/windows-inspector

A driver to intercept low level windows events

Primary LanguageC

Windows Inspector

This is a driver created to learn more about kernel programming, kernel callbacks and filesystem minifilters. Allows the user to hook many events and set some security policies.

The driver will intercept -

  • process creation
  • image load
  • file system operations
  • registry operations
  • networking events
  • thread events
  • process/thread handle callbacks

This driver will block unwanted operations based on a very simple policy:

  • child process blacklists
  • file operations on some files
  • registry operations

The driver will kill the unwanted process before the operation has been done. Also, information will be shared with the user mode side.