Overview of Process Monitoring with CBFS Filter

Summary

CBProcess is a component of CBFS Filter, an SDK and library designed for monitoring and controlling various system activities, including the lifecycle of processes and threads, filesystem operations, and registry operations. This component—available as a class, struct, or trait depending on the programming language—enables developers to monitor operations related to processes and threads within their Windows applications. This article reviews the purpose, features, architecture, and applications of the CBProcess component.

Introduction

Windows provides a mechanism that notifies interested drivers about the creation and termination of processes and threads. The CBProcess driver leverages this mechanism to make notifications and supplementary information available to user-mode processes. Applications can react when a process is created or exits, or when a thread is created or exits, enabling them to take appropriate actions. Potential applications for this technology include data encryption, compression, data leak prevention, user isolation, backup and recovery, and more.

Monitoring of processes and threads plays a role in multiple scenarios:

1. Data Leak Prevention (DLP)
   • Use case: In corporate environments, sensitive data leakage can lead to significant security breaches. By using CBProcess, organizations can monitor process activity to prevent unauthorized access or data transmission.
   • Example: If a process is launched that is known to be able to leak the data, the system can trigger alerts or block the action.
2. Malware Detection
   • Use case: Security solutions can utilize CBProcess to detect the creation of potentially malicious processes.
   • Example: An application can analyze the executable and libraries used by the process being started for signs of malware and take action, such as quarantining the process or alerting the user.
3. Performance Monitoring
   • Use case: Applications that require monitoring resource usage can leverage CBProcess to track the lifecycle of processes and threads, enabling performance optimizations.
   • Example: An application can monitor which processes consume excessive CPU or memory and automatically adjust resources or notify administrators.
4. Backup and Recovery Solutions
   • Use case: Backup applications can utilize CBProcess to ensure that active processes are paused or completed before initiating backups to prevent data corruption.
   • Example: The backup system can monitor the creation of processes associated with critical applications and pause the backup operation until those processes are completed.
5. Auditing and Compliance
   • Use case: Organizations that must comply with regulatory requirements can use CBProcess to maintain an audit trail of process activity.
   • Example: By logging all process and thread creations and terminations, companies can create a detailed report to demonstrate compliance during audits.
6. File and Registry Operations Monitoring
   • Use case: CBProcess can be integrated with other components of CBFS Filter to provide a comprehensive view of file and registry changes related to specific processes.
   • Example: An application can detect starting and stopping of certain processes and dynamically add and remove process-specific filter rules in CBFilter and CBRegistry components.

What CBProcess Offers

With CBProcess, application developers can easily enhance their applications with powerful features without having to dive into kernel-mode development. CBProcess includes a pre-built kernel-mode driver and a user-mode library (which can be a component, class, struct, or trait). The user-mode library is what applications use to access the available functionality, while the driver is installed just once during the application installation. After that, the application doesn't directly communicate with the driver.

CBProcess can be used in Windows applications developed in C#, C++, Python, Java and Java-compatible languages (Kotlin, Scala, Groovy), Go, Rust, and Delphi.

Monitoring and control capabilities

With CBProcess, you can capture and intercept the following types of operations:

• process creation
• process termination
• thread creation
• thread termination
• opening a process handle
• duplicating a process handle
• opening a thread handle
• duplicating a thread handle

Each operation is delivered to the application as an event or a callback function, depending on the programming language used.

For each operation, an application can request the security token of the process that initiated it (the originator process); in the case of process or thread creation, this token belongs to the creator. From this token, the application can retrieve various information, such as the Security Identifier (SID) and the name of the user associated with the originator process. Additionally, each operation includes operation-specific details.

The process creation event provides information about which process created a child process and identifies its parent process (which may be different from the creator). This event also supplies the command-line parameters, the process name, and the path to the image file of the process being created. Furthermore, the application can block the creation of the process.

The thread creation event includes the IDs of the creator process and thread, the process in which the new thread is created (which can differ from the creator process), and the ID of the new thread.

The process termination event provides the ID and name of the terminating process, while the thread termination event includes the ID of the terminating thread and the ID of the process to which that thread belongs.

Additionally, two events are triggered when a process or thread handle is opened or duplicated. Opening a handle to a process or thread is essential for any application that needs to suspend, resume, or terminate a process or thread, or that intends to create a new process or thread within an existing process. A handle is also required to write to the process memory or change thread parameters. By handling these events, an application can revoke permissions from the handle, effectively preventing further operations on the process or thread associated with that handle.

For simpler scenarios, CBProcess offers a way to create a static snapshot of running processes, including their process names, IDs, and optionally command lines.

Performance Considerations

All events are fired synchronously, meaning that when an event is triggered, the operation hasn't completed yet, and processing must wait for the event handler to finish before the operation can continue. CBProcess optimizes performance by allowing applications to set rules that define which processes to track. You can include or exclude specific process names and, for running processes, specific PIDs (process IDs).

Since the driver handles all requests for thread and handle operations, improper configuration can negatively affect performance or even block the system entirely. CBProcess provides several ways to minimize this impact.

First, applications should establish rules that focus on the specific processes of interest while bypassing others. If all processes must be covered, it's crucial to minimize the activity in event handlers to reduce delays in processing system operations.

Another way to enhance performance is by carefully selecting which events should be triggered. The events to be fired are specified in the call to the StartFilter method.

Additionally, one of the parameters of the StartFilter method is the timeout, which defines the duration allowed for event handlers to execute before they are considered expired and processing resumes. This timeout helps prevent system-wide blockage when an event handler takes too long to complete.

Getting Started with CBProcess

You can find an evaluation version of the SDK for your platform and programming language in the Download Center. After downloading and installing the SDK, you will receive a library, sample code, and comprehensive documentation on your system. The documentation includes a "Getting Started" section with programming instructions. Additionally, free technical support is available during the evaluation phase.