Dear OSR community,
a few weeks ago, I dove freshly into the exciting, yet deep, ocean of minifilter drivers. As I am new to the topic, I had to rely on the few tips I found on the internet and the driver development documentation on the Microsoft website.
Despite all efforts, I am still unable to load even the “nullfilter” sample that is provided on GitHub (which is basically an empty minifilter with no Pre-/PostOperationCallbacks). I can tell that the .inf-file provided there is not up to date as it does not contain architecture decoration for the install section.
Sadly, I am unable to dive any deeper into the matter, since Visual Studio 2022 (Community Edition) with installed SDK&WDK (Version: 10.0.22621) does not contain a template for minifilter drivers, which appears to be crucial for me to keep on testing.
I installed VS2019 (with appropriate SDK&WDK) and found a minifilter template there, but that template is not suited for my versions of Windows (Windows 10 Pro Build 19045 and Windows 11 Pro Build 22631, both 64-bit) as it also produces an .inf file that doesn’t contain architecture decoration. Besides the incorrect .inf-file, I can imagine that there are other settings that are outdated in the minifilter template from VS2019.
I created my own .inf file with (to my knowledge) accurate settings.
[content of .inf file is provided at the end of my post; nullfilter source code can be found here: https://github.com/microsoft/Windows-driver-samples/tree/main/filesys/miniFilter/nullFilter]
With this .inf, installation of the nullfilter minifilter driver I compiled with VS2019 works fine and the registry entries are successfully made, too.
Unfortunately, when I try to load the minifilter with fltmc load nullfilter, the system crashes with the error SYSTEM_THREAD _EXCEPTION _NOT_HANDLED. Before I get too engaged with kernel debugging with WinDbg, I would love to have a working nullfilter sample from which I can start my experiments and there must be a way to get the minifilter template from Visual Studio working.
First of all, thanks for bearing with me so far! Now I have the following questions:
-
Does anybody have VS2022 (incl. SDK&WDK) installed and has a minifilter template available at all? I tried so many varieties of installation processess that I can’t imagine that the template is actually available.
-
(How) Can I modify the VS2019 minifilter template so the compiled driver would work on my OS? -
Does my selfmade .inf file contain any mistakes?
Please send help! And let me know if you require further information to do so.
Best regards,
Ole
Content of .inf file:
[Version]
Signature = “$Windows NT$”
Class = “ActivityMonitor”
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}
Provider = %ManufacturerName%
DriverVer = 01/03/2024,15.22.32.172
CatalogFile = nullfilter.cat
[DestinationDirs]
DefaultDestDir = 13
MiniFilter.DriverFiles = 13
[DefaultInstall.NTamd64]
OptionDesc = %ServiceDescription%
CopyFiles = MiniFilter.DriverFiles
[DefaultInstall.NTamd64.Services]
AddService = %ServiceName%,MiniFilter.Service
[MiniFilter.Service]
DisplayName = %ServiceName%
Description = %ServiceDescription%
ServiceBinary = %13%%DriverName%.sys
ServiceType = 2
StartType = 3
ErrorControl = 1
LoadOrderGroup = “FSFilter Activity Monitor”
AddReg = MiniFilter.AddRegistry
Dependencies = FltMgr
[MiniFilter.AddRegistry]
HKR,“DebugFlags”,0x00010001,0x0
HKR,“SupportedFeatures”,0x00010001,0x3
HKR,“Instances”,“DefaultInstance”,0x00000000,%DefaultInstance%
HKR,“Instances%Instance1.Name%”,“Altitude”,0x00000000,%Instance1.Altitude%
HKR,“Instances%Instance1.Name%”,“Flags”,0x00010001,%Instance1.Flags%
[MiniFilter.DriverFiles]
%DriverName%.sys
[SourceDisksFiles]
nullfilter.sys = 1,
[SourceDisksNames]
1 = %DiskId1%,
[Strings]
ManufacturerName = “Ole”
ServiceDescription = “nullfilter_MiniFilter_Driver”
ServiceName = “nullfilter”
DriverName = “nullfilter”
DiskId1 = “nullfilter_Device_Installation_Disk”
DefaultInstance = “nullfilter_Default_Instance”
Instance1.Name = “nullfilter_Instance”
Instance1.Altitude = 370080
Instance1.Flags = 0x0