What is the Process Filter Driver
The EaseFilter Process Filter Driver SDK is a kernel-mode filter driver development kit. The filter driver runs as part of the Windows executive, above the file system. By intercepting a request before it reaches its intended target, the filter driver can extend or replace the functionality provided by the original target of that request. The EaseFilter Process Filter Driver can monitor and control Windows process activity.
Process monitoring and protection
The EaseFilter Process Filter Driver SDK provides an easy way to develop Windows security applications that monitor Windows process activity. Your application receives a notification when a new process is created or an existing process terminates. It enables your application to prevent untrusted executable binaries (malware) from being launched and to protect your data from being damaged by untrusted processes.
File access monitoring and protection
Bundled with the file access control filter driver, the Process Filter Driver allows you to monitor or control file access based on the process name or process ID. It enables you to set the access rights of specific processes, allowing or blocking file access for those processes, so that your sensitive files cannot be accessed by unauthorized processes.
A C# example to use the Process Filter Driver SDK
The EaseFilter Process Filter Driver SDK is simple to use, and C# and C++ demo source code is provided to show how. To monitor or control Windows process activity, you first need to create a filter rule as follows:
- Set up the process filter rule with a process name filter mask or a process ID.
- Optionally, exclude processes by adding an excluded process name filter mask.
- Optionally, exclude processes created by specific users by adding an excluded user name filter mask.
- Set up the process access control flags. Through the control flags you can request notification of process creation or termination, or deny new process creation.
Here is the screenshot of the C# process demo application.
Here is a code snippet from the C# process demo application:
using System;
using EaseFilter.FilterControl;

namespace FileProtectorConsole
{
    class Program
    {
        static FilterControl filterControl = new FilterControl();

        static void Main(string[] args)
        {
            string lastError = string.Empty;
            string licenseKey = "Email us to request a trial key: info@easefilter.com";
            FilterAPI.FilterType filterType = FilterAPI.FilterType.PROCESS_FILTER;
            int serviceThreads = 5;
            int connectionTimeOut = 10; // seconds

            try
            {
                // Connect to the filter driver and start the service threads.
                if (!filterControl.StartFilter(filterType, serviceThreads, connectionTimeOut, licenseKey, ref lastError))
                {
                    Console.WriteLine("Start Filter Service failed with error:" + lastError);
                    return;
                }

                // Filter rule: match every process ("*") and request creation and termination notifications.
                ProcessFilter processFilter = new ProcessFilter("*");
                processFilter.ControlFlag = FilterAPI.ProcessControlFlag.PROCESS_CREATION_NOTIFICATION
                                          | FilterAPI.ProcessControlFlag.PROCESS_TERMINATION_NOTIFICATION;
                processFilter.OnProcessCreation += OnProcessCreation;
                processFilter.OnProcessPreTermination += OnProcessPreTermination;
                processFilter.NotifyProcessTerminated += NotifyProcessTerminated;
                filterControl.AddFilter(processFilter);

                // Push the rule down to the kernel-mode driver.
                if (!filterControl.SendConfigSettingsToFilter(ref lastError))
                {
                    Console.WriteLine("SendConfigSettingsToFilter failed." + lastError);
                    return;
                }

                Console.WriteLine("Start filter service succeeded.");
                // Wait for the user to quit the program.
                Console.WriteLine("Press 'q' to quit the sample.");
                while (Console.Read() != 'q') ;

                filterControl.StopFilter();
            }
            catch (Exception ex)
            {
                Console.WriteLine("Start filter service failed with error:" + ex.Message);
            }
        }

        /// <summary>
        /// Fires when a new process is being created. The handlers are static because
        /// they are subscribed from the static Main method.
        /// </summary>
        public static void OnProcessCreation(object sender, ProcessEventArgs e)
        {
            // Test: block the process creation.
            // e.ReturnStatus = NtStatus.Status.AccessDenied;
        }

        /// <summary>
        /// Fires before the process is terminated.
        /// </summary>
        public static void OnProcessPreTermination(object sender, ProcessEventArgs e)
        {
            // Test: block the process termination.
            // if (e.ImageFileName.IndexOf("cmd.exe") >= 0)
            // {
            //     e.ReturnStatus = NtStatus.Status.AccessDenied;
            // }
        }

        /// <summary>
        /// Fires after the process was terminated.
        /// </summary>
        public static void NotifyProcessTerminated(object sender, ProcessEventArgs e)
        {
            // Do your job here.
        }
    }
}
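The demo above leaves both policy decisions as commented-out lines. The following program, added here as a worked example and not EaseFilter's own code, fills them in for the filter rule steps listed earlier: an allow-list check in OnProcessCreation that denies creation of any image outside a set of trusted directories, and a pre-termination check that protects a named agent process. It uses only the SDK names shown on this page (FilterControl, ProcessFilter, FilterAPI.ProcessControlFlag, ProcessEventArgs.ImageFileName, ReturnStatus, NtStatus.Status.AccessDenied). The trusted directory list, the protected process name, the namespace and the licence key are constructed placeholders, and the path checks assume the driver reports Win32 drive-letter paths, as the demo's own "cmd.exe" check implies; if your build reports NT device paths, convert them before the check.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using EaseFilter.FilterControl;

namespace ProcessAllowListDemo
{
    // Policy helpers kept separate from the driver callbacks so they can be unit tested with
    // the driver unloaded. Assumption: image paths arrive in Win32 form (C:\...), as the
    // demo's own "cmd.exe" check implies.
    public static class ProcessPolicy
    {
        // True when imageFileName lies inside one of trustedDirectories. Both sides go through
        // Path.GetFullPath so ".." segments cannot escape a trusted directory, the comparison
        // is case-insensitive, and a separator is appended to each directory so that
        // "C:\Windows" does not also match "C:\WindowsEvil\x.exe".
        public static bool IsTrustedImage(string imageFileName, IEnumerable<string> trustedDirectories)
        {
            if (string.IsNullOrWhiteSpace(imageFileName)) return false;
            string fullImagePath;
            try { fullImagePath = Path.GetFullPath(imageFileName); }
            catch (Exception) { return false; } // malformed path: fail closed
            foreach (string dir in trustedDirectories)
            {
                string prefix = Path.GetFullPath(dir)
                    .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                    + Path.DirectorySeparatorChar;
                if (fullImagePath.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return true;
            }
            return false;
        }

        // True when the image's file name equals one of protectedNames: whole-name and
        // case-insensitive, unlike the substring IndexOf("cmd.exe") test in the demo, which
        // would also match a name such as "notcmd.exe".
        public static bool IsProtectedProcess(string imageFileName, IEnumerable<string> protectedNames)
        {
            if (string.IsNullOrWhiteSpace(imageFileName)) return false;
            string name = Path.GetFileName(imageFileName);
            foreach (string protectedName in protectedNames)
                if (string.Equals(name, protectedName, StringComparison.OrdinalIgnoreCase)) return true;
            return false;
        }
    }

    class Program
    {
        static readonly FilterControl filterControl = new FilterControl();
        // Constructed policy values; adjust to the host's real layout.
        static readonly string[] TrustedDirectories =
            { @"C:\Windows", @"C:\Program Files", @"C:\Program Files (x86)" };
        static readonly string[] ProtectedProcesses = { "MyBackupAgent.exe" }; // hypothetical name
        // Start in audit mode (log only); set to true once the log shows the allow-list
        // covers every legitimate program, otherwise a gap in the list denies real work.
        static bool enforce = false;

        static void Main(string[] args)
        {
            string lastError = string.Empty;
            string licenseKey = "YOUR-LICENSE-KEY"; // placeholder, not a real key
            if (!filterControl.StartFilter(FilterAPI.FilterType.PROCESS_FILTER, 5, 10, licenseKey, ref lastError))
            {
                Console.WriteLine("StartFilter failed: " + lastError);
                return;
            }
            // One rule for every process ("*"), asking for creation and termination callbacks.
            ProcessFilter processFilter = new ProcessFilter("*");
            processFilter.ControlFlag = FilterAPI.ProcessControlFlag.PROCESS_CREATION_NOTIFICATION
                                      | FilterAPI.ProcessControlFlag.PROCESS_TERMINATION_NOTIFICATION;
            processFilter.OnProcessCreation += OnProcessCreation;
            processFilter.OnProcessPreTermination += OnProcessPreTermination;
            filterControl.AddFilter(processFilter);
            if (!filterControl.SendConfigSettingsToFilter(ref lastError))
            {
                Console.WriteLine("SendConfigSettingsToFilter failed: " + lastError);
                return;
            }
            Console.WriteLine("Filter running, enforce=" + enforce + ". Press 'q' to quit.");
            while (Console.Read() != 'q') ;
            filterControl.StopFilter();
        }

        // Deny (or in audit mode only log) creation of any image outside the trusted directories.
        static void OnProcessCreation(object sender, ProcessEventArgs e)
        {
            if (ProcessPolicy.IsTrustedImage(e.ImageFileName, TrustedDirectories)) return;
            Console.WriteLine((enforce ? "DENY" : "AUDIT") + " creation: " + e.ImageFileName);
            if (enforce) e.ReturnStatus = NtStatus.Status.AccessDenied;
        }

        // Deny (or log) termination of the protected agent process.
        static void OnProcessPreTermination(object sender, ProcessEventArgs e)
        {
            if (!ProcessPolicy.IsProtectedProcess(e.ImageFileName, ProtectedProcesses)) return;
            Console.WriteLine((enforce ? "DENY" : "AUDIT") + " termination: " + e.ImageFileName);
            if (enforce) e.ReturnStatus = NtStatus.Status.AccessDenied;
        }
    }
}
```

Two design points are worth noting. The decision logic lives in ProcessPolicy, which depends only on System.IO, so the edge cases (a ".." path that resolves outside a trusted directory, a sibling directory sharing a prefix, an empty or malformed image name) can be covered by ordinary unit tests before the driver is ever loaded. And the callbacks run while the kernel request is waiting on the user-mode service within the connection timeout passed to StartFilter, so they are kept to a quick in-memory check and a log line; anything slower belongs on a separate thread, with the decision itself still made here.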