Re: Is possible remove a file protected by a file system filter driver?
PostPosted:Fri May 04, 2018 3:40 am
EP_X0FF, thank you by link of reference.
This text below (about IRP hooks) also confirm the suggestion of Vrtule (see part where explains how bypass), already that FSD's use IRP hooks to prevent exclusion of yours files by some Anti Rootkit tool :D
IRP Major Function Hook
Description
The driver object of each driver contains a table of 28 function pointer, these pointer are to be called by other drivers via IoCallDriver or alternative means, the pointers correspond to operations such as read/write (IRP_MJ_READ/IRP_MJ_WRITE). These pointers can easily be replace by another driver.
Detection
Generally all IRP major function pointers for a driver should point to code within the driver’s address space, this is not always the case, but is a good start to identifying malicious drivers which have redirected the IRP major functions of legitimate drivers to their own code.
Bypass
Due to IRP major function pointers being initialized from withing the driver entry point (during runtime), it’s not really possible to get the original values by reading the original driver from disk, there are also issues with loading a new copy of the driver due to collisions. The only way I can think of for bypassing these sorts of hooks would be calling the lower driver (Drivers are generally stacked and the top driver passes the data to the driver below and so on, if the lowest driver isn’t hooked, an application could just send the request directly to the lowest driver).
Source: Ring3 / Ring0 Rootkit Hook Detection 2/2