Get IP and other SMB session parameters in kernel mode file system filter driver!
The Apriorit Team was in charge of an advanced cyber security project. A kernel-level driver that works with the file system was part of it. Working at kernel level opened the door to a number of advanced features, but it also raised questions about implementation approaches. This time, the task was to improve the file activity monitoring feature by providing additional information about the user who accessed a file on a network share, and to organize rule-based network share access.
How can kernel-level file system filtering be organized? Research into the internal Windows API was conducted.
For more details: Reverse Engineering Case: Kernel-level File System Filtering
(PDF, 560 KB)
Take a look at the Apriorit file system development experience example: File system filter driver development tutorial.