The EaseFilter Process Filter Driver SDK is a kernel-mode filter driver development kit. The filter driver runs as part of the Windows executive, above the file system. By intercepting a request before it reaches its intended target, the filter driver can extend or replace the functionality provided by the original target of the request. The EaseFilter Process Filter Driver can monitor and control Windows process activity.
The EaseFilter Process Filter Driver SDK gives you an easy way to develop a Windows security application that monitors Windows process activity. You can be notified when a new process is created or an existing process terminates. It enables your application to prevent untrusted executable binaries (malware) from being launched and to protect your data from being damaged by untrusted processes.
Bundled with the file access control filter driver, the Process Filter Driver allows you to monitor or control file access based on the process name or process ID. You can set access rights for specific processes, allowing or blocking their file access. This lets you prevent your sensitive files from being accessed by unauthorized processes.
It is very simple to use the EaseFilter Process Filter Driver SDK. There is C# and C++ demo source code to demonstrate how to use the SDK. To monitor or control the Windows process activities, you need to create a filter rule first as below:
Here is the screenshot of the C# process demo application.
Here is the code snippet of the C# process demo application.
using System;
using EaseFilter.FilterControl;
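namespace FileMonitorConsole
{
    /// <summary>
    /// Console sample that starts the EaseFilter monitor filter, registers one file
    /// filter rule for a watch path and prints the file events it receives.
    /// </summary>
    class Program
    {
        // Single filter-control instance shared by Main for the lifetime of the process.
        static FilterControl filterControl = new FilterControl();

        /// <summary>
        /// Starts the filter service, installs the monitor rule and waits until the
        /// user enters 'q' (or standard input is closed), then stops the filter.
        /// </summary>
        /// <param name="args">Optional: args[0] overrides the default watch path.</param>
        static void Main(string[] args)
        {
            string lastError = string.Empty;

            // Placeholder from the sample. NOTE(review): a real license key is a secret;
            // load it from protected configuration instead of committing it to source.
            string licenseKey = "**************************";

            FilterAPI.FilterType filterType = FilterAPI.FilterType.MONITOR_FILTER;
            int serviceThreads = 5;
            int connectionTimeOut = 10; //seconds

            // Tracks whether StartFilter succeeded so that every exit path below
            // (early return or exception) stops the filter it started.
            bool filterStarted = false;

            try
            {
                if (!filterControl.StartFilter(filterType, serviceThreads, connectionTimeOut, licenseKey, ref lastError))
                {
                    Console.WriteLine("Start Filter Service failed with error:" + lastError);
                    return;
                }

                filterStarted = true;

                // The watch path may contain wildcards and acts as the file path filter mask,
                // e.g. '*.txt' monitors only text files.
                string watchPath = "c:\\test\\*";
                if (args.Length > 0)
                {
                    watchPath = args[0];
                }

                // Create a file monitor filter rule; every filter rule must have a unique watch path.
                FileFilter fileMonitorFilter = new FileFilter(watchPath);

                // Subscribe to all file change events and register the change callback.
                fileMonitorFilter.FileChangeEventFilter = FilterAPI.MonitorFileEvents.NotifyAll;
                fileMonitorFilter.NotifyFileWasChanged += NotifyFileChanged;

                // Subscribe to the open and read I/O events and register their callbacks.
                fileMonitorFilter.MonitorFileIOEventFilter = (ulong)(MonitorFileIOEvents.OnFileOpen | MonitorFileIOEvents.OnFileRead);
                fileMonitorFilter.OnFileOpen += OnFileOpen;
                fileMonitorFilter.OnFileRead += OnFileRead;

                filterControl.AddFilter(fileMonitorFilter);

                if (!filterControl.SendConfigSettingsToFilter(ref lastError))
                {
                    Console.WriteLine("SendConfigSettingsToFilter failed." + lastError);
                    return;
                }

                Console.WriteLine("Start filter service succeeded.");

                // Wait for the user to quit the program.
                Console.WriteLine("Press 'q' to quit the sample.");
                int key;
                while ((key = Console.Read()) != 'q')
                {
                    // Console.Read returns -1 once standard input is closed or redirected
                    // input is exhausted; without this check the loop would spin forever.
                    if (key == -1)
                    {
                        break;
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("Start filter service failed with error:" + ex.Message);
            }
            finally
            {
                // Stop the filter on every path after a successful start, so a failed
                // configuration push or an exception does not leave it running.
                if (filterStarted)
                {
                    filterControl.StopFilter();
                }
            }
        }

        /// <summary>
        /// Fires when a monitored file was changed; prints the event to the console.
        /// </summary>
        /// <remarks>
        /// NOTE(review): FileName comes from the monitored file system, so it is chosen
        /// by whichever process created the file. If this output is forwarded to a log
        /// store, encode or strip control characters before writing it.
        /// </remarks>
        static void NotifyFileChanged(object sender, FileChangeEventArgs e)
        {
            Console.WriteLine("NotifyFileChanged:" + e.FileName + ",eventType:" + e.eventType.ToString()
                + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }

        /// <summary>
        /// Fires after a monitored file was opened (the handle is not closed yet);
        /// prints the file name, I/O status, user name and process name.
        /// </summary>
        static void OnFileOpen(object sender, FileCreateEventArgs e)
        {
            Console.WriteLine("FileOpen:" + e.FileName + ",status:" + e.IOStatusToString()
                + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }

        /// <summary>
        /// Fires after a read I/O on a monitored file returned; prints the file name,
        /// offset, returned read length, user name and process name.
        /// </summary>
        static void OnFileRead(object sender, FileReadEventArgs e)
        {
            Console.WriteLine("FileRead:" + e.FileName + ",offset:" + e.offset + ",readLength:"
                + e.returnReadLength + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }
    }
}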