Windows Filter Drivers

Course Description

Windows is the desktop operating system that offers third-party drivers the most filtering and interception capabilities, through documented, exposed, and supported interfaces. Everything from thread creation to file access, network I/O, and even Remote Desktop connections and wireless LAN SSID changes can be monitored by a properly written Windows driver, without resorting to hooking, patching, or other dangerous behaviors that leave machines in unsafe states or interact badly with Windows Defender and PatchGuard/HyperGuard, up to and including blue screens of death.

In this course, attendees will learn how to write such a driver, starting with a thorough overview of the Windows driver programming model as it applies to virtual devices (loadable kernel modules), rather than the traditional Plug-and-Play driver stack that most other references attempt to teach. Attendees will learn the correct SAL 2.0 annotations and settings for static driver verification; the right prototypes, #pragmas, #includes, and #defines for a standard Windows driver; the creation and installation of an .inf file; and how to leverage kernel technologies such as WPP, PCW, ETW, and TraceLogging, and tools such as TraceView and Driver Verifier. Kernel-mode debugging with the Windows Kernel Debugger, Visual Studio 2015, and the KDNET library will also be covered.

Once these basic concepts have sunk in, the course proceeds with theoretical and practical examples of how to implement monitoring (detect-only) policies, blocking policies, and deception policies by leveraging Windows filtering technologies at the thread, process, registry, library, driver, file, and network layers. Additional monitoring and filtering capabilities will also be discussed, along with their potential applications. Windows 8+ ELAM drivers and Windows 8.1 Secure Image Validation callback filter drivers will also be covered. Finally, we will take a look at new Windows 10 filtering technologies, such as Secure ETW Callbacks and the Anti-Malware Scan Interface (AMSI).

Course Outline

  • Basics of Windows Kernel Development
  • Advanced Windows Technologies
  • Simple Filters
  • Advanced Filters
  • Filtering Techniques
  • Practical Filtering Applications
  • Beyond Filtering

In-Depth Topics

Kernel Verification

SAL 2 (ORCA)/OACR/PREfast for Drivers (PFD), Driver Verifier, Static Driver Verifier

Kernel Development

Annotations & Code Style, Code Placement Pragmas, Headers & Macros, Tracing and Performance, Kernel Debugging

Kernel Modules

DriverEntry & DriverUnload, DeviceOpen & DeviceClose, DeviceControl, IOCTL and IRP communications

Simple Filters

Process Filtering, Thread Filtering, Load Image Filtering

Altitude Filters

Object Filtering, Registry Filtering (and its Extensions)

Complex Filters

File System Minifilters, Windows Filtering Platform Filters, NDIS Lightweight Filters

Beyond Filters

Early Launch Anti-Malware (ELAM) Callbacks, Image Validation Callbacks, Secure ETW Channel, Anti-Malware Scan Interface (AMSI), Session Callbacks, PnP and Power Notifications, WDM Filtering

Filtering Techniques

Contexts, Cross-filter communication, Dealing with Recursion

Filtering Applications

Protecting a Process, Blocking a Process, Registry Deception, File Redirection