MinifilterHook

Silence file system monitoring components by hooking their minifilters

Tested on Windows 10 1903, 21H2 and 22H2 against WdFilter

POC can be easily modified to target other filter drivers -> simply change TARGET_FILTER_NAME and TARGET_FILTER_DRIVER

Usage:

Install .inf file -> right click + install or use SetupApi to install programtically

Load WdfltHook.sys -> via an unsigned driver loader like : https://github.com/0mWindyBug/KDP-compatible-driver-loader/tree/main

See "HowItWorks.pdf" (English) or https://www.digitalwhisper.co.il/files/Zines/0x9C/DW156-2-FilteringMinifilters.pdf (Hebrew)

Before loading our driver:

demo1

After loading our driver:

demp4

Thanks to @GetRektBoy724 for his contribution
We restore everything during unload so be aware
Similar implementation using only a r/w primitive from UM (no driver) has been published & integrated to https://github.com/wavestone-cdt/EDRSandblast