File Access Control Filter Driver SDK


Develop File Access Control or File Protector Application with Control Filter Driver SDK

EaseFilter file system filter driver is a kernel-mode component that runs as part of the Windows executive above the file system. The EaseFilter file system filter driver can intercept requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its intended target, the filter driver can extend or replace functionality provided by the original target of the request. The EaseFilter file system filter driver can log, observe, modify, or even prevent the I/O operations for one or more file systems or file system volumes.


File Access Control and File Protection

The EaseFilter file protector can prevent your sensitive files from being accessed by unauthorized users. With the EaseFilter file protector you can control file I/O activity at the file system level and capture file open, create, overwrite, read, write, query file information, set file information, query security information, set security information, file rename, file delete, directory browsing and file close I/O requests.

The EaseFilter file protector provides a comprehensive security solution for transparent file-level encryption. It allows files to be encrypted or decrypted transparently on the fly. Every file is encrypted with a unique encryption IV key, and only authorized users or processes can access the encrypted files.

Setup File Protection Policies with Different File Filter Rules

To monitor or control file I/O, you need to set up file filter rules. In each filter rule you must set the file filter mask, which is the unique index of the rule. You can also set which processes or users the rule applies to, filter the file I/O by the file open options, and register file change events or specific file I/Os.

Filter rule setting

  • Set up the file filter mask of the filter rule: you can create the file filter mask with wildcard characters, e.g., c:\test\*.txt, in which case the control driver only manages the text files in folder c:\test.
  • Set up the exclude file filter mask: you can exclude files from the file filter rule, e.g., with *.exe all the .exe files are excluded from the filter rule.
  • Set up the include process name: the control driver will only manage the I/Os from the included processes.
  • Set up the exclude process name: the control driver will exclude the I/Os from the excluded processes.
  • Set up the include user name: the control driver will only manage the I/Os from the included users.
  • Set up the exclude user name: the control driver will exclude the I/Os from the excluded users.
  • Set up the file open filter options: you can control I/O only for files that were opened with the specific DesiredAccess, Disposition or CreateOptions values, when these are not 0.
  • Register the file changed events: you get a notification when files are changed. The file changed events are sent only when the file handle is closed.
  • Register the specific file I/O events: you get a notification when a specific file I/O you registered is triggered. The file I/O events are sent right after the registered I/Os complete, while the file handle is still open.

File Access Control Flag Settings of the File Filter Rule

To control file access, you can configure the access control flag in the filter rule, or you can register the pre-I/O events and allow or deny the file access in the pre-I/O notification event. By configuring the access flag of the filter rule, you can prevent your files from being read, written, deleted, renamed or changed by unauthorized processes or users.


Set the access flag to control the file access in the file filter rule

With the access flag of the filter rule, each bit of the access flag integer allows or blocks a specific I/O, as listed below.

  • ALLOW_ENCRYPT_NEW_FILE: Allow newly created files to be encrypted if the encryption filter rule is enabled.
  • ALLOW_READ_ENCRYPTED_FILES: Allow encrypted files to be read; otherwise the raw encrypted data is returned.
  • DISABLE_ENCRYPT_DATA_ON_READ: When this flag is false and the encryption filter rule is enabled, the file is encrypted on the fly: unencrypted data is encrypted on read.
  • ENABLE_HIDE_FILES_IN_DIRECTORY_BROWSING: Hide the files from the folder directory list if the hide file mask was added.
  • ENABLE_REPARSE_FILE_OPEN: Reparse the file open to the new file name if the reparse file mask was added.
  • ALLOW_FILE_ACCESS_FROM_NETWORK: Allow the file to be accessed via an SMB share.
  • ALLOW_COPY_PROTECTED_FILES_OUT: Allow the file to be copied out of the protected folder.
  • ALLOW_COPY_PROTECTED_FILES_TO_USB: Allow the file to be copied out to the USB drive.
  • ALLOW_OPEN_WTIH_ACCESS_SYSTEM_SECURITY: Allow the file open to access the file's security information.
  • ALLOW_OPEN_WITH_READ_ACCESS: Allow the file to be opened for read access.
  • ALLOW_OPEN_WITH_WRITE_ACCESS: Allow the file to be opened for write access.
  • ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS: Allow a new file to be created or a file to be opened with overwrite access.
  • ALLOW_OPEN_WITH_DELETE_ACCESS: Allow the file to be opened for delete.
  • ALLOW_READ_ACCESS: Allow the file data to be read.
  • ALLOW_WRITE_ACCESS: Allow the file to be written.
  • ALLOW_QUERY_INFORMATION_ACCESS: Allow the file information to be queried.
  • ALLOW_SET_INFORMATION: Allow the file information to be changed: change file attribute, change file size, rename file name, delete file.
  • ALLOW_FILE_RENAME: Allow the file to be renamed.
  • ALLOW_FILE_DELETE: Allow the file to be deleted.
  • ALLOW_FILE_SIZE_CHANGE: Allow the file size to be changed.
  • ALLOW_QUERY_SECURITY_ACCESS: Allow the file security information to be queried.
  • ALLOW_SET_SECURITY_ACCESS: Allow the file security information to be changed.
  • ALLOW_DIRECTORY_LIST_ACCESS: Allow the directory files to be browsed.


Set the access rights to the specific processes or users in the file filter rule

With the access rights setting, you can add or remove access rights for specific processes or users in the file filter rule. So you can authorize users or processes to access your protected files, and you can also prevent your protected files from being accessed by unauthorized users or processes.

Register the file I/O events to control the file access in the file filter rule

By registering specific I/O events, you can fully control the I/O. Your callback functions are invoked for every registered I/O, and you can allow, modify or block the I/O based on the I/O information.

  • OnPreFileCreate: Fires this event before the file create IO was going down to the file system.
  • OnPostFileCreate: Fires this event after the file create IO was returned from the file system.
  • OnPreFileRead: Fires this event before the file read IO was going down to the file system.
  • OnPostFileRead: Fires this event after the file read IO was returned from the file system.
  • OnPreFileWrite: Fires this event before the file write IO was going down to the file system.
  • OnPostFileWrite: Fires this event after the file write IO was returned from the file system.
  • OnPreQueryFileSize: Fires this event before the query file size IO was going down to the file system.
  • OnPostQueryFileSize: Fires this event after the query file size IO was returned from the file system.
  • OnPreQueryFileBasicInfo: Fires this event before the query file basic info IO was going down to the file system.
  • OnPostQueryFileBasicInfo: Fires this event after the query file basic info IO was returned from the file system.
  • OnPreQueryFileStandardInfo: Fires this event before the query file standard info IO was going down to the file system.
  • OnPostQueryFileStandardInfo: Fires this event after the query file standard info IO was returned from the file system.
  • OnPreQueryFileNetworkInfo: Fires this event before the query file network info IO was going down to the file system.
  • OnPostQueryFileNetworkInfo: Fires this event after the query file network info IO was returned from the file system.
  • OnPreQueryFileId: Fires this event before the query file Id IO was going down to the file system.
  • OnPostQueryFileId: Fires this event after the query file Id IO was returned from the file system.
  • OnPreQueryFileInfo: Fires this event before the query file info IO was going down to the file system.
  • OnPostQueryFileInfo: Fires this event after the query file info IO was returned from the file system.
  • OnPreSetFileSize: Fires this event before the set file size IO was going down to the file system.
  • OnPostSetFileSize: Fires this event after the set file size IO was returned from the file system.
  • OnPreSetFileBasicInfo: Fires this event before the set file basic info IO was going down to the file system.
  • OnPostSetFileBasicInfo: Fires this event after the set file basic info IO was returned from the file system.
  • OnPreSetFileStandardInfo: Fires this event before the set file standard info IO was going down to the file system.
  • OnPostSetFileStandardInfo: Fires this event after the set file standard info IO was returned from the file system.
  • OnPreSetFileNetworkInfo: Fires this event before the set file network info was going down to the file system.
  • OnPostSetFileNetworkInfo: Fires this event after the set file network info was returned from the file system.
  • OnPreMoveOrRenameFile: Fires this event before the file move or rename IO was going down to the file system.
  • OnPostMoveOrRenameFile: Fires this event after the file move or rename IO was returned from the file system.
  • OnPreDeleteFile: Fires this event before the file delete IO was going down to the file system.
  • OnPostDeleteFile: Fires this event after the file delete IO was returned from the file system.
  • OnPreSetFileInfo: Fires this event before the set file info IO was going down to the file system.
  • OnPostSetFileInfo: Fires this event after the set file info IO was returned from the file system.
  • OnPreQueryDirectoryFile: Fires this event before the query directory file info was going down to the file system.
  • OnPostQueryDirectoryFile: Fires this event after the query directory file info was returned from the file system.
  • OnPreQueryFileSecurity: Fires this event before the query file security IO was going down to the file system.
  • OnPostQueryFileSecurity: Fires this event after the query file security IO was returned from the file system.
  • OnPreSetFileSecurity: Fires this event before the set file security IO was going down to the file system.
  • OnPostSetFileSecurity: Fires this event after the set file security IO was returned from the file system.
  • OnPreFileHandleClose: Fires this event before the file handle close IO was going down to the file system.
  • OnPostFileHandleClose: Fires this event after the file handle close IO was returned from the file system.
  • OnPreFileClose: Fires this event before the file close IO was going down to the file system.
  • OnPostFileClose: Fires this event after the file close IO was returned from the file system.


The File Protector Console

In the file protector console, you can see the denied I/O information or the callback control I/O notification information as below:


  • User name: the user who accessed the file.
  • Process name and process Id: the process which accessed the file and initiated this I/O request.
  • ThreadId: the thread which accessed the file and initiated this I/O request.
  • I/O Event name: for the file change event, you will know if the file was created, written, renamed, deleted or file information was changed. For file I/O event, you will know the specific I/O names: file open, file create, file read, file write, query or set file information, query or set file security, file close.
  • FileObject: similar to the file handle concept; for every file open, the system I/O manager generates a unique file object that lasts until the file handle is closed.
  • File name: the file name which was associated to this I/O request.
  • File size: the file size of the file which was accessed.
  • File attributes: the file attributes of the file which was accessed.
  • Last write time: the last write time of the file which was accessed.
  • File Create Options: you will know how the file was opened with different options.
  • File I/O data: the read/write data, or query/set file information data.
  • I/O status: the returned I/O status; it shows whether the I/O returned with a success, warning or error code.

A C# File Protector Example

The following example creates a filter rule to protect the directory specified at run time. The filter rule is set to protect the files in the folder against being renamed, deleted or written. The component registers the create and delete I/O callback events for the directory. If a file is opened or deleted, the event is triggered, and you can allow or block the I/O in the event.

 
  
using System;
using EaseFilter.FilterControl;

namespace FileProtectorConsole
{
    class Program
    {
        static FilterControl filterControl = new FilterControl();

        static void Main(string[] args)
        {
            string lastError = string.Empty;
            string licenseKey = "Email us to request a trial key: info@easefilter.com";

            FilterAPI.FilterType filterType = FilterAPI.FilterType.MONITOR_FILTER|FilterAPI.FilterType.CONTROL_FILTER
                |FilterAPI.FilterType.PROCESS_FILTER|FilterAPI.FilterType.REGISTRY_FILTER|FilterAPI.FilterType.ENCRYPTION_FILTER;

            int serviceThreads = 5;
            int connectionTimeOut = 10; //seconds

            try
            {
                //copy the right Dlls to the current folder.
                Utils.CopyOSPlatformDependentFiles(ref lastError);

                if (!filterControl.StartFilter(filterType, serviceThreads, connectionTimeOut, licenseKey, ref lastError))
                {
                    Console.WriteLine("Start Filter Service failed with error:" + lastError);
                    return;
                }

                //the watch path is the file path filter mask and can use wildcards, e.g. '*.txt' only monitors text files.
                string watchPath = "c:\\test\\*";

                if (args.Length > 0)
                {
                    watchPath = args[0];
                }

                //create a file protector filter rule, every filter rule must have the unique watch path. 
                FileFilter fileProtectorFilter = new FileFilter(watchPath);

                //configure the access right for the protected folder

                //prevent the file from being deleted.
                fileProtectorFilter.EnableDeleteFile = false;

                //prevent the file from being renamed.
                fileProtectorFilter.EnableRenameOrMoveFile = false;

                //prevent the file from being written.
                fileProtectorFilter.EnableWriteToFile = false;

                //authorize process with full access right
                fileProtectorFilter.ProcessNameAccessRightList.Add("notepad.exe", FilterAPI.ALLOW_MAX_RIGHT_ACCESS);

                //you can enable/disable more access rights by setting the properties of the fileProtectorFilter.

                //Filter the callback file IO events, here get callback before the file was opened/created, and file was deleted.
                fileProtectorFilter.ControlFileIOEventFilter = (ulong)(ControlFileIOEvents.OnPreFileCreate | ControlFileIOEvents.OnPreDeleteFile);

                fileProtectorFilter.OnPreCreateFile += OnPreCreateFile;
                fileProtectorFilter.OnPreDeleteFile += OnPreDeleteFile;

                filterControl.AddFilter(fileProtectorFilter);

                if (!filterControl.SendConfigSettingsToFilter(ref lastError))
                {
                    Console.WriteLine("SendConfigSettingsToFilter failed." + lastError);
                    return;
                }

                Console.WriteLine("Start filter service succeeded.");

                // Wait for the user to quit the program.
                Console.WriteLine("Press 'q' to quit the sample.");
                while (Console.Read() != 'q') ;

                filterControl.StopFilter();

            }
            catch (Exception ex)
            {
                Console.WriteLine("Start filter service failed with error:" + ex.Message);
            }

        }

        /// <summary>
        /// Fires this event before the file was opened.
        /// </summary>
        static void OnPreCreateFile(object sender, FileCreateEventArgs e)
        {
            Console.WriteLine("OnPreCreateFile:" + e.FileName + ",userName:" + e.UserName + ",processName:" + e.ProcessName);

            //you can block the file open here by returning below status.
            e.ReturnStatus = NtStatus.Status.AccessDenied;

        }

        /// <summary>
        /// Fires this event before the file was deleted.
        /// </summary>
        static void OnPreDeleteFile(object sender, FileIOEventArgs e)
        {
            Console.WriteLine("OnPreDeleteFile:" + e.FileName  + ",userName:" + e.UserName + ",processName:" + e.ProcessName);

            //you can block the file being deleted here by returning below status.
            e.ReturnStatus = NtStatus.Status.AccessDenied;
        }
    }
}
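
The two callbacks in the sample above set AccessDenied for every open and delete. The following is an added example (not EaseFilter's code) of a fail-closed decision function those callbacks could call, deciding per request from the event's user and process. The class name ProtectorPolicy, the allowlists and the sample events are hypothetical, and it assumes e.ProcessName carries the full image path.

```csharp
using System;
using System.Collections.Generic;

// Added example, not EaseFilter code. Allowlists and sample events are constructed.
static class ProtectorPolicy
{
    // Full image paths, so a renamed or relocated "notepad.exe" does not match.
    static readonly HashSet<string> TrustedImages =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            @"C:\Windows\System32\notepad.exe",
            @"C:\Program Files\Backup\backup.exe"   // hypothetical backup tool
        };

    // Users allowed to open protected files, and the smaller set allowed to delete them.
    static readonly HashSet<string> OpenUsers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CORP\alice", @"CORP\backup-svc" };
    static readonly HashSet<string> DeleteUsers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CORP\backup-svc" };

    // Fail closed: a missing field, unknown process image or unknown user is denied.
    public static bool IsAllowed(string userName, string processName, bool isDelete)
    {
        if (string.IsNullOrWhiteSpace(userName) || string.IsNullOrWhiteSpace(processName))
            return false;
        if (!TrustedImages.Contains(processName.Trim()))
            return false;
        return (isDelete ? DeleteUsers : OpenUsers).Contains(userName.Trim());
    }

    // Wiring into the sample's handlers
    // (assumption: leaving e.ReturnStatus unset lets the I/O proceed):
    //   if (!ProtectorPolicy.IsAllowed(e.UserName, e.ProcessName, false))
    //       e.ReturnStatus = NtStatus.Status.AccessDenied;

    static void Main()
    {
        // Constructed events: (user, process image, is this a delete?)
        var samples = new[]
        {
            (User: @"CORP\alice", Process: @"C:\Windows\System32\notepad.exe", IsDelete: false),
            (User: @"CORP\alice", Process: @"C:\Windows\System32\notepad.exe", IsDelete: true),
            (User: @"CORP\alice", Process: @"C:\Users\alice\Downloads\notepad.exe", IsDelete: false),
            (User: @"CORP\alice", Process: "notepad.exe", IsDelete: false),
            (User: @"CORP\backup-svc", Process: @"C:\Program Files\Backup\backup.exe", IsDelete: true),
        };
        foreach (var s in samples)
            Console.WriteLine($"{(s.IsDelete ? "delete" : "open"),-6} {s.User,-16} {s.Process} -> " +
                (IsAllowed(s.User, s.Process, s.IsDelete) ? "allow" : "deny"));
    }
}
```

If the driver reports only a bare process name, the full-path comparison denies every request, which is the safe failure; relaxing it to name-only matching would trust any binary that carries an allowlisted name.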

About EaseFilter

EaseFilter is a company that specializes in Windows file system filter driver development. It can architect, implement and test file system filter drivers for a wide range of functionality. It also offers several levels of assistance to meet your specific needs: consulting on your existing file system filter driver; customizing the SDK to meet your requirements; and creating your own filter driver with the SDK source code.

For more information please go to the website: www.easefilter.com

You can download the demo binary and example projects zip file here