void InitNewFilterRule() { selectedFilterRule = new FilterRule(); selectedProcessFilterRule = new ProcessFilterRule(); selectedRegistryFilterRule = new RegistryFilterRule(); textBox_SandboxFolder.Text = "c:\\newSandboxFolder"; selectedFilterRule.IncludeFileFilterMask = textBox_SandboxFolder.Text.Trim() + "\\*"; selectedProcessFilterRule.ProcessNameFilterMask = textBox_SandboxFolder.Text.Trim() + "\\*"; selectedRegistryFilterRule.ProcessNameFilterMask = textBox_SandboxFolder.Text.Trim() + "\\*"; //by default allow the binaries inside the sandbox to read/write the registry selectedRegistryFilterRule.AccessFlag = FilterAPI.MAX_REGITRY_ACCESS_FLAG; selectedProcessFilterRule.ProcessId = selectedRegistryFilterRule.ProcessId = ""; //by default not allow the executable selectedProcessFilterRule.ControlFlag = (uint)FilterAPI.ProcessControlFlag.DENY_NEW_PROCESS_CREATION; //set the maximum access rights to the sandbox for all binaries inside the sandbox selectedProcessFilterRule.FileAccessRights = textBox_SandboxFolder.Text + "!" + FilterAPI.ALLOW_MAX_RIGHT_ACCESS.ToString() + ";"; //allow the windows dll or exe to be read by the process, or it can't be loaded. selectedProcessFilterRule.FileAccessRights += "c:\\windows\\*!" + FilterAPI.ALLOW_FILE_READ_ACCESS + ";"; //No access rights to all other folders by default. selectedProcessFilterRule.FileAccessRights += "*!" + ((uint)FilterAPI.AccessFlag.LEAST_ACCESS_FLAG).ToString() + ";"; //by default the sandbox folder doesn't allow being read/write by processes, if the processes want to access the sandbox, it needs to add process rights. selectedFilterRule.AccessFlag = (uint)(FilterAPI.ALLOW_MAX_RIGHT_ACCESS | (uint)FilterAPI.AccessFlag.ENABLE_FILE_ENCRYPTION_RULE); //Not allow the explorer.exe to read the encrytped files, when you copy the encrypted files from exploer, the file can stay encrypted. selectedFilterRule.ProcessRights = "explorer.exe!" + ((uint)FilterAPI.ALLOW_MAX_RIGHT_ACCESS & ~(uint)(FilterAPI.AccessFlag.ALLOW_READ_ENCRYPTED_FILES)).ToString() + ";"; }
private void listView_FilterRules_SelectedIndexChanged(object sender, EventArgs e) { if (listView_FilterRules.SelectedItems.Count > 0) { selectedFilterRule = ((ProcessFilterRule)listView_FilterRules.SelectedItems[0].Tag).Copy(); InitSelectedFilterRule(); } }
private void button_ConfigFileAccessRights_Click(object sender, EventArgs e) { if (textBox_ProcessId.Text.Trim().Length > 0 && textBox_ProcessId.Text != "0") { if (selectedFilterRule.ProcessId != textBox_ProcessId.Text) { selectedFilterRule = new ProcessFilterRule(); isNewFilterRule = true; } selectedFilterRule.ProcessId = textBox_ProcessId.Text; } else if (textBox_ProcessName.Text.Trim().Length > 0) { if (selectedFilterRule.ProcessNameFilterMask != textBox_ProcessName.Text) { isNewFilterRule = true; selectedFilterRule = new ProcessFilterRule(); } selectedFilterRule.ProcessNameFilterMask = textBox_ProcessName.Text; } else { MessageBoxHelper.PrepToCenterMessageBoxOnForm(this); MessageBox.Show("The process name mask and Pid can't be null.", "Add Filter Rule", MessageBoxButtons.OK, MessageBoxIcon.Error); return; } uint controlFlag = 0; if (uint.TryParse(textBox_ControlFlag.Text, out controlFlag) && ((controlFlag & (uint)FilterAPI.ProcessControlFlag.DENY_NEW_PROCESS_CREATION) > 0)) { MessageBoxHelper.PrepToCenterMessageBoxOnForm(this); MessageBox.Show("The process was blocked to executed, no need to set the file access rights for the process.", "Add Filter Rule", MessageBoxButtons.OK, MessageBoxIcon.Information); return; } if (isNewFilterRule) { //default file access rights setting for new process filter rule //allow the windows dll or exe to be read by the process, or it can't be loaded. selectedFilterRule.FileAccessRights = "c:\\windows\\*!" + FilterAPI.ALLOW_FILE_READ_ACCESS + ";"; //No access rights to all other folders by default. selectedFilterRule.FileAccessRights += "*!" + ((uint)FilterAPI.AccessFlag.LEAST_ACCESS_FLAG).ToString() + ";"; } ProcessFileAccessRights processFileAccessRigths = new ProcessFileAccessRights(selectedFilterRule); processFileAccessRigths.ShowDialog(); }
private void AddItem(ProcessFilterRule newRule) { string[] itemStr = new string[listView_FilterRules.Columns.Count]; itemStr[0] = listView_FilterRules.Items.Count.ToString(); itemStr[1] = newRule.ProcessId; itemStr[2] = newRule.ProcessNameFilterMask; itemStr[3] = newRule.ControlFlag.ToString(); itemStr[4] = newRule.FileAccessRights; ListViewItem item = new ListViewItem(itemStr, 0); item.Tag = newRule; listView_FilterRules.Items.Add(item); }
private void button_AddFilter_Click(object sender, EventArgs e) { try { selectedFilterRule = null; InitSelectedFilterRule(); } catch (Exception ex) { MessageBoxHelper.PrepToCenterMessageBoxOnForm(this); MessageBox.Show("Add registry filter rule failed." + ex.Message, "Add Filter Rule", MessageBoxButtons.OK, MessageBoxIcon.Error); return; } }
void SetSelectedFilterRule(FilterRule filterRule) { selectedFilterRule = filterRule; selectedProcessFilterRule = GlobalConfig.GetProcessFilterRule("", selectedFilterRule.IncludeFileFilterMask); if (null == selectedProcessFilterRule) { selectedProcessFilterRule = new ProcessFilterRule(); } selectedRegistryFilterRule = GlobalConfig.GetRegistryFilterRule("", selectedFilterRule.IncludeFileFilterMask); if (null == selectedRegistryFilterRule) { selectedRegistryFilterRule = new RegistryFilterRule(); } }
private void button_DeleteFilter_Click(object sender, EventArgs e) { if (listView_FilterRules.SelectedItems.Count == 0) { MessageBoxHelper.PrepToCenterMessageBoxOnForm(this); MessageBox.Show("There are no filter rule selected.", "Delete Filter Rule", MessageBoxButtons.OK, MessageBoxIcon.Error); return; } foreach (System.Windows.Forms.ListViewItem item in listView_FilterRules.SelectedItems) { ProcessFilterRule filterRule = (ProcessFilterRule)item.Tag; GlobalConfig.RemoveProcessFilterRule(filterRule); } InitListView(); }
public void InitListView() { //init ListView control listView_FilterRules.Clear(); //clear control //create column header for ListView listView_FilterRules.Columns.Add("#", 20, System.Windows.Forms.HorizontalAlignment.Left); listView_FilterRules.Columns.Add("ProcessId", 100, System.Windows.Forms.HorizontalAlignment.Left); listView_FilterRules.Columns.Add("ProcessNameMask", 200, System.Windows.Forms.HorizontalAlignment.Left); listView_FilterRules.Columns.Add("ControlFlag", 100, System.Windows.Forms.HorizontalAlignment.Left); listView_FilterRules.Columns.Add("FileAccessRights", 300, System.Windows.Forms.HorizontalAlignment.Left); foreach (ProcessFilterRule rule in GlobalConfig.ProcessFilterRules.Values) { AddItem(rule); selectedFilterRule = rule; } InitSelectedFilterRule(); }
private void toolStripButton_StartFilter_Click(object sender, EventArgs e) { try { string lastError = string.Empty; bool ret = FilterAPI.StartFilter((int)GlobalConfig.FilterConnectionThreads , registerKey , new FilterAPI.FilterDelegate(FilterCallback) , new FilterAPI.DisconnectDelegate(DisconnectCallback) , ref lastError); if (!ret) { MessageBoxHelper.PrepToCenterMessageBoxOnForm(this); MessageBox.Show("Start filter failed." + lastError); return; } if (GlobalConfig.ProcessFilterRules.Count == 0 && null != sender) { ProcessFilterRule defaultProcessFilterRule = new ProcessFilterRule(); defaultProcessFilterRule.ProcessNameFilterMask = "*"; defaultProcessFilterRule.ControlFlag = 16128; GlobalConfig.AddProcessFilterRule(defaultProcessFilterRule); MessageBoxHelper.PrepToCenterMessageBoxOnForm(this); MessageBox.Show("You didn't setup any filtere rule, by defult it will monitor all process/thread operations."); } toolStripButton_StartFilter.Enabled = false; toolStripButton_Stop.Enabled = true; GlobalConfig.SendConfigSettingsToFilter(); EventManager.WriteMessage(102, "StartFilter", EventLevel.Information, "Start filter service succeeded."); } catch (Exception ex) { EventManager.WriteMessage(104, "StartFilter", EventLevel.Error, "Start filter service failed with error " + ex.Message); } }
public ProcessFileAccessRights(ProcessFilterRule filterRule) { InitializeComponent(); StartPosition = FormStartPosition.CenterParent; currentFilterRule = filterRule; string processFileAccessRights = filterRule.FileAccessRights; string[] accessRightList = processFileAccessRights.ToLower().Split(new char[] { ';' }); if (accessRightList.Length > 0) { foreach (string processFileAccessRightStr in accessRightList) { if (processFileAccessRightStr.Trim().Length > 0) { string fileMask = processFileAccessRightStr.Substring(0, processFileAccessRightStr.IndexOf('!')); uint accessFlag = uint.Parse(processFileAccessRightStr.Substring(processFileAccessRightStr.IndexOf('!') + 1)); if (!processFileAccessRightsList.ContainsKey(fileMask)) { FileAccessRight fileAccessRight = new FileAccessRight(); fileAccessRight.FileNameMask = fileMask; fileAccessRight.AccessFlag = accessFlag; processFileAccessRightsList.Add(fileMask, fileAccessRight); currentFileAccessRight = fileAccessRight; } textBox_FileMask.Text = fileMask; textBox_AccessFlag.Text = accessFlag.ToString(); } } } groupBox_ProcessRights.Text = "The file access rights for processes which match " + filterRule.ProcessNameFilterMask; InitListView(); SetCheckBoxValue(); }
private void button_DeleteSandbox_Click(object sender, EventArgs e) { if (listView_Sandbox.SelectedItems.Count == 0) { MessageBoxHelper.PrepToCenterMessageBoxOnForm(this); MessageBox.Show("There are no sandbox selected.", "Delete sendbox", MessageBoxButtons.OK, MessageBoxIcon.Error); return; } foreach (System.Windows.Forms.ListViewItem item in listView_Sandbox.SelectedItems) { FilterRule filterRule = (FilterRule)item.Tag; GlobalConfig.RemoveFilterRule(filterRule.IncludeFileFilterMask); ProcessFilterRule processFilterRule = GlobalConfig.GetProcessFilterRule("", filterRule.IncludeFileFilterMask); if (null != processFilterRule) { GlobalConfig.RemoveProcessFilterRule(processFilterRule); } RegistryFilterRule registryFilterRule = GlobalConfig.GetRegistryFilterRule("", filterRule.IncludeFileFilterMask); if (null != registryFilterRule) { GlobalConfig.RemoveRegistryFilterRule(registryFilterRule); } GlobalConfig.SaveConfigSetting(); } if (GlobalConfig.FilterRules.Count > 0) { SetSelectedFilterRule(GlobalConfig.FilterRules.Values.ElementAt(0).Copy()); } else { selectedFilterRule = null; } InitListView(); }
private void InitSelectedFilterRule() { if (null == selectedFilterRule) { selectedFilterRule = new ProcessFilterRule(); selectedFilterRule.ProcessNameFilterMask = "*"; selectedFilterRule.ControlFlag = 16128; isNewFilterRule = true; } if (selectedFilterRule.ProcessId.Length > 0 && selectedFilterRule.ProcessId != "0") { textBox_ProcessId.Text = selectedFilterRule.ProcessId; radioButton_Pid_Click(null, null); } else { radioButton_Name_Click(null, null); textBox_ProcessName.Text = selectedFilterRule.ProcessNameFilterMask; textBox_ControlFlag.Text = selectedFilterRule.ControlFlag.ToString(); } }