/// <summary>
/// Resets the three selected rules (file, process, registry) to a default set for a brand-new
/// sandbox, keyed on the folder written into <c>textBox_SandboxFolder</c>
/// (<c>c:\newSandboxFolder</c>). Nothing is persisted here; the caller saves the rules.
/// </summary>
/// <remarks>
/// The defaults are least-privilege in shape: binaries inside the sandbox get maximum rights
/// on the sandbox folder, read-only access to <c>c:\windows</c>, least access everywhere
/// else, full registry access, and may not create new processes. The sandbox folder itself
/// is marked for encryption and explorer.exe is denied reading decrypted content, so files
/// copied out via Explorer stay encrypted.
/// </remarks>
void InitNewFilterRule()
{
    selectedFilterRule = new FilterRule();
    selectedProcessFilterRule = new ProcessFilterRule();
    selectedRegistryFilterRule = new RegistryFilterRule();

    textBox_SandboxFolder.Text = "c:\\newSandboxFolder";
    string sandboxFolder = textBox_SandboxFolder.Text;

    // All three rules share one "<folder>\*" mask so they can be looked up together later.
    string sandboxMask = sandboxFolder.Trim() + "\\*";
    selectedFilterRule.IncludeFileFilterMask = sandboxMask;
    selectedProcessFilterRule.ProcessNameFilterMask = sandboxMask;
    selectedRegistryFilterRule.ProcessNameFilterMask = sandboxMask;

    // Binaries inside the sandbox may read/write the registry by default.
    selectedRegistryFilterRule.AccessFlag = FilterAPI.MAX_REGITRY_ACCESS_FLAG;

    // No specific process id: the rules match on the name mask only.
    selectedProcessFilterRule.ProcessId = "";
    selectedRegistryFilterRule.ProcessId = "";

    // Sandboxed executables are not allowed to spawn new processes by default.
    selectedProcessFilterRule.ControlFlag = (uint)FilterAPI.ProcessControlFlag.DENY_NEW_PROCESS_CREATION;

    // File access rights of sandboxed binaries, as "<mask>!<rights>;" entries:
    //  - maximum rights on the sandbox folder itself
    //    NOTE(review): unlike the masks above this entry has no trailing "\*" — confirm the
    //    driver treats a bare folder path as covering its contents.
    //  - read access to c:\windows, otherwise system DLLs/EXEs could not be loaded
    //    NOTE(review): this entry relies on string concatenation calling ToString(); confirm
    //    ALLOW_FILE_READ_ACCESS is numeric so the rights string stays parseable like the other two.
    //  - least access to every other path
    string sandboxRights = sandboxFolder + "!" + FilterAPI.ALLOW_MAX_RIGHT_ACCESS.ToString() + ";";
    string windowsRights = "c:\\windows\\*!" + FilterAPI.ALLOW_FILE_READ_ACCESS + ";";
    string otherRights = "*!" + ((uint)FilterAPI.AccessFlag.LEAST_ACCESS_FLAG).ToString() + ";";
    selectedProcessFilterRule.FileAccessRights = sandboxRights + windowsRights + otherRights;

    // The sandbox folder is encrypted; processes outside the sandbox get no access to it
    // unless explicit process rights are added.
    selectedFilterRule.AccessFlag = (uint)(FilterAPI.ALLOW_MAX_RIGHT_ACCESS | (uint)FilterAPI.AccessFlag.ENABLE_FILE_ENCRYPTION_RULE);

    // explorer.exe keeps every right except reading decrypted content, so copies made from
    // Explorer remain encrypted.
    uint explorerRights = (uint)FilterAPI.ALLOW_MAX_RIGHT_ACCESS & ~(uint)(FilterAPI.AccessFlag.ALLOW_READ_ENCRYPTED_FILES);
    selectedFilterRule.ProcessRights = "explorer.exe!" + explorerRights.ToString() + ";";
}
/// <summary>
/// Makes <paramref name="filterRule"/> the current selection and loads the process and
/// registry rules that share its <c>IncludeFileFilterMask</c> from <c>GlobalConfig</c>,
/// falling back to fresh instances when none is configured for that mask.
/// </summary>
/// <param name="filterRule">The file filter rule to select; its mask keys the companion rules.</param>
void SetSelectedFilterRule(FilterRule filterRule)
{
    selectedFilterRule = filterRule;

    // Companion rules are keyed on the sandbox mask (the first lookup argument is always empty here);
    // the lookups return null when nothing matches, in which case an empty rule is used.
    string sandboxMask = selectedFilterRule.IncludeFileFilterMask;
    selectedProcessFilterRule = GlobalConfig.GetProcessFilterRule("", sandboxMask) ?? new ProcessFilterRule();
    selectedRegistryFilterRule = GlobalConfig.GetRegistryFilterRule("", sandboxMask) ?? new RegistryFilterRule();
}
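/// <summary>
/// Starts the filter driver connection and pushes the current configuration to it.
/// </summary>
/// <param name="sender">
/// The control that raised the click, or <c>null</c> when invoked programmatically; the
/// catch-all default registry rule is only added for a real click.
/// </param>
/// <param name="e">Event data (unused).</param>
/// <remarks>
/// Failures are written to <c>EventManager</c> and also shown to the user, so a failed start
/// never leaves the toolbar without feedback.
/// </remarks>
private void toolStripButton_StartFilter_Click(object sender, EventArgs e)
{
    try
    {
        string lastError = string.Empty;
        bool started = FilterAPI.StartFilter(
            (int)GlobalConfig.FilterConnectionThreads,
            registerKey,
            new FilterAPI.FilterDelegate(FilterCallback),
            new FilterAPI.DisconnectDelegate(DisconnectCallback),
            ref lastError);

        if (!started)
        {
            MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
            MessageBox.Show("Start filter failed. " + lastError);
            return;
        }

        toolStripButton_StartFilter.Enabled = false;
        toolStripButton_Stop.Enabled = true;

        // With no registry rule configured, a real click falls back to a catch-all rule
        // ("*" with maximum registry access) so all registry activity is monitored.
        // Programmatic calls (null sender) skip this and keep the configuration as-is.
        if (GlobalConfig.RegistryFilterRules.Count == 0 && null != sender)
        {
            RegistryFilterRule regFilterRule = new RegistryFilterRule();
            regFilterRule.ProcessNameFilterMask = "*";
            regFilterRule.AccessFlag = FilterAPI.MAX_REGITRY_ACCESS_FLAG;
            // NOTE(review): the meaning of this callback-class value is not visible here — confirm against FilterAPI.
            regFilterRule.RegCallbackClass = 93092006832128;
            GlobalConfig.AddRegistryFilterRule(regFilterRule);

            MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
            MessageBox.Show("You didn't set up any filter rule; by default it will monitor all registry access.");
        }

        GlobalConfig.SendConfigSettingsToFilter();
        EventManager.WriteMessage(102, "StartFilter", EventLevel.Information, "Start filter service succeeded.");
    }
    catch (Exception ex)
    {
        // Log for the operator and tell the user; previously the error was only logged.
        EventManager.WriteMessage(104, "StartFilter", EventLevel.Error, "Start filter service failed with error " + ex.Message);
        MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
        MessageBox.Show("Start filter failed. " + ex.Message);
    }
}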
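/// <summary>
/// Removes every sandbox selected in <c>listView_Sandbox</c> together with its companion
/// process and registry rules, persists the configuration once, and refreshes the view.
/// </summary>
/// <param name="sender">The button that raised the click (unused).</param>
/// <param name="e">Event data (unused).</param>
private void button_DeleteSandbox_Click(object sender, EventArgs e)
{
    if (listView_Sandbox.SelectedItems.Count == 0)
    {
        MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
        MessageBox.Show("There is no sandbox selected.", "Delete sandbox", MessageBoxButtons.OK, MessageBoxIcon.Error);
        return;
    }

    foreach (System.Windows.Forms.ListViewItem item in listView_Sandbox.SelectedItems)
    {
        FilterRule filterRule = (FilterRule)item.Tag;
        string sandboxMask = filterRule.IncludeFileFilterMask;

        // The three rules of a sandbox are keyed on the same mask; remove all of them so
        // no process or registry rule for the deleted sandbox is left behind.
        GlobalConfig.RemoveFilterRule(sandboxMask);

        ProcessFilterRule processFilterRule = GlobalConfig.GetProcessFilterRule("", sandboxMask);
        if (null != processFilterRule)
        {
            GlobalConfig.RemoveProcessFilterRule(processFilterRule);
        }

        RegistryFilterRule registryFilterRule = GlobalConfig.GetRegistryFilterRule("", sandboxMask);
        if (null != registryFilterRule)
        {
            GlobalConfig.RemoveRegistryFilterRule(registryFilterRule);
        }
    }

    // Persist once after all removals instead of once per selected item; the end state is the same.
    GlobalConfig.SaveConfigSetting();

    if (GlobalConfig.FilterRules.Count > 0)
    {
        SetSelectedFilterRule(GlobalConfig.FilterRules.Values.ElementAt(0).Copy());
    }
    else
    {
        selectedFilterRule = null;
    }

    InitListView();
}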