File System Filter MiniDriver


I have a Program.exe that I need to intercept. That specific program uses CreateFile & ReadFile; however, I need to intercept the ReadFile function.

I thought about writing my own File System Filter MiniDriver. I found this link by Googling: http://msdn.microsoft.com/en-us/library/ff551862(v=vs.85). It seems that is the correct way to do this. However, the last time I did any driver development, I remember that >= Vista did not allow drivers to be installed easily. You needed to acquire "Signed" privilege from Microsoft (you had to pay).

My question is: can I create a simple File System Filter Driver for my USB stick and intercept any reads from ReadFile()? All I want to do is to allow ReadFile by a specific process.

1) I need this legally 2) I need to avoid unsigned drivers, so the driver would always work.

Will one minifilter driver work for every OS starting from XP?!

2

There are 2 answers

0
Evgenii Gostiukhin On

The prohibition on loading unsigned drivers exists only on x64 versions of Windows >= Vista. On x64 versions you can 1) Switch to test mode to turn off this restriction 2) Add a test certificate as root to certificate storage

But if you want to distribute this driver you must buy a certificate.
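The two test-mode steps from the answer above, written out as an added example that is not part of the original answer. The driver path and certificate subject are hypothetical, and it assumes an elevated PowerShell prompt on a dedicated x64 test machine (Windows 10 or later) with `signtool.exe` from the Windows SDK/WDK on the PATH:

```powershell
# Added example: test-sign a driver and enable test-signing mode on a dev machine.
# Test-signing mode relaxes kernel code-signing enforcement for the whole machine,
# so use a dedicated test box and revert afterwards with: bcdedit /set testsigning off
$driver  = 'C:\drivers\UsbReadFilter.sys'       # hypothetical driver path
$name    = 'UsbReadFilter Test Signing'         # hypothetical certificate name
$cerFile = Join-Path $env:TEMP 'UsbReadFilterTest.cer'

# 1. Create a self-signed code-signing certificate in the current user's store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
            -Subject "CN=$name" -CertStoreLocation Cert:\CurrentUser\My

# 2. Export the public certificate and add it as a trusted root and trusted
#    publisher on this machine only (the private key stays in CurrentUser\My).
Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 3. Sign the driver binary with that certificate.
& signtool.exe sign /v /fd SHA256 /s My /n $name $driver
if ($LASTEXITCODE -ne 0) { throw 'signtool failed; the driver was not signed' }

# 4. Switch the boot configuration to test-signing mode (takes effect after reboot).
#    bcdedit refuses this change while Secure Boot is enabled.
& bcdedit.exe /set testsigning on
if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; check whether Secure Boot is enabled' }

# 5. Verify: the signature should chain to the test root, and the boot entry
#    should list testsigning once it has been set.
Get-AuthenticodeSignature -FilePath $driver | Format-List Status, SignerCertificate
& bcdedit.exe /enum '{current}' | Select-String -Pattern 'testsigning'
```

A driver signed this way loads only on machines where test-signing mode has been enabled, which is why the answer notes that distribution needs a purchased certificate.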

0
Rohan On

Yes, a minifilter is the preferred way for this. You can intercept system calls/IRPs and allow or deny any of them depending upon your criteria. Also, the same driver code can be used for multiple OSes; however, you need to build for the specific OS. WDK 7 can be used to build drivers from XP to Windows 7.

Also, as izlesa suggested, you need to sign for x64 Windows higher than Vista.