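        /// <summary>
        /// Resets the three "selected" rule objects to a fresh default sandbox rooted
        /// at the placeholder path this method writes into <c>textBox_SandboxFolder</c>.
        /// </summary>
        /// <remarks>
        /// The defaults are restrictive for binaries running inside the sandbox: full
        /// rights to the sandbox folder itself, read access to <c>c:\windows\*</c> so
        /// system DLLs/EXEs can still be loaded, and the least-access flag for every
        /// other path. New process creation is denied, the sandbox folder is marked for
        /// file encryption, and explorer.exe is denied the right to read those files
        /// decrypted. Nothing is persisted here; the caller saves the rules.
        /// </remarks>
        void InitNewFilterRule()
        {
            selectedFilterRule         = new FilterRule();
            selectedProcessFilterRule  = new ProcessFilterRule();
            selectedRegistryFilterRule = new RegistryFilterRule();

            textBox_SandboxFolder.Text = "c:\\newSandboxFolder";

            // Read the folder once, trimmed, so the file/process/registry masks and the
            // process access-rights entry all refer to exactly the same path string.
            string sandboxFolder = textBox_SandboxFolder.Text.Trim();
            string sandboxMask   = sandboxFolder + "\\*";

            selectedFilterRule.IncludeFileFilterMask         = sandboxMask;
            selectedProcessFilterRule.ProcessNameFilterMask  = sandboxMask;
            selectedRegistryFilterRule.ProcessNameFilterMask = sandboxMask;

            // By default allow the binaries inside the sandbox to read/write the registry.
            selectedRegistryFilterRule.AccessFlag = FilterAPI.MAX_REGITRY_ACCESS_FLAG;

            selectedProcessFilterRule.ProcessId = selectedRegistryFilterRule.ProcessId = "";

            // By default the sandboxed executable may not spawn new processes.
            selectedProcessFilterRule.ControlFlag = (uint)FilterAPI.ProcessControlFlag.DENY_NEW_PROCESS_CREATION;

            // Access-rights entries are "path!flags;" triples, evaluated for every binary
            // inside the sandbox. First: maximum rights to the sandbox folder itself.
            selectedProcessFilterRule.FileAccessRights = sandboxFolder + "!" + FilterAPI.ALLOW_MAX_RIGHT_ACCESS.ToString() + ";";
            // Windows DLLs/EXEs must stay readable or the process cannot be loaded.
            // NOTE(review): the system drive is hard-coded as c:; confirm this matches
            // the target machine before relying on the rule.
            selectedProcessFilterRule.FileAccessRights += "c:\\windows\\*!" + FilterAPI.ALLOW_FILE_READ_ACCESS + ";";
            // No access rights to all other folders by default.
            selectedProcessFilterRule.FileAccessRights += "*!" + ((uint)FilterAPI.AccessFlag.LEAST_ACCESS_FLAG).ToString() + ";";

            // By default the sandbox folder cannot be read/written by outside processes;
            // a process that needs the sandbox must be granted rights explicitly.
            selectedFilterRule.AccessFlag = (uint)(FilterAPI.ALLOW_MAX_RIGHT_ACCESS | (uint)FilterAPI.AccessFlag.ENABLE_FILE_ENCRYPTION_RULE);
            // Deny explorer.exe the right to read the encrypted files, so a copy made
            // from Explorer stays encrypted.
            selectedFilterRule.ProcessRights = "explorer.exe!" + ((uint)FilterAPI.ALLOW_MAX_RIGHT_ACCESS & ~(uint)(FilterAPI.AccessFlag.ALLOW_READ_ENCRYPTED_FILES)).ToString() + ";";
        }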
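        /// <summary>
        /// Makes <paramref name="filterRule"/> the rule being edited and looks up the
        /// process and registry rules that share its <c>IncludeFileFilterMask</c>,
        /// falling back to empty rules when none are configured.
        /// </summary>
        /// <param name="filterRule">The file filter rule to select; must not be null.</param>
        /// <exception cref="ArgumentNullException">
        /// Thrown when <paramref name="filterRule"/> is null, before any of the
        /// selected-rule fields are modified (a null used to null out the file rule
        /// and then fail on the mask lookup, leaving the three fields inconsistent).
        /// </exception>
        void SetSelectedFilterRule(FilterRule filterRule)
        {
            if (filterRule is null)
            {
                throw new ArgumentNullException(nameof(filterRule));
            }

            selectedFilterRule = filterRule;

            // Companion rules are keyed by the file mask. The first lookup argument is ""
            // at every call site in this form; what it selects on is not visible here.
            string mask = selectedFilterRule.IncludeFileFilterMask;

            selectedProcessFilterRule  = GlobalConfig.GetProcessFilterRule("", mask)  ?? new ProcessFilterRule();
            selectedRegistryFilterRule = GlobalConfig.GetRegistryFilterRule("", mask) ?? new RegistryFilterRule();
        }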
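        /// <summary>
        /// Connects to the filter driver and pushes the current configuration to it.
        /// </summary>
        /// <param name="sender">The tool-strip button. When null (presumably a
        /// programmatic invocation) the "no registry rules" fallback and its message
        /// box are skipped.</param>
        /// <param name="e">Unused.</param>
        /// <remarks>
        /// A failed <c>FilterAPI.StartFilter</c> is shown to the user and written to the
        /// event log; any other exception is only logged, so the buttons keep their
        /// previous enabled state in that case.
        /// </remarks>
        private void toolStripButton_StartFilter_Click(object sender, EventArgs e)
        {
            try
            {
                string lastError = string.Empty;

                bool started = FilterAPI.StartFilter((int)GlobalConfig.FilterConnectionThreads
                                                     , registerKey
                                                     , new FilterAPI.FilterDelegate(FilterCallback)
                                                     , new FilterAPI.DisconnectDelegate(DisconnectCallback)
                                                     , ref lastError);
                if (!started)
                {
                    // Log as well as display: a failed start of the protection is an
                    // operational event, not only a UI one.
                    EventManager.WriteMessage(104, "StartFilter", EventLevel.Error, "Start filter failed. " + lastError);
                    MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
                    MessageBox.Show("Start filter failed. " + lastError);
                    return;
                }

                toolStripButton_StartFilter.Enabled = false;
                toolStripButton_Stop.Enabled        = true;

                if (GlobalConfig.RegistryFilterRules.Count == 0 && null != sender)
                {
                    AddDefaultRegistryFilterRule();
                }

                GlobalConfig.SendConfigSettingsToFilter();

                EventManager.WriteMessage(102, "StartFilter", EventLevel.Information, "Start filter service succeeded.");
            }
            catch (Exception ex)
            {
                EventManager.WriteMessage(104, "StartFilter", EventLevel.Error, "Start filter service failed with error " + ex.Message);
            }
        }

        /// <summary>
        /// Adds a catch-all registry rule ("*" process mask, maximum registry access
        /// flag) so that, with no rules configured, all registry access is monitored,
        /// and tells the user that this default was applied.
        /// </summary>
        private void AddDefaultRegistryFilterRule()
        {
            // Callback-class value carried over from the existing rule setup; its meaning
            // is not documented in this file. TODO(review): confirm against the
            // FilterAPI registry callback-class definitions.
            const long DefaultRegCallbackClass = 93092006832128;

            RegistryFilterRule regFilterRule = new RegistryFilterRule();
            regFilterRule.ProcessNameFilterMask = "*";
            regFilterRule.AccessFlag            = FilterAPI.MAX_REGITRY_ACCESS_FLAG;
            regFilterRule.RegCallbackClass      = DefaultRegCallbackClass;

            GlobalConfig.AddRegistryFilterRule(regFilterRule);

            MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
            MessageBox.Show("You didn't set up any filter rule; by default it will monitor all registry access.");
        }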
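        /// <summary>
        /// Removes every sandbox selected in the list view together with its companion
        /// process and registry rules, saves the configuration once, and re-selects the
        /// first remaining rule (or clears the selection when none is left).
        /// </summary>
        /// <param name="sender">Unused.</param>
        /// <param name="e">Unused.</param>
        private void button_DeleteSandbox_Click(object sender, EventArgs e)
        {
            if (listView_Sandbox.SelectedItems.Count == 0)
            {
                MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
                MessageBox.Show("There is no sandbox selected.", "Delete sandbox", MessageBoxButtons.OK, MessageBoxIcon.Error);
                return;
            }

            foreach (System.Windows.Forms.ListViewItem item in listView_Sandbox.SelectedItems)
            {
                RemoveSandboxRules((FilterRule)item.Tag);
            }

            // One save for the whole batch instead of one write per deleted sandbox.
            GlobalConfig.SaveConfigSetting();

            // NOTE(review): nothing here pushes the change to a running filter (compare
            // SendConfigSettingsToFilter in the start handler). Confirm whether
            // SaveConfigSetting does that; otherwise the driver may keep applying the
            // deleted rules until the filter is restarted.

            if (GlobalConfig.FilterRules.Count > 0)
            {
                SetSelectedFilterRule(GlobalConfig.FilterRules.Values.First().Copy());
            }
            else
            {
                selectedFilterRule = null;
            }

            InitListView();
        }

        /// <summary>
        /// Removes one sandbox's file rule and, when present, the process and registry
        /// rules keyed by the same <c>IncludeFileFilterMask</c>. Does not save.
        /// </summary>
        /// <param name="filterRule">The file filter rule of the sandbox to remove.</param>
        private void RemoveSandboxRules(FilterRule filterRule)
        {
            string mask = filterRule.IncludeFileFilterMask;

            GlobalConfig.RemoveFilterRule(mask);

            ProcessFilterRule processFilterRule = GlobalConfig.GetProcessFilterRule("", mask);
            if (null != processFilterRule)
            {
                GlobalConfig.RemoveProcessFilterRule(processFilterRule);
            }

            RegistryFilterRule registryFilterRule = GlobalConfig.GetRegistryFilterRule("", mask);
            if (null != registryFilterRule)
            {
                GlobalConfig.RemoveRegistryFilterRule(registryFilterRule);
            }
        }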