The fastest way to transfer file contents from Kernel to user mode?

I will try to be brief but fully descriptive:

This is Windows-specific, using the Windows driver development kit (DDK).

This is the first time I am writing a kernel-mode driver (KMD); I have no prior kernel-mode experience. I am currently playing with the “scanner” mini-filter sample that ships with the DDK and extending it as practice. The “scanner” mini-filter is the skeleton of a generic “antivirus” scanner: it intercepts file create/close operations and scans the corresponding file for a “bad word” before allowing or denying the requested operation.

The ultimate goal is to have a user-mode application scan the file when it is opened, so the mini-filter can decide whether to allow the operation, without noticeably slowing down the process or the user who is trying to open the file. I also want to rescan the entire file on a save attempt, to decide whether to allow or block the save. The mini-filter sample shows the basics of how to intercept these calls, but it is rather thin on the “scanning” part.

I am looking at extending the sample to scan the entire opened file (for example, to compute a hash) rather than just the first 1k (the sample's limit). I modified the sample to read the entire file and send it up using the same mechanisms as the original sample. It uses FltReadFile to read the file in the KMD and FltSendMessage to send the buffer to the user-mode component. The user-mode application uses GetQueuedCompletionStatus to pick up notifications from the KMD and process the buffers.

[The remainder of the question was lost in translation; only the fragments “/ ++ (fstream)”, “4-8” and “++” survive, followed by a closing question.]

+3
1

[Answer text largely lost in translation; only these fragments survive:]

  • DeviceIoControl METHOD_OUT_DIRECT.
  • ( 32- ).
+4
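The answer's first suggestion, worked through as an added example that is not code from the question or the answer: a host-side model in C of a METHOD_OUT_DIRECT IOCTL through which the user-mode scanner pulls the file in chunks, as an alternative to the FltSendMessage/GetQueuedCompletionStatus path the question describes. The driver-side function mirrors what an IRP_MJ_DEVICE_CONTROL handler does once it has the MDL-mapped output buffer (MmGetSystemAddressForMdlSafe on Irp->MdlAddress), and the service-side loop mirrors the sequence of DeviceIoControl calls. The IOCTL name IOCTL_SCANNER_READ_CHUNK, the SCANNER_READ_IN request structure, the device name \\.\Scanner and the file contents are assumptions for illustration. The part under _WIN32 is the real user-mode call; elsewhere it is skipped so the model builds and runs on any host.

```c
/* Added example, not code from the question or the answer: host-side model of a
 * METHOD_OUT_DIRECT IOCTL used by a user-mode scanner to pull file bytes.
 * Assumed names: IOCTL_SCANNER_READ_CHUNK, SCANNER_READ_IN, \\.\Scanner, kFile. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>   /* real CTL_CODE, METHOD_*, DeviceIoControl via winioctl.h */
#else
/* Same encoding as winioctl.h/ntddk.h: DeviceType:16 | Access:2 | Function:12 | Method:2 */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) | \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))
#define METHOD_BUFFERED     0   /* payload goes through a system buffer: two copies */
#define METHOD_OUT_DIRECT   2   /* caller's pages pinned by an MDL; driver writes them directly */
#define FILE_ANY_ACCESS     0
#define FILE_DEVICE_UNKNOWN 0x22
#define METHOD_FROM_CTL_CODE(c) ((uint32_t)(c) & 3u)
#endif

/* Function codes below 0x800 are reserved by Microsoft. */
#define IOCTL_SCANNER_READ_CHUNK \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)

typedef struct { uint64_t offset; } SCANNER_READ_IN;   /* small input, stays buffered */
enum { ST_SUCCESS = 0, ST_INVALID_DEVICE_REQUEST, ST_BUFFER_TOO_SMALL, ST_END_OF_FILE };

/* Constructed stand-in for the file the minifilter would read with FltReadFile. */
static const uint8_t kFile[] = "MZ... harmless text ... the bad word lives near the end";
#define kFileLen (sizeof(kFile) - 1)

/* Driver side. In a real IRP_MJ_DEVICE_CONTROL handler `out` is
 * MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority) (NULL under
 * memory pressure, so it must be checked), `out_len` is
 * IrpSp->Parameters.DeviceIoControl.OutputBufferLength and `in` is
 * Irp->AssociatedIrp.SystemBuffer. The payload is written once, into the
 * service's own pages, with no intermediate message buffer. */
static int driver_dispatch(uint32_t code, const void *in, size_t in_len,
                           void *out, size_t out_len, size_t *written)
{
    *written = 0;
    if (code != IOCTL_SCANNER_READ_CHUNK || METHOD_FROM_CTL_CODE(code) != METHOD_OUT_DIRECT)
        return ST_INVALID_DEVICE_REQUEST;
    if (in == NULL || in_len < sizeof(SCANNER_READ_IN))
        return ST_BUFFER_TOO_SMALL;        /* never read past the input buffer */
    if (out == NULL || out_len == 0)
        return ST_BUFFER_TOO_SMALL;        /* MdlAddress is NULL for a zero-length buffer */
    uint64_t off = ((const SCANNER_READ_IN *)in)->offset;   /* user-controlled: bounds-check */
    if (off >= kFileLen)
        return ST_END_OF_FILE;
    size_t n = kFileLen - (size_t)off;
    if (n > out_len)
        n = out_len;                       /* never write past OutputBufferLength */
    memcpy(out, kFile + off, n);
    *written = n;                          /* becomes Irp->IoStatus.Information */
    return ST_SUCCESS;
}

/* Service side: pull the whole file in chunks of at most `chunk` bytes. */
static size_t service_fetch_file(uint8_t *dst, size_t cap, size_t chunk)
{
    size_t total = 0, got;
    SCANNER_READ_IN req;
    while (total < cap) {
        size_t want = cap - total < chunk ? cap - total : chunk;
        req.offset = total;
        if (driver_dispatch(IOCTL_SCANNER_READ_CHUNK, &req, sizeof req,
                            dst + total, want, &got) != ST_SUCCESS || got == 0)
            break;
        total += got;
    }
    return total;
}

/* 1 if the bytes fetched in `chunk`-sized pieces equal the driver's file, else 0. */
static int roundtrip_ok(size_t chunk)
{
    uint8_t buf[256];
    size_t n = service_fetch_file(buf, sizeof buf, chunk);
    return n == kFileLen && memcmp(buf, kFile, n) == 0;
}

/* Probe the dispatcher with a single request and return its status. */
static int probe(uint32_t code, uint64_t off, size_t out_len)
{
    uint8_t out[64]; size_t got; SCANNER_READ_IN req = { off };
    return driver_dispatch(code, &req, sizeof req, out,
                           out_len > sizeof out ? sizeof out : out_len, &got);
}

#ifdef _WIN32
/* The real user-mode call for one chunk; the handle comes from CreateFile on the
 * assumed device name \\.\Scanner. The output buffer is handed over by address. */
static BOOL win_fetch_chunk(HANDLE dev, uint64_t off, void *out, DWORD cap, DWORD *got)
{
    SCANNER_READ_IN req = { off };
    return DeviceIoControl(dev, IOCTL_SCANNER_READ_CHUNK, &req, sizeof req, out, cap, got, NULL);
}
#endif

int main(void)
{
    printf("IOCTL=0x%08x method=%u roundtrip=%d\n", (unsigned)IOCTL_SCANNER_READ_CHUNK,
           (unsigned)METHOD_FROM_CTL_CODE(IOCTL_SCANNER_READ_CHUNK), roundtrip_ok(7));
    return 0;
}
```

The two checks in driver_dispatch are the part that matters in a real driver: both the requested offset and OutputBufferLength are chosen by the user-mode caller, so the copy length must be clamped to both the file size and the buffer the MDL actually describes, and a NULL from MmGetSystemAddressForMdlSafe must fail the request rather than be dereferenced. With METHOD_OUT_DIRECT the file bytes land in the service's pages in one copy; the FltSendMessage path in the question first fills a kernel message buffer and then has the filter manager copy it to the FilterGetMessage buffer.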

Source: https://habr.com/ru/post/1733065/
