Is it possible to remove a file protected by a file system filter driver?

EP_X0FF
Global Moderator
Posts: 4790
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Is it possible to remove a file protected by a file system filter driver?

Post by EP_X0FF » Fri May 04, 2018 3:40 am

Ring0 - the source of inspiration

Li Yong
Posts: 32
Joined: Sun Feb 18, 2018 9:49 pm

Re: Is it possible to remove a file protected by a file system filter driver?

Post by Li Yong » Tue May 08, 2018 9:43 pm

EP_X0FF, thank you for the reference link.

The text below (about IRP hooks) also confirms Vrtule's suggestion (see the part that explains how to bypass), since FSDs use IRP hooks to prevent deletion of their files by some anti-rootkit tool :D

IRP Major Function Hook

Description
The driver object of each driver contains a table of 28 function pointers. These pointers are called by other drivers via IoCallDriver or alternative means, and they correspond to operations such as read/write (IRP_MJ_READ/IRP_MJ_WRITE). These pointers can easily be replaced by another driver.

Detection
Generally all IRP major function pointers for a driver should point to code within the driver's address space. This is not always the case, but it is a good start to identifying malicious drivers which have redirected the IRP major functions of legitimate drivers to their own code.

Bypass
Because IRP major function pointers are initialized from within the driver entry point (at runtime), it's not really possible to get the original values by reading the original driver from disk, and there are also issues with loading a new copy of the driver due to collisions. The only way I can think of for bypassing these sorts of hooks would be calling the lower driver (drivers are generally stacked and the top driver passes the data to the driver below and so on; if the lowest driver isn't hooked, an application could just send the request directly to the lowest driver).

Source: Ring3 / Ring0 Rootkit Hook Detection 2/2
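The detection heuristic from the quoted text ("all IRP major function pointers should point into the driver's own image"), as an added C example that is not part of this post or of the quoted article: a user-mode model over constructed addresses that flags MajorFunction entries pointing neither into the driver image nor into the kernel image (the kernel's own default handler occupies unused slots, which is why checking only the driver range over-reports). The struct layout, image ranges and addresses are constructed stand-ins, not a real DRIVER_OBJECT.

```c
#include <stdint.h>

#define IRP_MJ_MAXIMUM_FUNCTION 0x1b   /* WDK value: the table has 28 entries */
#define IRP_MJ_READ             0x03
#define IRP_MJ_WRITE            0x04
#define IRP_MJ_SET_INFORMATION  0x06   /* delete (FileDispositionInformation) arrives here */

/* Load range of an image: stand-in for DriverStart/DriverSize or a module entry. */
typedef struct { uint64_t base; uint64_t size; } image_range;

/* Stand-in for the DRIVER_OBJECT fields the heuristic needs. */
typedef struct {
    image_range image;
    uint64_t    MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} model_driver_object;

static int in_range(image_range r, uint64_t p) { return p >= r.base && p < r.base + r.size; }
/* Flags each dispatch entry that points neither into the driver's own image nor
 * into the kernel image (the kernel's default handler fills unused slots, so
 * "outside the driver" alone over-reports). Sets one bit per suspicious major
 * function in *mask and returns how many there are. */
unsigned scan_major_functions(const model_driver_object *d, image_range kernel, uint32_t *mask)
{
    unsigned hits = 0;
    *mask = 0;
    for (unsigned i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        if (!in_range(d->image, d->MajorFunction[i]) && !in_range(kernel, d->MajorFunction[i])) {
            *mask |= 1u << i;
            hits++;
        }
    }
    return hits;
}

/* Constructed sample: READ and SET_INFORMATION redirected to an address owned by
 * neither the driver nor the kernel; WRITE still points into the driver. */
uint32_t sample_mask(void)
{
    model_driver_object d = { { 0xFFFFF80010000000ull, 0x8000 }, { 0 } };
    image_range kernel = { 0xFFFFF80000000000ull, 0x1000000 };
    uint32_t mask;
    for (unsigned i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        d.MajorFunction[i] = kernel.base + 0x2000;            /* default handler */
    d.MajorFunction[IRP_MJ_WRITE] = d.image.base + 0x1200;    /* legitimate */
    d.MajorFunction[IRP_MJ_READ] = 0xFFFFF800A0001000ull;     /* hooked */
    d.MajorFunction[IRP_MJ_SET_INFORMATION] = 0xFFFFF800A0001000ull;
    scan_major_functions(&d, kernel, &mask);
    return mask;
}
```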

Li Yong
Posts: 32
Joined: Sun Feb 18, 2018 9:49 pm

Re: Is it possible to remove a file protected by a file system filter driver?

Post by Li Yong » Fri Jun 08, 2018 11:52 am

Vrtule, I tried to follow what you suggested, but without success; see my last question.
Why I cannot delete a file protected by an FSD filter/minifilter?

EP_X0FF
Global Moderator
Posts: 4790
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Is it possible to remove a file protected by a file system filter driver?

Post by EP_X0FF » Fri Jun 08, 2018 6:53 pm

You want me to close all your topics?

One more time -> RTFM.
Ring0 - the source of inspiration

Locked