diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..1ff0c42 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,63 @@ +############################################################################### +# Set default behavior to automatically normalize line endings. +############################################################################### +* text=auto + +############################################################################### +# Set default behavior for command prompt diff. +# +# This is need for earlier builds of msysgit that does not have it on by +# default for csharp files. +# Note: This is only used by command line +############################################################################### +#*.cs diff=csharp + +############################################################################### +# Set the merge driver for project and solution files +# +# Merging from the command prompt will add diff markers to the files if there +# are conflicts (Merging from VS is not affected by the settings below, in VS +# the diff markers are never inserted). Diff markers may cause the following +# file extensions to fail to load in VS. An alternative would be to treat +# these files as binary and thus will always conflict and require user +# intervention with every merge. To do so, just uncomment the entries below +############################################################################### +#*.sln merge=binary +#*.csproj merge=binary +#*.vbproj merge=binary +#*.vcxproj merge=binary +#*.vcproj merge=binary +#*.dbproj merge=binary +#*.fsproj merge=binary +#*.lsproj merge=binary +#*.wixproj merge=binary +#*.modelproj merge=binary +#*.sqlproj merge=binary +#*.wwaproj merge=binary + +############################################################################### +# behavior for image files +# +# image files are treated as binary by default. 
+############################################################################### +#*.jpg binary +#*.png binary +#*.gif binary + +############################################################################### +# diff behavior for common document formats +# +# Convert binary document formats to text before diffing them. This feature +# is only available from the command line. Turn it on by uncommenting the +# entries below. +############################################################################### +#*.doc diff=astextplain +#*.DOC diff=astextplain +#*.docx diff=astextplain +#*.DOCX diff=astextplain +#*.dot diff=astextplain +#*.DOT diff=astextplain +#*.pdf diff=astextplain +#*.PDF diff=astextplain +#*.rtf diff=astextplain +#*.RTF diff=astextplain diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3c4efe2 --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,261 @@ +## Ignore Visual Studio temporary files, build results, and +## files generated by popular Visual Studio add-ons. + +# User-specific files +*.suo +*.user +*.userosscache +*.sln.docstates + +# User-specific files (MonoDevelop/Xamarin Studio) +*.userprefs + +# Build results +[Dd]ebug/ +[Dd]ebugPublic/ +[Rr]elease/ +[Rr]eleases/ +x64/ +x86/ +bld/ +[Bb]in/ +[Oo]bj/ +[Ll]og/ + +# Visual Studio 2015 cache/options directory +.vs/ +# Uncomment if you have tasks that create the project's static files in wwwroot +#wwwroot/ + +# MSTest test Results +[Tt]est[Rr]esult*/ +[Bb]uild[Ll]og.* + +# NUNIT +*.VisualState.xml +TestResult.xml + +# Build Results of an ATL Project +[Dd]ebugPS/ +[Rr]eleasePS/ +dlldata.c + +# DNX +project.lock.json +project.fragment.lock.json +artifacts/ + +*_i.c +*_p.c +*_i.h +*.ilk +*.meta +*.obj +*.pch +*.pdb +*.pgc +*.pgd +*.rsp +*.sbr +*.tlb +*.tli +*.tlh +*.tmp +*.tmp_proj +*.log +*.vspscc +*.vssscc +.builds +*.pidb +*.svclog +*.scc + +# Chutzpah Test files +_Chutzpah* + +# Visual C++ cache files +ipch/ +*.aps +*.ncb +*.opendb +*.opensdf +*.sdf +*.cachefile +*.VC.db +*.VC.VC.opendb + +# Visual Studio profiler +*.psess +*.vsp +*.vspx +*.sap + +# TFS 2012 Local Workspace +$tf/ + +# Guidance Automation Toolkit +*.gpState + +# ReSharper is a .NET coding add-in +_ReSharper*/ +*.[Rr]e[Ss]harper +*.DotSettings.user + +# JustCode is a .NET coding add-in +.JustCode + +# TeamCity is a build add-in +_TeamCity* + +# DotCover is a Code Coverage Tool +*.dotCover + +# NCrunch +_NCrunch_* +.*crunch*.local.xml +nCrunchTemp_* + +# MightyMoose +*.mm.* +AutoTest.Net/ + +# Web workbench (sass) +.sass-cache/ + +# Installshield output folder +[Ee]xpress/ + +# DocProject is a documentation generator add-in +DocProject/buildhelp/ +DocProject/Help/*.HxT +DocProject/Help/*.HxC +DocProject/Help/*.hhc +DocProject/Help/*.hhk +DocProject/Help/*.hhp +DocProject/Help/Html2 +DocProject/Help/html + +# Click-Once directory +publish/ + +# Publish Web Output 
+*.[Pp]ublish.xml +*.azurePubxml +# TODO: Comment the next line if you want to checkin your web deploy settings +# but database connection strings (with potential passwords) will be unencrypted +#*.pubxml +*.publishproj + +# Microsoft Azure Web App publish settings. Comment the next line if you want to +# checkin your Azure Web App publish settings, but sensitive information contained +# in these scripts will be unencrypted +PublishScripts/ + +# NuGet Packages +*.nupkg +# The packages folder can be ignored because of Package Restore +**/packages/* +# except build/, which is used as an MSBuild target. +!**/packages/build/ +# Uncomment if necessary however generally it will be regenerated when needed +#!**/packages/repositories.config +# NuGet v3's project.json files produces more ignoreable files +*.nuget.props +*.nuget.targets + +# Microsoft Azure Build Output +csx/ +*.build.csdef + +# Microsoft Azure Emulator +ecf/ +rcf/ + +# Windows Store app package directories and files +AppPackages/ +BundleArtifacts/ +Package.StoreAssociation.xml +_pkginfo.txt + +# Visual Studio cache files +# files ending in .cache can be ignored +*.[Cc]ache +# but keep track of directories ending in .cache +!*.[Cc]ache/ + +# Others +ClientBin/ +~$* +*~ +*.dbmdl +*.dbproj.schemaview +*.jfm +*.pfx +*.publishsettings +node_modules/ +orleans.codegen.cs + +# Since there are multiple workflows, uncomment next line to ignore bower_components +# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) +#bower_components/ + +# RIA/Silverlight projects +Generated_Code/ + +# Backup & report files from converting an old project file +# to a newer Visual Studio version. 
Backup files are not needed, +# because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm + +# SQL Server files +*.mdf +*.ldf + +# Business Intelligence projects +*.rdl.data +*.bim.layout +*.bim_*.settings + +# Microsoft Fakes +FakesAssemblies/ + +# GhostDoc plugin setting file +*.GhostDoc.xml + +# Node.js Tools for Visual Studio +.ntvs_analysis.dat + +# Visual Studio 6 build log +*.plg + +# Visual Studio 6 workspace options file +*.opt + +# Visual Studio LightSwitch build output +**/*.HTMLClient/GeneratedArtifacts +**/*.DesktopClient/GeneratedArtifacts +**/*.DesktopClient/ModelManifest.xml +**/*.Server/GeneratedArtifacts +**/*.Server/ModelManifest.xml +_Pvt_Extensions + +# Paket dependency manager +.paket/paket.exe +paket-files/ + +# FAKE - F# Make +.fake/ + +# JetBrains Rider +.idea/ +*.sln.iml + +# CodeRush +.cr/ + +# Python Tools for Visual Studio (PTVS) +__pycache__/ +*.pyc \ No newline at end of file diff --git a/GilRan.sln b/GilRan.sln new file mode 100644 index 0000000..d1ebb26 --- /dev/null +++ b/GilRan.sln 
@@ -0,0 +1,51 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio 15 +VisualStudioVersion = 15.0.28010.2026 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "GilRan", "GilRan\GilRan.vcxproj", "{3CAC765B-866C-4353-89AD-F4CD80D1BCA5}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|ARM = Debug|ARM + Debug|ARM64 = Debug|ARM64 + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|ARM = Release|ARM + Release|ARM64 = Release|ARM64 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Debug|ARM.ActiveCfg = Debug|ARM + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Debug|ARM.Build.0 = Debug|ARM + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Debug|ARM.Deploy.0 = Debug|ARM + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Debug|ARM64.ActiveCfg = Debug|ARM64 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Debug|ARM64.Build.0 = Debug|ARM64 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Debug|ARM64.Deploy.0 = Debug|ARM64 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Debug|x64.ActiveCfg = Debug|x64 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Debug|x64.Build.0 = Debug|x64 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Debug|x64.Deploy.0 = Debug|x64 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Debug|x86.ActiveCfg = Debug|Win32 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Debug|x86.Build.0 = Debug|Win32 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Debug|x86.Deploy.0 = Debug|Win32 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Release|ARM.ActiveCfg = Release|ARM + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Release|ARM.Build.0 = Release|ARM + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Release|ARM.Deploy.0 = Release|ARM + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Release|ARM64.ActiveCfg = Release|ARM64 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Release|ARM64.Build.0 = Release|ARM64 + 
{3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Release|ARM64.Deploy.0 = Release|ARM64 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Release|x64.ActiveCfg = Release|x64 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Release|x64.Build.0 = Release|x64 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Release|x64.Deploy.0 = Release|x64 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Release|x86.ActiveCfg = Release|Win32 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Release|x86.Build.0 = Release|Win32 + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5}.Release|x86.Deploy.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {6C6F6A95-4EB2-41A2-9F4A-FB6D5E922DB2} + EndGlobalSection +EndGlobal diff --git a/GilRan/GilRan.c b/GilRan/GilRan.c new file mode 100644 index 0000000..75c99ee --- /dev/null +++ b/GilRan/GilRan.c 
@@ -0,0 +1,180 @@
+/*++
+
+Module Name:
+
+ GilRan.c
+
+Abstract:
+
+ This is the main module of the GilRan miniFilter driver.
+
+Environment:
+
+ Kernel mode
+
+--*/
+
+#include 
+#include 
+#include 
+
+#pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers")
+
+PFLT_FILTER gFilterHandle;
+ULONG_PTR OperationStatusCtx = 1;
+
+/*************************************************************************
+ Prototypes
+*************************************************************************/
+
+EXTERN_C_START
+
+DRIVER_INITIALIZE DriverEntry;
+NTSTATUS
+DriverEntry (
+ _In_ PDRIVER_OBJECT DriverObject,
+ _In_ PUNICODE_STRING RegistryPath
+ );
+
+NTSTATUS
+GilRanUnload (
+ _In_ FLT_FILTER_UNLOAD_FLAGS Flags
+ );
+
+EXTERN_C_END
+
+//
+// Assign text sections for each routine.
+//
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text(INIT, DriverEntry)
+#pragma alloc_text(PAGE, GilRanUnload)
+#endif
+
+//
+// operation registration
+//
+
+CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
+ { IRP_MJ_OPERATION_END }
+};
+
+//
+// This defines what we want to filter with FltMgr
+//
+
+CONST FLT_REGISTRATION FilterRegistration = {
+
+ sizeof( FLT_REGISTRATION ), // Size
+ FLT_REGISTRATION_VERSION, // Version
+ 0, // Flags
+
+ NULL, // Context
+ Callbacks, // Operation callbacks
+
+ GilRanUnload, // MiniFilterUnload
+
+ NULL, // InstanceSetup
+ NULL, // InstanceQueryTeardown
+ NULL, // InstanceTeardownStart
+ NULL, // InstanceTeardownComplete
+
+ NULL, // GenerateFileName
+ NULL, // GenerateDestinationFileName
+ NULL // NormalizeNameComponent
+
+};
+
+/*************************************************************************
+ MiniFilter initialization and unload routines.
+*************************************************************************/
+
+NTSTATUS
+DriverEntry (
+ _In_ PDRIVER_OBJECT DriverObject,
+ _In_ PUNICODE_STRING RegistryPath
+ )
+/*++
+
+Routine Description:
+
+ This is the initialization routine for this miniFilter driver. This
+ registers with FltMgr and initializes all global data structures.
+
+Arguments:
+
+ DriverObject - Pointer to driver object created by the system to
+ represent this driver.
+
+ RegistryPath - Unicode string identifying where the parameters for this
+ driver are located in the registry.
+
+Return Value:
+
+ Routine can return non success error codes.
+
+--*/
+{
+ NTSTATUS status;
+
+ UNREFERENCED_PARAMETER( RegistryPath );
+
+ //
+ // Register with FltMgr to tell it our callback routines
+ //
+
+ status = FltRegisterFilter( DriverObject,
+ &FilterRegistration,
+ &gFilterHandle );
+
+ FLT_ASSERT( NT_SUCCESS( status ) );
+
+ if (NT_SUCCESS( status )) {
+
+ //
+ // Start filtering i/o
+ //
+
+ status = FltStartFiltering( gFilterHandle );
+
+ if (!NT_SUCCESS( status )) {
+
+ FltUnregisterFilter( gFilterHandle );
+ }
+ }
+
+ return status;
+}
+
+NTSTATUS
+GilRanUnload (
+ _In_ FLT_FILTER_UNLOAD_FLAGS Flags
+ )
+/*++
+
+Routine Description:
+
+ This is the unload routine for this miniFilter driver. This is called
+ when the minifilter is about to be unloaded. We can fail this unload
+ request if this is not a mandatory unload indicated by the Flags
+ parameter.
+
+Arguments:
+
+ Flags - Indicating if this is a mandatory unload.
+
+Return Value:
+
+ Returns STATUS_SUCCESS.
+
+--*/
+{
+ UNREFERENCED_PARAMETER( Flags );
+
+ PAGED_CODE();
+
+ FltUnregisterFilter( gFilterHandle );
+
+ return STATUS_SUCCESS;
+}
\ No newline at end of file
diff --git a/GilRan/GilRan.inf b/GilRan/GilRan.inf
new file mode 100644
index 0000000..d2ecc86
--- /dev/null
+++ b/GilRan/GilRan.inf
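Review bot: GilRanUnload's routine description says the filter "can fail this unload request if this is not a mandatory unload indicated by the Flags parameter", but the body does `UNREFERENCED_PARAMETER( Flags );` and unregisters unconditionally, so the comment promises a protection the code does not implement. Either test `Flags & FLTFL_FILTER_UNLOAD_MANDATORY` and return `STATUS_FLT_DO_NOT_DETACH` for optional unloads the filter wants to refuse, or trim the description to "unregisters the filter and always returns STATUS_SUCCESS" so nobody reading an Anti-Virus-class filter assumes it resists a plain `fltmc unload`. Separately, `FLT_ASSERT( NT_SUCCESS( status ) );` in DriverEntry treats a failed FltRegisterFilter as a programming invariant, yet a missing or malformed Instances registry key from the INF is an expected runtime failure that the following `if` already reports correctly; on checked builds the assert will break into the debugger for a condition the function handles, so it is better dropped. `OperationStatusCtx` is assigned `1` and never read anywhere in this file; remove it or add a comment saying what future callback will use it.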
@@ -0,0 +1,92 @@
+;;;
+;;; GilRan
+;;;
+
+[Version]
+Signature = "$Windows NT$"
+Class = "AntiVirus" ;This is determined by the work this filter driver does
+ClassGuid = {b1d1a169-c54f-4379-81db-bee7d88d7454} ;This value is determined by the Load Order Group value
+Provider = %ManufacturerName%
+DriverVer = 
+CatalogFile = GilRan.cat
+
+[DestinationDirs]
+DefaultDestDir = 12
+MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers
+
+;;
+;; Default install sections
+;;
+
+[DefaultInstall]
+OptionDesc = %ServiceDescription%
+CopyFiles = MiniFilter.DriverFiles
+
+[DefaultInstall.Services]
+AddService = %ServiceName%,,MiniFilter.Service
+
+;;
+;; Default uninstall sections
+;;
+
+[DefaultUninstall]
+DelFiles = MiniFilter.DriverFiles
+
+[DefaultUninstall.Services]
+DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting
+
+;
+; Services Section
+;
+
+[MiniFilter.Service]
+DisplayName = %ServiceName%
+Description = %ServiceDescription%
+ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\
+Dependencies = "FltMgr"
+ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER
+StartType = 2 ;SERVICE_AUTO_START
+ErrorControl = 1 ;SERVICE_ERROR_NORMAL
+LoadOrderGroup = "FSFilter Anti-Virus"
+AddReg = MiniFilter.AddRegistry
+
+;
+; Registry Modifications
+;
+
+[MiniFilter.AddRegistry]
+HKR,,"DebugFlags",0x00010001 ,0x0
+HKR,,"SupportedFeatures",0x00010001,0x3
+HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
+HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
+HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%
+
+;
+; Copy Files
+;
+
+[MiniFilter.DriverFiles]
+%DriverName%.sys
+
+[SourceDisksFiles]
+GilRan.sys = 1,,
+
+[SourceDisksNames]
+1 = %DiskId1%,,,
+
+;;
+;; String Section
+;;
+
+[Strings]
+ManufacturerName = "GIL"
+ServiceDescription = "GilRan Mini-Filter Driver"
+ServiceName = "GilRan"
+DriverName = "GilRan"
+DiskId1 = "GilRan Device Installation Disk"
+
+;Instances specific information.
+DefaultInstance = "GilRan Instance"
+Instance1.Name = "GilRan Instance"
+Instance1.Altitude = "321004"
+Instance1.Flags = 0x0 ; Allow all attachments
diff --git a/GilRan/GilRan.rc b/GilRan/GilRan.rc
new file mode 100644
index 0000000..02aad23
--- /dev/null
+++ b/GilRan/GilRan.rc
@@ -0,0 +1,10 @@
+#include 
+
+#include 
+
+#define VER_FILETYPE VFT_DRV
+#define VER_FILESUBTYPE VFT2_DRV_SYSTEM
+#define VER_FILEDESCRIPTION_STR "GilRan Filter Driver"
+#define VER_INTERNALNAME_STR "GilRan.sys"
+
+#include "common.ver"
diff --git a/GilRan/GilRan.vcxproj b/GilRan/GilRan.vcxproj
new file mode 100644
index 0000000..ed33453
--- /dev/null
+++ b/GilRan/GilRan.vcxproj
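Review bot: `Instance1.Altitude = "321004"` sits in the FSFilter Anti-Virus altitude range, and altitudes in that range are allocated by Microsoft to a specific filter; if 321004 was not allocated to this driver, it can collide with a shipping AV filter at the same altitude and one of the two will fail to attach. Record the provenance next to the value, e.g. `; Altitude 321004 allocated to GilRan by Microsoft (request ref/date here)`, or mark it `; PLACEHOLDER - allocation pending` so it is not shipped by accident. `Instance1.Flags = 0x0` combined with the NULL InstanceSetup callback in GilRan.c means FltMgr will auto-attach this instance to every volume, including removable and network ones; if that is intended, widen the comment to `; 0x0: auto-attach to all volumes (incl. removable/network)`, otherwise set the Flags bit that suppresses automatic attachment and decide per volume in an InstanceSetup callback. `DriverVer =` is left blank, which is fine only if the build's stampinf step fills it; a one-line comment saying so would save the next reader from assuming it was forgotten.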
@@ -0,0 +1,196 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + Debug + ARM + + + Release + ARM + + + Debug + ARM64 + + + Release + ARM64 + + + + + + + + + {3CAC765B-866C-4353-89AD-F4CD80D1BCA5} + {f2f62967-0815-4fd7-9b86-6eedcac766eb} + v4.5 + 12.0 + Debug + Win32 + GilRan + + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + WDM + + + + + + + + + + + DbgengKernelDebugger + true + + + DbgengKernelDebugger + true + + + DbgengKernelDebugger + true + + + DbgengKernelDebugger + true + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + + fltmgr.lib;%(AdditionalDependencies) + + + false + + + + + fltmgr.lib;%(AdditionalDependencies) + + + + + fltmgr.lib;%(AdditionalDependencies) + + + false + + + + + fltmgr.lib;%(AdditionalDependencies) + + + + + fltmgr.lib;%(AdditionalDependencies) + + + + + fltmgr.lib;%(AdditionalDependencies) + + + + + fltmgr.lib;%(AdditionalDependencies) + + + + + fltmgr.lib;%(AdditionalDependencies) + + + + + + + + + \ No newline at end of file diff --git a/GilRan/GilRan.vcxproj.filters b/GilRan/GilRan.vcxproj.filters new file mode 100644 index 0000000..b166d87 --- /dev/null +++ b/GilRan/GilRan.vcxproj.filters 
@@ -0,0 +1,36 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + {8E41214B-6785-4CFE-B992-037D68949A14} + inf;inv;inx;mof;mc; + + + + + Driver Files + + + + + Source Files + + + + + Resource Files + + + \ No newline at end of file