apriorit · RuslanValiakhmetov · Dec 31, 2019 · May 4, 2020
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,5 @@
+**/.vs
+**/x64
+**/release
+**/debug
+*.user
diff --git a/readme.md b/readme.md
@@ -1,30 +1,30 @@
-# Windows File System Filter Driver Development Tutorial
+# Windows File System Filter and Minifilter Drivers Development Tutorial
 
 ## About
 
-A simple Windows file system filter driver solution, created mainly for the demonstration and further customization purposes.
+A simple Windows file system filter and minifilter drivers solution, created mainly for the demonstration and further customization purposes.
 
-The main purpose when you develop a file system filter driver is to change file system behavior. It is called at each I/O operation and provides possibility to additionally process its parameters and change its results (�filter� this request).
+The main purpose when you develop a file system filter or minifilter driver is to change file system behavior. It is called at each I/O operation and provides possibility to additionally process its parameters and change its results ("filter" this request).
 
-File system filter driver development is used for context-based permission management, configuration change management, access management, continuous backup solutions, anti-malware solutions and many other applications.
+File system filter or minifilter driver development is used for context-based permission management, configuration change management, access management, continuous backup solutions, anti-malware solutions and many other applications. But note that the minifilter driver is easier to develop, use, and maintain.
 
 Author: @SergiusTheBest
 
 ## Implementation
 
 The code is written in C++. You will also need WDK/IFS kit to build the solution.
-You can find a step-by-step file system filter driver tutorial with code samples as well as instructions on how to install/uninstall and start/stop this driver in the [detailed related article](https://www.apriorit.com/dev-blog/167-file-system-filter-driver).
+You can find a step-by-step file system filter and minifilter drivers tutorial with code samples as well as instructions on how to install/uninstall and start/stop this driver in the [detailed related article](https://www.apriorit.com/dev-blog/167-file-system-filter-driver).
 
 ## License
 
-Licensed under the MIT license. � Apriorit.
+Licensed under the MIT license. © Apriorit.
 
 ## How to build
 
-To build filter driver solution you need:
+To build file system drivers you need:
 - Visual Studio 2019 16.4 or higher (with all SDK available in additional features);
 - Windows 10 SDK 10.1.18362.1 or higher;
 - WDK 10.1.18362.1 or higher;
 - MSVC v142 C++ Spectre-Mitigation tools (via Visual Studio Installer -> Individual Components).
 
-After installing all the necessary tools open FsFilter.sln file and build FsFilter project.
+After installing all the necessary tools open FsFilter.sln file and build FsFilter solution.
diff --git a/src/FSFilter/FsFilter.vcxproj b/src/FSFilter/FsFilter.vcxproj
@@ -17,22 +17,6 @@
       <Configuration>Release</Configuration>
       <Platform>x64</Platform>
     </ProjectConfiguration>
-    <ProjectConfiguration Include="Debug|ARM">
-      <Configuration>Debug</Configuration>
-      <Platform>ARM</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|ARM">
-      <Configuration>Release</Configuration>
-      <Platform>ARM</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Debug|ARM64">
-      <Configuration>Debug</Configuration>
-      <Platform>ARM64</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|ARM64">
-      <Configuration>Release</Configuration>
-      <Platform>ARM64</Platform>
-    </ProjectConfiguration>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="FsFilter.rc" />
@@ -76,34 +60,6 @@
     <ConfigurationType>Driver</ConfigurationType>
     <DriverType>WDM</DriverType>
   </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
-    <TargetVersion>Windows10</TargetVersion>
-    <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
-    <ConfigurationType>Driver</ConfigurationType>
-    <DriverType>WDM</DriverType>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
-    <TargetVersion>Windows10</TargetVersion>
-    <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
-    <ConfigurationType>Driver</ConfigurationType>
-    <DriverType>WDM</DriverType>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
-    <TargetVersion>Windows10</TargetVersion>
-    <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
-    <ConfigurationType>Driver</ConfigurationType>
-    <DriverType>WDM</DriverType>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
-    <TargetVersion>Windows10</TargetVersion>
-    <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
-    <ConfigurationType>Driver</ConfigurationType>
-    <DriverType>WDM</DriverType>
-  </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
   </ImportGroup>
@@ -124,18 +80,6 @@
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
   </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
-    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
-    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
-    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
-    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
-  </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <Link>
       <AdditionalDependencies>fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
@@ -156,26 +100,6 @@
       <AdditionalDependencies>fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
-    <Link>
-      <AdditionalDependencies>fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
-    </Link>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
-    <Link>
-      <AdditionalDependencies>fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
-    </Link>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
-    <Link>
-      <AdditionalDependencies>fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
-    </Link>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
-    <Link>
-      <AdditionalDependencies>fltmgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
-    </Link>
-  </ItemDefinitionGroup>
   <ItemGroup>
     <FilesToPackage Include="$(TargetPath)" />
   </ItemGroup>

diff --git a/src/FsFilter.sln b/src/FsFilter.sln
@@ -3,44 +3,42 @@ Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 16
 VisualStudioVersion = 16.0.29519.181
 MinimumVisualStudioVersion = 10.0.40219.1
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FsFilter", "FsFilter\FsFilter.vcxproj", "{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}"
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FsFilter", "FSFilter\FsFilter.vcxproj", "{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FsMinifilter", "FsMinifilter\FsMinifilter.vcxproj", "{AB9EA1EB-D358-4FDE-B50B-6D0588EFACE3}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Debug|ARM = Debug|ARM
-		Debug|ARM64 = Debug|ARM64
 		Debug|x64 = Debug|x64
 		Debug|x86 = Debug|x86
-		Release|ARM = Release|ARM
-		Release|ARM64 = Release|ARM64
 		Release|x64 = Release|x64
 		Release|x86 = Release|x86
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Debug|ARM.ActiveCfg = Debug|ARM
-		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Debug|ARM.Build.0 = Debug|ARM
-		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Debug|ARM.Deploy.0 = Debug|ARM
-		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Debug|ARM64.ActiveCfg = Debug|ARM64
-		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Debug|ARM64.Build.0 = Debug|ARM64
-		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Debug|ARM64.Deploy.0 = Debug|ARM64
 		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Debug|x64.ActiveCfg = Debug|x64
 		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Debug|x64.Build.0 = Debug|x64
 		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Debug|x64.Deploy.0 = Debug|x64
 		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Debug|x86.ActiveCfg = Debug|Win32
 		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Debug|x86.Build.0 = Debug|Win32
 		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Debug|x86.Deploy.0 = Debug|Win32
-		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Release|ARM.ActiveCfg = Release|ARM
-		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Release|ARM.Build.0 = Release|ARM
-		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Release|ARM.Deploy.0 = Release|ARM
-		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Release|ARM64.ActiveCfg = Release|ARM64
-		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Release|ARM64.Build.0 = Release|ARM64
-		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Release|ARM64.Deploy.0 = Release|ARM64
 		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Release|x64.ActiveCfg = Release|x64
 		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Release|x64.Build.0 = Release|x64
 		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Release|x64.Deploy.0 = Release|x64
 		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Release|x86.ActiveCfg = Release|Win32
 		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Release|x86.Build.0 = Release|Win32
 		{140A7CB4-A057-4FEB-9C5A-838ED6C1B921}.Release|x86.Deploy.0 = Release|Win32
+		{AB9EA1EB-D358-4FDE-B50B-6D0588EFACE3}.Debug|x64.ActiveCfg = Debug|x64
+		{AB9EA1EB-D358-4FDE-B50B-6D0588EFACE3}.Debug|x64.Build.0 = Debug|x64
+		{AB9EA1EB-D358-4FDE-B50B-6D0588EFACE3}.Debug|x64.Deploy.0 = Debug|x64
+		{AB9EA1EB-D358-4FDE-B50B-6D0588EFACE3}.Debug|x86.ActiveCfg = Debug|Win32
+		{AB9EA1EB-D358-4FDE-B50B-6D0588EFACE3}.Debug|x86.Build.0 = Debug|Win32
+		{AB9EA1EB-D358-4FDE-B50B-6D0588EFACE3}.Debug|x86.Deploy.0 = Debug|Win32
+		{AB9EA1EB-D358-4FDE-B50B-6D0588EFACE3}.Release|x64.ActiveCfg = Release|x64
+		{AB9EA1EB-D358-4FDE-B50B-6D0588EFACE3}.Release|x64.Build.0 = Release|x64
+		{AB9EA1EB-D358-4FDE-B50B-6D0588EFACE3}.Release|x64.Deploy.0 = Release|x64
+		{AB9EA1EB-D358-4FDE-B50B-6D0588EFACE3}.Release|x86.ActiveCfg = Release|Win32
+		{AB9EA1EB-D358-4FDE-B50B-6D0588EFACE3}.Release|x86.Build.0 = Release|Win32
+		{AB9EA1EB-D358-4FDE-B50B-6D0588EFACE3}.Release|x86.Deploy.0 = Release|Win32
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

diff --git a/src/FsMinifilter/FsMinifilter.cpp b/src/FsMinifilter/FsMinifilter.cpp
@@ -0,0 +1,78 @@
+#include "FsMinifilter.h"
+
+//
+// Global minifilter handle
+//
+extern PFLT_FILTER g_minifilterHandle;
+
+NTSTATUS FLTAPI InstanceFilterUnloadCallback(_In_ FLT_FILTER_UNLOAD_FLAGS Flags)
+{
+    //
+    // This is called before a filter is unloaded.
+    // If a NULL is specified for this routine then the filter can never be unloaded.
+    //
+
+    UNREFERENCED_PARAMETER(Flags);
+
+    if (NULL != g_minifilterHandle)
+    {
+        FltUnregisterFilter(g_minifilterHandle);
+    }
+
+    return STATUS_SUCCESS;
+}
+
+NTSTATUS FLTAPI InstanceSetupCallback(
+    _In_ PCFLT_RELATED_OBJECTS  FltObjects,
+    _In_ FLT_INSTANCE_SETUP_FLAGS  Flags,
+    _In_ DEVICE_TYPE  VolumeDeviceType,
+    _In_ FLT_FILESYSTEM_TYPE  VolumeFilesystemType)
+{
+    //
+    // This is called to see if a filter would like to attach an instance to the given volume.
+    // If a NULL is specified for this routine, the attachment is always made.
+    //
+
+    UNREFERENCED_PARAMETER(FltObjects);
+    UNREFERENCED_PARAMETER(Flags);
+    UNREFERENCED_PARAMETER(VolumeDeviceType);
+    UNREFERENCED_PARAMETER(VolumeFilesystemType);
+
+    return STATUS_SUCCESS;
+}
+
+NTSTATUS FLTAPI InstanceQueryTeardownCallback(
+    _In_ PCFLT_RELATED_OBJECTS FltObjects,
+    _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
+)
+{
+    //
+    // This is called to see if the filter wants to detach from the given
+    // volume. This is only called for manual detach requests.
+    // If a NULL is specified for this routine, then instances can never be manually detached.
+    //
+
+    UNREFERENCED_PARAMETER(FltObjects);
+    UNREFERENCED_PARAMETER(Flags);
+
+    return STATUS_SUCCESS;
+}
+
+FLT_PREOP_CALLBACK_STATUS FLTAPI PreOperationCreate(
+    _Inout_ PFLT_CALLBACK_DATA Data,
+    _In_ PCFLT_RELATED_OBJECTS FltObjects,
+    _Flt_CompletionContext_Outptr_ PVOID* CompletionContext
+)
+{
+    //
+    // Pre-create callback to get file info during creation or opening
+    //
+
+    UNREFERENCED_PARAMETER(Data);
+    UNREFERENCED_PARAMETER(FltObjects);
+    UNREFERENCED_PARAMETER(CompletionContext);
+
+    DbgPrint("%wZ\n", &Data->Iopb->TargetFileObject->FileName);
+
+    return FLT_PREOP_SUCCESS_NO_CALLBACK;
+}
diff --git a/src/FsMinifilter/FsMinifilter.h b/src/FsMinifilter/FsMinifilter.h
@@ -0,0 +1,21 @@
+#pragma once
+#include <fltKernel.h>
+
+NTSTATUS FLTAPI InstanceFilterUnloadCallback(_In_ FLT_FILTER_UNLOAD_FLAGS Flags);
+
+NTSTATUS FLTAPI InstanceSetupCallback(
+    _In_ PCFLT_RELATED_OBJECTS  FltObjects,
+    _In_ FLT_INSTANCE_SETUP_FLAGS  Flags,
+    _In_ DEVICE_TYPE  VolumeDeviceType,
+    _In_ FLT_FILESYSTEM_TYPE  VolumeFilesystemType);
+
+NTSTATUS FLTAPI InstanceQueryTeardownCallback(
+    _In_ PCFLT_RELATED_OBJECTS FltObjects,
+    _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
+);
+
+FLT_PREOP_CALLBACK_STATUS FLTAPI PreOperationCreate(
+    _Inout_ PFLT_CALLBACK_DATA Data,
+    _In_ PCFLT_RELATED_OBJECTS FltObjects,
+    _Flt_CompletionContext_Outptr_ PVOID* CompletionContext
+);