Contents
Introduction
This tutorial will show you how to develop a simple file system filter driver. The demo driver will print the names of opening files to the debug output.
The article requires basic Windows driver development and C/C++ knowledge. However, it may also be interesting to people without Windows driver development experience.
What is a file system filter driver?
A file system filter driver is called on every file system I/O operation (create, read, write, rename, and etc.), and thus it can modify the file system behavior. File system filter drivers are almost similar to legacy drivers, but they require some special steps to do. Such drivers are used by anti-viruses, security, backup, and snapshot software.
Creating a simple File System Filter Driver
Before starting
To build a driver, you need WDK or the IFS Kit. You can get them from Microsoft's website. Also, you have to set an environment variable %WINDDK% to the path where you have installed the WDK/IFS Kit.
Be careful: Even a small error in the driver may cause a BSOD or system instability.
Main.c
Driver entry
This is the entry point of any driver. The first thing that we do is to store DriverObject to a global variable (we will need it later).
////////////////////////////////////////////////////////
// Global data
PDRIVER_OBJECT g_fsFilterDriverObject = NULL;
////////////////////////////////////////////////////////
// DriverEntry - Entry point of the driver
NTSTATUS DriverEntry(
__inout PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
NTSTATUS status = STATUS_SUCCESS;
ULONG i = 0;
//ASSERT(FALSE); // This will break to debugger
//
// Store our driver object.
//
g_fsFilterDriverObject = DriverObject;
...
}
Read more: Codeproject