Question

I have a couple of signatures and I want to build a File System Filter Driver which can check all possible operations with the signatures. If a match is found then the Filter Driver should drop the IRP packet completely.

Is it possible to do that?


Solution

Yes.

You're describing what just about every anti-virus package does. You'll need to brush up on your NT kernel-mode development chops, and get familiar with File System MiniFilters. You'll also want to start lurking on the OSR NTFSD listserv.

A filter driver cannot "drop an IRP completely". What it CAN do is complete them before lower drivers see them, or in the case of IRP_MJ_CREATE, cancel them in a post-operation callback.

Buckle up, you're in for a bumpy ride :)
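An added example, not code from the question or the answer: `scan_buffer` is a portable matcher over constructed sample signatures and compiles anywhere, while the guarded kernel part (hypothetical callback names `PreWrite` and `PostCreate`, and a `MINIFILTER_BUILD` macro assumed to be defined only when building with the WDK) shows the two things the answer says a minifilter can do instead of "dropping" an IRP: complete a write with STATUS_ACCESS_DENIED in the pre-operation callback, and cancel an already-successful open with FltCancelFileOpen in the post-create callback.

```c
#include <string.h>
/* Constructed sample signatures, not real malware ones. */
static const struct { const unsigned char *b; size_t n; } kSig[] = {
    { (const unsigned char *)"SAMPLE-SIG-ONE", 14 },
    { (const unsigned char *)"\x4d\x5a\x90\x00\x03", 5 },
};
/* Index of the first signature found in buf, or -1. memcmp only, so the
 * same function runs in user mode (testable) and in the kernel callbacks. */
int scan_buffer(const unsigned char *buf, size_t len)
{
    for (size_t s = 0; s < sizeof kSig / sizeof kSig[0]; s++)
        for (size_t i = 0; kSig[s].n && i + kSig[s].n <= len; i++)
            if (memcmp(buf + i, kSig[s].b, kSig[s].n) == 0) return (int)s;
    return -1;
}
#ifdef MINIFILTER_BUILD  /* kernel part: assumed macro, compile with the WDK only */
#include <fltKernel.h>
/* Pre-write: complete the request ourselves, so nothing below us ever sees it. */
FLT_PREOP_CALLBACK_STATUS PreWrite(PFLT_CALLBACK_DATA Data,
    PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    PVOID buf; UNREFERENCED_PARAMETER(FltObjects); UNREFERENCED_PARAMETER(CompletionContext);
    if (FLT_IS_FASTIO(Data)) return FLT_PREOP_DISALLOW_FASTIO;  /* comes back as an IRP */
    if (FlagOn(Data->Iopb->IrpFlags, IRP_PAGING_IO)) return FLT_PREOP_SUCCESS_NO_CALLBACK;
    /* Never read the caller's user-mode buffer directly: lock it and map it. */
    if (!Data->Iopb->Parameters.Write.MdlAddress && !NT_SUCCESS(FltLockUserBuffer(Data)))
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    buf = MmGetSystemAddressForMdlSafe(Data->Iopb->Parameters.Write.MdlAddress, NormalPagePriority);
    if (buf && scan_buffer(buf, Data->Iopb->Parameters.Write.Length) >= 0) {
        Data->IoStatus.Status = STATUS_ACCESS_DENIED; Data->IoStatus.Information = 0;
        return FLT_PREOP_COMPLETE;  /* the closest thing to "dropping" the IRP */
    }
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
/* Post-create: the open already succeeded below us, so cancel it instead. */
FLT_POSTOP_CALLBACK_STATUS PostCreate(PFLT_CALLBACK_DATA Data,
    PCFLT_RELATED_OBJECTS FltObjects, PVOID Ctx, FLT_POST_OPERATION_FLAGS Flags)
{
    unsigned char head[512]; ULONG got = 0; LARGE_INTEGER off = { 0 }; UNREFERENCED_PARAMETER(Ctx);
    if (!NT_SUCCESS(Data->IoStatus.Status) || (Flags & FLTFL_POST_OPERATION_DRAINING))
        return FLT_POSTOP_FINISHED_PROCESSING;
    if (NT_SUCCESS(FltReadFile(FltObjects->Instance, FltObjects->FileObject, &off,
                               sizeof head, head, 0, &got, NULL, NULL))
        && scan_buffer(head, got) >= 0) {
        FltCancelFileOpen(FltObjects->Instance, FltObjects->FileObject);
        Data->IoStatus.Status = STATUS_ACCESS_DENIED; Data->IoStatus.Information = 0;
    }
    return FLT_POSTOP_FINISHED_PROCESSING;
}
#endif
```

Registering the callbacks in the FLT_OPERATION_REGISTRATION table and calling FltRegisterFilter is omitted. Production code would also skip directory, volume and paging-file opens before calling FltReadFile.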

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow