Kernel-level File System Filtering
Getting the client IP address and other SMB session parameters from a kernel-mode file system filter driver
The Apriorit team was in charge of an advanced cyber security project that included a kernel-level file system driver. Working at kernel level made a number of advanced features possible, but it also raised questions about how to implement them. This time the task was to improve the file activity monitoring feature by providing additional information about the user who accessed a file on a network share, and to implement rule-based control of network share access.
How should kernel-level file system filtering be organized for this? Requests from SMB clients reach the file system through the server driver rather than from the client's own process, so a filter cannot simply inspect the current process to learn who is behind a request. To answer the question, research into the internal Windows API was conducted.
For more details: Reverse Engineering Case: Kernel-level File System Filtering (PDF, 560 KB)
For an example of Apriorit's file system development experience, see the File system filter driver development tutorial.