Skip to content
This repository was archived by the owner on Aug 10, 2024. It is now read-only.
/ poc-windows-rust-filter Public archive

A PoC Windows Minifilter Driver in pure Rust (Don't use it in production)

License

MIT license
50 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

SubconsciousCompute/poc-windows-rust-filter

2 Branches0 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

sn99sn99
Merge pull request #9 from SubconsciousCompute/dilawar-add-license
Nov 17, 2023
52f5b99 · Nov 17, 2023

History

21 Commits
readme_resources
readme_resources
Mar 17, 2023
windows-kernel-alloc
windows-kernel-alloc
Apr 2, 2023
windows-kernel-macros
windows-kernel-macros
Mar 17, 2023
windows-kernel-mutex
windows-kernel-mutex
Apr 2, 2023
windows-kernel-string
windows-kernel-string
Mar 17, 2023
windows-kernel-sys
windows-kernel-sys
Apr 2, 2023
windows-rust-application
windows-rust-application
Apr 2, 2023
windows-rust-minifilter
windows-rust-minifilter
Apr 2, 2023
.gitignore
.gitignore
Mar 17, 2023
Cargo.toml
Cargo.toml
Apr 2, 2023
DEBUG.md
DEBUG.md
Apr 2, 2023
LICENSE
LICENSE
Nov 17, 2023
README.md
README.md
Mar 17, 2023

Repository files navigation

Rust Minifilter POC

A simple minifilter that informs about currently open files in Rust

Also see fsfilter-rs that has minifilter interacting with userspace Rust application

Prerequisites

It is best if you follow Codentium - Windows Drivers in Rust: Prerequisites.

You can set up a VM for testing by following DEBUG.

Building

From inside windows-rust-minifilter, run:

cargo make --profile production all

Note: You might need to run cargo clean before rebuilding again.

Loading and Running

You can use OsrLoader to load the Minifilter (Ideally I should make an .inf file but lazy thimes)

  • Set type to minifilter
  • Load Group to FSFilter Activity Monitor
  • Altitude to 37777

You should be able to see the list of open files in the Debugger (You will need to remove comments in G_CALLBACKS global array).

osrloader

You can also communicate with user space application by using windows-rust-application.

user

References

About

A PoC Windows Minifilter Driver in pure Rust (Don't use it in production)

Topics

windows rust kernel filesystem ffi minifilter-driver ffi-bindings minifilter

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

50 stars

Watchers

2 watching

Forks

4 forks
Report repository

Releases

No releases published

Contributors 2

Languages