Last active
July 18, 2018 06:58
Gist: andronoob/d5882c5e6d21f3dea534a68434abe040
Stupid NTFS FSD Hook Driver
Thanks for your response. I used the FsFilter1.inf file, by right-clicking the inf file and installing it; after that I used the following command.
sc start FsFilter1
I am attaching two snapshots, one for the case with PatchGuard enabled and the other for the case of using Fyyre's tool to disable PatchGuard.
- For the PatchGuard-disabled case, please check the snapshot: the driver starts and shows some messages on the cmd screen like service name, type and state etc., but I can't see any kernel debug messages in the default DbgView, while the link you provided me is broken so I can't download the patched DbgView, so I am not sure what is happening using your driver code, not even sure about the PatchGuard status.
- For the PatchGuard-enabled case, please check the snapshot: in this case the driver service does not start and gives "StartService failed 577:", a message related to digital signatures.
I only want to know about the PatchGuard status using your driver code; please let me know what to do further.
Thanks
Hi Andronoob,
Can you tell me further for confirmation of your driver? I can't see its working behavior.
1. Use FsFilter1.inf to install the driver, or you may get a BSoD (DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS).
2. Load the driver:
3. Use DbgView to show the intercepted IRP_MJ_CREATE messages.
Note: You may encounter an error message if you attempt to restart DbgView:
There is a patched version of DbgView which fixes this issue:
https://www.cnblogs.com/jiaochen/p/5581440.html
If you have difficulty downloading it, you may patch the original DbgView.exe yourself.
4. Unload the driver:
FsFilter1.inf
SHA256 of the original DbgView.exe:
1244bd02a203bec1b1e0ab85ed8ed83501ec4d17e613f1934951abeb7956abb0
fc DbgView_orig.exe DbgView_patched.exe
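The last two lines of the gist describe an integrity check (the SHA256 of the unmodified DbgView.exe) followed by a byte comparison with `fc` to see what the patch changed. The script below is an added example, not code from the gist or from the DbgView patch page: it performs both steps in one place, refuses to diff unless the "original" really hashes to the published digest (otherwise the offsets would describe the wrong build), and reports length differences instead of stopping at the shorter file. The sample bytes at the bottom are constructed for the demonstration and are not the real DbgView contents; the real patch offsets are not known from the page and are not assumed here.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# SHA256 the gist lists for the unmodified DbgView.exe (copied from the page).
DBGVIEW_ORIG_SHA256 = "1244bd02a203bec1b1e0ab85ed8ed83501ec4d17e613f1934951abeb7956abb0"

# One differing position: (offset, original byte, patched byte); None marks a side
# that has no byte at that offset because the file is shorter.
Diff = Tuple[int, Optional[int], Optional[int]]


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of a byte string (the value `certutil -hashfile <file> SHA256` prints)."""
    return hashlib.sha256(data).hexdigest()


def is_expected_original(data: bytes, expected_hex: str = DBGVIEW_ORIG_SHA256) -> bool:
    """True when `data` hashes to the published digest, i.e. it is the build the patch targets."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def binary_diff(original: bytes, patched: bytes) -> List[Diff]:
    """Byte-for-byte comparison in the spirit of `fc /b`.

    Walks to the longer of the two lengths so that truncated or appended data
    shows up as entries with None on the missing side rather than being ignored.
    """
    diffs: List[Diff] = []
    for off in range(max(len(original), len(patched))):
        a = original[off] if off < len(original) else None
        b = patched[off] if off < len(patched) else None
        if a != b:
            diffs.append((off, a, b))
    return diffs


def format_fc(diffs: List[Diff]) -> List[str]:
    """Render diffs as `OFFSET: OLD NEW` lines, the layout fc /b uses; `--` means no byte."""
    lines = []
    for off, a, b in diffs:
        left = "--" if a is None else f"{a:02X}"
        right = "--" if b is None else f"{b:02X}"
        lines.append(f"{off:08X}: {left} {right}")
    return lines


def verify_and_diff(original: bytes, patched: bytes,
                    expected_hex: str = DBGVIEW_ORIG_SHA256) -> List[Diff]:
    """Hash-check the original first, then diff.

    A diff against some other DbgView build would yield offsets that say nothing
    about the real patch, so a hash mismatch is treated as an error, not a warning.
    """
    if not is_expected_original(original, expected_hex):
        raise ValueError("original does not match the published SHA256; wrong DbgView build?")
    return binary_diff(original, patched)


def diff_files(original_path: str, patched_path: str) -> List[str]:
    """File-based entry point: read both binaries, verify the original, return fc-style lines."""
    with open(original_path, "rb") as f:
        original = f.read()
    with open(patched_path, "rb") as f:
        patched = f.read()
    return format_fc(verify_and_diff(original, patched))


# Constructed sample data (not DbgView bytes): a 16-byte stand-in for an image and a
# copy with two bytes changed and one byte appended, to exercise every diff case.
SAMPLE_ORIG = bytes.fromhex("4d5a9000030000000400000000000000")
_patched = bytearray(SAMPLE_ORIG)
_patched[4] = 0x75    # changed byte
_patched[9] = 0x90    # changed byte
_patched += b"\x00"   # appended byte: original side has no byte at offset 16
SAMPLE_PATCHED = bytes(_patched)

if __name__ == "__main__":
    # Diff the constructed sample directly; the hash check only applies to real files.
    print("\n".join(format_fc(binary_diff(SAMPLE_ORIG, SAMPLE_PATCHED))))
```

Run `diff_files("DbgView_orig.exe", "DbgView_patched.exe")` on the two real binaries; it raises before diffing if the "original" you downloaded is not the build whose hash the gist gives, which is the check to make before trusting a third-party patched copy of a tool that will run with admin rights.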