Process Filter Driver SDK

Download EaseFilter Process Filter Driver SDK Setup File
Download EaseFilter Process Filter Driver SDK Zip File

What is the process filter driver

The Easefilter Process Filter Driver SDK is a kernel-mode filter driver development kit. It runs as part of the Windows executive above the file system. By intercepting the request before it reaches its intended target, the filter driver can extend or replace functionality provided by the original target of the request. The EaseFilter Process Filter Driver can monitor and control the Windows process activities.

Process monitoring and protection

The Easefilter Process Filter Driver SDK provides you an easy way to develop Windows security application to monitor the Windows process activities. You can get the notification of a new process creation or an existing process termination. It enables your application to prevent the untrusted executable binaries ( malwares) from being launched, protect your data being damaged by the untrusted processes.

File access monitoring and protection.

Bundle with the file access control filter driver, the Process Filter Driver allows you to monitor or control the file access based on the process name or process Id. It enables you to set the access right to the specific processes, allow or block the file access to the specific processes. It allows you to prevent your sensitive files from being accessed by the unauthorized processes.

A C# example to use the Process Filter Driver SDK

It is very simple to use the EaseFilter Process Filter Driver SDK. There is C# and C++ demo source code to demonstrate how to use the SDK. To monitor or control the Windows process activities, you need to create a filter rule first as below:

  1. Setup the process filter rule with process name filter mask or process Id.
  2. You can exclude processes by adding the excluded process name filter mask. It is optional.
  3. You can exclude the process who created by the specific users by adding the excluded user filter mask. It is optional.
  4. Setup the process access control flags. By setting the control flag, you can get the notification of the process creation or termination, deny the new process creation.

process filter rule

Here is the screenshot of the C# process demo application.

process screenshot

Here is the code snippet of the C# process demo application.

  		
using System;
using EaseFilter.FilterControl;

namespace FileMonitorConsole
{
    class Program
    {
        static FilterControl filterControl = new FilterControl();

        static void Main(string[] args)
        {
            string lastError = string.Empty;
            string licenseKey = "**************************";
                
            FilterAPI.FilterType filterType = FilterAPI.FilterType.MONITOR_FILTER;
            int serviceThreads = 5;
            int connectionTimeOut = 10; //seconds

            try
            {
                if (!filterControl.StartFilter(filterType, serviceThreads, connectionTimeOut, licenseKey, ref lastError))
                {
                    Console.WriteLine("Start Filter Service failed with error:" + lastError);
                    return;
                }

                //the watch path can use wildcard to be the file path filter mask.i.e. '*.txt' only monitor text file.
                string watchPath = "c:\\test\\*";

                if (args.Length > 0)
                {
                    watchPath = args[0];
                }

                //create a file monitor filter rule, every filter rule must have the unique watch path. 
                FileFilter fileMonitorFilter = new FileFilter(watchPath);

                //Filter the file change event to monitor all file change events.
                fileMonitorFilter.FileChangeEventFilter = FilterAPI.MonitorFileEvents.NotifyAll;

                //register the file change callback events.
                fileMonitorFilter.NotifyFileWasChanged += NotifyFileChanged;

                //Filter the monitor file IO events
                fileMonitorFilter.MonitorFileIOEventFilter = (ulong)(MonitorFileIOEvents.OnFileOpen | MonitorFileIOEvents.OnFileRead);

                fileMonitorFilter.OnFileOpen += OnFileOpen;
                fileMonitorFilter.OnFileRead += OnFileRead;

                filterControl.AddFilter(fileMonitorFilter);

                if (!filterControl.SendConfigSettingsToFilter(ref lastError))
                {
                    Console.WriteLine("SendConfigSettingsToFilter failed." + lastError);
                    return;
                }

                Console.WriteLine("Start filter service succeeded.");

                // Wait for the user to quit the program.
                Console.WriteLine("Press 'q' to quit the sample.");
                while (Console.Read() != 'q') ;

                filterControl.StopFilter();

            }
            catch (Exception ex)
            {
                Console.WriteLine("Start filter service failed with error:" + ex.Message);
            }

        }

        /// Fires this event when the file was changed.
        static void NotifyFileChanged(object sender, FileChangeEventArgs e)
        {
            Console.WriteLine("NotifyFileChanged:" + e.FileName + ",eventType:" + e.eventType.ToString() 
				+ ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }

        /// Fires this event after the file was opened, the handle is not closed. 
        static void OnFileOpen(object sender, FileCreateEventArgs e)
        {
            Console.WriteLine("FileOpen:" + e.FileName + ",status:" +  e.IOStatusToString() 
				+ ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }

        /// Fires this event after the read IO was returned.
        static void OnFileRead(object sender, FileReadEventArgs e)
        {
            Console.WriteLine("FileRead:" + e.FileName + ",offset:" + e.offset + ",readLength:" 
				+ e.returnReadLength + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }
    }
}