I am working on a minifilter. I am making a program that checks whether a file is malicious or not on access. I know I can do it by using a minifilter, but I am not sure how to do it effectively because files are accessed very frequently in a system. Whenever a file is being accessed, send the file path to user mode, and then the user-mode application will respond after checking the file. I want to know from your experience and understanding, as I am not very familiar with it.
Very curious to know from your experience.
Thanks & regards,
Jay
Comments
https://github.com/microsoft/windows-driver-samples/tree/main/filesys/miniFilter/avscan
-scott
OSR
@Scott_Noone_(OSR) How can I ignore a file open in the kernel minifilter when user mode takes too much time for the scanning part? Once the scanning part is complete, if someone accesses the file again, then allow or block it based on the result.
While scanning, if someone accesses the file, then just block or ignore it silently.
I will keep a hash of which paths are currently being scanned or have finished scanning, starting from the first time someone accesses the file.
Your design is wrong.
Have you gone through the avscan sample? If you're trying to learn you should install that, set breakpoints, and learn what it's doing. You'll learn a lot more that way than feeling around in the dark.
-scott
OSR
@Scott_Noone_(OSR) Thank you so much. I will go through it and ask if anything I didn't understand. Thank you very much for the help & support.
@Scott_Noone_(OSR) I went through avscan. It basically examines the data in a file. I followed the code and executed both the user-mode and filter parts. It basically checks for the string "message to be found" in a file; if it is found, then it blocks the opening of the file.
It works fine for text files, but when I open a PDF file containing the same string it doesn't block. I don't understand why.
Could you please help me out?
I will be very thankful.
Sorry, are you asking how to interpret the content of a PDF? Or are you blocking the open but Acrobat can read the file anyway?
-scott
OSR
@Scott_Noone_(OSR) The way we are checking for the message in the text file, can't we check the same way in every file?
A PDF file is often a combination of vector graphics, text, and bitmap graphics. The basic types of content in a PDF are
Typeset text stored as content streams (i.e., not encoded in plain text);
-scott
OSR
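The point above, shown in an added example that is not part of the thread or of the avscan sample: a byte search for the literal string fails on a PDF because the typeset text lives in a Flate-compressed content stream, so a scanner has to decode the streams first. The minimal PDF is constructed inline; `build_sample_pdf`, `naive_scan` and `stream_aware_scan` are names chosen here, and only the FlateDecode filter is handled (other filters, text split across operators and encrypted documents are not).

```python
import re
import zlib

# The string the avscan sample looks for in file data.
NEEDLE = b"message to be found"


def build_sample_pdf(text: bytes) -> bytes:
    """Constructed minimal PDF whose only page content stream is
    Flate-compressed, which is how PDF writers normally store text."""
    content = b"BT /F1 12 Tf 72 720 Td (" + text + b") Tj ET"
    packed = zlib.compress(content)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objs, start=1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


def naive_scan(data: bytes) -> bool:
    """What a plain byte search does: look for the literal string."""
    return NEEDLE in data


# Everything between the 'stream' and 'endstream' keywords (binary data).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def stream_aware_scan(data: bytes) -> bool:
    """Search the raw bytes, then the decoded bytes of each Flate stream."""
    if NEEDLE in data:
        return True
    for match in STREAM_RE.finditer(data):
        try:
            # decompressobj ignores the EOL bytes left before 'endstream'
            inflated = zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not a Flate stream (other filter, image, damaged)
        if NEEDLE in inflated:
            return True
    return False
```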