Hi,
I’m trying to create a filter driver that examines all writes to the
file system. The issue I’m hoping people can help me with is boot-time
writes. During the boot phase, Nagar’s book says that the boot loader uses
special compiled-in (boot file system) code to access the information on
the boot partition. Later on, the raw file system is loaded. The raw file
system seems to be loaded after drivers with a start value entry of 0, so
it seems like it should be possible to get all the raw file system writes.
So my questions are:
- Does the boot file system make writes?
- If so, is it possible to intercept all the writes that the boot file
system makes? (Or is there a well-known subset of files that are written
to by the boot file system so that diffs can be used to figure out later
what was written to?)
- Am I correct in my belief that it is possible to hook onto the raw file
system as it is loaded, and thereby intercept all raw file system writes?
- Is there anything else that I should be concerned about during boot
time?
Thanks,
Richard