This page has been machine-translated from the original page.
In this article, I am publishing the content of A PART OF ANTI-VIRUS - Learn Windows AntiVirus and Minifilter Drivers from Sample Code -, which I distributed for free at Tech Book Fest 17.
The PDF edition can still be downloaded from the Tech Book Fest online market page at the link above.
This time, I am publishing this as the December 7 article for the Technical Doujinshi / Various Writing Around Technology Advent Calendar 2024.
Yesterday’s article was @Kerdy’s Things that were good and bad to bring as a booth staffer.
All content in this book is based on information in official documentation and other websites, or information from publicly available books. When discussing technical topics, I clearly note references whenever possible. Also, all opinions in this book are my own and do not represent the company or organization I belong to.
All implementation details of AntiVirus software introduced in this book are about the Scanner File System Minifilter Driver sample code. I do not discuss implementation details of commercial software provided by any specific vendor.[1]
Also note that publicly available driver sample code may differ from real implementations in commercial software.
Table of Contents
- Preface
- Chapter 1: Setup Environment Used in This Book
- Chapter 2: Introduction to File System Minifilter Drivers
- Chapter 3: Reading the Scanner Sample Code
- Chapter 4: Kernel Debugging Scanner with WinDbg
About This Book
Thank you very much for reading this book. I am Kashiwaba (@kash1064).
I am mainly interested in reverse engineering and forensics, and I usually participate in security competitions called Capture The Flag (CTF) as a hobby.
My main job is as a technical support engineer at a security product vendor. I have done troubleshooting and debugging for Windows and Linux AntiVirus software at two security vendors.
In this book, based on the Scanner File System Minifilter Driver sample code published in the official Windows Driver Samples repository,[2] I explain how real-time file scanning works in AntiVirus software for Windows.
Real-time file scanning in AntiVirus software is also called on-access scanning, and it is implemented in many commercial AntiVirus products.
With this feature, AntiVirus software monitors file operations by users and programs in the system, detects creation or execution of malicious files (malware), and can block those operations.
Recent AntiVirus software for Windows may monitor many targets beyond files, such as behavior at process startup and in-memory content, to handle many kinds of threats and malware variants.
Those monitoring features may use mechanisms different from real-time file scanning, but this book does not cover process monitoring or memory scanning.
As stated above, this book aims to help readers learn the technologies many AntiVirus products use to implement real-time file scanning through the Scanner sample code.
The Scanner sample code used in this book consists of two components: a file system minifilter driver that runs in kernel mode, and a client program that runs in user mode.
The Scanner sample code is very simple, and it has rich comments, so if you have basic knowledge of Windows kernel driver development, you can read it smoothly.
By reading the Scanner sample code, you can deepen your understanding of how AntiVirus software scans the data in files using Windows file system minifilter drivers.
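The two-component design described above, as an added example that is not code from the book or from the Microsoft sample: a portable C model, runnable in user mode on any platform, in which the minifilter callbacks (post-create, pre-write, pre-cleanup) and the user-mode scanner are plain functions, and the notification/reply messages cross a direct call rather than a filter communication port. Every name, the message layout, `READ_BUFFER_SIZE` and the `CONSTRUCTED-MALWARE-MARKER` detection rule are constructed for illustration and are assumptions, not the sample's own definitions.

```c
/* Added example: portable model of the kernel/user split in an on-access scanner.
 * Not the Scanner sample's code; all names and values below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define READ_BUFFER_SIZE 1024  /* constructed: bytes handed to user mode per request */

/* Driver -> client notification: one fixed-size chunk of the file being opened. */
typedef struct {
    uint32_t bytes_to_scan;
    uint8_t  contents[READ_BUFFER_SIZE];
} scan_notification_t;

/* Client -> driver reply: the driver only needs a verdict back. */
typedef struct { bool safe_to_open; } scan_reply_t;

/* Decision a post-create callback enforces on the open that triggered it. */
typedef enum { ACCESS_ALLOWED = 0, ACCESS_DENIED = 1 } access_decision_t;

/* Per-open state a minifilter would keep in a stream-handle context. */
typedef struct {
    const uint8_t *data;      /* in-memory stand-in for reading the file */
    size_t         len;
    bool           modified;  /* set by pre-write, checked by pre-cleanup */
} file_stream_t;

/* Constructed detection rule: a fixed marker stands in for signature matching. */
static const uint8_t kMarker[] = "CONSTRUCTED-MALWARE-MARKER";
#define MARKER_LEN (sizeof(kMarker) - 1)

/* User-mode side: scan the chunk it was given and answer. */
static scan_reply_t client_scan(const scan_notification_t *msg) {
    scan_reply_t reply = { true };
    for (size_t i = 0; i + MARKER_LEN <= msg->bytes_to_scan; i++) {
        if (memcmp(msg->contents + i, kMarker, MARKER_LEN) == 0) {
            reply.safe_to_open = false;
            break;
        }
    }
    return reply;
}

/* Kernel side: copy the first chunk into a notification and hand it to user mode
 * (a direct call here; a real driver sends it over a filter communication port). */
static bool driver_scan_in_user_mode(const file_stream_t *f) {
    scan_notification_t msg;
    size_t n = f->len < READ_BUFFER_SIZE ? f->len : READ_BUFFER_SIZE;
    memset(&msg, 0, sizeof msg);
    memcpy(msg.contents, f->data, n);
    msg.bytes_to_scan = (uint32_t)n;
    return client_scan(&msg).safe_to_open;
}

/* Post-create: the file system has opened the file, so its bytes can be read;
 * an unsafe verdict turns into a denied open. */
static access_decision_t post_create(file_stream_t *f) {
    f->modified = false;
    return driver_scan_in_user_mode(f) ? ACCESS_ALLOWED : ACCESS_DENIED;
}

/* Pre-write: remember that this handle changed the file. */
static void pre_write(file_stream_t *f, const uint8_t *data, size_t len) {
    f->data = data;
    f->len = len;
    f->modified = true;
}

/* Pre-cleanup (handle close): rescan only if the handle wrote to the file.
 * Returns true when the rescan finds the marker. */
static bool pre_cleanup(const file_stream_t *f) {
    return f->modified && !driver_scan_in_user_mode(f);
}

/* Scenario helpers on constructed inputs, so the decisions can be checked. */
static access_decision_t scenario_open(const char *text) {
    file_stream_t f = { (const uint8_t *)text, strlen(text), false };
    return post_create(&f);
}

/* Marker placed at 'offset' inside a filler buffer: shows that only the first
 * READ_BUFFER_SIZE bytes reach the scanner (a limitation of this chunked model). */
static access_decision_t scenario_open_marker_at(size_t offset) {
    static uint8_t buf[4096];
    memset(buf, 'A', sizeof buf);
    memcpy(buf + offset, kMarker, MARKER_LEN);
    file_stream_t f = { buf, sizeof buf, false };
    return post_create(&f);
}

static bool scenario_write_then_close(const char *initial, const char *written) {
    file_stream_t f = { (const uint8_t *)initial, strlen(initial), false };
    (void)post_create(&f);
    if (written) pre_write(&f, (const uint8_t *)written, strlen(written));
    return pre_cleanup(&f);
}

int main(void) {
    printf("open clean file: %s\n",
           scenario_open("just some text") == ACCESS_ALLOWED ? "allowed" : "denied");
    printf("open marked file: %s\n",
           scenario_open("x CONSTRUCTED-MALWARE-MARKER y") == ACCESS_ALLOWED ? "allowed" : "denied");
    printf("marker past first chunk: %s\n",
           scenario_open_marker_at(READ_BUFFER_SIZE) == ACCESS_ALLOWED ? "allowed (missed)" : "denied");
    printf("write marker then close: %s\n",
           scenario_write_then_close("clean", "now CONSTRUCTED-MALWARE-MARKER") ? "detected at cleanup" : "clean");
    return 0;
}
```

Two points of the model are worth noticing when reading the real sample later. First, the open is only denied in the post-create path, because that is the first moment the driver can read the file's contents; the pre-cleanup rescan can only react after a handle that wrote to the file is closed. Second, because the notification carries a fixed-size chunk, a marker placed at offset 1024 or later is never seen; a production scanner has to read the whole file (or scan it in a loop), which is exactly the kind of simplification to watch for when comparing sample code with commercial products.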
The Windows Driver Samples repository also contains another sample named AvScan File System Minifilter Driver, which is a transaction-aware file scanner.
While Scanner is about 2,500 lines including comments, AvScan is around 10,000 lines including comments.
This book focuses on Scanner because it is simpler, so AvScan is not covered here. However, AvScan is also very readable and heavily commented like Scanner, so if you want deeper understanding of AntiVirus software for Windows, I recommend checking it as well.
Why I Wrote This Book
Today, most Windows machines run AntiVirus software with real-time file scanning (on-access scanning).
However, even though AntiVirus software is familiar to most PC users, there is very little public information about detailed implementations, and many users still have major misunderstandings about how it works.
Scanner used in this book is only sample code, so some behavior is very different from real commercial products. Even so, it is very useful for understanding real-time file scan mechanisms.
Through sample code published by Microsoft, this book explains technologies used by AntiVirus software for Windows in real-time file scanning, and aims to help readers learn how AntiVirus software works.
I hope this book helps readers interested in AntiVirus software mechanisms.
What This Book Covers
This book uses Scanner File System Minifilter Driver sample code and explains real-time file scan mechanisms in Windows AntiVirus software in the following chapters.
- Chapter 1: Building an environment to build and debug Scanner
- Chapter 2: About Windows file system minifilter drivers
- Chapter 3: Explanation of Scanner sample code
- Chapter 4: Debugging Scanner with WinDbg
In this book, we create a Windows Server 2019 virtual machine and perform kernel debugging with WinDbg to verify AntiVirus behavior.
Chapter 1 introduces components you need to set up before practicing this book.
However, this book does not cover step-by-step instructions for environment setup such as creating virtual machines or preparing kernel debugging.
For those topics, please see Magical WinDbg 2,[3] which was distributed for free at Tech Book Fest 16.
In Chapter 2, before reading Scanner sample code, I explain introductory concepts of Windows minifilter drivers using nullFilter, a very small minifilter sample.
In Chapters 3 and 4, I explain Scanner sample code and verify real behavior through kernel debugging with WinDbg.
This book does not cover AntiVirus features other than real-time file scanning.
It also does not cover pattern file signatures, heuristics for malware detection, or detection bypass techniques called Antivirus Evasion.
If you are interested in detailed detection technologies or bypass techniques, the following books and the training modules from Maldev Academy[4] may be helpful.
- The Antivirus Hacker’s Handbook (Joxean Koret, Elias Bachaalany / Wiley / 2015)
- Antivirus Bypass Techniques: Learn practical techniques and tactics to combat, bypass, and evade antivirus software (Nir Yehoshua, Uriel Kosayev / Packt Publishing / 2021)
Target Readers
This book assumes you have basic knowledge of C programming and Windows kernel drivers.
Therefore, it does not provide a comprehensive beginner tutorial for filter drivers and kernel driver development.
If you are interested in Windows kernel driver development, the following books may help.
- Windows Kernel Programming, Second Edition (Pavel Yosifovich / Independently published / 2023)
- WDM Device Driver Programming Complete Guide Vol.1/Vol.2 (Edward N. Dekker, Joseph M. Newcomer / translated by Quick / ASCII / 2000)
In particular, Windows Kernel Programming covers a wide range from environment setup to file system minifilter drivers discussed in this book.
If reading English books is difficult, I also recommend the Japanese translation of the first edition: “Windows Kernel Driver Programming” (Pavel Yosifovich / translated by Kunio Yoshikawa / Shoeisha / 2021).
At the time of writing, the Second Edition has more information and is not yet translated into Japanese, but for environment setup and file system minifilter drivers, the first edition is still sufficient.
Acknowledgements
I received tremendous support from members of CTF team 0nePadding while writing this book.
I sincerely thank @salty_byte and Mikio Hirokawa from 0nePadding for helping with proofreading.
Footnotes
- [1] Except for items generally known as features or techniques used by common AntiVirus software, such as real-time file scan (on-access scan) functionality and pattern matching methods.
- [2] Windows Driver Samples - scanner: https://github.com/microsoft/Windows-driver-samples/tree/main/filesys/miniFilter/scanner
- [3] Magical WinDbg 2 - Learn User Mode & Kernel Debugging in CTF -: https://techbookfest.org/product/6hBEkTPSxJC5vSRTqa81F9
- [4] Maldev Academy: https://maldevacademy.com/