Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/yardenshafir/SymlinkCallback

A driver that hooks C: volume using symbolic link callback to track all FS access to the volume
https://github.com/yardenshafir/SymlinkCallback

Last synced: 3 months ago
JSON representation

A driver that hooks C: volume using symbolic link callback to track all FS access to the volume

Host: GitHub
URL: https://github.com/yardenshafir/SymlinkCallback
Owner: yardenshafir
Created: 2020-01-23T09:53:22.000Z (almost 5 years ago)
Default Branch: master
Last Pushed: 2020-04-24T20:18:19.000Z (over 4 years ago)
Last Synced: 2024-06-16T02:43:04.202Z (5 months ago)
Language: C++
Homepage:
Size: 19.5 KB
Stars: 99
Watchers: 9
Forks: 40
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-game-security - SymlinkCallback

README

# SymlinkCallback

Write-ups: https://windows-internals.com/dkom-now-with-symbolic-links/, https://windows-internals.com/symhooks-part-two/, https://windows-internals.com/symhooks-part-three/, https://windows-internals.com/symhooks-part-four/

This driver uses the option to set a dynamic target for a symbolic link and hooks the symlink of the C: volume.

It modifies the symlink object and replaces the LinkTarget string with a callback function which will be called whenever the symlink is accessed.

Then, it creates a device object and redirects the symlink target to the device object, adding a "\Foo" suffix in order to avoid direct volume open attempts (which cannot be reparsed). This allows it to intercept all file open operations on the C: volume through its IRP_MJ_CREATE handler. This handler then reparses the name back to the original C: volume target device object, removing the "\Foo" suffix that was added.

Created by @aionescu (https://github.com/ionescu007/) and @yarden_shafir