A security researcher has introduced an innovative proof-of-concept (PoC) tool on GitHub, designed to combat ransomware directly within the Windows operating system. This tool, named Sanctum, is a significant addition to a broader Endpoint Detection and Response (EDR) strategy, showcasing how defenders can leverage Windows Minifilters—specialized software hooks—to detect and thwart file encryption attempts before critical data is irretrievably lost.
How Sanctum Works
At its essence, Sanctum utilizes a Windows feature known as a “filter driver.” This can be likened to a security checkpoint positioned between applications operating in user mode and the disk, which is managed by kernel-mode drivers. The researcher, known as 0xflux, refers to this strategic location as a “chokepoint.”
Every file operation—whether it involves creating, writing, or renaming files—must traverse this chokepoint, granting the driver comprehensive visibility to identify potential threats at an early stage.
Initially conceived in Rust for enhanced safety, the driver ultimately transitioned to C due to the absence of Rust bindings for Windows filters. The functionality hinges on the establishment of “callbacks,” which serve as alerts triggered by significant file events.
Sanctum focuses on two primary callbacks:
- IRP_MJ_CREATE: This callback activates when a process opens a file. The driver monitors for rapid requests to write or delete multiple files, a telltale sign of ransomware preparing to initiate encryption.
- IRP_MJ_SET_INFORMATION: This is the key detector, triggered by changes in file metadata, such as renaming. Ransomware often appends extensions like .HLJkNskOq (associated with LockBit) after encrypting files.
Upon detecting a suspicious rename, the driver employs FltGetFileNameInformation to retrieve the complete filename and cross-references it against a database of known malicious extensions.
If a match is found, the tool not only blocks the action but also identifies the source of the threat. Utilizing IoThreadToProcess, it extracts the Process ID (PID) and program name, providing precise alerts such as: “PID 1234 from suspicious.exe is attempting to rename your documents!”
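As an added example of the extension check that runs inside the IRP_MJ_SET_INFORMATION callback (this is not Sanctum's code; the kernel plumbing such as FltRegisterFilter, the callback itself, FltGetFileNameInformation and IoThreadToProcess is not shown), the portable C below does the one thing a practitioner has to get right in that callback: it matches the rename target's extension against a blocklist while treating the filename as a counted, un-terminated UTF-16 buffer, which is how the kernel hands names over. The blocklist entries other than the article's .HLJkNskOq, the helper names and the sample paths are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed blocklist (lower-case, no dot): "hljknskoq" is the LockBit extension named in the article; the rest are made-up samples. */
static const char *const kBlockedExtensions[] = { "hljknskoq", "encrypted", "locked", NULL };
/* Return the blocklist entry matching the rename target's extension, or NULL to allow. `name` is a counted
 * UTF-16 buffer of `length_bytes` bytes with NO terminator (how UNICODE_STRING and FILE_RENAME_INFORMATION
 * deliver names to an IRP_MJ_SET_INFORMATION callback); reading past length_bytes would be a kernel bug. */
const char *match_blocked_extension(const uint16_t *name, size_t length_bytes)
{
    size_t n = length_bytes / sizeof(uint16_t), start = 0, dot = n;
    for (size_t i = 0; i < n; i++)              /* skip to the final path component */
        if (name[i] == '\\' || name[i] == '/') start = i + 1;
    for (size_t i = start; i < n; i++)          /* last '.' in that component */
        if (name[i] == '.') dot = i;
    if (dot == n || dot + 1 == n) return NULL;  /* no extension, or a trailing '.' */
    size_t ext_len = n - (dot + 1);
    for (const char *const *p = kBlockedExtensions; *p; p++) {
        if (strlen(*p) != ext_len) continue;
        bool eq = true;
        for (size_t i = 0; i < ext_len && eq; i++) {
            uint16_t c = name[dot + 1 + i];
            if (c >= 'A' && c <= 'Z') c += 'a' - 'A';  /* ASCII fold: NTFS names are case-insensitive */
            eq = (c == (uint16_t)(unsigned char)(*p)[i]);
        }
        if (eq) return *p;
    }
    return NULL;
}
/* Demo helper: encode an ASCII path as UTF-16 with no terminator; returns the byte length. */
size_t ascii_to_utf16(const char *s, uint16_t *out, size_t cap)
{
    size_t n = strlen(s);
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++) out[i] = (uint16_t)(unsigned char)s[i];
    return n * sizeof(uint16_t);
}
int main(void)
{   /* constructed sample rename targets in NT and Win32 path forms */
    const char *samples[] = { "\\Device\\HarddiskVolume3\\Users\\alice\\report.docx.HLJkNskOq",
                              "\\??\\C:\\Users\\alice\\notes.txt", "C:\\data\\archive.tar.locked" };
    uint16_t buf[260];
    for (size_t i = 0; i < 3; i++) {
        const char *hit = match_blocked_extension(buf, ascii_to_utf16(samples[i], buf, 260));
        printf("%-62s -> %s\n", samples[i], hit ? hit : "allow");
    }
    return 0;
}
```

In the real callback the verdict would feed a FLT_PREOP_COMPLETE with an access-denied status to block the rename, and the PID lookup described above would supply the alert details.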
Currently, Sanctum logs these events as a telemetry tool, enabling security teams to respond swiftly. However, 0xflux envisions ambitious enhancements for future iterations, including the ability to assess file “entropy”—a measure of randomness—to detect encryption in real-time. There are even plans to freeze malicious threads, potentially halting attacks instantaneously.
This kernel-level approach goes beyond traditional antivirus solutions because it inspects every file operation at machine speed, with a view of file activity that no user-space scanner has. As ransomware tactics continue to evolve, tools like Sanctum demonstrate that customized kernel defenses can effectively outpace conventional user-space scanners.
For those interested, the GitHub repository and fluxsec.red provide access to code and demonstrations, making it an invaluable resource for red-teamers and blue-team builders eager to push the boundaries of EDR capabilities.