Windows File System Filter Driver Programming

Download EaseFilter Filter Driver SDK Setup File
Download EaseFilter Filter Driver SDK Zip File

What can you do with the EaseFilter SDK

  1. File and Folder Monitoring
    Monitor Windows file I/O activities in real time: track file access and changes, monitor file and folder permission changes, audit who is writing, deleting, moving or reading files, report the user name and process name, and get the user name and IP address when a file on a Windows file server is accessed by a network user.
  2. File Access Control and Security Control
    Control Windows file I/O activities in real time: intercept the file system call, modify its content before or after the request goes down to the file system, and allow, deny or cancel its execution based on filter rules. To protect sensitive files, you can verify the user identity, authenticate the user, authorize the file access, and prevent confidential files from being accessed, modified, renamed, deleted or read by unauthorized users; you can also hide your sensitive files from unauthorized users and protect intellectual property from being copied.
  3. File Encryption At-Rest for Enterprise
    Enterprise transparent and continuous file-level encryption protects against unauthorized access by users and processes and secures unstructured data for the enterprise. Encryption is hardware accelerated: the encryption overhead is minimized by using the AES hardware encryption capabilities available in modern CPUs.
  4. Process Monitoring and Protection
    Get a callback notification for process/thread creation or termination, and prevent untrusted executable binaries (malware) from being launched.
  5. Registry Monitoring and Protection
    Protect Windows core registry keys and values, in addition to operating system files, and prevent potentially damaging system configuration changes. Get a notification for each registry operation when a registry key is accessed or modified by an application.

How to use EaseFilter SDK

The EaseFilter control file system filter driver SDK includes two components (EaseFlt.sys and FilterAPI.dll), each in 32-bit and 64-bit versions. EaseFlt.sys is the file system filter driver, which provides a complete, modular environment for building active file system filters. FilterAPI.dll is a user mode DLL which is responsible for the communication between the filter driver and your user mode application, and it is also a wrapper DLL which exports the API to user mode applications.

Install/Uninstall the filter driver with admin privilege

InstallDriver()
UnInstallDriver()

Start the filter driver

To start the filter driver, first set the registration key, then register the callback function together with the worker thread count.
SetRegistrationKey(WCHAR* RegisterKey);

RegisterMessageCallback(ULONG ThreadCount, Proto_Message_Callback MessageCallback, Proto_Disconnect_Callback DisconnectCallback);

Setup the filter driver configuration

To set up the filter driver type, combine the values of the filter type enumeration below; the filter driver then provides the associated features. If you register I/O events or callbacks, also set the maximum time the filter driver waits for a response from the user mode application.

typedef enum FilterType
{
	FILE_SYSTEM_CONTROL		= 1,
	FILE_SYSTEM_ENCRYPTION		= 2,
	FILE_SYSTEM_MONITOR		= 4,
	FILE_SYSTEM_REGISTRY		= 8,
	FILE_SYSTEM_PROCESS		= 16,
};

SetFilterType(ULONG FilterType);

SetConnectionTimeout(ULONG TimeOutInSeconds);

Filter the file I/O with file filter rule

To tell the driver which files to filter, set a filter rule with a file name filter mask. The FilterMask selects the target folder or files and can include the wildcard characters ‘*’ and ‘?’. For example, with c:\test\*txt the filter only monitors I/Os of files whose names end with ‘txt’ in the folder c:\test. To control the file I/O with the control filter driver, set the access flag for the filter rule; the access flag can be any combination of the bits in the following enumeration.


typedef enum AccessFlag
{
  EXCLUDE_FILTER_RULE					= 0x00000000,
  EXCLUDE_FILE_ACCESS					= 0x00000001,
  REPARSE_FILE_OPEN					= 0x00000002,
  HIDE_FILES_IN_DIRECTORY_BROWSING			= 0x00000004,
  FILE_ENCRYPTION_RULE					= 0x00000008,
  ALLOW_OPEN_WTIH_ACCESS_SYSTEM_SECURITY		= 0x00000010,
  ALLOW_OPEN_WITH_READ_ACCESS				= 0x00000020,
  ALLOW_OPEN_WITH_WRITE_ACCESS				= 0x00000040,
  ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS		= 0x00000080,
  ALLOW_OPEN_WITH_DELETE_ACCESS				= 0x00000100,
  ALLOW_READ_ACCESS					= 0x00000200,
  ALLOW_WRITE_ACCESS					= 0x00000400,
  ALLOW_QUERY_INFORMATION_ACCESS			= 0x00000800,
  ALLOW_SET_INFORMATION					= 0x00001000,
  ALLOW_FILE_RENAME					= 0x00002000,
  ALLOW_FILE_DELETE					= 0x00004000,
  ALLOW_FILE_SIZE_CHANGE				= 0x00008000,
  ALLOW_QUERY_SECURITY_ACCESS				= 0x00010000,
  ALLOW_SET_SECURITY_ACCESS				= 0x00020000,
  ALLOW_DIRECTORY_LIST_ACCESS				= 0x00040000,
  ALLOW_FILE_ACCESS_FROM_NETWORK			= 0x00080000,
  ALLOW_NEW_FILE_ENCRYPTION				= 0x00100000,
  ALLOW_READ_ENCRYPTED_FILES				= 0x00200000,
  ALLOW_ALL_SAVE_AS					= 0x00400000,
  ALLOW_COPY_PROTECTED_FILES_OUT			= 0x00800000,
  ALLOW_FILE_MEMORY_MAPPED				= 0x01000000,
  LEAST_ACCESS_FLAG					= 0xf0000000,
  ALLOW_MAX_RIGHT_ACCESS				= 0xfffffff0,
};


AddFileFilterRule(ULONG AccessFlag, WCHAR* FilterMask, ULONG FilterId);
 

Monitor or control the file I/Os except the excluded files

If you want to exclude the I/Os of some files from a filter rule, add an exclude file filter mask to the filter rule.

AddExcludeFileMaskToFilterRule(WCHAR* FilterMask,WCHAR* ExcludeFileFilterMask);


//Example:
//Manage the file I/Os for files in folder c:\test, but exclude all the .txt files:


AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddExcludeFileMaskToFilterRule(L"c:\\test\\*",L"*.txt");

Monitor or control the file I/Os only for the specific processes

If you want to apply the filter rule only to some specific processes, add an include process name filter mask to the filter rule.

AddIncludeProcessNameToFilterRule(WCHAR* FilterMask,WCHAR* IncludeProcessNameFilterMask);


//Example:
//Manage the file I/Os for files in folder c:\test only for process "notepad.exe":

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddIncludeProcessNameToFilterRule(L"c:\\test\\*",L"notepad.exe");

Monitor or control the file I/Os except the specific excluded processes

If you want to apply the filter rule to all processes except some specific ones, add an exclude process name filter mask to the filter rule.

AddExcludeProcessNameToFilterRule(WCHAR* FilterMask,WCHAR* ExcludeProcessNameFilterMask);


//Example:
//Manage the file I/Os for files in folder c:\test except for process "notepad.exe":

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddExcludeProcessNameToFilterRule(L"c:\\test\\*",L"notepad.exe");

Monitor or control the file I/Os only for the specific users

If you want to apply the filter rule only to some specific users, add an include user name filter mask to the filter rule.

AddIncludeUserNameToFilterRule(WCHAR* FilterMask,WCHAR* IncludeUserNameFilterMask);


//Example:
//Manage the file I/Os for files in folder c:\test only for user "TestDomain\\TestUser":

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddIncludeUserNameToFilterRule(L"c:\\test\\*",L"TestDomain\\TestUser");

Monitor or control the file I/Os except the specific excluded users

If you want to apply the filter rule to all users except some specific ones, add an exclude user name filter mask to the filter rule.

AddExcludeUserNameToFilterRule(WCHAR* FilterMask,WCHAR* ExcludeUserNameFilterMask);


//Example:
//Manage the file I/Os for files in folder c:\test except for user "TestDomain\\TestUser":

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddExcludeUserNameToFilterRule(L"c:\\test\\*",L"TestDomain\\TestUser");

Monitor the file I/O events with the monitor filter driver

To track file I/O events, first add a filter rule for the file name filter mask you want to manage, then register the I/O events you want to track; the registered event type can be any combination of the bits in the following enumeration. The events are sent after the I/O has completed and the file handle has been closed.

typedef enum FileEventType
{
	FILE_WAS_CREATED	= 0x00000020,
	FILE_WAS_WRITTEN	= 0x00000040,
	FILE_WAS_RENAMED	= 0x00000080,
	FILE_WAS_DELETED	= 0x00000100,
	FILE_SECURITY_CHANGED	= 0x00000200,
	FILE_INFO_CHANGED	= 0x00000400,
	FILE_WAS_READ		= 0x00000800,
};

RegisterEventTypeToFilterRule(WCHAR* FilterMask, ULONG  EventType );

//Example:
//Track the file change events ( written, renamed, deleted ) for files in folder c:\test:

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
RegisterEventTypeToFilterRule(L"c:\\test\\*",FILE_WAS_WRITTEN|FILE_WAS_RENAMED|FILE_WAS_DELETED); 

Monitor the specific file I/O requests with the monitor filter driver

To track specific file I/O requests, first add a filter rule for the file path filter mask you want to manage, then register the I/O request types you want to track; the registered I/O type can be any combination of the bits in the following enumeration.

typedef enum MessageType
{
	POST_CREATE			= 0x00000002,
	POST_FASTIO_READ		= 0x00000008,
	POST_CACHE_READ			= 0x00000020,
	POST_NOCACHE_READ		= 0x00000080,
	POST_PAGING_IO_READ		= 0x00000200,
	POST_FASTIO_WRITE		= 0x00000800,
	POST_CACHE_WRITE		= 0x00002000,
	POST_NOCACHE_WRITE		= 0x00008000,
	POST_PAGING_IO_WRITE		= 0x00020000,
	POST_QUERY_INFORMATION		= 0x00080000,
	POST_SET_INFORMATION		= 0x00200000,
	POST_DIRECTORY			= 0x00800000,
	POST_QUERY_SECURITY		= 0x02000000,
	POST_SET_SECURITY		= 0x08000000,
	POST_CLEANUP			= 0x20000000,
	POST_CLOSE			= 0x80000000,
};

RegisterMonitorToFilterRule(WCHAR* FilterMask,ULONG  RegisterIO);


//Example:
//Get the notification when the file was opened/read for files in folder c:\test:

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
RegisterMonitorToFilterRule(L"c:\\test\\*",POST_CREATE|POST_FASTIO_READ|POST_CACHE_READ|POST_NOCACHE_READ|POST_PAGING_IO_READ); 

Prevent the new file creation with the control filter driver

Block the new file creation with the access flag setting.


//Example:
//Block the new file creation in folder c:\test:

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS&(~ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS), L"c:\\test\\*", 1);

Prevent the files from being copied out of your folder with the control filter driver

Prevent your sensitive files from being copied out with the access flag setting.


//Example:
//Prevent the files in folder c:\test from being copied out.

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS&(~ALLOW_COPY_PROTECTED_FILES_OUT), L"c:\\test\\*", 1);

Prevent the file from being modified, renamed or deleted with the control filter driver

Protect your file from being changed with the access flag setting.


//Example:
//Prevent the file from being modified, renamed or deleted in folder c:\test:

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE)), L"c:\\test\\*", 1);

Hide the folder or files for specific process with the control filter driver

Hide the files with access flag setting.


//Example:
//Hide the files in folder c:\test for process "explorer.exe"

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS|HIDE_FILES_IN_DIRECTORY_BROWSING, L"c:\\test\\*", 1);
AddIncludeProcessNameToFilterRule(L"c:\\test\\*",L"explorer.exe");
AddHiddenFileMaskToFilterRule(L"c:\\test\\*",L"*.*");

Reparse the file open with the control filter driver

Reparse the file open with access flag setting.


//Example:
//Reparse the file open in folder c:\test to another folder c:\reparseFolder:

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS|REPARSE_FILE_OPEN, L"c:\\test\\*", 1);
AddReparseFileMaskToFilterRule(L"c:\\test\\*",L"c:\\reparseFolder\\*");

Manage preoperation or postoperation I/O operations with the callback routines

You can register preoperation or postoperation callbacks for I/O operations, and you can deny an I/O operation by completing the preoperation in your callback routine.


//Example:
//Register the PRE_CREATE and PRE_SET_INFORMATION I/Os for folder c:\test; you can allow or deny the file open, creation, deletion or rename in the callback routine.

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
RegisterControlToFilterRule(L"c:\\test\\*",PRE_CREATE|PRE_SET_INFORMATION);

Manage the process access rights for the folder and files with the control filter driver

Set per-process access rights on the filter rule. With this feature you can grant access to specific processes, or remove the access rights of specific processes.


//Example:
//Set the full access rights to the process "notepad.exe", set the readonly access rights to the process "explorer.exe", remove all the access rights to other processes.

AddFileFilterRule(LEAST_ACCESS_FLAG, L"c:\\test\\*", 1);
AddProcessRightsToFilterRule(L"c:\\test\\*",L"notepad.exe",ALLOW_MAX_RIGHT_ACCESS);
AddProcessRightsToFilterRule(L"c:\\test\\*",L"explorer.exe",ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS|ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION)));
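Added example, not EaseFilter SDK code: a user-mode model of the wildcard FilterMask matching described under "Filter the file I/O with file filter rule" and of the per-process rights rule just above, so you can check what effective rights a rule grants a given process before loading it into the driver. The glob semantics ('*' any run, '?' one character, case-insensitive) and the FilterRuleModel struct are assumptions; the flag values are taken from the page's AccessFlag enumeration.

```c
/* Added example, not EaseFilter SDK code: a user-mode model of how one filter
 * rule (wildcard FilterMask plus per-process rights) resolves to an effective
 * access mask. The glob semantics ('*' any run, '?' one character, case-
 * insensitive) and the struct are assumptions; flag values follow the page. */
#include <wchar.h>
#include <wctype.h>
#define ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS 0x00000080UL
#define ALLOW_WRITE_ACCESS                          0x00000400UL
#define ALLOW_SET_INFORMATION                       0x00001000UL
#define ALLOW_FILE_RENAME                           0x00002000UL
#define ALLOW_FILE_DELETE                           0x00004000UL
#define LEAST_ACCESS_FLAG                           0xf0000000UL
#define ALLOW_MAX_RIGHT_ACCESS                      0xfffffff0UL
/* Read-only rights exactly as composed in the page's explorer.exe example. */
#define READONLY_RIGHTS (ALLOW_MAX_RIGHT_ACCESS & ~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS | \
    ALLOW_WRITE_ACCESS | ALLOW_FILE_RENAME | ALLOW_FILE_DELETE | ALLOW_SET_INFORMATION))

/* Case-insensitive wildcard match of a filter mask against a path or process name. */
int mask_match(const wchar_t *mask, const wchar_t *s)
{
    for (; *mask; mask++, s++) {
        if (*mask == L'*') {
            while (*mask == L'*') mask++;
            if (!*mask) return 1;                 /* trailing '*' matches the rest */
            for (; *s; s++)
                if (mask_match(mask, s)) return 1;
            return 0;
        }
        if (!*s || (*mask != L'?' && towlower(*mask) != towlower(*s))) return 0;
    }
    return *s == 0;                               /* mask and string end together */
}

typedef struct {                  /* one AddFileFilterRule plus AddProcessRightsToFilterRule entries */
    const wchar_t *filter_mask; unsigned long access_flag;
    const wchar_t *proc_mask[4]; unsigned long proc_rights[4]; int proc_count;
} FilterRuleModel;

/* Rights a process gets on a path: unrestricted when the rule does not apply,
 * else the first matching per-process entry, else the rule's default flag. */
unsigned long effective_rights(const FilterRuleModel *r, const wchar_t *path, const wchar_t *proc)
{
    if (!mask_match(r->filter_mask, path)) return ALLOW_MAX_RIGHT_ACCESS;
    for (int i = 0; i < r->proc_count; i++)
        if (mask_match(r->proc_mask[i], proc)) return r->proc_rights[i];
    return r->access_flag;
}

/* The page's rule: LEAST_ACCESS_FLAG by default, notepad.exe full, explorer.exe read-only. */
int can_write(const wchar_t *path, const wchar_t *proc)
{
    static const FilterRuleModel rule = { L"c:\\test\\*", LEAST_ACCESS_FLAG,
        { L"notepad.exe", L"explorer.exe" }, { ALLOW_MAX_RIGHT_ACCESS, READONLY_RIGHTS }, 2 };
    return (effective_rights(&rule, path, proc) & ALLOW_WRITE_ACCESS) != 0;
}
```

Because LEAST_ACCESS_FLAG has no low bits set, a process that matches neither per-process entry ends up with no read or write rights at all, which is the "remove all the access rights to other processes" behaviour the example describes.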

Encrypt the file with encryption filter driver

Protect your sensitive files with data encryption at rest.


//Example:
//Transparently encrypt or decrypt files in folder c:\test automatically with an AES 256-bit key.

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS|FILE_ENCRYPTION_RULE, L"c:\\test\\*", 1);

//256-bit (32-byte) encryption key; this is a sample value for demonstration only, a real key must come from your key management.
unsigned char key[] = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};
AddEncryptionKeyToFilterRule(L"c:\\test\\*",sizeof(key),key);

Prevent the encrypted sensitive files from being accessed without your authorization with the encryption and control filter driver

Only authorized processes can read the decrypted content of the encrypted files; any other process gets cipher data when it reads them.


//Example:
//Transparently encrypt files in folder c:\test automatically with an AES 256-bit key; only the authorized process "notepad.exe" can read the encrypted files,
//so when you copy an encrypted file in Windows Explorer, the encrypted file is copied out instead of the decrypted file.

AddFileFilterRule((ALLOW_MAX_RIGHT_ACCESS|FILE_ENCRYPTION_RULE)&(~ALLOW_READ_ENCRYPTED_FILES), L"c:\\test\\*", 1);

//256-bit (32-byte) encryption key; this is a sample value for demonstration only, a real key must come from your key management.
unsigned char key[] = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};
AddEncryptionKeyToFilterRule(L"c:\\test\\*",sizeof(key),key);
AddProcessRightsToFilterRule(L"c:\\test\\*",L"notepad.exe",ALLOW_MAX_RIGHT_ACCESS);

Get the notification of the new process or thread creation or termination with the process filter driver

Register the process operations callback service.


//Example:
//Get a notification for any new process or thread creation or termination.

AddProceeFilterEntry(2, L"*", PROCESS_CREATION_NOTIFICATION|PROCESS_TERMINATION_NOTIFICATION|THREAD_CREATION_NOTIFICATION|THREAD_TERMINATION_NOTIFICATION);

Prevent the untrusted binaries from launch with the process filter driver

Prevent untrusted executable binaries (malware) from being launched, and protect your data from being damaged by untrusted processes.


//Example:
//Block processes from being launched from the folder c:\untrustFiles.

AddProceeFilterEntry(wcslen(L"c:\\untrustFiles\\*")*2, L"c:\\untrustFiles\\*", DENY_NEW_PROCESS_CREATION);

Filter the file I/Os for specific processes

Restrict the process file access rights to folders.


//Example:
//Set readonly access to the folder c:\windows for the process "notepad.exe", set the full access rights to the folder c:\test for the process "notepad.exe".

AddFileAccessRightsToProcessName(wcslen(L"notepad.exe")*2, L"notepad.exe", wcslen(L"c:\\windows\\*")*2, L"c:\\windows\\*",
            ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS|ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION)), 0, 0);

AddFileAccessRightsToProcessName(wcslen(L"notepad.exe")*2, L"notepad.exe", wcslen(L"c:\\test\\*")*2,L"c:\\test\\*",ALLOW_MAX_RIGHT_ACCESS,0,0 );

Prevent the registry from being modified by a specific process with the registry filter driver

Restrict the process with readonly access rights to the registry.


//Example:
//Set the registry readonly access rights to the process "notepad.exe".

//Read-only registry rights: open, query and enumerate keys, but no create, set or delete.
ULONG ALLOW_READ_REGISTRY_ACCESS_FLAG = REG_ALLOW_OPEN_KEY | REG_ALLOW_QUERY_KEY | REG_ALLOW_ENUMERATE_KEY | REG_ALLOW_QUERY_VALUE_KEY
            | REG_ALLOW_QUERY_KEY_SECURITY | REG_ALLOW_QUERY_KEYNAME;
AddFileAccessRightsToProcessName(wcslen(L"notepad.exe")*2, L"notepad.exe", wcslen(L"c:\\windows\\*")*2, L"c:\\windows\\*",
            ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS|ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION)), 0, 0);

AddRegfilterEntry(wcslen(L"notepad.exe")*2, L"notepad.exe", 0, 0, NULL, 2, L"*", ALLOW_READ_REGISTRY_ACCESS_FLAG, 0, 0);

Get the notification of the registry operations by the specific processes with the registry filter driver

Register for notifications of registry operations, and get a callback notification whenever a registry operation is triggered.


//Example:
//Get a notification of every registry operation performed by the process "notepad.exe".

ULONG ALLOW_READ_REGISTRY_ACCESS_FLAG = REG_ALLOW_OPEN_KEY | REG_ALLOW_QUERY_KEY | REG_ALLOW_ENUMERATE_KEY | REG_ALLOW_QUERY_VALUE_KEY
            | REG_ALLOW_QUERY_KEY_SECURITY | REG_ALLOW_QUERY_KEYNAME;
AddFileAccessRightsToProcessName(wcslen(L"notepad.exe")*2, L"notepad.exe", wcslen(L"c:\\windows\\*")*2, L"c:\\windows\\*",
            ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS|ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION)), 0, 0);

//Full registry rights, with every registry callback class registered so each operation is reported.
AddRegfilterEntry(wcslen(L"notepad.exe")*2, L"notepad.exe", 0, 0, NULL, 2, L"*", REG_MAX_ACCESS_FLAG, MAX_REG_CALLBACK_CLASS, 0);