├── Providence ├── User │ ├── User.vcxproj.user │ ├── runsdvui.cmd │ ├── scanner.c │ ├── scanner.h │ ├── User.vcxproj.filters │ ├── main.c │ └── User.vcxproj ├── Providence │ ├── App.config │ ├── Properties │ │ ├── Settings.settings │ │ ├── Settings.Designer.cs │ │ ├── AssemblyInfo.cs │ │ ├── Resources.Designer.cs │ │ └── Resources.resx │ ├── Program.cs │ ├── Form1.cs │ ├── Providence.csproj │ ├── Form1.resx │ └── Form1.Designer.cs ├── Filter │ ├── sdv │ │ ├── StaticDVTrace.log │ │ └── SDV.DVL.xml │ ├── Filter.vcxproj.user │ ├── Filter.vcxproj.filters │ ├── Filter.inf │ ├── Filter.vcxproj │ └── Driver.c ├── Common │ └── common.h └── Providence.sln └── README.md /Providence/User/User.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Providence/User/runsdvui.cmd: -------------------------------------------------------------------------------- 1 | cd /d "c:\Users\Zen\documents\visual studio 2015\Projects\Providence\User" &msbuild "User.vcxproj" /t:sdvViewer /p:configuration="Debug" /p:platform=Win32 2 | exit %errorlevel% -------------------------------------------------------------------------------- /Providence/Providence/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /Providence/Filter/sdv/StaticDVTrace.log: -------------------------------------------------------------------------------- 1 | 7/14/2018 2:58:56 PM:SDV does not support this build environment. 2 | 7/14/2018 2:58:56 PM:Driver type is 'wdf_fs_wdf'. This driver type is not supported by SDV. Please consult the documentation for supported driver types. 3 | -------------------------------------------------------------------------------- /Providence/Providence/Properties/Settings.settings: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /Providence/User/scanner.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "scanner.h" 4 | 5 | BOOL ScanFile(LPCSTR lpFileName, PSCAN_CALLBACK_USER_DATA pScanData) { 6 | DBG_PRINT("Scanning file: %s\n", lpFileName); 7 | 8 | // Simulate infection status (1/100 infected rate). 9 | pScanData->bIsDetected = rand() % 100 > 0 ? FALSE : TRUE; 10 | 11 | return TRUE; 12 | } -------------------------------------------------------------------------------- /Providence/Filter/Filter.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | TestSign 5 | 6 | 7 | TestSign 8 | 9 | -------------------------------------------------------------------------------- /Providence/User/scanner.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #ifndef __SCANNER_H__ 3 | #define __SCANNER_H__ 4 | 5 | #include 6 | 7 | #define DEBUG 8 | #ifdef DEBUG 9 | #define DBG_PRINT(_fmt, ...) printf(_fmt, __VA_ARGS__) 10 | #else 11 | #define DBG_PRINT(_fmt, ...) { NOTHING; } 12 | #endif // DEBUG 13 | 14 | typedef struct _SCAN_CALLBACK_USER_DATA { 15 | BOOL bIsDetected; 16 | } SCAN_CALLBACK_USER_DATA, *PSCAN_CALLBACK_USER_DATA; 17 | 18 | BOOL ScanFile(LPCSTR lpFileName, PSCAN_CALLBACK_USER_DATA pScanData); 19 | 20 | #endif // !__SCANNER_H__ 21 | -------------------------------------------------------------------------------- /Providence/Providence/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Threading.Tasks; 5 | using System.Windows.Forms; 6 | 7 | namespace Providence { 8 | static class Program { 9 | ///

10 | /// The main entry point for the application. 11 | ///

12 | [STAThread] 13 | static void Main() { 14 | Application.EnableVisualStyles(); 15 | Application.SetCompatibleTextRenderingDefault(false); 16 | Application.Run(new Form1()); 17 | } 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /Providence/Common/common.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #ifndef __COMMON_H__ 3 | #define __COMMON_H__ 4 | 5 | #pragma warning(disable:4005) 6 | #undef MAX_PATH 7 | #ifndef MAX_PATH 8 | #define MAX_PATH 500 9 | #endif // !MAX_PATH 10 | 11 | #define PORT_NAME L"\\ProvidencePort" 12 | 13 | #pragma warning(disable:4200) 14 | typedef struct _SCAN_DATA_MESSAGE { 15 | WCHAR FilePath[MAX_PATH + 1]; // Path of the file name to scan. 16 | } SCAN_DATA_MESSAGE, *PSCAN_DATA_MESSAGE; 17 | 18 | typedef struct _SCAN_REPLY_MESSAGE { 19 | BOOLEAN Infected; // Infection state of the file. 20 | } SCAN_REPLY_MESSAGE, *PSCAN_REPLY_MESSAGE; 21 | 22 | #endif // !__COMMON_H__ 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Providence 2 | Kernel-mode file scanner. 3 | 4 | Based heavily on https://github.com/Microsoft/Windows-driver-samples/tree/ba25139ebc243c1a79dcd6168cc95563a467b7ef/filesys/miniFilter/scanner. 5 | 6 | Detects file creation in a kernel-mode driver and then sends the file path to the user-mode application for signature scanning. Also prevents file deletion of its own files. 7 | 8 | ## TODO 9 | 10 | 1. Remove hard-coded file path of own critical files and place into registry to be used by `RegistryPath` in `DriverEntry`. 11 | 2. Integrate YARA C library. 12 | 3. Add driver loading into the user-mode application. 13 | 4. Change user-mode application into DLL. 14 | 5. Complete C# GUI to be used with the user-mode DLL. 15 | -------------------------------------------------------------------------------- /Providence/Filter/sdv/SDV.DVL.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /Providence/Providence/Properties/Settings.Designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // Runtime Version:4.0.30319.42000 5 | // 6 | // Changes to this file may cause incorrect behavior and will be lost if 7 | // the code is regenerated. 8 | // 9 | //------------------------------------------------------------------------------ 10 | 11 | namespace Providence.Properties { 12 | 13 | 14 | [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()] 15 | [global::System.CodeDom.Compiler.GeneratedCodeAttribute("Microsoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator", "11.0.0.0")] 16 | internal sealed partial class Settings : global::System.Configuration.ApplicationSettingsBase { 17 | 18 | private static Settings defaultInstance = ((Settings)(global::System.Configuration.ApplicationSettingsBase.Synchronized(new Settings()))); 19 | 20 | public static Settings Default { 21 | get { 22 | return defaultInstance; 23 | } 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /Providence/User/User.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | -------------------------------------------------------------------------------- /Providence/Filter/Filter.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Driver Files 24 | 25 | 26 | 27 | 28 | Source Files 29 | 30 | 31 | -------------------------------------------------------------------------------- /Providence/Providence/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("Providence")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("Microsoft")] 12 | [assembly: AssemblyProduct("Providence")] 13 | [assembly: AssemblyCopyright("Copyright © Microsoft 2018")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("dff1e23c-4d66-43b6-b9cd-5d5f7b300c4e")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /Providence/Providence/Form1.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.ComponentModel; 4 | using System.Data; 5 | using System.Drawing; 6 | using System.Linq; 7 | using System.Text; 8 | using System.Threading.Tasks; 9 | using System.Windows.Forms; 10 | 11 | namespace Providence { 12 | public partial class Form1 : Form { 13 | ToolTip rulesDirectoryToolTip; 14 | BackgroundWorker worker; 15 | bool scannerEnabled; 16 | 17 | public Form1() { 18 | InitializeComponent(); 19 | 20 | rulesDirectoryToolTip = new ToolTip(); 21 | worker = new BackgroundWorker(); 22 | scannerEnabled = true; 23 | } 24 | 25 | private void disableScannerButton_Click(object sender, EventArgs e) { 26 | if (scannerEnabled) { 27 | // Disconnect application from filter port. 28 | 29 | disableScannerButton.Text = "Enable Scanner"; 30 | 31 | scannerEnabled = false; 32 | } else { 33 | // Connect application to filter port. 34 | 35 | disableScannerButton.Text = "Disable Scanner"; 36 | 37 | scannerEnabled = true; 38 | } 39 | } 40 | 41 | private void browseButton_Click(object sender, EventArgs e) { 42 | // Open dialog. 43 | FolderBrowserDialog fbd = new FolderBrowserDialog(); 44 | if (fbd.ShowDialog() == DialogResult.OK) { 45 | // Modify rulesDirectoryTextbox text to selected directory. 46 | rulesDirectoryTextbox.Text = fbd.SelectedPath; 47 | } 48 | } 49 | 50 | private void rulesDirectoryTextbox_MouseHover(object sender, EventArgs e) { 51 | // Display tool tip of the text in rulesDirectoryTextbox if any. 52 | if (rulesDirectoryTextbox.Text != "") { 53 | rulesDirectoryToolTip.SetToolTip(rulesDirectoryTextbox, rulesDirectoryTextbox.Text); 54 | } 55 | } 56 | 57 | private void scanFilesButton_Click(object sender, EventArgs e) { 58 | // Open dialog. 59 | OpenFileDialog ofd = new OpenFileDialog(); 60 | ofd.CheckFileExists = true; 61 | ofd.Multiselect = true; 62 | if (ofd.ShowDialog() == DialogResult.OK) { 63 | // Select files and add them to a task queue to be scanned in a background worker. 64 | 65 | } 66 | } 67 | } 68 | } 69 | -------------------------------------------------------------------------------- /Providence/Filter/Filter.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; Filter.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=Sample ; TODO: edit Class 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=Filter.cat 11 | DriverVer= ; TODO: set DriverVer in stampinf property pages 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | Filter_Device_CoInstaller_CopyFiles = 11 16 | 17 | ; ================= Class section ===================== 18 | 19 | [ClassInstall32] 20 | Addreg=SampleClassReg 21 | 22 | [SampleClassReg] 23 | HKR,,,0,%ClassName% 24 | HKR,,Icon,,-5 25 | 26 | [SourceDisksNames] 27 | 1 = %DiskName%,,,"" 28 | 29 | [SourceDisksFiles] 30 | Filter.sys = 1,, 31 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames 32 | 33 | ;***************************************** 34 | ; Install Section 35 | ;***************************************** 36 | 37 | [Manufacturer] 38 | %ManufacturerName%=Standard,NT$ARCH$ 39 | 40 | [Standard.NT$ARCH$] 41 | %Filter.DeviceDesc%=Filter_Device, Root\Filter ; TODO: edit hw-id 42 | 43 | [Filter_Device.NT] 44 | CopyFiles=Drivers_Dir 45 | 46 | [Drivers_Dir] 47 | Filter.sys 48 | 49 | ;-------------- Service installation 50 | [Filter_Device.NT.Services] 51 | AddService = Filter,%SPSVCINST_ASSOCSERVICE%, Filter_Service_Inst 52 | 53 | ; -------------- Filter driver install sections 54 | [Filter_Service_Inst] 55 | DisplayName = %Filter.SVCDESC% 56 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 57 | StartType = 3 ; SERVICE_DEMAND_START 58 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 59 | ServiceBinary = %12%\Filter.sys 60 | 61 | ; 62 | ;--- Filter_Device Coinstaller installation ------ 63 | ; 64 | 65 | [Filter_Device.NT.CoInstallers] 66 | AddReg=Filter_Device_CoInstaller_AddReg 67 | CopyFiles=Filter_Device_CoInstaller_CopyFiles 68 | 69 | [Filter_Device_CoInstaller_AddReg] 70 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller" 71 | 72 | [Filter_Device_CoInstaller_CopyFiles] 73 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll 74 | 75 | [Filter_Device.NT.Wdf] 76 | KmdfService = Filter, Filter_wdfsect 77 | [Filter_wdfsect] 78 | KmdfLibraryVersion = $KMDFVERSION$ 79 | 80 | [Strings] 81 | SPSVCINST_ASSOCSERVICE= 0x00000002 82 | ManufacturerName="" ;TODO: Replace with your manufacturer name 83 | ClassName="Samples" ; TODO: edit ClassName 84 | DiskName = "Filter Installation Disk" 85 | Filter.DeviceDesc = "Filter Device" 86 | Filter.SVCDESC = "Filter Service" 87 | -------------------------------------------------------------------------------- /Providence/Providence/Properties/Resources.Designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // Runtime Version:4.0.30319.42000 5 | // 6 | // Changes to this file may cause incorrect behavior and will be lost if 7 | // the code is regenerated. 8 | // 9 | //------------------------------------------------------------------------------ 10 | 11 | namespace Providence.Properties { 12 | 13 | 14 | ///

15 | /// A strongly-typed resource class, for looking up localized strings, etc. 16 | ///

17 | // This class was auto-generated by the StronglyTypedResourceBuilder 18 | // class via a tool like ResGen or Visual Studio. 19 | // To add or remove a member, edit your .ResX file then rerun ResGen 20 | // with the /str option, or rebuild your VS project. 21 | [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")] 22 | [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] 23 | [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()] 24 | internal class Resources { 25 | 26 | private static global::System.Resources.ResourceManager resourceMan; 27 | 28 | private static global::System.Globalization.CultureInfo resourceCulture; 29 | 30 | [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")] 31 | internal Resources() { 32 | } 33 | 34 | ///

35 | /// Returns the cached ResourceManager instance used by this class. 36 | ///

37 | [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)] 38 | internal static global::System.Resources.ResourceManager ResourceManager { 39 | get { 40 | if ((resourceMan == null)) { 41 | global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Providence.Properties.Resources", typeof(Resources).Assembly); 42 | resourceMan = temp; 43 | } 44 | return resourceMan; 45 | } 46 | } 47 | 48 | ///

49 | /// Overrides the current thread's CurrentUICulture property for all 50 | /// resource lookups using this strongly typed resource class. 51 | ///

52 | [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)] 53 | internal static global::System.Globalization.CultureInfo Culture { 54 | get { 55 | return resourceCulture; 56 | } 57 | set { 58 | resourceCulture = value; 59 | } 60 | } 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /Providence/Providence/Providence.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E} 8 | WinExe 9 | Properties 10 | Providence 11 | Providence 12 | v4.5.2 13 | 512 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | Form 51 | 52 | 53 | Form1.cs 54 | 55 | 56 | 57 | 58 | Form1.cs 59 | 60 | 61 | ResXFileCodeGenerator 62 | Resources.Designer.cs 63 | Designer 64 | 65 | 66 | True 67 | Resources.resx 68 | 69 | 70 | SettingsSingleFileGenerator 71 | Settings.Designer.cs 72 | 73 | 74 | True 75 | Settings.settings 76 | True 77 | 78 | 79 | 80 | 81 | 82 | 83 | 90 | -------------------------------------------------------------------------------- /Providence/Providence/Properties/Resources.resx: -------------------------------------------------------------------------------- 1 | 2 | 3 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | text/microsoft-resx 107 | 108 | 109 | 2.0 110 | 111 | 112 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 113 | 114 | 115 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 116 | 117 | -------------------------------------------------------------------------------- /Providence/User/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include "common.h" 5 | #include "scanner.h" 6 | 7 | #define NUM_SCAN_THREADS 10 8 | 9 | typedef struct _PORT_DATA_THREAD_CONTEXT { 10 | HANDLE hFilterPort; 11 | HANDLE hCompletionPort; 12 | } PORT_DATA_THREAD_CONTEXT, *PPORT_DATA_THREAD_CONTEXT; 13 | 14 | typedef struct _USER_SCAN_DATA_MESSAGE { 15 | FILTER_MESSAGE_HEADER header; 16 | SCAN_DATA_MESSAGE data; 17 | OVERLAPPED ovlp; 18 | } USER_SCAN_DATA_MESSAGE, *PUSER_SCAN_DATA_MESSAGE; 19 | 20 | // Pack it or size calculation in FilterReplyMessage/FltSendMessage will complain about buffer overflow. 21 | #pragma pack(1) 22 | typedef struct _USER_SCAN_REPLY_MESSAGE { 23 | FILTER_REPLY_HEADER header; 24 | SCAN_REPLY_MESSAGE reply; 25 | } USER_SCAN_REPLY_MESSAGE, *PUSER_SCAN_REPLY_MESSAGE; 26 | 27 | VOID ScanThread(PPORT_DATA_THREAD_CONTEXT pContext) { 28 | DWORD dwBytes; 29 | ULONG_PTR ulKey; 30 | LPOVERLAPPED pOvlp; 31 | PUSER_SCAN_DATA_MESSAGE message = NULL; 32 | 33 | while (TRUE) { 34 | // Block until we get a message from the driver's FltSendMessage. 35 | BOOL bRet = GetQueuedCompletionStatus(pContext->hCompletionPort, &dwBytes, &ulKey, &pOvlp, INFINITE); 36 | if (bRet == FALSE) { 37 | DBG_PRINT("GetQueuedCompletionStatus error: <0x%08x>.\n", GetLastError()); 38 | break; 39 | } 40 | 41 | // Since the overlapped parameter is passed in as an address from FilterGetMessage, 42 | // we can retrieve the message structure via the CONTAINING_RECORD macro. 43 | message = CONTAINING_RECORD(pOvlp, USER_SCAN_DATA_MESSAGE, ovlp); 44 | 45 | USER_SCAN_REPLY_MESSAGE reply; 46 | reply.header.Status = 0; 47 | // Set the reply's message ID to correspond with the original message's. 48 | reply.header.MessageId = message->header.MessageId; 49 | 50 | // Scan the file and set the infection status. 51 | SCAN_CALLBACK_USER_DATA scanData; 52 | scanData.bIsDetected = FALSE; 53 | 54 | // Convert wide string to ASCII. 55 | CHAR szFilePath[MAX_PATH + 1]; 56 | ZeroMemory(szFilePath, MAX_PATH + 1); 57 | sprintf_s(szFilePath, MAX_PATH, "%ws", message->data.FilePath); 58 | 59 | if (ScanFile(szFilePath, &scanData) == FALSE) { 60 | DBG_PRINT("ScanFile failed.\n"); 61 | } 62 | reply.reply.Infected = (BOOLEAN)scanData.bIsDetected; 63 | 64 | if (reply.reply.Infected) { 65 | DBG_PRINT("File is infected!\n"); 66 | } 67 | 68 | HRESULT hr = FilterReplyMessage(pContext->hFilterPort, (PFILTER_REPLY_HEADER)&reply, sizeof(USER_SCAN_REPLY_MESSAGE)); 69 | if (!SUCCEEDED(hr)) { 70 | DBG_PRINT("Failed to reply to message: <0x%08x>.\n", hr); 71 | //break; 72 | } 73 | 74 | // Reset the overlapped data for another asynchronous message. 75 | ZeroMemory(&message->ovlp, sizeof(OVERLAPPED)); 76 | 77 | // Request for new message asynchronously. 78 | hr = FilterGetMessage(pContext->hFilterPort, &message->header, sizeof(FILTER_MESSAGE_HEADER) + sizeof(SCAN_DATA_MESSAGE), &message->ovlp); 79 | if (hr != HRESULT_FROM_WIN32(ERROR_IO_PENDING)) { 80 | if (hr == HRESULT_FROM_WIN32(ERROR_INVALID_HANDLE)) { 81 | DBG_PRINT("Driver port disconnected.\n"); 82 | } else { 83 | DBG_PRINT("Failed to get new message: <0x%08x>.\n", hr); 84 | } 85 | break; 86 | } 87 | } 88 | 89 | // Something wrong with this, I don't know why it BSODs. :'( 90 | HeapFree(GetProcessHeap(), 0, message); 91 | } 92 | 93 | int __cdecl main(int argc, char *argv[]) { 94 | UNREFERENCED_PARAMETER(argc); 95 | UNREFERENCED_PARAMETER(argv); 96 | 97 | // Seed infection status. 98 | srand((__rdtsc() << 32) >> 32); 99 | 100 | PORT_DATA_THREAD_CONTEXT ctx = { 0 }; 101 | 102 | // Connect to the driver's port. 103 | HANDLE hPort; 104 | HRESULT hr; 105 | while (IS_ERROR(hr = FilterConnectCommunicationPort(PORT_NAME, 0, NULL, 0, NULL, &hPort))); 106 | if (IS_ERROR(hr)) { 107 | DBG_PRINT("Failed to connect to communication port: <0x%08x>.\n", hr); 108 | return 1; 109 | } 110 | 111 | HANDLE hCompletion = CreateIoCompletionPort(hPort, NULL, 0, NUM_SCAN_THREADS); 112 | if (hCompletion == NULL) { 113 | DBG_PRINT("Failed to create completion port: <0x%08x>.\n", GetLastError()); 114 | goto cleanup; 115 | } 116 | 117 | DBG_PRINT("Filter port: 0x%p; Completion port: 0x%p\n", hPort, hCompletion); 118 | 119 | ctx.hFilterPort = hPort; 120 | ctx.hCompletionPort = hCompletion; 121 | 122 | DBG_PRINT("Creating threads.\n"); 123 | // Create threads to wait for messages from driver. 124 | HANDLE hThreadPool[NUM_SCAN_THREADS]; 125 | for (size_t i = 0; i < NUM_SCAN_THREADS; i++) { 126 | hThreadPool[i] = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ScanThread, &ctx, 0, NULL); 127 | 128 | if (hThreadPool[i] == NULL) { 129 | DBG_PRINT("Failed to create thread %d: <0x%08x>.\n", i, GetLastError()); 130 | goto cleanup; 131 | } 132 | 133 | // We free this in the thread worker. 134 | PUSER_SCAN_DATA_MESSAGE message = (PUSER_SCAN_DATA_MESSAGE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(USER_SCAN_DATA_MESSAGE)); 135 | if (message == NULL) { 136 | DBG_PRINT("Failed to create message in heap: <0X%08X>.\n", GetLastError()); 137 | goto cleanup; 138 | } 139 | 140 | ZeroMemory(&message->ovlp, sizeof(OVERLAPPED)); 141 | 142 | // Get messages from driver asynchronously. 143 | hr = FilterGetMessage(hPort, &message->header, sizeof(FILTER_MESSAGE_HEADER) + sizeof(SCAN_DATA_MESSAGE), &message->ovlp); 144 | if (hr != HRESULT_FROM_WIN32(ERROR_IO_PENDING)) { 145 | DBG_PRINT("FitlerGetMessage failed overlapped: <0x%08x>.\n", GetLastError()); 146 | goto cleanup; 147 | } 148 | } 149 | 150 | DBG_PRINT("Waiting for threads to complete.\n"); 151 | 152 | // Block until all threads have completed. 153 | WaitForMultipleObjects(NUM_SCAN_THREADS, hThreadPool, TRUE, INFINITE); 154 | 155 | cleanup: 156 | for (size_t i = 0; i < NUM_SCAN_THREADS; i++) { 157 | if (hThreadPool[i] != NULL) { 158 | CloseHandle(hThreadPool[i]); 159 | } 160 | } 161 | 162 | if (hCompletion != NULL) { 163 | CloseHandle(hCompletion); 164 | } 165 | 166 | if (hPort != NULL) { 167 | CloseHandle(hPort); 168 | } 169 | 170 | return 0; 171 | } -------------------------------------------------------------------------------- /Providence/Providence/Form1.resx: -------------------------------------------------------------------------------- 1 | 2 | 3 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | text/microsoft-resx 110 | 111 | 112 | 2.0 113 | 114 | 115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 116 | 117 | 118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 119 | 120 | -------------------------------------------------------------------------------- /Providence/Providence.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.25420.1 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Filter", "Filter\Filter.vcxproj", "{BEB82A2E-C245-4329-8E24-35F122BB636D}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "User", "User\User.vcxproj", "{BC752604-F439-4D0F-8D49-650DD44AD4E9}" 9 | EndProject 10 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Providence", "Providence\Providence.csproj", "{DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}" 11 | EndProject 12 | Global 13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 14 | Debug|Any CPU = Debug|Any CPU 15 | Debug|ARM = Debug|ARM 16 | Debug|ARM64 = Debug|ARM64 17 | Debug|x64 = Debug|x64 18 | Debug|x86 = Debug|x86 19 | Release|Any CPU = Release|Any CPU 20 | Release|ARM = Release|ARM 21 | Release|ARM64 = Release|ARM64 22 | Release|x64 = Release|x64 23 | Release|x86 = Release|x86 24 | EndGlobalSection 25 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 26 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Debug|Any CPU.ActiveCfg = Debug|Win32 27 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Debug|ARM.ActiveCfg = Debug|ARM 28 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Debug|ARM.Build.0 = Debug|ARM 29 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Debug|ARM.Deploy.0 = Debug|ARM 30 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Debug|ARM64.ActiveCfg = Debug|ARM64 31 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Debug|ARM64.Build.0 = Debug|ARM64 32 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Debug|ARM64.Deploy.0 = Debug|ARM64 33 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Debug|x64.ActiveCfg = Debug|x64 34 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Debug|x64.Build.0 = Debug|x64 35 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Debug|x64.Deploy.0 = Debug|x64 36 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Debug|x86.ActiveCfg = Release|Win32 37 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Debug|x86.Build.0 = Release|Win32 38 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Debug|x86.Deploy.0 = Release|Win32 39 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Release|Any CPU.ActiveCfg = Release|Win32 40 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Release|ARM.ActiveCfg = Release|ARM 41 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Release|ARM.Build.0 = Release|ARM 42 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Release|ARM.Deploy.0 = Release|ARM 43 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Release|ARM64.ActiveCfg = Release|ARM64 44 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Release|ARM64.Build.0 = Release|ARM64 45 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Release|ARM64.Deploy.0 = Release|ARM64 46 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Release|x64.ActiveCfg = Release|x64 47 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Release|x64.Build.0 = Release|x64 48 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Release|x64.Deploy.0 = Release|x64 49 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Release|x86.ActiveCfg = Release|Win32 50 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Release|x86.Build.0 = Release|Win32 51 | {BEB82A2E-C245-4329-8E24-35F122BB636D}.Release|x86.Deploy.0 = Release|Win32 52 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Debug|Any CPU.ActiveCfg = Debug|Win32 53 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Debug|ARM.ActiveCfg = Debug|ARM 54 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Debug|ARM.Build.0 = Debug|ARM 55 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Debug|ARM64.ActiveCfg = Debug|ARM64 56 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Debug|ARM64.Build.0 = Debug|ARM64 57 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Debug|x64.ActiveCfg = Debug|x64 58 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Debug|x64.Build.0 = Debug|x64 59 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Debug|x86.ActiveCfg = Release|Win32 60 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Debug|x86.Build.0 = Release|Win32 61 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Release|Any CPU.ActiveCfg = Release|Win32 62 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Release|ARM.ActiveCfg = Release|ARM 63 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Release|ARM.Build.0 = Release|ARM 64 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Release|ARM64.ActiveCfg = Release|ARM64 65 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Release|ARM64.Build.0 = Release|ARM64 66 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Release|x64.ActiveCfg = Release|x64 67 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Release|x64.Build.0 = Release|x64 68 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Release|x86.ActiveCfg = Release|Win32 69 | {BC752604-F439-4D0F-8D49-650DD44AD4E9}.Release|x86.Build.0 = Release|Win32 70 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 71 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Debug|Any CPU.Build.0 = Debug|Any CPU 72 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Debug|ARM.ActiveCfg = Debug|Any CPU 73 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Debug|ARM.Build.0 = Debug|Any CPU 74 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Debug|ARM64.ActiveCfg = Debug|Any CPU 75 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Debug|ARM64.Build.0 = Debug|Any CPU 76 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Debug|x64.ActiveCfg = Debug|Any CPU 77 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Debug|x64.Build.0 = Debug|Any CPU 78 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Debug|x86.ActiveCfg = Release|Any CPU 79 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Debug|x86.Build.0 = Release|Any CPU 80 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Release|Any CPU.ActiveCfg = Release|Any CPU 81 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Release|Any CPU.Build.0 = Release|Any CPU 82 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Release|ARM.ActiveCfg = Release|Any CPU 83 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Release|ARM.Build.0 = Release|Any CPU 84 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Release|ARM64.ActiveCfg = Release|Any CPU 85 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Release|ARM64.Build.0 = Release|Any CPU 86 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Release|x64.ActiveCfg = Release|Any CPU 87 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Release|x64.Build.0 = Release|Any CPU 88 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Release|x86.ActiveCfg = Release|Any CPU 89 | {DFF1E23C-4D66-43B6-B9CD-5D5F7B300C4E}.Release|x86.Build.0 = Release|Any CPU 90 | EndGlobalSection 91 | GlobalSection(SolutionProperties) = preSolution 92 | HideSolutionNode = FALSE 93 | EndGlobalSection 94 | EndGlobal 95 | -------------------------------------------------------------------------------- /Providence/User/User.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM 23 | 24 | 25 | Release 26 | ARM 27 | 28 | 29 | Debug 30 | ARM64 31 | 32 | 33 | Release 34 | ARM64 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | {BC752604-F439-4D0F-8D49-650DD44AD4E9} 46 | {504102d4-2172-473c-8adf-cd96e308f257} 47 | v4.5 48 | 12.0 49 | Debug 50 | Win32 51 | User 52 | $(LatestTargetPlatformVersion) 53 | 54 | 55 | 56 | Windows10 57 | true 58 | WindowsApplicationForDrivers10.0 59 | Application 60 | 61 | 62 | Windows10 63 | false 64 | WindowsApplicationForDrivers10.0 65 | Application 66 | 67 | 68 | Windows10 69 | true 70 | WindowsApplicationForDrivers10.0 71 | Application 72 | 73 | 74 | Windows10 75 | false 76 | WindowsApplicationForDrivers10.0 77 | Application 78 | 79 | 80 | Windows10 81 | true 82 | WindowsApplicationForDrivers10.0 83 | Application 84 | 85 | 86 | Windows10 87 | false 88 | WindowsApplicationForDrivers10.0 89 | Application 90 | 91 | 92 | Windows10 93 | true 94 | WindowsApplicationForDrivers10.0 95 | Application 96 | 97 | 98 | Windows10 99 | false 100 | WindowsApplicationForDrivers10.0 101 | Application 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | $(ProjectName) 112 | 113 | 114 | $(ProjectName) 115 | 116 | 117 | 118 | $(SolutionDir)\Common;%(AdditionalIncludeDirectories) 119 | false 120 | MultiThreaded 121 | 122 | 123 | true 124 | C:\Users\Zen\Documents\Visual Studio 2015\Projects\Providence\User\libyara;%(AdditionalLibraryDirectories) 125 | %(AdditionalDependencies);fltLib.lib 126 | RequireAdministrator 127 | 128 | 129 | 130 | 131 | $(SolutionDir)\Common;%(AdditionalIncludeDirectories) 132 | false 133 | MultiThreaded 134 | 135 | 136 | true 137 | C:\Users\Zen\Documents\Visual Studio 2015\Projects\Providence\User\libyara;%(AdditionalLibraryDirectories) 138 | %(AdditionalDependencies);fltLib.lib 139 | RequireAdministrator 140 | 141 | 142 | 143 | 144 | 145 | -------------------------------------------------------------------------------- /Providence/Providence/Form1.Designer.cs: -------------------------------------------------------------------------------- 1 | namespace Providence { 2 | partial class Form1 { 3 | ///

4 | /// Required designer variable. 5 | ///

6 | private System.ComponentModel.IContainer components = null; 7 | 8 | ///

9 | /// Clean up any resources being used. 10 | ///

11 | /// true if managed resources should be disposed; otherwise, false. 12 | protected override void Dispose(bool disposing) { 13 | if (disposing && (components != null)) { 14 | components.Dispose(); 15 | } 16 | base.Dispose(disposing); 17 | } 18 | 19 | #region Windows Form Designer generated code 20 | 21 | ///

22 | /// Required method for Designer support - do not modify 23 | /// the contents of this method with the code editor. 24 | ///

25 | private void InitializeComponent() { 26 | this.disableScannerButton = new System.Windows.Forms.Button(); 27 | this.browseButton = new System.Windows.Forms.Button(); 28 | this.rulesDirectoryLabel = new System.Windows.Forms.Label(); 29 | this.rulesDirectoryTextbox = new System.Windows.Forms.TextBox(); 30 | this.currentTaskLabel = new System.Windows.Forms.Label(); 31 | this.tabControl1 = new System.Windows.Forms.TabControl(); 32 | this.mainTabPage = new System.Windows.Forms.TabPage(); 33 | this.scanFilesButton = new System.Windows.Forms.Button(); 34 | this.settingsTabPage = new System.Windows.Forms.TabPage(); 35 | this.tabControl1.SuspendLayout(); 36 | this.mainTabPage.SuspendLayout(); 37 | this.settingsTabPage.SuspendLayout(); 38 | this.SuspendLayout(); 39 | // 40 | // disableScannerButton 41 | // 42 | this.disableScannerButton.Location = new System.Drawing.Point(7, 49); 43 | this.disableScannerButton.Name = "disableScannerButton"; 44 | this.disableScannerButton.Size = new System.Drawing.Size(262, 34); 45 | this.disableScannerButton.TabIndex = 0; 46 | this.disableScannerButton.Text = "Disable Scanner"; 47 | this.disableScannerButton.UseVisualStyleBackColor = true; 48 | this.disableScannerButton.Click += new System.EventHandler(this.disableScannerButton_Click); 49 | // 50 | // browseButton 51 | // 52 | this.browseButton.Location = new System.Drawing.Point(191, 16); 53 | this.browseButton.Name = "browseButton"; 54 | this.browseButton.Size = new System.Drawing.Size(78, 23); 55 | this.browseButton.TabIndex = 1; 56 | this.browseButton.Text = "Browse"; 57 | this.browseButton.UseVisualStyleBackColor = true; 58 | this.browseButton.Click += new System.EventHandler(this.browseButton_Click); 59 | // 60 | // rulesDirectoryLabel 61 | // 62 | this.rulesDirectoryLabel.AutoSize = true; 63 | this.rulesDirectoryLabel.Location = new System.Drawing.Point(4, 3); 64 | this.rulesDirectoryLabel.Name = "rulesDirectoryLabel"; 65 | this.rulesDirectoryLabel.Size = new System.Drawing.Size(80, 13); 66 | this.rulesDirectoryLabel.TabIndex = 2; 67 | this.rulesDirectoryLabel.Text = "Rules directory:"; 68 | // 69 | // rulesDirectoryTextbox 70 | // 71 | this.rulesDirectoryTextbox.Location = new System.Drawing.Point(7, 18); 72 | this.rulesDirectoryTextbox.Name = "rulesDirectoryTextbox"; 73 | this.rulesDirectoryTextbox.ReadOnly = true; 74 | this.rulesDirectoryTextbox.Size = new System.Drawing.Size(178, 20); 75 | this.rulesDirectoryTextbox.TabIndex = 3; 76 | this.rulesDirectoryTextbox.MouseHover += new System.EventHandler(this.rulesDirectoryTextbox_MouseHover); 77 | // 78 | // currentTaskLabel 79 | // 80 | this.currentTaskLabel.AutoSize = true; 81 | this.currentTaskLabel.Location = new System.Drawing.Point(4, 3); 82 | this.currentTaskLabel.Name = "currentTaskLabel"; 83 | this.currentTaskLabel.Size = new System.Drawing.Size(84, 13); 84 | this.currentTaskLabel.TabIndex = 4; 85 | this.currentTaskLabel.Text = "No active tasks."; 86 | // 87 | // tabControl1 88 | // 89 | this.tabControl1.Controls.Add(this.mainTabPage); 90 | this.tabControl1.Controls.Add(this.settingsTabPage); 91 | this.tabControl1.Location = new System.Drawing.Point(1, 1); 92 | this.tabControl1.Name = "tabControl1"; 93 | this.tabControl1.SelectedIndex = 0; 94 | this.tabControl1.Size = new System.Drawing.Size(283, 115); 95 | this.tabControl1.TabIndex = 5; 96 | // 97 | // mainTabPage 98 | // 99 | this.mainTabPage.Controls.Add(this.scanFilesButton); 100 | this.mainTabPage.Controls.Add(this.currentTaskLabel); 101 | this.mainTabPage.Location = new System.Drawing.Point(4, 22); 102 | this.mainTabPage.Name = "mainTabPage"; 103 | this.mainTabPage.Padding = new System.Windows.Forms.Padding(3); 104 | this.mainTabPage.Size = new System.Drawing.Size(275, 89); 105 | this.mainTabPage.TabIndex = 0; 106 | this.mainTabPage.Text = "Main"; 107 | this.mainTabPage.UseVisualStyleBackColor = true; 108 | // 109 | // scanFilesButton 110 | // 111 | this.scanFilesButton.Location = new System.Drawing.Point(7, 49); 112 | this.scanFilesButton.Name = "scanFilesButton"; 113 | this.scanFilesButton.Size = new System.Drawing.Size(262, 34); 114 | this.scanFilesButton.TabIndex = 5; 115 | this.scanFilesButton.Text = "Scan Files"; 116 | this.scanFilesButton.UseVisualStyleBackColor = true; 117 | this.scanFilesButton.Click += new System.EventHandler(this.scanFilesButton_Click); 118 | // 119 | // settingsTabPage 120 | // 121 | this.settingsTabPage.Controls.Add(this.rulesDirectoryLabel); 122 | this.settingsTabPage.Controls.Add(this.disableScannerButton); 123 | this.settingsTabPage.Controls.Add(this.browseButton); 124 | this.settingsTabPage.Controls.Add(this.rulesDirectoryTextbox); 125 | this.settingsTabPage.Location = new System.Drawing.Point(4, 22); 126 | this.settingsTabPage.Name = "settingsTabPage"; 127 | this.settingsTabPage.Padding = new System.Windows.Forms.Padding(3); 128 | this.settingsTabPage.Size = new System.Drawing.Size(275, 89); 129 | this.settingsTabPage.TabIndex = 1; 130 | this.settingsTabPage.Text = "Settings"; 131 | this.settingsTabPage.UseVisualStyleBackColor = true; 132 | // 133 | // Form1 134 | // 135 | this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 13F); 136 | this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font; 137 | this.ClientSize = new System.Drawing.Size(284, 115); 138 | this.Controls.Add(this.tabControl1); 139 | this.FormBorderStyle = System.Windows.Forms.FormBorderStyle.FixedSingle; 140 | this.MaximizeBox = false; 141 | this.Name = "Form1"; 142 | this.Text = "Providence Malware Scanner"; 143 | this.tabControl1.ResumeLayout(false); 144 | this.mainTabPage.ResumeLayout(false); 145 | this.mainTabPage.PerformLayout(); 146 | this.settingsTabPage.ResumeLayout(false); 147 | this.settingsTabPage.PerformLayout(); 148 | this.ResumeLayout(false); 149 | 150 | } 151 | 152 | #endregion 153 | 154 | private System.Windows.Forms.Button disableScannerButton; 155 | private System.Windows.Forms.Button browseButton; 156 | private System.Windows.Forms.Label rulesDirectoryLabel; 157 | private System.Windows.Forms.TextBox rulesDirectoryTextbox; 158 | private System.Windows.Forms.Label currentTaskLabel; 159 | private System.Windows.Forms.TabControl tabControl1; 160 | private System.Windows.Forms.TabPage mainTabPage; 161 | private System.Windows.Forms.TabPage settingsTabPage; 162 | private System.Windows.Forms.Button scanFilesButton; 163 | } 164 | } 165 | 166 | -------------------------------------------------------------------------------- /Providence/Filter/Filter.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM 23 | 24 | 25 | Release 26 | ARM 27 | 28 | 29 | Debug 30 | ARM64 31 | 32 | 33 | Release 34 | ARM64 35 | 36 | 37 | 38 | {BEB82A2E-C245-4329-8E24-35F122BB636D} 39 | {1bc93793-694f-48fe-9372-81e2b05556fd} 40 | v4.5 41 | 12.0 42 | Debug 43 | Win32 44 | Filter 45 | $(LatestTargetPlatformVersion) 46 | 47 | 48 | 49 | Windows7 50 | true 51 | WindowsKernelModeDriver10.0 52 | Driver 53 | KMDF 54 | Desktop 55 | 56 | 57 | Windows7 58 | false 59 | WindowsKernelModeDriver10.0 60 | Driver 61 | KMDF 62 | Desktop 63 | 64 | 65 | Windows10 66 | true 67 | WindowsKernelModeDriver10.0 68 | Driver 69 | KMDF 70 | Universal 71 | 72 | 73 | Windows10 74 | false 75 | WindowsKernelModeDriver10.0 76 | Driver 77 | KMDF 78 | Universal 79 | 80 | 81 | Windows10 82 | true 83 | WindowsKernelModeDriver10.0 84 | Driver 85 | KMDF 86 | Universal 87 | 88 | 89 | Windows10 90 | false 91 | WindowsKernelModeDriver10.0 92 | Driver 93 | KMDF 94 | Universal 95 | 96 | 97 | Windows10 98 | true 99 | WindowsKernelModeDriver10.0 100 | Driver 101 | KMDF 102 | Universal 103 | 104 | 105 | Windows10 106 | false 107 | WindowsKernelModeDriver10.0 108 | Driver 109 | KMDF 110 | Universal 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | DbgengKernelDebugger 122 | $(ProjectName) 123 | Yes 124 | false 125 | 126 | 127 | DbgengKernelDebugger 128 | $(ProjectName) 129 | Yes 130 | false 131 | 132 | 133 | DbgengKernelDebugger 134 | 135 | 136 | DbgengKernelDebugger 137 | 138 | 139 | DbgengKernelDebugger 140 | 141 | 142 | DbgengKernelDebugger 143 | 144 | 145 | DbgengKernelDebugger 146 | 147 | 148 | DbgengKernelDebugger 149 | 150 | 151 | 152 | $(SolutionDir)\Common;%(AdditionalIncludeDirectories) 153 | false 154 | 155 | 156 | $(DDK_LIB_PATH)fltMgr.lib;%(AdditionalDependencies) 157 | 158 | 159 | 160 | 161 | $(SolutionDir)\Common;%(AdditionalIncludeDirectories) 162 | false 163 | 164 | 165 | $(DDK_LIB_PATH)fltMgr.lib;%(AdditionalDependencies) 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | -------------------------------------------------------------------------------- /Providence/Filter/Driver.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "common.h" 3 | 4 | #define DEBUG 5 | #ifdef DEBUG 6 | #define DBG_PRINT(_fmt, ...) DbgPrint(_fmt, __VA_ARGS__) 7 | #else 8 | #define DBG_PRINT(_fmt, ...) { NOTHING; } 9 | #endif // DEBUG 10 | 11 | DRIVER_INITIALIZE DriverEntry; 12 | 13 | NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath); 14 | NTSTATUS Unload(_In_ FLT_FILTER_UNLOAD_FLAGS Flags); 15 | NTSTATUS InstanceSetup(_In_ PCFLT_RELATED_OBJECTS FltObjects, _In_ FLT_INSTANCE_SETUP_FLAGS Flags, _In_ DEVICE_TYPE VolumeDeviceType, _In_ FLT_FILESYSTEM_TYPE VolumeFileSystemType); 16 | NTSTATUS InstanceQueryTeardown(_In_ PCFLT_RELATED_OBJECTS FltObjects, _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags); 17 | NTSTATUS GetFilePath(_In_ PFLT_CALLBACK_DATA Data, _Inout_ PUNICODE_STRING FilePath); 18 | BOOLEAN IsProtectedFileName(PFLT_CALLBACK_DATA Data); 19 | FLT_PREOP_CALLBACK_STATUS PreCreate(_Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Flt_CompletionContext_Outptr_ PVOID *CompletionContext); 20 | FLT_POSTOP_CALLBACK_STATUS PostCreate(_Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _In_opt_ PVOID CompletionContext, _In_ FLT_POST_OPERATION_FLAGS Flags); 21 | FLT_PREOP_CALLBACK_STATUS PreCleanup(_Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Flt_CompletionContext_Outptr_ PVOID *CompletionContext); 22 | FLT_PREOP_CALLBACK_STATUS PreSetInformation(_Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Flt_CompletionContext_Outptr_ PVOID *CompletionContext); 23 | NTSTATUS PortConnect(_In_ PFLT_PORT ClientPort, _In_ PVOID ServerPortCookie, _In_ PVOID ConnectionContext, _In_ ULONG SizeOfContext, _Out_ PVOID *ConnectionPortCookie); 24 | VOID PortDisconnect(_In_ PVOID ConnectionCookie); 25 | NTSTATUS ScanFileInUserMode(_In_ PFLT_CALLBACK_DATA Data, _Out_ PBOOLEAN Infected); 26 | 27 | typedef struct _STREAM_HANDLE_CONTEXT { 28 | BOOLEAN Scan; // Perform scan or not. 29 | } STREAM_HANDLE_CONTEXT, *PSTREAM_HANDLE_CONTEXT; 30 | 31 | typedef struct _GLOBAL_DATA { 32 | PFLT_FILTER FilterHandle; 33 | PFLT_PORT ServerPort; 34 | PFLT_PORT ClientPort; 35 | PEPROCESS UserProcess; 36 | UNICODE_STRING DriverPath; 37 | UNICODE_STRING ApplicationPath; 38 | } GLOBAL_DATA, *PGLOBAL_DATA; 39 | 40 | CONST FLT_OPERATION_REGISTRATION Callbacks[] = { 41 | { IRP_MJ_CREATE, 0, PreCreate, PostCreate }, // We want to scan files when created. This routine also holds anti-deletion of critical files. 42 | { IRP_MJ_CLEANUP, 0, PreCleanup, NULL }, // Rescan the file if the file was created with write access. 43 | /* { IRP_MJ_WRITE, 0, PreWrite, PostWrite }, */ // Don't need this since we will scan on clean up? 44 | { IRP_MJ_SET_INFORMATION, 0, PreSetInformation, NULL }, // Anti-deletion of critical files. 45 | { IRP_MJ_OPERATION_END } 46 | }; 47 | 48 | CONST FLT_CONTEXT_REGISTRATION Contexts[] = { 49 | { FLT_STREAMHANDLE_CONTEXT, 0, NULL, sizeof(STREAM_HANDLE_CONTEXT), 'vorP' }, // For rescanning of files created with write access. 50 | { FLT_CONTEXT_END } 51 | }; 52 | 53 | CONST FLT_REGISTRATION FilterRegistration = { 54 | sizeof(FLT_REGISTRATION), // Size 55 | FLT_REGISTRATION_VERSION, // Version 56 | 0, // Flags 57 | Contexts, // ContextRegistration 58 | Callbacks, // OperationRegistration 59 | Unload, // FilterUnloadCallback 60 | InstanceSetup, // InstanceSetupCallback 61 | InstanceQueryTeardown, // InstanceQueryTeardownCallback 62 | NULL, // InstanceTeardownStartCallback 63 | NULL, // InstanceTeardownCompleteCallback 64 | NULL, // GenerateFileNameCallback 65 | NULL, // NormalizeNameComponentCallback 66 | NULL // NormalizeContextCleanupCallback 67 | }; 68 | 69 | GLOBAL_DATA Globals; 70 | 71 | NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath) { 72 | UNREFERENCED_PARAMETER(RegistryPath); 73 | 74 | DBG_PRINT("DriverEntry called.\n"); 75 | 76 | RtlZeroMemory(&Globals, sizeof(GLOBAL_DATA)); 77 | RtlInitUnicodeString(&Globals.DriverPath, L"C:\\Users\\Arcadia\\Desktop\\Filter.sys"); 78 | RtlInitUnicodeString(&Globals.ApplicationPath, L"C:\\Users\\Arcadia\\Desktop\\Providence.exe"); 79 | 80 | // Register with filter manager. 81 | NTSTATUS status = FltRegisterFilter(DriverObject, &FilterRegistration, &Globals.FilterHandle); 82 | if (!NT_SUCCESS(status)) { 83 | return status; 84 | } 85 | 86 | // Initialise the port name for communication with the user application. 87 | UNICODE_STRING usPortName; 88 | RtlInitUnicodeString(&usPortName, PORT_NAME); 89 | 90 | // Security descriptor for communication port creation. 91 | PSECURITY_DESCRIPTOR sd = NULL; 92 | status = FltBuildDefaultSecurityDescriptor(&sd, FLT_PORT_ALL_ACCESS); 93 | if (NT_SUCCESS(status)) { 94 | // Object handle for communication port creation. 95 | OBJECT_ATTRIBUTES oa; 96 | InitializeObjectAttributes(&oa, &usPortName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, sd); 97 | 98 | // Create a port for the user application to connect for receiving scan requests. 99 | status = FltCreateCommunicationPort(Globals.FilterHandle, &Globals.ServerPort, &oa, NULL, PortConnect, PortDisconnect, NULL, 1); 100 | 101 | FltFreeSecurityDescriptor(sd); 102 | 103 | if (NT_SUCCESS(status)) { 104 | // Start filtering I/O. 105 | status = FltStartFiltering(Globals.FilterHandle); 106 | if (NT_SUCCESS(status)) { 107 | return STATUS_SUCCESS; 108 | } 109 | 110 | FltCloseCommunicationPort(Globals.ServerPort); 111 | } 112 | } 113 | 114 | FltUnregisterFilter(Globals.FilterHandle); 115 | 116 | DBG_PRINT("Oops! Something went wrong: <0x%08x>.\n", status); 117 | 118 | return status; 119 | } 120 | 121 | NTSTATUS Unload(_In_ FLT_FILTER_UNLOAD_FLAGS Flags) { 122 | UNREFERENCED_PARAMETER(Flags); 123 | 124 | DBG_PRINT("Unload called.\n"); 125 | 126 | FltCloseCommunicationPort(Globals.ServerPort); 127 | 128 | FltUnregisterFilter(Globals.FilterHandle); 129 | 130 | return STATUS_SUCCESS; 131 | } 132 | 133 | /* 134 | * Callback for when the minifilter is called to set up for another volume. 135 | * Reject connection to a networked volume. 136 | */ 137 | NTSTATUS InstanceSetup(_In_ PCFLT_RELATED_OBJECTS FltObjects, _In_ FLT_INSTANCE_SETUP_FLAGS Flags, _In_ DEVICE_TYPE VolumeDeviceType, _In_ FLT_FILESYSTEM_TYPE VolumeFileSystemType) { 138 | UNREFERENCED_PARAMETER(FltObjects); 139 | UNREFERENCED_PARAMETER(Flags); 140 | UNREFERENCED_PARAMETER(VolumeFileSystemType); 141 | 142 | PAGED_CODE(); 143 | 144 | // Do not attach to networked file systems. 145 | if (VolumeDeviceType == FILE_DEVICE_NETWORK_FILE_SYSTEM) { 146 | return STATUS_FLT_DO_NOT_ATTACH; 147 | } 148 | 149 | return STATUS_SUCCESS; 150 | } 151 | 152 | /* 153 | * Callback for when the volume is requesting manual detach. 154 | * Probably want to stop any jobs that are active with the volume. 155 | */ 156 | NTSTATUS InstanceQueryTeardown(_In_ PCFLT_RELATED_OBJECTS FltObjects, _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags) { 157 | UNREFERENCED_PARAMETER(FltObjects); 158 | UNREFERENCED_PARAMETER(Flags); 159 | 160 | // Something something here. 161 | 162 | return STATUS_SUCCESS; 163 | } 164 | 165 | /* 166 | * Translate the NT namespace convention to a standard, non-UNC file name. 167 | * 168 | * Returns STATUS_SUCCESS on success else, an appropriate error code. 169 | */ 170 | NTSTATUS GetFilePath(_In_ PFLT_CALLBACK_DATA Data, _Inout_ PUNICODE_STRING FilePath) { 171 | UNICODE_STRING DosName; 172 | NTSTATUS status = IoVolumeDeviceToDosName(Data->Iopb->TargetFileObject->DeviceObject, &DosName); 173 | if (NT_SUCCESS(status)) { 174 | // Set up variables for the UNICODE_STRING to hold the full path name. 175 | // Max UNICODE_STRING length. 176 | USHORT MaxLength = DosName.MaximumLength + Data->Iopb->TargetFileObject->FileName.MaximumLength; 177 | // Allocate a buffer in paged memory. 178 | PVOID Buffer = ExAllocatePool(PagedPool, MaxLength); 179 | if (Buffer != NULL) { 180 | // Initialise UNICODE_STRING members to hold full path name. 181 | FilePath->Length = 0; 182 | FilePath->MaximumLength = MaxLength; 183 | FilePath->Buffer = Buffer; 184 | // Copy the DOS device drive letter. 185 | RtlCopyUnicodeString(FilePath, &DosName); 186 | // Free up this DOS device name since we do not need it anymore. 187 | //ExFreePool(DosName.Buffer); 188 | // Append the file name's path. 189 | RtlAppendUnicodeStringToString(FilePath, &Data->Iopb->TargetFileObject->FileName); 190 | 191 | // Free up the buffer allocated previously in paged memory. 192 | //ExFreePool(Buffer); 193 | } else { 194 | DBG_PRINT("ExAllocatePool failed."); 195 | status = STATUS_INSUFFICIENT_RESOURCES; 196 | } 197 | } 198 | 199 | return status; 200 | } 201 | 202 | /* 203 | * Compares provided file name in FLT_CALLBACK_DATA to protected, critical files. 204 | * 205 | * Returns TRUE if the given file name is the same as a protected file else, FALSE. 206 | */ 207 | BOOLEAN IsProtectedFileName(PFLT_CALLBACK_DATA Data) { 208 | BOOLEAN ret = FALSE; 209 | 210 | // Attempt to translate volume device name to DOS device name. 211 | UNICODE_STRING FilePath; 212 | if (NT_SUCCESS(GetFilePath(Data, &FilePath))) { 213 | DBG_PRINT("Attempt to delete file \"%wZ\".\n", &FilePath); 214 | // Compare file name and reject entry they are our files. 215 | if (RtlCompareUnicodeString(&Globals.DriverPath, &FilePath, FALSE) == 0 || RtlCompareUnicodeString(&Globals.ApplicationPath, &FilePath, FALSE) == 0) { 216 | DBG_PRINT("File deletion rejected.\n", Data->Iopb->MajorFunction, &FilePath); 217 | ret = TRUE; 218 | } else { 219 | DBG_PRINT("File deletion allowed.\n"); 220 | } 221 | 222 | ExFreePool(FilePath.Buffer); 223 | } else { 224 | DBG_PRINT("GetFilePath failed: <0x%08x>.\n"); 225 | } 226 | 227 | return ret; 228 | } 229 | 230 | /* 231 | * We allow file creation for the user-mode application. 232 | * We also check for any DELETE_ON_CLOSE options to reject deletion of protected, critical files. 233 | */ 234 | FLT_PREOP_CALLBACK_STATUS PreCreate(_Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Flt_CompletionContext_Outptr_ PVOID *CompletionContext) { 235 | UNREFERENCED_PARAMETER(CompletionContext); 236 | 237 | PAGED_CODE(); 238 | 239 | FLT_PREOP_CALLBACK_STATUS ret = FLT_PREOP_SUCCESS_WITH_CALLBACK; 240 | PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL; 241 | 242 | // Allow our user-mode application through. 243 | if (IoThreadToProcess(Data->Thread) == Globals.UserProcess) { 244 | return FLT_PREOP_SUCCESS_NO_CALLBACK; 245 | } 246 | 247 | // To deny deletion of our protected files, we must find and compare the names of files selected for deletion. 248 | // Check if the I/O request is file deletion. 249 | if (Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION && (Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileDispositionInformation || 250 | Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileDispositionInformationEx) || 251 | (Data->Iopb->MajorFunction == IRP_MJ_CREATE && FlagOn(Data->Iopb->Parameters.Create.Options, FILE_DELETE_ON_CLOSE))) { 252 | if (FltObjects->FileObject != NULL) { 253 | NTSTATUS status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo); 254 | if (NT_SUCCESS(status)) { 255 | // Parse name information. 256 | FltParseFileNameInformation(FileNameInfo); 257 | 258 | // Compare the received file name with protected files. 259 | if (IsProtectedFileName(Data)) { 260 | // Set status to access denied. 261 | Data->IoStatus.Status = STATUS_ACCESS_DENIED; 262 | Data->IoStatus.Information = 0; 263 | // Complete I/O request. 264 | ret = FLT_PREOP_COMPLETE; 265 | } 266 | } 267 | } 268 | } 269 | 270 | // Cleanup. 271 | if (FileNameInfo != NULL) { 272 | FltReleaseFileNameInformation(FileNameInfo); 273 | } 274 | 275 | // Pass on the I/O request. 276 | return ret; 277 | } 278 | 279 | /* 280 | * If successful file creation, we want to scan the file. 281 | * If the file was created with write access, we want to scan it again on cleanup. 282 | */ 283 | FLT_POSTOP_CALLBACK_STATUS PostCreate(_Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _In_opt_ PVOID CompletionContext, _In_ FLT_POST_OPERATION_FLAGS Flags) { 284 | UNREFERENCED_PARAMETER(CompletionContext); 285 | UNREFERENCED_PARAMETER(Flags); 286 | 287 | PAGED_CODE(); 288 | 289 | // Ignore failed creates and symbolic links. 290 | if (!NT_SUCCESS(Data->IoStatus.Status) || Data->IoStatus.Status == STATUS_REPARSE) { 291 | return FLT_POSTOP_FINISHED_PROCESSING; 292 | } 293 | 294 | // We don't care about directories. 295 | BOOLEAN IsDirectory = FALSE; 296 | NTSTATUS status = FltIsDirectory(FltObjects->FileObject, FltObjects->Instance, &IsDirectory); 297 | if (NT_SUCCESS(status) && IsDirectory == FALSE) { 298 | // Scan the file. 299 | BOOLEAN Infected = FALSE; 300 | ScanFileInUserMode(Data, &Infected); 301 | 302 | if (Infected == TRUE) { 303 | DBG_PRINT("File is infected!\n"); 304 | } 305 | 306 | // If the file is opened with write permissions, we want to scan it again in the cleanup. 307 | if (FltObjects->FileObject->WriteAccess || FlagOn(Data->Iopb->Parameters.Create.Options, GENERIC_WRITE)) { 308 | DBG_PRINT("File created with write access.\n"); 309 | // Allocate a scan context. 310 | PSTREAM_HANDLE_CONTEXT Context; 311 | status = FltAllocateContext(Globals.FilterHandle, FLT_STREAMHANDLE_CONTEXT, sizeof(STREAM_HANDLE_CONTEXT), PagedPool, &Context); 312 | if (NT_SUCCESS(status)) { 313 | // Set context to indicate a rescan. 314 | Context->Scan = TRUE; 315 | 316 | FltSetStreamHandleContext(FltObjects->Instance, FltObjects->FileObject, FLT_SET_CONTEXT_REPLACE_IF_EXISTS, Context, NULL); 317 | 318 | // Decrement the reference count on success or failure. 319 | FltReleaseContext(Context); 320 | } 321 | } 322 | } 323 | 324 | return FLT_POSTOP_FINISHED_PROCESSING; 325 | } 326 | 327 | /* 328 | * Check if we need to scan the file again after file creation with write access. Scan if required. 329 | */ 330 | FLT_PREOP_CALLBACK_STATUS PreCleanup(_Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Flt_CompletionContext_Outptr_ PVOID *CompletionContext) { 331 | UNREFERENCED_PARAMETER(CompletionContext); 332 | 333 | PAGED_CODE(); 334 | 335 | // Get the scan context to check if we need to rescan the file (after opening with write access). 336 | PSTREAM_HANDLE_CONTEXT Context; 337 | NTSTATUS status = FltGetStreamHandleContext(FltObjects->Instance, FltObjects->FileObject, &Context); 338 | if (NT_SUCCESS(status)) { 339 | if (Context->Scan) { 340 | BOOLEAN Infected = FALSE; 341 | ScanFileInUserMode(Data, &Infected); 342 | 343 | if (Infected) { 344 | DBG_PRINT("File is infected!\n"); 345 | } 346 | } 347 | 348 | FltReleaseContext(Context); 349 | } 350 | 351 | return FLT_PREOP_SUCCESS_NO_CALLBACK; 352 | } 353 | 354 | /* 355 | * Detect and reject deletion of protected, critical files. 356 | */ 357 | FLT_PREOP_CALLBACK_STATUS PreSetInformation(_Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Flt_CompletionContext_Outptr_ PVOID *CompletionContext) { 358 | UNREFERENCED_PARAMETER(CompletionContext); 359 | 360 | PAGED_CODE(); 361 | 362 | FLT_PREOP_CALLBACK_STATUS ret = FLT_PREOP_SUCCESS_NO_CALLBACK; 363 | PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL; 364 | 365 | // To deny deletion of our protected files, we must find and compare the names of files selected for deletion. 366 | // Check if the I/O request is file deletion. 367 | if (Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION && (Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileDispositionInformation || 368 | Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileDispositionInformationEx) || 369 | (Data->Iopb->MajorFunction == IRP_MJ_CREATE && FlagOn(Data->Iopb->Parameters.Create.Options, FILE_DELETE_ON_CLOSE))) { 370 | if (FltObjects->FileObject != NULL) { 371 | 372 | NTSTATUS status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo); 373 | if (NT_SUCCESS(status)) { 374 | // Parse name information. 375 | FltParseFileNameInformation(FileNameInfo); 376 | 377 | // Compare the received file name with protected files. 378 | if (IsProtectedFileName(Data)) { 379 | // Set status to access denied. 380 | Data->IoStatus.Status = STATUS_ACCESS_DENIED; 381 | Data->IoStatus.Information = 0; 382 | // Complete I/O request. 383 | ret = FLT_PREOP_COMPLETE; 384 | } 385 | } 386 | } 387 | } 388 | 389 | // Cleanup. 390 | if (FileNameInfo != NULL) { 391 | FltReleaseFileNameInformation(FileNameInfo); 392 | } 393 | 394 | // Pass on the I/O request. 395 | return ret; 396 | } 397 | 398 | /* 399 | * Save the context of the user-mode application. 400 | * Application's process to bypass file creation. 401 | * Client port for disconnect routine. 402 | */ 403 | NTSTATUS PortConnect(_In_ PFLT_PORT ClientPort, _In_ PVOID ServerPortCookie, _In_ PVOID ConnectionContext, _In_ ULONG SizeOfContext, _Out_ PVOID *ConnectionPortCookie) { 404 | PAGED_CODE(); 405 | 406 | UNREFERENCED_PARAMETER(ClientPort); 407 | UNREFERENCED_PARAMETER(ServerPortCookie); 408 | UNREFERENCED_PARAMETER(ConnectionContext); 409 | UNREFERENCED_PARAMETER(SizeOfContext); 410 | UNREFERENCED_PARAMETER(ConnectionPortCookie); 411 | 412 | DBG_PRINT("User application connected.\n"); 413 | 414 | // Save the user-mode application's process so that we allow it through IRP_MJ_CREATE. 415 | Globals.UserProcess = PsGetCurrentProcess(); 416 | 417 | // Save the client port so we can close it on disconnect. 418 | Globals.ClientPort = ClientPort; 419 | 420 | return STATUS_SUCCESS; 421 | } 422 | 423 | /* 424 | * Close the saved client port and unset it. 425 | */ 426 | VOID PortDisconnect( _In_ PVOID ConnectionCookie) { 427 | UNREFERENCED_PARAMETER(ConnectionCookie); 428 | 429 | PAGED_CODE(); 430 | 431 | DBG_PRINT("User application disconnected.\n"); 432 | 433 | // Clean up the client's port so we can allow another connection (max: 1) 434 | FltCloseClientPort(Globals.FilterHandle, &Globals.ClientPort); 435 | 436 | // Unset the user process. 437 | Globals.UserProcess = NULL; 438 | } 439 | 440 | /* 441 | * Get the file name that is being created and send it to the user-mode application for scanning. 442 | */ 443 | NTSTATUS ScanFileInUserMode(_In_ PFLT_CALLBACK_DATA Data, _Out_ PBOOLEAN Infected) { 444 | // We need to check if the client did not disconnect. 445 | if (Globals.ClientPort == NULL) { 446 | return STATUS_SUCCESS; 447 | } 448 | 449 | UNICODE_STRING FilePath; 450 | NTSTATUS status = GetFilePath(Data, &FilePath); 451 | if (!NT_SUCCESS(status)) { 452 | DBG_PRINT("Failed to get file path: <0x%08x>.\n", status); 453 | return status; 454 | } 455 | 456 | // Check if the buffer can fit inside the message buffer including the null-terminating byte. Ideally we should have a max path length of 32,767. 457 | if (FilePath.Length > MAX_PATH) { 458 | DBG_PRINT("File path exceeds max size of %d (%hu).\n", MAX_PATH, FilePath.Length); 459 | goto cleanup; 460 | } 461 | 462 | // Allocate some space to store the file path to be sent to the user-mode application. 463 | //Message = ExAllocatePoolWithTag(NonPagedPoolNx, sizeof(&Message->FilePath), 'nacS'); 464 | //if (Message == NULL) { 465 | // DBG_PRINT("Failed to allocate data for SCAN_DATA_MESSAGE.\n"); 466 | // status = STATUS_INSUFFICIENT_RESOURCES; 467 | // goto cleanup; 468 | //} 469 | 470 | SCAN_DATA_MESSAGE Message; 471 | 472 | // Convert the UNICODE_STRING to a WCHAR type. 473 | // Zero the buffer so we don't need to null-terminate after copy. 474 | RtlZeroMemory(Message.FilePath, MAX_PATH); 475 | // We already checked previously if FilePath.Length > MAX_PATH so we can just copy the bytes in. 476 | RtlCopyMemory(Message.FilePath, FilePath.Buffer, FilePath.Length); 477 | 478 | DBG_PRINT("Sending file path: %ws\n", Message.FilePath); 479 | 480 | // Send the file path to the user-mode application for scanning. 481 | SCAN_REPLY_MESSAGE Reply; 482 | ULONG ReplyLength = sizeof(SCAN_REPLY_MESSAGE); 483 | status = FltSendMessage(Globals.FilterHandle, &Globals.ClientPort, &Message, sizeof(SCAN_DATA_MESSAGE), &Reply, &ReplyLength, NULL); 484 | if (status != STATUS_SUCCESS) { 485 | DBG_PRINT("Failed to send message to user-mode application: <0x%08x>.\n", status); 486 | //goto cleanup; 487 | } 488 | 489 | // Return infected state. 490 | *Infected = Reply.Infected; 491 | 492 | cleanup: 493 | if (FilePath.Buffer != NULL) { 494 | ExFreePool(FilePath.Buffer); 495 | } 496 | 497 | //if (Message != NULL) { 498 | // ExFreePoolWithTag(Message, 'nacS'); 499 | //} 500 | 501 | return status; 502 | } 503 | --------------------------------------------------------------------------------