File System Filter Driver – Part 1

Recently, we have all heard about ransomware attacks threatening more and more people around the globe. The one that drew my attention most was WannaCry, which hit in May 2017 and made real news around the world.

Since then, my partner and I have been developing an Anti-Ransomware tool as an extra layer of protection for your PC. We examined a few different technologies and came to the conclusion that we should try to develop a File System Filter Driver.

Why did we settle on a driver?

  1. Drivers work in kernel mode, and a file system filter sits in the I/O path, so every file operation we register for passes through our code before it reaches the file system.
  2. A driver can identify the process behind an operation and terminate it.
  3. Drivers consume a small share of resources compared with other technologies.

First, before you dive in, I recommend reading a little over here and watching some of this video series on YouTube, especially the 11th and 12th videos.

By now, you probably understand the basics of how a File System Filter Driver works, the benefits of using one and, most importantly, how to use it.

So, how do we implement a simple Anti-Ransomware tool with a File System Filter Driver?

Our idea is to register a pre-operation callback for the write operation (IRP_MJ_WRITE). Each time a process tries to change the contents of a file, our callback takes the extension of the target file and compares it with the name of the process issuing the write. For each allowed program we keep a list of extensions; a write reaches the file system only when the process is allowed to touch that extension, and a write from a process that is not in the database is blocked and the process is shut down.

For example, if Word changes a .docx file, the driver lets the operation continue. But if any other program that is not in the database tries to change a .docx file, the write is blocked and the process is killed. Keep in mind that the process name is something the filter can look up, not something it can trust: malware can run under an allowed image name or inject into an allowed process, so the name check is a first layer rather than a hard boundary.
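The decision logic described above, as an added example that is not the original post's code. It is the portable core of the check (no WDK types), so it can be compiled and run on any machine; in the driver, the same functions would be fed the image path of the requestor process and the file name from the callback data. The policy table, the image names and the sample paths are constructed for the example. One design choice the post leaves open is what to do with an extension nobody in the database claims (temp files, logs); here such writes pass, because blocking them would kill almost every program on the machine, and only extensions that some allowed program lists are treated as protected.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* One allow-list entry: an image base name and the extensions it may write.
 * Constructed sample policy for this example; a real driver would get its
 * database from elsewhere (for instance a user-mode service). */
typedef struct {
    const wchar_t *process;            /* image base name, compared case-insensitively */
    const wchar_t *const *extensions;  /* NULL-terminated list, without the dot */
} policy_entry_t;

static const wchar_t *const word_exts[]  = { L"docx", L"doc", L"dotx", NULL };
static const wchar_t *const excel_exts[] = { L"xlsx", L"xls", L"csv", NULL };

static const policy_entry_t policy[] = {
    { L"WINWORD.EXE", word_exts },
    { L"EXCEL.EXE",   excel_exts },
};

/* Case-insensitive wide string equality (NTFS names are case-insensitive). */
static int wcs_ieq(const wchar_t *a, const wchar_t *b)
{
    for (; *a && *b; a++, b++)
        if (towlower((wint_t)*a) != towlower((wint_t)*b))
            return 0;
    return *a == *b;
}

/* Extension of the last path component, or NULL if it has none.
 * A dot inside a directory name ("C:\data.old\notes") must not count. */
const wchar_t *file_extension(const wchar_t *path)
{
    const wchar_t *name = wcsrchr(path, L'\\');
    name = name ? name + 1 : path;
    const wchar_t *dot = wcsrchr(name, L'.');
    if (dot == NULL || dot == name || dot[1] == L'\0')
        return NULL;                   /* ".hidden", "file." and "file" have no extension */
    return dot + 1;
}

/* Base name of a full image path, e.g. "...\WINWORD.EXE" -> "WINWORD.EXE". */
const wchar_t *image_base_name(const wchar_t *image_path)
{
    const wchar_t *slash = wcsrchr(image_path, L'\\');
    return slash ? slash + 1 : image_path;
}

static int list_contains(const wchar_t *const *list, const wchar_t *ext)
{
    for (; *list; list++)
        if (wcs_ieq(*list, ext))
            return 1;
    return 0;
}

/* Decide whether a write may reach the file system: 1 = allow, 0 = block.
 * An extension listed by any entry is protected; only processes that list it
 * may write such files. Unlisted extensions are not protected and pass. */
int write_allowed(const wchar_t *image_path, const wchar_t *file_path)
{
    const wchar_t *ext = file_extension(file_path);
    if (ext == NULL)
        return 1;                      /* no extension: nothing to protect */

    const wchar_t *proc = image_base_name(image_path);
    int protected_ext = 0;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (list_contains(policy[i].extensions, ext)) {
            protected_ext = 1;
            if (wcs_ieq(policy[i].process, proc))
                return 1;              /* this process owns the extension */
        }
    }
    return protected_ext ? 0 : 1;
}

int main(void)
{
    /* Constructed sample: Word writing a document, and an unknown binary doing the same. */
    wprintf(L"word  -> report.docx: %d\n",
            write_allowed(L"C:\\Program Files\\Microsoft Office\\WINWORD.EXE", L"C:\\Users\\bob\\report.docx"));
    wprintf(L"other -> report.docx: %d\n",
            write_allowed(L"C:\\Users\\bob\\Downloads\\invoice.exe", L"C:\\Users\\bob\\report.docx"));
    return 0;
}
```

In the driver, `write_allowed` returning 0 is where the callback would complete the request with an access-denied status and hand the process id to whatever terminates the process; the policy core itself stays testable in user mode.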

This is what the operation registration should look like (I also include the create pre- and post-operation callbacks, but you don't have to):

  const FLT_OPERATION_REGISTRATION Callbacks[] = {
      { IRP_MJ_CREATE, 0, CreatePreOperation, CreatePostOperation },
      { IRP_MJ_WRITE,  0, WritePreOperation,  NULL },
      { IRP_MJ_OPERATION_END }
  };

In the next part you will find a detailed description of how I get the extension and the process name out of the data structures and functions the WDK provides.
