A clever proof-of-concept (PoC) tool that combats ransomware at the core of Windows has been made public on GitHub by a security researcher. The project, known as "Sanctum," is a component of a broader Endpoint Detection and Response (EDR) plan.

It demonstrates how defenders can use the hooks that Windows minifilters provide to identify and stop file encryption attempts before data is permanently lost. Fundamentally, Sanctum relies on a Windows mechanism called a "filter driver." Think of it as a security checkpoint positioned between your hard drive (managed by kernel-mode drivers) and your applications (running in user mode). Researcher 0xflux refers to this location as a "chokepoint."

Every file operation (creation, writing, renaming) must pass through it, giving the driver complete visibility to identify threats early.

Because there were no Rust bindings for Windows filter drivers, the driver, initially intended to be written in Rust for safety, ended up in C. It operates by registering "callbacks," notifications that are triggered by significant file events. Sanctum focuses on two. IRP_MJ_CREATE fires when a process opens a file; the driver watches for requests to write to or delete a large number of files quickly, a warning sign of ransomware getting ready to encrypt.

IRP_MJ_SET_INFORMATION is the star detector. It becomes active when file metadata changes, such as a rename. Ransomware loves to append extensions such as .HLJkNskOq (linked to LockBit) after locking files. Whenever a suspicious rename occurs, the driver retrieves the complete filename by calling FltGetFileNameInformation.

It compares this against a list of known malicious extensions. A match?

Beyond blocking, it identifies the offender. Using IoThreadToProcess, it retrieves the Process ID (PID) and program name, producing accurate warnings such as: "PID 1234 from suspicious.exe is attempting to rename your documents!" Sanctum currently logs these events as telemetry to help security teams react quickly.
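As an added illustration (not code from the Sanctum repository), the following user-mode C program reproduces the decision the rename callback makes: take the name a rename would produce, isolate its final extension, compare it case-insensitively against a list of ransomware markers, and format the same style of PID/image alert. The extension list beyond .HLJkNskOq and the sample paths are constructed, and the kernel calls (FltGetFileNameInformation, IoThreadToProcess) are stood in for by plain string and integer arguments.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample list of extensions treated as ransomware markers.
 * ".HLJkNskOq" is the LockBit-linked suffix named in the article;
 * ".locked" and ".crypt" are placeholders standing in for a real list. */
static const char *const kBadExtensions[] = { ".HLJkNskOq", ".locked", ".crypt" };
#define NUM_BAD (sizeof kBadExtensions / sizeof kBadExtensions[0])

/* Case-insensitive string equality, since NTFS names are case-insensitive. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Final extension of the rename target (including the dot), or NULL.
 * Only the last path component is examined, so "C:\dir.v2\report" has none. */
const char *final_extension(const char *path) {
    const char *base = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') base = p + 1;
    const char *dot = strrchr(base, '.');
    if (dot == NULL || dot == base || dot[1] == '\0') return NULL;
    return dot;
}

/* Index into kBadExtensions if the target carries a known marker, else -1.
 * Mirrors the check the IRP_MJ_SET_INFORMATION callback performs on the name
 * returned by FltGetFileNameInformation (here: the target string itself). */
int match_bad_extension(const char *target_path) {
    const char *ext = final_extension(target_path);
    if (ext == NULL) return -1;
    for (size_t i = 0; i < NUM_BAD; i++)
        if (ieq(ext, kBadExtensions[i])) return (int)i;
    return -1;
}

/* Build the telemetry line for a suspicious rename. pid and image stand in for
 * what IoThreadToProcess would yield in the driver. Returns 1 and fills buf when
 * the rename should be flagged, 0 when it is benign. */
int rename_event(unsigned long pid, const char *image, const char *target,
                 char *buf, size_t n) {
    int idx = match_bad_extension(target);
    if (idx < 0) return 0;
    snprintf(buf, n, "PID %lu from %s is attempting to rename your documents! (%s)",
             pid, image, kBadExtensions[idx]);
    return 1;
}
```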

Future iterations from 0xflux, however, will use file "entropy," a measure of randomness, to detect encryption in real time. Malicious threads could even be frozen, stopping attacks immediately. By operating at machine speed with full file visibility, this kernel-level method outperforms conventional antivirus software. As ransomware develops, tools such as Sanctum demonstrate that custom kernel defenses can surpass user-space scanners.

For code and demos, ideal for red-teamers or blue-team builders pushing the boundaries of EDR, check out the GitHub repository and fluxsec.red.