Problems with a disk encryption filter driver

Hi all,

I am developing a filter driver for xp. It encrypts/decrypts the whole
disk except the MBR.

My filter driver is an upper filter over the DiskDrive and FloppyDisk
devices, with SERVICE_BOOT_START StartType.

First, I have tested the driver with the floppy device and it works
perfectly :smiley:

Then, I installed the driver attaching it, additionally, to the
harddisk device and rebooted the machine.

At boot, the MBR loads two sectors (not encrypted) containing some code
that hooks int 13h. This code processes CHS and LBA reads, decrypting
the resulting buffers. Writes are not allowed.

Additionally, in the first boot, this code (the-two-sectors-code)
encrypts the whole disk except the MBR. Then, it loads the boot sector
and jumps to this code (boot sector code). Now, the boot sector will
continue loading the needed sectors and the int 13h will decrypt them
transparently.

Windows XP boots and shows the login screen. I log in to the session and
the “new hardware wizard” appears saying something about new hardware
found ¿?. Then, it says that the new hardware is configured and that it
is necessary to reboot the system.

In the next boot (and the next, …), there is around an 80% chance that
scandisk appears due to coherency problems in the filesystem.

Why? I suppose that these two weird things (new hardware and coherency
problem) arise because of some data corruption in the reads/writes to
the disk. I am lost. I’ve reviewed the code but this is my first driver
and all seems ok, at least to me :slight_smile:

I am including the code related to IRP_MJ_READ and IRP_MJ_WRITE
processing and the encryption procedure (a simple dword xor) but if someone
needs more info, please, ask me:

<------------------------------------------------------------------------------->

//
// FCifradorReadWrite
//
NTSTATUS
FCifradorReadWrite(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PIO_STACK_LOCATION IrpS = IoGetCurrentIrpStackLocation (Irp);
    PIO_STACK_LOCATION NextIrpS = IoGetNextIrpStackLocation (Irp);
    PDEVICE_EXTENSION deviceExtension;
    BOOLEAN enter = TRUE;
    PUCHAR address;
    PMDL ptr;

    deviceExtension = (PDEVICE_EXTENSION) DeviceObject->DeviceExtension;

    // IRP_MJ_WRITE -> Cipher (in place, in the caller's own buffer)
    if ((IrpS->MajorFunction == IRP_MJ_WRITE) && IrpS->Parameters.Write.Length)
    {
        for (ptr = Irp->MdlAddress; ptr != NULL; ptr = ptr->Next)
        {
            address = MmGetSystemAddressForMdlSafe (ptr, HighPagePriority);

            // The pages couldn't be mapped
            if (address == NULL)
            {
                DbgPrint("filtro_cifrador: FCifradorReadWrite - No pudo mapearse MdlAddress.\n");

                // The IRP must be completed before an error is returned
                Irp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
                Irp->IoStatus.Information = 0;
                IoCompleteRequest (Irp, IO_NO_INCREMENT);
                return STATUS_INSUFFICIENT_RESOURCES;
            }

            // The sector 0 (MBR) must not be ciphered
            if (enter && ((IrpS->Parameters.Write.ByteOffset.QuadPart / 512) == 0))
            {
                enter = FALSE;
                FCifradorCipher (address + 512, MmGetMdlByteCount (ptr) - 512);
            }
            else
            {
                FCifradorCipher (address, MmGetMdlByteCount (ptr));
            }
        }
    }

    //
    // Copy current stack to next stack.
    //
    *NextIrpS = *IrpS;

    // Add the completion routine
    IoSetCompletionRoutine (Irp, FCifradorCompletion, DeviceObject, TRUE,
                            TRUE, TRUE);

    //
    // Return the results of the call to the disk driver.
    //
    return IoCallDriver(deviceExtension->TargetDeviceObject, Irp);
}

//
// FCifradorCompletion
//
NTSTATUS
FCifradorCompletion(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    )
{
    PIO_STACK_LOCATION IrpS = IoGetCurrentIrpStackLocation (Irp);
    BOOLEAN enter = TRUE;
    PUCHAR address;
    PMDL ptr;

    UNREFERENCED_PARAMETER (Context);

    // Check the PendingReturned flag first, so that the early returns
    // below do not skip it
    if (Irp->PendingReturned)
    {
        IoMarkIrpPending(Irp);
    }

    // Process the IRP
    if (IrpS->MajorFunction == IRP_MJ_READ)
    {
        if (IrpS->Parameters.Read.Length)
        {
            for (ptr = Irp->MdlAddress; ptr != NULL; ptr = ptr->Next)
            {
                address = MmGetSystemAddressForMdlSafe (ptr, HighPagePriority);

                // The pages couldn't be mapped
                if (address == NULL)
                    return STATUS_INSUFFICIENT_RESOURCES;

                // The sector 0 (MBR) must not be deciphered
                if (enter && ((IrpS->Parameters.Read.ByteOffset.QuadPart / 512) == 0))
                {
                    enter = FALSE;
                    FCifradorCipher (address + 512, MmGetMdlByteCount (ptr) - 512);
                }
                else
                {
                    FCifradorCipher (address, MmGetMdlByteCount (ptr));
                }
            }
        }
    }
    else // IRP_MJ_WRITE: undo the in-place ciphering done in the dispatch routine
    {
        if (IrpS->Parameters.Write.Length)
        {
            for (ptr = Irp->MdlAddress; ptr != NULL; ptr = ptr->Next)
            {
                address = MmGetSystemAddressForMdlSafe (ptr, HighPagePriority);

                // The pages couldn't be mapped
                if (address == NULL)
                    return STATUS_INSUFFICIENT_RESOURCES;

                // The sector 0 (MBR) must not be deciphered
                if (enter && ((IrpS->Parameters.Write.ByteOffset.QuadPart / 512) == 0))
                {
                    enter = FALSE;
                    FCifradorCipher (address + 512, MmGetMdlByteCount (ptr) - 512);
                }
                else
                {
                    FCifradorCipher (address, MmGetMdlByteCount (ptr));
                }
            }
        }
    }

    return STATUS_SUCCESS;
}

//
// FCifradorCipher
//
VOID
FCifradorCipher (
    IN PUCHAR address,
    IN ULONG bytes
    )
{
    ULONG i;
    DWORD t;

    if (bytes == 0)
        return;

    // XOR one dword with 0x01020304
    for (i = 0; i < bytes; i += 4)
    {
        t = 0x00000000;
        t = address[i + 3];
        t = (t << 8) | address[i + 2];
        t = (t << 8) | address[i + 1];
        t = (t << 8) | address[i];
        t ^= 0x01020304;

        address[i] = (BYTE) t;
        address[i + 1] = (BYTE) (t >> 8);
        address[i + 2] = (BYTE) (t >> 16);
        address[i + 3] = (BYTE) (t >> 24);
    }

    return;
}

<------------------------------------------------------------------------------->

Thanks in advance,

Rafa.

Note: IoReadPartitionTable is not subject to filtering. It ignores the disk
upper filters. Possibly this is a bug, but nevertheless it is so.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Rafa”
To: “Windows System Software Devs Interest List”
Sent: Sunday, August 22, 2004 6:19 PM
Subject: [ntdev] Problems with a disk encryption filter driver

> Hi all,
>
> I am developing a filter driver for xp. It encrypts/decrypts the whole
> disk except the MBR.

Hi Maxim,

I think that’s not a problem because the Partition Table (really, the
sector 0) at the MBR is not encrypted and the filter driver does not
encrypt/decrypt the accesses to the sector 0.

Besides, the harddisk that I’m talking about has only one primary
partition. I’m not interested in logical partitions because this is a
proof-of-concept driver (at least, for now :wink: ).



Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@dilmun.ls.fi.upm.es
To unsubscribe send a blank email to xxxxx@lists.osr.com

Why not just look for “SafeBoot”? That is a good proof of concept as it
works and has for several years.


Hi David,

Do you mean the “Safe Boot” mode? I don’t understand how that could be
useful.

I’m sorry, if I’ve misunderstood you.

Oh, when I’m talking about the proof of concept I’m referring to
including only very simple cases of partitions. At most, four primary
partitions, but the part related to encryption/decryption must be
accomplished.

In my code, when my driver processes an IRP_MJ_READ or IRP_MJ_WRITE, it
works by encrypting/decrypting the buffer at Irp->MdlAddress directly. Is
this approach correct?

It seems that some kind of writing (reading?), that my filter does not
treat correctly, introduces corruption in the filesystem but I cannot
see why. Any suggestions?

Thanks in advance,

Rafa.


Did I write “Safe Boot” mode? I put it in quotes as “SafeBoot” as a fairly
too subtle hint you should search Google for it. Or maybe just try
www.safeboot.com. If you look at that product, which I have no relationship
to, you can find your proof of concept. If it works and yours doesn’t,
then it leads me to believe that the problem is in your code.


I know that the problem is in my code, but I am looking for some hint or
advice from someone that has developed something similar.

SafeBoot surely works fine, and Secuware, and SafeGuard, … I know
that it’s possible to develop this kind of filter driver. But the problem
is that my filter is not working and I’m asking for help in this list
because I don’t know why it is failing.

I have reviewed the list database for similar cases but none is useful
for me. I have found this thread:
http://www.osronline.com/lists_archive/ntfsd/thread782.html, whose code
is very similar to mine. I see that he copies the buffer at
Irp->MdlAddress to a non paged pool, encrypts/decrypts the pool, and
then he copies the pool to the buffer. Is this necessary? Can’t I work
with the user buffer at MdlAddress directly?

Rafa.


Asking for free advice for something several people depend upon for their
living might not get many answers. I would suggest you run windbg and trace
each read/write that comes in. See if the buffer contains plaintext or
encrypted data at the wrong time. I would add displays at the entry to the
reads and writes so you can tell what sector is being accessed. Duplicating
the hard disk and putting it as a slave in the host computer would permit
you to use winhex to view each sector as it is being accessed on the target
system. It will also give you a master drive for you to restore from when
it goes wrong. This is a slow process requiring several days, weeks or
months until you find the problems. You might also want to use the debug
version of disk.sys and see what it is requesting.

P.S. What you want is not a ‘proof of concept’, but a proof of your ability
to implement that which others have done. I think it could be if you are
trying to attach at a new place in the storage stack. Most probably attach
as a lower filter to disk.sys or that is where I would begin my work since
after disk.sys it can go to the SCSI or ATAPI stack on most workstations.
Most will be IDE/ATAPI, but there are some workstations that use SCSI. I
would like a 15,000 RPM Ultra 320 SCSI system with RAID 1 or, even better
RAID 5.


Make a new buffer for the write (then make an MDL for it). Copy the caller’s
buffer to this new buffer. Encrypt this buffer and not the original caller’s
buffer; you are trashing the caller’s data with the encrypted data.

Jamey
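
The advice in the reply above, modelled in user-mode C as an added example that is not part of the original thread and is not driver code: `disk[]`, the observer callback and every function name are constructed stand-ins, with the observer representing any other code that reads the caller's pages while the write is in flight. It compares the posted in-place approach with the copy-then-cipher approach and keeps the sector 0 exemption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECTOR 512u

/* Constructed stand-ins: disk[] is the media; an observer models any other
   code that reads the caller's pages while the write is still in flight. */
static uint8_t disk[8 * SECTOR];
typedef void (*observer_fn)(const uint8_t *caller_buf, size_t len, void *ctx);
struct probe  { const uint8_t *expect; int saw_plaintext; };
struct result { int observer_saw_plaintext, disk_is_ciphered, mbr_left_plain; };

/* Same transform as the posted FCifradorCipher (dword XOR 0x01020304). */
static void xor_cipher(uint8_t *p, size_t len)
{
    static const uint8_t key[4] = { 0x04, 0x03, 0x02, 0x01 };  /* little-endian */
    for (size_t i = 0; i < len; i++)
        p[i] ^= key[i & 3];
}

/* Only whole, in-range sectors are accepted. */
static int request_ok(uint64_t off, size_t len)
{
    return len && off % SECTOR == 0 && len % SECTOR == 0 &&
           off + len <= sizeof disk;
}

/* Cipher a sector-aligned range but leave sector 0 (the MBR) alone. */
static void cipher_range(uint8_t *buf, uint64_t off, size_t len)
{
    size_t skip = (off == 0) ? SECTOR : 0;
    xor_cipher(buf + skip, len - skip);
}

/* Model of the lower driver: the observer runs before the data lands. */
static void lower_write(uint64_t off, const uint8_t *data, size_t len,
                        const uint8_t *caller_buf, observer_fn obs, void *ctx)
{
    if (obs) obs(caller_buf, len, ctx);
    memcpy(disk + off, data, len);
}

/* Posted approach: cipher the caller's buffer, write, undo on completion. */
int write_in_place(uint64_t off, uint8_t *caller_buf, size_t len,
                   observer_fn obs, void *ctx)
{
    if (!request_ok(off, len)) return -1;
    cipher_range(caller_buf, off, len);
    lower_write(off, caller_buf, len, caller_buf, obs, ctx);
    cipher_range(caller_buf, off, len);
    return 0;
}

/* Advice from the thread: copy, cipher the copy, write the copy. */
int write_shadow(uint64_t off, const uint8_t *caller_buf, size_t len,
                 observer_fn obs, void *ctx)
{
    uint8_t *shadow = request_ok(off, len) ? malloc(len) : NULL;
    if (shadow == NULL) return -1;      /* caller's data is still untouched */
    memcpy(shadow, caller_buf, len);
    cipher_range(shadow, off, len);
    lower_write(off, shadow, len, caller_buf, obs, ctx);
    free(shadow);
    return 0;
}

static void probe_cb(const uint8_t *buf, size_t len, void *ctx)
{
    struct probe *p = ctx;
    p->saw_plaintext = (memcmp(buf, p->expect, len) == 0);
}

/* Write two sectors at offset 0 and report what the observer and disk saw. */
struct result run_write(int use_shadow)
{
    uint8_t plain[2 * SECTOR], buf[2 * SECTOR];
    struct probe p = { plain, -1 };
    struct result r = { -1, -1, -1 };
    int rc;
    for (size_t i = 0; i < sizeof plain; i++) plain[i] = (uint8_t)(i * 7 + 1);
    memcpy(buf, plain, sizeof buf);     /* constructed sample data */
    rc = use_shadow ? write_shadow(0, buf, sizeof buf, probe_cb, &p)
                    : write_in_place(0, buf, sizeof buf, probe_cb, &p);
    if (rc != 0) return r;
    r.observer_saw_plaintext = p.saw_plaintext;
    r.disk_is_ciphered = memcmp(disk + SECTOR, plain + SECTOR, SECTOR) != 0;
    r.mbr_left_plain = memcmp(disk, plain, SECTOR) == 0;
    return r;
}

int main(void)
{
    struct result a = run_write(0), b = run_write(1);
    printf("in-place: observer saw plaintext=%d\n", a.observer_saw_plaintext);
    printf("shadow:   observer saw plaintext=%d\n", b.observer_saw_plaintext);
    return 0;
}
```

Both variants leave the same bytes on the model disk; they differ only in what the caller's buffer contains while the request is outstanding.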

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rafa
Sent: Sunday, August 22, 2004 7:47 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Problems with a disk encryption filter driver

Hi Maxim,

I think that’s not a problem because the Partition Table (really, the
sector 0) at the MBR is not encrypted and the filter driver does not
encrypt/decrypt the accesses to the sector 0.

Besides, the harddisk that I’m talking about has only one primary
partition. I’m not interested in logical partitions because this is a
proof-of-concept driver (at least, for now :wink: ).


It is a buffer problem.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of David J. Craig
Sent: Sunday, August 22, 2004 3:40 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Problems with a disk encryption filter driver

Asking for free advice for something several people depend upon for their
living might not get many answers. I would suggest you run windbg and trace
each read/write that comes in. See if the buffer contains plaintext or
encrypted data at the wrong time. I would add displays at the entry to the
reads and writes so you can tell what sector is being accessed. Duplicating
the hard disk and putting it as a slave in the host computer would permit
you to use winhex to view each sector as it is being accessed on the target
system. It will also give you a master drive for you to restore from when
it goes wrong. This is a slow process requiring several days, weeks or
months until you find the problems. You might also want to use the debug
version of disk.sys and see what it is requesting.

P.S. What you want is not a ‘proof of concept’, but a proof of your ability
to implement that which others have done. I think it could be if you are
trying to attach at a new place in the storage stack. Most probably attach
as a lower filter to disk.sys or that is where I would begin my work since
after disk.sys it can go to the SCSI or ATAPI stack on most workstations.
Most will be IDE/ATAPI, but there are some workstations that use SCSI. I
would like a 15,000 RPM Ultra 320 SCSI system with RAID 1 or, even better
RAID 5.
