diff --git a/Identifying Antivirus Software by enumerating Minifilter String Names/IdentifyingAntivirusSoftwarebyenumeratingMinifilterStringNames.c b/Identifying Antivirus Software by enumerating Minifilter String Names/IdentifyingAntivirusSoftwarebyenumeratingMinifilterStringNames.c
new file mode 100644
index 0000000..8de107c
--- /dev/null
+++ b/Identifying Antivirus Software by enumerating Minifilter String Names/IdentifyingAntivirusSoftwarebyenumeratingMinifilterStringNames.c
@@ -0,0 +1,73 @@
+#include
+#include
+#include
+
+#pragma comment( lib, "fltlib" )
+
+DWORD Win32FromHResult(HRESULT Result)
+{
+ if ((Result & 0xFFFF0000) == MAKE_HRESULT(SEVERITY_ERROR, FACILITY_WIN32, 0))
+ return HRESULT_CODE(Result);
+
+ if (Result == S_OK)
+ return ERROR_SUCCESS;
+
+ return ERROR_CAN_NOT_COMPLETE;
+}
+int main(VOID)
+{
+ DWORD dwError = ERROR_SUCCESS, dwBufferSize = 0;
+ HRESULT Result;
+ HANDLE Filter = INVALID_HANDLE_VALUE, ProcessHeap = GetProcessHeap();
+ PFILTER_FULL_INFORMATION FilterInformation = NULL;
+
+ FilterInformation = (PFILTER_FULL_INFORMATION)HeapAlloc(ProcessHeap, HEAP_ZERO_MEMORY, MAX_PATH);
+ if (FilterInformation == NULL)
+ goto FAILURE;
+
+ Result = FilterFindFirst(FilterFullInformation, FilterInformation, MAX_PATH, &dwBufferSize, &Filter);
+ if (Result != S_OK || Filter == INVALID_HANDLE_VALUE)
+ {
+ SetLastError(Win32FromHResult(Result));
+ goto FAILURE;
+ }
+
+ _putws(FilterInformation->FilterNameBuffer);
+
+ for (;;)
+ {
+ ZeroMemory(FilterInformation, dwBufferSize);
+ Result = FilterFindNext(Filter, FilterFullInformation, FilterInformation, MAX_PATH, &dwBufferSize);
+ if (Result != S_OK || Filter == INVALID_HANDLE_VALUE)
+ {
+ if (Win32FromHResult(Result) == ERROR_NO_MORE_ITEMS)
+ break;
+
+ SetLastError(Win32FromHResult(Result));
+ goto FAILURE;
+ }
+
+ _putws(FilterInformation->FilterNameBuffer);
+ }
+
+
+ if (Filter)
+ FilterFindClose(Filter);
+
+ if (FilterInformation)
+ HeapFree(ProcessHeap, HEAP_ZERO_MEMORY, FilterInformation);
+
+ return ERROR_SUCCESS;
+
+FAILURE:
+
+ dwError = GetLastError();
+
+ if (Filter)
+ FilterFindClose(Filter);
+
+ if (FilterInformation)
+ HeapFree(ProcessHeap, HEAP_ZERO_MEMORY, FilterInformation);
+
+ return dwError;
+}
\ No newline at end of file
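Review bot: The information buffer is allocated and passed as `MAX_PATH` (260) bytes at the HeapAlloc call and at both the FilterFindFirst and FilterFindNext calls, but that constant is a path-length limit, not an information-buffer size; a filter whose FILTER_FULL_INFORMATION entry does not fit makes the call fail with HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER) and the required size in `dwBufferSize`, and both `Result != S_OK` branches treat that as fatal, so enumeration aborts (and on the first call an AV filter is never listed) instead of growing the buffer and retrying. The name is printed with `_putws(FilterInformation->FilterNameBuffer)`, which relies on the zeroed tail of the buffer for termination; `FilterNameBuffer` is length-counted by `FilterNameLength` and, as far as I can tell from the API contract, not guaranteed to be NUL-terminated, so an entry that fills the buffer exactly reads past it — `wprintf(L"%.*s\n", (int)(FilterInformation->FilterNameLength / sizeof(WCHAR)), FilterInformation->FilterNameBuffer);` is the bounded form. Two smaller points: `if (Filter) FilterFindClose(Filter);` passes `INVALID_HANDLE_VALUE` (non-zero) to FilterFindClose on the HeapAlloc-failure path, so the guard should be `if (Filter != INVALID_HANDLE_VALUE)`, and `HEAP_ZERO_MEMORY` is not a HeapFree flag (pass `0`). The include targets appear stripped in this rendering, so I cannot tell whether `fltuser.h` is actually pulled in. A sketch of the insufficient-buffer retry for the first call follows; the FilterFindNext call inside the loop needs the same treatment and should pass the tracked capacity rather than `MAX_PATH`.
```c
	DWORD dwCapacity = MAX_PATH;
	/* … unchanged: HeapAlloc of dwCapacity bytes and NULL check … */
	Result = FilterFindFirst(FilterFullInformation, FilterInformation, dwCapacity, &dwBufferSize, &Filter);
	if (Win32FromHResult(Result) == ERROR_INSUFFICIENT_BUFFER)
	{
		/* dwBufferSize now holds the size the filter manager needs: grow and retry once. */
		PFILTER_FULL_INFORMATION Grown = (PFILTER_FULL_INFORMATION)HeapReAlloc(ProcessHeap, HEAP_ZERO_MEMORY, FilterInformation, dwBufferSize);
		if (Grown == NULL)
			goto FAILURE;
		FilterInformation = Grown;
		dwCapacity = dwBufferSize;
		Result = FilterFindFirst(FilterFullInformation, FilterInformation, dwCapacity, &dwBufferSize, &Filter);
	}
	if (Result != S_OK || Filter == INVALID_HANDLE_VALUE)
	/* … unchanged: error path, bounded print, FilterFindNext loop (same retry, dwCapacity instead of MAX_PATH) … */
```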
diff --git a/Identifying Antivirus Software by enumerating Minifilter String Names/IdentifyingAntivirusSoftwarebyenumeratingMinifilterStringNames.pdf b/Identifying Antivirus Software by enumerating Minifilter String Names/IdentifyingAntivirusSoftwarebyenumeratingMinifilterStringNames.pdf
new file mode 100644
index 0000000..b7618d8
Binary files /dev/null and b/Identifying Antivirus Software by enumerating Minifilter String Names/IdentifyingAntivirusSoftwarebyenumeratingMinifilterStringNames.pdf differ