コード例 #1
0
        private string FormatDescription(FilterAPI.PROCESS_INFO processInfo)
        {
            string message = string.Empty;

            switch (processInfo.MessageType)
            {
            case (uint)FilterAPI.FilterCommand.FILTER_SEND_PROCESS_CREATION_INFO:
            {
                message = "ParentPid:" + processInfo.ParentProcessId + ";CreatingPid:" + processInfo.CreatingProcessId + ";CreatingTheadId:" + processInfo.CreatingThreadId
                          + ";FileOpenNameAvailable:" + processInfo.FileOpenNameAvailable + ";CommandLine:" + processInfo.CommandLine;
                break;
            }

            case (uint)FilterAPI.FilterCommand.FILTER_SEND_PROCESS_HANDLE_INFO:
            case (uint)FilterAPI.FilterCommand.FILTER_SEND_THREAD_HANDLE_INFO:
            {
                if (processInfo.Operation == 1)
                {
                    message = "Create Handle";
                }
                else
                {
                    message = "Duplicate Handle";
                }

                message += "; DesiredAccess:" + processInfo.DesiredAccess.ToString("X");
                break;
            }

            default:
                break;
            }

            return(message);
        }
コード例 #2
0
        public void AddMessage(FilterAPI.PROCESS_INFO processInfo)
        {
            lock (messageQueue)
            {
                if (messageQueue.Count > GlobalConfig.MaximumFilterMessages)
                {
                    messageQueue.Clear();
                }

                messageQueue.Enqueue(processInfo);
            }

            autoEvent.Set();
        }
コード例 #3
0
        public ListViewItem FormatProcessInfo(FilterAPI.PROCESS_INFO processInfo)
        {
            ListViewItem lvItem = new ListViewItem();

            try
            {
                string userName = string.Empty;
                FilterAPI.DecodeUserName(processInfo.Sid, out userName);

                string[] listData = new string[listView_Message.Columns.Count];
                int      col      = 0;
                listData[col++] = processInfo.MessageId.ToString();
                listData[col++] = ((FilterAPI.FilterCommand)processInfo.MessageType).ToString();
                listData[col++] = userName;
                listData[col++] = processInfo.ImageFileName + "  (" + processInfo.ProcessId + ")";
                listData[col++] = processInfo.ThreadId.ToString();
                listData[col++] = FormatDescription(processInfo);

                lvItem = new ListViewItem(listData, 0);

                if (processInfo.Status >= (uint)NtStatus.Status.Error)
                {
                    lvItem.BackColor = Color.LightGray;
                    lvItem.ForeColor = Color.Red;
                }
                else if (processInfo.Status > (uint)NtStatus.Status.Warning)
                {
                    lvItem.BackColor = Color.LightGray;
                    lvItem.ForeColor = Color.Yellow;
                }


                if (GlobalConfig.EnableLogTransaction)
                {
                    FilterMessage.LogTrasaction(listData);
                }

                AddItemToList(lvItem);
            }
            catch (Exception ex)
            {
                EventManager.WriteMessage(445, "GetFilterMessage", EventLevel.Error, "Add callback message failed." + ex.Message);
                lvItem = null;
            }

            return(lvItem);
        }
コード例 #4
0
        Boolean FilterCallback(IntPtr sendDataPtr, IntPtr replyDataPtr)
        {
            Boolean ret = true;

            try
            {
                //for file access right unit test, to handle the monitor or control IO callback, reference the FileMonitor/FileProtector project
                FilterAPI.MessageSendData messageSend = (FilterAPI.MessageSendData)Marshal.PtrToStructure(sendDataPtr, typeof(FilterAPI.MessageSendData));
                if (messageSend.MessageType == (uint)FilterAPI.MessageType.PRE_CREATE)
                {
                    ProcessUnitTest.controlIONotification = true;

                    FilterAPI.MessageReplyData messageReply = (FilterAPI.MessageReplyData)Marshal.PtrToStructure(replyDataPtr, typeof(FilterAPI.MessageReplyData));

                    //if you want to block the file access, you can return below status.
                    //messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_ACCESS_DENIED;
                    //messageReply.FilterStatus = (uint)FilterAPI.FilterStatus.FILTER_COMPLETE_PRE_OPERATION;

                    messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_SUCCESS;
                    Marshal.StructureToPtr(messageReply, replyDataPtr, true);

                    return(true);
                }

                if (messageSend.MessageType == (uint)FilterAPI.MessageType.POST_CREATE)
                {
                    ProcessUnitTest.monitorIONotification = true;
                    return(true);
                }

                FilterAPI.PROCESS_INFO processInfo = (FilterAPI.PROCESS_INFO)Marshal.PtrToStructure(sendDataPtr, typeof(FilterAPI.PROCESS_INFO));
                if (FilterAPI.MESSAGE_SEND_VERIFICATION_NUMBER != processInfo.VerificationNumber)
                {
                    MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
                    MessageBox.Show("Received message corrupted.Please check if the PROCESS_INFO structure is correct.");

                    EventManager.WriteMessage(139, "FilterCallback", EventLevel.Error, "Received message corrupted.Please check if the PROCESS_INFO structure is correct.");
                    return(false);
                }

                processMessage.AddMessage(processInfo);

                if (replyDataPtr.ToInt64() != 0)
                {
                    FilterAPI.MessageReplyData messageReply = (FilterAPI.MessageReplyData)Marshal.PtrToStructure(replyDataPtr, typeof(FilterAPI.MessageReplyData));

                    if (processInfo.MessageType == (uint)FilterAPI.FilterCommand.FILTER_SEND_PROCESS_CREATION_INFO)
                    {
                        //this is new process creation, you can block it here by returning the STATUS_ACCESS_DENIED.
                        messageReply.ReturnStatus = processInfo.Status;
                        Marshal.StructureToPtr(messageReply, replyDataPtr, true);
                    }
                }

                return(ret);
            }
            catch (Exception ex)
            {
                EventManager.WriteMessage(134, "FilterCallback", EventLevel.Error, "filter callback exception." + ex.Message);
                return(false);
            }
        }
コード例 #5
0
        Boolean FilterCallback(IntPtr sendDataPtr, IntPtr replyDataPtr)
        {
            Boolean ret = true;

            try
            {
                FilterAPI.MessageSendData messageSend = (FilterAPI.MessageSendData)Marshal.PtrToStructure(sendDataPtr, typeof(FilterAPI.MessageSendData));

                if (FilterAPI.MESSAGE_SEND_VERIFICATION_NUMBER != messageSend.VerificationNumber)
                {
                    MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
                    MessageBox.Show("Received message corrupted.Please check if the MessageSendData structure is correct.");

                    EventManager.WriteMessage(139, "FilterCallback", EventLevel.Error, "Received message corrupted.Please check if the MessageSendData structure is correct.");
                    return(false);
                }

                EventManager.WriteMessage(149, "FilterCallback", EventLevel.Verbose, "Received message Id#" + messageSend.MessageId + " type:" + messageSend.MessageType
                                          + " CreateOptions:" + messageSend.CreateOptions.ToString("X") + " infoClass:" + messageSend.InfoClass + " fileName:" + messageSend.FileName);

                filterMessage.AddMessage(messageSend);

                FileProtectorUnitTest.FileIOEventHandler(messageSend);

                if (replyDataPtr.ToInt64() != 0)
                {
                    FilterAPI.MessageReplyData messageReply = (FilterAPI.MessageReplyData)Marshal.PtrToStructure(replyDataPtr, typeof(FilterAPI.MessageReplyData));

                    //if (messageSend.MessageType == (uint)FilterAPI.FilterCommand.FILTER_SEND_PROCESS_TERMINATION_INFO)
                    //{
                    //    //the process termination callback, you can get the notification if you register the callback setting of the process filter.
                    //}

                    if (messageSend.MessageType == (uint)FilterAPI.FilterCommand.FILTER_SEND_PROCESS_CREATION_INFO)
                    {
                        //this is new process creation, you can block it here by returning the STATUS_ACCESS_DENIED, below is the process information
                        FilterAPI.PROCESS_INFO processInfo = (FilterAPI.PROCESS_INFO)Marshal.PtrToStructure(sendDataPtr, typeof(FilterAPI.PROCESS_INFO));

                        messageReply.ReturnStatus = processInfo.Status;
                        Marshal.StructureToPtr(messageReply, replyDataPtr, true);
                    }
                    else if (messageSend.MessageType == (uint)FilterAPI.FilterCommand.FILTER_REQUEST_ENCRYPTION_IV_AND_KEY)
                    {
                        //this is encryption filter rule with boolean config "REQUEST_ENCRYPT_KEY_AND_IV_FROM_SERVICE" enabled.
                        //the filter driver request the IV and key to open or create the encrypted file.

                        //if you want to deny the file open or creation, you set the value as below:
                        //messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_ACCESS_DENIED;
                        //messageReply.FilterStatus = (uint)FilterAPI.FilterStatus.FILTER_COMPLETE_PRE_OPERATION;

                        EventManager.WriteMessage(200, "filtercallback", EventLevel.Verbose, messageSend.FileName + " FILTER_REQUEST_ENCRYPTION_IV_AND_KEY");

                        //Here we return the test iv and key to the filter driver, you need to replace with you own iv and key in your code.
                        AESDataBuffer aesData = new AESDataBuffer();
                        aesData.AccessFlags         = FilterAPI.ALLOW_MAX_RIGHT_ACCESS;
                        aesData.IV                  = FilterAPI.DEFAULT_IV_TAG;
                        aesData.IVLength            = (uint)aesData.IV.Length;
                        aesData.EncryptionKey       = Utils.GetKeyByPassPhrase(DigitalRightControl.PassPhrase);
                        aesData.EncryptionKeyLength = (uint)aesData.EncryptionKey.Length;

                        byte[] aesDataArray = DigitalRightControl.ConvertAESDataToByteArray(aesData);
                        messageReply.DataBufferLength = (uint)aesDataArray.Length;
                        Array.Copy(aesDataArray, messageReply.DataBuffer, aesDataArray.Length);

                        messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_SUCCESS;
                    }
                    else if (messageSend.MessageType == (uint)FilterAPI.FilterCommand.FILTER_REQUEST_ENCRYPTION_IV_AND_KEY_AND_TAGDATA)
                    {
                        //this is encryption filter rule with boolean config "REQUEST_ENCRYPT_KEY_IV_AND_TAGDATA_FROM_SERVICE" enabled.
                        //the filter driver request the IV and key to open or create the encrypted file.

                        //if you want to deny the file open or creation, you set the value as below:
                        //messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_ACCESS_DENIED;
                        //messageReply.FilterStatus = (uint)FilterAPI.FilterStatus.FILTER_COMPLETE_PRE_OPERATION;

                        if (messageSend.DataBufferLength > 0)
                        {
                            //this is the tag data which attached to the encrypted file .
                            string tagDataStr = Encoding.Unicode.GetString(messageSend.DataBuffer);
                            EventManager.WriteMessage(235, "filtercallback", EventLevel.Verbose, "EncryptedFile:" + messageSend.FileName + ",tagData:" + tagDataStr);
                        }

                        //Here we return the test iv ,key and tag data to the filter driver, you need to replace with you own iv and key in your code.
                        AESDataBuffer aesData = new AESDataBuffer();
                        aesData.AccessFlags         = FilterAPI.ALLOW_MAX_RIGHT_ACCESS;
                        aesData.IV                  = FilterAPI.DEFAULT_IV_TAG;
                        aesData.IVLength            = (uint)aesData.IV.Length;
                        aesData.EncryptionKey       = Utils.GetKeyByPassPhrase(DigitalRightControl.PassPhrase);
                        aesData.EncryptionKeyLength = (uint)aesData.EncryptionKey.Length;
                        aesData.TagData             = Encoding.Unicode.GetBytes("TagData:" + messageSend.FileName);
                        aesData.TagDataLength       = (uint)aesData.TagData.Length;

                        byte[] aesDataArray = DigitalRightControl.ConvertAESDataToByteArray(aesData);
                        messageReply.DataBufferLength = (uint)aesDataArray.Length;
                        Array.Copy(aesDataArray, messageReply.DataBuffer, aesDataArray.Length);

                        messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_SUCCESS;
                    }
                    else
                    {
                        //this is for control filter driver when the pre-IO was registered.

                        //here you can control the IO behaviour and modify the data.
                        if (!FileProtectorUnitTest.UnitTestCallbackHandler(messageSend) || !FilterService.AuthorizeFileAccess(messageSend, ref messageReply))
                        {
                            //to comple the PRE_IO
                            messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_ACCESS_DENIED;
                            messageReply.FilterStatus = (uint)FilterAPI.FilterStatus.FILTER_COMPLETE_PRE_OPERATION;

                            EventManager.WriteMessage(160, "FilterCallback", EventLevel.Error, "Return error for I/O request:" + ((FilterAPI.MessageType)messageSend.MessageType).ToString() +
                                                      ",fileName:" + messageSend.FileName);
                        }
                        else
                        {
                            messageReply.MessageId    = messageSend.MessageId;
                            messageReply.MessageType  = messageSend.MessageType;
                            messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_SUCCESS;
                        }
                    }

                    Marshal.StructureToPtr(messageReply, replyDataPtr, true);
                }

                return(ret);
            }
            catch (Exception ex)
            {
                EventManager.WriteMessage(134, "FilterCallback", EventLevel.Error, "filter callback exception." + ex.Message);
                return(false);
            }
        }