private string FormatDescription(FilterAPI.PROCESS_INFO processInfo) { string message = string.Empty; switch (processInfo.MessageType) { case (uint)FilterAPI.FilterCommand.FILTER_SEND_PROCESS_CREATION_INFO: { message = "ParentPid:" + processInfo.ParentProcessId + ";CreatingPid:" + processInfo.CreatingProcessId + ";CreatingTheadId:" + processInfo.CreatingThreadId + ";FileOpenNameAvailable:" + processInfo.FileOpenNameAvailable + ";CommandLine:" + processInfo.CommandLine; break; } case (uint)FilterAPI.FilterCommand.FILTER_SEND_PROCESS_HANDLE_INFO: case (uint)FilterAPI.FilterCommand.FILTER_SEND_THREAD_HANDLE_INFO: { if (processInfo.Operation == 1) { message = "Create Handle"; } else { message = "Duplicate Handle"; } message += "; DesiredAccess:" + processInfo.DesiredAccess.ToString("X"); break; } default: break; } return(message); }
public void AddMessage(FilterAPI.PROCESS_INFO processInfo) { lock (messageQueue) { if (messageQueue.Count > GlobalConfig.MaximumFilterMessages) { messageQueue.Clear(); } messageQueue.Enqueue(processInfo); } autoEvent.Set(); }
public ListViewItem FormatProcessInfo(FilterAPI.PROCESS_INFO processInfo) { ListViewItem lvItem = new ListViewItem(); try { string userName = string.Empty; FilterAPI.DecodeUserName(processInfo.Sid, out userName); string[] listData = new string[listView_Message.Columns.Count]; int col = 0; listData[col++] = processInfo.MessageId.ToString(); listData[col++] = ((FilterAPI.FilterCommand)processInfo.MessageType).ToString(); listData[col++] = userName; listData[col++] = processInfo.ImageFileName + " (" + processInfo.ProcessId + ")"; listData[col++] = processInfo.ThreadId.ToString(); listData[col++] = FormatDescription(processInfo); lvItem = new ListViewItem(listData, 0); if (processInfo.Status >= (uint)NtStatus.Status.Error) { lvItem.BackColor = Color.LightGray; lvItem.ForeColor = Color.Red; } else if (processInfo.Status > (uint)NtStatus.Status.Warning) { lvItem.BackColor = Color.LightGray; lvItem.ForeColor = Color.Yellow; } if (GlobalConfig.EnableLogTransaction) { FilterMessage.LogTrasaction(listData); } AddItemToList(lvItem); } catch (Exception ex) { EventManager.WriteMessage(445, "GetFilterMessage", EventLevel.Error, "Add callback message failed." + ex.Message); lvItem = null; } return(lvItem); }
Boolean FilterCallback(IntPtr sendDataPtr, IntPtr replyDataPtr) { Boolean ret = true; try { //for file access right unit test, to handle the monitor or control IO callback, reference the FileMonitor/FileProtector project FilterAPI.MessageSendData messageSend = (FilterAPI.MessageSendData)Marshal.PtrToStructure(sendDataPtr, typeof(FilterAPI.MessageSendData)); if (messageSend.MessageType == (uint)FilterAPI.MessageType.PRE_CREATE) { ProcessUnitTest.controlIONotification = true; FilterAPI.MessageReplyData messageReply = (FilterAPI.MessageReplyData)Marshal.PtrToStructure(replyDataPtr, typeof(FilterAPI.MessageReplyData)); //if you want to block the file access, you can return below status. //messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_ACCESS_DENIED; //messageReply.FilterStatus = (uint)FilterAPI.FilterStatus.FILTER_COMPLETE_PRE_OPERATION; messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_SUCCESS; Marshal.StructureToPtr(messageReply, replyDataPtr, true); return(true); } if (messageSend.MessageType == (uint)FilterAPI.MessageType.POST_CREATE) { ProcessUnitTest.monitorIONotification = true; return(true); } FilterAPI.PROCESS_INFO processInfo = (FilterAPI.PROCESS_INFO)Marshal.PtrToStructure(sendDataPtr, typeof(FilterAPI.PROCESS_INFO)); if (FilterAPI.MESSAGE_SEND_VERIFICATION_NUMBER != processInfo.VerificationNumber) { MessageBoxHelper.PrepToCenterMessageBoxOnForm(this); MessageBox.Show("Received message corrupted.Please check if the PROCESS_INFO structure is correct."); EventManager.WriteMessage(139, "FilterCallback", EventLevel.Error, "Received message corrupted.Please check if the PROCESS_INFO structure is correct."); return(false); } processMessage.AddMessage(processInfo); if (replyDataPtr.ToInt64() != 0) { FilterAPI.MessageReplyData messageReply = (FilterAPI.MessageReplyData)Marshal.PtrToStructure(replyDataPtr, typeof(FilterAPI.MessageReplyData)); if (processInfo.MessageType == (uint)FilterAPI.FilterCommand.FILTER_SEND_PROCESS_CREATION_INFO) { //this is new process creation, you can block it here by returning the STATUS_ACCESS_DENIED. messageReply.ReturnStatus = processInfo.Status; Marshal.StructureToPtr(messageReply, replyDataPtr, true); } } return(ret); } catch (Exception ex) { EventManager.WriteMessage(134, "FilterCallback", EventLevel.Error, "filter callback exception." + ex.Message); return(false); } }
Boolean FilterCallback(IntPtr sendDataPtr, IntPtr replyDataPtr) { Boolean ret = true; try { FilterAPI.MessageSendData messageSend = (FilterAPI.MessageSendData)Marshal.PtrToStructure(sendDataPtr, typeof(FilterAPI.MessageSendData)); if (FilterAPI.MESSAGE_SEND_VERIFICATION_NUMBER != messageSend.VerificationNumber) { MessageBoxHelper.PrepToCenterMessageBoxOnForm(this); MessageBox.Show("Received message corrupted.Please check if the MessageSendData structure is correct."); EventManager.WriteMessage(139, "FilterCallback", EventLevel.Error, "Received message corrupted.Please check if the MessageSendData structure is correct."); return(false); } EventManager.WriteMessage(149, "FilterCallback", EventLevel.Verbose, "Received message Id#" + messageSend.MessageId + " type:" + messageSend.MessageType + " CreateOptions:" + messageSend.CreateOptions.ToString("X") + " infoClass:" + messageSend.InfoClass + " fileName:" + messageSend.FileName); filterMessage.AddMessage(messageSend); FileProtectorUnitTest.FileIOEventHandler(messageSend); if (replyDataPtr.ToInt64() != 0) { FilterAPI.MessageReplyData messageReply = (FilterAPI.MessageReplyData)Marshal.PtrToStructure(replyDataPtr, typeof(FilterAPI.MessageReplyData)); //if (messageSend.MessageType == (uint)FilterAPI.FilterCommand.FILTER_SEND_PROCESS_TERMINATION_INFO) //{ // //the process termination callback, you can get the notification if you register the callback setting of the process filter. //} if (messageSend.MessageType == (uint)FilterAPI.FilterCommand.FILTER_SEND_PROCESS_CREATION_INFO) { //this is new process creation, you can block it here by returning the STATUS_ACCESS_DENIED, below is the process information FilterAPI.PROCESS_INFO processInfo = (FilterAPI.PROCESS_INFO)Marshal.PtrToStructure(sendDataPtr, typeof(FilterAPI.PROCESS_INFO)); messageReply.ReturnStatus = processInfo.Status; Marshal.StructureToPtr(messageReply, replyDataPtr, true); } else if (messageSend.MessageType == (uint)FilterAPI.FilterCommand.FILTER_REQUEST_ENCRYPTION_IV_AND_KEY) { //this is encryption filter rule with boolean config "REQUEST_ENCRYPT_KEY_AND_IV_FROM_SERVICE" enabled. //the filter driver request the IV and key to open or create the encrypted file. //if you want to deny the file open or creation, you set the value as below: //messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_ACCESS_DENIED; //messageReply.FilterStatus = (uint)FilterAPI.FilterStatus.FILTER_COMPLETE_PRE_OPERATION; EventManager.WriteMessage(200, "filtercallback", EventLevel.Verbose, messageSend.FileName + " FILTER_REQUEST_ENCRYPTION_IV_AND_KEY"); //Here we return the test iv and key to the filter driver, you need to replace with you own iv and key in your code. AESDataBuffer aesData = new AESDataBuffer(); aesData.AccessFlags = FilterAPI.ALLOW_MAX_RIGHT_ACCESS; aesData.IV = FilterAPI.DEFAULT_IV_TAG; aesData.IVLength = (uint)aesData.IV.Length; aesData.EncryptionKey = Utils.GetKeyByPassPhrase(DigitalRightControl.PassPhrase); aesData.EncryptionKeyLength = (uint)aesData.EncryptionKey.Length; byte[] aesDataArray = DigitalRightControl.ConvertAESDataToByteArray(aesData); messageReply.DataBufferLength = (uint)aesDataArray.Length; Array.Copy(aesDataArray, messageReply.DataBuffer, aesDataArray.Length); messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_SUCCESS; } else if (messageSend.MessageType == (uint)FilterAPI.FilterCommand.FILTER_REQUEST_ENCRYPTION_IV_AND_KEY_AND_TAGDATA) { //this is encryption filter rule with boolean config "REQUEST_ENCRYPT_KEY_IV_AND_TAGDATA_FROM_SERVICE" enabled. //the filter driver request the IV and key to open or create the encrypted file. //if you want to deny the file open or creation, you set the value as below: //messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_ACCESS_DENIED; //messageReply.FilterStatus = (uint)FilterAPI.FilterStatus.FILTER_COMPLETE_PRE_OPERATION; if (messageSend.DataBufferLength > 0) { //this is the tag data which attached to the encrypted file . string tagDataStr = Encoding.Unicode.GetString(messageSend.DataBuffer); EventManager.WriteMessage(235, "filtercallback", EventLevel.Verbose, "EncryptedFile:" + messageSend.FileName + ",tagData:" + tagDataStr); } //Here we return the test iv ,key and tag data to the filter driver, you need to replace with you own iv and key in your code. AESDataBuffer aesData = new AESDataBuffer(); aesData.AccessFlags = FilterAPI.ALLOW_MAX_RIGHT_ACCESS; aesData.IV = FilterAPI.DEFAULT_IV_TAG; aesData.IVLength = (uint)aesData.IV.Length; aesData.EncryptionKey = Utils.GetKeyByPassPhrase(DigitalRightControl.PassPhrase); aesData.EncryptionKeyLength = (uint)aesData.EncryptionKey.Length; aesData.TagData = Encoding.Unicode.GetBytes("TagData:" + messageSend.FileName); aesData.TagDataLength = (uint)aesData.TagData.Length; byte[] aesDataArray = DigitalRightControl.ConvertAESDataToByteArray(aesData); messageReply.DataBufferLength = (uint)aesDataArray.Length; Array.Copy(aesDataArray, messageReply.DataBuffer, aesDataArray.Length); messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_SUCCESS; } else { //this is for control filter driver when the pre-IO was registered. //here you can control the IO behaviour and modify the data. if (!FileProtectorUnitTest.UnitTestCallbackHandler(messageSend) || !FilterService.AuthorizeFileAccess(messageSend, ref messageReply)) { //to comple the PRE_IO messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_ACCESS_DENIED; messageReply.FilterStatus = (uint)FilterAPI.FilterStatus.FILTER_COMPLETE_PRE_OPERATION; EventManager.WriteMessage(160, "FilterCallback", EventLevel.Error, "Return error for I/O request:" + ((FilterAPI.MessageType)messageSend.MessageType).ToString() + ",fileName:" + messageSend.FileName); } else { messageReply.MessageId = messageSend.MessageId; messageReply.MessageType = messageSend.MessageType; messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_SUCCESS; } } Marshal.StructureToPtr(messageReply, replyDataPtr, true); } return(ret); } catch (Exception ex) { EventManager.WriteMessage(134, "FilterCallback", EventLevel.Error, "filter callback exception." + ex.Message); return(false); } }