2K Filter Driver Encrypted Data Written Twice

NTFSD
1

I have developed a Windows 2000 filter driver which does all of its
functions correctly except for when it is suppose to encrypt the data
being written to the “filtered” drive.

The driver intercepts the MajorFunction[IRP_MJ_WRITE], when it determines
that encryption is needed, it allocates its own data buffer from the non-
paged pool, copies the user data to this buffer, performs the encryption,
updates the IRP to use this buffer, sets a completion routine, and passes
the IRP down via IoCallDriver. Then, when the completion routine is
called, it frees the data buffer that it allocated for writing the
encrypted data, and restores the IRP UserBuffer and MdlAddress values with
the original ones which it had saved off.

This all seems to work just fine, but somehow the OS knows I have mucked
with the user data and sends another IRP for the exact same portion of
file data, but this time it sends me a copy of the encrypted data which I
just got done writing!

How do I prevent the OS from doing this multiple write when I am trying to
do data encryption?

Thanks,
Doug

2

The second time around, you’re probably seeing the “paging” Writes the Cache
Manager issues when it is ready to write cached user data to disk. Look at
these flags in your Write IRP handler:

// if this is Paging I/O …
if ((irp->Flags & (IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO))

On the first Write (when you do the encryption), the data you sent down to
the file system is usually just handed off to the Cache Manager – it
doesn’t go straight to disk unless the file is deliberately opened in “write
through” mode. A few seconds later, you’ll see the second Write for the
same data (with one of the PAGING flags set), which tells the file system to
write this data to the disk – and in that Irp, you’ll see your encrypted
data going by, again.

  • Dale.

-----Original Message-----
From: Doug Fetter [mailto:xxxxx@software-wizardry.com]
Sent: Friday, August 09, 2002 1:38 PM
To: File Systems Developers
Subject: [ntfsd] 2K Filter Driver Encrypted Data Written Twice

I have developed a Windows 2000 filter driver which does all of its
functions correctly except for when it is suppose to encrypt the data
being written to the “filtered” drive.

The driver intercepts the MajorFunction[IRP_MJ_WRITE], when it determines
that encryption is needed, it allocates its own data buffer from the non-
paged pool, copies the user data to this buffer, performs the encryption,
updates the IRP to use this buffer, sets a completion routine, and passes
the IRP down via IoCallDriver. Then, when the completion routine is
called, it frees the data buffer that it allocated for writing the
encrypted data, and restores the IRP UserBuffer and MdlAddress values with
the original ones which it had saved off.

This all seems to work just fine, but somehow the OS knows I have mucked
with the user data and sends another IRP for the exact same portion of
file data, but this time it sends me a copy of the encrypted data which I
just got done writing!

How do I prevent the OS from doing this multiple write when I am trying to
do data encryption?

Thanks,
Doug

You are currently subscribed to ntfsd as: xxxxx@veritas.com
To unsubscribe send a blank email to %%email.unsub%%

3

You can NOT keep encrypted data in the cache. Don’t try it! There are
requests that can be done from ring 3 - application land - that will permit
direct access to the cache buffers created by the cache manager/virtual
memory manager. You, as a file system filter, do not get to see those
requests.

You must only encrypt/decrypt if it is a paging IO or a non-cached request.

----- Original Message -----
From: “Dale Cardin”
To: “File Systems Developers”
Sent: Friday, August 09, 2002 5:34 PM
Subject: [ntfsd] RE: 2K Filter Driver Encrypted Data Written Twice

> The second time around, you’re probably seeing the “paging” Writes the
Cache
> Manager issues when it is ready to write cached user data to disk. Look
at
> these flags in your Write IRP handler:
>
> // if this is Paging I/O …
> if ((irp->Flags & (IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO))
>
> On the first Write (when you do the encryption), the data you sent down to
> the file system is usually just handed off to the Cache Manager – it
> doesn’t go straight to disk unless the file is deliberately opened in
“write
> through” mode. A few seconds later, you’ll see the second Write for the
> same data (with one of the PAGING flags set), which tells the file system
to
> write this data to the disk – and in that Irp, you’ll see your encrypted
> data going by, again.
>
> - Dale.
>
>
> -----Original Message-----
> From: Doug Fetter [mailto:xxxxx@software-wizardry.com]
> Sent: Friday, August 09, 2002 1:38 PM
> To: File Systems Developers
> Subject: [ntfsd] 2K Filter Driver Encrypted Data Written Twice
>
>
> I have developed a Windows 2000 filter driver which does all of its
> functions correctly except for when it is suppose to encrypt the data
> being written to the “filtered” drive.
>
> The driver intercepts the MajorFunction[IRP_MJ_WRITE], when it determines
> that encryption is needed, it allocates its own data buffer from the non-
> paged pool, copies the user data to this buffer, performs the encryption,
> updates the IRP to use this buffer, sets a completion routine, and passes
> the IRP down via IoCallDriver. Then, when the completion routine is
> called, it frees the data buffer that it allocated for writing the
> encrypted data, and restores the IRP UserBuffer and MdlAddress values with
> the original ones which it had saved off.
>
> This all seems to work just fine, but somehow the OS knows I have mucked
> with the user data and sends another IRP for the exact same portion of
> file data, but this time it sends me a copy of the encrypted data which I
> just got done writing!
>
> How do I prevent the OS from doing this multiple write when I am trying to
> do data encryption?
>
> Thanks,
> Doug
>
> —
> You are currently subscribed to ntfsd as: xxxxx@veritas.com
> To unsubscribe send a blank email to %%email.unsub%%
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@yoshimuni.com
> To unsubscribe send a blank email to %%email.unsub%%

4

The OS is certainly not doing that. Re-check your code, to make sure you
are making correct decision based on IRP flags

Doug Fetter wrote:

I have developed a Windows 2000 filter driver which does all of its
functions correctly except for when it is suppose to encrypt the data
being written to the “filtered” drive.

The driver intercepts the MajorFunction[IRP_MJ_WRITE], when it determines
that encryption is needed, it allocates its own data buffer from the non-
paged pool, copies the user data to this buffer, performs the encryption,
updates the IRP to use this buffer, sets a completion routine, and passes
the IRP down via IoCallDriver. Then, when the completion routine is
called, it frees the data buffer that it allocated for writing the
encrypted data, and restores the IRP UserBuffer and MdlAddress values with
the original ones which it had saved off.

This all seems to work just fine, but somehow the OS knows I have mucked
with the user data and sends another IRP for the exact same portion of
file data, but this time it sends me a copy of the encrypted data which I
just got done writing!

How do I prevent the OS from doing this multiple write when I am trying to
do data encryption?

Thanks,
Doug

You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to %%email.unsub%%


Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32 developers.