Could anyone help me with a problem with Filemon? I want to make a custom decryption driver which decrypts specific file extensions for a specific process only (for software protection of ASP files, for example).
I am using Filemon as a template, and all is OK: the files are decrypted OK, but when they are already cached, all other processes can open them decrypted. I have hooked FastIO, but it seems not to be going through my hook in this case? Please help me. I’ve read about the Cache Manager, about the need for my filter driver to be at the top of the stack, etc. Some reads are intercepted OK via the FastIORead hook, but none of these are interesting for me!!!
How can I prevent a file from being cached in IRP_MJ_CREATE (e.g. to be read from disk)?
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> I am using Filemon as a template, and all is OK: the files are decrypted OK,
> but when they are already cached, all other processes can open them
> decrypted. I have hooked FastIO, but it seems not to be going through my hook
> in this case?
You will always have either an IRP or FastIo call for reads.
Max
Hi,
An application can always access the content of the file directly in the cache via the CreateFileMapping API. If the data is already in the cache, there will be no activity in the file system. You probably need to prevent the file being opened for read access from the process that is not supposed to see the data.
Bye,
Alexei.
Maybe I’m mistaken, but in “Inside Windows 2000” (www.sysinternals.com) it is mentioned: “Mapped files don’t go through the cache manager, nor do files opened with the FILE_FLAG_NO_BUFFERING flag set.” Does it mean that the cache is not used for a CreateFileMapping call?
I would expect that all calls to a file must be intercepted by the filter driver, but it looks like no… Maybe one of the gurus could shed some light here?
BR,
Vadim
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of xxxxx@mondenet.com
Sent: Friday, November 23, 2001 2:00 PM
To: File Systems Developers
Subject: [ntfsd] Re: Cache problem!
Hi,
An application can always access the content of the file directly in the cache via the CreateFileMapping API. If the data is already in the cache, there will be no activity in the file system. You probably need to prevent the file being opened for read access from the process that is not supposed to see the data.
Bye,
Alexei.
> Maybe I’m mistaken, but in “Inside Windows 2000” (www.sysinternals.com) it is
> mentioned: “Mapped files don’t go through the cache manager, nor do files
> opened with the FILE_FLAG_NO_BUFFERING flag set.” Does it mean that the cache
> is not used for a CreateFileMapping call?
Yes.
Both CreateFileMapping and Cc use the “control area” structure hanging off the file (see SECTION_OBJECT_POINTERS - DataSectionObject is a control area - MmCa - pointer).
The control area is an MM structure which describes the physical pages hanging off this file.
The section object itself is nothing more than a (protection flags, control area pointer) thing.
If CcInitializeCacheMap was called second, after CreateFileMapping, then it reuses the control area created by CreateFileMapping; otherwise, it creates a new control area.
If CreateFileMapping was called second, after CcInitializeCacheMap, then it reuses the control area created by CcInitializeCacheMap; otherwise, it creates a new control area.
So, both the cache and the MM use the same set of physical pages.
> I would expect that all calls to a file must be intercepted by the filter
> driver, but it looks like no… Maybe one of the gurus could shed some light here?
IO operations to a file arrive at the filesystem via a) usual IRPs, b) FastIo callbacks.
FastIo callbacks are used for cached files only and do not use IRPs.
Note that there are several Zw/Ntxxx routines which query some information from a file given its name (unlike NtQueryInformationFile, which requires a handle). These routines can use the FastIoQueryOpen and FastIoQueryNetworkOpenInfo callbacks.
FastIoQueryOpen is, in fact, a brief version of the CREATE dispatch.
Max
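A toy user-mode model of the shared control area described in the reply above, added here as an illustration and not code from the thread, Filemon or Windows. Apart from SECTION_OBJECT_POINTERS and DataSectionObject, every name is hypothetical, XOR stands in for the driver's cipher, and the sample text is constructed.

```c
/* Toy user-mode model of the shared control area; not Windows kernel code. */
#include <stdio.h>
#include <string.h>

#define PAGE 32

typedef struct { char page[PAGE]; int valid; } ControlArea;  /* Mm's pages for one file */
typedef struct { ControlArea *DataSectionObject; } SectionObjectPointers;
typedef struct {
    char disk[PAGE];            /* ciphertext as stored on disk */
    ControlArea backing;        /* storage for the single control area */
    SectionObjectPointers sop;  /* one per file, shared by every opener */
    int filter_reads;           /* reads that actually reached the filter */
} File;

/* Cc and CreateFileMapping both land here in the model: whoever comes
   second reuses the control area the first one created. */
static ControlArea *get_control_area(File *f) {
    if (!f->sop.DataSectionObject)
        f->sop.DataSectionObject = &f->backing;
    return f->sop.DataSectionObject;
}

/* Cached read and mapped view differ only in the entry point. The filter
   sees a read only when the page is not resident, and what it decrypts
   lands in the page every opener shares. */
static const char *read_file(File *f) {
    ControlArea *ca = get_control_area(f);
    if (!ca->valid) {
        f->filter_reads++;
        for (int i = 0; i < PAGE; i++) ca->page[i] = f->disk[i] ^ 0x5A;
        ca->valid = 1;
    }
    return ca->page;
}

/* Constructed scenario: authorised process A reads through the cache, then
   process B maps the same file. Returns how many reads the filter saw. */
int demo(char *seen_by_b) {
    File f = {0};
    const char plain[PAGE] = "<% constructed sample %>";
    for (int i = 0; i < PAGE; i++) f.disk[i] = plain[i] ^ 0x5A;
    read_file(&f);                           /* A: miss, filter decrypts    */
    memcpy(seen_by_b, read_file(&f), PAGE);  /* B: hit, filter not involved */
    return f.filter_reads;
}

int main(void) {
    char b[PAGE];
    int reads = demo(b);
    printf("filter saw %d read(s); process B sees: %s\n", reads, b);
    return 0;
}
```

In this model the read path never learns which process is asking once the page is resident, so the open is the only point where process B can be told apart, which is where Alexei's reply suggests denying access.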