void InitNewFilterRule()
{
selectedFilterRule = new FilterRule();
selectedProcessFilterRule = new ProcessFilterRule();
selectedRegistryFilterRule = new RegistryFilterRule();
textBox_SandboxFolder.Text = "c:\\newSandboxFolder";
selectedFilterRule.IncludeFileFilterMask = textBox_SandboxFolder.Text.Trim() + "\\*";
selectedProcessFilterRule.ProcessNameFilterMask = textBox_SandboxFolder.Text.Trim() + "\\*";
selectedRegistryFilterRule.ProcessNameFilterMask = textBox_SandboxFolder.Text.Trim() + "\\*";
//by default allow the binaries inside the sandbox to read/write the registry
selectedRegistryFilterRule.AccessFlag = FilterAPI.MAX_REGITRY_ACCESS_FLAG;
selectedProcessFilterRule.ProcessId = selectedRegistryFilterRule.ProcessId = "";
//by default not allow the executable
selectedProcessFilterRule.ControlFlag = (uint)FilterAPI.ProcessControlFlag.DENY_NEW_PROCESS_CREATION;
//set the maximum access rights to the sandbox for all binaries inside the sandbox
selectedProcessFilterRule.FileAccessRights = textBox_SandboxFolder.Text + "!" + FilterAPI.ALLOW_MAX_RIGHT_ACCESS.ToString() + ";";
//allow the windows dll or exe to be read by the process, or it can't be loaded.
selectedProcessFilterRule.FileAccessRights += "c:\\windows\\*!" + FilterAPI.ALLOW_FILE_READ_ACCESS + ";";
//No access rights to all other folders by default.
selectedProcessFilterRule.FileAccessRights += "*!" + ((uint)FilterAPI.AccessFlag.LEAST_ACCESS_FLAG).ToString() + ";";
//by default the sandbox folder doesn't allow being read/write by processes, if the processes want to access the sandbox, it needs to add process rights.
selectedFilterRule.AccessFlag = (uint)(FilterAPI.ALLOW_MAX_RIGHT_ACCESS | (uint)FilterAPI.AccessFlag.ENABLE_FILE_ENCRYPTION_RULE);
//Not allow the explorer.exe to read the encrytped files, when you copy the encrypted files from exploer, the file can stay encrypted.
selectedFilterRule.ProcessRights = "explorer.exe!" + ((uint)FilterAPI.ALLOW_MAX_RIGHT_ACCESS & ~(uint)(FilterAPI.AccessFlag.ALLOW_READ_ENCRYPTED_FILES)).ToString() + ";";
}
private void listView_FilterRules_SelectedIndexChanged(object sender, EventArgs e)
{
if (listView_FilterRules.SelectedItems.Count > 0)
{
selectedFilterRule = ((ProcessFilterRule)listView_FilterRules.SelectedItems[0].Tag).Copy();
InitSelectedFilterRule();
}
}
private void button_ConfigFileAccessRights_Click(object sender, EventArgs e)
{
if (textBox_ProcessId.Text.Trim().Length > 0 && textBox_ProcessId.Text != "0")
{
if (selectedFilterRule.ProcessId != textBox_ProcessId.Text)
{
selectedFilterRule = new ProcessFilterRule();
isNewFilterRule = true;
}
selectedFilterRule.ProcessId = textBox_ProcessId.Text;
}
else if (textBox_ProcessName.Text.Trim().Length > 0)
{
if (selectedFilterRule.ProcessNameFilterMask != textBox_ProcessName.Text)
{
isNewFilterRule = true;
selectedFilterRule = new ProcessFilterRule();
}
selectedFilterRule.ProcessNameFilterMask = textBox_ProcessName.Text;
}
else
{
MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
MessageBox.Show("The process name mask and Pid can't be null.", "Add Filter Rule", MessageBoxButtons.OK, MessageBoxIcon.Error);
return;
}
uint controlFlag = 0;
if (uint.TryParse(textBox_ControlFlag.Text, out controlFlag) && ((controlFlag & (uint)FilterAPI.ProcessControlFlag.DENY_NEW_PROCESS_CREATION) > 0))
{
MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
MessageBox.Show("The process was blocked to executed, no need to set the file access rights for the process.", "Add Filter Rule", MessageBoxButtons.OK, MessageBoxIcon.Information);
return;
}
if (isNewFilterRule)
{
//default file access rights setting for new process filter rule
//allow the windows dll or exe to be read by the process, or it can't be loaded.
selectedFilterRule.FileAccessRights = "c:\\windows\\*!" + FilterAPI.ALLOW_FILE_READ_ACCESS + ";";
//No access rights to all other folders by default.
selectedFilterRule.FileAccessRights += "*!" + ((uint)FilterAPI.AccessFlag.LEAST_ACCESS_FLAG).ToString() + ";";
}
ProcessFileAccessRights processFileAccessRigths = new ProcessFileAccessRights(selectedFilterRule);
processFileAccessRigths.ShowDialog();
}
private void AddItem(ProcessFilterRule newRule)
{
string[] itemStr = new string[listView_FilterRules.Columns.Count];
itemStr[0] = listView_FilterRules.Items.Count.ToString();
itemStr[1] = newRule.ProcessId;
itemStr[2] = newRule.ProcessNameFilterMask;
itemStr[3] = newRule.ControlFlag.ToString();
itemStr[4] = newRule.FileAccessRights;
ListViewItem item = new ListViewItem(itemStr, 0);
item.Tag = newRule;
listView_FilterRules.Items.Add(item);
}
private void button_AddFilter_Click(object sender, EventArgs e)
{
try
{
selectedFilterRule = null;
InitSelectedFilterRule();
}
catch (Exception ex)
{
MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
MessageBox.Show("Add registry filter rule failed." + ex.Message, "Add Filter Rule", MessageBoxButtons.OK, MessageBoxIcon.Error);
return;
}
}
void SetSelectedFilterRule(FilterRule filterRule)
{
selectedFilterRule = filterRule;
selectedProcessFilterRule = GlobalConfig.GetProcessFilterRule("", selectedFilterRule.IncludeFileFilterMask);
if (null == selectedProcessFilterRule)
{
selectedProcessFilterRule = new ProcessFilterRule();
}
selectedRegistryFilterRule = GlobalConfig.GetRegistryFilterRule("", selectedFilterRule.IncludeFileFilterMask);
if (null == selectedRegistryFilterRule)
{
selectedRegistryFilterRule = new RegistryFilterRule();
}
}
private void button_DeleteFilter_Click(object sender, EventArgs e)
{
if (listView_FilterRules.SelectedItems.Count == 0)
{
MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
MessageBox.Show("There are no filter rule selected.", "Delete Filter Rule", MessageBoxButtons.OK, MessageBoxIcon.Error);
return;
}
foreach (System.Windows.Forms.ListViewItem item in listView_FilterRules.SelectedItems)
{
ProcessFilterRule filterRule = (ProcessFilterRule)item.Tag;
GlobalConfig.RemoveProcessFilterRule(filterRule);
}
InitListView();
}
public void InitListView()
{
//init ListView control
listView_FilterRules.Clear(); //clear control
//create column header for ListView
listView_FilterRules.Columns.Add("#", 20, System.Windows.Forms.HorizontalAlignment.Left);
listView_FilterRules.Columns.Add("ProcessId", 100, System.Windows.Forms.HorizontalAlignment.Left);
listView_FilterRules.Columns.Add("ProcessNameMask", 200, System.Windows.Forms.HorizontalAlignment.Left);
listView_FilterRules.Columns.Add("ControlFlag", 100, System.Windows.Forms.HorizontalAlignment.Left);
listView_FilterRules.Columns.Add("FileAccessRights", 300, System.Windows.Forms.HorizontalAlignment.Left);
foreach (ProcessFilterRule rule in GlobalConfig.ProcessFilterRules.Values)
{
AddItem(rule);
selectedFilterRule = rule;
}
InitSelectedFilterRule();
}
private void toolStripButton_StartFilter_Click(object sender, EventArgs e)
{
try
{
string lastError = string.Empty;
bool ret = FilterAPI.StartFilter((int)GlobalConfig.FilterConnectionThreads
, registerKey
, new FilterAPI.FilterDelegate(FilterCallback)
, new FilterAPI.DisconnectDelegate(DisconnectCallback)
, ref lastError);
if (!ret)
{
MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
MessageBox.Show("Start filter failed." + lastError);
return;
}
if (GlobalConfig.ProcessFilterRules.Count == 0 && null != sender)
{
ProcessFilterRule defaultProcessFilterRule = new ProcessFilterRule();
defaultProcessFilterRule.ProcessNameFilterMask = "*";
defaultProcessFilterRule.ControlFlag = 16128;
GlobalConfig.AddProcessFilterRule(defaultProcessFilterRule);
MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
MessageBox.Show("You didn't setup any filtere rule, by defult it will monitor all process/thread operations.");
}
toolStripButton_StartFilter.Enabled = false;
toolStripButton_Stop.Enabled = true;
GlobalConfig.SendConfigSettingsToFilter();
EventManager.WriteMessage(102, "StartFilter", EventLevel.Information, "Start filter service succeeded.");
}
catch (Exception ex)
{
EventManager.WriteMessage(104, "StartFilter", EventLevel.Error, "Start filter service failed with error " + ex.Message);
}
}
public ProcessFileAccessRights(ProcessFilterRule filterRule)
{
InitializeComponent();
StartPosition = FormStartPosition.CenterParent;
currentFilterRule = filterRule;
string processFileAccessRights = filterRule.FileAccessRights;
string[] accessRightList = processFileAccessRights.ToLower().Split(new char[] { ';' });
if (accessRightList.Length > 0)
{
foreach (string processFileAccessRightStr in accessRightList)
{
if (processFileAccessRightStr.Trim().Length > 0)
{
string fileMask = processFileAccessRightStr.Substring(0, processFileAccessRightStr.IndexOf('!'));
uint accessFlag = uint.Parse(processFileAccessRightStr.Substring(processFileAccessRightStr.IndexOf('!') + 1));
if (!processFileAccessRightsList.ContainsKey(fileMask))
{
FileAccessRight fileAccessRight = new FileAccessRight();
fileAccessRight.FileNameMask = fileMask;
fileAccessRight.AccessFlag = accessFlag;
processFileAccessRightsList.Add(fileMask, fileAccessRight);
currentFileAccessRight = fileAccessRight;
}
textBox_FileMask.Text = fileMask;
textBox_AccessFlag.Text = accessFlag.ToString();
}
}
}
groupBox_ProcessRights.Text = "The file access rights for processes which match " + filterRule.ProcessNameFilterMask;
InitListView();
SetCheckBoxValue();
}
private void button_DeleteSandbox_Click(object sender, EventArgs e)
{
if (listView_Sandbox.SelectedItems.Count == 0)
{
MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
MessageBox.Show("There are no sandbox selected.", "Delete sendbox", MessageBoxButtons.OK, MessageBoxIcon.Error);
return;
}
foreach (System.Windows.Forms.ListViewItem item in listView_Sandbox.SelectedItems)
{
FilterRule filterRule = (FilterRule)item.Tag;
GlobalConfig.RemoveFilterRule(filterRule.IncludeFileFilterMask);
ProcessFilterRule processFilterRule = GlobalConfig.GetProcessFilterRule("", filterRule.IncludeFileFilterMask);
if (null != processFilterRule)
{
GlobalConfig.RemoveProcessFilterRule(processFilterRule);
}
RegistryFilterRule registryFilterRule = GlobalConfig.GetRegistryFilterRule("", filterRule.IncludeFileFilterMask);
if (null != registryFilterRule)
{
GlobalConfig.RemoveRegistryFilterRule(registryFilterRule);
}
GlobalConfig.SaveConfigSetting();
}
if (GlobalConfig.FilterRules.Count > 0)
{
SetSelectedFilterRule(GlobalConfig.FilterRules.Values.ElementAt(0).Copy());
}
else
{
selectedFilterRule = null;
}
InitListView();
}
private void InitSelectedFilterRule()
{
if (null == selectedFilterRule)
{
selectedFilterRule = new ProcessFilterRule();
selectedFilterRule.ProcessNameFilterMask = "*";
selectedFilterRule.ControlFlag = 16128;
isNewFilterRule = true;
}
if (selectedFilterRule.ProcessId.Length > 0 && selectedFilterRule.ProcessId != "0")
{
textBox_ProcessId.Text = selectedFilterRule.ProcessId;
radioButton_Pid_Click(null, null);
}
else
{
radioButton_Name_Click(null, null);
textBox_ProcessName.Text = selectedFilterRule.ProcessNameFilterMask;
textBox_ControlFlag.Text = selectedFilterRule.ControlFlag.ToString();
}
}
