Memory mapped I/O in minifilter driver

Hello Folks,

I am working on an on-the-fly encryption/decryption minifilter driver and am facing the very popular memory-mapped file I/O issue for notepad.exe. I went through almost all
posts on NTFSD about this and did not get an exact solution for this issue.

As per my understanding, I am encrypting data in the PreWrite callback only if the IRP_NOCACHE flag is present and decrypting it in the PostRead or PostReadWhenSafe callback only if the IRP_PAGING_IO flag is present. This sometimes works and sometimes does not work with notepad.
In Process Monitor logs, I see an IRP_MJ_READ request, and the same IRP_MJ_READ operation gets triggered in my minifilter. But this operation does not contain the IRP_PAGING_IO flag, so I don’t decrypt it. But later I see an IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION operation by notepad. I understood that a minifilter can’t track data read from the cache. But what I am expecting is that, to map or cache file data, one has to get it from the actual file first, and from then on it will be used from the cache. My question is why I can’t see that first read operation (which is to cache data from the file), or is it that it is not compulsory to have the IRP_PAGING_IO flag when data from the file gets cached?

I know this is a very popular problem and a lot has been discussed about it on this list. But I tried my best and made some progress. Please help me understand the above issue.

Thanks.

This is my first attempt to reply to a question, so a simple “no, man, stop
helping” will suffice if this answer sucks.

> In process monitor logs, i see IRP_MJ_READ request and the same
> IRP_MJ_READ operation gets triggered in my minifilter.

Does the IRP_MJ_READ come from Notepad? One can imagine Notepad opening
the file and having someone else see the open and do their own open,
perhaps to scan the file. If that happens, the file data could be cached
before Notepad tries its first read.

> what i am expecting is, to map or cache file data one has to get it from
> actual file first and then onwards it will be used from cache.

Someone has to cache it, that is true. But there is no rule that Notepad
has to be the one that cached it, nor that Notepad can only read data that
Notepad has cached. Even if nobody else saw Notepad’s open and read ahead
of Notepad, it may still be in the cache from when it was originally
created. If you run a program to create the file, close the file, then
exit that program, the data could be cached from the creation unless the
creator took steps to avoid the cache. In that case, Notepad could see the
data left over from the creation.

You may be assuming that if Notepad opens the file then nobody else will
read the file between Notepad’s open and read. I think this is not right
in this particular case; it is not generally right. Even if it is right,
you may be assuming that the data is not in cache from some previous
operation that is completely independent of Notepad. One could imagine
something like indexer loading the file (although I don’t know whether
indexer takes care to avoid polluting the cache, so take my reference to
indexer as an example that may not reflect what could actually happen), in
which case the data would be cached with no action from Notepad.

That’s the best I got. Let the downvoting begin. :wink:

On Thu, Aug 30, 2018 at 9:04 AM, xxxxx@gmail.com wrote:

> Hello Folks,
>
> I am working on on-the fly encryption/decryption minifilter driver and
> facing very popular memory mapped file IO issue for notepad.exe. I went
> through almost all
> posts on NTFSD about this and did not get exact solution for solving this
> issue.
>
> As per my understanding, I am encrypting data in PreWrite callback only if
> IRP_NOCACHE flag is present and decrypting it in PostRead or
> PostReadWhenSafe callback only if IRP_PAGING_IO flag is present. This
> sometimes works and sometimes does not work with notepad.
> In process monitor logs, i see IRP_MJ_READ request and the same
> IRP_MJ_READ operation gets triggered in my minifilter. But this operation
> does not contain IRP_PAGING_IO flag so i don’t decrypt it. But later i see
> IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION operation by notepad. I
> understood that minifilter can’t track data read from cache. But what i am
> expecting is, to map or cache file data one has to get it from actual file
> first and then onwards it will be used from cache. My question is why i
> can’t see that first read operation (which is to cache data from file) or
> is it something that its not compulsory to have IRP_PAGING_IO flag when
> data from file gets cached?
>
> I know this is very popular problem and lot has been discussed about this
> on this list. But i tried my best and made some progress. Please help me to
> understand above issue.
>
> Thanks.

Take a look at http://www.osronline.com/article.cfm?article=17 from Q56:

For a file system filter driver that wishes to modify the data in some way,
it is important to keep in mind the use of that memory. For example, a
traditional mistake for an encryption filter is to trap the IRP_MJ_WRITE
where the IRP_NOCACHE bit is set (which catches both user non-cached I/O as
well as paging I/O) and, using the provided MDL or user buffer, encrypt the
data in-place. The risk here is that some other thread will gain access to
that memory in its encrypted state. For example, if the file is memory
mapped, the application will observe the modified data, rather than the
original, cleartext data. Thus, there are a few rules that need to be
observed by file system filter drivers that choose to modify the data
buffers associated with a given IRP

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

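The rules quoted above, together with the PreWrite/PostRead flag logic from the original question, as an added illustration in C (my own model, not code from this thread or from any driver): a toy XOR stands in for the cipher, a plain byte array stands in for the MDL or user buffer, and the two pre-write variants show why encrypting the caller's buffer in place leaks ciphertext into a mapped view while a filter-owned copy does not.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* IRP->Flags bits as defined in wdm.h. */
#define IRP_NOCACHE   0x00000001u
#define IRP_PAGING_IO 0x00000002u
/* Toy XOR stands in for the real cipher (constructed, not secure). */
static void toy_xor(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}

/* The filter's decision, as in the original question: non-cached writes carry
 * data going to disk; paging reads bring ciphertext up from disk. */
int should_encrypt_write(uint32_t irp_flags) { return (irp_flags & IRP_NOCACHE) != 0; }
int should_decrypt_read(uint32_t irp_flags)  { return (irp_flags & IRP_PAGING_IO) != 0; }

/* The FAQ's mistake: encrypt the caller's buffer in place. If that buffer is a
 * mapped view or a cache page, every other reader of the page now sees ciphertext. */
void pre_write_in_place(uint8_t *caller_buf, size_t len, uint32_t irp_flags, uint8_t key) {
    if (should_encrypt_write(irp_flags)) toy_xor(caller_buf, len, key);
}

/* The safe pattern: copy into a filter-owned buffer, encrypt the copy, and send
 * the copy down (a real minifilter swaps the MDL/buffer and restores it in post-write).
 * The caller's buffer is never touched; the returned buffer is freed by the caller. */
uint8_t *pre_write_swap_buffer(const uint8_t *caller_buf, size_t len, uint32_t irp_flags, uint8_t key) {
    uint8_t *lower = malloc(len);
    if (lower == NULL) return NULL;
    memcpy(lower, caller_buf, len);
    if (should_encrypt_write(irp_flags)) toy_xor(lower, len, key);
    return lower;
}
/* Constructed scenario: a mapped-file flush (paging write, non-cached) of one "page". */
int in_place_corrupts_view(void) {
    uint8_t view[16] = "cleartext-page!", saved[16];
    memcpy(saved, view, sizeof view);
    pre_write_in_place(view, sizeof view, IRP_NOCACHE | IRP_PAGING_IO, 0x5A);
    return memcmp(view, saved, sizeof view) != 0;   /* 1: the view now holds ciphertext */
}
int swap_keeps_view_cleartext(void) {
    uint8_t view[16] = "cleartext-page!", saved[16];
    memcpy(saved, view, sizeof view);
    uint8_t *lower = pre_write_swap_buffer(view, sizeof view, IRP_NOCACHE | IRP_PAGING_IO, 0x5A);
    int ok = lower != NULL && memcmp(view, saved, sizeof view) == 0
             && memcmp(lower, saved, sizeof view) != 0;  /* view intact, copy encrypted */
    free(lower);
    return ok;
}
```

The same discipline applies on the read side: decrypt into the buffer the paging read will complete into, never into a page that another mapping may already be observing.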

You should make sure no other process accesses the file before what you
think is the first access.

Pete

Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
