https://github.com/tandasat/scavenger

A minifilter driver preserves all modified and deleted files.
https://github.com/tandasat/scavenger

Last synced: 7 months ago
JSON representation

A minifilter driver preserves all modified and deleted files.

• Host: GitHub
• URL: https://github.com/tandasat/scavenger
• Owner: tandasat
• License: other
• Created: 2015-03-10T04:24:52.000Z (over 10 years ago)
• Default Branch: master
• Last Pushed: 2015-07-17T23:42:44.000Z (almost 10 years ago)
• Last Synced: 2023-08-04T17:08:19.894Z (almost 2 years ago)
• Language: C
• Size: 246 KB
• Stars: 61
• Watchers: 12
• Forks: 28
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
Scavenger

==========

It copies all files that were modified and some files that are being deleted to

a C:\Windows\Scavenger\ directory.

* IMPORTANT

It was initially developed to familiarize myself with a mini-filter driver and

unlikely to have any notable advantages over using other open source tools 

such as [Cockoo Sandbox](http://cuckoo.readthedocs.org/en/latest/)

or [Capture-BAT](https://www.honeynet.org/node/315). 

It is also rather incomplete as it does not handle FILE_DELETE_ON_CLOSE

events. For more comprehensive code, refer to the

[Delete File System Minifilter Driver](https://code.msdn.microsoft.com/windowshardware/Delete-File-System-b904651d) sample.

Installation and Uninstallation

--------------------------------

Get an archive file for compiled files form this link:

    https://github.com/tandasat/Scavenger/releases/latest

Then:

1. Extract the zip file and deploy appropriate version of files onto a target 

   system.

2. On the target system, execute install.bat with the administrator privilege.

On the x64 bit platform, you have to enable test signing to install the driver.

To do that, open the command prompt with the administrator privilege and type 

the following command, and then reboot the system to activate the change.

   >bcdedit /set {current} testsigning on

To uninstall the program, execute uninstall.bat with the administrator privilege.

Alternatively, you can use a [DrvLoader](https://github.com/tandasat/DrvLoader)

with a -F option on command prompt with the administrator privilege.

Usage

------

Once you have installed it, you should see output logs on DebugView and saved

files under the C:\Windows\Scavenger\ directory.

Caveats

--------

- It does not handle:

 - a file whose size is zero or larger than 4GB, or

 - any of operations done by a system thread.

Supported Platforms

--------------------

- Windows 7 SP1 and 8.1 (x86/x64)

License

--------

This software is released under the MIT License, see LICENSE.