Tags: security, winapi, driver, honeypot

Win32API/Win drivers: How to detect if file is accessed


I would like to create something like "file honeypot" on Windows OS.

The problem I would like to solve is this: I need to detect that a file is accessed (malware wants to read the file to send it over the internet) so I can react to it. But I do not know exactly how to tackle this.

  1. I can periodically test the file. I do not like this solution; I would like something event-driven without needing to bother the processor every few ms. But it could work if the file is large enough that it cannot be read between checks.

  2. I could exclusively open the file myself and somehow detect if the file is accessed. But I have no idea how to do this.

Any idea about how to resolve this issue effectively? Maybe creating a specialized driver could help, but I have little experience with this.

Thanks


Solution

  • Tracking (and possibly preventing) filesystem access on Windows is accomplished using filesystem filter drivers. But you must be aware that kernel-mode code (rootkits etc.) can bypass the filter driver stack and send the request directly to the filesystem. In that case only the filesystem driver itself can log or intercept the access.
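As an added example that is not part of the question or the answer above: an event-driven, user-mode alternative to writing a filter driver is to put an audit ACE (SACL) on the honeypot file and subscribe to Security event 4663, which Windows writes when an audited access right (here ReadData) is exercised on the file. It must run as Administrator; the file path and the reaction in the handler are placeholders.

```powershell
# Added example (not from the original post): detect reads of a honeypot file
# via Windows object-access auditing instead of a filesystem filter driver.
# Assumes an elevated PowerShell session; $Honeypot is a placeholder path.
$Honeypot = 'C:\Users\Public\Documents\passwords.xlsx'
if (-not (Test-Path $Honeypot)) { Set-Content -Path $Honeypot -Value 'decoy' }

# 1. Make sure the "File System" object-access subcategory logs successes.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add a SACL entry: audit every successful ReadData by any principal.
$acl  = Get-Acl -Path $Honeypot -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Honeypot -AclObject $acl

# 3. Subscribe to 4663 in the Security log and react when ObjectName matches.
$xpath = '*[System[(EventID=4663)]]'
$query = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
    'Security', [System.Diagnostics.Eventing.Reader.PathType]::LogName, $xpath)
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)

Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
    -SourceIdentifier HoneypotRead -MessageData $Honeypot -Action {
    $rec  = $Event.SourceEventArgs.EventRecord
    $xml  = [xml]$rec.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.ObjectName -ieq $Event.MessageData) {
        # Placeholder reaction: record who touched the decoy and from which process.
        $msg = '{0} honeypot read by {1}\{2} from {3} (PID {4})' -f `
            $rec.TimeCreated, $data.SubjectDomainName, $data.SubjectUserName,
            $data.ProcessName, [Convert]::ToInt32($data.ProcessId, 16)
        Write-Host $msg
        Add-Content -Path "$env:ProgramData\honeypot-hits.log" -Value $msg
    }
} | Out-Null

$watcher.Enabled = $true   # start receiving events; Unregister-Event HoneypotRead to stop
```

Like the filter driver stack, this only records accesses that go through normal handle-based I/O, so the caveat about kernel-mode code in the answer applies here as well.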