SymlinkCallback
A driver that hooks the C: volume using a symbolic link callback to track all file system access to the volume.
Write-ups: https://windows-internals.com/dkom-now-with-symbolic-links/, https://windows-internals.com/symhooks-part-two/, https://windows-internals.com/symhooks-part-three/, https://windows-internals.com/symhooks-part-four/
This driver uses the option to set a dynamic target for a symbolic link and hooks the symlink of the C: volume.
It modifies the symlink object and replaces the LinkTarget string with a callback function which will be called whenever the symlink is accessed.
Then, it creates a device object and redirects the symlink target to the device object, adding a "\Foo" suffix in order to avoid direct volume open attempts (which cannot be reparsed). This allows it to intercept all file open operations on the C: volume through its IRP_MJ_CREATE handler. This handler then reparses the name back to the original C: volume target device object, removing the "\Foo" suffix that was added.
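The name round trip described above, as a user-mode model in C. This is an added example, not the driver's own code: the device names are constructed placeholders, the two functions are hypothetical, and only the "\Foo" suffix comes from the README.

```c
#include <stdio.h>
#include <string.h>

#define ORIGINAL_TARGET "\\Device\\HarddiskVolume3" /* constructed sample */
#define HOOK_DEVICE     "\\Device\\HookDevice"      /* hypothetical name */
#define SUFFIX          "\\Foo"                     /* suffix named in the README */

/* Model of name resolution: the object manager appends the rest of the path
 * to the link target, then hands the part after the device name to that
 * device's IRP_MJ_CREATE handler as the file name. */
static int name_seen_by_hook(const char *rest, char *out, size_t n) {
    char full[512];
    size_t dev = strlen(HOOK_DEVICE);
    if (snprintf(full, sizeof full, "%s%s%s", HOOK_DEVICE, SUFFIX, rest) >= (int)sizeof full)
        return -1;
    if (strlen(full + dev) >= n) return -1;
    strcpy(out, full + dev);
    return 0;
}

/* Model of the create handler: strip the suffix and rebuild the name on the
 * original volume device. Returns 0 when the name should be reparsed, -1 when
 * the open did not arrive through the hooked symlink. */
static int reparse_name(const char *file_name, char *out, size_t n) {
    size_t s = strlen(SUFFIX);
    if (strncmp(file_name, SUFFIX, s) != 0) return -1;
    /* "\Foobar" is a different name, not the suffix plus a path. */
    if (file_name[s] != '\0' && file_name[s] != '\\') return -1;
    if (snprintf(out, n, "%s%s", ORIGINAL_TARGET, file_name + s) >= (int)n) return -1;
    return 0;
}

int main(void) {
    /* Constructed inputs: a file open and a direct volume open (empty rest). */
    const char *opens[] = { "\\Windows\\notepad.exe", "" };
    char seen[512], fin[512];
    for (size_t i = 0; i < 2; i++) {
        if (name_seen_by_hook(opens[i], seen, sizeof seen) == 0 &&
            reparse_name(seen, fin, sizeof fin) == 0)
            printf("C:%s -> hook sees \"%s\" -> reparsed to %s\n", opens[i], seen, fin);
    }
    return 0;
}
```

With the suffix in place, even a direct volume open reaches the handler with a non-empty file name ("\Foo"), and the reparsed name is identical to what the unhooked symlink would have resolved to.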
Created by @aionescu (https://github.com/ionescu007/) and @yarden_shafir
