File System Filter Driver Programming


File Security Solution - with the file system filter driver SDK

  1. File monitor and file audit
    Monitor Windows file I/O activities in real time, track the file access and changes, monitor file and folder permission changes, audit who is writing, deleting, moving or reading files, report the user name and process name, get the user name and the ip address when the Windows file server's file is accessed by network user.
  2. File access control and data protection
    Control Windows file I/O activities in real time, intercept the file system I/O request, modify the I/O data before or after the request goes down to the file system, and allow or block the file I/O request based on filter rules. With the control filter driver, you can protect sensitive files, verify the user identity, authenticate the user, authorize the file access, and prevent confidential files from being accessed, modified, renamed, deleted, or read by unauthorized users or processes. You can hide your sensitive files from unauthorized users or processes and protect your intellectual property from being copied.
  3. Transparent file level encryption for enterprise
    The encryption uses a 256-bit symmetric key to encrypt or decrypt the data with the AES encryption algorithm. Transparent file-level encryption protects against unauthorized access by users and processes and secures unstructured data for the enterprise. Secure file sharing across your network with digital rights control. High-performance hardware-accelerated encryption: encryption overhead is minimized using the AES hardware encryption capabilities available in modern CPUs.
  4. Process monitoring and protection
    Protect your system environment by monitoring and protecting the processes running in your system. Get notified of process/thread creation or termination, and prevent untrusted executable binaries (malware) from being launched.
  5. Registry monitoring and protection
    Protect Windows core registry keys and values, in addition to operating system files, and prevent potentially damaging system configuration changes. Get a notification for each registry operation when a registry key is accessed or modified by an application.

File security programming demonstration in C# and C++ snippets

With the EaseFilter File Monitor SDK, you can develop file auditing, file tracking and continuous data protection software. With the EaseFilter File Control SDK, you can develop data protection, file screening, file access control, and automatic file encryption and decryption software.

Filter driver installation and uninstallation

InstallDriver()
UnInstallDriver()

The file system filter driver type

If you want to monitor file I/O activities, track file changes and receive file I/O notification events, choose the file monitor filter driver. If you want to authorize or block specific users or processes from accessing files, choose the control filter driver. If you want transparent file-level encryption, choose the encryption filter driver. If you want to monitor or protect system processes, choose the process filter driver. If you want to monitor or protect the system registry, choose the registry filter driver. Set the filter driver type to a combination of the filter type enumeration values below, and the driver will provide the associated features.

typedef enum FilterType
{
	FILE_SYSTEM_CONTROL		= 1,
	FILE_SYSTEM_ENCRYPTION		= 2,
	FILE_SYSTEM_MONITOR		= 4,  
	FILE_SYSTEM_REGISTRY		= 8, 
	FILE_SYSTEM_PROCESS		= 16,
};
		
SetFilterType(ULONG FilterType);

Filter mask - filter the file I/O with the file name filter mask

Set up the filter rule with a filter mask to monitor or control the file I/Os; the filter mask can include the wildcard characters '*' and '?'. For example, with the mask c:\test\*.txt the filter will only monitor or control the text files in the folder c:\test. To control the file I/O with the control filter driver, set the access flag of the filter rule; the access flags can be a combination of the bits in the following enumeration.

File access rights - control the file access with the filter rule

To control the file I/O access rights, allow or block the file IO access, you can set the access control flag of the filter rule, the access flags can be the combination of the below enumeration. With the control flag settings, you can prevent the files from being accessed by the unauthorized users or processes.


typedef enum AccessFlag
{
  EXCLUDE_FILTER_RULE					= 0X00000000,
  EXCLUDE_FILE_ACCESS					= 0x00000001,
  REPARSE_FILE_OPEN					= 0x00000002,
  HIDE_FILES_IN_DIRECTORY_BROWSING			= 0x00000004,
  FILE_ENCRYPTION_RULE					= 0x00000008,
  ALLOW_OPEN_WTIH_ACCESS_SYSTEM_SECURITY		= 0x00000010,
  ALLOW_OPEN_WITH_READ_ACCESS				= 0x00000020,
  ALLOW_OPEN_WITH_WRITE_ACCESS				= 0x00000040,
  ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS		= 0x00000080,
  ALLOW_OPEN_WITH_DELETE_ACCESS				= 0x00000100,
  ALLOW_READ_ACCESS					= 0x00000200,
  ALLOW_WRITE_ACCESS					= 0x00000400,
  ALLOW_QUERY_INFORMATION_ACCESS			= 0x00000800,
  ALLOW_SET_INFORMATION					= 0x00001000,
  ALLOW_FILE_RENAME					= 0x00002000,
  ALLOW_FILE_DELETE					= 0x00004000,
  ALLOW_FILE_SIZE_CHANGE		 		= 0x00008000,
  ALLOW_QUERY_SECURITY_ACCESS				= 0x00010000,
  ALLOW_SET_SECURITY_ACCESS				= 0x00020000,
  ALLOW_DIRECTORY_LIST_ACCESS				= 0x00040000,
  ALLOW_FILE_ACCESS_FROM_NETWORK			= 0x00080000,
  ALLOW_NEW_FILE_ENCRYPTION				= 0x00100000,
  ALLOW_READ_ENCRYPTED_FILES				= 0x00200000,
  ALLOW_ALL_SAVE_AS					= 0x00400000,
  ALLOW_COPY_PROTECTED_FILES_OUT			= 0x00800000,
  ALLOW_FILE_MEMORY_MAPPED				= 0x01000000,
  LEAST_ACCESS_FLAG					= 0xf0000000,
  ALLOW_MAX_RIGHT_ACCESS				= 0xfffffff0,
	
};


AddFileFilterRule(ULONG  AccessFlag,WCHAR* FilterMask, ULONG FilterId)
 

Exclude file filter rule - skip the file access from the filter rule

AddExcludeFileMaskToFilterRule is the API to exclude the I/Os of certain files from a filter rule: files matching the exclude mask are not monitored or controlled by that rule.

AddExcludeFileMaskToFilterRule(WCHAR* FilterMask,WCHAR* ExcludeFileFilterMask);


//Example:
//Manage the file I/Os for files in folder c:\test, but exclude all the .txt files:


AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddExcludeFileMaskToFilterRule(L"c:\\test\\*",L"*.txt");

Process filter - Monitor or control the file I/Os only for the specific processes

If you want to set up the filter rule only for some specific processes, you can add an include process name filter mask to the filter rule.

AddIncludeProcessNameToFilterRule(WCHAR* FilterMask,WCHAR* IncludeProcessNameFilterMask);


//Example:
//Manage the file I/Os for files in folder c:\test only for process "notepad.exe":

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddIncludeProcessNameToFilterRule(L"c:\\test\\*",L"notepad.exe");

Process exclusion - Exclude the I/Os from the process in the filter rule

If you want to set up the filter rule for all but some specific processes, you can add an exclude process name filter mask to the filter rule.

AddExcludeProcessNameToFilterRule(WCHAR* FilterMask,WCHAR* ExcludeProcessNameFilterMask);


//Example:
//Manage the file I/Os for files in folder c:\test except for process "notepad.exe":

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddExcludeProcessNameToFilterRule(L"c:\\test\\*",L"notepad.exe");

User filter rule - Monitor or control the file I/Os only for the specific users

If you want to set up the filter rule only for some specific users, you can add an include user name filter mask to the filter rule.

AddIncludeUserNameToFilterRule(WCHAR* FilterMask,WCHAR* IncludeUserNameFilterMask);


//Example:
//Manage the file I/Os for files in folder c:\test only for user "TestDomain\\TestUser":

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddIncludeUserNameToFilterRule(L"c:\\test\\*",L"TestDomain\\TestUser");

User exclusion - Exclude the I/Os from the user in the filter rule

If you want to set up the filter rule for all but some specific users, you can add an exclude user name filter mask to the filter rule.

AddExcludeUserNameToFilterRule(WCHAR* FilterMask,WCHAR* ExcludeUserNameFilterMask);


//Example:
//Manage the file I/Os for files in folder c:\test except for user "TestDomain\\TestUser":

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddExcludeUserNameToFilterRule(L"c:\\test\\*",L"TestDomain\\TestUser");

Track file change - get notification when the file was changed

To track file changes, register the file change events as a combination of the bits of the following enumeration. The events are fired when the I/O has completed and the file handle has been closed:
  FILE_WAS_CREATED: a new file was created in the watched folder.
  FILE_WAS_WRITTEN: data was written to the file.
  FILE_WAS_RENAMED: the file was renamed.
  FILE_WAS_DELETED: the file was deleted.
  FILE_SECURITY_CHANGED: the file's security property was changed.
  FILE_INFO_CHANGED: the file's information (file size, file time, file attributes) was changed.
  FILE_WAS_READ: the file was read.

typedef enum FileEventType
{  
  	FILE_WAS_CREATED	= 0x00000020,
	FILE_WAS_WRITTEN	= 0x00000040,
	FILE_WAS_RENAMED	= 0x00000080,
	FILE_WAS_DELETED	= 0x00000100,
	FILE_SECURITY_CHANGED	= 0x00000200,
	FILE_INFO_CHANGED	= 0x00000400,
	FILE_WAS_READ		= 0x00000800,
};

		
RegisterEventTypeToFilterRule(WCHAR* FilterMask, ULONG  EventType );

//Example:
//Track the file change events (written, renamed, deleted) for files in folder c:\test:

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
RegisterEventTypeToFilterRule(L"c:\\test\\*",FILE_WAS_WRITTEN|FILE_WAS_RENAMED|FILE_WAS_DELETED); 

File audit - track the file IO activities in real time

To track a specific file I/O request, you can get the detailed information of the I/O. With the POST_CREATE event, you will know how the file was opened: whether it was opened, created, truncated or overwritten. For read I/O, you will know the read offset and read length. For write I/O, you will know the write offset and write length. For information query or set I/O, you can get or set the file information: file size, file time, file attributes. For security query or set I/O, you can get or change the file security information. For directory I/O, you can get the file list of the directory.

typedef enum  MessageType
{
	POST_CREATE			= 0x00000002,	
	POST_FASTIO_READ		= 0x00000008,	
	POST_CACHE_READ			= 0x00000020,
	POST_NOCACHE_READ		= 0x00000080,
	POST_PAGING_IO_READ		= 0x00000200,
	POST_FASTIO_WRITE		= 0x00000800,
	POST_CACHE_WRITE		= 0x00002000,
	POST_NOCACHE_WRITE		= 0x00008000,
	POST_PAGING_IO_WRITE 		= 0x00020000,
	POST_QUERY_INFORMATION		= 0x00080000,
	POST_SET_INFORMATION		= 0x00200000,
	POST_DIRECTORY			= 0x00800000,
	POST_QUERY_SECURITY		= 0x02000000,
	POST_SET_SECURITY		= 0x08000000,
	POST_CLEANUP			= 0x20000000,
	POST_CLOSE			= 0x80000000, 

};

		
RegisterMonitorToFilterRule(WCHAR* FilterMask,ULONG  RegisterIO);


//Example:
//Get the notification when the file was opened/read for files in folder c:\test:

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
RegisterMonitorToFilterRule(L"c:\\test\\*",POST_CREATE|POST_FASTIO_READ|POST_CACHE_READ|POST_NOCACHE_READ|POST_PAGING_IO_READ); 

Block file creation - block the new file being created

To prevent the new file from being created or overwritten, you can disable the access flag ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS in the filter rule.


//Example:
//Block the new file creation in folder c:\test:

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS&(~ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS), L"c:\\test\\*", 1);

Block file copy - prevent the protected files from being copied out of your protected folder

Prevent your sensitive files from being copied out with the access flag setting.


//Example:
//Prevent the files in folder c:\test from being copied out.

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS&(~ALLOW_COPY_PROTECTED_FILES_OUT), L"c:\\test\\*", 1);

Block file change - prevent the protected files from being modified, renamed or deleted in your protected folder

Protect your file from being changed with the access flag setting.


//Example:
//Prevent the file from being modified, renamed or deleted in folder c:\test:

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE)), L"c:\\test\\*", 1);

Sensitive files hidden - hide your sensitive files in your protected folder

Hide the files with access flag setting.


//Example:
//Hide the files in folder c:\test for process "explorer.exe"

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS|HIDE_FILES_IN_DIRECTORY_BROWSING, L"c:\\test\\*", 1);
AddIncludeProcessNameToFilterRule(L"c:\\test\\*",L"explorer.exe");
AddHiddenFileMaskToFilterRule(L"c:\\test\\*",L"*.*");

Reparse file open - reparse the file open to another file in different folder

Reparse the file open with access flag setting.


//Example:
//Reparse the file open in folder c:\test to another folder c:\reparseFolder:

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS|REPARSE_FILE_OPEN, L"c:\\test\\*", 1);
AddReparseFileMaskToFilterRule(L"c:\\test\\*",L"c:\\reparseFolder\\*");

Intercept file I/O - Get the notification for the file I/O, you can block this file IO, or modify the file IO data

You can register pre-operation or post-operation I/O callbacks; to deny an I/O operation, complete the pre-operation in your callback routine.


//Example:
//Register the PRE_CREATE and PRE_SET_INFORMATION I/O for folder c:\test; you can allow or deny the file open, creation, deletion or rename in the callback routine.

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
RegisterControlToFilterRule(L"c:\\test\\*",PRE_CREATE|PRE_SET_INFORMATION);

Authorize process access rights - Grant or revoke the file access rights to the specific processes

Set per-process access rights on the filter rule. With this feature you can grant access to specific processes, or remove the access rights of specific processes.


//Example:
//Set the full access rights to the process "notepad.exe", set the readonly access rights to the process "explorer.exe", remove all the access rights to other processes.

AddFileFilterRule(LEAST_ACCESS_FLAG, L"c:\\test\\*", 1);
AddProcessRightsToFilterRule(L"c:\\test\\*",L"notepad.exe",ALLOW_MAX_RIGHT_ACCESS);
AddProcessRightsToFilterRule(L"c:\\test\\*",L"explorer.exe",ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS|ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION)));
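The filter mask wildcard semantics described above and the way a rule's default access flags combine with exclude masks and per-process grants can be checked offline before a rule set is deployed to the driver. The following is an added example, not EaseFilter SDK code: it models the page's "authorize process access rights" scenario with a small rule table. Rule ordering (first match wins), matching the exclude mask against the full path, and the precedence of per-process grants over the rule default are assumptions of this model.

```c
#include <stdbool.h>
#include <wchar.h>
#include <wctype.h>

/* Subset of the page's AccessFlag values; READONLY_ACCESS is the page's explorer.exe mask. */
#define ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS 0x00000080UL
#define ALLOW_WRITE_ACCESS     0x00000400UL
#define ALLOW_SET_INFORMATION  0x00001000UL
#define ALLOW_FILE_RENAME      0x00002000UL
#define ALLOW_FILE_DELETE      0x00004000UL
#define LEAST_ACCESS_FLAG      0xf0000000UL
#define ALLOW_MAX_RIGHT_ACCESS 0xfffffff0UL
#define READONLY_ACCESS (ALLOW_MAX_RIGHT_ACCESS & ~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS | \
    ALLOW_WRITE_ACCESS | ALLOW_FILE_RENAME | ALLOW_FILE_DELETE | ALLOW_SET_INFORMATION))

/* Case-insensitive wildcard match: '*' matches any run (including '\\'), '?' one character. */
bool mask_match(const wchar_t *mask, const wchar_t *path)
{
    const wchar_t *star = NULL, *back = NULL;
    while (*path) {
        if (*mask == L'*') { star = mask++; back = path; continue; }
        if (*mask == L'?' || towlower(*mask) == towlower(*path)) { mask++; path++; continue; }
        if (!star) return false;
        mask = star + 1; path = ++back;   /* backtrack: let the last '*' absorb one more char */
    }
    while (*mask == L'*') mask++;
    return *mask == L'\0';
}

typedef struct { const wchar_t *process_mask; unsigned long rights; } ProcessRights;
typedef struct {
    const wchar_t *filter_mask, *exclude_file_mask;   /* exclude mask may be NULL */
    unsigned long access_flags;                       /* rule default (AddFileFilterRule) */
    const ProcessRights *proc; size_t nproc;          /* AddProcessRightsToFilterRule grants */
} Rule;

/* First rule whose mask matches (and whose exclude mask does not) decides; a per-process grant
   overrides the rule default; paths no rule matches stay unfiltered (assumptions, see lead-in). */
unsigned long effective_access(const Rule *rules, size_t n, const wchar_t *path, const wchar_t *proc_name)
{
    for (size_t i = 0; i < n; i++) {
        const Rule *r = &rules[i];
        if (!mask_match(r->filter_mask, path)) continue;
        if (r->exclude_file_mask && mask_match(r->exclude_file_mask, path)) continue;
        for (size_t j = 0; j < r->nproc; j++)
            if (mask_match(r->proc[j].process_mask, proc_name)) return r->proc[j].rights;
        return r->access_flags;
    }
    return ALLOW_MAX_RIGHT_ACCESS;
}

/* Constructed rule set mirroring the page's example: notepad.exe full, explorer.exe read-only,
   everyone else least access; *.tmp files are excluded from the rule (constructed addition). */
unsigned long demo_access(const wchar_t *path, const wchar_t *proc_name)
{
    static const ProcessRights proc[] = { { L"notepad.exe", ALLOW_MAX_RIGHT_ACCESS },
                                          { L"explorer.exe", READONLY_ACCESS } };
    static const Rule rules[] = { { L"c:\\test\\*", L"*.tmp", LEAST_ACCESS_FLAG, proc, 2 } };
    return effective_access(rules, 1, path, proc_name);
}
```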

Transparent file encryption - encrypt the files transparently

Protect your sensitive files with data encryption at rest.


//Example:
//Transparently encrypt or decrypt files in folder c:\test automatically with an AES 256-bit key.

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS|FILE_ENCRYPTION_RULE, L"c:\\test\\*", 1);

//256-bit (32-byte) encryption key
unsigned char key[] = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};
AddEncryptionKeyToFilterRule(L"c:\\test\\*",sizeof(key),key);

Authorize encrypted file reading - prevent the encrypted sensitive files from being read without your authorization

Only authorized processes can read the encrypted files; other processes will get the raw encrypted data when they read the encrypted files.


//Example:
//Transparently encrypt files in folder c:\test automatically with an AES 256-bit key; only the authorized process "notepad.exe" can read the encrypted files,
//so when you copy the encrypted file in Windows explorer, the encrypted files will be copied out instead of the decrypted files.

AddFileFilterRule((ALLOW_MAX_RIGHT_ACCESS|FILE_ENCRYPTION_RULE)&(~ALLOW_READ_ENCRYPTED_FILES), L"c:\\test\\*", 1);

//256-bit (32-byte) encryption key
unsigned char key[] = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};
AddEncryptionKeyToFilterRule(L"c:\\test\\*",sizeof(key),key);
AddProcessRightsToFilterRule(L"c:\\test\\*",L"notepad.exe",ALLOW_MAX_RIGHT_ACCESS);

Process monitoring - Get notified on process or thread creation or termination

Register the process operations callback service.


//Example:
//Get the notification whenever a process or thread is created or terminated.

AddProceeFilterEntry(2, L"*", PROCESS_CREATION_NOTIFICATION|PROCESS_TERMINATION_NOTIFICATION|THREAD_CREATION_NOTIFICATION|THREAD_TERMINATION_NOTIFICATION);

Block process from running - block the malware from running in your system

Prevent untrusted executable binaries (malware) from being launched, and protect your data from being damaged by untrusted processes.


//Example:
//Block the processes running from the folder c:\untrustFiles.

AddProceeFilterEntry(wcslen(L"c:\\untrustFiles\\*")*2, L"c:\\untrustFiles\\*", DENY_NEW_PROCESS_CREATION);

Set file access rights to process

Restrict the process file access rights to folders.


//Example:
//Set readonly access to the folder c:\windows for the process "notepad.exe", set the full access rights to the folder c:\test for the process "notepad.exe".

AddFileAccessRightsToProcessName(wcslen(L"notepad.exe")*2, L"notepad.exe", wcslen(L"c:\\windows\\*")*2,L"c:\\windows\\*"
,ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS|ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION)),0,0 );

AddFileAccessRightsToProcessName(wcslen(L"notepad.exe")*2, L"notepad.exe", wcslen(L"c:\\test\\*")*2,L"c:\\test\\*",ALLOW_MAX_RIGHT_ACCESS,0,0 );

Registry protection - prevent the registry from being accessed by unauthorized processes

To protect the registry against unauthorized changes, you can set the registry access rights of specific processes to read-only.


//Example:
//Set the registry readonly access rights to the process "notepad.exe".

//Read-only registry rights: open, query, enumerate and read values, but no create, set or delete.
ULONG ALLOW_READ_REGISTRY_ACCESS_FLAG = REG_ALLOW_OPEN_KEY | REG_ALLOW_QUERY_KEY | REG_ALLOW_ENUMERATE_KEY | REG_ALLOW_QUERY_VALUE_KEY
            | REG_ALLOW_QUERY_KEY_SECURITY | REG_ALLOW_QUERY_KEYNAME;
AddFileAccessRightsToProcessName(wcslen(L"notepad.exe")*2, L"notepad.exe", wcslen(L"c:\\windows\\*")*2,L"c:\\windows\\*"
,ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS|ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION)),0,0 );

AddRegfilterEntry(wcslen(L"notepad.exe")*2, L"notepad.exe", 0, 0, NULL, 2, L"*",ALLOW_READ_REGISTRY_ACCESS_FLAG,0,0 );

Registry monitoring - Monitor the registry activities

You can register for registry access events to get a callback notification when a registry operation is performed.


//Example:
//Get the notification of the registry operation for the process "notepad.exe".

//Read-only registry rights for the process, as in the protection example above.
ULONG ALLOW_READ_REGISTRY_ACCESS_FLAG = REG_ALLOW_OPEN_KEY | REG_ALLOW_QUERY_KEY | REG_ALLOW_ENUMERATE_KEY | REG_ALLOW_QUERY_VALUE_KEY
            | REG_ALLOW_QUERY_KEY_SECURITY | REG_ALLOW_QUERY_KEYNAME;
AddFileAccessRightsToProcessName(wcslen(L"notepad.exe")*2, L"notepad.exe", wcslen(L"c:\\windows\\*")*2,L"c:\\windows\\*"
,ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS|ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION)),0,0 );

//Grant full registry rights and register every registry callback class so each operation is reported.
AddRegfilterEntry(wcslen(L"notepad.exe")*2, L"notepad.exe", 0, 0, NULL, 2, L"*",REG_MAX_ACCESS_FLAG,MAX_REG_CALLBACK_CLASS,0 );