The EaseFilter Filter Driver SDK is a collection of tools, libraries, and sample code designed to facilitate the creation of Windows file system filter drivers. These drivers operate at a low level, intercepting file I/O requests before they reach the underlying file system or other filter drivers.
The EaseFilter SDK provides a powerful interface for developing Windows filter drivers in C++, C#, or other programming languages that support native DLL calls. This guide helps developers understand how to use the SDK effectively to monitor, filter, or control file system activities in real time.
EaseFilter File Security SDK is a powerful Windows file system filter driver development kit that allows developers to monitor, control, and protect file system activities in real-time. Here’s what you can do with it:
Monitor file activities in real-time: Track who is accessing files, when, and how (read, write, delete, rename, etc.).
Control file access: Implement granular security policies to allow or deny file operations based on users, processes, file paths, or even content.
Implement transparent file encryption: Encrypt and decrypt data on-the-fly, ensuring sensitive information remains protected at rest.
Develop data loss prevention (DLP) solutions: Prevent unauthorized data exfiltration by controlling file transfers and modifications.
Build journaling and auditing tools: Maintain detailed logs of file system events for compliance and forensic analysis.
Create virtual file systems and storage tiering solutions: Manage data across different storage locations seamlessly.
Monitor and protect processes and the registry: Extend control beyond files to secure system configurations and prevent malicious software execution.
The versatility of the EaseFilter SDK opens doors to a wide range of applications:
Data Security Software: Develop DLP solutions, file encryption utilities, and access control systems for sensitive data.
File Auditing and Compliance Tools: Create applications that track every file operation for regulatory compliance and internal security audits.
Endpoint Protection Platforms: Enhance endpoint security by controlling process execution and monitoring critical system files.
Backup and Recovery Solutions: Implement Continuous Data Protection (CDP) by logging real-time file changes.
Digital Rights Management (DRM): Securely share files with embedded access policies that can be revoked at any time.
Cloud Storage Integration: Build solutions that seamlessly integrate local file systems with cloud storage, offering features like data tiering and virtual file systems.
Application Sandboxing: Create secure environments for applications by controlling their file system access.
By integrating EaseFilter SDK with artificial intelligence (AI) and machine learning (ML) models, developers can build smart security analytics tools, capable of anomaly detection, behavior-based threat detection, and automated response. This guide shows how to integrate EaseFilter SDK with Python-based AI models for intelligent, real-time file activity monitoring.
SIEM Integration: Send file events to Splunk, Elastic, or Sentinel via syslog or HTTP
AI Behavior Analytics: Analyze unusual file activity using anomaly detection
Compliance Enforcement: Enforce GDPR, HIPAA, or CMMC policies via file rules
Ransomware Prevention: Detect rapid file renames or entropy spikes and trigger a block
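The rename-rate and entropy signals named in the last item can be computed as follows. This is an added example, not code from the EaseFilter SDK or its demos: the class name, the thresholds (20 renames per 10 seconds, 7.5 bits per byte, 4096-byte minimum) and the idea of calling it from rename and write event handlers are all assumptions to tune per environment.

```csharp
using System;
using System.Collections.Generic;

// Added example: thresholds and type names are assumptions, not EaseFilter SDK values.
public sealed class RansomwareHeuristic
{
    private readonly int _maxRenames;
    private readonly TimeSpan _window;
    private readonly double _minEntropy;
    private readonly Dictionary<string, Queue<DateTime>> _renames = new();
    private readonly object _lock = new();

    public RansomwareHeuristic(int maxRenames = 20, int windowSeconds = 10, double minEntropy = 7.5) =>
        (_maxRenames, _window, _minEntropy) = (maxRenames, TimeSpan.FromSeconds(windowSeconds), minEntropy);

    // Shannon entropy in bits per byte: 0 for constant data, close to 8 for ciphertext.
    public static double Entropy(ReadOnlySpan<byte> data)
    {
        if (data.IsEmpty) return 0;
        var counts = new int[256];
        foreach (byte b in data) counts[b]++;
        double h = 0;
        foreach (int c in counts)
        {
            if (c == 0) continue;
            double p = (double)c / data.Length;
            h -= p * Math.Log2(p);
        }
        return h;
    }

    // Records one rename and returns true once the process exceeds its budget in the window.
    public bool RecordRename(string process, DateTime utc)
    {
        lock (_lock) // event callbacks may arrive on several threads
        {
            if (!_renames.TryGetValue(process, out var q))
                _renames[process] = q = new Queue<DateTime>();
            q.Enqueue(utc);
            while (utc - q.Peek() > _window) q.Dequeue(); // drop renames older than the window
            return q.Count > _maxRenames;
        }
    }

    // Small buffers give unstable entropy estimates, so they are ignored.
    public bool IsHighEntropyWrite(ReadOnlySpan<byte> buffer) =>
        buffer.Length >= 4096 && Entropy(buffer) >= _minEntropy;
}
```

Compressed and media formats (zip, jpg, docx) also score near 8 bits per byte, so entropy alone produces false positives; requiring both signals from the same process before triggering a block keeps the rule usable.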
Understand File I/O Fundamentals: Even with the SDK abstracting complexities, a solid understanding of how Windows handles file I/O (IRPs, filter driver stack, pre- and post-operations) will be invaluable for effective debugging and optimization.
Start Simple, Then Expand: Begin with the most basic filter rules and event handlers. Verify their functionality thoroughly before adding more complex logic, additional filter rules, or integrating with other application components.
Avoid Synchronous Operations: Do not perform blocking I/O or network requests directly within a filter callback. This can lead to deadlocks or significant performance degradation. If external operations are required, dispatch them to a separate thread pool.
Optimize Filter Rules: Design your FileFilter rules to be as specific as possible. Broad rules with wildcards can lead to more events being intercepted than necessary, impacting performance.
Dynamic Rule Updates: EaseFilter allows you to dynamically add, remove, and modify filter rules. Design your application to update rules efficiently without causing disruption.
Rule Precedence: Understand how EaseFilter processes multiple filter rules. Typically, more specific rules take precedence, but always verify this behavior in the documentation.
Process and User Filters: Leverage the ability to apply filter rules based on ProcessNameAccessRightList and UserNameAccessRightList for fine-grained control. This is essential for enterprise security solutions.
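One way to follow the "Avoid Synchronous Operations" advice above is to have the callback copy the fields it needs into a bounded in-memory queue and leave all slow work to a worker task. This is an added example, not code from the SDK: `FileEvent` and `EventForwarder` are hypothetical names, and the mapping from the SDK's event arguments to `FileEvent` is left to the caller.

```csharp
using System;
using System.Threading;
using System.Threading.Channels;
using System.Threading.Tasks;

// Hypothetical event record: copy the needed fields out of the SDK's event
// arguments inside the callback, then hand this off.
public sealed record FileEvent(DateTime Utc, string Process, string Path, string Operation);

public sealed class EventForwarder
{
    private readonly Channel<FileEvent> _queue;
    private long _dropped;

    public EventForwarder(int capacity = 10_000) =>
        // Bounded, so a stalled sink cannot grow memory without limit.
        _queue = Channel.CreateBounded<FileEvent>(new BoundedChannelOptions(capacity)
        {
            SingleReader = true,
            FullMode = BoundedChannelFullMode.Wait // TryWrite returns false when full
        });

    public long Dropped => Interlocked.Read(ref _dropped);

    // Safe to call from a filter callback: no I/O, no waiting, returns immediately.
    public bool Enqueue(FileEvent e)
    {
        if (_queue.Writer.TryWrite(e)) return true;
        Interlocked.Increment(ref _dropped); // surface the loss instead of blocking
        return false;
    }

    // Runs on a worker task; the slow sink (syslog, HTTP, disk) is awaited here only.
    public async Task RunAsync(Func<FileEvent, Task> sink, CancellationToken ct = default)
    {
        await foreach (var e in _queue.Reader.ReadAllAsync(ct))
        {
            try { await sink(e); }
            catch (Exception ex) { Console.Error.WriteLine($"sink error: {ex.Message}"); }
        }
    }

    // Call on shutdown so RunAsync drains the queue and then completes.
    public void Complete() => _queue.Writer.Complete();
}
```

This pattern fits monitoring callbacks, where nothing waits on the result. A pre-operation control callback still has to return its allow or block decision before the I/O proceeds, so that decision should be taken from state already in memory, with only the logging handed to the queue.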
When you receive an I/O event in your callback, the MESSAGE_SEND_DATA structure (or its equivalent in your chosen language) provides crucial context:
Use this information to build rich auditing, enforce complex policies, or modify file data intelligently.
The EaseFilter SDK offers a rich set of features that translate directly into significant benefits for developers:
Simplified Development: The SDK provides a high-level API, abstracting away the complexities of kernel-mode programming. This allows developers to focus on application logic rather than intricate driver internals.
Comprehensive Functionality: From real-time monitoring to granular access control and transparent encryption, EaseFilter offers a broad spectrum of capabilities to address diverse file system security and management needs.
Real-time Interception: The ability to intercept I/O requests before they are processed by the file system means you can implement proactive controls, blocking unauthorized actions in real-time.
Granular Control with Filter Rules: Define sophisticated filter rules based on file masks, process names, user identities, and desired access rights to implement highly specific policies.
Flexible Event Handling: Register callbacks for various file I/O events (pre- and post-operations) to execute custom logic, log information, or modify requests.
Support for Multiple SDK Types: EaseFilter provides distinct SDKs for File Monitoring, File Access Control, Transparent File Encryption, Process Monitoring/Protection, and Registry Protection, allowing you to choose the specific functionality you need.
C# and C++ Examples: The SDK includes demo source code in both C# and C++, making it easier to integrate into existing Windows applications.
Robust and Well-Tested: Backed by years of experience in file system filter driver development, EaseFilter provides a stable and reliable framework that works across various Windows operating system versions.
Scalability: The SDK is designed to handle a large volume of file I/O operations efficiently, making it suitable for enterprise-grade applications.
Reduced Time-to-Market: By providing pre-built components and a streamlined development process, EaseFilter significantly accelerates the creation of sophisticated file system solutions.
Integrating EaseFilter into your development workflow typically involves these steps:
Obtain the SDK: Download the EaseFilter SDK, which usually includes the necessary driver files (EaseFlt.sys) and the user-mode API library (FilterAPI.dll).
Install the Driver: The EaseFilter filter driver needs to be installed on the system where your application will run. This often requires administrator privileges.
Initialize the Filter Control: In your application, initialize the FilterControl object from the SDK, setting your license key and configuring the filter type (e.g., FILE_SYSTEM_MONITOR, FILE_SYSTEM_CONTROL).
Define Filter Rules: Create FileFilter objects to define your policies. These rules specify which files or directories to monitor or control, and what access rights are allowed or denied. You can include/exclude files, processes, and even users.
Register Callbacks: For monitoring, register callback functions for the I/O events you wish to track (e.g., OnPostFileCreate, OnPostFileWrite). For control, register pre-I/O callbacks (e.g., OnPreFileCreate, OnPreFileWrite) where you can allow or block the operation.
Send Configuration to the Driver: Once your filter rules and callbacks are defined, send this configuration to the kernel-mode driver using the SDK's API.
Handle Events and Implement Logic: Within your callback functions, you'll receive detailed information about the file I/O operation. This is where you implement your custom logic, such as logging, modifying data, or preventing access.
Stop and Uninstall: Ensure proper shutdown of the filter service and uninstallation of the driver when your application is no longer needed.
Project Configuration:
✅ Set Up Your C# Project
Add References:
Add a using directive:
```csharp
using EaseFilter.FilterControl;
```
| Use Case | SDK Feature | Example |
|---|---|---|
| Audit user file access | File Monitor SDK | Log who read/edited files |
| Prevent copy to USB | File Control SDK | Block write on E:\\ |
| Secure CAD files | File Encryption SDK | Auto-encrypt .dwg, .stp files |
| Block ransomware behavior | File Control + Monitor SDK | Deny mass-renaming/deleting |
| Insider threat detection | File Control + Monitor SDK | Alert when unauthorized user deletes critical files |
| Data exfiltration alerts | File Encryption + Control SDK | Detect Outlook or browser accessing encrypted documents |
| Behavioral analytics | File Monitor SDK | Feed user/process behavior into UEBA systems |
| Embed DRM in shared files | Encryption SDK with tags | Embed expiry metadata |
Real-Time File Activity Logging: Capture file operations like create, open, read, write, rename, delete.
Audit Trails: Track which users or processes accessed what files and when.
Use Cases: Compliance logging, forensic investigation, SIEM integration.
Example Code Snippet:
```csharp
string lastError = string.Empty;
var filterControl = new FilterControl();
filterControl.StartFilter(...); // arguments elided in the original

// Create a file monitor filter rule; every filter rule must have a unique watch path.
FileFilter fileFilter = new FileFilter("c:\\monitorFolder\\*");

// Report file delete, rename, and write events.
fileFilter.FileChangeEventFilter = FilterAPI.FileChangedEvents.NotifyFileWasDeleted
    | FilterAPI.FileChangedEvents.NotifyFileWasRenamed
    | FilterAPI.FileChangedEvents.NotifyFileWasWritten;

// Register the file change callback.
fileFilter.NotifyFileWasChanged += NotifyFileChanged;

// Select which monitor I/O events to receive and register the handler.
fileFilter.MonitorFileIOEventFilter = MonitorFileIOEvents.OnFileCreate;
fileFilter.OnFileOpen += OnFileCreate;

filterControl.AddFilter(fileFilter);
filterControl.SendConfigSettingsToFilter(ref lastError);

// Keep the filter running until the user presses 'q'.
while (Console.Read() != 'q') ;
filterControl.StopFilter();
```
Whitelist/Blacklist Rules: Allow or block access by process, user, or file type.
Permission Enforcement: Read-only, deny access, or mask file content for unauthorized users or apps.
Zero Trust Model: Default deny all, allow explicitly.
Example Code Snippet:
```csharp
var filterControl = new FilterControl();
filterControl.StartFilter(...); // arguments elided in the original

var rule = new FileFilter("C:\\SecureFolder\\*");
rule.EnableWriteToFile = false;        // Prevent writes
rule.EnableDeleteFile = false;         // Prevent deletions
rule.EnableRenameOrMoveFile = false;   // Prevent renames

// Per-process exception: notepad.exe keeps full access to the folder.
rule.ProcessNameAccessRightList.Add("notepad.exe", FilterAPI.ALLOW_MAX_RIGHT_ACCESS);

// Request pre-create and pre-delete control events for this rule.
rule.ControlFileIOEventFilter = (ulong)(ControlFileIOEvents.OnPreFileCreate | ControlFileIOEvents.OnPreDeleteFile);

filterControl.AddFilter(rule);
filterControl.SendConfigSettingsToFilter();
```
Per-File Encryption Key: Encrypt files with unique keys on-the-fly.
Custom Key Management: Plug in your own key service (via callback).
Content Protection: Even if copied, files remain encrypted unless opened by an authorized process.
Example Code Snippet:
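```csharp
using System.Text;

var filterControl = new FilterControl();
filterControl.StartFilter(...); // arguments elided in the original

var rule = new FileFilter("C:\\SecureFolder\\*");
rule.EnableEncryption = true;
// The driver calls back into the application to obtain the key for each file.
rule.OnFilterRequestEncryptKey += ProvideCustomKey;

filterControl.AddFilter(rule);
filterControl.SendConfigSettingsToFilter();

void ProvideCustomKey(object sender, EncryptKeyEventArgs e)
{
    // GetKeyFromSecureServer is the application's own key lookup; it is not defined on this page.
    e.EncryptionKey = GetKeyFromSecureServer(e.FileName);
    e.CustomTag = Encoding.UTF8.GetBytes("Confidential");
}
```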
For developers looking to exert powerful, low-level control over file system interactions on Windows, the EaseFilter SDK is an invaluable asset. Its ability to simplify the complexities of file system filter driver development, coupled with its comprehensive feature set, empowers you to build sophisticated security, management, and data protection solutions with greater ease and efficiency. By leveraging EaseFilter, you can unlock new possibilities for your applications, providing unparalleled control and visibility over your data.