Detecting Ransomware Using Windows Minifilters to Intercept File Change Events


A security researcher has released a new proof-of-concept (PoC) tool on GitHub designed to stop ransomware at the deepest level of the operating system.

Part of a broader Endpoint Detection and Response (EDR) strategy named “Sanctum,” the project demonstrates how defenders can use Windows Minifilters to detect and intercept malicious file encryption before it destroys user data.

Detecting Ransomware

The core of the project relies on a Windows component called a “filter driver.” In simple terms, a filter driver sits in a stack between the applications you run (user mode) and the kernel-mode drivers that ultimately touch the disk.

The researcher known as 0xflux describes this position as a “chokepoint” because all file activity (creating, writing, or renaming files) must pass through it.

This gives the driver perfect visibility and leverage to stop bad actors.

While the researcher originally intended to use the Rust programming language, the driver was ultimately written in C because the necessary bindings for filter drivers in Rust do not yet exist.

The Sanctum driver works by registering “callbacks,” routines that the filter manager invokes whenever specific file-system events occur.

The project focuses on two key signals to detect ransomware behavior:

  1. IRP_MJ_CREATE: This event fires when a process tries to open a file. The driver monitors this to spot processes attempting to gain “write” or “delete” access to many files rapidly, a common precursor to encryption.
  2. IRP_MJ_SET_INFORMATION: This is the primary detection mechanism for this PoC. It triggers when a file’s metadata changes, such as a file rename.

Ransomware often renames files after encrypting them, adding a “spooky” extension to signal the victim has been compromised.

In this demonstration, the driver watches specifically for the extension .HLJkNskOq, which is associated with a variant of the notorious LockBit ransomware.

Technical Implementation

When the driver detects a rename event, it uses the FltGetFileNameInformation API to parse the full file name.

It then compares the new extension against a list of known ransomware signatures.

If a match is found, the driver doesn’t just block the action; it also identifies the attacker.
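The rename check described above, as an added example that is not code from the Sanctum project: it mirrors the UNICODE_STRING that FltGetFileNameInformation returns (byte length, no NUL terminator), inspects only the final path component, and compares the new extension against a small signature list. The struct name, the `.placeholder-ext` entry, and the case-insensitive comparison are this example's assumptions; a real driver would call the classifier from its IRP_MJ_SET_INFORMATION callback.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirror of the kernel UNICODE_STRING that FltGetFileNameInformation hands back:
 * Length is in BYTES and the buffer is not NUL-terminated, so every loop below
 * is bounded by Length, never by a terminator. */
typedef struct {
    uint16_t Length;        /* bytes in use */
    uint16_t MaximumLength; /* bytes allocated */
    uint16_t *Buffer;       /* UTF-16 code units */
} UnicodeString;

/* Signature list: ".HLJkNskOq" is the LockBit extension named in the article;
 * the second entry is a constructed placeholder showing how the list grows. */
static const char *const kRansomExtensions[] = { ".HLJkNskOq", ".placeholder-ext" };
#define NUM_SIGS (sizeof(kRansomExtensions) / sizeof(kRansomExtensions[0]))
static uint16_t ascii_lower(uint16_t c) { return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 32) : c; }

/* Classify the target name of a rename: index of the matching signature, or -1.
 * Only the final path component is examined, so a directory called
 * "x.HLJkNskOq" does not trigger. ASCII case-insensitive matching is this
 * example's choice (NTFS name matching is case-insensitive by default). */
int classify_rename_target(const UnicodeString *name) {
    size_t n = name->Length / sizeof(uint16_t), dot = n;
    for (size_t i = n; i-- > 0;) {            /* walk back to the last '.' before any '\' */
        if (name->Buffer[i] == '\\') break;
        if (name->Buffer[i] == '.') { dot = i; break; }
    }
    if (dot == n) return -1;                  /* final component has no extension */
    size_t ext_len = n - dot;
    for (size_t s = 0; s < NUM_SIGS; s++) {
        const char *sig = kRansomExtensions[s];
        if (strlen(sig) != ext_len) continue;
        size_t k = 0;
        while (k < ext_len && ascii_lower(name->Buffer[dot + k]) == ascii_lower((uint8_t)sig[k])) k++;
        if (k == ext_len) return (int)s;
    }
    return -1;
}

/* Test helper: build a UnicodeString from an ASCII path. 'hidden' trailing characters stay
 * in the buffer but outside Length, modelling stale bytes a driver must never read. */
int classify_path(const char *ascii, size_t hidden) {
    uint16_t buf[260];
    size_t len = strlen(ascii) > 260 ? 260 : strlen(ascii);
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)ascii[i];
    UnicodeString u = { (uint16_t)((len - (hidden < len ? hidden : len)) * 2), 520, buf };
    return classify_rename_target(&u);
}
```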

Detecting the Files – Source: fluxsec

By using helper functions like IoThreadToProcess, the driver can immediately retrieve the Process ID (PID) and the name of the program responsible for the change.

This provides high-fidelity alerts to security teams, telling them exactly which program is trying to lock their files.

Currently, the project acts as a telemetry tool, logging these dangerous events. However, the researcher outlines future plans to expand the system.

The next iteration could analyze file “entropy” (randomness) to detect encryption in real time and even freeze the threads of the malicious process, stopping the attack instantly.

This project highlights how moving defenses into the kernel can provide a speed and visibility advantage that traditional antivirus software often lacks.
