EaseFilter File System Filter Driver SDK

Download EaseFilter Filter Driver SDK Setup File
Download EaseFilter Filter Driver SDK Zip File

What is a File System Filter Driver?

A file system filter driver is an optional driver that adds value to or modifies the behavior of a file system. A file system filter driver is a kernel-mode component that runs as part of the Microsoft Windows NT executive. A file system filter driver can filter I/O operations for one or more file systems or file system volumes. Depending on the nature of the driver, filter can mean log, observe, modify, or even prevent the file I/O. Typical applications for file system filter drivers include antivirus utilities, encryption programs, and hierarchical storage management systems.

File System Filter Driver Framework

Developing a file system filter driver is a challenging job; it can take months to learn and become productive in file system filter driver development. The EaseFilter File System Filter Driver Framework simplifies that work by providing a robust, well-tested file system filter driver that works with all versions and patch releases of the Windows operating systems supported by Microsoft. It gives you a fully tested filter driver framework that supports all IRPs, tracing, logging and communication with user mode applications, so even a user mode developer who only knows C#, C++ or another language can build a file system filter application without file system internals knowledge.

EaseFilter File System Filter Driver SDK

EaseFilter File System Filter Driver SDK is a set of file system filter driver software development kit which includes file monitor filter driver, file access control filter driver, transparent file encryption filter driver, process filter driver and registry filter driver. In a single solution, EaseFilter Comprehensive File Security SDK encompasses file security, digital rights management, encryption, file monitoring, file auditing, file tracking, data loss prevention, process monitoring and protection, and system configuration protection.

File Monitor Filter Driver

The file system monitor filter can monitor file system activity on the fly. With the file system monitor filter you can monitor file activity at the file system level and capture file open, create, overwrite, read, write, query file information, set file information, query security information, set security information, file rename, file delete, directory browsing and file close I/O requests. You can develop software for the following purposes:

  • Create your own continuous data protection (CDP) software to log file update information, including the offset and length of each write, in real time.
  • Audit your file content. You can intercept any file system call, analyze its content and log it.
  • Create an access log so you know who accessed which files and when.
  • Journal the file update information. This control may be based on any file parameters, such as its location, type, size, etc.


File Control Filter Driver

The file system control filter can control file activity: you can intercept a file system call, modify its content before or after the request goes down to the file system, and allow, deny or cancel its execution based on the filter rule. You can fully control file open/create/overwrite, read/write, query/set file attribute/size/time/security information, rename/delete and directory browsing I/O requests. With the file system control filter you can develop these kinds of software:

  • Create your own data protection software: block access to your data based on your security policy and prevent data modification without permission.
  • Create your own encryption software by encrypting the data being written and decrypting the data being read.
  • Create your own custom security policies to control file access.
  • Hide or replace files in a directory: you can modify the directory buffer to hide some files or change file names.


Transparent File Encryption Filter Driver

The EaseFilter file system encryption filter driver SDK provides a comprehensive solution for transparent file level encryption. It lets developers create transparent encryption products that encrypt or decrypt files on-the-fly and allow only authorized users or processes to access the encrypted files.

The supported cryptographic algorithm is Rijndael, the high-security algorithm chosen by the National Institute of Standards and Technology (NIST) as the Advanced Encryption Standard (AES); it supports key lengths of 128, 192 and 256 bits.


Registry Filter Driver

Monitor registry calls to track registry changes. When a registry key, value or security descriptor is modified, the callback routine is invoked with a data structure containing information specific to the type of registry operation.

Block registry calls to prevent your registry from being changed by unauthorized processes. When a registry key, value or security descriptor is about to be modified, the callback routine is invoked with a data structure containing information specific to the type of registry operation. If the RegistryCallback routine returns the status value STATUS_ACCESS_DENIED for a pre-notification, the registry operation is blocked and that error code is returned to the caller.

Modify registry calls to create virtual registry keys or values.


Process Filter Driver

Monitor process and thread creation or termination, receiving notifications of process and thread operations for the events you register. Prevent untrusted executable binaries (malware) from being launched, and protect your data from being damaged by untrusted processes.


How to use EaseFilter File System Filter Driver SDK

The EaseFilter file system filter SDK includes two components, EaseFlt.sys and FilterAPI.dll; both come in separate builds for 32-bit and 64-bit Windows systems. EaseFlt.sys is the file system filter driver, which implements all the functionality at the file system level. FilterAPI.dll is a wrapper DLL which exports the API to user mode applications. To check whether a binary is 32-bit or 64-bit, right-click the file, open its properties, go to the "Details" tab and check the "File description" field.
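Checking the bitness from the "Details" property page depends on the vendor having put it in the file description. The PE header is authoritative, so the following added example (my own code, not part of the EaseFilter SDK) reads the IMAGE_FILE_HEADER.Machine and IMAGE_OPTIONAL_HEADER.Magic fields of an image and reports whether it is x86 or x64, refusing images whose two fields disagree. The sample header built by MakeSampleHeader is constructed for the demonstration; pass a real path such as EaseFlt.sys on the command line to check an actual file.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <fstream>
#include <iostream>
#include <iterator>
#include <string>
#include <vector>

// Added example, not EaseFilter SDK code: classify a PE image as 32-bit or 64-bit.
enum class PeArch { NotPe, Unknown, X86, X64 };

static uint16_t Rd16(const std::vector<uint8_t>& b, size_t off) {
    return static_cast<uint16_t>(b[off] | (b[off + 1] << 8));
}
static uint32_t Rd32(const std::vector<uint8_t>& b, size_t off) {
    return static_cast<uint32_t>(b[off]) | (static_cast<uint32_t>(b[off + 1]) << 8) |
           (static_cast<uint32_t>(b[off + 2]) << 16) | (static_cast<uint32_t>(b[off + 3]) << 24);
}

// Layout used: IMAGE_DOS_HEADER.e_lfanew at 0x3C points at "PE\0\0"; the 2-byte
// IMAGE_FILE_HEADER.Machine follows the signature, and IMAGE_OPTIONAL_HEADER.Magic
// (0x10B = PE32, 0x20B = PE32+) sits 20 bytes after Machine.
PeArch DetectPeArch(const std::vector<uint8_t>& img) {
    if (img.size() < 0x40 || img[0] != 'M' || img[1] != 'Z') return PeArch::NotPe;
    const size_t pe = Rd32(img, 0x3C);
    if (pe > img.size() || img.size() - pe < 26) return PeArch::NotPe;  // signature + Machine + Magic
    if (std::memcmp(&img[pe], "PE\0\0", 4) != 0) return PeArch::NotPe;
    const uint16_t machine = Rd16(img, pe + 4);
    const uint16_t magic   = Rd16(img, pe + 24);
    if (machine == 0x014C && magic == 0x10B) return PeArch::X86;  // IMAGE_FILE_MACHINE_I386
    if (machine == 0x8664 && magic == 0x20B) return PeArch::X64;  // IMAGE_FILE_MACHINE_AMD64
    return PeArch::Unknown;  // other architecture, or Machine and Magic disagree
}

PeArch DetectPeArchFromFile(const std::string& path) {
    std::ifstream in(path, std::ios::binary);
    if (!in) return PeArch::NotPe;
    std::vector<uint8_t> img((std::istreambuf_iterator<char>(in)), std::istreambuf_iterator<char>());
    return DetectPeArch(img);
}

const char* ArchName(PeArch a) {
    switch (a) {
        case PeArch::X86:     return "32-bit (x86)";
        case PeArch::X64:     return "64-bit (x64)";
        case PeArch::Unknown: return "PE, but not x86/x64 or inconsistent headers";
        default:              return "not a PE image";
    }
}

// Constructed sample input: a header-only image, not a real driver binary.
std::vector<uint8_t> MakeSampleHeader(uint16_t machine, uint16_t magic) {
    const size_t pe = 0x80;
    std::vector<uint8_t> img(pe + 32, 0);
    img[0] = 'M'; img[1] = 'Z';
    img[0x3C] = static_cast<uint8_t>(pe);  // e_lfanew (fits in one byte for this sample)
    std::memcpy(&img[pe], "PE\0\0", 4);
    img[pe + 4]  = static_cast<uint8_t>(machine & 0xFF);
    img[pe + 5]  = static_cast<uint8_t>(machine >> 8);
    img[pe + 24] = static_cast<uint8_t>(magic & 0xFF);
    img[pe + 25] = static_cast<uint8_t>(magic >> 8);
    return img;
}

int main(int argc, char** argv) {
    if (argc > 1)
        std::cout << argv[1] << ": " << ArchName(DetectPeArchFromFile(argv[1])) << "\n";
    else
        std::cout << "sample x64 header: " << ArchName(DetectPeArch(MakeSampleHeader(0x8664, 0x20B))) << "\n";
    return 0;
}
```

Loading a 32-bit FilterAPI.dll into a 64-bit process fails at LoadLibrary time, while installing the wrong EaseFlt.sys fails at driver load, so running this check over both files before deployment catches the mismatch early.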

C++ Example

Copy the correct version (32bit or 64bit) EaseFlt.sys, FilterAPI.DLL,FilterAPI.h and FilterAPI.lib to your folder. FilterAPI.h file includes all the functions and structures used for connecting to the filter driver.

//Start the filter driver by registering the callback functions with API RegisterMessageCallback:
RegisterMessageCallback(FilterConnectionThreadsCount, MessageCallback, DisconnectCallback);

//Setup the global configuration settings for the filter driver:
//Enable the monitor/control/encryption/process/registry filter driver by setting the filter type with a proper license key.
SetFilterType(FILE_SYSTEM_MONITOR|FILE_SYSTEM_CONTROL);

//Set up the connection timeout in seconds; this is the maximum time the filter driver waits for the response of the callback function.
SetConnectionTimeout(30);

//Set up the global Boolean config settings to enable some features: ENABLE_SEND_DENIED_EVENT|ENABLE_SEND_DATA_BUFFER
SetBooleanConfig(booleanConfig);

//Add or remove a protected process Id in the filter driver to prevent that process from being terminated ungracefully:
AddProtectedProcessId(processId);
RemoveProtectedProcessId(processId);

//Set up the volume control flag to block USB read/write: BLOCK_USB_READ|BLOCK_USB_WRITE
SetvolumeControlFlag(volumeControlFlag);

//Setup the file filter rules for the filter driver:
//Setup the filter rule to monitor the file I/O in the c:\test folder (backslashes must be escaped in C/C++ string literals, otherwise "\t" becomes a tab)
AddFileFilterRule(AccessFlags, L"C:\\test\\*", FALSE, FilterRuleId);

//Register the file change events to get notifications for these events: FILE_WAS_CREATED|FILE_WAS_WRITTEN|FILE_WAS_RENAMED|FILE_WAS_DELETED|FILE_SECURITY_CHANGED|FILE_INFO_CHANGED
RegisterFileChangedEventsToFilterRule(L"C:\\test\\*", FileChangedEvents);

//Register the POST IO to get the notification after the IO was processed by the file system.
RegisterMonitorIOToFilterRule(L"c:\\test\\*", POST_NEW_FILE_CREATED|POST_FILE_RENAMED|POST_FILE_DELETED);

//Setup the filter rule to control the file I/O in the c:\protected folder:
//configure the access control flags to protect the folder, not allowing files to be renamed or deleted.
AccessFlags = ALLOW_MAX_RIGHT_ACCESS & (~ALLOW_FILE_RENAME) & (~ALLOW_FILE_DELETE);
AddFileFilterRule(AccessFlags, L"C:\\protected\\*", FALSE, FilterRuleId);

//Register the PRE IO to get the callback before the IO is processed by the file system; you can allow or deny the file I/O in the callback function.
RegisterControlIOToFilterRule(L"c:\\protected\\*", PRE_CREATE);

//Add or remove the access rights of a specific process to the files in the protected folder, e.g. set full access rights for process "wordpad.exe":
AddProecessRightsToFilterRule(L"c:\\protected\\*", L"wordpad.exe", ALLOW_MAX_RIGHT_ACCESS);

//Hide your sensitive files in the protected folder by enabling the hide-file access flag, e.g. hide the files with extension .prt in folder c:\protected.
AccessFlags = ALLOW_MAX_RIGHT_ACCESS | ENABLE_HIDE_FILES_DIRECTORY_BROWSING;
AddFileFilterRule(AccessFlags, L"C:\\protected\\*", FALSE, FilterRuleId);
AddHiddenFileMaskToFilterRule(L"c:\\protected\\*", L"*.prt");

//Setup the filter rule for AUTO FILE ENCRYPTION in the c:\encrypt folder
AccessFlags = ALLOW_MAX_RIGHT_ACCESS | ENABLE_FILE_ENCRYPTION_RULE;
AddFileFilterRule(AccessFlags, L"C:\\encrypt\\*", FALSE, FilterRuleId);

//Configure the processes that read the raw encrypted data, for backup software or other software that needs to send raw encrypted files.
AccessFlags = ALLOW_MAX_RIGHT_ACCESS & (~ALLOW_READ_ENCRYPTED_FILES);
AddProecessRightsToFilterRule(L"c:\\encrypt\\*", L"explorer.exe", AccessFlags);

//Setup the registry filter rule to monitor or protect registry access
//You can block registry access (for example block registry key changes), and you can also get notifications of registry access.
AddRegistryFilterRule(2, L"*", 0, 2, L"*", 0, NULL, REG_MAX_ACCESS_FLAG, regCallbackClass, FALSE, FilterRuleId);

//Setup the process filter rule to monitor or protect process operations
//You can block new process launches, and you can get the notification when a process is created or terminated.
AddProcessFilterRule((ULONG)wcslen(ProcessFilterMask)*sizeof(WCHAR), ProcessFilterMask, ControlFlag);
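The rule calls above, and the File Control Filter Driver section earlier on this page, describe one policy model: a watch-path mask selects the rule, AccessFlags say what any process may do under it, per-process rights override those flags, and hidden-file masks trim directory listings. The following added example (my own user-mode model, not SDK code, and not how EaseFlt.sys evaluates rules internally) implements that model so a policy can be unit-tested before it is pushed to the driver. The bit values of AccessBits, the first-match rule ordering and the SampleRules data are all assumptions; the SDK's real flag values live in FilterAPI.h.

```cpp
#include <cstdint>
#include <cwctype>
#include <map>
#include <string>
#include <vector>

// Added example, not EaseFilter SDK code. Assumed bit layout; the real values are in FilterAPI.h.
enum AccessBits : uint32_t {
    kAllowOpen   = 1u << 0,
    kAllowRead   = 1u << 1,
    kAllowWrite  = 1u << 2,
    kAllowRename = 1u << 3,   // stands in for ALLOW_FILE_RENAME
    kAllowDelete = 1u << 4,   // stands in for ALLOW_FILE_DELETE
    kHideByMask  = 1u << 5,   // stands in for ENABLE_HIDE_FILES_DIRECTORY_BROWSING
    kMaxRightAccess = kAllowOpen | kAllowRead | kAllowWrite | kAllowRename | kAllowDelete,
};

enum class Op { Open, Read, Write, Rename, Delete };

static std::wstring Lower(std::wstring s) {
    for (auto& c : s) c = static_cast<wchar_t>(std::towlower(c));
    return s;
}

// Case-insensitive glob match with '*' and '?', the shape of masks such as C:\protected\*.
bool WildcardMatch(const std::wstring& mask, const std::wstring& text) {
    const size_t npos = std::wstring::npos;
    size_t m = 0, t = 0, star = npos, mark = 0;
    while (t < text.size()) {
        if (m < mask.size() && (mask[m] == L'?' || std::towlower(mask[m]) == std::towlower(text[t]))) {
            ++m; ++t;
        } else if (m < mask.size() && mask[m] == L'*') {
            star = m++; mark = t;       // remember the star; try matching zero characters first
        } else if (star != npos) {
            m = star + 1; t = ++mark;   // backtrack: let the last star absorb one more character
        } else {
            return false;
        }
    }
    while (m < mask.size() && mask[m] == L'*') ++m;
    return m == mask.size();
}

struct FilterRule {
    std::wstring mask;                               // watch path, e.g. L"C:\\protected\\*"
    uint32_t accessFlags;                            // what every process may do by default
    std::map<std::wstring, uint32_t> processRights;  // lower-cased image name -> override flags
    std::vector<std::wstring> hiddenMasks;           // file-name masks hidden from listings
};

static uint32_t OpBit(Op op) {
    switch (op) {
        case Op::Open:   return kAllowOpen;
        case Op::Read:   return kAllowRead;
        case Op::Write:  return kAllowWrite;
        case Op::Rename: return kAllowRename;
        default:         return kAllowDelete;
    }
}

// The first rule whose mask matches decides (assumed ordering); a per-process entry replaces
// the rule's default flags. A path matched by no rule is not intercepted, so it is allowed.
bool IsAllowed(const std::vector<FilterRule>& rules, const std::wstring& path,
               const std::wstring& process, Op op) {
    for (const auto& r : rules) {
        if (!WildcardMatch(r.mask, path)) continue;
        uint32_t flags = r.accessFlags;
        auto it = r.processRights.find(Lower(process));
        if (it != r.processRights.end()) flags = it->second;
        return (flags & OpBit(op)) != 0;
    }
    return true;
}

// True if a directory listing under a hide-enabled rule should omit this file.
bool IsHiddenInListing(const std::vector<FilterRule>& rules, const std::wstring& path) {
    const size_t slash = path.find_last_of(L"\\/");
    const std::wstring name = slash == std::wstring::npos ? path : path.substr(slash + 1);
    for (const auto& r : rules) {
        if (!(r.accessFlags & kHideByMask) || !WildcardMatch(r.mask, path)) continue;
        for (const auto& h : r.hiddenMasks)
            if (WildcardMatch(h, name)) return true;
    }
    return false;
}

// Constructed sample: the protected-folder rule from the snippet above, with rename/delete
// removed, wordpad.exe restored to full rights and *.prt hidden from directory browsing.
std::vector<FilterRule> SampleRules() {
    FilterRule protectedDir;
    protectedDir.mask = L"C:\\protected\\*";
    protectedDir.accessFlags = (kMaxRightAccess & ~kAllowRename & ~kAllowDelete) | kHideByMask;
    protectedDir.processRights[L"wordpad.exe"] = kMaxRightAccess;
    protectedDir.hiddenMasks.push_back(L"*.prt");
    return { protectedDir };
}
```

Two details matter when translating such a model into real rules: process-name overrides match on the image name only, so a copy of wordpad.exe in any folder inherits the same rights, and a path outside every mask is never intercepted, so the default answer for unmatched paths is allow, not deny.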

C# Example

Copy the correct version (32-bit or 64-bit) of EaseFlt.sys and FilterAPI.DLL to your binary folder, then add a reference to the "FilterControl" project to your project.

  
FilterControl filterControl = new FilterControl();

if (!filterControl.StartFilter(filterType, serviceThreads, connectionTimeOut, licenseKey, ref lastError))
{
	Console.WriteLine("Start Filter Service failed with error:" + lastError);
	return;
}

//create a file monitor filter rule, every filter
//rule must have the unique watch path.
FileFilter fileMonitorFilter = new FileFilter(watchPath);

//Filter the file change event to monitor all file change events.
fileMonitorFilter.FileChangeEventFilter = (FilterAPI.FileChangedEvents)FilterAPI.NotifyAllFileEvents;

//register the file change callback events.
fileMonitorFilter.NotifyFileWasChanged += NotifyFileChanged;

//Filter the monitor file IO events
fileMonitorFilter.MonitorFileIOEventFilter = (ulong)(MonitorFileIOEvents.OnFileOpen | MonitorFileIOEvents.OnFileRead);

//fileMonitorFilter.OnFileOpen += OnFileOpen;
//fileMonitorFilter.OnFileRead += OnFileRead;
filterControl.AddFilter(fileMonitorFilter);

if (!filterControl.SendConfigSettingsToFilter(ref lastError))
{
   Console.WriteLine("SendConfigSettingsToFilter failed." + lastError);
   return;
}