SymlinkProtect

File system minifilter driver for Windows written in C++ to block symbolic link attacks. It monitors user-mode applications and blocks malicious attempts to set a reparse point on a directory creating a mount point to some suspicious targets like \RPC Control. See here for more information about the inner workings of the driver.

Usage

Download the latest release or compile the driver.
Right-click on the SymlinkProtect.inf file and click on Install.
Open an elevated command prompt and enable test signing:
bcdedit /set testsigning on
After reboot, open an elevated command prompt again.
Load the driver with fltmc.exe with the load option:
fltmc load symlinkprotect
Unload the driver with fltmc.exe with the unload option:
fltmc unload symlinkprotect

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
.gitignore		.gitignore
FileNameInformation.cpp		FileNameInformation.cpp
FileNameInformation.h		FileNameInformation.h
LICENSE		LICENSE
README.md		README.md
SymlinkProtect.cpp		SymlinkProtect.cpp
SymlinkProtect.inf		SymlinkProtect.inf
SymlinkProtect.png		SymlinkProtect.png
SymlinkProtect.rc		SymlinkProtect.rc
SymlinkProtect.sln		SymlinkProtect.sln
SymlinkProtect.vcxproj		SymlinkProtect.vcxproj
SymlinkProtect.vcxproj.filters		SymlinkProtect.vcxproj.filters

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

SymlinkProtect

Usage

Demo

About

Releases 1

Languages

License

sgabe/SymlinkProtect

Folders and files

Latest commit

History

Repository files navigation

SymlinkProtect

Usage

Demo

About

Topics

Resources

License

Stars

Watchers

Forks

Releases 1

Languages