Rust Minifilter POC

A simple minifilter that informs about currently open files in Rust

Also see fsfilter-rs that has minifilter interacting with userspace Rust application

Prerequisites

• Rust
• Microsoft Visual Studio
• Windows SDK
• Windows Driver Kit
• LLVM and Clang (for bindgen)
• Cargo Make

It is best if you follow Codentium - Windows Drivers in Rust: Prerequisites.

You can set up a VM for testing by following DEBUG.

Building

From inside windows-rust-minifilter, run:

cargo make --profile production all

Note: You might need to run cargo clean before rebuilding again.

Loading and Running

You can use OsrLoader to load the Minifilter (Ideally I should make an .inf file but lazy thimes)

• Set type to minifilter
• Load Group to FSFilter Activity Monitor
• Altitude to 37777

You should be able to see the list of open files in the Debugger (You will need to remove comments in G_CALLBACKS global array).

You can also communicate with user space application by using windows-rust-application.

References

• apriorit
• Windows Drivers in Rust