A simple ransomware defender for Windows.
It uses a minifilter driver to catch "rewrite" and "delete" events on files with monitored suffixes in the kernel, and handles those events in user mode by counting each process's behaviour over a 30-second window. If a process rewrites or deletes more than 5 files within 30 seconds, it displays a notice message box.
It defends against all ransomware seen so far, unless the ransomware evades it in one of the following ways:
- rewrite (or delete) fewer than 5 files per 30 s.
- rename a file, then rewrite (or delete) it, so the suffix no longer matches.
- kill the user-mode handler.
- add itself to the whitelist.
- rewrite (or delete) each file from a new process, so no single process reaches the threshold.
- inject into explorer.exe and delete or rewrite files from there.
Planned mitigations:
- detect the file type in the kernel instead of matching the suffix.
- protect the user-mode handler and the user-mode whitelist file.
- verify the signature of an executable: if it is signed, let it pass; if not, record its process tree and check whether the tree is trusted.
- protect against injection by means of another defender.
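The following is an added example, not code from the dataproctor project: a stand-alone C model of the user-mode counting rule described above (per process, more than 5 distinct monitored-suffix files rewritten or deleted within a sliding 30-second window, one notice per process). The suffix list, the file paths and the event stream are constructed for the demo, and the kernel side is simulated by calling handle_event directly. The replay helper reproduces two of the listed bypasses, a slow writer that stays at 5 files per window and a writer that uses a fresh process for every file, so the reader can see exactly where the rule stops firing.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW_SECONDS 30
#define FILE_THRESHOLD 5      /* alert once a process exceeds this many files */
#define MAX_PROCS      128
#define RING_SIZE      64     /* per-process history of monitored events */

typedef enum { OP_REWRITE, OP_DELETE, OP_OTHER } op_t;
typedef struct { uint64_t t; uint64_t path_hash; } event_t;
typedef struct {
    uint32_t pid;
    event_t  ring[RING_SIZE];
    size_t   head, count;
    bool     alerted;
} proc_t;

static proc_t procs[MAX_PROCS];
static size_t nprocs;

/* Assumed suffix list; the project's real list lives in the driver. */
static const char *const monitored[] = { ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt" };

static int ieq(const char *a, const char *b)      /* case-insensitive, like NTFS names */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

bool suffix_monitored(const char *path)
{
    const char *dot = strrchr(path, '.');
    const char *sep = strrchr(path, '\\');
    if (!dot || (sep && sep > dot)) return false; /* final component has no extension */
    for (size_t i = 0; i < sizeof monitored / sizeof monitored[0]; i++)
        if (ieq(dot, monitored[i])) return true;
    return false;
}

/* FNV-1a over the lower-cased path so "A.DOCX" and "a.docx" count as one file. */
static uint64_t path_hash(const char *path)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *path; path++) { h ^= (unsigned char)tolower((unsigned char)*path); h *= 1099511628211ULL; }
    return h;
}

void reset_state(void) { nprocs = 0; }

static proc_t *lookup(uint32_t pid)
{
    for (size_t i = 0; i < nprocs; i++) if (procs[i].pid == pid) return &procs[i];
    if (nprocs == MAX_PROCS) return NULL;
    proc_t *p = &procs[nprocs++];
    memset(p, 0, sizeof *p);
    p->pid = pid;
    return p;
}

/* Evict events older than the window, append the new one, return distinct files in window. */
static size_t record(proc_t *p, uint64_t now, uint64_t h)
{
    while (p->count && now - p->ring[p->head].t >= WINDOW_SECONDS) { p->head = (p->head + 1) % RING_SIZE; p->count--; }
    if (p->count == RING_SIZE) { p->head = (p->head + 1) % RING_SIZE; p->count--; } /* ring full: forget oldest */
    p->ring[(p->head + p->count) % RING_SIZE] = (event_t){ now, h };
    p->count++;
    size_t distinct = 0;
    for (size_t i = 0; i < p->count; i++) {
        uint64_t hi = p->ring[(p->head + i) % RING_SIZE].path_hash;
        bool seen = false;
        for (size_t j = 0; j < i && !seen; j++) seen = p->ring[(p->head + j) % RING_SIZE].path_hash == hi;
        if (!seen) distinct++;
    }
    return distinct;
}

/* One event forwarded by the filter. Returns true when this event trips the alert for pid. */
bool handle_event(uint32_t pid, uint64_t now, op_t op, const char *path)
{
    if (op == OP_OTHER || !suffix_monitored(path)) return false;
    proc_t *p = lookup(pid);
    if (!p) return false;
    size_t files = record(p, now, path_hash(path));
    if (files > FILE_THRESHOLD && !p->alerted) {
        p->alerted = true;   /* the real handler would show the notice message box here */
        printf("ALERT pid %u: %zu files rewritten/deleted within %d s\n", pid, files, WINDOW_SECONDS);
        return true;
    }
    return false;
}

/* Constructed replay (not captured data): n files, `step` seconds apart, optionally a fresh pid
   per file. Returns the number of alerts raised. */
int replay(int n, uint64_t step, bool new_pid_per_file)
{
    char name[40]; int alerts = 0;
    reset_state();
    for (int i = 0; i < n; i++) {
        snprintf(name, sizeof name, "C:\\Users\\u\\doc%d.docx", i);
        uint32_t pid = new_pid_per_file ? 4000u + (uint32_t)i : 1000u;
        alerts += handle_event(pid, (uint64_t)i * step, OP_REWRITE, name);
    }
    return alerts;
}

int main(void)
{
    printf("bulk, 6 files in 6 s:        %d alert(s)\n", replay(6, 1, false));
    printf("slow, 5 files per 30 s:      %d alert(s)\n", replay(40, 6, false));
    printf("new process for every file:  %d alert(s)\n", replay(40, 1, true));
    return 0;
}
```

The window is evaluated per process and per distinct path, which is why the second and third replays never alert: the slow writer never has more than 5 files inside any 30 s span, and the process-per-file writer never accumulates more than one event under any pid. Correlating by parent process or by user session instead of pid would be the first step toward closing the latter bypass.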
For now, I have no certificate for the driver, so this is a test demo.
First, install the driver with loadMiniFilterDriver.exe. Because the driver is unsigned, it will only load on a machine where driver signature enforcement is disabled (for example, with test signing enabled):
loadMiniFilterDriver.exe install dp \path\to\dataproctorDriver.sys
You can confirm the filter is registered with "fltmc filters", which lists the loaded minifilters. Then run dataproctorUser.exe.
Closing the bypass methods listed above is still to be done.