IRPLogger
IRPLogger (IRP stands for I/O Request Packet) is a tool to monitor and log any I/O activity that occurs in the system. It is implemented as a File System Minifilter Driver.
IRPLogger is based on the MiniSpy minifilter sample.
IRPLogger-like tools have been used in academic research projects to capture ransomware filesystem behavior, as in ShieldFS: A Self-healing, Ransomware-aware Filesystem. I developed this tool because it was necessary to re-implement these state-of-the-art detectors and to test our evasion attacks, as shown in our paper The Naked Sun: Malicious Cooperation Between Benign-Looking Processes (accepted in ACNS '20).
Follow Microsoft's Driver Development Kit installation guide to set up the environment.
You can use the INF file provided to install, upgrade, and uninstall this file system filter driver. You can use the INF file alone or together with a batch file or a user-mode setup application. See Using an INF File to Install a File System Filter Driver for more information.
Once installed, to load this minifilter, run:
fltmc load irplogger
or
net start irplogger
In order to load this unsigned driver, make sure to disable driver signature verification, either:
- Use shutdown /r /o /t 0 and access the Advanced Boot Options, or
- Install a test certificate in the Trusted Root Certification Authorities.
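The load step above can be scripted so that a test machine confirms the minifilter actually attached rather than trusting the exit status of fltmc alone. The following PowerShell script is an added example, not part of IRPLogger or the MiniSpy sample. It assumes the driver has already been installed from its INF under the service name irplogger, that the script runs from an elevated prompt, and that an unsigned build is being loaded with the test-signing boot option enabled (the bcdedit check is an assumption about how the test-certificate route is configured on the machine).

```powershell
# Added example (not IRPLogger's own code): load the irplogger minifilter and verify it is attached.
# Assumptions: driver installed from its INF as service "irplogger"; elevated PowerShell prompt.
$FilterName = 'irplogger'   # service/filter name from the INF (assumed)

function Test-TestSigningEnabled {
    # bcdedit reports "testsigning Yes" on the current boot entry when test-signed drivers are allowed.
    $bcd = & bcdedit /enum '{current}' 2>$null
    return [bool]($bcd | Where-Object { $_ -match '^\s*testsigning\s+Yes' })
}

function Get-LoadedFilter {
    param([string]$Name)
    # "fltmc filters" prints one row per loaded minifilter: Filter Name, Num Instances, Altitude, Frame.
    $lines = & fltmc filters 2>$null
    foreach ($line in $lines) {
        $fields = ($line -split '\s+') | Where-Object { $_ -ne '' }
        if ($fields.Count -ge 3 -and $fields[0] -ieq $Name) {
            return [pscustomobject]@{
                Name      = $fields[0]
                Instances = [int]$fields[1]
                Altitude  = $fields[2]
            }
        }
    }
    return $null
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt; fltmc load requires administrator rights.'
}

if (-not (Test-TestSigningEnabled)) {
    Write-Warning 'Test signing is off: an unsigned IRPLogger build will be rejected at load time.'
}

$before = Get-LoadedFilter -Name $FilterName
if ($before) {
    Write-Host "$FilterName is already loaded at altitude $($before.Altitude) with $($before.Instances) instance(s)."
} else {
    & fltmc load $FilterName
    if ($LASTEXITCODE -ne 0) {
        throw "fltmc load $FilterName failed with exit code $LASTEXITCODE (check signature settings and the INF install)."
    }
    # fltmc can return 0 while the filter still fails to attach, so re-read the filter table.
    $after = Get-LoadedFilter -Name $FilterName
    if (-not $after) {
        throw "$FilterName did not appear in 'fltmc filters' after load; inspect the event log for the driver's start error."
    }
    Write-Host "$FilterName loaded at altitude $($after.Altitude) with $($after.Instances) instance(s)."
}

# When monitoring is finished, detach with: fltmc unload irplogger
```

The altitude printed after the load is worth noting: it is the position IRPLogger takes in the minifilter stack, and any instance count of zero means the driver loaded but attached to no volume, which is the failure mode fltmc's exit code alone does not reveal.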