Need direction with a Win32 API Interception Project

Question

Okay first a little context. I have started working on a project in my uni, one of the goals of which are to develop a module that will log when a process tries to:

-create, delete or modify a file (filesystem activity basically) -create, detete or modify a registry id/value

We will actually be specifying a process for this module to monitor, and whenever this process tries to perform any of the activities listed above it will get logged.

Right now, i am looking into the basics of Driver development, and Filter Drivers as suggested by my DS. Here is my question,

What would be the best method to achieve this, would it be by writing a filter driver of some sort? if yes than exactly what filter driver, a filesystem filter driver or a minifilter driver or something else? Or don't know maybe some other technique?

I just need a little direction, so that i can do targeted research and implementation, as i don't have much time for this project!

Answer 1

File system minifilter drivers is the way to do this.

But the tricky part would be how do specify process to monitor. If you are thinking of PID then its quite straight forward, but if you are thinking of using process/executable name like notepad.exe then that becomes little complicated.

Just to give you hint, you can get PID for the operation in mini filter but not process name. So you will have to maintain a map of PID to process name in your minifilter driver. You way want to use PsSetCreateProcessNotifyRoutineEx and PsSetLoadImageNotifyRoutine.