decryption problem

hi all,
I have created one filter driver, which decrypts the encrypted PDF file on the fly.
It is working perfectly and it also blocks caching of the data.

But the problem is that if we attempt to read the PDF file using a new exe file with the same name as AcroRd32.exe, we will get the decrypted copy of the file. Here I am checking only the process name. So what can I do to prevent other exe files named acrord32.exe from reading our encrypted PDF file?

thanks all,
Vaseef



Hi Vaseef,

I would suggest doing a checksum or hash on the known AcroRd32.exe and then
compute the checksum on the AcroRd32.exe that wants to open your pdf. If
the computed checksum or hash doesn’t match your stored one, then it is an
impostor AcroRd32.exe.

However, you would have to do this for every different version of
AcroRd32.exe and would have to release new code each time Adobe released a
new version.

By the way, would you be able to share how you are blocking the caching of
the data?

Cheers,

Steve

On 5/10/06, vaseef - wrote:
> [...]
> Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17
> You are currently subscribed to ntfsd as: xxxxx@gmail.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

> I would suggest doing a checksum or hash on the known AcroRd32.exe and
> then compute the checksum on the AcroRd32.exe that wants to open your pdf.

Adobe Reader has the self-update feature. So, the user presses Update Now, and
goodbye hash, and goodbye all his/her PDFs :)

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

hi,
Thanks for your information. But the problem is how I can get the full path of the process. I'm getting only the process name as AcroRd32.exe; I want the full path name, otherwise how can I check it against the checksum? And I want my product to be version independent.

You can prevent the caching of data by using

    case IRP_MJ_READ:
        /* Force non-cached I/O so the decrypted data is never served from the system cache */
        Irp->Flags |= IRP_NOCACHE;
        break;

It will prevent caching on the NT platform. The OS will read from the file each time there is any reference to it.

bye

Steve Sharman wrote: [...]

Access the user-mode PEB under a __try/__except block, or offload this to a
helper user-mode service, which will do the same, but buried into the
documented and stable psapi!GetModuleFileNameEx call :)

IPNATHLP (the user-mode part of Windows Firewall) relies on
GetModuleFileNameEx in determining the full pathnames of the EXEs started.

I have major doubts that this information is stored anywhere in the kernel
land.

Well, you can also use Ps’s load image notify routine, IIRC it provides you
with a full pathname.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
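The two checks discussed in this thread (Steve's hash of the known AcroRd32.exe and Maxim's point that the full image path is needed and that a hash breaks on every Reader update), modelled in user-mode Python as an added example. This is not the driver's code or anything from the list; it assumes the kernel side (for example the load-image notify routine Maxim mentions) has already handed over the full image path, and the "genuine" and "impostor" binaries, the install directory and the allowlist are all constructed in a temp directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 (assumption: SHA-256 stands in for whatever checksum the driver stores)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def name_only_check(image_path: Path) -> bool:
    """The check the original driver performs: compare only the image file name."""
    return image_path.name.lower() == "acrord32.exe"


def full_path_and_hash_check(image_path: Path, install_dir: Path, allowed_hashes: set) -> bool:
    """Stronger check: the image must live under the expected install directory
    AND its content hash must match a known-good Reader build."""
    try:
        resolved = image_path.resolve(strict=True)
    except FileNotFoundError:
        return False
    # Path check: reject a same-named binary dropped anywhere else (e.g. a Downloads folder).
    if install_dir.resolve() not in resolved.parents:
        return False
    # Hash check: reject a binary in the right place whose bytes are not a known build.
    return sha256_of(resolved) in allowed_hashes


def demo() -> dict:
    """Constructed scenario: genuine Reader, a renamed impostor, then a simulated Reader self-update."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        install_dir = root / "Program Files" / "Adobe" / "Reader"
        install_dir.mkdir(parents=True)
        genuine = install_dir / "AcroRd32.exe"
        genuine.write_bytes(b"MZ constructed genuine Reader build 1")

        # Impostor: different bytes, same file name, outside the install directory.
        impostor_dir = root / "Users" / "someone" / "Downloads"
        impostor_dir.mkdir(parents=True)
        impostor = impostor_dir / "AcroRd32.exe"
        impostor.write_bytes(b"MZ constructed impostor reader")

        # Allowlist of known-good build hashes, as Steve proposes.
        allowed = {sha256_of(genuine)}
        results = {
            "name_check_genuine": name_only_check(genuine),
            "name_check_impostor": name_only_check(impostor),       # passes: name-only is spoofable
            "strong_check_genuine": full_path_and_hash_check(genuine, install_dir, allowed),
            "strong_check_impostor": full_path_and_hash_check(impostor, install_dir, allowed),
        }

        # Maxim's objection: the user presses "Update Now", the binary changes, the stored hash no longer matches.
        genuine.write_bytes(b"MZ constructed genuine Reader build 2")
        results["strong_check_after_update"] = full_path_and_hash_check(genuine, install_dir, allowed)

        # Only shipping a refreshed allowlist restores access, which is the maintenance burden the thread describes.
        allowed.add(sha256_of(genuine))
        results["strong_check_after_refresh"] = full_path_and_hash_check(genuine, install_dir, allowed)
        return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {'allow' if outcome else 'deny'}")
```

The path comparison uses the resolved path's parents rather than a string prefix so that `..` segments and symlinks cannot place a foreign binary "inside" the install directory by spelling alone; the hash comparison is what actually distinguishes a tampered or renamed binary from the real one.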

----- Original Message -----
From: “vaseef -”
To: “Windows File Systems Devs Interest List”
Sent: Saturday, May 13, 2006 8:23 AM
Subject: Re: [ntfsd] decryption problem

>
> [...]