Memory mapped I/O in minifilter driver

Rohit_Magdum Member Posts: 11
Hello Folks,

I am working on an on-the-fly encryption/decryption minifilter driver and facing the very popular memory-mapped file I/O issue for notepad.exe. I went through almost all posts on NTFSD about this and did not get an exact solution for solving this issue.

As per my understanding, I am encrypting data in the PreWrite callback only if the IRP_NOCACHE flag is present and decrypting it in the PostRead or PostReadWhenSafe callback only if the IRP_PAGING_IO flag is present. This sometimes works and sometimes does not work with Notepad.
In Process Monitor logs, I see an IRP_MJ_READ request, and the same IRP_MJ_READ operation gets triggered in my minifilter. But this operation does not contain the IRP_PAGING_IO flag, so I don't decrypt it. But later I see an IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION operation by Notepad. I understood that a minifilter can't track data read from the cache. But what I am expecting is that, to map or cache file data, one has to get it from the actual file first, and from then on it will be used from the cache. My question is why I can't see that first read operation (which is to cache data from the file), or is it that it's not compulsory to have the IRP_PAGING_IO flag when data from the file gets cached?

I know this is a very popular problem and a lot has been discussed about this on this list. But I tried my best and made some progress. Please help me to understand the above issue.

Thanks.

Comments

  • Mike_Boucher Member Posts: 13
    This is my first attempt to reply to a question, so a simple "no, man, stop
    helping" will suffice if this answer sucks.

    >In Process Monitor logs, I see an IRP_MJ_READ request and the same
    IRP_MJ_READ operation gets triggered in my minifilter.

    Does the IRP_MJ_READ come from Notepad? One can imagine Notepad opening
    the file and having someone else see the open and do their own open,
    perhaps to scan the file. If that happens, the file data could be cached
    before Notepad tries its first read.

    >what I am expecting is, to map or cache file data one has to get it from
    the actual file first and from then on it will be used from the cache.

    Someone has to cache it, that is true. But there is no rule that Notepad
    has to be the one that cached it, nor that Notepad can only read data that
    Notepad has cached. Even if nobody else saw Notepad's open and read ahead
    of Notepad, it may still be in the cache from when it was originally
    created. If you run a program to create the file, close the file, then
    exit that program, the data could be cached from the creation unless the
    creator took steps to avoid the cache. In that case, Notepad could see the
    data left over from the creation.

    You may be assuming that if Notepad opens the file then nobody else will
    read the file between Notepad's open and read. I think this is not right
    in this particular case; it is not generally right. Even if it is right,
    you may be assuming that the data is not in cache from some previous
    operation that is completely independent of Notepad. One could imagine
    something like indexer loading the file (although I don't know whether
    indexer takes care to avoid polluting the cache, so take my reference to
    indexer as an example that may not reflect what could actually happen), in
    which case the data would be cached with no action from Notepad.

    That's the best I got. Let the downvoting begin. ;-)

  • Don_Burn Member Posts: 1,707
    Take a look at http://www.osronline.com/article.cfm?article=17 from Q56:

    For a file system filter driver that wishes to modify the data in some way,
    it is important to keep in mind the use of that memory. For example, a
    traditional mistake for an encryption filter is to trap the IRP_MJ_WRITE
    where the IRP_NOCACHE bit is set (which catches both user non-cached I/O as
    well as paging I/O) and, using the provided MDL or user buffer, encrypt the
    data in-place. The risk here is that some other thread will gain access to
    that memory in its encrypted state. For example, if the file is memory
    mapped, the application will observe the modified data, rather than the
    original, cleartext data. Thus, there are a few rules that need to be
    observed by file system filter drivers that choose to modify the data
    buffers associated with a given IRP


    Don Burn
    Windows Driver Consulting
    Website: http://www.windrvr.com


    -----Original Message-----
    From: [email protected]
    [mailto:[email protected]] On Behalf Of
    [email protected]
    Sent: Thursday, August 30, 2018 11:04 AM
    To: Windows File Systems Devs Interest List <[email protected]>
    Subject: [ntfsd] Memory mapped I/O in minifilter driver
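    The in-place mistake described in the FAQ paragraph above, modelled as an added user-mode example (not OSR's or any filter's code): one cache page is shared by a memory-mapped view and the paging write that flushes it, and the page size, the XOR "cipher" and the sample text are constructed placeholders.

    ```c
    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>

    /* Toy model of the hazard in the FAQ text (added example, not OSR's code):
       one cache page is shared between an application's memory-mapped view and
       the paging write that flushes it to disk. PAGE and the XOR "cipher" are
       placeholders; a real filter would use a real cipher and the IRP's MDL. */
    #define PAGE 16
    static const uint8_t KEY = 0x5A;
    static const char CLEAR[PAGE] = "hello, notepad!";   /* constructed data */

    static void xor_buf(uint8_t *dst, const uint8_t *src, size_t n) {
        for (size_t i = 0; i < n; i++) dst[i] = src[i] ^ KEY;
    }

    /* The traditional mistake: encrypt in place in the caller's buffer, which is
       the very page backing the mapped section, then hand it to the disk. */
    static void write_in_place(uint8_t *page, uint8_t *disk) {
        xor_buf(page, page, PAGE);
        memcpy(disk, page, PAGE);
    }

    /* The rule the FAQ leads into: never touch the caller's buffer; encrypt into
       a filter-owned shadow buffer and send that down instead. */
    static void write_shadow(const uint8_t *page, uint8_t *disk) {
        uint8_t shadow[PAGE];
        xor_buf(shadow, page, PAGE);
        memcpy(disk, shadow, PAGE);
    }

    /* Flush the page with one of the two strategies and inspect the outcome.
       Returns 0: disk holds ciphertext and the mapped view still shows cleartext;
               1: the mapped view now exposes ciphertext (the FAQ's failure mode);
              -1: the disk copy was not encrypted at all. */
    int simulate_flush(int in_place) {
        uint8_t page[PAGE], disk[PAGE], expect[PAGE];
        memcpy(page, CLEAR, PAGE);
        xor_buf(expect, (const uint8_t *)CLEAR, PAGE);
        if (in_place) write_in_place(page, disk); else write_shadow(page, disk);
        if (memcmp(disk, expect, PAGE) != 0) return -1;
        return memcmp(page, CLEAR, PAGE) == 0 ? 0 : 1;
    }

    int main(void) {
        printf("in-place: %d, shadow buffer: %d\n",
               simulate_flush(1), simulate_flush(0));
        return 0;
    }
    ```

    The same pattern applies to the read side: decrypt into the filter's own buffer, or at least only into buffers the filter knows no other thread or mapped view can observe mid-operation.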
  • Peter_Scott Member Posts: 749
    You should make sure no other process accesses the file before what you
    think is the first access.

    Pete

    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295

