Download EaseFilter Filter Driver SDK Setup File Download EaseFilter Filter Driver SDK Zip File
InstallDriver() UnInstallDriver()
SetRegistrationKey(WCHAR* RegisterKey); RegisterMessageCallback(ULONG ThreadCount,Proto_Message_Callback MessageCallback,Proto_Disconnect_Callback DisconnectCallback );
Typedef enum FilterType
{
FILE_SYSTEM_CONTROL = 1,
FILE_SYSTEM_ENCRYPTION = 2,
FILE_SYSTEM_MONITOR = 4,
FILE_SYSTEM_REGISTRY = 8,
FILE_SYSTEM_PROCESS = 16,
};
SetFilterType(ULONG FilterType);
SetConnectionTimeout(ULONG TimeOutInSeconds);
To know which file we want to filter, we need to set the filter rule with the file name filter mask, the FilterMask sets the target folder or files,it can include wild character ‘*’or ‘?’. For example: c:\test\*txt, the filter only monitors I/Os of the files end with ‘txt’ in the folder c:\test. To control the file I/O for the control filter driver, we can set the access flag for the filter rule, the access flags can be the combination of the bits as following enumeration.
typedef enum AccessFlag
{
EXCLUDE_FILTER_RULE = 0X00000000,
EXCLUDE_FILE_ACCESS = 0x00000001,
REPARSE_FILE_OPEN = 0x00000002,
HIDE_FILES_IN_DIRECTORY_BROWSING = 0x00000004,
FILE_ENCRYPTION_RULE = 0x00000008,
ALLOW_OPEN_WTIH_ACCESS_SYSTEM_SECURITY = 0x00000010,
ALLOW_OPEN_WITH_READ_ACCESS = 0x00000020,
ALLOW_OPEN_WITH_WRITE_ACCESS = 0x00000040,
ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS = 0x00000080,
ALLOW_OPEN_WITH_DELETE_ACCESS = 0x00000100,
ALLOW_READ_ACCESS = 0x00000200,
ALLOW_WRITE_ACCESS = 0x00000400,
ALLOW_QUERY_INFORMATION_ACCESS = 0x00000800,
ALLOW_SET_INFORMATION = 0x00001000,
ALLOW_FILE_RENAME = 0x00002000,
ALLOW_FILE_DELETE = 0x00004000,
ALLOW_FILE_SIZE_CHANGE = 0x00008000,
ALLOW_QUERY_SECURITY_ACCESS = 0x00010000,
ALLOW_SET_SECURITY_ACCESS = 0x00020000,
ALLOW_DIRECTORY_LIST_ACCESS = 0x00040000,
ALLOW_FILE_ACCESS_FROM_NETWORK = 0x00080000,
ALLOW_NEW_FILE_ENCRYPTION = 0x00100000,
ALLOW_READ_ENCRYPTED_FILES = 0x00200000,
ALLOW_ALL_SAVE_AS = 0x00400000,
ALLOW_COPY_PROTECTED_FILES_OUT = 0x00800000,
ALLOW_FILE_MEMORY_MAPPED = 0x01000000,
LEAST_ACCESS_FLAG = 0xf0000000,
ALLOW_MAX_RIGHT_ACCESS = 0xfffffff0,
};
AddFileFilterRule(ULONG AccessFlag,WCHAR* FilterMask, ULONG FilterId)
AddExcludeFileMaskToFilterRule(WCHAR* FilterMask,WCHAR* ExcludeFileFilterMask);
//Example:
//Manage the file I/Os for files in folder c:\test, but exclude all the .txt files:
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddExcludeFileMaskToFilterRule(L"c:\\test\\*",L"*.txt");
AddIncludeProcessNameToFilterRule(WCHAR* FilterMask,WCHAR* IncludeProcessNameFilterMask);
//Example:
//Manage the file I/Os for files in folder c:\test only for process "notepad.exe":
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddIncludeProcessNameToFilterRule(L"c:\\test\\*",L"notepad.exe");
AddExcludeProcessNameToFilterRule(WCHAR* FilterMask,WCHAR* ExcludeProcessNameFilterMask);
//Example:
//Manage the file I/Os for files in folder c:\test except for process "notepad.exe":
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddExcludeProcessNameToFilterRule(L"c:\\test\\*",L"notepad.exe");
AddIncludeUserNameToFilterRule(WCHAR* FilterMask,WCHAR* IncludeUserNameFilterMask);
//Example:
//Manage the file I/Os for files in folder c:\test only for user "TestDoman\\TestUser":
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddIncludeUserNameToFilterRule(L"c:\\test\\*",L"TestDoman\\TestUser");
AddExcludeUserNameToFilterRule(WCHAR* FilterMask,WCHAR* ExcludeUserNameFilterMask);
//Example:
//Manage the file I/Os for files in folder c:\test except for user "TestDoman\\TestUser":
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddExcludeUserNameToFilterRule(L"c:\\test\\*",L"TestDoman\\TestUser");
typedef enum FileEventType
{
FILE_WAS_CREATED = 0x00000020,
FILE_WAS_WRITTEN = 0x00000040,
FILE_WAS_RENAMED = 0x00000080,
FILE_WAS_DELETED = 0x00000100,
FILE_SECURITY_CHANGED = 0x00000200,
FILE_INFO_CHANGED = 0x00000400,
FILE_WAS_READ = 0x00000800,
};
RegisterEventTypeToFilterRule(WCHAR* FilterMask, ULONG EventType );
//Example:
//Track the file change events ( written, renamed, deleted ) for files in folder c:\test:
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
RegisterEventTypeToFilterRule(L"c:\\test\\*",FILE_WAS_WRITTEN|FILE_WAS_RENAMED|FILE_WAS_DELETED);
typedef enum MessageType
{
POST_CREATE = 0x00000002,
POST_FASTIO_READ = 0x00000008,
POST_CACHE_READ = 0x00000020,
POST_NOCACHE_READ = 0x00000080,
POST_PAGING_IO_READ = 0x00000200,
POST_FASTIO_WRITE = 0x00000800,
POST_CACHE_WRITE = 0x00002000,
POST_NOCACHE_WRITE = 0x00008000,
POST_PAGING_IO_WRITE = 0x00020000,
POST_QUERY_INFORMATION = 0x00080000,
POST_SET_INFORMATION = 0x00200000,
POST_DIRECTORY = 0x00800000,
POST_QUERY_SECURITY = 0x02000000,
POST_SET_SECURITY = 0x08000000,
POST_CLEANUP = 0x20000000,
POST_CLOSE = 0x80000000,
};
RegisterMonitorToFilterRule(WCHAR* FilterMask,ULONG RegisterIO);
//Example:
//Get the notification when the file was opened/read for files in folder c:\test:
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
RegisterMonitorToFilterRule(L"c:\\test\\*",POST_CREATE|POST_FASTIO_READ|POST_CACHE_READ|POST_NOCACHE_READ|POST_PAGING_IO_READ);
//Example:
//Block the new file creation in folder c:\test:
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS&(~ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS), L"c:\\test\\*", 1);
//Example:
//Prevent the files in folder c:\test from being copied out.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS&(~ALLOW_COPY_PROTECTED_FILES_OUT), L"c:\\test\\*", 1);
//Example:
//Prevent the file from being modified, renamed or deleted in folder c:\test:
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE), L"c:\\test\\*", 1);
//Example:
//Hide the files in folder c:\test for process "explorer.exe"
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS|HIDE_FILES_IN_DIRECTORY_BROWSING, L"c:\\test\\*", 1);
AddIncludeProcessNameToFilterRule(L"c:\\test\\*",L"explorer.exe");
AddHiddenFileMaskToFilterRule(L"c:\\test\\*",L"*.*");
//Example:
//Reparse the file open in folder c:\test to another folder c:\reparseFolder"
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS|REPARSE_FILE_OPEN, L"c:\\test\\*", 1);
AddReparseFileMaskToFilterRule(L"c:\\test\\*",L"c:\\reparseFolder\\*");
//Example:
//Register the PRE_CREATE, PRE_SETINFORMATION I/O for folder c:\test, you can allow or deny the file opern, creation, deletion, rename in the callback routine.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
RegisterControlToFilterRule(L"c:\\test\\*",PRE_CREATE|PRE_SET_INFORMATION);
//Example:
//Set the full access rights to the process "notepad.exe", set the readonly access rights to the process "explorer.exe", remove all the access rights to other processes.
AddFileFilterRule(LEAST_ACCESS_FLAG, L"c:\\test\\*", 1);
AddProcessRightsToFilterRule(L"c:\\test\\*",L"notepad.exe",ALLOW_MAX_RIGHT_ACCESS);
AddProcessRightsToFilterRule(L"c:\\test\\*",L"explorer.exe",ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS|ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION));
//Example:
//Transparent encrypt or decrypt files in folder c:\test automatically with AES 256bits key.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS|FILE_ENCRYPTION_RULE, L"c:\\test\\*", 1);
//256 bit,32bytes encrytpion key
unsigned char key[] = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};
AddEncryptionKeyToFilterRule(L"c:\\test\\*",sizeof(key),key);
//Example:
//Transparent encrypt files in folder c:\test automatically with AES 256bits key, only authorized process "notepad.exe" can read the encrypted file,
//so when you copy the encrypted file in Windows explorer, the encrypted files will be copied out instead of the decrypted files.
AddFileFilterRule((ALLOW_MAX_RIGHT_ACCESS|FILE_ENCRYPTION_RULE)&(~ALLOW_READ_ENCRYPTED_FILES), L"c:\\test\\*", 1);
//256 bit,32bytes encrytpion key
unsigned char key[] = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};
AddEncryptionKeyToFilterRule(L"c:\\test\\*",sizeof(key),key);
AddProcessRightsToFilterRule(L"c:\\test\\*",L"notepad.exe",ALLOW_MAX_RIGHT_ACCESS);
//Example:
//Get the notification when any new process or thread creation or termination.
AddProceeFilterEntry(2, L"*", PROCESS_CREATION_NOTIFICATION|PROCESS_TERMINATION_NOTIFICATION|THREAD_CREATION_NOTIFICATION|THREAD_TERMINATION_NOTIFICATION);
//Example:
//Block the processes running from the folder c:\untrustFiles.
AddProceeFilterEntry(wcslen(L"c:\\untrustFiles\\*")*2, L"c:\\untrustFiles\\*", DENY_NEW_PROCESS_CREATION);
//Example:
//Set readonly access to the folder c:\windows for the process "notepad.exe", set the full access rights to the folder c:\test for the process "notepad.exe".
AddFileAccessRightsToProcessName(wcslen(L"notepad.exe")*2, L"notepad.exe", wcslen(L"c:\\windows\\*")*2,L"c:\\windows\\*"
,ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS|ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION),0,0 );
AddFileAccessRightsToProcessName(wcslen(L"notepad.exe")*2, L"notepad.exe", wcslen(L"c:\\test\\*")*2,L"c:\\test\\*",ALLOW_MAX_RIGHT_ACCESS,0,0 );
//Example:
//Set the registry readonly access rights to the process "notepad.exe".
ULONG ALLOW_READ_REGITRY_ACCESS_FLAG = REG_ALLOW_OPEN_KEY|REG_ALLOW_QUERY_KEY | REG_ALLOW_ENUMERATE_KEY | REG_ALLOW_QUERY_VALUE_KEY
| REG_ALLOW_QUERY_KEY_SECURITY | REG_ALLOW_QUERY_KEYNAME);
AddFileAccessRightsToProcessName(wcslen(L"notepad.exe")*2, L"notepad.exe", wcslen(L"c:\\windows\\*")*2,L"c:\\windows\\*"
,ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS|ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION),0,0 );
AddRegfilterEntry (wcslen(L"notepad.exe")*2, L"notepad.exe", 0, 0, NULL, 2, L"*",ALLOW_READ_REGITRY_ACCESS_FLAG,0,0 );
//Example:
//Get the notification of the registry operation for the process "notepad.exe".
ULONG ALLOW_READ_REGITRY_ACCESS_FLAG = REG_ALLOW_OPEN_KEY|REG_ALLOW_QUERY_KEY | REG_ALLOW_ENUMERATE_KEY | REG_ALLOW_QUERY_VALUE_KEY
| REG_ALLOW_QUERY_KEY_SECURITY | REG_ALLOW_QUERY_KEYNAME);
AddFileAccessRightsToProcessName(wcslen(L"notepad.exe")*2, L"notepad.exe", wcslen(L"c:\\windows\\*")*2,L"c:\\windows\\*"
,ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS|ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION),0,0 );
AddRegfilterEntry (wcslen(L"notepad.exe")*2, L"notepad.exe", 0, 0, NULL, 2, L"*",REG_MAX_ACCESS_FLAG,MAX_REG_CALLBACK_CLASS,0 );