Sniper

Installing the kernel mode driver

The kernel driver needs to be compiled and installed manually. Therefore, make sure you have the Windows Driver Kit (WDK) 10 installed. After compiling the driver with VS, you can install the driver with the following command

 RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 ./sniper.inf

The driver will be loaded automatically after reboot. To load it manually without reboot, run

 fltmc.exe load sniper

If you don't have a valid code signing certificate and try to install the driver on 64bit Windows, you need to enable test signed drivers as described here.

Please make sure to always compile and install the correct driver version (32/64bit) depending on your operating system!

To uninstall the driver, run

RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultUninstall 132 ./sniper.inf

Usage

Check SniperTestApp for API Usage

WIP

Detect username responsible for I/O change.
Detect IP Address if change is done remotely.
Add Support for monitoring multiple paths.
Add package to nuget

About

Kernel mode minifilter driver and User mode C# API for filesystem events monitoring

minifilter-driver windows

Microsoft Public License

Languages

Language:C 68.7%Language:C# 31.0%Language:Batchfile 0.2%