Hi every one:
My name is wang xiao zhen.
Welcome to read my post question, and really hope onesome could give me some
suggesion.
I just installed DDK at C:\WINDDK\3790.1830 learn how to write mini-filter
driver.
In the src directory have a swapbuffers sample.
In my machine,it store at
C:\WINDDK\3790.1830\src\filesys\minifilter\swapbuffers.
It's quite symmetry, hooked PreReadBuffer , PostRreadBuffer, PreWriteBuffer,
PostWriteBuffer, ....
My purpose is :
Files are saving to directory at c:\test , all bit do xor with 'a'.
Files are reading from directory at c:\test , all bit do xor with 'a'.
If these data modification can be property performed,
a simple custom encryption decryption on-the-fly filter driver will be
implemented.
So I do the follow things based on this swapbuffer sample.
-
First i wrote "IsProtectedDir" function to check FLT_CALLBACK_DATA
FileNameInformation Parent Dir name is \test\ or not.
If not , return the call back function successfully. -
A simple function XorBuffer operation when got the swapped buffer
address.
Some interesting things happened.
when i use the notepad.exe to test it. i type 0123 then save it to
c:\test\a.txt.
And I open a.txt file again , it display QPSR.
Deos this means 0123 is be XORed and saved.
I guess is this cache the xored buffer on cache. So i reboot my debug
machine,
load and start my driver angain, and use notpad.exe to open c:\test\a.txt
again.
It still display QPSR
But suddenly i found that i use wordpad.exe to open c:\test\a.txt file it
actually display 0123 !
This means , notepad and wordpad do the I/O operation differently.
why this happens ?
Also I have there Question
- Does every write or read disk operation can be intercepted by mini-filter
driver ? - If it does, Does every write or read disk data can be symmetrically
replaced ?
If these two condition is OK and just do encryption and decryption on disk,
i think i can ignore the Cache issue.
Because Cache data is loaded either from disk or memory,
and memory data is also loaded form disk as well.
So does this idea OK ?
There are some place i added or modified code in swapbuffers.c files
In function "SwapPreWriteBuffers" , at first try
try {
if( IsProtectedDir(Data)== FALSE )
{
leave;
}
...
//and when got the new buffer address, i just change the data for write
RtlCopyMemory( newBuf,
origBuf,
writeLen );
XorBuffer(newBuf,writeLen);
//In function "SwapPreReadBuffers", at first try
try {
// just process file parent are \test\
if( IsProtectedDir(Data)== FALSE )
{
leave;
}
...
//In function "SwapPostReadBuffers" ,
//
// We either have a system buffer or this is a fastio operation
// so we are in the proper context. Copy the data handling an
// exception.
//
try {
XorBuffer(p2pCtx->SwappedBuffer,Data->IoStatus.Information);
RtlCopyMemory( origBuf,
p2pCtx->SwappedBuffer,
Data->IoStatus.Information );
} except (EXCEPTION_EXECUTE_HANDLER) {
...
In function "SwapPostReadBuffersWhenSafe"
//
// Copy the data back to the original buffer. Note that we
// don't need a try/except because we will always have a system
// buffer address.
//
XorBuffer(p2pCtx->SwappedBuffer,Data->IoStatus.Information);
RtlCopyMemory( origBuf,
p2pCtx->SwappedBuffer,
Data->IoStatus.Information );
...
VOID XorBuffer(PUCHAR Byte,ULONG length)
{
ULONG byteCount;
for(byteCount = 0;byteCount < length; byteCount ++)
{
Byte[byteCount] ^= 'a';
}
}
BOOLEAN IsProtectedDir(PFLT_CALLBACK_DATA Data)
{
PFLT_FILE_NAME_INFORMATION FileNameInformation=NULL;
NTSTATUS status ;
status =
FltGetFileNameInformation(Data,FLT_FILE_NAME_NORMALIZED,&FileNameInformation);
if ( NT_SUCCESS(status))
{
status= FltParseFileNameInformation(FileNameInformation);
if( NT_SUCCESS(status) )
{
//KdPrint(("Parent Dir is %S\n", FileNameInformation->ParentDir.Buffer));
if( RtlCompareUnicodeString(&FileNameInformation->ParentDir,
&ProtectedDirName,FALSE) == 0)
{
FltReleaseFileNameInformation(FileNameInformation);
return TRUE;
}
if( RtlCompareMemory(FileNameInformation->ParentDir.Buffer,
ProtectedDirName.Buffer, sizeof(WCHAR) * 4) == 0)
{
KdPrint((" !!!!! sTARt with test \n"));
FltReleaseFileNameInformation(FileNameInformation);
return TRUE;
}
FltReleaseFileNameInformation(FileNameInformation);
}
else
{
KdPrint(("swapbuffers!IsProtectedDir : Error FltParseFileNameInformation
"));
}
}
else if( status == STATUS_FLT_INVALID_NAME_REQUEST )
{
KdPrint(("swapbuffers!IsProtectedDir : Error
STATUS_FLT_INVALID_NAME_REQUEST return by FltGetFileNameInformation "));
}
else if( status == STATUS_INSUFFICIENT_RESOURCES )
{
KdPrint(("swapbuffers!IsProtectedDir : Error STATUS_INSUFFICIENT_RESOURCES
return by FltGetFileNameInformation "));
}
else if( status == STATUS_INVALID_PARAMETER )
{
KdPrint(("swapbuffers!IsProtectedDir : Error STATUS_INVALID_PARAMETER
return by FltGetFileNameInformation "));
}
return FALSE;
}
Could some one could give me some suggestion can solve this problem ?
Thanks a lots
Regards!