EaseFilter Windows File System Filter Driver Framework

Download EaseFilter Filter Driver SDK Setup File
Download EaseFilter Filter Driver SDK Zip File

Windows File System Filter Driver

A file system filter driver intercepts requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its intended target, the filter driver can extend or replace functionality provided by the original target of the request. File system filtering services are available through the filter manager in Windows. The Filter Manager provides a framework for developing File Systems and File System Filter Drivers without having to manage all the complexities of file I/O. The Filter Manager simplifies the development of third-party filter drivers and solves many of the problems with the existing legacy filter driver model, such as the ability to control load order through an assigned altitude. A filter driver developed to the Filter Manager model is called a minifilter. Every minifilter driver has an assigned altitude, which is a unique identifier that determines where the minifilter is loaded relative to other minifilters in the I/O stack. Altitudes are allocated and managed by Microsoft.

filter model

Even to an experienced developer, developing file system filter driver is certainly a challenge. To develop the filter driver, you can use the WDK, a software toolset from Microsoft that enables the development of device drivers for the Microsoft Windows platform. It includes documentation, samples, build environments, and tools for driver developers. To simplify your development and to provide you with a robust and well-tested file system filter driver that works with all versions and patch releases of the Windows operating systems supported by Microsoft, EaseFilter filter driver SDK will be your best choice, it provides a complete, modular environment for building active file system filters in your application.

Common Modules in EaseFilter Filter Driver SDK

One might think that writing a file system filter would be a much easier task, since there are lots of starter samples available on internet, but the truth is to write a professional commercial file system filters in the real world is very hard.Sometime writing a file system filter driver is harder than a file system. A  successful filter driver might have these common modules, this includes but is not limited to the following.

Managing Contexts

File system filter drivers can attach to, and filter I/O for, any file system volume. A file system filter driver attaches itself to one or more mounted volumes and filters all I/O operations on them. But how does it determine which volumes to attach itself to? It can be configured by the settings. An instance context can be created when the mini filter attachs to a volume, the filter manager enables minifilter drivers to associate contexts with objects to preserve state across I/O operations. Objects that can have contexts include volumes, instances, streams, and stream handles. Contexts are freed automatically when all outstanding references have been released. If the minifilter driver defines a context cleanup callback routine, the filter manager calls the routine before the context is freed.

User/Kernel Communication

Given that the majority of file system filter drivers communicate with user mode, Filter Manager provides a nice Communication Port package for bi-directional communication. User mode applications can easily send messages to the minifilter, and the minifilter can easily send messages to user mode (with or without a response). In the communication component, it is very convenient to send or receive message from filter driver to the user mode application.

Message Logging and Tracing

One of the challenges of working with software tracing is the volume of messages that is generated by even a simple and familiar provider. Trace message filters in TraceView help you to find and highlight critical messages and hide the others. A trace message filter is a set of rules that changes the appearance of trace messages in a Trace Message List. It applies to all trace messages in a trace session, log display, or trace session (or log) group. The filter does not change the underlying trace provider or trace log.

Filter Rule Policies

A filter rule is the policy for the filter driver, it tells the filter driver how to manage the I/O filtering. You can have the monitor filter rule which you can monitor the file I/O, if you register the specific I/O events, for example file creations, deletion, writing events, you will get the notification with the I/O information when the registered I/O was triggered;You can have the control filter rule which you can control the file access, prevent the file from being deleting, changing based on the process or the user; You can have the filter rule to hide the files based on the file name; You also can have the encryption filter rule to encrypt the file.

File I/O Monitoring

File monitor will get the I/O status after the I/O was returned from the file system. With the file monitor it enable you to track the file activities on file system level, capture file open, create, overwrite, read, write, query file information, set file information, query security information, set security information, file rename, file delete, directory browsing and file close I/O requests.You can create the file access log, you will know who, when, what files were accessed.

File Access Control

With file access control, you have the control of the IO before it goes down to the file system, in pre_create IO, you can block the file creation, file open, or reparse the file open to another file at this point, in pre_setinformation IO, you can block the file rename, or file deletion, or change the information data of the file which was passed from the user, in pre_write IO, you can replace your own write data with your own data to the disk, for example, the encryption filter driver need to change the write data before it was written to the disk. You also have the control of the IO after it was returned from the file system, for example encryption filter, in pos_read, you can decrypt the read data from disk and return back to the user.

File Encryption Engine

File encryption filter driver is very complicated, we used an isolation filter driver to implement this feature. The isolation filters separate (or “isolate”) the view of a file’s data from the actual underlying data stored by the file system. To implment the separating view of a file’s data form the actual underlying data, we need two types of file object, the first file object is the uper file object which is the open instance associated with the application. The other file object we called is the shadow file object, it is created by the Isolation Minifilter, and represents the Minifilter’s (and the underlying file system’s) view of the file. The isolation filter driver needs to handle all the IOs for the uper file object which was from the filter manager.

Process Filtering

Process filter driver enables you to get the callback notification for the process/thread creation or termination, from the new process information you can get the parent process Id and thread Id of the new created process, you also can get the exact file name that is used to open the executable file and the command line that is used to execute the process if it is available. It also enables you to prevent the untrusted executable binaries ( malwares) from being launched.

Registry Filtering

Registry filter driver enables you to protect Windows core registry keys and values and to prevent potentially damaging system configuration changes, besides operating system files. By registering a RegistryCallback routine in the registry filter driver, it can receive notifications of each registry operation before the configuration manager processes the operation.