fsfilter-rs

A rust library to monitor filesystem and more in windows.

MINIFILTER

See MINIFILTER.md for building the minifilter or just right click install using the .inf file provided in releases.

You can also build using EWDK if you don't want to install Visual Studio, SDK and WDK.

NOTE: By default it is built for Windows 10 and above.

NOTE: Enable Loading of Test Signed Drivers by executing Bcdedit.exe -set TESTSIGNING ON in administrative cmd.

RUNNING EXAMPLE

Use cargo run --bin minifilter --release to run the example application or just run the .exe provided in releases as administrator ( for some reason the new default terminal on 2H22 is very, very slow ).

The program starts to print the IOMessage which is defined like:

#[repr(C)]
pub struct IOMessage {
    pub extension: [wchar_t; 12],
    pub file_id_vsn: c_ulonglong,
    pub file_id_id: [u8; 16],
    pub mem_sized_used: c_ulonglong,
    pub entropy: f64,
    pub pid: c_ulong,
    pub irp_op: c_uchar,
    pub is_entropy_calc: u8,
    pub file_change: c_uchar,
    pub file_location_info: c_uchar,
    pub filepathstr: String,
    pub gid: c_ulonglong,
    pub runtime_features: RuntimeFeatures,
    pub file_size: i64,
}

We end the process using ctrl + c in the example video:

PERFORMANCE

The performance of the minifilter doesn't really exceed <1% of the CPU usage (I never saw it tickle even to 1% while running scripts to make multiple temporary files). Although depending on you console if you try running cargo run --bin minifilter --release you might see spikes reaching 1-3% but that is because of the console itself ( comment out the writeln! in the bin example) or try changing consoles (maybe run minifilter.exe directly).

LICENSE

This project is licensed under the terms of the MIT license.

ACKNOWLEDGEMENTS

• RansomWatch
• SitinCloud
• SubconsciousCompute