
Process Filter Driver SDK

Download EaseFilter Process Filter Driver SDK Setup File
Download EaseFilter Process Filter Driver SDK Zip File

What is the process filter driver

The EaseFilter Process Filter Driver SDK is a kernel-mode development kit designed to help developers monitor and control Windows process and thread activities. By intercepting process and thread operations at the kernel level, it enables the development of robust security applications that can prevent unauthorized or malicious processes from executing.

Key Features

🔍 Real-Time Process and Thread Monitoring

The SDK provides notifications for:

  • Process Creation: Detect when new processes are initiated.
  • Process Termination: Monitor when processes exit.
  • Thread Creation: Identify the creation of new threads within processes.
  • Thread Termination: Track the termination of threads.

This real-time monitoring is crucial for applications that need to enforce security policies or audit system activities.

🔐 Process Access Control

With the SDK, you can:

  • Prevent Unauthorized Executions: Block the launch of untrusted or malicious executables.
  • Protect Sensitive Data: Ensure that only authorized processes can access or modify critical data.

By setting specific control flags, applications can define granular access policies based on process names or IDs.

📁 File Access Monitoring and Protection

When combined with the File Access Control Filter Driver, the SDK allows:

  • Process-Based File Access Control: Grant or deny file access to specific processes.
  • Sensitive File Protection: Prevent unauthorized processes from accessing or modifying protected files.

This integration ensures comprehensive security by linking process activities with file system operations.

C# Example: Using the EaseFilter Process Filter Driver SDK

The EaseFilter Process Filter Driver SDK is easy to use, and includes demo source code in both C# and C++ to help you get started quickly.
To monitor or control Windows process activities, you must first create a process filter rule. Below are the basic steps for setting up the rule:

🔧 Steps to Configure a Process Filter Rule

  1. Define a process filter rule using a process name filter mask (e.g., *.exe) or a specific process ID to target particular processes.
  2. Exclude specific processes by adding excluded process name filter masks.
    Example: Exclude system processes or trusted applications.
    (This step is optional.)
  3. Exclude processes created by specific users by adding excluded user filter masks.
    (This step is also optional.)
  4. Set process access control flags to define the actions you want to monitor or block.
    For example:
    • Get notifications on process creation or termination
    • Deny the creation of new processes based on your policy

By configuring these rules and control flags, your application can effectively monitor and manage process activities in real-time.
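The four steps above describe a policy, and it helps to see how the pieces combine before wiring them into the driver: a process is in scope if its image path matches the name filter mask (or its PID is targeted), it drops out of scope again if an excluded process mask or an excluded user mask matches, and only then do the control flags decide whether the event is reported or denied. The following Python model is an added example written for this page; it is not code from the EaseFilter SDK, and the flag names, event shape and sample events are constructed for illustration. It generalises the steps slightly by evaluating a whole batch of creation and termination events against one rule.

```python
"""Model of a process filter rule (added example, not EaseFilter SDK code)."""
from dataclasses import dataclass
from enum import IntFlag
from fnmatch import fnmatchcase
from typing import Iterable, List, Tuple


class ControlFlag(IntFlag):
    """Hypothetical control flags modelled on step 4 (not the SDK's constants)."""
    NONE = 0
    NOTIFY_CREATION = 1
    NOTIFY_TERMINATION = 2
    DENY_CREATION = 4


@dataclass(frozen=True)
class ProcessEvent:
    kind: str          # "create" or "terminate"
    image_path: str    # full path of the executable
    pid: int
    user: str          # account that owns the process, e.g. "CORP\\alice"


def mask_matches(mask: str, value: str) -> bool:
    """Wildcard match; Windows paths and user names are case-insensitive."""
    return fnmatchcase(value.lower(), mask.lower())


@dataclass(frozen=True)
class ProcessFilterRule:
    process_name_mask: str                      # step 1: e.g. "*.exe"
    process_ids: frozenset = frozenset()        # step 1: or specific PIDs
    excluded_process_masks: tuple = ()          # step 2 (optional)
    excluded_user_masks: tuple = ()             # step 3 (optional)
    control_flags: ControlFlag = ControlFlag.NONE  # step 4

    def in_scope(self, ev: ProcessEvent) -> bool:
        targeted = ev.pid in self.process_ids or mask_matches(self.process_name_mask, ev.image_path)
        if not targeted:
            return False
        if any(mask_matches(m, ev.image_path) for m in self.excluded_process_masks):
            return False
        if any(mask_matches(m, ev.user) for m in self.excluded_user_masks):
            return False
        return True

    def evaluate(self, ev: ProcessEvent) -> Tuple[str, bool]:
        """Return (verdict, notify); verdict is 'allow' or 'deny'."""
        if not self.in_scope(ev):
            return "allow", False            # rule does not apply to this process
        if ev.kind == "create":
            notify = bool(self.control_flags & ControlFlag.NOTIFY_CREATION)
            verdict = "deny" if self.control_flags & ControlFlag.DENY_CREATION else "allow"
            return verdict, notify
        if ev.kind == "terminate":
            return "allow", bool(self.control_flags & ControlFlag.NOTIFY_TERMINATION)
        raise ValueError(f"unknown event kind {ev.kind!r}")


def evaluate_all(rule: ProcessFilterRule, events: Iterable[ProcessEvent]) -> List[Tuple[ProcessEvent, str, bool]]:
    return [(ev, *rule.evaluate(ev)) for ev in events]


# Constructed sample policy: watch every .exe, except System32 binaries and
# service accounts, report creations and block them.
SAMPLE_RULE = ProcessFilterRule(
    process_name_mask="*.exe",
    excluded_process_masks=("c:\\windows\\system32\\*",),
    excluded_user_masks=("nt authority\\*",),
    control_flags=ControlFlag.NOTIFY_CREATION | ControlFlag.DENY_CREATION,
)

# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = (
    ProcessEvent("create", "C:\\Tools\\unknown.exe", 4100, "CORP\\alice"),
    ProcessEvent("create", "C:\\Windows\\System32\\svchost.exe", 900, "NT AUTHORITY\\SYSTEM"),
    ProcessEvent("create", "C:\\Tools\\backup.exe", 4200, "NT AUTHORITY\\SYSTEM"),
    ProcessEvent("create", "C:\\Tools\\report.bat", 4300, "CORP\\alice"),
    ProcessEvent("terminate", "C:\\Tools\\unknown.exe", 4100, "CORP\\alice"),
)

if __name__ == "__main__":
    for ev, verdict, notify in evaluate_all(SAMPLE_RULE, SAMPLE_EVENTS):
        print(f"{ev.kind:9} {ev.image_path:40} {ev.user:22} -> {verdict}, notify={notify}")
```

Running the module shows that only the creation of C:\Tools\unknown.exe is denied and reported: svchost.exe is excluded by the process mask, backup.exe by the user mask, report.bat never matched *.exe, and the termination event passes silently because NOTIFY_TERMINATION is not set. A PID-targeted rule works the same way with an empty name mask.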

[Figure: process filter rule configuration]

Here is the screenshot of the C# process demo application.

[Screenshot: C# process demo application]

Here is a code snippet from the C# demo application; it shows how to start the filter service, add a filter rule with its callbacks, and push the configuration to the driver.

using System;
using EaseFilter.FilterControl;

namespace FileMonitorConsole
{
    class Program
    {
        static FilterControl filterControl = new FilterControl();

        static void Main(string[] args)
        {
            string lastError = string.Empty;
            string licenseKey = "**************************";
                
            FilterAPI.FilterType filterType = FilterAPI.FilterType.MONITOR_FILTER;
            int serviceThreads = 5;
            int connectionTimeOut = 10; //seconds

            try
            {
                if (!filterControl.StartFilter(filterType, serviceThreads, connectionTimeOut, licenseKey, ref lastError))
                {
                    Console.WriteLine("Start Filter Service failed with error:" + lastError);
                    return;
                }

                //The watch path may contain wildcards and acts as the file path filter mask, e.g. '*.txt' monitors only text files.
                string watchPath = "c:\\test\\*";

                if (args.Length > 0)
                {
                    watchPath = args[0];
                }

                //create a file monitor filter rule, every filter rule must have the unique watch path. 
                FileFilter fileMonitorFilter = new FileFilter(watchPath);

                //Filter the file change event to monitor all file change events.
                fileMonitorFilter.FileChangeEventFilter = FilterAPI.MonitorFileEvents.NotifyAll;

                //register the file change callback events.
                fileMonitorFilter.NotifyFileWasChanged += NotifyFileChanged;

                //Filter the monitor file IO events
                fileMonitorFilter.MonitorFileIOEventFilter = (ulong)(MonitorFileIOEvents.OnFileOpen | MonitorFileIOEvents.OnFileRead);

                fileMonitorFilter.OnFileOpen += OnFileOpen;
                fileMonitorFilter.OnFileRead += OnFileRead;

                filterControl.AddFilter(fileMonitorFilter);

                if (!filterControl.SendConfigSettingsToFilter(ref lastError))
                {
                    Console.WriteLine("SendConfigSettingsToFilter failed." + lastError);
                    return;
                }

                Console.WriteLine("Start filter service succeeded.");

                // Wait for the user to quit the program.
                Console.WriteLine("Press 'q' to quit the sample.");
                while (Console.Read() != 'q') ;

                filterControl.StopFilter();

            }
            catch (Exception ex)
            {
                Console.WriteLine("Start filter service failed with error:" + ex.Message);
            }

        }

        /// Fires this event when the file was changed.
        static void NotifyFileChanged(object sender, FileChangeEventArgs e)
        {
            Console.WriteLine("NotifyFileChanged:" + e.FileName + ",eventType:" + e.eventType.ToString()
                + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }

        /// Fires this event after the file was opened, the handle is not closed. 
        static void OnFileOpen(object sender, FileCreateEventArgs e)
        {
            Console.WriteLine("FileOpen:" + e.FileName + ",status:" + e.IOStatusToString()
                + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }

        /// Fires this event after the read IO was returned.
        static void OnFileRead(object sender, FileReadEventArgs e)
        {
            Console.WriteLine("FileRead:" + e.FileName + ",offset:" + e.offset + ",readLength:"
                + e.returnReadLength + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }
    }
}


Process Filter Driver SDK Demo Video

Process Filter Driver SDK Demo
Real-Time Process and Thread Monitoring.