I am working on a file protection driver, based on the FileMon source from
Sysinternals.
It is almost done, but incomplete.
It has critical problems.
One is that, irregularly, it can’t decrypt some blocks. (I treat only
decryption, not encryption.)
I modified the FilemonHookDone function. When ‘IrpSp->MajorFunction’ is
IRP_MJ_READ, I check and decrypt ‘Irp->UserBuffer’.
The strange thing is that
in the FilemonHookDone function, sometimes, some of the passed data was already
decrypted.
I guess it is caused by the cache, but that’s just my guess.
Does anyone know the reason?
Any feedback is greatly appreciated.
If anyone could give me an encryption/decryption driver sample, that would be best for
me.
My sample code:
NTSTATUS
IEFFHookDone(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    )
{
    PIO_STACK_LOCATION IrpSp;   // stack location of the completed IRP
    PVOID pBuff = NULL;         // caller's read buffer, if any

    IrpSp = IoGetCurrentIrpStackLocation( Irp );
    if( g_bStartService ) {
        switch( IrpSp->MajorFunction )
        {
        case IRP_MJ_READ:
            if (Irp->UserBuffer)
            {
                pBuff = Irp->UserBuffer;
            }
            if (pBuff != NULL)
            {
                SetCode( // <-- decrypting function
                    IEFFGetFilenamePtrFromPath(fullPathName),
                    pBuff, // <-- sometimes this buffer already has decrypted data. What's wrong?
                    IrpSp->Parameters.Read.Length,
                    IrpSp->Parameters.Read.ByteOffset.LowPart);
                // .
            }