# fsfilter-rs

[![Rust](https://github.com/SubconsciousCompute/fsfilter-rs/actions/workflows/rust.yml/badge.svg)](https://github.com/SubconsciousCompute/fsfilter-rs/actions/workflows/rust.yml)
[![Crates.io](https://img.shields.io/crates/v/fsfilter-rs?style=flat-square)](https://crates.io/crates/fsfilter-rs)
[![docs.rs](https://img.shields.io/docsrs/fsfilter-rs?style=flat-square)](https://docs.rs/fsfilter-rs/latest/fsfilter_rs/)

Experimental: a Rust library to monitor the filesystem (and more) on Windows through a kernel minifilter. Repository: https://github.com/SubconsciousCompute/fsfilter-rs (MIT license; topics: kernel, minifilter, observability, rust, windows, windows-kernel).

![shared_def](readme_resources/shared_def.png)

**Also see [poc-windows-rust-filter](https://github.com/SubconsciousCompute/poc-windows-rust-filter) for a pure Rust minifilter.**

## MINIFILTER

See [MINIFILTER.md](MINIFILTER.md) for building the minifilter, or just [right-click install using the `.inf` file
provided in releases](https://github.com/SubconsciousCompute/fsfilter-rs/releases/latest/download/snFilter.zip).

You can also build using the [EWDK](EWDKbuild.md) if you don't want to install Visual Studio, the SDK and the WDK.

**NOTE: By default, it is built for Windows 10 and above.**

**NOTE: Enable loading of test-signed drivers by executing `Bcdedit.exe -set TESTSIGNING ON` in an administrative cmd.**
This setting weakens kernel code-integrity enforcement for the whole machine (any test-signed driver can then load), takes effect only after a reboot, and should be used on a dedicated test VM rather than a production host; revert it with `Bcdedit.exe -set TESTSIGNING OFF` when you are done.

## RUNNING EXAMPLE

Use `cargo run --bin minifilter --release` to run the example application, or just [run the `.exe` provided in
releases](https://github.com/SubconsciousCompute/fsfilter-rs/releases/latest/download/minifilter.exe) as administrator
(for some reason the new default terminal on 22H2, not the one that opens when you run it as administrator, is very, very slow).

The program starts to print `IOMessage` values, which are defined as:

```rust
#[repr(C)]
pub struct IOMessage {
    /// The file extension
    pub extension: [wchar_t; 12],
    /// Hard disk volume serial number where the file is saved (from [`FILE_ID_INFO`])
    pub file_id_vsn: c_ulonglong,
    /// File ID on the disk ([`FILE_ID_INFO`])
    pub file_id_id: [u8; 16],
    /// Number of bytes transferred (`IO_STATUS_BLOCK.Information`)
    pub mem_sized_used: c_ulonglong,
    /// (Optional) File entropy calculated by the driver
    pub entropy: f64,
    /// Pid responsible for this I/O activity
    pub pid: c_ulong,
    /// Windows IRP type caught by the minifilter:
    /// - NONE (0)
    /// - READ (1)
    /// - WRITE (2)
    /// - SETINFO (3)
    /// - CREATE (4)
    /// - CLEANUP (5)
    pub irp_op: c_uchar,
    /// Is the entropy calculated?
    pub is_entropy_calc: u8,
    /// Type of I/O operation:
    /// - FILE_CHANGE_NOT_SET (0)
    /// - FILE_OPEN_DIRECTORY (1)
    /// - FILE_CHANGE_WRITE (2)
    /// - FILE_CHANGE_NEW_FILE (3)
    /// - FILE_CHANGE_RENAME_FILE (4)
    /// - FILE_CHANGE_EXTENSION_CHANGED (5)
    /// - FILE_CHANGE_DELETE_FILE (6)
    /// - FILE_CHANGE_DELETE_NEW_FILE (7)
    /// - FILE_CHANGE_OVERWRITE_FILE (8)
    pub file_change: c_uchar,
    /// The driver has the ability to monitor specific directories only (feature currently not used):
    /// - FILE_NOT_PROTECTED (0): monitored dirs do not contain this file
    /// - FILE_PROTECTED (1)
    /// - FILE_MOVED_IN (2)
    /// - FILE_MOVED_OUT (3)
    pub file_location_info: c_uchar,
    /// File path on the disk
    pub filepathstr: String,
    /// Group identifier (maintained by the minifilter) of the operation
    pub gid: c_ulonglong,
    /// See [`RuntimeFeatures`]
    pub runtime_features: RuntimeFeatures,
    /// Size of the file. Equal to -1 if the file path is not found.
    pub file_size: i64,
    /// Rough time at which the IRP was created
    pub time: SystemTime,
}
```

We end the process using `ctrl + c` in the example video:
![video](readme_resources/example.gif)

## PERFORMANCE

CPU usage of the minifilter stays below 1% (it never reached even 1% while running scripts that create many temporary files). Depending on your console, `cargo run --bin minifilter --release` may show spikes of 1-3%, but that is the console rendering itself: comment out the `writeln!` in the bin example, or try another console (for example, run `minifilter.exe` directly).

## DEBUGGING

See [DEBUG](DEBUG.md) for setting up kernel debugging of a VMware Windows machine
with [VirtualKD-Redux](https://github.com/4d61726b/VirtualKD-Redux)
and [WinDbg](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/debugging-using-windbg-preview).

## MAINTAINERS

Feel free to open issues to ask any questions/queries. You're free to ping the current maintainers.

Currently maintained by the following:

- [sn99](https://github.com/sn99) (original author)

Previous maintainers:

- N/A

## LICENSE

This project is licensed under the terms of the [MIT license](LICENSE.md).

## ACKNOWLEDGEMENTS

- [RansomWatch](https://github.com/RafWu/RansomWatch)
- [SitinCloud](https://github.com/SitinCloud)
- [SubconsciousCompute](https://github.com/SubconsciousCompute)
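The `IOMessage` fields above (`pid`, `irp_op`, `file_change`, `entropy`, `is_entropy_calc`, `time`) are what a user-mode consumer would feed into a ransomware heuristic, which is the use case the RansomWatch acknowledgement points at. The following is an added example written for this page, not code from fsfilter-rs or its authors: it defines a local mirror of those fields (the real crate struct has more, and `time_ms` is assumed to be milliseconds from a monotonic clock standing in for `time: SystemTime`), a Shannon entropy function matching the bits-per-byte quantity the driver reports, and a per-PID detector that fires when one process produces several high-entropy writes plus an extension change or delete inside a time window. The thresholds (7.5 bits, 3 writes, 5 s) and the sample event stream are constructed for illustration.

```rust
// Added example, not part of fsfilter-rs: score IOMessage-like events per PID
// with a ransomware heuristic (burst of high-entropy writes plus extension
// changes or deletes within one window). Field codes follow the README docs.
use std::collections::HashMap;

/// IRP type codes as documented for `IOMessage::irp_op`.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum IrpOp { None = 0, Read = 1, Write = 2, SetInfo = 3, Create = 4, Cleanup = 5 }

/// `IOMessage::file_change` codes as documented in the README.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum FileChange {
    NotSet = 0, OpenDirectory = 1, Write = 2, NewFile = 3, RenameFile = 4,
    ExtensionChanged = 5, DeleteFile = 6, DeleteNewFile = 7, OverwriteFile = 8,
}

/// Local mirror of the IOMessage fields this heuristic needs (assumption: a real
/// consumer maps the crate's struct onto this; `time_ms` stands in for `time`).
#[derive(Clone, Debug)]
pub struct IoEvent {
    pub pid: u32,
    pub irp_op: IrpOp,
    pub file_change: FileChange,
    pub entropy: f64,
    pub is_entropy_calc: bool,
    pub time_ms: u64,
}

/// Shannon entropy in bits per byte, the quantity the driver reports in
/// `IOMessage::entropy`; text sits around 4-5 bits, ciphertext approaches 8.
pub fn shannon_entropy(data: &[u8]) -> f64 {
    if data.is_empty() { return 0.0; }
    let mut counts = [0usize; 256];
    for &b in data { counts[b as usize] += 1; }
    let n = data.len() as f64;
    counts.iter().filter(|&&c| c > 0)
        .map(|&c| { let p = c as f64 / n; -p * p.log2() })
        .sum()
}

#[derive(Default, Debug)]
struct PidStats { first_ms: Option<u64>, high_entropy_writes: u32, ext_changes: u32, deletes: u32, alerted: bool }

pub struct RansomwareHeuristic {
    window_ms: u64,
    entropy_threshold: f64,
    min_high_entropy_writes: u32,
    stats: HashMap<u32, PidStats>,
}

impl RansomwareHeuristic {
    pub fn new(window_ms: u64, entropy_threshold: f64, min_high_entropy_writes: u32) -> Self {
        Self { window_ms, entropy_threshold, min_high_entropy_writes, stats: HashMap::new() }
    }

    /// Feed one event in arrival order. Returns Some(pid) once, the first time that
    /// pid shows >= N high-entropy writes AND an extension change or delete inside
    /// one window; per-pid counters reset when the window expires.
    pub fn observe(&mut self, ev: &IoEvent) -> Option<u32> {
        let (window, threshold, min_writes) =
            (self.window_ms, self.entropy_threshold, self.min_high_entropy_writes);
        let s = self.stats.entry(ev.pid).or_default();
        let start = s.first_ms;
        match start {
            Some(t0) if ev.time_ms.saturating_sub(t0) <= window => {}
            _ => *s = PidStats { first_ms: Some(ev.time_ms), ..Default::default() },
        }
        match ev.file_change {
            FileChange::ExtensionChanged => s.ext_changes += 1,
            FileChange::DeleteFile | FileChange::DeleteNewFile => s.deletes += 1,
            // Only count writes whose entropy the driver actually computed.
            FileChange::Write | FileChange::OverwriteFile
                if ev.irp_op == IrpOp::Write && ev.is_entropy_calc && ev.entropy >= threshold =>
            {
                s.high_entropy_writes += 1
            }
            _ => {}
        }
        if !s.alerted && s.high_entropy_writes >= min_writes && s.ext_changes + s.deletes >= 1 {
            s.alerted = true;
            return Some(ev.pid);
        }
        None
    }
}

/// Constructed sample stream: pid 1000 is an editor saving text, pid 4242
/// overwrites files with ciphertext and changes their extension.
pub fn sample_events() -> Vec<IoEvent> {
    let ev = |pid, irp_op, file_change, entropy, time_ms|
        IoEvent { pid, irp_op, file_change, entropy, is_entropy_calc: true, time_ms };
    vec![
        ev(1000, IrpOp::Write, FileChange::Write, 4.2, 0),
        ev(4242, IrpOp::Create, FileChange::NewFile, 0.0, 10),
        ev(4242, IrpOp::Write, FileChange::OverwriteFile, 7.91, 20),
        ev(4242, IrpOp::Write, FileChange::OverwriteFile, 7.95, 30),
        ev(4242, IrpOp::SetInfo, FileChange::ExtensionChanged, 0.0, 40),
        ev(4242, IrpOp::Write, FileChange::OverwriteFile, 7.88, 50),
        ev(4242, IrpOp::Write, FileChange::OverwriteFile, 7.90, 60),
        ev(1000, IrpOp::Write, FileChange::Write, 4.4, 70),
    ]
}

/// Runs the heuristic over the sample and returns the pids it flagged.
pub fn run_sample() -> Vec<u32> {
    let mut h = RansomwareHeuristic::new(5_000, 7.5, 3);
    sample_events().iter().filter_map(|e| h.observe(e)).collect()
}

fn main() {
    for pid in run_sample() { println!("ALERT: pid {pid} looks like it is encrypting files"); }
}
```

The detector fires once per PID per window rather than on every matching event, so a consumer can act (suspend the process, snapshot the volume) without being flooded; note that compressed or already-encrypted files also score near 8 bits, which is why the entropy count alone is not enough and the rename/delete signal is required as well.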