InstallDriver() UnInstallDriver()
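/*
 * Which component(s) of the filter driver to activate; passed to
 * SetFilterType(). The members are distinct powers of two, so they look
 * intended to be OR'd together to enable several components in one call
 * (the page shows no combined call — confirm with the SDK header).
 * Fixed: the keyword was spelled "Typedef", which does not compile, and the
 * typedef had no declarator, so it declared nothing; the typedef name
 * FilterType is now provided (enum tags and typedef names live in separate
 * namespaces, so both can be called FilterType).
 * The per-member notes below are inferred from the names and from the APIs
 * shown later on this page.
 */
typedef enum FilterType
{
    FILE_SYSTEM_CONTROL    = 1,   /* allow/deny file I/O via AccessFlag rules */
    FILE_SYSTEM_ENCRYPTION = 2,   /* transparent encryption (FILE_ENCRYPTION_RULE) */
    FILE_SYSTEM_MONITOR    = 4,   /* notification only (RegisterMonitorToFilterRule) */
    FILE_SYSTEM_REGISTRY   = 8,   /* registry access rules (AddRegfilterEntry) */
    FILE_SYSTEM_PROCESS    = 16,  /* process/thread rules (AddProceeFilterEntry) */
} FilterType;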
/* Select which filter component(s) of the driver are active. FilterType takes
   values from enum FilterType above; those are distinct bits, so presumably
   several can be OR'd into one call — confirm with the SDK. No return type is
   printed on this page (implicit int as written); check the SDK header and
   test the result, since an unenabled component enforces nothing. */
SetFilterType(ULONG FilterType);
Set up a filter rule with a filter mask to monitor or control file I/O. The mask may contain the wildcard characters '*' and '?'; for example, the mask c:\test\*.txt restricts the rule to the .txt files in the folder c:\test. For the control filter driver, the rule's access flags decide which operations are permitted; the flags are a bitwise combination of the enumeration below.
To allow or block file I/O, set the access-control flags of the filter rule; the flags are a bitwise combination of the enumeration below. With these flags you can prevent files from being accessed by unauthorized users or processes. Prefer the allow-list form: start from LEAST_ACCESS_FLAG (no ALLOW_* bit set) and add only the rights a process needs, rather than starting from ALLOW_MAX_RIGHT_ACCESS and clearing the rights you remember to deny — a bit you forget to clear is an unintended grant.
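/*
 * Per-rule access rights, OR'd together and passed as the AccessFlag argument
 * of AddFileFilterRule(), AddProcessRightsToFilterRule() and
 * AddFileAccessRightsToProcessName(). Two kinds of bit share the word:
 *   - the low nibble (0x1..0x8) selects the kind of rule (exclude / reparse /
 *     hide / encrypt);
 *   - every higher named bit is an ALLOW_* right; clearing it denies that
 *     operation for the processes/users the rule covers (see the "Block the
 *     new file creation" example below).
 * ALLOW_MAX_RIGHT_ACCESS (0xfffffff0) is every bit except the low nibble,
 * which is why the examples OR a rule-type flag onto it. It also sets bits
 * that have no name on this page (0x02000000-0x08000000 and the top nibble).
 * LEAST_ACCESS_FLAG (0xf0000000) sets only that unnamed top nibble, i.e. no
 * ALLOW_* right at all — the starting point for an allow-list.
 * The two largest values exceed INT_MAX: keep masks in ULONG, as the
 * prototypes do, and compare them as unsigned.
 * Fixed: the typedef had no declarator (a no-op); hex prefixes normalised.
 */
typedef enum AccessFlag
{
    /* Rule-type flags (low nibble). EXCLUDE_FILTER_RULE is zero, not a bit. */
    EXCLUDE_FILTER_RULE                        = 0x00000000,
    EXCLUDE_FILE_ACCESS                        = 0x00000001,
    REPARSE_FILE_OPEN                          = 0x00000002,  /* used with AddReparseFileMaskToFilterRule */
    HIDE_FILES_IN_DIRECTORY_BROWSING           = 0x00000004,  /* used with AddHiddenFileMaskToFilterRule */
    FILE_ENCRYPTION_RULE                       = 0x00000008,  /* used with AddEncryptionKeyToFilterRule */

    /* ALLOW_OPEN_WITH_*: rights requested at handle open (by name). */
    ALLOW_OPEN_WTIH_ACCESS_SYSTEM_SECURITY     = 0x00000010,  /* sic: spelling kept as published */
    ALLOW_OPEN_WITH_READ_ACCESS                = 0x00000020,
    ALLOW_OPEN_WITH_WRITE_ACCESS               = 0x00000040,
    ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS = 0x00000080,
    ALLOW_OPEN_WITH_DELETE_ACCESS              = 0x00000100,

    /* Rights for individual operations on an open file (by name). */
    ALLOW_READ_ACCESS                          = 0x00000200,
    ALLOW_WRITE_ACCESS                         = 0x00000400,
    ALLOW_QUERY_INFORMATION_ACCESS             = 0x00000800,
    ALLOW_SET_INFORMATION                      = 0x00001000,
    ALLOW_FILE_RENAME                          = 0x00002000,
    ALLOW_FILE_DELETE                          = 0x00004000,
    ALLOW_FILE_SIZE_CHANGE                     = 0x00008000,
    ALLOW_QUERY_SECURITY_ACCESS                = 0x00010000,
    ALLOW_SET_SECURITY_ACCESS                  = 0x00020000,
    ALLOW_DIRECTORY_LIST_ACCESS                = 0x00040000,
    ALLOW_FILE_ACCESS_FROM_NETWORK             = 0x00080000,

    /* Rights tied to the encryption / copy-protection features (by name). */
    ALLOW_NEW_FILE_ENCRYPTION                  = 0x00100000,
    ALLOW_READ_ENCRYPTED_FILES                 = 0x00200000,
    ALLOW_ALL_SAVE_AS                          = 0x00400000,
    ALLOW_COPY_PROTECTED_FILES_OUT             = 0x00800000,
    ALLOW_FILE_MEMORY_MAPPED                   = 0x01000000,

    /* 0x02000000 - 0x08000000 are not named on this page. */
    LEAST_ACCESS_FLAG                          = 0xf0000000,  /* no ALLOW_* bit set */
    ALLOW_MAX_RIGHT_ACCESS                     = 0xfffffff0,  /* every bit above the rule-type nibble */
} AccessFlag;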
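/* Create a filter rule. AccessFlag is a bitwise OR of enum AccessFlag values;
   FilterMask is the path pattern the rule applies to and may contain '*' and
   '?'; FilterId is a caller-chosen number naming the rule. The return type is
   not printed on this page — look it up in the SDK header and check it: a
   rule that fails to install enforces nothing, i.e. the system fails open.
   Fixed: the declaration was missing its terminating ';'. */
AddFileFilterRule(ULONG AccessFlag, WCHAR* FilterMask, ULONG FilterId);
/* Exclude files matching ExcludeFileFilterMask from the rule identified by
   FilterMask (the same string that was passed to AddFileFilterRule). */
AddExcludeFileMaskToFilterRule(WCHAR* FilterMask, WCHAR* ExcludeFileFilterMask);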
// Example: manage file I/O under c:\test, leaving every *.txt file out.
// Every example on this page creates the rule first and then attaches masks
// to it by repeating the same FilterMask string; FilterId 1 names the rule.
// ALLOW_MAX_RIGHT_ACCESS grants every right, so this rule only scopes which
// files are covered — pair it with a reduced mask or a monitor registration
// for it to enforce or report anything.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddExcludeFileMaskToFilterRule(L"c:\\test\\*", L"*.txt");
/* Restrict the rule identified by FilterMask to I/O from processes whose name
   matches IncludeProcessNameFilterMask. As far as this prototype shows the
   match is on the name string only, so a renamed binary matches too — do not
   treat it as an identity check unless the SDK verifies the image elsewhere. */
AddIncludeProcessNameToFilterRule(WCHAR* FilterMask,WCHAR* IncludeProcessNameFilterMask);
// Example: manage file I/O under c:\test for the process "notepad.exe" only.
// The include filter narrows the rule to callers whose process name matches.
// Matching is by name, per the prototype above, so any executable that
// happens to be named notepad.exe qualifies; treat the name as a convenience
// filter, not as proof of identity, unless the SDK checks the image elsewhere.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddIncludeProcessNameToFilterRule(L"c:\\test\\*", L"notepad.exe");
/* Exempt processes whose name matches ExcludeProcessNameFilterMask from the
   rule identified by FilterMask. Name-based, so an attacker who can rename a
   binary to the excluded name escapes the rule — prefer include lists with
   reduced rights over exclusions when the rule is meant to enforce policy. */
AddExcludeProcessNameToFilterRule(WCHAR* FilterMask,WCHAR* ExcludeProcessNameFilterMask);
// Example: manage file I/O under c:\test for every process except "notepad.exe".
// The exclusion is by process name only (see the prototype above), so
// renaming another executable to notepad.exe would let it escape the rule.
// With ALLOW_MAX_RIGHT_ACCESS the rule grants everything to the processes it
// does cover; combine it with a reduced mask for the exclusion to matter.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddExcludeProcessNameToFilterRule(L"c:\\test\\*", L"notepad.exe");
/* Restrict the rule identified by FilterMask to I/O issued under accounts
   matching IncludeUserNameFilterMask; the example below writes the account
   as DOMAIN\user. Whether matching is case-sensitive or accepts wildcards
   is not stated on this page — confirm with the SDK before relying on it. */
AddIncludeUserNameToFilterRule(WCHAR* FilterMask,WCHAR* IncludeUserNameFilterMask);
// Example: manage file I/O under c:\test only for the account "TestDoman\TestUser".
// The account is written DOMAIN\user (the doubled backslash is C escaping).
// An include-user filter selects which callers the rule applies to; it does
// not deny anything by itself, because ALLOW_MAX_RIGHT_ACCESS grants every
// right — clear bits from the mask to actually restrict that user.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddIncludeUserNameToFilterRule(L"c:\\test\\*", L"TestDoman\\TestUser");
/* Exempt I/O issued under accounts matching ExcludeUserNameFilterMask from the
   rule identified by FilterMask (DOMAIN\user form, see the example below). */
AddExcludeUserNameToFilterRule(WCHAR* FilterMask,WCHAR* ExcludeUserNameFilterMask);
// Example: manage file I/O under c:\test for everyone except "TestDoman\TestUser".
// Same DOMAIN\user form as the include example; everything the rule grants
// (here ALLOW_MAX_RIGHT_ACCESS, i.e. all rights) applies to every other
// account, and the excluded account is simply not governed by this rule.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddExcludeUserNameToFilterRule(L"c:\\test\\*", L"TestDoman\\TestUser");
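/*
 * File-change events a rule can subscribe to with
 * RegisterEventTypeToFilterRule(). The members are distinct bits and are
 * OR'd together (see the example below).
 * Caution: the numeric values 0x20..0x800 coincide with the
 * ALLOW_OPEN_WITH_READ_ACCESS..ALLOW_QUERY_INFORMATION_ACCESS range of
 * enum AccessFlag. They are unrelated enumerations; never pass one where the
 * other is expected, and keep masks in ULONG as the prototypes do.
 * Fixed: the typedef had no declarator; the typedef name is now provided.
 */
typedef enum FileEventType
{
    FILE_WAS_CREATED      = 0x00000020,
    FILE_WAS_WRITTEN      = 0x00000040,
    FILE_WAS_RENAMED      = 0x00000080,
    FILE_WAS_DELETED      = 0x00000100,
    FILE_SECURITY_CHANGED = 0x00000200,
    FILE_INFO_CHANGED     = 0x00000400,
    FILE_WAS_READ         = 0x00000800,
} FileEventType;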
/* Subscribe the rule identified by FilterMask to the change events in
   EventType, a bitwise OR of enum FileEventType values (see above). */
RegisterEventTypeToFilterRule(WCHAR* FilterMask, ULONG EventType );
// Example: track change events (written, renamed, deleted) for files in c:\test.
// FileEventType values are bit flags OR'd into the single EventType argument.
// FILE_WAS_CREATED and FILE_WAS_READ are left out here; include them if an
// audit trail must also record new files and reads.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
RegisterEventTypeToFilterRule(L"c:\\test\\*",
                              FILE_WAS_WRITTEN | FILE_WAS_RENAMED | FILE_WAS_DELETED);
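/*
 * Post-operation ("POST_") I/O notifications a monitor rule can subscribe to
 * through RegisterMonitorToFilterRule(). Each value is the previous one
 * shifted left by two, so only every other bit is named here; the bits in
 * between are not defined on this page (the PRE_CREATE / PRE_SET_INFORMATION
 * names used with RegisterControlToFilterRule() below presumably occupy
 * them — confirm with the SDK header before mixing the two).
 * Reads and writes are split by I/O path (fast I/O, cached, non-cached,
 * paging), so seeing "every read" needs all four read flags, as the example
 * below shows; registering only one leaves the other paths unobserved.
 * POST_CLOSE is 0x80000000, above INT_MAX: keep the mask in ULONG and
 * compare as unsigned.
 * Fixed: the typedef had no declarator; the typedef name is now provided.
 */
typedef enum MessageType
{
    POST_CREATE            = 0x00000002,
    POST_FASTIO_READ       = 0x00000008,
    POST_CACHE_READ        = 0x00000020,
    POST_NOCACHE_READ      = 0x00000080,
    POST_PAGING_IO_READ    = 0x00000200,
    POST_FASTIO_WRITE      = 0x00000800,
    POST_CACHE_WRITE       = 0x00002000,
    POST_NOCACHE_WRITE     = 0x00008000,
    POST_PAGING_IO_WRITE   = 0x00020000,
    POST_QUERY_INFORMATION = 0x00080000,
    POST_SET_INFORMATION   = 0x00200000,
    POST_DIRECTORY         = 0x00800000,
    POST_QUERY_SECURITY    = 0x02000000,
    POST_SET_SECURITY      = 0x08000000,
    POST_CLEANUP           = 0x20000000,
    POST_CLOSE             = 0x80000000,
} MessageType;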
/* Subscribe the rule identified by FilterMask to the post-operation
   notifications in RegisterIO, a bitwise OR of enum MessageType values
   (see above). The example below shows the full set of read-path flags
   needed to observe every read. */
RegisterMonitorToFilterRule(WCHAR* FilterMask,ULONG RegisterIO);
// Example: get a notification whenever a file in c:\test is opened or read.
// Reads reach the filter through several I/O paths (fast I/O, cached,
// non-cached, paging), each with its own POST_* flag, so all four are
// registered alongside POST_CREATE; dropping one leaves that path unmonitored.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
RegisterMonitorToFilterRule(L"c:\\test\\*",
                            POST_CREATE | POST_FASTIO_READ | POST_CACHE_READ
                          | POST_NOCACHE_READ | POST_PAGING_IO_READ);
// Example: block creation of new files in c:\test.
// Starts from every right and clears only the create/overwrite bit; by its
// name that flag also covers overwriting an existing file, not just creating.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS & ~ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS,
                  L"c:\\test\\*", 1);
// Example: prevent files in c:\test from being copied out.
// Only ALLOW_COPY_PROTECTED_FILES_OUT is cleared. What the driver counts as a
// "copy out" is not specified on this page; a process that is still allowed
// to read can read the bytes and write them elsewhere unless the driver
// recognises that pattern — verify the SDK's definition before treating this
// rule as data-loss prevention.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS & ~ALLOW_COPY_PROTECTED_FILES_OUT,
                  L"c:\\test\\*", 1);
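// Example: prevent files in c:\test from being modified, renamed or deleted.
// Fixed: the original call was missing a closing parenthesis and did not compile.
// Only write, rename and delete are cleared. By their names,
// ALLOW_OPEN_WITH_WRITE_ACCESS, ALLOW_OPEN_WITH_DELETE_ACCESS,
// ALLOW_FILE_SIZE_CHANGE, ALLOW_SET_INFORMATION and ALLOW_SET_SECURITY_ACCESS
// stay granted — confirm with the SDK whether truncation or an ACL change is
// blocked, and clear those bits too if "not modified" must mean immutable.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS
                  & ~(ALLOW_WRITE_ACCESS | ALLOW_FILE_RENAME | ALLOW_FILE_DELETE),
                  L"c:\\test\\*", 1);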
// Example: hide the files in c:\test from the process "explorer.exe".
// HIDE_FILES_IN_DIRECTORY_BROWSING is a rule-type flag in the low nibble,
// which ALLOW_MAX_RIGHT_ACCESS leaves clear — hence the OR. The hidden-file
// mask "*.*" selects which entries disappear from listings.
// This is concealment, not access control: the rule applies only to
// explorer.exe (include-process filter) and only to directory browsing, while
// the rights mask still grants everything, so any other process — or anyone
// who knows a path — can presumably open the files. Use ALLOW_* bits if the
// goal is confidentiality.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS | HIDE_FILES_IN_DIRECTORY_BROWSING,
                  L"c:\\test\\*", 1);
AddIncludeProcessNameToFilterRule(L"c:\\test\\*", L"explorer.exe");
AddHiddenFileMaskToFilterRule(L"c:\\test\\*", L"*.*");
// Example: redirect ("reparse") opens of files under c:\test to c:\reparseFolder.
// REPARSE_FILE_OPEN is a rule-type flag OR'd onto the rights mask; the reparse
// mask supplies the target pattern. A caller presumably ends up with a handle
// to the target while believing it opened the original path, so the target
// folder needs an ACL at least as strict as c:\test. No include filter is set,
// so every process — backup and security tooling included — is redirected.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS | REPARSE_FILE_OPEN, L"c:\\test\\*", 1);
AddReparseFileMaskToFilterRule(L"c:\\test\\*", L"c:\\reparseFolder\\*");
// Example: register the PRE_CREATE and PRE_SET_INFORMATION I/O for c:\test so
// that file open, creation, deletion and rename can be allowed or denied from
// the callback routine.
// PRE_CREATE, PRE_SET_INFORMATION and RegisterControlToFilterRule() are not
// declared on this page; see the SDK header. Because the callback decides each
// I/O, it sits on the I/O path: keep it fast, and on any internal error return
// a deny rather than an allow so that failures do not open the folder up.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
RegisterControlToFilterRule(L"c:\\test\\*", PRE_CREATE | PRE_SET_INFORMATION);
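// Example: full rights for "notepad.exe", read-only rights for "explorer.exe",
// no rights for every other process.
// Fixed: the explorer.exe call was missing a closing parenthesis.
// This is the allow-list form: the rule starts at LEAST_ACCESS_FLAG (no
// ALLOW_* bit set) and each process is granted rights explicitly. Two caveats:
// processes are matched by name only, so the grants follow the name rather
// than the image; and "read-only" here clears just create/overwrite, write,
// rename, delete and set-information — by their names
// ALLOW_OPEN_WITH_WRITE_ACCESS, ALLOW_OPEN_WITH_DELETE_ACCESS,
// ALLOW_FILE_SIZE_CHANGE and ALLOW_SET_SECURITY_ACCESS remain granted to
// explorer.exe. Build the mask upward from the READ/QUERY/DIRECTORY_LIST bits
// if those must be denied as well.
AddFileFilterRule(LEAST_ACCESS_FLAG, L"c:\\test\\*", 1);
AddProcessRightsToFilterRule(L"c:\\test\\*", L"notepad.exe", ALLOW_MAX_RIGHT_ACCESS);
AddProcessRightsToFilterRule(L"c:\\test\\*", L"explorer.exe",
                             ALLOW_MAX_RIGHT_ACCESS
                             & ~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS | ALLOW_WRITE_ACCESS
                                 | ALLOW_FILE_RENAME | ALLOW_FILE_DELETE | ALLOW_SET_INFORMATION));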
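// Example: transparently encrypt and decrypt files in c:\test with a 256-bit AES key.
// FILE_ENCRYPTION_RULE is a rule-type flag OR'd onto the rights mask.
//
// SECURITY: the bytes below are the published AES-256 test-vector key from
// NIST SP 800-38A (60 3d eb 10 ... 14 df f4). Anyone can look it up, so data
// encrypted with it is not confidential. It is a placeholder for this demo
// only. In a real deployment obtain the key at runtime from a key store
// (DPAPI, a KMS/HSM, or a key derived from a user secret), never embed it in
// the binary, and wipe the in-memory copy once it is no longer needed — after
// first confirming whether AddEncryptionKeyToFilterRule() copies the buffer or
// keeps the pointer, which this page does not say.
// Fixed: a static assert pins the 32-byte length the comment promises, so an
// edited literal cannot silently turn into a different key size.
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS | FILE_ENCRYPTION_RULE, L"c:\\test\\*", 1);
// 256-bit (32-byte) encryption key
unsigned char key[] = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};
_Static_assert(sizeof(key) == 32, "AES-256 requires exactly a 32-byte key");
AddEncryptionKeyToFilterRule(L"c:\\test\\*", sizeof(key), key);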
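// Example: transparently encrypt files in c:\test with a 256-bit AES key, and
// let only the authorized process "notepad.exe" read them decrypted. Copying a
// file from Windows Explorer therefore copies the ciphertext, not the plaintext.
// The rule mask clears ALLOW_READ_ENCRYPTED_FILES for everyone, and the
// per-process grant of ALLOW_MAX_RIGHT_ACCESS (which includes that bit) hands
// it back to notepad.exe alone.
//
// SECURITY: the key bytes are the published AES-256 test-vector key from NIST
// SP 800-38A and must not be used outside a demo; load a real key from a key
// store at runtime instead of embedding it. Also note that ALLOW_MAX_RIGHT_ACCESS
// by value includes ALLOW_COPY_PROTECTED_FILES_OUT and ALLOW_ALL_SAVE_AS, so
// the authorized process can itself write plaintext outside the folder — and
// it is identified by name only. The trust boundary is that process.
// Fixed: a static assert pins the 32-byte key length.
AddFileFilterRule((ALLOW_MAX_RIGHT_ACCESS | FILE_ENCRYPTION_RULE) & ~ALLOW_READ_ENCRYPTED_FILES,
                  L"c:\\test\\*", 1);
// 256-bit (32-byte) encryption key
unsigned char key[] = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};
_Static_assert(sizeof(key) == 32, "AES-256 requires exactly a 32-byte key");
AddEncryptionKeyToFilterRule(L"c:\\test\\*", sizeof(key), key);
AddProcessRightsToFilterRule(L"c:\\test\\*", L"notepad.exe", ALLOW_MAX_RIGHT_ACCESS);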
// Example: be notified of every process and thread creation and termination.
// The first argument is the byte length of the name mask: L"*" is one WCHAR,
// i.e. 2 bytes, matching the wcslen()*2 convention used in the next example.
// "*" matches every process. The notification flags and AddProceeFilterEntry()
// itself are not declared on this page; see the SDK header.
AddProceeFilterEntry(2, L"*",
                     PROCESS_CREATION_NOTIFICATION | PROCESS_TERMINATION_NOTIFICATION
                   | THREAD_CREATION_NOTIFICATION  | THREAD_TERMINATION_NOTIFICATION);
// Example: deny execution of any image located under c:\untrustFiles.
// wcslen()*2 converts the character count to a byte length (two bytes per
// WCHAR). The match is on the image path, so this is a containment measure,
// not an integrity check: the same file copied anywhere else is no longer
// covered. Where the threat model includes an attacker who can write files,
// pair it with an allow-list of trusted locations or a hash/signature check.
AddProceeFilterEntry(wcslen(L"c:\\untrustFiles\\*") * 2, L"c:\\untrustFiles\\*",
                     DENY_NEW_PROCESS_CREATION);
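// Example: give the process "notepad.exe" read-only rights under c:\windows and
// full rights under c:\test.
// Fixed: the first call was missing a closing parenthesis and did not compile.
// Argument order, by position: (name byte length, process name, mask byte
// length, path mask, rights, 0, 0); the wcslen()*2 terms are byte lengths of
// the wide strings. The process is matched by name only. "Read-only" here
// clears create/overwrite, write, rename, delete and set-information; by their
// names ALLOW_OPEN_WITH_WRITE_ACCESS, ALLOW_OPEN_WITH_DELETE_ACCESS,
// ALLOW_FILE_SIZE_CHANGE and ALLOW_SET_SECURITY_ACCESS remain granted — clear
// them too if the policy must forbid every form of modification.
AddFileAccessRightsToProcessName(wcslen(L"notepad.exe") * 2, L"notepad.exe",
                                 wcslen(L"c:\\windows\\*") * 2, L"c:\\windows\\*",
                                 ALLOW_MAX_RIGHT_ACCESS
                                 & ~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS | ALLOW_WRITE_ACCESS
                                     | ALLOW_FILE_RENAME | ALLOW_FILE_DELETE | ALLOW_SET_INFORMATION),
                                 0, 0);
AddFileAccessRightsToProcessName(wcslen(L"notepad.exe") * 2, L"notepad.exe",
                                 wcslen(L"c:\\test\\*") * 2, L"c:\\test\\*",
                                 ALLOW_MAX_RIGHT_ACCESS, 0, 0);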
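// Example: restrict the process "notepad.exe" to read-only access to the registry.
// Fixed: the flag initializer ended with a stray ')' and the file-rights call
// was missing one; neither line compiled.
// The registry mask is built as an allow-list of read/query operations
// (variable name kept as published, typo included). The REG_ALLOW_* names and
// AddRegfilterEntry()'s parameters are not declared on this page; by position
// the call passes (process-name byte length, process name, 0, 0, NULL,
// key-mask byte length — 2 for L"*" — key mask, access flags, 0, 0), and the
// "*" key mask applies the restriction to the whole registry.
// The AddFileAccessRightsToProcessName() call repeats the c:\windows
// read-only file rule from the previous example; it is unrelated to the
// registry restriction and can be dropped if only the registry rule is wanted.
ULONG ALLOW_READ_REGITRY_ACCESS_FLAG = REG_ALLOW_OPEN_KEY | REG_ALLOW_QUERY_KEY
                                     | REG_ALLOW_ENUMERATE_KEY | REG_ALLOW_QUERY_VALUE_KEY
                                     | REG_ALLOW_QUERY_KEY_SECURITY | REG_ALLOW_QUERY_KEYNAME;
AddFileAccessRightsToProcessName(wcslen(L"notepad.exe") * 2, L"notepad.exe",
                                 wcslen(L"c:\\windows\\*") * 2, L"c:\\windows\\*",
                                 ALLOW_MAX_RIGHT_ACCESS
                                 & ~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS | ALLOW_WRITE_ACCESS
                                     | ALLOW_FILE_RENAME | ALLOW_FILE_DELETE | ALLOW_SET_INFORMATION),
                                 0, 0);
AddRegfilterEntry(wcslen(L"notepad.exe") * 2, L"notepad.exe", 0, 0, NULL,
                  2, L"*", ALLOW_READ_REGITRY_ACCESS_FLAG, 0, 0);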
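// Example: get notifications of the registry operations performed by "notepad.exe".
// Fixed: the original defined a read-only flag variable with a stray ')' that
// did not compile and was never used (the call passes REG_MAX_ACCESS_FLAG);
// it is removed. The file-rights call was also missing a closing parenthesis.
// REG_MAX_ACCESS_FLAG grants every registry right, so this entry observes
// rather than restricts; MAX_REG_CALLBACK_CLASS selects the callback classes.
// Neither name nor AddRegfilterEntry() is declared on this page; by position
// the call passes (process-name byte length, process name, 0, 0, NULL,
// key-mask byte length — 2 for L"*" — key mask, access flags, callback
// classes, 0). The AddFileAccessRightsToProcessName() call repeats the
// c:\windows read-only file rule from an earlier example and is unrelated to
// the registry notification; drop it if only the notification is wanted.
AddFileAccessRightsToProcessName(wcslen(L"notepad.exe") * 2, L"notepad.exe",
                                 wcslen(L"c:\\windows\\*") * 2, L"c:\\windows\\*",
                                 ALLOW_MAX_RIGHT_ACCESS
                                 & ~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS | ALLOW_WRITE_ACCESS
                                     | ALLOW_FILE_RENAME | ALLOW_FILE_DELETE | ALLOW_SET_INFORMATION),
                                 0, 0);
AddRegfilterEntry(wcslen(L"notepad.exe") * 2, L"notepad.exe", 0, 0, NULL,
                  2, L"*", REG_MAX_ACCESS_FLAG, MAX_REG_CALLBACK_CLASS, 0);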