Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Problems with a disk encryption filter driver

OSR_Community_UserOSR_Community_User Member Posts: 110,217
Hi all,

I am developing a filter driver for xp. It encrypts/decrypts the whole
disk except the MBR.

My filter driver is an upper filter over the DiskDrive and FloppyDisk
devices, with SERVICE_BOOT_START StartType.

First, I have tested the driver with the floppy device and it works
perfectly :D

Then, I installed the driver attaching it, additionally, to the
harddisk device and rebooted the machine.

At boot, the MBR loads two sectors (not encrypted) containing some code
that hooks the int 13h. This code processes CHS and LBA reads decrypting
the resulting buffers. The writings are not allowed.

Additionally, in the first boot, this code (the-two-sectors-code)
encrypts the whole disk except the MBR. Then, it loads the boot sector
and jumps to this code (boot sector code). Now, the boot sector will
continue loading the needed sectors and the int 13h will decrypt them
transparently.

Windows XP boots and shows the login screen. I enter in the session and
the "new hardware wizard" appears saying someting about new hardware
found ¿?. Then, it says that the new hardware is configured and that it
is necessary to reboot the system.

In the next boot (and the next, ...), there are possibilities around
80% that scandisk appears due coherency problems in the filesystem.

Why? I suppose that this two weird things (new hardware and coherency
problem) arise because some data corruption in the readings/writings in
the disk. I am lost. I've reviewed the code but this is my first driver
and all seems ok, at least for me :)

I am including the code relative to IRP_MJ_READ and IRP_MJ_WRITE
process and the encryption procedure (a simple dword xor) but if someone
needs more info, please, ask me:

<------------------------------------------------------------------------------->

//
// FCifradorReadWrite
//
NTSTATUS
FCifradorReadWrite(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
PIO_STACK_LOCATION IrpS = IoGetCurrentIrpStackLocation (Irp);
PIO_STACK_LOCATION NextIrpS = IoGetNextIrpStackLocation (Irp);
PDEVICE_EXTENSION deviceExtension;
BOOLEAN enter = TRUE;
PUCHAR address;
PMDL ptr;

deviceExtension = (PDEVICE_EXTENSION) DeviceObject->DeviceExtension;

// IRP_MJ_WRITE -> Cipher
if ((IrpS->MajorFunction == IRP_MJ_WRITE) && IrpS->Parameters.Write.Length)
{
for (ptr = Irp->MdlAddress; ptr != NULL; ptr = ptr->Next)
{
address = MmGetSystemAddressForMdlSafe (ptr, HighPagePriority);

// The pages couldn't be mapped
if (address == NULL)
{
DbgPrint("filtro_cifrador: FCifradorReadWrite - No pudo mapearse
MdlAddress.\n");
return STATUS_INSUFFICIENT_RESOURCES;
}

// The sector 0 (MBR) must not be ciphered
if (enter && ((IrpS->Parameters.Write.ByteOffset.QuadPart / 512) == 0))
{
enter = FALSE;
FCifradorCipher (address + 512, MmGetMdlByteCount (ptr) - 512);
}
else
{
FCifradorCipher (address, MmGetMdlByteCount (ptr));
}
}
}

//
// Copy current stack to next stack.
//
*NextIrpS = *IrpS;

// Add the completion routine
IoSetCompletionRoutine (Irp, FCifradorCompletion, DeviceObject, TRUE,
TRUE, TRUE);

//
// Return the results of the call to the disk driver.
//
return IoCallDriver(deviceExtension->TargetDeviceObject, Irp);
}

//
// FCifradorCompletion
//
NTSTATUS
FCifradorCompletion(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context
)
{
PIO_STACK_LOCATION IrpS = IoGetCurrentIrpStackLocation (Irp);
BOOLEAN enter = TRUE;
PUCHAR address;
PMDL ptr;

UNREFERENCED_PARAMETER (Context);

// Tratar el IRP
if (IrpS->MajorFunction == IRP_MJ_READ)
{
if (IrpS->Parameters.Read.Length)
{
for (ptr = Irp->MdlAddress; ptr != NULL; ptr = ptr->Next)
{
address = MmGetSystemAddressForMdlSafe (ptr, HighPagePriority);

// The pages couldn't be mapped
if (address == NULL)
return STATUS_INSUFFICIENT_RESOURCES;

// The sector 0 (MBR) must not be deciphered
if (enter && ((IrpS->Parameters.Read.ByteOffset.QuadPart / 512) == 0))
{
enter = FALSE;
FCifradorCipher (address + 512, MmGetMdlByteCount (ptr) - 512);
}
else
{
FCifradorCipher (address, MmGetMdlByteCount (ptr));
}
}
}
}
else // IRP_MJ_WRITE //
{
if (IrpS->Parameters.Write.Length)
{
for (ptr = Irp->MdlAddress; ptr != NULL; ptr = ptr->Next)
{
address = MmGetSystemAddressForMdlSafe (ptr, HighPagePriority);

// The pages couldn't be mapped
if (address == NULL)
return STATUS_INSUFFICIENT_RESOURCES;

// The sector 0 (MBR) must not be deciphered
if (enter && ((IrpS->Parameters.Write.ByteOffset.QuadPart / 512) == 0))
{
enter = FALSE;
FCifradorCipher (address + 512, MmGetMdlByteCount (ptr) - 512);
}
else
{
FCifradorCipher (address, MmGetMdlByteCount (ptr));
}
}
}
}

// Check IrPending flag
if (Irp->PendingReturned)
{
IoMarkIrpPending(Irp);
}

return STATUS_SUCCESS;
}

//
// FCifradorCipher
//
VOID
FCifradorCipher (
IN PUCHAR address,
IN ULONG bytes
)
{
ULONG i;
DWORD t;

if (bytes == 0)
return;

// XOR one dword with 0x01020304
for (i = 0; i < bytes; i += 4)
{
t = 0x00000000;
t = address[i + 3];
t = (t << 8) | address[i + 2];
t = (t << 8) | address[i + 1];
t = (t << 8) | address[i];
t ^= 0x01020304;

address[i] = (BYTE) t;
address[i + 1] = (BYTE) (t >> 8);
address[i + 2] = (BYTE) (t >> 16);
address[i + 3] = (BYTE) (t >> 24);
}

return;
}

<------------------------------------------------------------------------------->

Thanks in advance,

Rafa.

Comments

  • Maxim_S._ShatskihMaxim_S._Shatskih Member Posts: 10,396
    Note: IoReadPartitionTable is not subject to filtering. It ignores the disk
    upper filters. Possibly this is a bug, but nevertheless it is so.

    Maxim Shatskih, Windows DDK MVP
    StorageCraft Corporation
    [email protected]
    http://www.storagecraft.com

    ----- Original Message -----
    From: "Rafa" <[email protected]>
    To: "Windows System Software Devs Interest List" <[email protected]>
    Sent: Sunday, August 22, 2004 6:19 PM
    Subject: [ntdev] Problems with a disk encryption filter driver


    > Hi all,
    >
    > I am developing a filter driver for xp. It encrypts/decrypts the whole
    > disk except the MBR.
    >
    > My filter driver is an upper filter over the DiskDrive and FloppyDisk
    > devices, with SERVICE_BOOT_START StartType.
    >
    > First, I have tested the driver with the floppy device and it works
    > perfectly :D
    >
    > Then, I installed the driver attaching it, additionally, to the
    > harddisk device and rebooted the machine.
    >
    > At boot, the MBR loads two sectors (not encrypted) containing some code
    > that hooks the int 13h. This code processes CHS and LBA reads decrypting
    > the resulting buffers. The writings are not allowed.
    >
    > Additionally, in the first boot, this code (the-two-sectors-code)
    > encrypts the whole disk except the MBR. Then, it loads the boot sector
    > and jumps to this code (boot sector code). Now, the boot sector will
    > continue loading the needed sectors and the int 13h will decrypt them
    > transparently.
    >
    > Windows XP boots and shows the login screen. I enter in the session and
    > the "new hardware wizard" appears saying someting about new hardware
    > found ¿?. Then, it says that the new hardware is configured and that it
    > is necessary to reboot the system.
    >
    > In the next boot (and the next, ...), there are possibilities around
    > 80% that scandisk appears due coherency problems in the filesystem.
    >
    > Why? I suppose that this two weird things (new hardware and coherency
    > problem) arise because some data corruption in the readings/writings in
    > the disk. I am lost. I've reviewed the code but this is my first driver
    > and all seems ok, at least for me :)
    >
    > I am including the code relative to IRP_MJ_READ and IRP_MJ_WRITE
    > process and the encryption procedure (a simple dword xor) but if someone
    > needs more info, please, ask me:
    >
    >
    <------------------------------------------------------------------------------
    ->
    >
    > //
    > // FCifradorReadWrite
    > //
    > NTSTATUS
    > FCifradorReadWrite(
    > IN PDEVICE_OBJECT DeviceObject,
    > IN PIRP Irp
    > )
    > {
    > PIO_STACK_LOCATION IrpS = IoGetCurrentIrpStackLocation (Irp);
    > PIO_STACK_LOCATION NextIrpS = IoGetNextIrpStackLocation (Irp);
    > PDEVICE_EXTENSION deviceExtension;
    > BOOLEAN enter = TRUE;
    > PUCHAR address;
    > PMDL ptr;
    >
    > deviceExtension = (PDEVICE_EXTENSION) DeviceObject->DeviceExtension;
    >
    > // IRP_MJ_WRITE -> Cipher
    > if ((IrpS->MajorFunction == IRP_MJ_WRITE) && IrpS->Parameters.Write.Length)
    > {
    > for (ptr = Irp->MdlAddress; ptr != NULL; ptr = ptr->Next)
    > {
    > address = MmGetSystemAddressForMdlSafe (ptr, HighPagePriority);
    >
    > // The pages couldn't be mapped
    > if (address == NULL)
    > {
    > DbgPrint("filtro_cifrador: FCifradorReadWrite - No pudo mapearse
    > MdlAddress.\n");
    > return STATUS_INSUFFICIENT_RESOURCES;
    > }
    >
    > // The sector 0 (MBR) must not be ciphered
    > if (enter && ((IrpS->Parameters.Write.ByteOffset.QuadPart / 512) == 0))
    > {
    > enter = FALSE;
    > FCifradorCipher (address + 512, MmGetMdlByteCount (ptr) - 512);
    > }
    > else
    > {
    > FCifradorCipher (address, MmGetMdlByteCount (ptr));
    > }
    > }
    > }
    >
    > //
    > // Copy current stack to next stack.
    > //
    > *NextIrpS = *IrpS;
    >
    > // Add the completion routine
    > IoSetCompletionRoutine (Irp, FCifradorCompletion, DeviceObject, TRUE,
    > TRUE, TRUE);
    >
    > //
    > // Return the results of the call to the disk driver.
    > //
    > return IoCallDriver(deviceExtension->TargetDeviceObject, Irp);
    > }
    >
    > //
    > // FCifradorCompletion
    > //
    > NTSTATUS
    > FCifradorCompletion(
    > IN PDEVICE_OBJECT DeviceObject,
    > IN PIRP Irp,
    > IN PVOID Context
    > )
    > {
    > PIO_STACK_LOCATION IrpS = IoGetCurrentIrpStackLocation (Irp);
    > BOOLEAN enter = TRUE;
    > PUCHAR address;
    > PMDL ptr;
    >
    > UNREFERENCED_PARAMETER (Context);
    >
    > // Tratar el IRP
    > if (IrpS->MajorFunction == IRP_MJ_READ)
    > {
    > if (IrpS->Parameters.Read.Length)
    > {
    > for (ptr = Irp->MdlAddress; ptr != NULL; ptr = ptr->Next)
    > {
    > address = MmGetSystemAddressForMdlSafe (ptr, HighPagePriority);
    >
    > // The pages couldn't be mapped
    > if (address == NULL)
    > return STATUS_INSUFFICIENT_RESOURCES;
    >
    > // The sector 0 (MBR) must not be deciphered
    > if (enter && ((IrpS->Parameters.Read.ByteOffset.QuadPart / 512) == 0))
    > {
    > enter = FALSE;
    > FCifradorCipher (address + 512, MmGetMdlByteCount (ptr) - 512);
    > }
    > else
    > {
    > FCifradorCipher (address, MmGetMdlByteCount (ptr));
    > }
    > }
    > }
    > }
    > else // IRP_MJ_WRITE //
    > {
    > if (IrpS->Parameters.Write.Length)
    > {
    > for (ptr = Irp->MdlAddress; ptr != NULL; ptr = ptr->Next)
    > {
    > address = MmGetSystemAddressForMdlSafe (ptr, HighPagePriority);
    >
    > // The pages couldn't be mapped
    > if (address == NULL)
    > return STATUS_INSUFFICIENT_RESOURCES;
    >
    > // The sector 0 (MBR) must not be deciphered
    > if (enter && ((IrpS->Parameters.Write.ByteOffset.QuadPart / 512) == 0))
    > {
    > enter = FALSE;
    > FCifradorCipher (address + 512, MmGetMdlByteCount (ptr) - 512);
    > }
    > else
    > {
    > FCifradorCipher (address, MmGetMdlByteCount (ptr));
    > }
    > }
    > }
    > }
    >
    > // Check IrPending flag
    > if (Irp->PendingReturned)
    > {
    > IoMarkIrpPending(Irp);
    > }
    >
    > return STATUS_SUCCESS;
    > }
    >
    > //
    > // FCifradorCipher
    > //
    > VOID
    > FCifradorCipher (
    > IN PUCHAR address,
    > IN ULONG bytes
    > )
    > {
    > ULONG i;
    > DWORD t;
    >
    > if (bytes == 0)
    > return;
    >
    > // XOR one dword with 0x01020304
    > for (i = 0; i < bytes; i += 4)
    > {
    > t = 0x00000000;
    > t = address[i + 3];
    > t = (t << 8) | address[i + 2];
    > t = (t << 8) | address[i + 1];
    > t = (t << 8) | address[i];
    > t ^= 0x01020304;
    >
    > address[i] = (BYTE) t;
    > address[i + 1] = (BYTE) (t >> 8);
    > address[i + 2] = (BYTE) (t >> 16);
    > address[i + 3] = (BYTE) (t >> 24);
    > }
    >
    > return;
    > }
    >
    >
    <------------------------------------------------------------------------------
    ->
    >
    > Thanks in advance,
    >
    > Rafa.
    >
    > ---
    > Questions? First check the Kernel Driver FAQ at
    http://www.osronline.com/article.cfm?id=256
    >
    > You are currently subscribed to ntdev as: [email protected]
    > To unsubscribe send a blank email to [email protected]
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Hi Maxim,

    I think that's not a problem because the Partition Table (really, the
    sector 0) at the MBR is not encrypted and the filter driver does not
    encrypt/decrypt the accesses to the sector 0.

    Besides, the harddisk that I'm talking about has only one primary
    partition. I'm not interested in logic partitions because this is a
    concept-proof driver (at least, for now ;) ).

    Maxim S. Shatskih wrote:
    > Note: IoReadPartitionTable is not subject to filtering. It ignores the disk
    > upper filters. Possibly this is a bug, but nevertheless it is so.
    >
    > Maxim Shatskih, Windows DDK MVP
    > StorageCraft Corporation
    > [email protected]
    > http://www.storagecraft.com
    >
    > ---
    > Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
    >
    > You are currently subscribed to ntdev as: [email protected]
    > To unsubscribe send a blank email to [email protected]
    >
  • David_J._CraigDavid_J._Craig Member Posts: 1,885
    Why not just look for "SafeBoot"? That is a good proof of concept as it
    works and has for several years.

    "Rafa" wrote in message news:[email protected]
    > Hi Maxim,
    >
    > I think that's not a problem because the Partition Table (really, the
    > sector 0) at the MBR is not encrypted and the filter driver does not
    > encrypt/decrypt the accesses to the sector 0.
    >
    > Besides, the harddisk that I'm talking about has only one primary
    > partition. I'm not interested in logic partitions because this is a
    > concept-proof driver (at least, for now ;) ).
    >
    > Maxim S. Shatskih wrote:
    >> Note: IoReadPartitionTable is not subject to filtering. It ignores
    >> the disk
    >> upper filters. Possibly this is a bug, but nevertheless it is so.
    >>
    >> Maxim Shatskih, Windows DDK MVP
    >> StorageCraft Corporation
    >> [email protected]
    >> http://www.storagecraft.com
    >>
    >> ---
    >> Questions? First check the Kernel Driver FAQ at
    >> http://www.osronline.com/article.cfm?id=256
    >>
    >> You are currently subscribed to ntdev as: [email protected]
    >> To unsubscribe send a blank email to [email protected]
    >>
    >
    >
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Hi David,

    Do you mean the "Safe Boot" mode? I don't understand how that could be
    useful.

    I'm sorry, if I've misunderstood you.

    Oh, when I'm talking about the proof of concept I'm referring to
    include very simple cases of partitions. As much, four primary
    partitions but the part relative to encryption/decryption must be
    accomplished.

    In my code, when my driver processes an IRP_MJ_READ or IRP_MJ_WRITE, it
    works encrypting/decrypting directly the buffer at Irp->MdlAdress. Is
    correct this approach?

    It seems that some kind of writing (reading?), that my filter does not
    treat correctly, introduces corruption in the filesystem but I cannot
    see why. Any suggestions?

    Thanks in advance,

    Rafa.


    David J. Craig wrote:
    > Why not just look for "SafeBoot"? That is a good proof of concept as it
    > works and has for several years.
    >
    > "Rafa" <[email protected]> wrote in message news:[email protected]
    >
    >>Hi Maxim,
    >>
    >>I think that's not a problem because the Partition Table (really, the
    >>sector 0) at the MBR is not encrypted and the filter driver does not
    >>encrypt/decrypt the accesses to the sector 0.
    >>
    >>Besides, the harddisk that I'm talking about has only one primary
    >>partition. I'm not interested in logic partitions because this is a
    >>concept-proof driver (at least, for now ;) ).
    >>
    >>Maxim S. Shatskih wrote:
    >>
    >>> Note: IoReadPartitionTable is not subject to filtering. It ignores
    >>>the disk
    >>>upper filters. Possibly this is a bug, but nevertheless it is so.
    >>>
    >>>Maxim Shatskih, Windows DDK MVP
    >>>StorageCraft Corporation
    >>>[email protected]
    >>>http://www.storagecraft.com
    >>>
    >>>---
    >>>Questions? First check the Kernel Driver FAQ at
    >>>http://www.osronline.com/article.cfm?id=256
    >>>
    >>>You are currently subscribed to ntdev as: [email protected]
    >>>To unsubscribe send a blank email to [email protected]
    >>>
    >>
    >>
    >
    >
    >
    > ---
    > Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
    >
    > You are currently subscribed to ntdev as: [email protected]
    > To unsubscribe send a blank email to [email protected]
    >
  • David_J._CraigDavid_J._Craig Member Posts: 1,885
    Did I write "Safe Boot" mode? I put it in quotes as "SafeBoot" as a fairly
    too subtle hint you should search Google for it. Or maybe just try
    www.safeboot.com. If you look at that product, which I have no relationship
    too, you can find your proof of concept. If it works and yours doesn't,
    then it leads me to believe that the problem is in your code.

    "Rafa" wrote in message news:[email protected]
    > Hi David,
    >
    > Do you mean the "Safe Boot" mode? I don't understand how that could be
    > useful.
    >
    > I'm sorry, if I've misunderstood you.
    >
    > Oh, when I'm talking about the proof of concept I'm referring to include
    > very simple cases of partitions. As much, four primary partitions but the
    > part relative to encryption/decryption must be accomplished.
    >
    > In my code, when my driver processes an IRP_MJ_READ or IRP_MJ_WRITE, it
    > works encrypting/decrypting directly the buffer at Irp->MdlAdress. Is
    > correct this approach?
    >
    > It seems that some kind of writing (reading?), that my filter does not
    > treat correctly, introduces corruption in the filesystem but I cannot see
    > why. Any suggestions?
    >
    > Thanks in advance,
    >
    > Rafa.
    >
    >
    > David J. Craig wrote:
    >> Why not just look for "SafeBoot"? That is a good proof of concept as it
    >> works and has for several years.
    >>
    >> "Rafa" wrote in message news:[email protected]
    >>
    >>>Hi Maxim,
    >>>
    >>>I think that's not a problem because the Partition Table (really, the
    >>>sector 0) at the MBR is not encrypted and the filter driver does not
    >>>encrypt/decrypt the accesses to the sector 0.
    >>>
    >>>Besides, the harddisk that I'm talking about has only one primary
    >>>partition. I'm not interested in logic partitions because this is a
    >>>concept-proof driver (at least, for now ;) ).
    >>>
    >>>Maxim S. Shatskih wrote:
    >>>
    >>>> Note: IoReadPartitionTable is not subject to filtering. It ignores
    >>>> the disk
    >>>>upper filters. Possibly this is a bug, but nevertheless it is so.
    >>>>
    >>>>Maxim Shatskih, Windows DDK MVP
    >>>>StorageCraft Corporation
    >>>>[email protected]
    >>>>http://www.storagecraft.com
    >>>>
    >>>>---
    >>>>Questions? First check the Kernel Driver FAQ at
    >>>>http://www.osronline.com/article.cfm?id=256
    >>>>
    >>>>You are currently subscribed to ntdev as: [email protected]
    >>>>To unsubscribe send a blank email to [email protected]
    >>>>
    >>>
    >>>
    >>
    >>
    >>
    >> ---
    >> Questions? First check the Kernel Driver FAQ at
    >> http://www.osronline.com/article.cfm?id=256
    >>
    >> You are currently subscribed to ntdev as: [email protected]
    >> To unsubscribe send a blank email to [email protected]
    >>
    >
    >
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    I know that the problem is in my code, but I am looking for some hint or
    advice from someone that has developed something similar.

    SafeBoot surely works fine, and Secuware, and SafeGuard, ... I know
    that's possible to develop this kind of filter driver. But the problem
    it's that my filter is not working and I'm asking for help in this list
    because I don't know why is failing.

    I have reviewed the list database for similar cases but none is useful
    for me. I have found this thread:
    http://www.osronline.com/lists_archive/ntfsd/thread782.html, whose code
    is very similar to mine. I see that he copies the buffer at
    Irp->MdlAddress to a non paged pool, encrypts/decrypts the pool, and
    then he copies the pool to the buffer. Is this necessary? Cannot work
    with the user buffer at MdlAddress directly?


    Rafa.

    David J. Craig wrote:
    > Did I write "Safe Boot" mode? I put it in quotes as "SafeBoot" as a fairly
    > too subtle hint you should search Google for it. Or maybe just try
    > www.safeboot.com. If you look at that product, which I have no relationship
    > too, you can find your proof of concept. If it works and yours doesn't,
    > then it leads me to believe that the problem is in your code.
    >
    > "Rafa" <[email protected]> wrote in message news:[email protected]
    >
    >>Hi David,
    >>
    >>Do you mean the "Safe Boot" mode? I don't understand how that could be
    >>useful.
    >>
    >>I'm sorry, if I've misunderstood you.
    >>
    >>Oh, when I'm talking about the proof of concept I'm referring to include
    >>very simple cases of partitions. As much, four primary partitions but the
    >>part relative to encryption/decryption must be accomplished.
    >>
    >>In my code, when my driver processes an IRP_MJ_READ or IRP_MJ_WRITE, it
    >>works encrypting/decrypting directly the buffer at Irp->MdlAdress. Is
    >>correct this approach?
    >>
    >>It seems that some kind of writing (reading?), that my filter does not
    >>treat correctly, introduces corruption in the filesystem but I cannot see
    >>why. Any suggestions?
    >>
    >>Thanks in advance,
    >>
    >>Rafa.
    >>
    >>
    >>David J. Craig wrote:
    >>
    >>>Why not just look for "SafeBoot"? That is a good proof of concept as it
    >>>works and has for several years.
    >>>
    >>>"Rafa" <[email protected]> wrote in message news:[email protected]
    >>>
    >>>
    >>>>Hi Maxim,
    >>>>
    >>>>I think that's not a problem because the Partition Table (really, the
    >>>>sector 0) at the MBR is not encrypted and the filter driver does not
    >>>>encrypt/decrypt the accesses to the sector 0.
    >>>>
    >>>>Besides, the harddisk that I'm talking about has only one primary
    >>>>partition. I'm not interested in logic partitions because this is a
    >>>>concept-proof driver (at least, for now ;) ).
    >>>>
    >>>>Maxim S. Shatskih wrote:
    >>>>
    >>>>
    >>>>> Note: IoReadPartitionTable is not subject to filtering. It ignores
    >>>>>the disk
    >>>>>upper filters. Possibly this is a bug, but nevertheless it is so.
    >>>>>
    >>>>>Maxim Shatskih, Windows DDK MVP
    >>>>>StorageCraft Corporation
    >>>>>[email protected]
    >>>>>http://www.storagecraft.com
    >>>>>
    >>>>>---
    >>>>>Questions? First check the Kernel Driver FAQ at
    >>>>>http://www.osronline.com/article.cfm?id=256
    >>>>>
    >>>>>You are currently subscribed to ntdev as: [email protected]
    >>>>>To unsubscribe send a blank email to [email protected]
    >>>>>
    >>>>
    >>>>
    >>>
    >>>
    >>>---
    >>>Questions? First check the Kernel Driver FAQ at
    >>>http://www.osronline.com/article.cfm?id=256
    >>>
    >>>You are currently subscribed to ntdev as: [email protected]
    >>>To unsubscribe send a blank email to [email protected]
    >>>
    >>
    >>
    >
    >
    >
    > ---
    > Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
    >
    > You are currently subscribed to ntdev as: [email protected]
    > To unsubscribe send a blank email to [email protected]
    >
  • David_J._CraigDavid_J._Craig Member Posts: 1,885
    Asking for free advise for something several people depend upon for their
    living might not get many answers. I would suggest you run windbg and trace
    each read/write that comes in. See if the buffer contains plaintext or
    encrypted data at the wrong time. I would add displays at the entry to the
    reads and writes so you can tell what sector is being accessed. Duplicating
    the hard disk and putting it as a slave in the host computer would permit
    you to use winhex to view each sector as it is being accessed on the target
    system. It will also give you a master drive for you to restore from when
    it goes wrong. This is a slow process requiring several days, weeks or
    months until you find the problems. You might also want to use the debug
    version of disk.sys and see what it is requesting.

    P.S. What you want is not a 'proof of concept', but a proof of your ability
    to implement that which others have done. I think it could be if you are
    trying to attach at a new place in the storage stack. Most probably attach
    as a lower filter to disk.sys or that is where I would begin my work since
    after disk.sys it can go to the SCSI or ATAPI stack on most workstations.
    Most will be IDE/ATAPI, but there are some workstations that use SCSI. I
    would like a 15,000 RPM Ultra 320 SCSI system with RAID 1 or, even better
    RAID 5.

    "Rafa" wrote in message news:[email protected]
    >
    > I know that the problem is in my code, but I am looking for some hint or
    > advice from someone that has developed something similar.
    >
    > SafeBoot surely works fine, and Secuware, and SafeGuard, ... I know that's
    > possible to develop this kind of filter driver. But the problem it's that
    > my filter is not working and I'm asking for help in this list because I
    > don't know why is failing.
    >
    > I have reviewed the list database for similar cases but none is useful for
    > me. I have found this thread:
    > http://www.osronline.com/lists_archive/ntfsd/thread782.html, whose code is
    > very similar to mine. I see that he copies the buffer at Irp->MdlAddress
    > to a non paged pool, encrypts/decrypts the pool, and then he copies the
    > pool to the buffer. Is this necessary? Cannot work with the user buffer at
    > MdlAddress directly?
    >
    >
    > Rafa.
    >
    > David J. Craig wrote:
    >> Did I write "Safe Boot" mode? I put it in quotes as "SafeBoot" as a
    >> fairly too subtle hint you should search Google for it. Or maybe just
    >> try www.safeboot.com. If you look at that product, which I have no
    >> relationship too, you can find your proof of concept. If it works and
    >> yours doesn't, then it leads me to believe that the problem is in your
    >> code.
    >>
    >> "Rafa" wrote in message news:[email protected]
    >>
    >>>Hi David,
    >>>
    >>>Do you mean the "Safe Boot" mode? I don't understand how that could be
    >>>useful.
    >>>
    >>>I'm sorry, if I've misunderstood you.
    >>>
    >>>Oh, when I'm talking about the proof of concept I'm referring to include
    >>>very simple cases of partitions. As much, four primary partitions but the
    >>>part relative to encryption/decryption must be accomplished.
    >>>
    >>>In my code, when my driver processes an IRP_MJ_READ or IRP_MJ_WRITE, it
    >>>works encrypting/decrypting directly the buffer at Irp->MdlAdress. Is
    >>>correct this approach?
    >>>
    >>>It seems that some kind of writing (reading?), that my filter does not
    >>>treat correctly, introduces corruption in the filesystem but I cannot see
    >>>why. Any suggestions?
    >>>
    >>>Thanks in advance,
    >>>
    >>>Rafa.
    >>>
    >>>
    >>>David J. Craig wrote:
    >>>
    >>>>Why not just look for "SafeBoot"? That is a good proof of concept as it
    >>>>works and has for several years.
    >>>>
    >>>>"Rafa" wrote in message news:[email protected]
    >>>>
    >>>>
    >>>>>Hi Maxim,
    >>>>>
    >>>>>I think that's not a problem because the Partition Table (really, the
    >>>>>sector 0) at the MBR is not encrypted and the filter driver does not
    >>>>>encrypt/decrypt the accesses to the sector 0.
    >>>>>
    >>>>>Besides, the harddisk that I'm talking about has only one primary
    >>>>>partition. I'm not interested in logic partitions because this is a
    >>>>>concept-proof driver (at least, for now ;) ).
    >>>>>
    >>>>>Maxim S. Shatskih wrote:
    >>>>>
    >>>>>
    >>>>>> Note: IoReadPartitionTable is not subject to filtering. It ignores
    >>>>>> the disk
    >>>>>>upper filters. Possibly this is a bug, but nevertheless it is so.
    >>>>>>
    >>>>>>Maxim Shatskih, Windows DDK MVP
    >>>>>>StorageCraft Corporation
    >>>>>>[email protected]
    >>>>>>http://www.storagecraft.com
    >>>>>>
    >>>>>>---
    >>>>>>Questions? First check the Kernel Driver FAQ at
    >>>>>>http://www.osronline.com/article.cfm?id=256
    >>>>>>
    >>>>>>You are currently subscribed to ntdev as: [email protected]
    >>>>>>To unsubscribe send a blank email to [email protected]
    >>>>>>
    >>>>>
    >>>>>
    >>>>
    >>>>
    >>>>---
    >>>>Questions? First check the Kernel Driver FAQ at
    >>>>http://www.osronline.com/article.cfm?id=256
    >>>>
    >>>>You are currently subscribed to ntdev as: [email protected]
    >>>>To unsubscribe send a blank email to [email protected]
    >>>>
    >>>
    >>>
    >>
    >>
    >>
    >> ---
    >> Questions? First check the Kernel Driver FAQ at
    >> http://www.osronline.com/article.cfm?id=256
    >>
    >> You are currently subscribed to ntdev as: [email protected]
    >> To unsubscribe send a blank email to [email protected]
    >>
    >
    >
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Make a new buffer for the write (then make an MDL for it). Copy callers
    buffer to this new buffer. Encrypt this buffer and not the original caller's
    buffer; you are trashing the caller's data with the encrypted data

    Jamey

    -----Original Message-----
    From: [email protected]
    [mailto:[email protected]] On Behalf Of Rafa
    Sent: Sunday, August 22, 2004 7:47 AM
    To: Windows System Software Devs Interest List
    Subject: Re: [ntdev] Problems with a disk encryption filter driver

    Hi Maxim,

    I think that's not a problem because the Partition Table (really,
    the
    sector 0) at the MBR is not encrypted and the filter driver does not
    encrypt/decrypt the accesses to the sector 0.

    Besides, the harddisk that I'm talking about has only one primary
    partition. I'm not interested in logic partitions because this is a
    concept-proof driver (at least, for now ;) ).

    Maxim S. Shatskih wrote:
    > Note: IoReadPartitionTable is not subject to filtering. It ignores the
    disk
    > upper filters. Possibly this is a bug, but nevertheless it is so.
    >
    > Maxim Shatskih, Windows DDK MVP
    > StorageCraft Corporation
    > [email protected]
    > http://www.storagecraft.com
    >
    > ---
    > Questions? First check the Kernel Driver FAQ at
    http://www.osronline.com/article.cfm?id=256
    >
    > You are currently subscribed to ntdev as: [email protected]
    > To unsubscribe send a blank email to [email protected]
    >


    ---
    Questions? First check the Kernel Driver FAQ at
    http://www.osronline.com/article.cfm?id=256

    You are currently subscribed to ntdev as: [email protected]
    To unsubscribe send a blank email to [email protected]

    __________ NOD32 1.848 (20040820) Information __________

    This message was checked by NOD32 antivirus system.
    http://www.nod32.com
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    It is a buffer problem.

    -----Original Message-----
    From: [email protected]
    [mailto:[email protected]] On Behalf Of David J. Craig
    Sent: Sunday, August 22, 2004 3:40 PM
    To: Windows System Software Devs Interest List
    Subject: Re:[ntdev] Problems with a disk encryption filter driver

    Asking for free advise for something several people depend upon for their
    living might not get many answers. I would suggest you run windbg and trace

    each read/write that comes in. See if the buffer contains plaintext or
    encrypted data at the wrong time. I would add displays at the entry to the
    reads and writes so you can tell what sector is being accessed. Duplicating

    the hard disk and putting it as a slave in the host computer would permit
    you to use winhex to view each sector as it is being accessed on the target
    system. It will also give you a master drive for you to restore from when
    it goes wrong. This is a slow process requiring several days, weeks or
    months until you find the problems. You might also want to use the debug
    version of disk.sys and see what it is requesting.

    P.S. What you want is not a 'proof of concept', but a proof of your ability
    to implement that which others have done. I think it could be if you are
    trying to attach at a new place in the storage stack. Most probably attach
    as a lower filter to disk.sys or that is where I would begin my work since
    after disk.sys it can go to the SCSI or ATAPI stack on most workstations.
    Most will be IDE/ATAPI, but there are some workstations that use SCSI. I
    would like a 15,000 RPM Ultra 320 SCSI system with RAID 1 or, even better
    RAID 5.

    "Rafa" <[email protected]> wrote in message news:[email protected]
    >
    > I know that the problem is in my code, but I am looking for some hint or
    > advice from someone that has developed something similar.
    >
    > SafeBoot surely works fine, and Secuware, and SafeGuard, ... I know that's

    > possible to develop this kind of filter driver. But the problem it's that
    > my filter is not working and I'm asking for help in this list because I
    > don't know why is failing.
    >
    > I have reviewed the list database for similar cases but none is useful for

    > me. I have found this thread:
    > http://www.osronline.com/lists_archive/ntfsd/thread782.html, whose code is

    > very similar to mine. I see that he copies the buffer at Irp->MdlAddress
    > to a non paged pool, encrypts/decrypts the pool, and then he copies the
    > pool to the buffer. Is this necessary? Cannot work with the user buffer at

    > MdlAddress directly?
    >
    >
    > Rafa.
    >
    > David J. Craig wrote:
    >> Did I write "Safe Boot" mode? I put it in quotes as "SafeBoot" as a
    >> fairly too subtle hint you should search Google for it. Or maybe just
    >> try www.safeboot.com. If you look at that product, which I have no
    >> relationship too, you can find your proof of concept. If it works and
    >> yours doesn't, then it leads me to believe that the problem is in your
    >> code.
    >>
    >> "Rafa" <[email protected]> wrote in message news:[email protected]
    >>
    >>>Hi David,
    >>>
    >>>Do you mean the "Safe Boot" mode? I don't understand how that could be
    >>>useful.
    >>>
    >>>I'm sorry, if I've misunderstood you.
    >>>
    >>>Oh, when I'm talking about the proof of concept I'm referring to include
    >>>very simple cases of partitions. As much, four primary partitions but the

    >>>part relative to encryption/decryption must be accomplished.
    >>>
    >>>In my code, when my driver processes an IRP_MJ_READ or IRP_MJ_WRITE, it
    >>>works encrypting/decrypting directly the buffer at Irp->MdlAdress. Is
    >>>correct this approach?
    >>>
    >>>It seems that some kind of writing (reading?), that my filter does not
    >>>treat correctly, introduces corruption in the filesystem but I cannot see

    >>>why. Any suggestions?
    >>>
    >>>Thanks in advance,
    >>>
    >>>Rafa.
    >>>
    >>>
    >>>David J. Craig wrote:
    >>>
    >>>>Why not just look for "SafeBoot"? That is a good proof of concept as it

    >>>>works and has for several years.
    >>>>
    >>>>"Rafa" <[email protected]> wrote in message news:[email protected]
    >>>>
    >>>>
    >>>>>Hi Maxim,
    >>>>>
    >>>>>I think that's not a problem because the Partition Table (really, the
    >>>>>sector 0) at the MBR is not encrypted and the filter driver does not
    >>>>>encrypt/decrypt the accesses to the sector 0.
    >>>>>
    >>>>>Besides, the harddisk that I'm talking about has only one primary
    >>>>>partition. I'm not interested in logic partitions because this is a
    >>>>>concept-proof driver (at least, for now ;) ).
    >>>>>
    >>>>>Maxim S. Shatskih wrote:
    >>>>>
    >>>>>
    >>>>>> Note: IoReadPartitionTable is not subject to filtering. It ignores
    >>>>>> the disk
    >>>>>>upper filters. Possibly this is a bug, but nevertheless it is so.
    >>>>>>
    >>>>>>Maxim Shatskih, Windows DDK MVP
    >>>>>>StorageCraft Corporation
    >>>>>>[email protected]
    >>>>>>http://www.storagecraft.com
    >>>>>>
    >>>>>>---
    >>>>>>Questions? First check the Kernel Driver FAQ at
    >>>>>>http://www.osronline.com/article.cfm?id=256
    >>>>>>
    >>>>>>You are currently subscribed to ntdev as: [email protected]
    >>>>>>To unsubscribe send a blank email to [email protected]
    >>>>>>
    >>>>>
    >>>>>
    >>>>
    >>>>
    >>>>---
    >>>>Questions? First check the Kernel Driver FAQ at
    >>>>http://www.osronline.com/article.cfm?id=256
    >>>>
    >>>>You are currently subscribed to ntdev as: [email protected]
    >>>>To unsubscribe send a blank email to [email protected]
    >>>>
    >>>
    >>>
    >>
    >>
    >>
    >> ---
    >> Questions? First check the Kernel Driver FAQ at
    >> http://www.osronline.com/article.cfm?id=256
    >>
    >> You are currently subscribed to ntdev as: [email protected]
    >> To unsubscribe send a blank email to [email protected]
    >>
    >
    >



    ---
    Questions? First check the Kernel Driver FAQ at
    http://www.osronline.com/article.cfm?id=256

    You are currently subscribed to ntdev as: [email protected]
    To unsubscribe send a blank email to [email protected]

    __________ NOD32 1.848 (20040820) Information __________

    This message was checked by NOD32 antivirus system.
    http://www.nod32.com
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Internals & Software Drivers 30 Nov 2020 LIVE ONLINE
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Developing Minifilters Early 2021 LIVE ONLINE