List file paths only in user mode (scanner minifilter example)

Hello everybody,

I am working on the scanner minifilter driver example from Microsoft
(latest edition, the one you can find at
https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/scanner
that has been recently updated to compile and run on Windows 10) and I am
completely new to driver development.

I would like to modify the kernel part so that it will only pass the path
of every file that gets accessed to the user mode software and then modify
accordingly the user mode component itself to show a list of files being
accessed in real time.
I read many topics on this forum and on many other ones but I could not
find an exhaustive guide to do that.
Since I am completely new to this kind of programming, I would like a sort
of tutorial about the modifications I should make. I know there are many
ways I can achieve my goal, but I will let you choose one because I don’t
know where to begin.

I am looking for in-depth help. I don’t want the usually requested
“copy-and-paste” code but a deep explanation of the modifications I
need to make (for both parts: kernel and user), and then I will
eventually ask for help with the code.

I hope I haven’t asked too much,
thanks

Luca


You can save yourself Much Suffering™ by going to https://www.osr.com
and finding the right training seminar for you. As a
graduate/participant/student myself, I can tell you that it will pay for
itself.

  • Mike

On Sep 27, 2017 10:40 AM, Luca PerProva wrote:

Thanks Mike :)

OP: Take a look at Minispy:

https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/minispy

It logs everything (including file paths) to user mode.

You might also want to describe a bit about what you’re ultimately trying to
accomplish in case there’s a better answer.

-scott
OSR
@OSRDrivers

Thanks for your replies!

@Mike I knew about OSR and their courses but I can’t afford them, at the
moment. I would love to have the possibility but I am too young for the
moment and I am from the EU.

@Scott thanks for the tip! I thought my explanation was exhaustive but I
will try to explain it again: I would like to print every file path that is
accessed in real time to screen. I thought the scanner example was the one
to start from because it filters basic IRP codes instead of having the
whole quantity that Minispy has. Anyway, I will surely take a look at it
and try to “strip off” (I don’t know if it’s the correct term) the excess
of things it filters. Since we went OP, only one last question: let’s
suppose I only modify the user side of that Minispy; would the kernel side
still filter the whole codes or would it only filter what the user mode
application requests?

Best regards again and thank you,
Luca

2017-09-27 21:15 GMT+02:00 Scott Noone:

> @Scott thanks for the tip! I thought my explanation was exhaustive but I
> will try to explain it again: I would like to print every file path that
> is accessed in real time to screen.

And then what? Presumably that’s not the ultimate goal of your project
(unless you’re doing this for your own amusement).

Also, what do you mean by “accessed”? Do you just care to see when the file
is opened or do you want every operation?

> Since we went OP, only one last question: let’s suppose I only modify the
> user side of that Minispy; would the kernel side still filter the whole
> codes or would it only filter what the user mode application requests?

No, the kernel is still going to send everything down. If you just care
about opens then you should be able to strip out everything but the
IRP_MJ_CREATE handlers (in theory… I haven’t actually tried this).

-scott
OSR
@OSRDrivers
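Added example (not code from the Minispy or scanner samples, and not Scott's or Luca's): a portable user-mode consumer for the kind of variable-length path records a minifilter posts to its communication port. The record layout (`struct path_record`), the sample paths and the helper names are assumptions made for this example; the real Minispy log record is laid out differently. It makes two points from the exchange above concrete: a display filter in user mode (`only_opens`) still receives every record the kernel side chose to send, so narrowing to opens has to happen in the driver; and every length field in a record arrives from the other side of the port and must be checked against the buffer before it is used to walk or copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IRP_MJ_CREATE 0x00            /* real IRP major function codes */
#define IRP_MJ_READ   0x03
#define MAX_PATH_BYTES (32767u * 2u)  /* NT path length limit, in bytes */

/* HYPOTHETICAL record layout for this example (the real Minispy/scanner
 * structures differ): header, then path_bytes bytes of UTF-16LE path. */
struct path_record {
    uint32_t total_length;    /* header + path bytes; used to walk the buffer */
    uint8_t  major_function;  /* IRP_MJ_* code of the operation */
    uint8_t  reserved[3];
    uint32_t path_bytes;      /* byte length of the path that follows */
};
typedef void (*record_cb)(uint8_t major, const uint8_t *path, uint32_t path_bytes, void *ctx);

/* Walk back-to-back records, checking every sender-supplied length before
 * use. Returns records delivered to cb, or -1 at the first malformed one. */
int walk_records(const uint8_t *buf, size_t len, int only_opens, record_cb cb, void *ctx)
{
    size_t off = 0;
    int delivered = 0;
    while (off < len) {
        struct path_record hdr;
        if (len - off < sizeof hdr) return -1;           /* truncated header */
        memcpy(&hdr, buf + off, sizeof hdr);             /* no unaligned read */
        if (hdr.total_length < sizeof hdr || hdr.total_length > len - off)
            return -1;                                   /* record overruns buffer */
        if (hdr.path_bytes > hdr.total_length - sizeof hdr ||
            hdr.path_bytes > MAX_PATH_BYTES || (hdr.path_bytes & 1u))
            return -1;                                   /* inconsistent path length */
        if (!only_opens || hdr.major_function == IRP_MJ_CREATE) {
            cb(hdr.major_function, buf + off + sizeof hdr, hdr.path_bytes, ctx);
            delivered++;
        }
        off += hdr.total_length;
    }
    return delivered;
}

/* Append one record, widening an ASCII path to UTF-16LE; returns 0 if it won't fit. */
size_t append_record(uint8_t *out, size_t cap, size_t len, uint8_t major, const char *ascii_path)
{
    size_t n = strlen(ascii_path), need = sizeof(struct path_record) + 2 * n;
    if (2 * n > MAX_PATH_BYTES || len + need > cap) return 0;
    struct path_record hdr = { (uint32_t)need, major, {0, 0, 0}, (uint32_t)(2 * n) };
    memcpy(out + len, &hdr, sizeof hdr);
    for (size_t i = 0; i < n; i++) {
        out[len + sizeof hdr + 2 * i]     = (uint8_t)ascii_path[i];
        out[len + sizeof hdr + 2 * i + 1] = 0;
    }
    return len + need;
}

/* Constructed sample (not a capture): three operations as a filter that
 * registered every major function would post them. */
size_t build_sample(uint8_t *out, size_t cap)
{
    size_t len = append_record(out, cap, 0, IRP_MJ_CREATE,
                               "\\Device\\HarddiskVolume1\\Users\\luca\\notes.txt");
    len = append_record(out, cap, len, IRP_MJ_READ,
                        "\\Device\\HarddiskVolume1\\Users\\luca\\notes.txt");
    return append_record(out, cap, len, IRP_MJ_CREATE,
                         "\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll");
}

static void print_path(uint8_t major, const uint8_t *path, uint32_t path_bytes, void *ctx)
{
    (void)ctx;
    printf("IRP_MJ 0x%02x  ", major);
    for (uint32_t i = 0; i < path_bytes; i += 2)     /* ASCII subset only */
        putchar(path[i + 1] == 0 && path[i] < 0x80 ? path[i] : '?');
    putchar('\n');
}

static void count_cb(uint8_t m, const uint8_t *p, uint32_t b, void *c)
{ (void)m; (void)p; (void)b; (*(int *)c)++; }

/* Walk the sample; with tamper set, corrupt the first total_length first. */
int walk_sample(int only_opens, int tamper)
{
    uint8_t buf[1024];
    int seen = 0;
    size_t len = build_sample(buf, sizeof buf);
    if (tamper) memset(buf, 0xFF, sizeof(uint32_t));  /* length far past the end */
    return walk_records(buf, len, only_opens, count_cb, &seen);
}

int main(void)
{
    uint8_t buf[1024];
    size_t len = build_sample(buf, sizeof buf);
    puts("everything the kernel side sent:");
    walk_records(buf, len, 0, print_path, NULL);
    puts("opens only (display filter; the kernel still sent all three):");
    walk_records(buf, len, 1, print_path, NULL);
    return 0;
}
```

Running it lists all three records and then only the two opens; the read record was still delivered and paid for. In the real driver the narrowing belongs in the kernel: list only IRP_MJ_CREATE in the FLT_OPERATION_REGISTRATION array handed to FltRegisterFilter, obtain the path in the pre-create callback with FltGetFileNameInformation, and post it with FltSendMessage; the user-mode side then only ever sees opens, and its job reduces to the kind of length validation shown above.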

Yes, that is for learning purposes, actually. I am not really planning to
distribute the software, just playing around and starting to figure out how
kernel mode components and user mode components relate and communicate.

Thanks again,
Luca


2017-09-28 15:39 GMT+02:00 Scott Noone: