System Overview

This document describes the high-level architecture, technology stack, and deployment topology of the Windows File System Minifilter project.

Related: Driver Architecture · Communication Architecture · Design Decisions


1. Architecture Topology

The system is a three-process architecture spanning the Windows kernel/user boundary. A kernel-mode minifilter driver intercepts file system I/O, a user-mode monitor bridges kernel events to the scanner, and a user-mode scanner performs malware analysis.

flowchart LR
    subgraph Kernel["Kernel Space (Ring 0)"]
        direction TB
        NTFS["NTFS / ReFS"]
        FltMgr["Filter Manager"]
        Driver["WindowsFileSystemMinifilter.sys"]
        NTFS --> FltMgr --> Driver
    end

    subgraph User["User Space (Ring 3)"]
        direction TB
        Monitor["FsMinifilterMonitor.exe"]
        Scanner["Scanner.exe"]
        Monitor -->|Named Pipe| Scanner
    end

    Driver -->|"Filter Comm Port\n(\\FsMinifilterPort)"| Monitor

    style Kernel fill:#2d1b69,color:#fff
    style User fill:#1b3a4b,color:#fff

Component Responsibilities

| Component | Ring | Responsibility |
|---|---|---|
| WindowsFileSystemMinifilter.sys | 0 | Intercept IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_SET_INFORMATION and IRP_MJ_CLEANUP for .exe/.dll files |
| FsMinifilterMonitor.exe | 3 | Connect to the filter port, receive messages, deduplicate, forward to the scanner via the named pipe |
| Scanner.exe | 3 | Receive scan requests, parse PE headers, extract features, classify, enforce policy |

2. Technology Stack

flowchart TB
    subgraph Stack["Technology Stack"]
        direction LR
        subgraph KernelTech["Kernel"]
            WDK["Windows Driver Kit (WDK)"]
            FltAPI["Filter Manager API\n(fltKernel.h)"]
            CRT_K["Kernel C Runtime"]
        end
        subgraph UserTech["User Mode"]
            MSVC["MSVC C++17"]
            FltUser["fltUser.h / fltlib.lib"]
            Win32["Win32 API\n(Pipes, Threads, Heap)"]
            STL["C++ STL\n(vector, queue, mutex, string)"]
        end
    end

    style KernelTech fill:#3a0ca3,color:#fff
    style UserTech fill:#4361ee,color:#fff
| Layer | Technology | Purpose |
|---|---|---|
| Kernel Driver | WDK / fltKernel.h | Minifilter registration, IRP callbacks, stream contexts |
| Kernel ↔ User Comm | FltCreateCommunicationPort / FilterConnectCommunicationPort | Message passing across the Ring 0/3 boundary; payloads are raw buffers, so the user-mode receiver must check length and layout itself |
| User ↔ Scanner Comm | Win32 Named Pipes (`\\.\pipe\ScannerPipe`) | IPC between the monitor and scanner processes |
| PE Analysis | Raw Win32 (CreateFileW, HeapAlloc) | PE header parsing without external dependencies |
| Concurrency | C++ std::mutex, std::queue, Win32 Events | Thread-safe scan queue with backpressure (10,000-entry cap) |
| Build System | Visual Studio / MSBuild | Multi-architecture (ARM64, x64) with WDK integration |
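As an added illustration, not code from the project, the following is a bounded scan queue of the kind the Concurrency row describes, sitting between the monitor's port-reader thread (producer) and the thread that forwards requests over the pipe (consumer). The 10,000-entry cap is the page's figure; the class and method names, the path-keyed deduplication and the drop-when-full policy are assumptions made for the example.

```cpp
// Added example (not the project's code): bounded, thread-safe scan queue
// with backpressure and path-keyed dedup for the monitor process.
// Names, dedup semantics and drop policy are assumptions; the 10,000 cap
// is the figure given on the page.
#include <condition_variable>
#include <cstdint>
#include <mutex>
#include <optional>
#include <queue>
#include <string>
#include <unordered_set>

struct ScanRequest {
    std::wstring path;  // NT path as reported by the driver
    uint32_t     pid;   // process whose I/O triggered the event
};

enum class PushResult { Queued, Duplicate, Full };

class ScanQueue {
public:
    explicit ScanQueue(size_t cap) : cap_(cap) {}

    // Producer side. Never blocks: a blocked port-reader would stall message
    // delivery from the driver, and an unbounded queue would let a burst of
    // file I/O exhaust memory. A path already waiting is coalesced so one
    // .exe written in many IRP_MJ_WRITE calls is scanned once.
    PushResult TryPush(ScanRequest req) {
        std::lock_guard<std::mutex> lk(m_);
        if (inflight_.count(req.path)) return PushResult::Duplicate;
        if (q_.size() >= cap_) { ++dropped_; return PushResult::Full; }
        inflight_.insert(req.path);
        q_.push(std::move(req));
        cv_.notify_one();
        return PushResult::Queued;
    }

    // Consumer side. Blocks until an item is available; after Shutdown() it
    // drains what is left and then returns nullopt.
    std::optional<ScanRequest> Pop() {
        std::unique_lock<std::mutex> lk(m_);
        cv_.wait(lk, [&] { return !q_.empty() || stop_; });
        if (q_.empty()) return std::nullopt;
        ScanRequest r = std::move(q_.front());
        q_.pop();
        inflight_.erase(r.path);
        return r;
    }

    void Shutdown() {
        { std::lock_guard<std::mutex> lk(m_); stop_ = true; }
        cv_.notify_all();
    }
    size_t   Size()    const { std::lock_guard<std::mutex> lk(m_); return q_.size(); }
    uint64_t Dropped() const { std::lock_guard<std::mutex> lk(m_); return dropped_; }

private:
    mutable std::mutex               m_;
    std::condition_variable          cv_;
    std::queue<ScanRequest>          q_;
    std::unordered_set<std::wstring> inflight_;
    size_t   cap_;
    uint64_t dropped_ = 0;
    bool     stop_    = false;
};

// Deterministic burst: 'offered' events spread over 'distinct' constructed
// paths go into a queue of 'cap' slots with no consumer running, then the
// queue is drained. Shows how many were queued, coalesced, dropped, drained.
struct BurstStats { uint64_t queued, duplicates, dropped, drained; };

BurstStats SimulateBurst(size_t cap, unsigned distinct, uint64_t offered) {
    ScanQueue q(cap);
    BurstStats s{};
    for (uint64_t i = 0; i < offered; ++i) {
        std::wstring p = L"\\Device\\HarddiskVolume3\\Temp\\sample" +
                         std::to_wstring(i % distinct) + L".exe";  // constructed path
        switch (q.TryPush({p, 4242})) {
            case PushResult::Queued:    ++s.queued;     break;
            case PushResult::Duplicate: ++s.duplicates; break;
            case PushResult::Full:      ++s.dropped;    break;
        }
    }
    q.Shutdown();                 // consumer drains the remainder, then stops
    while (q.Pop()) ++s.drained;
    return s;
}
```

Dropping on a full queue is a fail-open choice: the dropped file is never scanned, so Dropped() is worth surfacing in the monitor's logs. The alternative, blocking the producer, would stall the thread that reads the filter port and push the pressure back into the driver's message path.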

3. Deployment Model

flowchart TB
    subgraph Target["Target Machine"]
        subgraph KernelDeploy["System32\\drivers"]
            SYS["WindowsFileSystemMinifilter.sys"]
        end
        subgraph UserDeploy["Application Directory"]
            MON["FsMinifilterMonitor.exe"]
            SCANNER["Scanner.exe"]
        end
        subgraph Registry["HKLM\\SYSTEM\\CurrentControlSet\\Services"]
            SVC["WindowsFileSystemMinifilter"]
            INST["Instances\\WindowsFileSystemMinifilter Instance"]
        end
    end

    SYS ---|"Altitude: 47777"| INST
    SVC ---|"Group: FSFilter Activity Monitor"| SYS

    style KernelDeploy fill:#d62828,color:#fff
    style UserDeploy fill:#457b9d,color:#fff
    style Registry fill:#2a9d8f,color:#fff
| Artifact | Location | Install Method |
|---|---|---|
| WindowsFileSystemMinifilter.sys | C:\Windows\System32\drivers\ | InstallDriver.cmd (sc.exe create + reg add) |
| Service registration | Registry (HKLM) | Altitude 47777, FSFilter Activity Monitor group |
| FsMinifilterMonitor.exe | Any user-accessible directory | Manual copy |
| Scanner.exe | Any user-accessible directory | Manual copy |

Note on the altitude: 47777 falls in the FSFilter Bottom band (40000–49999) of Microsoft's published load-order altitude allocation, not in the FSFilter Activity Monitor band (360000–389999) that the Group value names. That is workable on a test-signed development machine, but a driver meant to ship needs an altitude allocated by Microsoft for the group it registers in. `fltmc instances` shows the altitude the loaded instance actually has.

Prerequisites: Test signing must be enabled (`bcdedit /set testsigning on`, then reboot) before the driver will load. Test-signing mode accepts drivers signed with a test certificate, such as the one a WDK debug build applies; it does not load a driver that carries no signature at all.


4. Security Boundaries

flowchart LR
    subgraph Trust["Trust Boundaries"]
        K["Kernel (Fully Trusted)"]
        M["Monitor (Admin Required)"]
        S["Scanner (User-Level)"]
    end

    K -->|"Filtered Messages Only"| M
    M -->|"Scan Requests Only"| S

    style K fill:#c1121f,color:#fff
    style M fill:#e07a5f,color:#fff
    style S fill:#81b29a,color:#fff
  • Kernel → Monitor: The communication port is created with a security descriptor from FltBuildDefaultSecurityDescriptor(FLT_PORT_ALL_ACCESS), which grants that access only to the Administrators group and LocalSystem; this is why the monitor must run elevated. MaxConnections = 1, so a second connection attempt is refused while the monitor is attached.
  • Monitor → Scanner: Named pipe created with default security. The monitor writes SCAN_REQUEST structs; the scanner reads them. The default named-pipe DACL grants Everyone read access, and neither side authenticates its peer, so this hop is not a privilege boundary; a restrictive SECURITY_ATTRIBUTES on the pipe, together with a check of the peer PID (GetNamedPipeClientProcessId / GetNamedPipeServerProcessId), would make it one.
  • Self-exclusion: The driver records the monitor's PID on connect (g_clientProcessId) and skips all I/O from that process to prevent feedback loops.
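Because the structs that cross the pipe arrive as raw bytes, the receiving side should validate them before acting on a path. The following is an added example, not the project's code: the page only says the monitor writes SCAN_REQUEST structs and the scanner reads them, so the header layout, the magic value, the version field and the size bound below are all assumptions, chosen to show the checks a practitioner would want on the scanner side.

```cpp
// Added example (not the project's code): validating a SCAN_REQUEST message
// read from the monitor -> scanner named pipe. Wire layout, magic, version
// and limits are assumptions; the page does not define the struct.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

namespace wire {
constexpr uint32_t kMagic        = 0x53435251u;  // arbitrary tag (assumption)
constexpr uint32_t kVersion      = 1;
constexpr uint32_t kMaxPathChars = 32767;        // longest NT path, UTF-16 units

#pragma pack(push, 1)
struct ScanRequestHeader {
    uint32_t magic;
    uint32_t version;
    uint32_t total_size;  // header plus path bytes, as the sender computed it
    uint32_t pid;         // process whose I/O triggered the event
    uint32_t path_chars;  // UTF-16 code units that follow, including the NUL
};
#pragma pack(pop)
}  // namespace wire

enum class Verdict { Ok, TooShort, BadMagic, BadVersion, PathTooLong, SizeMismatch, NotTerminated };

struct ParsedRequest {
    uint32_t       pid = 0;
    std::u16string path;
};

// Validates one message as read from a message-mode pipe (one ReadFile per
// message, so 'len' must equal the message size exactly). Nothing in the
// header is trusted until it has been checked against 'len'.
Verdict ParseScanRequest(const uint8_t* buf, size_t len, ParsedRequest& out) {
    using wire::ScanRequestHeader;
    if (len < sizeof(ScanRequestHeader)) return Verdict::TooShort;
    ScanRequestHeader h;
    std::memcpy(&h, buf, sizeof h);  // copy out: no alignment or aliasing assumptions
    if (h.magic   != wire::kMagic)   return Verdict::BadMagic;
    if (h.version != wire::kVersion) return Verdict::BadVersion;
    if (h.path_chars == 0 || h.path_chars > wire::kMaxPathChars) return Verdict::PathTooLong;
    // 64-bit arithmetic so a hostile path_chars cannot wrap the length check.
    const uint64_t expected = sizeof(ScanRequestHeader) + uint64_t{h.path_chars} * 2;
    if (h.total_size != expected || len != expected) return Verdict::SizeMismatch;
    std::u16string path(h.path_chars, u'\0');
    std::memcpy(&path[0], buf + sizeof h, h.path_chars * 2);
    if (path.back() != u'\0') return Verdict::NotTerminated;
    path.pop_back();
    // An embedded NUL makes a C-string consumer and a length-aware consumer
    // disagree about which file was scanned; reject it outright.
    if (path.find(u'\0') != std::u16string::npos) return Verdict::NotTerminated;
    out.pid  = h.pid;
    out.path = std::move(path);
    return Verdict::Ok;
}

// Sender side, so the example is self-contained and inputs can be built.
std::vector<uint8_t> BuildScanRequest(uint32_t pid, std::u16string path) {
    path.push_back(u'\0');
    const size_t hdr = sizeof(wire::ScanRequestHeader);
    wire::ScanRequestHeader h{wire::kMagic, wire::kVersion,
                              static_cast<uint32_t>(hdr + path.size() * 2),
                              pid, static_cast<uint32_t>(path.size())};
    std::vector<uint8_t> msg(hdr + path.size() * 2);
    std::memcpy(msg.data(), &h, hdr);
    std::memcpy(msg.data() + hdr, path.data(), path.size() * 2);
    return msg;
}
```

The same discipline applies one hop earlier, where the monitor receives the driver's messages from the filter port: a fixed header, an explicit length compared against the bytes actually received, and a terminated, bounded path before anything is enqueued.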

Next Steps