Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/subconsciouscompute/poc-windows-rust-filter

Windows Minifilter Driver in pure Rust
https://github.com/subconsciouscompute/poc-windows-rust-filter

ffi ffi-bindings filesystem kernel minifilter minifilter-driver rust windows

Last synced: about 2 months ago
JSON representation

Windows Minifilter Driver in pure Rust

Host: GitHub
URL: https://github.com/subconsciouscompute/poc-windows-rust-filter
Owner: SubconsciousCompute
License: mit
Created: 2023-03-10T09:43:14.000Z (almost 2 years ago)
Default Branch: master
Last Pushed: 2023-11-17T09:17:53.000Z (about 1 year ago)
Last Synced: 2023-11-17T10:34:15.592Z (about 1 year ago)
Topics: ffi, ffi-bindings, filesystem, kernel, minifilter, minifilter-driver, rust, windows
Language: Rust
Homepage:
Size: 5.72 MB
Stars: 28
Watchers: 2
Forks: 3
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # Rust Minifilter POC

A simple minifilter that informs about currently open files in Rust

**Also see [fsfilter-rs](https://github.com/SubconsciousCompute/fsfilter-rs) that has minifilter interacting with

userspace Rust application**

## Prerequisites

- [Rust](https://www.rust-lang.org/)

- [Microsoft Visual Studio](https://visualstudio.microsoft.com/)

- [Windows SDK](https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/)

- [Windows Driver Kit](https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk)

- [LLVM and Clang (for bindgen)](https://releases.llvm.org/download.html)

- [Cargo Make](https://github.com/sagiegurari/cargo-make)

It is best if you

follow [Codentium - Windows Drivers in Rust: Prerequisites](https://codentium.com/guides/windows-dev/windows-drivers-in-rust-prerequisites/).

You can set up a VM for testing by following [DEBUG](DEBUG.md).

## Building

From inside [windows-rust-minifilter](windows-rust-minifilter), run:

`cargo make --profile production all`

**Note: You might need to run `cargo clean` before rebuilding again.**

## Loading and Running

You can use [OsrLoader](https://www.osronline.com/article.cfm%5Earticle=157.htm) to load the Minifilter (Ideally I

should make an `.inf` file but lazy thimes)

- Set type to `minifilter`

- Load Group to `FSFilter Activity Monitor`

- Altitude to `37777`

You should be able to see the list of open files in the Debugger (You will need to remove comments

in [`G_CALLBACKS`](windows-rust-minifilter/src/lib.rs) global array).

![osrloader](readme_resources/osrloader.png)

You can also communicate with user space application by using [windows-rust-application](windows-rust-application).

![user](readme_resources/user.png)

## References

- [apriorit](https://www.apriorit.com/dev-blog/675-driver-windows-minifilter-driver-development-tutorial)

- [Windows Drivers in Rust](https://codentium.com/guides/windows-dev/)