Skip to content
/ MinifilterHook Public

silence file system monitoring components by hooking their minifilters

51 stars 11 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

0mWindyBug/MinifilterHook

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

44 Commits
WdfltHook
WdfltHook
 
 
HowItWorks.pdf
HowItWorks.pdf
 
 
README.md
README.md
 
 
gitignore.txt
gitignore.txt
 
 

Repository files navigation

MinifilterHook

Silence file system monitoring components by hooking their minifilters

Tested on Windows 10 1903, 21H2 and 22H2 against WdFilter

POC can be easily modified to target other filter drivers -> simply change TARGET_FILTER_NAME and TARGET_FILTER_DRIVER

Usage:

Install .inf file -> right click + install or use SetupApi to install programtically

Load WdfltHook.sys -> via an unsigned driver loader like : https://github.com/0mWindyBug/KDP-compatible-driver-loader/tree/main

How it works

See "HowItWorks.pdf" (English) or https://www.digitalwhisper.co.il/files/Zines/0x9C/DW156-2-FilteringMinifilters.pdf (Hebrew)

Demo

Before loading our driver:

demo1

After loading our driver:

demp4

Notes

  • Thanks to @GetRektBoy724 for his contribution
  • We restore everything during unload so be aware
  • Similar implementation using only a r/w primitive from UM (no driver) has been published & integrated to https://github.com/wavestone-cdt/EDRSandblast

About

silence file system monitoring components by hooking their minifilters

Topics

windows kernel driver hooking minifilter edr-bypass

Resources

Readme
Activity

Stars

51 stars

Watchers

3 watching

Forks

11 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages