subconsciouscompute / poc-windows-rust-filter Goto Github PK

View Code? Open in Web Editor NEW

39.0 2.0 5.0 5.86 MB

Windows Minifilter Driver in pure Rust

License: MIT License

Rust 95.05% C 4.95%

ffi ffi-bindings filesystem kernel minifilter minifilter-driver rust windows

poc-windows-rust-filter's Introduction

Rust Minifilter POC

A simple minifilter that informs about currently open files in Rust

Also see fsfilter-rs that has minifilter interacting with userspace Rust application

Prerequisites

It is best if you follow Codentium - Windows Drivers in Rust: Prerequisites.

You can set up a VM for testing by following DEBUG.

Building

From inside windows-rust-minifilter, run:

cargo make --profile production all

Note: You might need to run cargo clean before rebuilding again.

Loading and Running

You can use OsrLoader to load the Minifilter (Ideally I should make an .inf file but lazy thimes)

Set type to minifilter
Load Group to FSFilter Activity Monitor
Altitude to 37777

You should be able to see the list of open files in the Debugger (You will need to remove comments in G_CALLBACKS global array).

You can also communicate with user space application by using windows-rust-application.

References

poc-windows-rust-filter's People

Contributors

Stargazers

Watchers

Forkers

sn99 gmh5225 not4rt undead34 kryptopass

poc-windows-rust-filter's Issues

Missing license

Can we have this clearly licensed under MIT so it can be utilized when contributing to https://github.com/microsoft/Windows-rust-driver-samples ?

PS D:\code\rust\poc-windows-rust-filter\windows-rust-minifilter> cargo make --profile production all
[cargo-make] INFO - cargo make 0.36.12
[cargo-make] INFO - Calling cargo metadata to extract project info
[cargo-make] INFO - Cargo metadata done
[cargo-make] INFO - Project: driver
[cargo-make] INFO - Build File: Makefile.toml
[cargo-make] INFO - Task: all
[cargo-make] INFO - Profile: production
[cargo-make] INFO - Running Task: legacy-migration
[cargo-make] INFO - Running Task: build-driver

D:\code\rust\poc-windows-rust-filter\windows-rust-minifilter>cd "D:\code\rust\poc-windows-rust-filter\windows-rust-minifilter"

D:\code\rust\poc-windows-rust-filter\windows-rust-minifilter>cargo b --release
warning: profiles for the non root package will be ignored, specify profiles at the workspace root:
package: D:\code\rust\poc-windows-rust-filter\windows-rust-minifilter\Cargo.toml
workspace: D:\code\rust\poc-windows-rust-filter\Cargo.toml
warning: some crates are on edition 2021 which defaults to resolver = "2", but virtual workspaces default to resolver = "1"
note: to keep the current resolver, specify workspace.resolver = "1" in the workspace root's manifest
note: to use the edition 2021 resolver, specify workspace.resolver = "2" in the workspace root's manifest
Compiling proc-macro2 v1.0.66
Compiling unicode-ident v1.0.11
Compiling winapi v0.3.9
Compiling libc v0.2.147
Compiling windows_x86_64_msvc v0.48.0
Compiling glob v0.3.1
Compiling memchr v2.5.0
Compiling thiserror v1.0.44
Compiling clang-sys v1.6.1
Compiling cfg-if v1.0.0
Compiling prettyplease v0.2.12
Compiling quote v1.0.32
Compiling syn v2.0.28
Compiling minimal-lexical v0.2.1
Compiling regex-syntax v0.7.4
Compiling windows-targets v0.48.1
Compiling nom v7.1.3
Compiling either v1.9.0
Compiling bindgen v0.66.1
Compiling once_cell v1.18.0
Compiling which v4.4.0
Compiling windows-sys v0.48.0
Compiling libloading v0.7.4
Compiling lazy_static v1.4.0
Compiling peeking_take_while v0.1.2
Compiling bitflags v2.3.3
Compiling shlex v1.1.0
Compiling regex-automata v0.3.4
Compiling cexpr v0.6.0
Compiling log v0.4.19
Compiling regex v1.9.1
Compiling rustc-hash v1.1.0
Compiling lazycell v1.3.0
Compiling cc v1.0.80
Compiling winreg v0.50.0
Compiling cty v0.2.2
Compiling winreg v0.11.0
Compiling thiserror-impl v1.0.44
Compiling driver v0.1.0 (D:\code\rust\poc-windows-rust-filter\windows-rust-minifilter)
Compiling windows-kernel-sys v0.1.0 (D:\code\rust\poc-windows-rust-filter\windows-kernel-sys)
error: failed to run custom build command for windows-kernel-sys v0.1.0 (D:\code\rust\poc-windows-rust-filter\windows-kernel-sys)
note: To improve backtraces for build dependencies, set the CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG=true environment variable to enable debug information generation.

Caused by:
process didn't exit successfully: D:\code\rust\poc-windows-rust-filter\target\release\build\windows-kernel-sys-d32074abc06a091f\build-script-build (exit code: 101)
--- stdout
cargo:rerun-if-changed=src/wrapper.h
cargo:rerun-if-env-changed=TARGET
cargo:rerun-if-env-changed=BINDGEN_EXTRA_CLANG_ARGS_x86_64-pc-windows-msvc
cargo:rerun-if-env-changed=BINDGEN_EXTRA_CLANG_ARGS_x86_64_pc_windows_msvc
cargo:rerun-if-env-changed=BINDGEN_EXTRA_CLANG_ARGS

--- stderr
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/ntifs.h:25:2: error: Compiler version not supported by Windows DDK
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/ntddk.h:28:2: error: Compiler version not supported by Windows DDK
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:38:2: error: Compiler version not supported by Windows DDK
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:75:16: warning: declaration of 'struct _ACCESS_STATE' will not be visible outside of this function [-Wvisibility]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:75:1: error: invalid storage class specifier in function declarator
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:75:31: error: parameter named 'PACCESS_STATE' is missing
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:76:16: warning: declaration of 'struct _CALLBACK_OBJECT' will not be visible outside of this function [-Wvisibility]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:76:1: error: invalid storage class specifier in function declarator
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:76:34: error: parameter named 'PCALLBACK_OBJECT' is missing
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:81:16: warning: declaration of 'struct _KPROCESS' will not be visible outside of this function [-Wvisibility]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:81:1: error: invalid storage class specifier in function declarator
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:81:27: error: parameter named 'PEPROCESS' is missing
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:82:16: warning: declaration of 'struct _KTHREAD' will not be visible outside of this function [-Wvisibility]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:82:1: error: invalid storage class specifier in function declarator
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:82:26: error: parameter named 'PETHREAD' is missing
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:87:16: warning: declaration of 'struct _IO_TIMER' will not be visible outside of this function [-Wvisibility]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:87:1: error: invalid storage class specifier in function declarator
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:87:27: error: parameter named 'PIO_TIMER' is missing
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:88:16: warning: declaration of 'struct _KINTERRUPT' will not be visible outside of this function [-Wvisibility]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:88:1: error: invalid storage class specifier in function declarator
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:88:29: error: parameter named 'PKINTERRUPT' is missing
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:89:1: error: invalid storage class specifier in function declarator
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:89:26: error: parameter named 'PKTHREAD' is missing
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:89:37: error: parameter named 'PRKTHREAD' is missing
C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:90:1: error: invalid storage class specifier in function declarator
fatal error: too many errors emitted, stopping now [-ferror-limit=]
clang diag: C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:75:16: warning: declaration of 'struct _ACCESS_STATE' will not be visible outside of this function [-Wvisibility]
clang diag: C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:76:16: warning: declaration of 'struct _CALLBACK_OBJECT' will not be visible outside of this function [-Wvisibilit
y]
clang diag: C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:81:16: warning: declaration of 'struct _KPROCESS' will not be visible outside of this function [-Wvisibility]
clang diag: C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:82:16: warning: declaration of 'struct _KTHREAD' will not be visible outside of this function [-Wvisibility]
clang diag: C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:87:16: warning: declaration of 'struct _IO_TIMER' will not be visible outside of this function [-Wvisibility]
clang diag: C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:88:16: warning: declaration of 'struct _KINTERRUPT' will not be visible outside of this function [-Wvisibility]
thread 'main' panicked at 'called Result::unwrap() on an Err value: ClangDiagnostic("C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/ntifs.h:25:2: error: Compiler version
not supported by Windows DDK\nC:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/ntddk.h:28:2: error: Compiler version not supported by Windows DDK\nC:\Program Files (x86)\Wind
ows Kits\10\Include\10.0.22621.0\km/wdm.h:38:2: error: Compiler version not supported by Windows DDK\nC:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:75:1: error: inv
alid storage class specifier in function declarator\nC:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:75:31: error: parameter named 'PACCESS_STATE' is missing\nC:\Program
Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:76:1: error: invalid storage class specifier in function declarator\nC:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0
\km/wdm.h:76:34: error: parameter named 'PCALLBACK_OBJECT' is missing\nC:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:81:1: error: invalid storage class specifier in fu
nction declarator\nC:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:81:27: error: parameter named 'PEPROCESS' is missing\nC:\Program Files (x86)\Windows Kits\10\Includ
e\10.0.22621.0\km/wdm.h:82:1: error: invalid storage class specifier in function declarator\nC:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:82:26: error: parameter nam
ed 'PETHREAD' is missing\nC:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:87:1: error: invalid storage class specifier in function declarator\nC:\Program Files (x86)\Wi
ndows Kits\10\Include\10.0.22621.0\km/wdm.h:87:27: error: parameter named 'PIO_TIMER' is missing\nC:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:88:1: error: invalid
storage class specifier in function declarator\nC:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:88:29: error: parameter named 'PKINTERRUPT' is missing\nC:\Program Files
(x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:89:1: error: invalid storage class specifier in function declarator\nC:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/w
dm.h:89:26: error: parameter named 'PKTHREAD' is missing\nC:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:89:37: error: parameter named 'PRKTHREAD' is missing\nC:\Progra
m Files (x86)\Windows Kits\10\Include\10.0.22621.0\km/wdm.h:90:1: error: invalid storage class specifier in function declarator\nfatal error: too many errors emitted, stopping now [-ferror-lim
it=]\n")', windows-kernel-sys\build.rs:83:10
stack backtrace:
0: 0x7ff7ea70232c - std::sys_common::backtrace::_print::impl$0::fmt
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\sys_common\backtrace.rs:44
1: 0x7ff7ea72515b - core::fmt::rt::Argument::fmt
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\core\src\fmt\rt.rs:138
2: 0x7ff7ea72515b - core::fmt::write
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\core\src\fmt\mod.rs:1094
3: 0x7ff7ea6fcaa1 - std::io::Write::write_fmtstd::sys::windows::stdio::Stderr
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\io\mod.rs:1714
4: 0x7ff7ea7020db - std::sys_common::backtrace::_print
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\sys_common\backtrace.rs:47
5: 0x7ff7ea7020db - std::sys_common::backtrace::print
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\sys_common\backtrace.rs:34
6: 0x7ff7ea704ec3 - std::panicking::panic_hook_with_disk_dump::closure$1
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\panicking.rs:278
7: 0x7ff7ea704a6a - std::panicking::panic_hook_with_disk_dump
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\panicking.rs:312
8: 0x7ff7ea705640 - std::panicking::default_hook
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\panicking.rs:239
9: 0x7ff7ea705640 - std::panicking::rust_panic_with_hook
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\panicking.rs:729
10: 0x7ff7ea70552d - std::panicking::begin_panic_handler::closure$0
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\panicking.rs:621
11: 0x7ff7ea702f79 - std::sys_common::backtrace::__rust_end_short_backtracestd::panicking::begin_panic_handler::closure_env$0,never$
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\sys_common\backtrace.rs:151
12: 0x7ff7ea705230 - std::panicking::begin_panic_handler
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\panicking.rs:617
13: 0x7ff7ea72e7c5 - core::panicking::panic_fmt
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\core\src\panicking.rs:67
14: 0x7ff7ea72ec73 - core::result::unwrap_failed
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\core\src\result.rs:1651
15: 0x7ff7ea1831ba - std::rt::lang_start::hd46972787ff3f5a4
16: 0x7ff7ea186101 - std::rt::lang_start::hd46972787ff3f5a4
17: 0x7ff7ea186f39 - std::rt::lang_start::hd46972787ff3f5a4
18: 0x7ff7ea181cd6 - std::rt::lang_start::hd46972787ff3f5a4
19: 0x7ff7ea181469 - __ImageBase
20: 0x7ff7ea1819dc - std::rt::lang_start::hd46972787ff3f5a4
21: 0x7ff7ea6f6338 - std::rt::lang_start_internal::closure$2
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\rt.rs:148
22: 0x7ff7ea6f6338 - std::panicking::try::do_call
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\panicking.rs:524
23: 0x7ff7ea6f6338 - std::panicking::try
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\panicking.rs:488
24: 0x7ff7ea6f6338 - std::panic::catch_unwind
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\panic.rs:142
25: 0x7ff7ea6f6338 - std::rt::lang_start_internal
at /rustc/1d56e3a6d943062e41165bf07fea5ea8324ae011/library\std\src\rt.rs:148
26: 0x7ff7ea1819b7 - std::rt::lang_start::hd46972787ff3f5a4
27: 0x7ff7ea187009 - main
28: 0x7ff7ea72bf10 - invoke_main
at D:\a_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
29: 0x7ff7ea72bf10 - __scrt_common_main_seh
at D:\a_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
30: 0x7ffa5ee47614 - BaseThreadInitThunk
31: 0x7ffa5fc826b1 - RtlUserThreadStart
[cargo-make] ERROR - Error while executing command, exit code: 101
[cargo-make] WARN - Build Failed.
PS D:\code\rust\poc-windows-rust-filter\windows-rust-minifilter>

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.