https://github.com/sgabe/symlinkprotect
File system minifilter driver for Windows to block symbolic link attacks.
kernel-driver minifilter-driver mitigation symlink windows-10
- Host: GitHub
- URL: https://github.com/sgabe/symlinkprotect
- Owner: sgabe
- License: mit
- Created: 2020-12-08T22:44:53.000Z (almost 5 years ago)
- Default Branch: main
- Last Pushed: 2020-12-16T15:56:55.000Z (almost 5 years ago)
- Last Synced: 2023-02-27T06:55:09.377Z (over 2 years ago)
- Topics: kernel-driver, minifilter-driver, mitigation, symlink, windows-10
- Language: C++
- Homepage:
- Size: 47.9 KB
- Stars: 38
- Watchers: 4
- Forks: 12
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# SymlinkProtect
File system minifilter driver for Windows, written in C++, to block symbolic link attacks. It monitors user-mode applications and blocks attempts to set a reparse point on a directory that would create a mount point to a suspicious target such as `\RPC Control`. See [here](https://www.seljan.hu/posts/how-to-mitigate-symbolic-link-attacks-on-windows/) for more information about the inner workings of the driver.
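As an added illustration, not code from the SymlinkProtect repository, here is the kind of check the description above implies, applied to the reparse buffer that `FSCTL_SET_REPARSE_POINT` carries: parse the mount-point layout and refuse a substitute name under `\RPC Control`. It is portable user-mode C++ with a constructed copy of the buffer layout, so it runs without the kernel headers; the structure, function and constant names are this example's own, and the blocked-target list holds only the one target the README names.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
// Constructed user-mode model of REPARSE_DATA_BUFFER (mount-point form) as handed to FSCTL_SET_REPARSE_POINT; sizes match Windows.
constexpr uint32_t kReparseTagMountPoint = 0xA0000003;
struct MountPointHeader {                          // sizeof == 16, no padding
    uint32_t reparseTag;
    uint16_t reparseDataLength, reserved;          // length counts bytes after these 8
    uint16_t substituteNameOffset, substituteNameLength, printNameOffset, printNameLength;
};                                                 // WCHAR pathBuffer[] follows at offset 16
enum class Verdict { Allow, Block, Malformed };
static const char16_t* const kBlockedTargets[] = { u"\\RPC Control" };  // only the README's example; the driver has its own list
// ASCII case-insensitive match of a whole leading path component (so "\RPC Controller" does not match).
static bool hasBlockedPrefix(const std::u16string& s, const char16_t* prefix) {
    auto lower = [](char16_t c) { return (c >= u'A' && c <= u'Z') ? char16_t(c + 32) : c; };
    const size_t n = std::char_traits<char16_t>::length(prefix);
    for (size_t i = 0; i < n; ++i)
        if (i >= s.size() || lower(s[i]) != lower(prefix[i])) return false;
    return s.size() == n || s[n] == u'\\';
}

// The decision a pre-operation callback makes before the request reaches the file system.
Verdict checkReparseBuffer(const std::vector<uint8_t>& buf) {
    MountPointHeader h{};
    if (buf.size() < sizeof(h)) return Verdict::Malformed;
    std::memcpy(&h, buf.data(), sizeof(h));
    if (h.reparseTag != kReparseTagMountPoint) return Verdict::Allow;  // not a mount point
    const size_t dataEnd = 8 + h.reparseDataLength, subStart = sizeof(h) + h.substituteNameOffset;
    if (dataEnd > buf.size() || subStart + h.substituteNameLength > dataEnd || h.substituteNameLength % 2)
        return Verdict::Malformed;                 // leave it to the file system to reject
    std::u16string target(h.substituteNameLength / 2, u'\0');
    std::memcpy(&target[0], buf.data() + subStart, h.substituteNameLength);
    for (const char16_t* blocked : kBlockedTargets)
        if (hasBlockedPrefix(target, blocked)) return Verdict::Block;
    return Verdict::Allow;
}

// Build a mount-point buffer the way a user-mode caller would, to exercise the check on constructed input.
std::vector<uint8_t> makeMountPoint(const std::u16string& sub, const std::u16string& print) {
    const size_t pathBytes = (sub.size() + 1 + print.size() + 1) * 2;   // both names NUL-terminated
    auto u16 = [](size_t v) { return static_cast<uint16_t>(v); };
    MountPointHeader h{kReparseTagMountPoint, u16(8 + pathBytes), 0, 0, u16(sub.size() * 2),
                       u16(sub.size() * 2 + 2), u16(print.size() * 2)};
    std::vector<uint8_t> buf(sizeof(h) + pathBytes, 0);
    std::memcpy(buf.data(), &h, sizeof(h));
    std::memcpy(buf.data() + sizeof(h), sub.data(), sub.size() * 2);
    std::memcpy(buf.data() + sizeof(h) + h.printNameOffset, print.data(), print.size() * 2);
    return buf;
}
```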
## Usage
1. [Download](https://github.com/sgabe/SymlinkProtect/releases) the latest release or compile the driver.
2. Right-click on the *SymlinkProtect.inf* file and click on **Install**.
3. Open an elevated command prompt and enable test signing (the change takes effect after a reboot): \
`bcdedit /set testsigning on`
4. After the reboot, open an elevated command prompt again.
5. Load the driver with `fltmc.exe` using the *load* option: \
`fltmc load symlinkprotect`
6. Unload the driver with `fltmc.exe` using the *unload* option: \
`fltmc unload symlinkprotect`

## Demo
