This repository contains a kernel-mode filter driver solution. The primary project in this workspace is EvtDrv, a minifilter-based kernel component that captures system events (process creation, exit and open, and remote thread creation are done; file, registry and network events are in progress or planned, see the table below), serializes them, and forwards them to a user-mode client over a filter communication port (FltSendMessage).
```mermaid
flowchart LR
Engines["Kernel Engines<br/>(Filter System, Callbacks, Other)"]
Events["Event objects<br/>(Event::FileOpenEvent, ...)"]
Queue["Worker::Queue<br/>(krn::queue)"]
WorkerN["Worker::Worker<br/>(kernel thread)"]
User["User-mode client<br/>(application)"]
Engines -->|produce events| Events
Events -->|enqueue| Queue
Queue -->|"dequeue & serialize"| WorkerN
WorkerN -->|"send via FltSendMessage"| User
classDef kernel fill:#fff7e6,stroke:#b36b00,stroke-width:1px;
class Engines,Events,Queue,WorkerN kernel;
```
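The pipeline above (callback produces an event, the event is queued, a worker drains the queue, serializes the batch and hands it to the client) can be sketched in host-buildable C. The following is an added example written for this README, not EvtDrv's own code: the struct names, the length-prefixed wire format, the bounded queue and the single-allocation node-plus-event layout (one of the tasks listed below) are all assumptions. In the driver the push side would run under a spin lock at the callback's IRQL and the pop side in a system thread; here everything is single-threaded so it runs anywhere.

```c
// Added example, not EvtDrv code. Assumed names and wire format throughout.
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

typedef enum { EVT_PROCESS_CREATE = 1, EVT_FILE_OPEN = 2 } evt_type_t;

// Fixed header every serialized event starts with. The client reads `size`
// first so it can skip event kinds it does not understand.
typedef struct {
    uint32_t size;   // total bytes of this event, header included
    uint32_t type;   // evt_type_t
    uint64_t pid;
    uint64_t seq;    // monotonic; a gap tells the client events were dropped
} evt_header_t;

// Queue node and event payload in ONE allocation: the intrusive link, the
// header and the NUL-terminated UTF-8 payload live in the same block.
typedef struct evt_node {
    struct evt_node *next;
    evt_header_t hdr;
    char payload[];
} evt_node_t;

typedef struct {
    evt_node_t *head, *tail;
    size_t count, max_count, dropped;
    uint64_t next_seq;
} evt_queue_t;

void queue_init(evt_queue_t *q, size_t max_count) {
    memset(q, 0, sizeof *q);
    q->max_count = max_count;
}

// One allocation for node + event. Payload length is bounded because it
// usually comes from untrusted input (a path supplied by the process).
evt_node_t *event_alloc(evt_type_t type, uint64_t pid, const char *payload) {
    size_t plen = strlen(payload) + 1;
    if (plen > 4096) return NULL;
    evt_node_t *n = malloc(offsetof(evt_node_t, payload) + plen);
    if (!n) return NULL;
    n->next = NULL;
    n->hdr.size = (uint32_t)(sizeof(evt_header_t) + plen);
    n->hdr.type = (uint32_t)type;
    n->hdr.pid = pid;
    n->hdr.seq = 0;
    memcpy(n->payload, payload, plen);
    return n;
}

// Bounded push: a slow or absent client must not let the queue grow until
// the pool is exhausted, so excess events are counted and discarded.
int queue_push(evt_queue_t *q, evt_node_t *n) {
    if (!n) return 0;
    if (q->count >= q->max_count) { q->dropped++; free(n); return 0; }
    n->hdr.seq = q->next_seq++;
    if (q->tail) q->tail->next = n; else q->head = n;
    q->tail = n;
    q->count++;
    return 1;
}

// Batch pop: the worker takes the whole list in one step (one lock
// acquisition in the driver) instead of popping node by node.
evt_node_t *queue_pop_all(evt_queue_t *q) {
    evt_node_t *list = q->head;
    q->head = q->tail = NULL;
    q->count = 0;
    return list;
}

// Serialize a popped list into one contiguous buffer, as the worker would
// before a single FltSendMessage. Returns bytes written, 0 if it does not fit.
size_t serialize_list(const evt_node_t *list, uint8_t *out, size_t cap) {
    size_t off = 0;
    for (const evt_node_t *n = list; n; n = n->next) {
        if (off + n->hdr.size > cap) return 0;
        memcpy(out + off, &n->hdr, sizeof n->hdr);
        memcpy(out + off + sizeof n->hdr, n->payload, n->hdr.size - sizeof n->hdr);
        off += n->hdr.size;
    }
    return off;
}

void free_list(evt_node_t *list) {
    while (list) { evt_node_t *nx = list->next; free(list); list = nx; }
}

// Client side: walk the buffer by header sizes, checking every size against
// the bytes remaining BEFORE trusting it. Returns events parsed, or -1.
int parse_buffer(const uint8_t *buf, size_t len, uint64_t *last_seq) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        evt_header_t h;
        if (len - off < sizeof h) return -1;
        memcpy(&h, buf + off, sizeof h);
        if (h.size <= sizeof h || h.size > len - off) return -1;
        if (buf[off + h.size - 1] != '\0') return -1;   // payload must end in NUL
        *last_seq = h.seq;
        off += h.size;
        n++;
    }
    return n;
}

// Round trip over constructed sample events. Returns the number of events the
// client parsed (2 here: the third is dropped by the bound), or a negative code.
int demo_roundtrip(void) {
    evt_queue_t q;
    queue_init(&q, 2);
    queue_push(&q, event_alloc(EVT_PROCESS_CREATE, 1234, "C:\\Windows\\notepad.exe"));
    queue_push(&q, event_alloc(EVT_FILE_OPEN, 1234, "C:\\Users\\x\\a.txt"));
    queue_push(&q, event_alloc(EVT_FILE_OPEN, 1234, "dropped by bound"));
    if (q.dropped != 1) return -2;
    evt_node_t *list = queue_pop_all(&q);
    uint8_t buf[512];
    size_t n = serialize_list(list, buf, sizeof buf);
    free_list(list);
    if (n == 0) return -3;
    uint64_t seq = 0;
    int parsed = parse_buffer(buf, n, &seq);
    if (parsed == 2 && seq != 1) return -4;       // sequence numbers 0 and 1
    if (parse_buffer(buf, n - 1, &seq) != -1) return -5;  // truncation must fail
    return parsed;
}
```

The client-side parser is the part to get right first: the header's `size` is data written by the kernel but read across a trust boundary, so it is range-checked against the remaining buffer before any offset is derived from it, and a truncated message is rejected as a whole rather than partially consumed.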
| Event | Implementation Status | Fields | Note |
|---|---|---|---|
| File Creation | In Progress | | |
| File Modification | Not Started | | |
| File Deletion | Not Started | | |
| File Rename | Not Started | | |
| File Linking | Not Started | | |
| Registry Key Creation | Not Started | | |
| Registry Key Deletion | Not Started | | |
| Registry Value Creation | Not Started | | |
| Registry Value Deletion | Not Started | | |
| Registry Value Modification | Not Started | | |
| Process Creation | Done | | |
| Process Exit | Done | | |
| Process Open | Done | | |
| Process Exist | Done | | Gathers information on processes already running when the driver loads; these are missed by the Process Creation event. |
| Image Load | Not Started | | |
| Network Connection | In Progress | | |
| Remote Thread Creation | Done | | Pending: start function |
| Access Token Acquisition | Not Started | | |
| Task | Implementation Status | Note |
|---|---|---|
| Implement the queue event allocation function to merge the node and event structures into a single allocation, reducing allocation overhead | Not Started | |
| Allow batch pushing of multiple events to avoid redundant locking | Not Started | |
Build & test notes
- Requires Visual Studio + Windows Driver Kit (WDK).
- Build configurations are in the EvtDrv project files. Test in a VM with test-signing enabled.
Tested platforms
- Windows 11 (verified in a test VM)
For component-level diagrams and sequence flows see EvtDrv/readme.md.
- Implement authentication for user-mode clients connecting to the communication port (a restrictive security descriptor on the port plus validation of the connecting process in the connect callback), so that an arbitrary process cannot consume the event stream.
- Implement authentication for unloading the driver.
- Implement an event filtering mechanism (e.g., only send events for specific processes or file paths).
- Improve event data:
  - Remote thread: start function, thread parameters, etc.