anti encryption filter

Dor2003ger Member Posts: 21
edited January 27 in NTFSD
Hey, I'm working on an anti-encryption filter driver. My detection logic runs at cleanup, so as long as the handle is still open no encryption will be identified. As a result I'm trying to deal with the following scenario:
1. Process encrypts files
2. Process copies the encrypted files
3. Process closes the handle

Since taking a copy is just a few reads and writes at the end of the day, what would be an approach to prevent "2"? (Prevent the presence of those "encrypted files" upon detection.)
I thought of the following options:
1. Move some detection logic to post-write, save the potentially encrypted content, and check if it's ever written to another file; if so, mark the target file as encrypted too.
2. Somehow detect copy operations, and whenever a file marked as encrypted is copied, mark the copy as encrypted too (that would again require being able to identify a file as encrypted within the write filter).

Would appreciate it if anyone is willing to share his thoughts regarding approaching this problem.
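One way to prototype the first option (flag a write whose content looks like ciphertext in the post-write path, then recognise the same chunk when it is written to a different file), as an added user-mode C sketch that is not code from the original post: the thresholds, the fixed-size tracking table and the constructed inputs are assumptions, and a real minifilter would keep the table in per-stream contexts under a lock.

```c
#include <stdint.h>
#include <stddef.h>
#define MIN_SAMPLE 512        /* assumption: writes smaller than this are not judged */
#define CHI_SQUARE_MAX 400.0  /* assumption: uniform 4 KiB scores ~255; tune per workload */
#define MAX_TRACKED 64

/* Chi-square distance of the byte histogram from uniform; ciphertext scores low. */
double chi_square_uniform(const uint8_t *buf, size_t len) {
    size_t counts[256] = {0};
    double expected = (double)len / 256.0, chi = 0.0;
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    for (int b = 0; b < 256; b++) { double d = (double)counts[b] - expected; chi += d * d / expected; }
    return chi;
}

/* FNV-1a over the written bytes: lets the same chunk be recognised in another file later. */
uint64_t fingerprint(const uint8_t *buf, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= 0x100000001b3ULL; }
    return h;
}

static struct { uint64_t fp; int file_id; } tracked[MAX_TRACKED];
static size_t ntracked;

/* Post-write decision for one completed write to file_id: 1 = mark the file suspected-encrypted,
   because the buffer looks like ciphertext or repeats a chunk already flagged in another file. */
int on_post_write(int file_id, const uint8_t *buf, size_t len) {
    uint64_t fp = fingerprint(buf, len);
    for (size_t i = 0; i < ntracked; i++)
        if (tracked[i].fp == fp && tracked[i].file_id != file_id) return 1;
    if (len < MIN_SAMPLE || chi_square_uniform(buf, len) > CHI_SQUARE_MAX) return 0;
    if (ntracked < MAX_TRACKED) { tracked[ntracked].fp = fp; tracked[ntracked++].file_id = file_id; }
    return 1;
}

/* Constructed inputs: xorshift32 output stands in for ciphertext, repeated ASCII for plaintext. */
static void fill_pseudorandom(uint8_t *buf, size_t len, uint32_t s) {
    for (size_t i = 0; i < len; i++) { s ^= s << 13; s ^= s >> 17; s ^= s << 5; buf[i] = (uint8_t)(s >> 24); }
}
static const char TEXT[] = "The quick brown fox jumps over the lazy dog. ";

/* The scenario from the post: encrypt into file 1, copy it to file 2, then a benign text write to file 3. */
int demo_scenario(void) {
    static uint8_t enc[4096], txt[4096];
    fill_pseudorandom(enc, sizeof enc, 0x9E3779B9u);
    for (size_t i = 0; i < sizeof txt; i++) txt[i] = (uint8_t)TEXT[i % (sizeof TEXT - 1)];
    ntracked = 0;
    int flagged_original = on_post_write(1, enc, sizeof enc);
    int flagged_copy = on_post_write(2, enc, sizeof enc);
    int flagged_text = on_post_write(3, txt, sizeof txt);
    return flagged_original && flagged_copy && !flagged_text;
}
```

A copier may re-chunk the data at different sizes and offsets than the encryptor's writes, so fingerprinting whole write buffers only matches when both use the same write size; fingerprinting fixed, aligned blocks of the file is more robust.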
