@andronoob
Last active July 18, 2018 06:58
Stupid NTFS FSD Hook Driver
@anotherfinemess84

Hi friend, do you have contact details for Email, QQ or Gmail? I wish to talk to you about a similar project :)

Thank you


andronoob commented Jul 10, 2018

1. Use FsFilter1.inf to install, or you may get a BSoD (DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS).
2. Load the driver:

sc start FsFilter1

3. Use DbgView to show the intercepted messages of IRP_MJ_CREATE.
Note: You may encounter an error message if you attempt to restart DbgView:

Could not extract Debug View driver to c:\Windows\System32\Drivers\Dbgv.sys

There is a patched version of DbgView which fixes this issue:
https://www.cnblogs.com/jiaochen/p/5581440.html
If you have difficulty downloading it, you may try to patch the original DbgView.exe yourself.
4. Unload the driver:

sc stop FsFilter1

FsFilter1.inf

;;;
;;; FsFilter1
;;;

[Version]
Signature   = "$Windows NT$"
; TODO - Change the Class and ClassGuid to match the Load Order Group value, see https://msdn.microsoft.com/en-us/windows/hardware/gg462963
; Class       = "ActivityMonitor"                         ;This is determined by the work this filter driver does
; ClassGuid   = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}    ;This value is determined by the Load Order Group value
Class = "ActivityMonitor"
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}
Provider    = %ManufacturerName%
DriverVer = 04/29/2017,17.25.29.681
CatalogFile = FsFilter1.cat

[DestinationDirs]
DefaultDestDir          = 12
MiniFilter.DriverFiles  = 12            ;%windir%\system32\drivers

;;
;; Default install sections
;;

[DefaultInstall]
OptionDesc          = %ServiceDescription%
CopyFiles           = MiniFilter.DriverFiles

[DefaultInstall.Services]
AddService          = %ServiceName%,,MiniFilter.Service

;;
;; Default uninstall sections
;;

[DefaultUninstall]
DelFiles   = MiniFilter.DriverFiles

[DefaultUninstall.Services]
DelService = %ServiceName%,0x200      ;Ensure service is stopped before deleting

;
; Services Section
;

[MiniFilter.Service]
DisplayName      = %ServiceName%
Description      = %ServiceDescription%
ServiceBinary    = %12%\%DriverName%.sys        ;%windir%\system32\drivers\
Dependencies     = "FltMgr"
ServiceType      = 2                            ;SERVICE_FILE_SYSTEM_DRIVER
StartType        = 3                            ;SERVICE_DEMAND_START
ErrorControl     = 1                            ;SERVICE_ERROR_NORMAL
; TODO - Change the Load Order Group value
; LoadOrderGroup = "FSFilter Activity Monitor"
LoadOrderGroup = "_TODO_Change_LoadOrderGroup_appropriately_"
AddReg           = MiniFilter.AddRegistry

;
; Registry Modifications
;

[MiniFilter.AddRegistry]
HKR,,"DebugFlags",0x00010001 ,0x0
HKR,,"SupportedFeatures",0x00010001,0x3
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%

;
; Copy Files
;

[MiniFilter.DriverFiles]
%DriverName%.sys

[SourceDisksFiles]
FsFilter1.sys = 1,,

[SourceDisksNames]
1 = %DiskId1%,,,

;;
;; String Section
;;

[Strings]
; TODO - Add your manufacturer
ManufacturerName        = "Template"
ServiceDescription      = "FsFilter1 Mini-Filter Driver"
ServiceName             = "FsFilter1"
DriverName              = "FsFilter1"
DiskId1                 = "FsFilter1 Device Installation Disk"

;Instances specific information.
DefaultInstance         = "FsFilter1 Instance"
Instance1.Name          = "FsFilter1 Instance"
; TODO - Change the altitude value, see https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers
Instance1.Altitude       = "_TODO_Change_Altitude_appropriately_"
Instance1.Flags         = 0x0              ; Allow all attachments

SHA256 of original DbgView.exe:
1244bd02a203bec1b1e0ab85ed8ed83501ec4d17e613f1934951abeb7956abb0
fc DbgView_orig.exe DbgView_patched.exe

00009A88: 32 B0
00009A89: C0 01
0006D96C: 31 32
0006D96E: 39 30
0006D970: 39 31
0006D972: 38 36
0006D97A: 31 32
0006D97C: 32 30
0006D980: 4D 4A
0006D982: 61 69
0006D984: 72 61
0006D986: 6B 6F
0006D98A: 52 43
0006D98C: 75 68
0006D98E: 73 65
0006D990: 73 6E
0006D992: 69 20
0006D994: 6E 20
0006D996: 6F 20
0006D998: 76 20
0006D99A: 69 20
0006D99C: 63 20
0006D99E: 68 20
0006D9EE: 82 20
0006D9F0: 53 20
0006D9F2: 79 20
0006D9F4: 73 20
0006D9F6: 69 20
0006D9F8: 6E 20
0006D9FA: 74 20
0006D9FC: 65 20
0006D9FE: 72 20
0006DA00: 6E 20
0006DA02: 61 20
0006DA04: 6C 20
0006DA06: 73 20
0006DA0A: 2D 20
0006DA0E: 77 20
0006DA10: 77 20
0006DA12: 77 20
0006DA14: 2E 20
0006DA16: 73 20
0006DA18: 79 20
0006DA1A: 73 20
0006DA1C: 69 20
0006DA1E: 6E 20
0006DA20: 74 20
0006DA22: 65 20
0006DA24: 72 20
0006DA26: 6E 20
0006DA28: 61 20
0006DA2A: 6C 20
0006DA2C: 73 20
0006DA2E: 2E 20
0006DA30: 63 20
0006DA32: 6F 20
0006DA34: 6D 20
0007044C: 31 32
0007044E: 39 30
00070450: 39 31
00070452: 38 36
0007045A: 31 32
0007045C: 32 30
00070460: 4D 4A
00070462: 61 69
00070464: 72 61
00070466: 6B 6F
0007046A: 52 43
0007046C: 75 68
0007046E: 73 65
00070470: 73 6E
00070472: 69 20
00070474: 6E 20
00070476: 6F 20
00070478: 76 20
0007047A: 69 20
0007047C: 63 20
0007047E: 68 20
000704E4: 53 44
000704E6: 79 65
000704E8: 73 62
000704EA: 69 75
000704EC: 6E 67
000704EE: 74 76
000704F0: 65 69
000704F2: 72 65
000704F4: 6E 77
000704F6: 61 28
000704F8: 6C 62
000704FA: 73 79
000704FE: 44 4A
00070500: 65 69
00070502: 62 61
00070504: 75 6F
00070506: 67 43
00070508: 76 68
0007050A: 69 65
0007050C: 65 6E
0007050E: 77 29
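The comment above closes with the SHA-256 of the unmodified DbgView.exe and an `fc` listing of every byte that differs in the patched build, and suggests patching the original yourself. What follows is an added example, not the gist author's code and not anything from Sysinternals: a small Python tool that parses an `fc` listing of that shape ("OFFSET: OLD NEW" per byte), refuses to write anything unless the input file matches the stated hash and every pre-patch byte is really present at its offset, and prints the changed runs as text (grouped at a stride of 2, since the affected strings are wide characters) so you can see what a patch changes before applying it. The embedded `FC_EXCERPT` is only the first six lines of the listing above; paste the full listing (or pass it as a file) to apply the complete patch. `ORIG_SHA256` is the hash from the comment; the file names are assumptions.

```python
#!/usr/bin/env python3
"""Apply a byte-level patch given as `fc` output, with integrity checks.

Added example for this gist (not the gist author's code). It assumes the
patch is described by the lines `fc` prints for binary files, one
"OFFSET: OLD NEW" line per differing byte, and that ORIG_SHA256 is the
hash of the unmodified DbgView.exe as stated in the comment above.
"""
import hashlib
import re
import sys

FC_LINE = re.compile(r"^\s*([0-9A-Fa-f]+):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")

# SHA-256 of the original DbgView.exe, copied from the gist comment.
ORIG_SHA256 = "1244bd02a203bec1b1e0ab85ed8ed83501ec4d17e613f1934951abeb7956abb0"

# Excerpt (first six lines) of the fc listing from the comment above; replace
# with the complete listing, or load it from a file, to apply the whole patch.
FC_EXCERPT = """\
00009A88: 32 B0
00009A89: C0 01
0006D96C: 31 32
0006D96E: 39 30
0006D970: 39 31
0006D972: 38 36
"""


def parse_fc(text):
    """Parse fc output into (offset, old_byte, new_byte) tuples sorted by offset."""
    edits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised fc line: {line!r}")
        edits.append((int(m.group(1), 16), int(m.group(2), 16), int(m.group(3), 16)))
    return sorted(edits)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def apply_patch(data, edits, expected_sha256=None):
    """Return a patched copy of `data`.

    Nothing is modified unless the input hash matches (when one is given) and
    every OLD byte in the listing is present at its offset, so a different
    DbgView build is never half-patched.
    """
    if expected_sha256 is not None and sha256_hex(data) != expected_sha256.lower():
        raise ValueError("input does not match the expected SHA-256; refusing to patch")
    out = bytearray(data)
    for off, old, new in edits:
        if off >= len(out):
            raise ValueError(f"offset {off:#x} lies beyond the end of the file")
        if out[off] != old:
            raise ValueError(f"byte at {off:#x} is {out[off]:#04x}, listing expects {old:#04x}")
        out[off] = new
    return bytes(out)


def group_runs(edits, stride=2):
    """Group sorted edits whose offsets are `stride` apart (2 follows UTF-16 text)."""
    runs = []
    for e in edits:
        if runs and e[0] == runs[-1][-1][0] + stride:
            runs[-1].append(e)
        else:
            runs.append([e])
    return runs


def describe_runs(edits, stride=2):
    """Render each run's OLD and NEW bytes as text so the intent of the patch is visible."""
    def text(bs):
        return "".join(chr(b) if 32 <= b < 127 else "." for b in bs)
    return [(run[0][0], text(e[1] for e in run), text(e[2] for e in run))
            for run in group_runs(edits, stride)]


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} fc_listing.txt DbgView_orig.exe DbgView_patched.exe")
        return 2
    with open(argv[1], encoding="utf-8") as f:
        edits = parse_fc(f.read())
    with open(argv[2], "rb") as f:
        original = f.read()
    for off, old, new in describe_runs(edits):
        print(f"{off:08X}: {old!r} -> {new!r}")
    patched = apply_patch(original, edits, ORIG_SHA256)
    with open(argv[3], "wb") as f:
        f.write(patched)
    print(f"wrote {argv[3]} (SHA-256 {sha256_hex(patched)})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run over the full listing, the decoded runs show that only the two bytes at 0x9A88 touch code (x86 `32 C0`, `xor al, al`, becomes `B0 01`, `mov al, 1`, so a routine that returned 0 now returns 1); everything else rewrites wide-character copyright and vendor strings ("1998" to "2016", the author name, the Sysinternals URL). The patched binary no longer matches the original's hash or its Authenticode signature, so record the SHA-256 the tool prints and compare it against the one you were given before running the result.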

@adeelmunir

Thanks for your response. I used the FsFilter1.inf file by right-clicking the inf file and installing it; after that I used the following command.
sc start FsFilter1
I am attaching two snapshots, one for the case with PatchGuard enabled and the other for the case using the Fyyre tool to disable PatchGuard.
[snapshot: fsfilter_patchguard_disabled]
[snapshot: fsfilter_without_patchguard]

  1. For the patch guard disabled case, please check the snapshot: the driver starts and shows some messages on the cmd screen like service name, type and state etc., but I can't see any kernel debug messages in the default DbgView, while the link you provided me is broken so I can download the patched DbgView, so I am not sure what is happening using your driver code, not even sure about the PatchGuard status.
  2. For the patch guard enabled case, please check the snapshot: in this case the driver service does not start and gives "StartService failed 577:", a message related to digital signatures.

I only want to know about the PatchGuard status using your driver code; please let me know what to do further.

Thanks

@adeelmunir

Hi Andronoob,

Can you tell me more to confirm your driver? I can't see its working behavior.
