Hi,
I am developing an FS minifilter driver that does on-the-fly encryption/decryption.
I have run into a problem. I encrypt a file when it is being written. For example, when I am
writing a file named “test.doc”, in preWrite I track
Cbd->Iopb->TargetFileObject->FileName, and find that,
1st time into preWrite, Cbd->Iopb->TargetFileObject->FileName = “test.doc”,
2nd time into preWrite, Cbd->Iopb->TargetFileObject->FileName = NULL,
BUT on later calls into preWrite, Cbd->Iopb->TargetFileObject->FileName = $LogFile, or $Mft, or $Directory. Can I encrypt these special files or not?
Thanks!!!
Where to start?
First up, the contents of FileObject->FileName are *only* valid during
FLT_PRE_CREATE. You need to make all your decisions then and store them in
appropriate contexts.
Hi,
Thank you! I tracked the contents of FileObject->FileName in FLT_PRE_CREATE, but I can NOT find files such as “$Mft, $Directory, $LogFile, and so on” in NTFS. How can I encrypt/decrypt those files? If I want to encrypt those files in preWrite and decrypt them in postRead, how can I get their names?
Best wishes!
You cannot. The file system does not call you to tell you when it is
opening those files. They are opened IN the file system
(IoCreateStreamFileObject and associated functions) so you won’t see an
IRP_MJ_CREATE for them.
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
> How can I encrypt/decrypt those files?
These are some of the NTFS metadata files. Even if it let you, you wouldn’t
want to decrypt them.
Hi,
Well, thank you! Like you said, I can get the filename in FLT_PRE_CREATE, such as “\test…doc”, because I will encrypt on-the-fly in FLT_PRE_WRITE only for IRP_NOCACHE. When I am writing “test.doc” and saving, I get into my preWrite many times. The 1st time into preWrite, IrpFlags is NOT IRP_NOCACHE but 0xa00, and the remaining times into preWrite, IrpFlags = IRP_NOCACHE (0x43). Should I encrypt the Cbd->Iopb->Parameters.Write.WriteBuffer each time? Sometimes I think $LogFile, $Mft, or $Directory is being written. Now that FileObject->FileName is NOT valid in preWrite, on which of the calls into preWrite should I encrypt?