jonny-jhnson

!object ffffcc8edb89b270
Object: ffffcc8edb89b270  Type: (ffffcc8ed58e7db0) FilterConnectionPort
    ObjectHeader: ffffcc8edb89b240 (new version)
    HandleCount: 1  PointerCount: 4
    Directory Object: ffffbb82c72a8d90  Name: PrjFltPort

jonny-jhnson

kd> !fltkd.filters
Filter List: ffffcc8ed638a790 "Frame 0"
<snipped>
      FLT_FILTER: ffffcc8edb552a30 "PrjFlt" "189800"
      FLT_INSTANCE: ffffcc8edba16820 "PrjFlt Instance" "189800"
<snipped>

jonny-jhnson

ProjFS.exe C:\ProjFSDir
[*] Directory created.
[*] Virtualization Root: C:\ProjFSDir
[*] Projected File 1: C:\ProjFSDir\ProjectedFile.txt
[*] Projected File 2: C:\ProjFSDir\TestDir\SecondProjectedFile.txt
[*] Press Ctrl+C to stop...

jonny-jhnson

switch (notification) {
	case PRJ_NOTIFICATION_PRE_DELETE:
	{
		std::wprintf(L"[*] PRE_DELETE. ACCESS DENIED. File: %s, TriggeringImageInfo: %s (PID: %d)\n",
			callbackData->FilePathName,
			callbackData->TriggeringProcessImageFileName,
			callbackData->TriggeringProcessId);
		 return HRESULT_FROM_WIN32(ERROR_ACCESS_DENIED);
	}

jonny-jhnson

!fltkd.portlist ffffcc8edb552a30

FLT_FILTER: ffffcc8edb552a30 
   Client Port List         : Mutex (ffffcc8edb552c90) List [ffffcc8edfa87e10-ffffcc8edfa88190] mCount=2 
      FLT_PORT_OBJECT: ffffcc8edfa87e10 
         FilterLink               : [ffffcc8edfa88190-ffffcc8edb552cc8] 
         ServerPort               : ffffcc8edb89b270 
         Cookie                   : ffffbb82d7b791f0 
         Lock                     : (ffffcc8edfa87e38)
         MsgQ                     : (ffffcc8edfa87e70)  NumEntries=12 Enabled

jonny-jhnson

kd> dps 0xffffcc8edb552cf0 L10
ffffcc8e`db552cf0  00000000`00000000
ffffcc8e`db552cf8  fffff801`6d0aff50 prjflt!PrjfPreCreate
ffffcc8e`db552d00  fffff801`6d0aeec0 prjflt!PrjfPostCreate
ffffcc8e`db552d08  00000000`00000000
ffffcc8e`db552d10  00000000`00000003
ffffcc8e`db552d18  fffff801`6d095470 prjflt!PrjfPreRead
ffffcc8e`db552d20  00000000`00000000
ffffcc8e`db552d28  00000000`00000000
ffffcc8e`db552d30  00000000`00000004

jonny-jhnson

kd> !fltkd.filter ffffcc8edb552a30

FLT_FILTER: ffffcc8edb552a30 "PrjFlt" "189800"
   FLT_OBJECT: ffffcc8edb552a30  [02000000] Filter
      RundownRef               : 0x0000000000000014 (10)
      PointerCount             : 0x00000002 
      PrimaryLink              : [ffffcc8edb550530-ffffcc8edb9b8330] 
   Frame                    : ffffcc8ed638a6e0 "Frame 0" 
   Flags                    : [00000096] FilteringInitiated NameProvider BackedByPagefile FiltersReadWrite
   DriverObject             : ffffcc8ed9687d00 

jonny-jhnson

typedef enum PRJ_NOTIFICATION
{
    PRJ_NOTIFICATION_FILE_OPENED                        = 0x00000002,
    PRJ_NOTIFICATION_NEW_FILE_CREATED                   = 0x00000004,
    PRJ_NOTIFICATION_FILE_OVERWRITTEN                   = 0x00000008,
    PRJ_NOTIFICATION_PRE_DELETE                         = 0x00000010,
    PRJ_NOTIFICATION_PRE_RENAME                         = 0x00000020,
    PRJ_NOTIFICATION_PRE_SET_HARDLINK                   = 0x00000040,
    PRJ_NOTIFICATION_FILE_RENAMED                       = 0x00000080,
    PRJ_NOTIFICATION_HARDLINK_CREATED                   = 0x00000100,

jonny-jhnson

// Create Remote Trace Session
logman -s Wakanda-Wrkstn create trace -n KernelAPICallTrace -p Microsoft-Windows-Kernel-Audit-API-Calls 0xFFFFFFFFFFFFFFFF 0xFF -o C:\KernelAPICallTrace.etl -ets

logman -s Wakanda-Wrkstn create trace -n "Service\KernelAPICallTrace" -p Microsoft-Windows-Kernel-Audit-API-Calls 0xFFFFFFFFFFFFFFFF 0xFF -o C:\KernelAPICallTrace.etl -ets

logman -s Wakanda-Wrkstn create trace -n "Autosession\KernelAPICallTrace" -p Microsoft-Windows-Kernel-Audit-API-Calls 0xFFFFFFFFFFFFFFFF 0xFF -o C:\KernelAPICallTrace.etl -ets

// Query Remote Trace Sessions
logman -s Wakanda-Wrkstn query -ets

jonny-jhnson

+0x000 Pcb              : _KPROCESS
   +0x438 ProcessLock      : _EX_PUSH_LOCK
   +0x440 UniqueProcessId  : Ptr64 Void
   +0x448 ActiveProcessLinks : _LIST_ENTRY
   +0x458 RundownProtect   : _EX_RUNDOWN_REF
   +0x460 Flags2           : Uint4B
   +0x460 JobNotReallyActive : Pos 0, 1 Bit
   +0x460 AccountingFolded : Pos 1, 1 Bit
   +0x460 NewProcessReported : Pos 2, 1 Bit
   +0x460 ExitProcessReported : Pos 3, 1 Bit