Windows process monitoring and protection SDK 

Download EaseFilter Process Filter Driver SDK Setup File
Download EaseFilter Process Filter Driver SDK Zip File

Process Filter Driver SDK

Easefilter process filter driver is a kernel-mode driver that filters process/thread creation and termination, it provides you an easy way to develop Windows application for the Windows process monitoring and protection.

What can you do with process filter driver SDK?

  1. Monitor the process or thread handle operations: Get a notification for process handle operations, when a handle for a process is being created or duplicated.
  2. Monitor the process or thread creation or termination: Get the callback notification for the process/thread creation or termination, from the new process information you can get the parent process Id and thread Id of the new created process, you also can get the exact file name that is used to open the executable file and the command line that is used to execute the process if it is available.
  3. Data protection: it enables your application to prevent the untrusted executable binaries ( malwares) from being launched, protect your data being damaged by the untrusted processes.
  4. Process protection: Prevent your important processes from being killed by unauthorizes users.

An C# example to demo how to moinitor and protect the Windows process

Process Filter Screenshot

1. Flexible filter rule configuration

Filter the process by process Id or wildcard process name, i.e. filter process name c:\test\*, it meant it will filter all processes which were launched from the folder c:\test.

Process Filter Rule Setting

2. Block the specific processes creation with the control setting "DENY_NEW_PROCESS_CREATION".

3. Get notification of the process or thread creation and termination. Monitor the process and thread the handle operations.

if you want to get the notification of the new process creation, enable the flag "PROCESS_CREATION_NOTIFICATION", if you want to get the notification of the process termination, enable the flag "PROCESS_TERMINATION_NOTIFICATION", if you want to get the notification of the process handle was created or duplicated, enable the flag "PROCESS_HANDLE_OP_NOTIFICATION", if you want to get the notification of the new thread creation, enable the flag "THREAD_CREATION_NOTIFICATION", if you want to get the notification of the thread termination, enable the flag "THREAD_TERMINIATION_NOTIFICATION", if you want to get the notification of the thread handle was created or duplicated, enable the flag "THREAD_HANDLE_OP_NOTIFICATION".

Process Filter Rule Setting

4. Control the specific process file access privileges.

Setup the specific file access rights to different file folders for the process. By default, set the least access rights for all files to the process, then if you want to allow the process to access some specific folders, add these folders with specific rights to the process as the below image, allow the process with read access to the folder c:\windows, allow full rights access to the folder c:\mysandbox.

file access rights

 

ABOUT US

We specialize in file system filter driver development. We architect, implement and test file system filter drivers for a wide range of functionalities. We can offer several levels of assistance to meet your specific needs.

QUICK LINKS

CONTACT US

COPYRIGHT EASEFILTER, ALL RIGHT RESERVED.