Microsoft - FS mini filter driver - Some trouble

Hello,

I downloaded the FS mini filter driver from Microsoft as a test and compiled it using VS (Visual Studio).

Link: “https://github.com/microsoft/Windows-driver-samples/tree/main/filesys/miniFilter/avscan”

I need this AVscan mini-filter driver to track and analyze filesystem transactions live for my app. I am planning to develop a lightweight open-source security application.

Now I have two questions about this:

  1. I can't load the driver. When I install the .sys file, I get the following error message: “There is no signature in the applicant”

What do I have to configure in the VS compiler to be able to load the driver?
Is it possibly because I need a certificate for the driver and because I have compiled in debug mode?

  2. How can I communicate with my mini filter driver in userland? I simply want to receive all the information from the driver at user level (user mode / kernel mode) and then evaluate it. For this purpose, an API will be implemented. However, I need to know in advance which communication medium should be implemented on the driver side. Can I do this using the IOCTL interface? So how do I get the data that is processed by the driver?

Can someone please help me clarify my questions so that I am able to move forward with my project?

The high level answers:

  1. To load your driver for testing, you have a couple of options. You can disable OS signature validation at boot time. Or, you can enable testsigning via bcdedit and sign your driver.

  2. Filter manager communication is the easiest and safest way to communicate between user and kernel. The avscan sample you are using demonstrates this.

https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/communication-between-user-mode-and-kernel-model

3 Likes
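The filter manager communication recommended in the second answer, shown as an added example that is not part of this thread and not the avscan sample's own code: a user-mode client for a minifilter communication port, calling fltlib.dll from PowerShell. The driver side (FltCreateCommunicationPort with its connect, disconnect and message callbacks, plus FltSendMessage for kernel-to-user pushes) is what the sample already implements, so only the user-mode half is shown. Assumptions not taken from the page: the port name, the 4-byte request and the 64-byte payload size are placeholders and must be replaced with the definitions in the driver's shared header. Opening the port usually requires an elevated process, because the samples build the port's security descriptor with FltBuildDefaultSecurityDescriptor.

```powershell
# Added example (not from the thread or the avscan sample): user-mode side of a
# minifilter communication port via fltlib.dll. No IOCTL/device object needed.
$Signatures = @'
using System;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential)]
public struct FILTER_MESSAGE_HEADER {
    public uint  ReplyLength;   // bytes of reply data the driver waits for (0 = no reply)
    public ulong MessageId;     // must be echoed back in FILTER_REPLY_HEADER
}

[StructLayout(LayoutKind.Sequential)]
public struct FILTER_REPLY_HEADER {
    public int   Status;        // NTSTATUS handed to the driver's FltSendMessage caller
    public ulong MessageId;
}

public static class FltLib {
    [DllImport("fltlib.dll", CharSet = CharSet.Unicode)]
    public static extern int FilterConnectCommunicationPort(
        string portName, uint options, IntPtr context, ushort sizeOfContext,
        IntPtr securityAttributes, out IntPtr port);

    [DllImport("fltlib.dll")]
    public static extern int FilterSendMessage(
        IntPtr port, byte[] inBuffer, uint inSize,
        byte[] outBuffer, uint outSize, out uint bytesReturned);

    [DllImport("fltlib.dll")]
    public static extern int FilterGetMessage(
        IntPtr port, IntPtr messageBuffer, uint messageBufferSize, IntPtr overlapped);

    [DllImport("fltlib.dll")]
    public static extern int FilterReplyMessage(
        IntPtr port, IntPtr replyBuffer, uint replyBufferSize);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
Add-Type -TypeDefinition $Signatures

$PortName    = '\MyFilterPort'   # ASSUMPTION: use the name the driver gives FltCreateCommunicationPort
$PayloadSize = 64                # ASSUMPTION: size of the driver-defined event record
$M = [Runtime.InteropServices.Marshal]

$port = [IntPtr]::Zero
$hr = [FltLib]::FilterConnectCommunicationPort($PortName, 0, [IntPtr]::Zero, 0, [IntPtr]::Zero, [ref]$port)
if ($hr -ne 0) { throw ('FilterConnectCommunicationPort failed: 0x{0:X8} (filter loaded? elevated?)' -f $hr) }

try {
    # User -> kernel: request/response, arrives in the driver's MessageNotifyCallback.
    $request  = [BitConverter]::GetBytes([int]1)   # ASSUMPTION: "1" = start reporting
    $response = [byte[]]::new(4)
    [uint32]$returned = 0
    $hr = [FltLib]::FilterSendMessage($port, $request, $request.Length, $response, $response.Length, [ref]$returned)
    if ($hr -ne 0) { throw ('FilterSendMessage failed: 0x{0:X8}' -f $hr) }

    # Kernel -> user: block in FilterGetMessage; the driver pushes with FltSendMessage.
    $hdrSize = $M::SizeOf([type][FILTER_MESSAGE_HEADER])
    $bufSize = $hdrSize + $PayloadSize
    $buf = $M::AllocHGlobal($bufSize)
    try {
        for ($i = 0; $i -lt 3; $i++) {
            $hr = [FltLib]::FilterGetMessage($port, $buf, $bufSize, [IntPtr]::Zero)
            if ($hr -ne 0) { throw ('FilterGetMessage failed: 0x{0:X8}' -f $hr) }
            $hdr = $M::PtrToStructure($buf, [type][FILTER_MESSAGE_HEADER])
            $payload = [byte[]]::new($PayloadSize)
            $M::Copy([IntPtr]($buf.ToInt64() + $hdrSize), $payload, 0, $PayloadSize)
            'message {0}: {1}' -f $hdr.MessageId, ([BitConverter]::ToString($payload))

            # If the driver is waiting for a verdict, answer with header + ReplyLength bytes.
            if ($hdr.ReplyLength -gt 0) {
                $replyHdrSize = $M::SizeOf([type][FILTER_REPLY_HEADER])
                $replySize = $replyHdrSize + [int]$hdr.ReplyLength
                $replyBuf = $M::AllocHGlobal($replySize)
                try {
                    $M::Copy([byte[]]::new($replySize), 0, $replyBuf, $replySize)   # zero the verdict area
                    $reply = New-Object FILTER_REPLY_HEADER
                    $reply.Status = 0                 # STATUS_SUCCESS
                    $reply.MessageId = $hdr.MessageId
                    $M::StructureToPtr($reply, $replyBuf, $false)
                    $hr = [FltLib]::FilterReplyMessage($port, $replyBuf, $replySize)
                    if ($hr -ne 0) { throw ('FilterReplyMessage failed: 0x{0:X8}' -f $hr) }
                } finally { $M::FreeHGlobal($replyBuf) }
            }
        }
    } finally { $M::FreeHGlobal($buf) }
} finally { [FltLib]::CloseHandle($port) | Out-Null }
```

The port gives you both directions without a control device object: FilterSendMessage for requests from your app, and a FilterGetMessage loop for the event stream the driver pushes. A real client would run that loop on a thread pool with OVERLAPPED I/O instead of a blocking loop, and must always reply to any message whose ReplyLength is non-zero, or the driver's FltSendMessage caller stays blocked until its timeout.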

Hello,

Thank you for the explanations. Unfortunately, the installation does not work. I have also tried to pass a self-signed certificate when compiling and have installed it correctly as well. The compilation process seems to have worked without errors, but unfortunately I cannot install the driver via the .sys file.

Can you please explain this to me in more detail? I can't find the option “bcdedit” in the settings. Are there any other tips or hints on how I could compile the driver correctly?

Thanks in advance!

bcdedit /set testsigning on
certutil /addstore root MyTestCert.cer
1 Like
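The test-signing route named in the first answer and in the two commands just above, worked through end to end as an added example that is not part of this thread: everything is typed into an elevated PowerShell prompt on the machine that will load the driver. Assumptions not taken from the page: the built binary is .\avscan.sys with its INF beside it, the filter's service name is "avscan", and signtool.exe from the WDK is on PATH. The build configuration does not matter to the loader; a Debug build loads fine once it is signed and test signing is on.

```powershell
# Added example (not from the thread): test-signing and loading a minifilter.
# ASSUMPTIONS: paths, INF name and service name below are placeholders.
$DriverPath = '.\avscan.sys'
$InfPath    = (Resolve-Path '.\avscan.inf').Path
$FilterName = 'avscan'
$CertFile   = '.\MyTestCert.cer'

# 1. Let the boot loader accept test-signed kernel code (takes effect after a reboot).
#    If bcdedit says the value is protected by Secure Boot policy, disable Secure
#    Boot in firmware first; test signing cannot be enabled under it.
bcdedit /set testsigning on

# 2. Create a self-signed code-signing certificate in the user's Personal store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=MyTestCert' `
            -CertStoreLocation 'Cert:\CurrentUser\My'

# 3. Export the public certificate and trust it machine-wide. Root is what
#    "certutil /addstore root MyTestCert.cer" does; TrustedPublisher suppresses the
#    publisher prompt when the INF is installed.
Export-Certificate -Cert $cert -FilePath $CertFile | Out-Null
Import-Certificate -FilePath $CertFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $CertFile -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# 4. Sign the binary with a SHA-256 file digest, selecting the cert by thumbprint.
signtool sign /v /fd SHA256 /sha1 $cert.Thumbprint $DriverPath

# 5. Check the signature before rebooting. "Valid" means it chains to a trusted
#    root on this machine; whether the kernel accepts it is decided by step 1.
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
if ($sig.Status -ne 'Valid') { throw "Signature check failed: $($sig.StatusMessage)" }

# --- reboot here; the desktop now shows a "Test Mode" watermark ---

# 6. Install the minifilter from its INF (the documented way for minifilters),
#    load it, and confirm it appears with its altitude.
rundll32.exe 'setupapi.dll,InstallHinfSection' DefaultInstall 132 $InfPath
fltmc load $FilterName
fltmc filters
```

If fltmc load fails with an access-denied or invalid-image error after all of this, check that the reboot actually happened (bcdedit /enum shows testsigning Yes) and that the certificate is in LocalMachine\Root, not only in the user's store.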