Windows FileSystem Mini Filter Driver Development

A File system filter driver intercepts requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its intended target, the filter driver can extend or replace functionality provided by the original target of the request. Examples of file system filter drivers include anti-virus filters, backup agents, and encryption products. To develop file systems and file system filter drivers, use the IFS (Installable File System) Kit, which is provided with the Windows Driver Kit (WDK).

Filter Manager and Minifilters Basics:

The Filter Manager is a file system filter driver provided by Microsoft that simplifies the development of third-party filter drivers and solves many of the problems with the existing legacy filter driver model, such as the ability to control load order through an assigned altitude. A filter driver developed to the Filter Manager model is called a minifilter. Every minifilter driver has an assigned altitude, which is a unique identifier that determines where the minifilter is loaded.

A minifilter driver can be loaded at any time while the system is running. If a minifilter driver's INF file specifies a driver start type of SERVICE_BOOT_START, SERVICE_SYSTEM_START, or SERVICE_AUTO_START, the minifilter driver is loaded according to existing load order group definitions for file system filter drivers, to support interoperability with legacy filter drivers. While the system is running, a minifilter driver can be loaded through a service start request (sc start, net start, or the service APIs), or through an explicit load request (fltmc load, FltLoadFilter, orFilterLoad).

A minifilter driver's DriverEntry routine is called when the minifilter driver is loaded, so the minifilter driver can perform initialization that will apply to all instances of the minifilter driver. Within its DriverEntry routine, the minifilter driver calls FltRegisterFilter to register callback routines with the filter manager and FltStartFiltering to notify the filter manager that the minifilter driver is ready to start attaching to volumes and filtering I/O requests.

Minifilter driver instances are defined in the INF file used to install the minifilter driver. A minifilter driver's INF file must define a default instance, and it can define additional instances. These definitions apply across all volumes. Each instance definition includes the instance name, its altitude, and flags that indicate whether the instance can be attached automatically, manually, or both. The default instance is used to order minifilter drivers so that the filter manager calls the minifilter driver's mount and instance setup callback routines in the correct order. The default instance is also used with explicit attachment requests when the caller doesn't specify an instance name.

Excerpts:

1. CreateService() API loads FilterDriver …. It’s equivalent of FilterLoad() API
2. StartService() API calls DriverEntry() API
3. StopService() API calls the DriverUnloadCallback() registered with FltRegisterFilter() API … This is not a real DriverUnload ; it’s kind of stopping the driver to work !
4. DeleteService() API calls the FilterUnload() API & which really unloads the driver.

i.e

FilterLoad() => CreateService() + StartService()

FilterUnload() => DeleteService()

StartService() => DriverEntry()

ref:

An Introduction To Writing TDI Filter Drivers - http://www.iseclab.org/papers/Writing_TDI_Drivers.pdf

Sample TDI Driver Firewall Opensource code - http://sourceforge.net/projects/tdifw/

File System Filter Driver - http://msdn.microsoft.com/en-us/windows/hardware/gg462968

FileSystem Mini Filter Drivers - http://msdn.microsoft.com/en-us/library/ff540402(v=vs.85).aspx

FileSystem Mini Filter Driver development Guide - http://download.microsoft.com/download/e/b/a/eba1050f-a31d-436b-9281-92cdfeae4b45/filterdriverdeveloperguide.doc

Developing FileSystem Mini filter drivers - http://www.osr.com/filters.pdf

Filter Driver Development Kit - http://www.osr.com/fddk.html

Mini Filter Driver sample code - http://read.pudn.com/downloads120/sourcecode/windows/vxd/512106/miniFilter/miniFilter/MetadataManager/operations.c__.htm

Filter Driver Sample code - https://projects.honeynet.org/svn/capture-hpc/capture-hpc/tags/2.5/capture-client/KernelDrivers/CaptureKernelDrivers/FileMonitor/CaptureFileMonitor.c

Mini Filter Loading & Unloading - http://msdn.microsoft.com/en-us/library/ff549684(v=vs.85).aspx

Loading & Unloading TDI Device drivers - http://www.codeproject.com/KB/system/tdriver.aspx

Writing a FileSystem Filter Driver (VC++ sample code) - http://www.codeproject.com/KB/system/fs-filter-driver-tutorial.aspx?msg=3369734&display=Mobile

Loading & Unloading TDI Device drivers - http://www.codeproject.com/KB/system/tdriver.aspx

FileSystem Mini Filter driver (which makes use of IFS kit) - http://www.microsoft.com/whdc/DevTools/IFSKit/IFSKit_About.mspx

IFSK sample code - http://msdn.microsoft.com/en-us/library/ff548099(v=VS.85).aspx

Filter Driver - http://www.microsoft.com/whdc/driver/filterdrv/default.mspx

Handling file Rename - http://read.pudn.com/downloads126/ebook/535717/OSR_docs/Rename.pdf

IRP_MJ_SET_INFORMATION irp - http://ddk.h16.ru/index.php?BID=4&PID=490

File Screening Minifilter Driver - http://technet.microsoft.com/en-us/library/dd364850(WS.10).aspx

I/O System Filter Driver - http://www.calsoftlabs.com/whitepapers/filter-driver.html

File System Filter Driver Tutorial(CodeProject) - http://www.codeproject.com/KB/system/fs-filter-driver-tutorial.asp

Usermode to Kernel mode communication (Communication Ports) - http://msdn.microsoft.com/en-us/library/ff539277(v=vs.85).aspx

Kernel Sockets(TDI Driver) - http://msdn.microsoft.com/en-us/library/ff565094(v=vs.85).aspx

Windows Driver Kit Sample code - http://msdn.microsoft.com/en-us/library/ff554118(v=VS.85).aspx

Windows Driver Kit - http://msdn.microsoft.com/en-us/library/ff557573(v=VS.85).aspx