NoMoreStealers: New Open-Source Tool Protects Windows Data via Kernel MiniFilter
A new open-source project named NoMoreStealers has just debuted on GitHub. Presented as a proof-of-concept defense for Windows systems against data-stealing malware, it is authored by a developer using the pseudonym EvilBytecode.
The solution centers on a kernel MiniFilter driver that intercepts file-creation operations and enforces access restrictions on selected directories according to the requesting process’s trust level. Though still a prototype, the tool already implements core protections to prevent unauthorized reads of users’ sensitive data.
The project comprises two parts: a kernel component and a user-mode application with a GUI built on the Wails framework. The driver registers with the Filter Manager and monitors filesystem calls; processes not present in a whitelist are denied access to protected paths such as browser profiles, cryptocurrency wallet stores, and messenger data.
Process trust is determined either by an embedded list of allowed executables or via PsIsProtectedProcessLight() where supported by modern Windows builds. Notifications are relayed through shared memory; at present, there is no full messaging subsystem, and events are surfaced only via the debugging interface.
The graphical front end displays events in real time and provides auxiliary features — for example, screen-capture protection using translucent overlays and minimizing to the system tray. However, the current implementation only covers file creation; it does not react to file modifications or deletions. The trust model is also brittle: it can be circumvented by merely spoofing an executable’s filename. Configuration values are hardcoded, requiring a rebuild to change, and there is no parent-process analysis or signature verification yet.
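As an added illustration, not code from the NoMoreStealers repository, here is the access decision described above written as portable C so it can be compiled and tested in user mode rather than as a driver; the protected directories, the whitelist entries and the user name alice are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
/* Constructed sample of protected directories; the real driver sees NT
 * device paths, plain drive letters are used here for readability. */
static const char *PROTECTED_DIRS[] = {
    "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\",
    "C:\\Users\\alice\\AppData\\Roaming\\Exodus\\",
    "C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\",
};

/* Constructed whitelist of executable base names allowed to touch them. */
static const char *TRUSTED_IMAGES[] = { "chrome.exe", "Exodus.exe", "Telegram.exe" };
/* Case-insensitive prefix test, since Windows paths are case-insensitive. */
static bool has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (*s == '\0' || tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

static bool equals_ci(const char *a, const char *b) {
    return strlen(a) == strlen(b) && has_prefix_ci(a, b);
}

/* Does the create target live under one of the guarded directories? */
bool is_protected_path(const char *target) {
    for (size_t i = 0; i < sizeof PROTECTED_DIRS / sizeof *PROTECTED_DIRS; i++)
        if (has_prefix_ci(target, PROTECTED_DIRS[i])) return true;
    return false;
}

/* Name-only trust check, mirroring the prototype's embedded list. Only the
 * base name is compared, so a renamed binary in any directory passes; that
 * is the weakness the article notes and why signature checks are planned. */
bool is_trusted_image(const char *image_path) {
    const char *p = strrchr(image_path, '\\');
    const char *base = p ? p + 1 : image_path;
    for (size_t i = 0; i < sizeof TRUSTED_IMAGES / sizeof *TRUSTED_IMAGES; i++)
        if (equals_ci(base, TRUSTED_IMAGES[i])) return true;
    return false;
}

/* Verdict for one file-create request: the pre-create callback would return
 * STATUS_ACCESS_DENIED when this is true and pass everything else through. */
bool should_deny_create(const char *image_path, const char *target) {
    return is_protected_path(target) && !is_trusted_image(image_path);
}
```

The same check, extended with a parent-process or signature test, is where the planned hardening would hook in.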
To build and test NoMoreStealers you need Windows 10 or 11, administrative privileges, and Visual Studio with the Windows Driver Kit. Installation involves enabling test-signing mode, compiling the driver, editing registry entries, and manually loading the driver via the command line. The author stresses that this is a research project — unsuitable for production — intended for education, experimentation, and community contribution.
Planned enhancements include extending the set of monitored operations, enabling dynamically configurable protected directories, improving the notification system, adding digital-signature checks, and implementing countermeasures against malware tampering. The project is released under the MIT license, and the creator welcomes collaboration and further development.