windows-fs-minifilter-rust

a sample Windows file-system minifilter driver written in Rust, built for the x86_64-pc-windows-gnu target so it can be cross-compiled from Linux with mingw-w64

prerequisites

build

  • install rustup
  • install the x86_64-pc-windows-gnu target via rustup target add x86_64-pc-windows-gnu
  • install mingw-w64 -- apt install mingw-w64 gcc-mingw-w64 -- dnf install mingw64-*

target

  • install the Windows SDK -- we need certmgr, MakeCert, and signtool, which ship with the SDK
  • install DbgView from sysinternals

submodules

  • bindgen - generate winapi bindings via windows-bindgen
  • filter - the minifilter driver

setup

the sample filter is a kernel-mode minifilter driver signed only with a self-generated test certificate, so you'll need to enable test signing on the target machine before it will load

bcdedit /set testsigning on

the example also logs via DbgPrint, so you'll need to enable kernel debug output; the mask 0xffffffff makes every DbgPrint level of the DEFAULT component visible

New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter"
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter" -Name DEFAULT -Value 0xffffffff -PropertyType DWORD -Force

reboot. if setup correctly you should see a "Test Mode" watermark in the corner of the desktop

bindgen

note: this is a one-time setup, the bindings are already generated

cd bindgen
cargo run

this writes the bindings to ./filter/bindings.rs

filter

cd filter
cargo build --release --target x86_64-pc-windows-gnu 2>&1

install filter

  1. copy ./filter/target/x86_64-pc-windows-gnu/release/filter.dll to the target machine; the path you choose must match the ImagePath value set below
  2. create the service in the registry (run from an elevated PowerShell)
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RustFilter" -Force >> log.txt 2> err.txt
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RustFilter" -Name "DependOnService" -Value "FltMgr" -PropertyType EXPANDSTRING -Force >> log.txt 2> err.txt
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RustFilter" -Name "Description" -Value "RustFilter" -PropertyType STRING -Force >> log.txt 2> err.txt
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RustFilter" -Name "DisplayName" -Value "RustFilter" -PropertyType STRING -Force >> log.txt 2> err.txt
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RustFilter" -Name "ErrorControl" -Value 1 -PropertyType DWORD -Force >> log.txt 2> err.txt
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RustFilter" -Name "Group" -Value "FSFilter Activity Monitor" -PropertyType STRING -Force >> log.txt 2> err.txt
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RustFilter" -Name "ImagePath" -Value "\??\C:\Users\Administrator\Desktop\filter.dll" -PropertyType STRING -Force >> log.txt 2> err.txt # !!set this!!
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RustFilter" -Name "Owners" -Value "oem99.inf" -PropertyType STRING -Force >> log.txt 2> err.txt
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RustFilter" -Name "Start" -Value 3 -PropertyType DWORD -Force >> log.txt 2> err.txt
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RustFilter" -Name "Type" -Value 2 -PropertyType DWORD -Force >> log.txt 2> err.txt
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RustFilter\Instances" -Force >> log.txt 2> err.txt
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RustFilter\Instances" -Name "DefaultInstance" -Value "filter" -PropertyType STRING -Force >> log.txt 2> err.txt
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RustFilter\Instances\filter" -Force >> log.txt 2> err.txt
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RustFilter\Instances\filter" -Name "Altitude" -Value "370000" -PropertyType STRING -Force >> log.txt 2> err.txt
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RustFilter\Instances\filter" -Name "Flags" -Value "0" -PropertyType DWORD -Force >> log.txt 2> err.txt
  3. generate a test certificate and add it to the machine's trusted root store (do this once; only on a disposable test machine, since anything signed with this key is then trusted there)
    & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\MakeCert.exe' -r -pe -ss PrivateCertStore -n "CN=Contoso.com(Test)" -eku 1.3.6.1.5.5.7.3.3 ContosoTest.cer
    & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\certmgr.exe' /add .\ContosoTest.cer /s /r localMachine root
  4. sign the driver (repeat after every rebuild)
    & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool' sign /v /fd sha256 /s PrivateCertStore /n "Contoso.com(Test)" /t http://timestamp.digicert.com C:\Users\Administrator\Desktop\filter.dll
  5. run fltmc load RustFilter; fltmc filters should then list RustFilter at altitude 370000, and DbgView (with Capture Kernel enabled) shows the DbgPrint output
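The setup and install steps above as one elevated PowerShell script. This is an added example, not code from the repository: it mirrors the README's registry values, certificate name and signtool invocation, and adds the pre-flight checks and verification a practitioner wants (driver file present, test signing actually on, test certificate present, Authenticode status after signing, filter visible in fltmc filters). The driver path, the SDK version directory 10.0.22621.0 and the certificate subject are taken from the README's commands but are assumptions to adjust for your host.

```powershell
# Added example, not part of the repository. Run from an elevated PowerShell on
# the TEST machine after building and copying filter.dll there.
# Assumptions (adjust for your host): $DriverPath, the SDK version directory and
# the certificate subject, all copied from the README's commands.
#Requires -RunAsAdministrator

$ServiceName = 'RustFilter'
$DriverPath  = 'C:\Users\Administrator\Desktop\filter.dll'   # !!set this!!
$SdkBin      = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64'
$CertSubject = 'Contoso.com(Test)'
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# --- pre-flight: none of the later steps can succeed unless these hold --------
if (-not (Test-Path -LiteralPath $DriverPath)) {
    throw "driver image not found at $DriverPath; copy filter.dll there first"
}
# test signing must be on AND the machine rebooted; bcdedit shows 'testsigning Yes'
$bcd = & bcdedit /enum '{current}' | Out-String
if ($bcd -notmatch 'testsigning\s+Yes') {
    throw 'test signing is off; run "bcdedit /set testsigning on" and reboot'
}
# MakeCert -ss PrivateCertStore (README step 3) creates a CurrentUser store
$haveCert = Get-ChildItem Cert:\CurrentUser\PrivateCertStore -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -eq "CN=$CertSubject" }
if (-not $haveCert) {
    throw "no '$CertSubject' certificate in PrivateCertStore; run the MakeCert/certmgr step first"
}

# --- 1. service registration (same values as the README, driven from a table) --
# DependOnService is documented as REG_MULTI_SZ; the README writes it as EXPANDSTRING.
$values = @(
    @{ Name = 'DependOnService'; Value = 'FltMgr';                    Type = 'MultiString' },
    @{ Name = 'Description';     Value = $ServiceName;                Type = 'String' },
    @{ Name = 'DisplayName';     Value = $ServiceName;                Type = 'String' },
    @{ Name = 'ErrorControl';    Value = 1;                           Type = 'DWord' },
    @{ Name = 'Group';           Value = 'FSFilter Activity Monitor'; Type = 'String' },
    @{ Name = 'ImagePath';       Value = "\??\$DriverPath";           Type = 'String' },  # NT path prefix
    @{ Name = 'Owners';          Value = 'oem99.inf';                 Type = 'String' },
    @{ Name = 'Start';           Value = 3;                           Type = 'DWord' },   # SERVICE_DEMAND_START
    @{ Name = 'Type';            Value = 2;                           Type = 'DWord' }    # SERVICE_FILE_SYSTEM_DRIVER
)
New-Item -Path $ServiceKey -Force | Out-Null
foreach ($v in $values) {
    New-ItemProperty -Path $ServiceKey -Name $v.Name -Value $v.Value -PropertyType $v.Type -Force | Out-Null
}
$inst = "$ServiceKey\Instances"
New-Item -Path "$inst\filter" -Force | Out-Null          # creates Instances and Instances\filter
New-ItemProperty -Path $inst -Name DefaultInstance -Value 'filter' -PropertyType String -Force | Out-Null
New-ItemProperty -Path "$inst\filter" -Name Altitude -Value '370000' -PropertyType String -Force | Out-Null
New-ItemProperty -Path "$inst\filter" -Name Flags -Value 0 -PropertyType DWord -Force | Out-Null

# --- 2. sign with the test certificate (README step 4) and check the result ----
& "$SdkBin\signtool.exe" sign /v /fd sha256 /s PrivateCertStore /n $CertSubject `
    /t http://timestamp.digicert.com $DriverPath
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
if ($sig.Status -eq 'NotSigned') { throw 'driver is still unsigned after signtool run' }
"signature status: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"

# --- 3. load and confirm filter manager lists it at the expected altitude -------
& fltmc.exe load $ServiceName
if ($LASTEXITCODE -ne 0) { throw "fltmc load failed with exit code $LASTEXITCODE" }
$row = & fltmc.exe filters | Select-String -Pattern "^\s*$ServiceName\s"
if (-not $row) { throw "$ServiceName not listed by 'fltmc filters'" }
"loaded: $($row.Line.Trim())"
# DbgPrint output now appears in DbgView with Capture > Capture Kernel enabled.
# Unload with: fltmc unload RustFilter
```

Everything here weakens the test machine's code-integrity posture: test signing accepts kernel drivers signed by any certificate, and the self-signed certificate added to the LocalMachine Root store is trusted for Authenticode on that machine. Keep it on a disposable VM, and when finished run bcdedit /set testsigning off and remove the certificate from the root store.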

tested on

  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016

the real heroes
