 9 | 		KeGetCurrentIrql(), \
10 | 		PsGetCurrentProcessId(), \
11 | 		PsGetCurrentThreadId(), \
12 | 		__VA_ARGS__ \
13 | 	)
14 | 
15 | #define LogError(frmt,   ...) _LogMsg(DPFLTR_ERROR_LEVEL,   "error",   frmt, __VA_ARGS__)
16 | #define LogWarning(frmt, ...) _LogMsg(DPFLTR_WARNING_LEVEL, "warning", frmt, __VA_ARGS__)
17 | #define LogTrace(frmt,   ...) _LogMsg(DPFLTR_TRACE_LEVEL,   "trace",   frmt, __VA_ARGS__)
18 | #define LogInfo(frmt,    ...) _LogMsg(DPFLTR_INFO_LEVEL,    "info",    frmt, __VA_ARGS__)
19 | 
20 | VOID DisableFunctionWithReturnZero(PVOID Address, int retType);
21 | VOID DisableFunctionWithReturnOne(PVOID Address, int retType);
22 | 
23 | KIRQL WPOFF();
24 | void WPON(KIRQL irql);
25 | 
26 | 


--------------------------------------------------------------------------------
/KillDriverProtect/KillDriverProtect.inf:
--------------------------------------------------------------------------------
 1 | ;;;
 2 | ;;; KillDriverProtect
 3 | ;;;
 4 | 
 5 | [Version]
 6 | Signature   = "$Windows NT$"
 7 | ; TODO - Change the Class and ClassGuid to match the Load Order Group value, see http://msdn.microsoft.com/en-us/windows/hardware/gg462963
 8 | Class       = "ActivityMonitor"                         ;This is determined by the work this filter driver does
 9 | ClassGuid   = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}    ;This value is determined by the Load Order Group value
10 | Provider    = %ManufacturerName%
11 | DriverVer   = 3/27/2016
12 | CatalogFile = KillDriverProtect.cat
13 | 
14 | [DestinationDirs]
15 | DefaultDestDir          = 12
16 | MiniFilter.DriverFiles  = 12            ;%windir%\system32\drivers
17 | 
18 | ;;
19 | ;; Default install sections
20 | ;;
21 | 
22 | [DefaultInstall]
23 | OptionDesc          = %ServiceDescription%
24 | CopyFiles           = MiniFilter.DriverFiles
25 | 
26 | [DefaultInstall.Services]
27 | AddService          = %ServiceName%,,MiniFilter.Service
28 | 
29 | ;;
30 | ;; Default uninstall sections
31 | ;;
32 | 
33 | [DefaultUninstall]
34 | DelFiles   = MiniFilter.DriverFiles
35 | 
36 | [DefaultUninstall.Services]
37 | DelService = %ServiceName%,0x200      ;Ensure service is stopped before deleting
38 | 
39 | ;
40 | ; Services Section
41 | ;
42 | 
43 | [MiniFilter.Service]
44 | DisplayName      = %ServiceName%
45 | Description      = %ServiceDescription%
46 | ServiceBinary    = %12%\%DriverName%.sys        ;%windir%\system32\drivers\
47 | Dependencies     = "FltMgr"
48 | ServiceType      = 2                            ;SERVICE_FILE_SYSTEM_DRIVER
49 | StartType        = 3                            ;SERVICE_DEMAND_START
50 | ErrorControl     = 1                            ;SERVICE_ERROR_NORMAL
51 | ; TODO - Change the Load Order Group value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512
52 | LoadOrderGroup = "FSFilter Activity Monitor"
53 | ;LoadOrderGroup = "_TODO_Change_LoadOrderGroup_appropriately_"
54 | AddReg           = MiniFilter.AddRegistry
55 | 
56 | ;
57 | ; Registry Modifications
58 | ;
59 | 
60 | [MiniFilter.AddRegistry]
61 | HKR,,"DebugFlags",0x00010001 ,0x0
62 | HKR,,"SupportedFeatures",0x00010001,0x3
63 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
64 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
65 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%
66 | 
67 | ;
68 | ; Copy Files
69 | ;
70 | 
71 | [MiniFilter.DriverFiles]
72 | %DriverName%.sys
73 | 
74 | [SourceDisksFiles]
75 | KillDriverProtect.sys = 1,,
76 | 
77 | [SourceDisksNames]
78 | 1 = %DiskId1%,,,
79 | 
80 | ;;
81 | ;; String Section
82 | ;;
83 | 
84 | [Strings]
85 | ; TODO - Add your manufacturer
86 | ManufacturerName        = "Template"
87 | ServiceDescription      = "KillDriverProtect Kernel Driver"
88 | ServiceName             = "KillDriverProtect"
89 | DriverName              = "KillDriverProtect"
90 | DiskId1                 = "KillDriverProtect Device Installation Disk"
91 | 
92 | ;Instances specific information.
93 | DefaultInstance         = "KillDriverProtect Instance"
94 | Instance1.Name          = "KillDriverProtect Instance"
95 | ; TODO - Change the altitude value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512
96 | Instance1.Altitude      = "370030"
97 | ;Instance.Altitude       = "_TODO_Change_Altitude_appropriately_"
98 | Instance1.Flags         = 0x0              ; Allow all attachments
99 | 


--------------------------------------------------------------------------------
/KillDriverProtect/KillDriverProtect.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Debug|ARM">
 21 |       <Configuration>Debug</Configuration>
 22 |       <Platform>ARM</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|ARM">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>ARM</Platform>
 27 |     </ProjectConfiguration>
 28 |     <ProjectConfiguration Include="Debug|ARM64">
 29 |       <Configuration>Debug</Configuration>
 30 |       <Platform>ARM64</Platform>
 31 |     </ProjectConfiguration>
 32 |     <ProjectConfiguration Include="Release|ARM64">
 33 |       <Configuration>Release</Configuration>
 34 |       <Platform>ARM64</Platform>
 35 |     </ProjectConfiguration>
 36 |   </ItemGroup>
 37 |   <PropertyGroup Label="Globals">
 38 |     <ProjectGuid>{C13FA071-EEB9-4325-811A-CF70B1553C95}</ProjectGuid>
 39 |     <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
 40 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 41 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 42 |     <Configuration>Debug</Configuration>
 43 |     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
 44 |     <RootNamespace>KillDriverProtect</RootNamespace>
 45 |   </PropertyGroup>
 46 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 48 |     <TargetVersion>Windows10</TargetVersion>
 49 |     <UseDebugLibraries>true</UseDebugLibraries>
 50 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 51 |     <ConfigurationType>Driver</ConfigurationType>
 52 |     <DriverType>KMDF</DriverType>
 53 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 54 |   </PropertyGroup>
 55 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 56 |     <TargetVersion>Windows7</TargetVersion>
 57 |     <UseDebugLibraries>false</UseDebugLibraries>
 58 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 59 |     <ConfigurationType>Driver</ConfigurationType>
 60 |     <DriverType>KMDF</DriverType>
 61 |     <DriverTargetPlatform>
 62 |     </DriverTargetPlatform>
 63 |   </PropertyGroup>
 64 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 65 |     <TargetVersion>Windows10</TargetVersion>
 66 |     <UseDebugLibraries>true</UseDebugLibraries>
 67 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 68 |     <ConfigurationType>Driver</ConfigurationType>
 69 |     <DriverType>KMDF</DriverType>
 70 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 71 |   </PropertyGroup>
 72 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 73 |     <TargetVersion>Windows7</TargetVersion>
 74 |     <UseDebugLibraries>false</UseDebugLibraries>
 75 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 76 |     <ConfigurationType>Driver</ConfigurationType>
 77 |     <DriverType>KMDF</DriverType>
 78 |     <DriverTargetPlatform>
 79 |     </DriverTargetPlatform>
 80 |   </PropertyGroup>
 81 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
 82 |     <TargetVersion>Windows10</TargetVersion>
 83 |     <UseDebugLibraries>true</UseDebugLibraries>
 84 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 85 |     <ConfigurationType>Driver</ConfigurationType>
 86 |     <DriverType>KMDF</DriverType>
 87 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 88 |   </PropertyGroup>
 89 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
 90 |     <TargetVersion>Windows10</TargetVersion>
 91 |     <UseDebugLibraries>false</UseDebugLibraries>
 92 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 93 |     <ConfigurationType>Driver</ConfigurationType>
 94 |     <DriverType>KMDF</DriverType>
 95 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 96 |   </PropertyGroup>
 97 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
 98 |     <TargetVersion>Windows10</TargetVersion>
 99 |     <UseDebugLibraries>true</UseDebugLibraries>
100 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
101 |     <ConfigurationType>Driver</ConfigurationType>
102 |     <DriverType>KMDF</DriverType>
103 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
104 |   </PropertyGroup>
105 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
106 |     <TargetVersion>Windows10</TargetVersion>
107 |     <UseDebugLibraries>false</UseDebugLibraries>
108 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
109 |     <ConfigurationType>Driver</ConfigurationType>
110 |     <DriverType>KMDF</DriverType>
111 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
112 |   </PropertyGroup>
113 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
114 |   <ImportGroup Label="ExtensionSettings">
115 |   </ImportGroup>
116 |   <ImportGroup Label="PropertySheets">
117 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
118 |   </ImportGroup>
119 |   <PropertyGroup Label="UserMacros" />
120 |   <PropertyGroup />
121 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
122 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
123 |   </PropertyGroup>
124 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
125 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
126 |   </PropertyGroup>
127 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
128 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
129 |   </PropertyGroup>
130 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
131 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
132 |   </PropertyGroup>
133 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
134 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
135 |   </PropertyGroup>
136 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
137 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
138 |   </PropertyGroup>
139 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
140 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
141 |   </PropertyGroup>
142 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
143 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
144 |   </PropertyGroup>
145 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
146 |     <Link>
147 |       <AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib;$(KMDF_LIB_PATH)$(KMDF_VER_PATH)\WdfLdr.lib;$(KMDF_LIB_PATH)$(KMDF_VER_PATH)\WdfDriverEntry.lib</AdditionalDependencies>
148 |     </Link>
149 |     <ClCompile>
150 |       <TreatWarningAsError>false</TreatWarningAsError>
151 |     </ClCompile>
152 |   </ItemDefinitionGroup>
153 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
154 |     <ClCompile>
155 |       <TreatWarningAsError>false</TreatWarningAsError>
156 |     </ClCompile>
157 |     <Link>
158 |       <AdditionalDependencies>$(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib;$(KMDF_LIB_PATH)$(KMDF_VER_PATH)\WdfLdr.lib;$(KMDF_LIB_PATH)$(KMDF_VER_PATH)\WdfDriverEntry.lib</AdditionalDependencies>
159 |     </Link>
160 |   </ItemDefinitionGroup>
161 |   <ItemGroup>
162 |     <Inf Include="KillDriverProtect.inf" />
163 |   </ItemGroup>
164 |   <ItemGroup>
165 |     <FilesToPackage Include="$(TargetPath)" />
166 |   </ItemGroup>
167 |   <ItemGroup>
168 |     <ClCompile Include="Driver.c" />
169 |     <ClCompile Include="Helper.c" />
170 |     <ClCompile Include="KillFsFilter.c" />
171 |     <ClCompile Include="KillRegFilter.c" />
172 |   </ItemGroup>
173 |   <ItemGroup>
174 |     <ClInclude Include="Helper.h" />
175 |     <ClInclude Include="KillFsFilter.h" />
176 |     <ClInclude Include="KillRegFilter.h" />
177 |   </ItemGroup>
178 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
179 |   <ImportGroup Label="ExtensionTargets">
180 |   </ImportGroup>
181 | </Project>


--------------------------------------------------------------------------------
/KillDriverProtect/KillDriverProtect.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <Inf Include="KillDriverProtect.inf">
23 |       <Filter>Driver Files</Filter>
24 |     </Inf>
25 |   </ItemGroup>
26 |   <ItemGroup>
27 |     <ClCompile Include="Driver.c">
28 |       <Filter>Source Files</Filter>
29 |     </ClCompile>
30 |     <ClCompile Include="KillFsFilter.c">
31 |       <Filter>Source Files</Filter>
32 |     </ClCompile>
33 |     <ClCompile Include="Helper.c">
34 |       <Filter>Source Files</Filter>
35 |     </ClCompile>
36 |     <ClCompile Include="KillRegFilter.c">
37 |       <Filter>Source Files</Filter>
38 |     </ClCompile>
39 |   </ItemGroup>
40 |   <ItemGroup>
41 |     <ClInclude Include="Helper.h">
42 |       <Filter>Header Files</Filter>
43 |     </ClInclude>
44 |     <ClInclude Include="KillFsFilter.h">
45 |       <Filter>Header Files</Filter>
46 |     </ClInclude>
47 |     <ClInclude Include="KillRegFilter.h">
48 |       <Filter>Header Files</Filter>
49 |     </ClInclude>
50 |   </ItemGroup>
51 | </Project>


--------------------------------------------------------------------------------
/KillDriverProtect/KillDriverProtect.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/KillDriverProtect/KillFsFilter.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Neo-Maoku/KillDriverProtect/2ff86c4cb41d4a1ad00d17a74b014c0f8c026edb/KillDriverProtect/KillFsFilter.c


--------------------------------------------------------------------------------
/KillDriverProtect/KillFsFilter.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include <fltKernel.h>
3 | #include <Ntddk.h>
4 | 
5 | ULONG KillFsFilter();
6 | 
7 | 


--------------------------------------------------------------------------------
/KillDriverProtect/KillRegFilter.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Neo-Maoku/KillDriverProtect/2ff86c4cb41d4a1ad00d17a74b014c0f8c026edb/KillDriverProtect/KillRegFilter.c


--------------------------------------------------------------------------------
/KillDriverProtect/KillRegFilter.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include <Ntddk.h>
3 | 
4 | ULONG KillRegFilter();
5 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # KillDriverProtect
 2 | 1. **关闭恶意驱动的文件和注册表保护**
 3 |    - 去除MINIFilter的IRP_MJ_CREATE的PRE回调,IRP_MJ_DIRECTORY_CONTROL的PRE和POST回调
 4 |    - 使用CmUnRegisterCallback去除注册表回调
 5 | 2. **当前只在win7(x86，x64)，win10（x64）系统上测试过，且均测试成功**
 6 | 3. **使用方法**
 7 |    - 拷贝KillDriverProtect.inf和KillDriverProtect.sys到目标机器
 8 |    - 使用禁用签名方式启动机器
 9 |    - 右击KillDriverProtect.inf，点安装
10 |    - 已管理员权限启动cmd
11 |    - 启动服务：**sc start KillDriverProtect**
12 | 


--------------------------------------------------------------------------------