Strange minifilter behaviour

FLunky Member Posts: 3

Hello everyone.
I am developing a minifilter driver that has to detect ransomware based on modified files. I made a small program to test this; it walks through files and modifies them randomly. The program is single threaded, but here comes the best part. When it reaches 5 modified files, the minifilter begins to analyse them and won't return until the analysis is complete. This means I should not receive any IRP_MJ_CREATE from this process, but they still come.
Is there a way to avoid cases like this?

Comments

  • Dejan_Maksimovic Member - All Emails Posts: 314
    via Email
    Global lock.
  • FLunky Member Posts: 3

    But how is it possible to get more IRP_MJ_CREATE requests from the same process with one thread if I'm not returning from the callback?

  • Dejan_Maksimovic Member - All Emails Posts: 314
    via Email
    Malware won't be conforming to your tests.

    APCs can cause what you describe.
    Presuming it is the same thread actually. RTL can make its own threads and access files from them.

    I suggest posting a stack trace for the thread that analyses the modifications, and of the 6th IRP_MJ_CREATE.
  • FLunky Member Posts: 3

    Catching malware will be the goal, but first I want to make sure this case works as I intend. It seems IRP_MJ_CREATE works correctly, in fact. The problem might lie in the fact that the files are not modified as I expected. For example, after modifying 5 files, I should be able to give a verdict. But the files might not be modified so that I can analyse them as I should. And it seems this is actually the case: the files are not modified when opening the 6th file.
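Taking the "global lock" suggestion together with the poster's five-file threshold, here is an added user-mode Python model of the bookkeeping (not the poster's driver and not kernel code): it keys state by process rather than thread, and records whether a create arriving while the analysis is pending came from the thread that tripped the threshold or from another thread of the same process. The PIDs, TIDs, paths and the event trace are constructed.

```python
import threading
from collections import defaultdict

THRESHOLD = 5  # the poster's trigger: analyse once a process has modified 5 files


class ModificationTracker:
    """Per-process state guarded by a single global lock.

    Keyed by PID, not TID: a process can issue I/O from other threads (RTL
    worker threads, APCs) while the thread that hit the threshold is still
    blocked inside the analysis callback.
    """

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.lock = threading.Lock()                       # the "global lock"
        self.modified = defaultdict(set)                   # pid -> paths written
        self.analysing = {}                                # pid -> tid running the analysis
        self.creates_during_analysis = defaultdict(list)   # pid -> (tid, path, origin)

    def on_write(self, pid, tid, path):
        """Pre-write callback. Returns True when the caller must start the analysis."""
        with self.lock:
            self.modified[pid].add(path)
            if len(self.modified[pid]) >= self.threshold and pid not in self.analysing:
                self.analysing[pid] = tid
                return True
            return False

    def on_create(self, pid, tid, path):
        """Pre-create callback. Classifies creates that arrive while analysis is pending."""
        with self.lock:
            owner = self.analysing.get(pid)
            if owner is None:
                return None
            origin = "same-thread" if tid == owner else "other-thread"
            self.creates_during_analysis[pid].append((tid, path, origin))
            return origin

    def analysis_done(self, pid):
        with self.lock:
            self.analysing.pop(pid, None)


# Constructed trace (op, pid, tid, path): five writes from tid 1001, then a
# create from tid 1002 of the same process while 1001 is still analysing.
TRACE = [("IRP_MJ_WRITE", 4242, 1001, r"C:\test\f%d.txt" % i) for i in range(1, 6)]
TRACE.append(("IRP_MJ_CREATE", 4242, 1002, r"C:\test\f6.txt"))


def replay(trace, tracker=None):
    """Feed a trace through the tracker; returns creates seen during pending analysis."""
    tracker = tracker or ModificationTracker()
    for op, pid, tid, path in trace:
        (tracker.on_write if op == "IRP_MJ_WRITE" else tracker.on_create)(pid, tid, path)
    return dict(tracker.creates_during_analysis)
```

A "same-thread" entry is the re-entrancy case (APC delivered to the blocked thread) that the stack trace would confirm; an "other-thread" entry is ordinary concurrency within the process.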
