Encrypt/Decrypt a doc file in a filter driver

hi all,

I am new to this forum and need your help. I am developing a filter driver
to
encrypt/decrypt all files under a specified folder. I encrypt the data while

receiving none-cache write irp and decrypt the data in both read and write
irps’ completion routine. It works well except for word documents. When I
open and save a doc file, the driver writes a dummy 4k bytes in the first 4k
bytes of the doc file, and the rest part of the file is same as the original
file
(encrypted data). I really don’t know why and need your advice. Any comment

will be appreciated. Thanks.

Jiang

Do You Yahoo!?
ÑÅ»¢Ãâ·ÑGÓÊÏ䣭ÖйúµÚÒ»¾øÎÞÀ¬»øÓʼþɧÈų¬´óÓÊÏä
http://cn.mail.yahoo.com/?id=77071

Jiang,

First of all, the mode you are using have potential problem.
Suppose 2 applications are sharing a piece of memory. A use the memory to
write file. B is accessing memory contents simultaneously. The B may get
corrupted data during A is writting data.

And, you centainly missed some of write requests, according to your desc.

best regards,
lu0
TTC Senior engineer
http://ttcone.com
Inside Programming
http://lu0.126.com
----- Original Message -----
From: “Jiang”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, September 13, 2005 7:35 PM
Subject: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

>
> hi all,
>
> I am new to this forum and need your help. I am developing a filter driver
> to
> encrypt/decrypt all files under a specified folder. I encrypt the data
> while
>
> receiving none-cache write irp and decrypt the data in both read and write
> irps’ completion routine. It works well except for word documents. When I
> open and save a doc file, the driver writes a dummy 4k bytes in the first
> 4k
> bytes of the doc file, and the rest part of the file is same as the
> original
> file
> (encrypted data). I really don’t know why and need your advice. Any
> comment
>
> will be appreciated. Thanks.
>
>
> Jiang
>
> __________________________________________________
> Do You Yahoo!?
> ÑÅ»¢Ãâ·ÑGÓÊÏ䣭ÖйúµÚÒ»¾øÎÞÀ¬»øÓʼþɧÈų¬´óÓÊÏä
> http://cn.mail.yahoo.com/?id=77071
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: lulinsha@163.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

hi lu0,

Thanks for your reply.
I don’t allocate memory by myself. I just make use of the buffers
IRPs pass to my driver.Of course A and B will use different
IRPs. So I think there wouldn’t be any potential confliction problem.
I also didn’t miss write requests but got an extra write_irp which
confused me.

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of lu0
Sent: Wednesday, September 14, 2005 12:03 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

Jiang,

First of all, the mode you are using have potential problem.
Suppose 2 applications are sharing a piece of memory. A use the memory to
write file. B is accessing memory contents simultaneously. The B may get
corrupted data during A is writting data.

And, you centainly missed some of write requests, according to your desc.

best regards,
lu0
TTC Senior engineer
http://ttcone.com
Inside Programming
http://lu0.126.com
----- Original Message -----
From: “Jiang”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, September 13, 2005 7:35 PM
Subject: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

>
> hi all,
>
> I am new to this forum and need your help. I am developing a filter driver
> to
> encrypt/decrypt all files under a specified folder. I encrypt the data
> while
>
> receiving none-cache write irp and decrypt the data in both read and write
> irps’ completion routine. It works well except for word documents. When I
> open and save a doc file, the driver writes a dummy 4k bytes in the first
> 4k
> bytes of the doc file, and the rest part of the file is same as the
> original
> file
> (encrypted data). I really don’t know why and need your advice. Any
> comment
>
> will be appreciated. Thanks.
>
>
> Jiang
>
>
> Do You Yahoo!?
> ?Ż???G???䣭?й???һ???ʼ?ɧ?ų???
> http://cn.mail.yahoo.com/?id=77071
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: lulinsha@163.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@yahoo.com.cn
To unsubscribe send a blank email to xxxxx@lists.osr.com

NOD32 1.1216 (20050913) Information

This message was checked by NOD32 antivirus system.
http://canon-sol.jp/product/nd


Do You Yahoo!?
ÑÅ»¢Ãâ·ÑGÓÊÏ䣭ÖйúµÚÒ»¾øÎÞÀ¬»øÓʼþɧÈų¬´óÓÊÏä
http://cn.mail.yahoo.com/?idw071

Your assumption is that these two applications are not sharing memory but in fact that isn’t true - memory mapped files (of which the cache manager is one example) share the same pieces of memory. Thus, encryption cannot safely be done “in place” because you are encrypting a version that is visible to application programs.

This is the most common access pattern - but even if we were just talking about one application with two threads, the application might not be written to assume the data contents of that buffer change just because the I/O is being written. So, even in a single application case this isn’t safe.

Encryption needs to be done into a different buffer.

Welcome to the “how hard could it be to write an encryption filter?” club. It may not make you feel better, but you are merely the latest in a string of people asking these same questions for the past 10+ years here in NTFSD… I strongly suggest you look back through the archives.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in Los Angeles, CA October 24-27, 2005.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Jiang
Sent: Tuesday, September 13, 2005 11:52 PM
To: ntfsd redirect
Subject: RE: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

hi lu0,

Thanks for your reply.
I don’t allocate memory by myself. I just make use of the buffers
IRPs pass to my driver.Of course A and B will use different
IRPs. So I think there wouldn’t be any potential confliction problem.
I also didn’t miss write requests but got an extra write_irp which
confused me.

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of lu0
Sent: Wednesday, September 14, 2005 12:03 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

Jiang,

First of all, the mode you are using have potential problem.
Suppose 2 applications are sharing a piece of memory. A use the memory to
write file. B is accessing memory contents simultaneously. The B may get
corrupted data during A is writting data.

And, you centainly missed some of write requests, according to your desc.

best regards,
lu0
TTC Senior engineer
http://ttcone.com
Inside Programming
http://lu0.126.com
----- Original Message -----
From: “Jiang”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, September 13, 2005 7:35 PM
Subject: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

>
> hi all,
>
> I am new to this forum and need your help. I am developing a filter driver
> to
> encrypt/decrypt all files under a specified folder. I encrypt the data
> while
>
> receiving none-cache write irp and decrypt the data in both read and write
> irps’ completion routine. It works well except for word documents. When I
> open and save a doc file, the driver writes a dummy 4k bytes in the first
> 4k
> bytes of the doc file, and the rest part of the file is same as the
> original
> file
> (encrypted data). I really don’t know why and need your advice. Any
> comment
>
> will be appreciated. Thanks.
>
>
> Jiang
>
>
> Do You Yahoo!?
> ?Ż???G???䣭?й???һ???ʼ?ɧ?ų???
> http://cn.mail.yahoo.com/?id=77071
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: lulinsha@163.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@yahoo.com.cn
To unsubscribe send a blank email to xxxxx@lists.osr.com

NOD32 1.1216 (20050913) Information

This message was checked by NOD32 antivirus system.
http://canon-sol.jp/product/nd


Do You Yahoo!?
?Ż???G???䣭?й???һ???ʼ?ɧ?ų???
http://cn.mail.yahoo.com/?idw071

—
Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

seems like your problem is due to memory mapped files…

• Amitrajit

> Encryption needs to be done into a different buffer.

Not only encryption. In general, every buffes that needs
to be modified defore passing down, must be created new
and set into the IRP’s appropriate place.

This is because the buffer passed to the IRP does not
belong to the filter/FSD that eceives the IRP, but it
belongs to the caller. And the caller often does not
expect the buffer to be changed by someone else.

L.

Tony,

You are right. The problem should be caused by the memory mapped files. As
you suggested , I did read through the achives when I wrote this driver.
But I didn’t know where MDL buffer came from. That is the problem. I will
review and rewrite my code. Thanks again for your help! Also thanks to
others that pointed out my problem.

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Wednesday, September 14, 2005 1:26 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

Your assumption is that these two applications are not sharing memory but in
fact that isn’t true - memory mapped files (of which the cache manager is
one example) share the same pieces of memory. Thus, encryption cannot
safely be done “in place” because you are encrypting a version that is
visible to application programs.

This is the most common access pattern - but even if we were just talking
about one application with two threads, the application might not be written
to assume the data contents of that buffer change just because the I/O is
being written. So, even in a single application case this isn’t safe.

Encryption needs to be done into a different buffer.

Welcome to the “how hard could it be to write an encryption filter?” club.
It may not make you feel better, but you are merely the latest in a string
of people asking these same questions for the past 10+ years here in
NTFSD… I strongly suggest you look back through the archives.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in Los
Angeles, CA October 24-27, 2005.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of Jiang
Sent: Tuesday, September 13, 2005 11:52 PM
To: ntfsd redirect
Subject: RE: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

hi lu0,

Thanks for your reply.
I don’t allocate memory by myself. I just make use of the buffers
IRPs pass to my driver.Of course A and B will use different
IRPs. So I think there wouldn’t be any potential confliction problem.
I also didn’t miss write requests but got an extra write_irp which
confused me.

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of lu0
Sent: Wednesday, September 14, 2005 12:03 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

Jiang,

First of all, the mode you are using have potential problem.
Suppose 2 applications are sharing a piece of memory. A use the memory to
write file. B is accessing memory contents simultaneously. The B may get
corrupted data during A is writting data.

And, you centainly missed some of write requests, according to your desc.

best regards,
lu0
TTC Senior engineer
http://ttcone.com
Inside Programming
http://lu0.126.com
----- Original Message -----
From: “Jiang”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, September 13, 2005 7:35 PM
Subject: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

>
> hi all,
>
> I am new to this forum and need your help. I am developing a filter driver
> to
> encrypt/decrypt all files under a specified folder. I encrypt the data
> while
>
> receiving none-cache write irp and decrypt the data in both read and write
> irps’ completion routine. It works well except for word documents. When I
> open and save a doc file, the driver writes a dummy 4k bytes in the first
> 4k
> bytes of the doc file, and the rest part of the file is same as the
> original
> file
> (encrypted data). I really don’t know why and need your advice. Any
> comment
>
> will be appreciated. Thanks.
>
>
> Jiang
>
>
> Do You Yahoo!?
> ?Ż???G???䣭?й???һ???ʼ?ɧ?ų???
> http://cn.mail.yahoo.com/?id=77071
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: lulinsha@163.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@yahoo.com.cn
To unsubscribe send a blank email to xxxxx@lists.osr.com

NOD32 1.1216 (20050913) Information

This message was checked by NOD32 antivirus system.
http://canon-sol.jp/product/nd


Do You Yahoo!?
?Ż???G???䣭?й???һ???ʼ?ɧ?ų???
http://cn.mail.yahoo.com/?idw071

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

NOD32 1.1216 (20050913) Information

This message was checked by NOD32 antivirus system.
http://canon-sol.jp/product/nd

__________________________________________________
Do You Yahoo!?
ÑÅ»¢Ãâ·ÑGÓÊÏ䣭ÖйúµÚÒ»¾øÎÞÀ¬»øÓʼþɧÈų¬´óÓÊÏä
http://cn.mail.yahoo.com/?idw071

Well, I rewrited my code to use a seperate buffer to do encrypt/decrypt, and
I send this encrypted buffer to the lower driver
when writing, and restore the IRP UserBuffer and MdlAddress with the
original ones in completion routine.I only deal with
IRP_PAGING_IO | IRP_NOCACHE | IRP_SYNCHRONOUS_PAGING_IO. I checked other
parts of my driver and there are no
other IRP buffer moification operations.
But the same problem still occurs. The first write IRP was received twice. I
mean the first and the second wite IRP my driver
received have the same buffer address. So my encrpted doc file get
corrupted. BTW, I test my driver on WindowsXP with Office2003
installed.
Again I need your help. Thanks in advance.

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jiang
Sent: Wednesday, September 14, 2005 4:03 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

Tony,

You are right. The problem should be caused by the memory mapped files. As
you suggested , I did read through the achives when I wrote this driver.
But I didn’t know where MDL buffer came from. That is the problem. I will
review and rewrite my code. Thanks again for your help! Also thanks to
others that pointed out my problem.

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Wednesday, September 14, 2005 1:26 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

Your assumption is that these two applications are not sharing memory but in
fact that isn’t true - memory mapped files (of which the cache manager is
one example) share the same pieces of memory. Thus, encryption cannot
safely be done “in place” because you are encrypting a version that is
visible to application programs.

This is the most common access pattern - but even if we were just talking
about one application with two threads, the application might not be written
to assume the data contents of that buffer change just because the I/O is
being written. So, even in a single application case this isn’t safe.

Encryption needs to be done into a different buffer.

Welcome to the “how hard could it be to write an encryption filter?” club.
It may not make you feel better, but you are merely the latest in a string
of people asking these same questions for the past 10+ years here in
NTFSD… I strongly suggest you look back through the archives.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in Los
Angeles, CA October 24-27, 2005.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of Jiang
Sent: Tuesday, September 13, 2005 11:52 PM
To: ntfsd redirect
Subject: RE: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

hi lu0,

Thanks for your reply.
I don’t allocate memory by myself. I just make use of the buffers IRPs pass
to my driver.Of course A and B will use different IRPs. So I think there
wouldn’t be any potential confliction problem.
I also didn’t miss write requests but got an extra write_irp which confused
me.

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of lu0
Sent: Wednesday, September 14, 2005 12:03 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

Jiang,

First of all, the mode you are using have potential problem.
Suppose 2 applications are sharing a piece of memory. A use the memory to
write file. B is accessing memory contents simultaneously. The B may get
corrupted data during A is writting data.

And, you centainly missed some of write requests, according to your desc.

best regards,
lu0
TTC Senior engineer
http://ttcone.com
Inside Programming
http://lu0.126.com
----- Original Message -----
From: “Jiang”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, September 13, 2005 7:35 PM
Subject: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

>
> hi all,
>
> I am new to this forum and need your help. I am developing a filter
> driver to encrypt/decrypt all files under a specified folder. I
> encrypt the data while
>
> receiving none-cache write irp and decrypt the data in both read and
> write irps’ completion routine. It works well except for word
> documents. When I open and save a doc file, the driver writes a dummy
> 4k bytes in the first 4k bytes of the doc file, and the rest part of
> the file is same as the original file (encrypted data). I really don’t
> know why and need your advice. Any comment
>
> will be appreciated. Thanks.
>
>
> Jiang
>
>
> Do You Yahoo!?
> ?Ż???G???䣭?й???һ???ʼ?ɧ?ų???
> http://cn.mail.yahoo.com/?id=77071
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: lulinsha@163.com To
> unsubscribe send a blank email to xxxxx@lists.osr.com
>

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@yahoo.com.cn To
unsubscribe send a blank email to xxxxx@lists.osr.com

NOD32 1.1216 (20050913) Information

This message was checked by NOD32 antivirus system.
http://canon-sol.jp/product/nd


Do You Yahoo!?
?Ż???G???䣭?й???һ???ʼ?ɧ?ų???
http://cn.mail.yahoo.com/?idw071

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

NOD32 1.1216 (20050913) Information

This message was checked by NOD32 antivirus system.
http://canon-sol.jp/product/nd


Do You Yahoo!?
?Ż???G???䣭?й???һ???ʼ?ɧ?ų???
http://cn.mail.yahoo.com/?idw071

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com


Do You Yahoo!?
ÑÅ»¢Ãâ·ÑGÓÊÏ䣭ÖйúµÚÒ»¾øÎÞÀ¬»øÓʼþɧÈų¬´óÓÊÏä
http://cn.mail.yahoo.com/?idw071

There is something wrong with your specific implementation - the general technique does work properly. Unfortunately, nobody on the list is likely to be able to debug your specific implementation from a general description of how you have implemented it.

You could post your source code to the list for comments or you could use the debugger to figure out the flow of control.

An area in a file may be read or written multiple times. If you are saying that you receive the *same* IRP twice then it suggests you are calling your own driver or you have some other component on the system that is changing the normal operation.

I’ve seen more and more people recently doing development on systems with 3rd party filters installed (e.g., anti-virus). I strongly discourage this because it makes getting your own driver working substantially more difficult. If your IT department mandates this, disconnect the machine from your network or take other steps so that you won’t violate this policy - but do your initial development on a clean system with nothing but Windows components and your driver. Once you have that working then you can start working with other 3rd party products.

I don’t know if this is an issue for your specific environment, of course.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in Los Angeles, CA October 24-27, 2005.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Jiang
Sent: Thursday, September 15, 2005 12:22 AM
To: ntfsd redirect
Subject: RE: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

Well, I rewrited my code to use a seperate buffer to do encrypt/decrypt, and
I send this encrypted buffer to the lower driver
when writing, and restore the IRP UserBuffer and MdlAddress with the
original ones in completion routine.I only deal with
IRP_PAGING_IO | IRP_NOCACHE | IRP_SYNCHRONOUS_PAGING_IO. I checked other
parts of my driver and there are no
other IRP buffer moification operations.
But the same problem still occurs. The first write IRP was received twice. I
mean the first and the second wite IRP my driver
received have the same buffer address. So my encrpted doc file get
corrupted. BTW, I test my driver on WindowsXP with Office2003
installed.
Again I need your help. Thanks in advance.

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jiang
Sent: Wednesday, September 14, 2005 4:03 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

Tony,

You are right. The problem should be caused by the memory mapped files. As
you suggested , I did read through the achives when I wrote this driver.
But I didn’t know where MDL buffer came from. That is the problem. I will
review and rewrite my code. Thanks again for your help! Also thanks to
others that pointed out my problem.

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Wednesday, September 14, 2005 1:26 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

Your assumption is that these two applications are not sharing memory but in
fact that isn’t true - memory mapped files (of which the cache manager is
one example) share the same pieces of memory. Thus, encryption cannot
safely be done “in place” because you are encrypting a version that is
visible to application programs.

This is the most common access pattern - but even if we were just talking
about one application with two threads, the application might not be written
to assume the data contents of that buffer change just because the I/O is
being written. So, even in a single application case this isn’t safe.

Encryption needs to be done into a different buffer.

Welcome to the “how hard could it be to write an encryption filter?” club.
It may not make you feel better, but you are merely the latest in a string
of people asking these same questions for the past 10+ years here in
NTFSD… I strongly suggest you look back through the archives.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in Los
Angeles, CA October 24-27, 2005.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of Jiang
Sent: Tuesday, September 13, 2005 11:52 PM
To: ntfsd redirect
Subject: RE: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

hi lu0,

Thanks for your reply.
I don’t allocate memory by myself. I just make use of the buffers IRPs pass
to my driver.Of course A and B will use different IRPs. So I think there
wouldn’t be any potential confliction problem.
I also didn’t miss write requests but got an extra write_irp which confused
me.

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of lu0
Sent: Wednesday, September 14, 2005 12:03 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

Jiang,

First of all, the mode you are using have potential problem.
Suppose 2 applications are sharing a piece of memory. A use the memory to
write file. B is accessing memory contents simultaneously. The B may get
corrupted data during A is writting data.

And, you centainly missed some of write requests, according to your desc.

best regards,
lu0
TTC Senior engineer
http://ttcone.com
Inside Programming
http://lu0.126.com
----- Original Message -----
From: “Jiang”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, September 13, 2005 7:35 PM
Subject: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

>
> hi all,
>
> I am new to this forum and need your help. I am developing a filter
> driver to encrypt/decrypt all files under a specified folder. I
> encrypt the data while
>
> receiving none-cache write irp and decrypt the data in both read and
> write irps’ completion routine. It works well except for word
> documents. When I open and save a doc file, the driver writes a dummy
> 4k bytes in the first 4k bytes of the doc file, and the rest part of
> the file is same as the original file (encrypted data). I really don’t
> know why and need your advice. Any comment
>
> will be appreciated. Thanks.
>
>
> Jiang
>
>
> Do You Yahoo!?
> ?Ż???G???䣭?й???һ???ʼ?ɧ?ų???
> http://cn.mail.yahoo.com/?id=77071
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: lulinsha@163.com To
> unsubscribe send a blank email to xxxxx@lists.osr.com
>

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@yahoo.com.cn To
unsubscribe send a blank email to xxxxx@lists.osr.com

NOD32 1.1216 (20050913) Information

This message was checked by NOD32 antivirus system.
http://canon-sol.jp/product/nd


Do You Yahoo!?
?Ż???G???䣭?й???һ???ʼ?ɧ?ų???
http://cn.mail.yahoo.com/?idw071

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

NOD32 1.1216 (20050913) Information

This message was checked by NOD32 antivirus system.
http://canon-sol.jp/product/nd


Do You Yahoo!?
?Ż???G???䣭?й???һ???ʼ?ɧ?ų???
http://cn.mail.yahoo.com/?idw071

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com


Do You Yahoo!?
?Ż???G???䣭?й???һ???ʼ?ɧ?ų???
http://cn.mail.yahoo.com/?idw071

—
Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Tony

Thank you very much! I will try to debug my driver.

Regards,

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Thursday, September 15, 2005 10:00 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

There is something wrong with your specific implementation - the general
technique does work properly. Unfortunately, nobody on the list is likely
to be able to debug your specific implementation from a general description
of how you have implemented it.

You could post your source code to the list for comments or you could use
the debugger to figure out the flow of control.

An area in a file may be read or written multiple times. If you are saying
that you receive the *same* IRP twice then it suggests you are calling your
own driver or you have some other component on the system that is changing
the normal operation.

I’ve seen more and more people recently doing development on systems with
3rd party filters installed (e.g., anti-virus). I strongly discourage this
because it makes getting your own driver working substantially more
difficult. If your IT department mandates this, disconnect the machine from
your network or take other steps so that you won’t violate this policy - but
do your initial development on a clean system with nothing but Windows
components and your driver. Once you have that working then you can start
working with other 3rd party products.

I don’t know if this is an issue for your specific environment, of course.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Do You Yahoo!?
ÑÅ»¢Ãâ·ÑGÓÊÏ䣭ÖйúµÚÒ»¾øÎÞÀ¬»øÓʼþɧÈų¬´óÓÊÏä
http://cn.mail.yahoo.com/?id=77071

Until now my driver can work properly for non-MS office documents like txt
or bmp, but still has problems with office documents.
My driver does folder-based encryption. That is to say, when a file was
copied to a “protected folder”, it got encrypted, when
copied out of the folder, it got decrypted.If I copy a doc file into the
“protected folder”, it is encrypted properly. Then I open
the file and save it in the folder without any other operations, the file
gets corrupted. I compared the two files before open and
after save, and found there are few differences. The file after save has the
first 4k byte and some bytes at the end of file in plain data.
The rests are exactly as same as the file before open. It seems MS-Word
saved those parts of the document to somewhere and
didn’t pass them to my driver. Has anybody ever seen this behavior before?
Does this behavior have relation to “metadata” or
“byte range locking”?
Thanks very much.

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Thursday, September 15, 2005 10:00 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

There is something wrong with your specific implementation - the general
technique does work properly. Unfortunately, nobody on the list is likely
to be able to debug your specific implementation from a general description
of how you have implemented it.

You could post your source code to the list for comments or you could use
the debugger to figure out the flow of control.

An area in a file may be read or written multiple times. If you are saying
that you receive the *same* IRP twice then it suggests you are calling your
own driver or you have some other component on the system that is changing
the normal operation.

I’ve seen more and more people recently doing development on systems with
3rd party filters installed (e.g., anti-virus). I strongly discourage this
because it makes getting your own driver working substantially more
difficult. If your IT department mandates this, disconnect the machine from
your network or take other steps so that you won’t violate this policy - but
do your initial development on a clean system with nothing but Windows
components and your driver. Once you have that working then you can start
working with other 3rd party products.

I don’t know if this is an issue for your specific environment, of course.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in Los
Angeles, CA October 24-27, 2005.

Do You Yahoo!?
ÑÅ»¢Ãâ·ÑGÓÊÏ䣭ÖйúµÚÒ»¾øÎÞÀ¬»øÓʼþɧÈų¬´óÓÊÏä
http://cn.mail.yahoo.com/?id=77071

> The rests are exactly as same as the file before open. It seems MS-Word

saved those parts of the document to somewhere and
didn’t pass them to my driver.

No. This seems that you have implemented your driver
incorrectly. I guess (but it’s just a guess) that you
encrypt the file’s content during cached I/O,
which will work sequential copy, but will not work
with memory mapped files.

L.

Thanks for reply.I do deal with non-cache IO only, My code as following:
WriteDispatchXXX{
if file in protected folder {
if (Irp->Flags&(IRP_PAGING_IO | IRP_NOCACHE |
IRP_SYNCHRONOUS_PAGING_IO)) {
if (Irp->MdlAddress)
OldBuffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress,
HighPagePriority);
else
OldBuffer = Irp->UserBuffer;
Length = IrpSp->Parameters.Write.Length;
CompletionCtx =
ExAllocateFromNPagedLookasideList(&gReadWriteCompletionCtxLookAsideList);
MyBuffer = ExAllocatePoolWithTag(NonPagedPool,
IrpSp->Parameters.Write.Length, SFLT_POOL_TAG);

CompletionCtx->OldMdl = Irp->MdlAddress;
CompletionCtx->OldUserBuffer = Irp->UserBuffer;
CompletionCtx->OldSystemBuffer = Irp->AssociatedIrp.SystemBuffer;
CompletionCtx->OldBuffer = OldBuffer;
CompletionCtx->MyBuffer = MyBuffer;
CompletionCtx->Length = Length;

Irp->MdlAddress = IoAllocateMdl(MyBuffer,
IrpSp->Parameters.Write.Length, FALSE, TRUE, NULL);

RtlCopyMemory(MyBuffer, OldBuffer, Length);
Encrypt(IrpSp->FileObject, MyBuffer, Length,
IrpSp->Parameters.Write.ByteOffset);

MmBuildMdlForNonPagedPool(Irp->MdlAddress);
Irp->UserBuffer = MmGetMdlVirtualAddress(Irp->MdlAddress);

KeInitializeEvent( &CompletionCtx->Event, NotificationEvent, FALSE
);

IoCopyCurrentIrpStackLocationToNext( Irp );
IoSetCompletionRoutine( Irp, WriteCompletionRoutine, CompletionCtx,
TRUE, TRUE, TRUE );
status = IoCallDriver( ((PAEGISfsf_DEVICE_EXTENSION)
DeviceObject->DeviceExtension)->AttachedToDeviceObject, Irp );

if (STATUS_PENDING == status) {
NTSTATUS localStatus =
KeWaitForSingleObject(&CompletionCtx->Event, Executive, KernelMode, FALSE,
NULL);
ASSERT(STATUS_SUCCESS == localStatus);

}
ExFreeToNPagedLookasideList(&gReadWriteCompletionCtxLookAsideList,
CompletionCtx);

status = Irp->IoStatus.Status;
IoCompleteRequest( Irp, IO_NO_INCREMENT );
return status;
}
}
}

WriteCompletionRoutine{
if (Irp->PendingReturned)
IoMarkIrpPending(Irp);

IoFreeMdl(Irp->MdlAddress);

Irp->MdlAddress = CompletionCtx->OldMdl;
Irp->UserBuffer = CompletionCtx->OldUserBuffer;
Irp->AssociatedIrp.SystemBuffer = CompletionCtx->OldSystemBuffer;

ExFreePoolWithTag(CompletionCtx->MyBuffer, SFLT_POOL_TAG);

KeSetEvent(&CompletionCtx->Event, IO_NO_INCREMENT, FALSE);

return STATUS_MORE_PROCESSING_REQUIRED;

}

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ladislav Zezula
Sent: Wednesday, September 21, 2005 4:26 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

The rests are exactly as same as the file before open. It seems
MS-Word saved those parts of the document to somewhere and didn’t pass
them to my driver.

No. This seems that you have implemented your driver incorrectly. I guess
(but it’s just a guess) that you encrypt the file’s content during cached
I/O, which will work sequential copy, but will not work with memory mapped
files.

L.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@yahoo.com.cn To
unsubscribe send a blank email to xxxxx@lists.osr.com

__________ NOD32 1.1227 (20050921) Information __________

This message was checked by NOD32 antivirus system.
http://canon-sol.jp/product/nd

Do You Yahoo!?
ÑÅ»¢Ãâ·ÑGÓÊÏ䣭ÖйúµÚÒ»¾øÎÞÀ¬»øÓʼþɧÈų¬´óÓÊÏä
http://cn.mail.yahoo.com/?id=77071

I have one question - how do you check whether the file is encrypted during the
read/write?
A very basic encryption driver’s developer’s oversight is checking vs the file
object - paging I/O will (if ever in my experience) go through the original FO that
was used to open the file rather than the stream file object.
You would need to decide based on the FCB or some other way. FCBs are only valid
and have a common header for FSes that support the cache manager, but any other FSes
would require a completely different approach anyway.

–
Kind regards, Dejan M.
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.

hi Dejan,

Thanks for advice.
I check the filename to see if the file is in a specified folder. If it is,
I take it as encrypted file.

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dejan Maksimovic
Sent: Wednesday, September 21, 2005 8:41 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

I have one question - how do you check whether the file is encrypted
during the read/write?
A very basic encryption driver’s developer’s oversight is checking vs
the file object - paging I/O will (if ever in my experience) go through the
original FO that was used to open the file rather than the stream file
object.
You would need to decide based on the FCB or some other way. FCBs are
only valid and have a common header for FSes that support the cache manager,
but any other FSes would require a completely different approach anyway.

–
Kind regards, Dejan M.
http://www.alfasp.com E-mail: xxxxx@alfasp.com Alfa Transparent File
Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@yahoo.com.cn To
unsubscribe send a blank email to xxxxx@lists.osr.com

__________ NOD32 1.1228 (20050921) Information __________

This message was checked by NOD32 antivirus system.
http://canon-sol.jp/product/nd

Do You Yahoo!?
ÑÅ»¢Ãâ·ÑGÓÊÏ䣭ÖйúµÚÒ»¾øÎÞÀ¬»øÓʼþɧÈų¬´óÓÊÏä
http://cn.mail.yahoo.com/?id=77071

Jiang,

Be aware that a file may be in a folder you have marked but you won’t be able to detect it from the name. Here are some examples:

• Services for Unix (SFU) and Services for Macintosh (SFM) use handle-based schemes that embed the “internal ID” (file ID) and open the file by file ID. If you use Ladislav’s test tool you can generate these independently - they aren’t restricted to kernel mode callers so applications can use this interface as well.

• Hard links in NTFS mean that the containing directory of a file is not unique. The API for creating hard linked files was introduced in Windows Server 2003 (Platform SDK) but has been available for use since NT 3.1 - and is used by Services for UNIX (for example) as well as the POSIX subsystem.

Each of these will create cases that can happen in the “real world” and for which you must be prepared to handle.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in Los Angeles, CA October 24-27, 2005.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Jiang
Sent: Wednesday, September 21, 2005 8:18 AM
To: ntfsd redirect
Subject: RE: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

hi Dejan,

Thanks for advice.
I check the filename to see if the file is in a specified folder. If it is,
I take it as encrypted file.

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dejan Maksimovic
Sent: Wednesday, September 21, 2005 8:41 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

I have one question - how do you check whether the file is encrypted
during the read/write?
A very basic encryption driver’s developer’s oversight is checking vs
the file object - paging I/O will (if ever in my experience) go through the
original FO that was used to open the file rather than the stream file
object.
You would need to decide based on the FCB or some other way. FCBs are
only valid and have a common header for FSes that support the cache manager,
but any other FSes would require a completely different approach anyway.

–
Kind regards, Dejan M.
http://www.alfasp.com E-mail: xxxxx@alfasp.com Alfa Transparent File
Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@yahoo.com.cn To
unsubscribe send a blank email to xxxxx@lists.osr.com

__________ NOD32 1.1228 (20050921) Information __________

This message was checked by NOD32 antivirus system.
http://canon-sol.jp/product/nd

Do You Yahoo!?
?Ż???G???䣭?й???һ???ʼ?ɧ?ų???
http://cn.mail.yahoo.com/?id=77071

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Yes, but where do you do the check - checking the file name during the read/write
is not the right way as the file name will not be present always and you cannot query
the file system during paging I/O.

Jiang wrote:

hi Dejan,

Thanks for advice.
I check the filename to see if the file is in a specified folder. If it is,
I take it as encrypted file.

–
Kind regards, Dejan M.
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.

I have solved this problem. The reason is that FileObjects were not tracked
properly.
Thanky you all for helping me. But I have another problem, I can read/write
in the
protected folder now, but each time I write in the protected folder, after
next boot,
I cannot access the folder being told the file or folder is corrupted. Then
I reboot again
and OS will run chkdsk automatically. After that, the folder can be opened
again.
Of cource if I write in the folder again, it will got “corrupted” again. Any
suggestion
will be greatly appreciated.

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dejan Maksimovic
Sent: Thursday, September 22, 2005 9:45 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

Yes, but where do you do the check - checking the file name during the
read/write is not the right way as the file name will not be present always
and you cannot query the file system during paging I/O.

Jiang wrote:

hi Dejan,

Thanks for advice.
I check the filename to see if the file is in a specified folder. If
it is, I take it as encrypted file.

–
Kind regards, Dejan M.
http://www.alfasp.com E-mail: xxxxx@alfasp.com Alfa Transparent File
Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@yahoo.com.cn To
unsubscribe send a blank email to xxxxx@lists.osr.com

__________ NOD32 1.1229 (20050921) Information __________

This message was checked by NOD32 antivirus system.
http://canon-sol.jp/product/nd

Do You Yahoo!?
ÑÅ»¢Ãâ·ÑGÓÊÏ䣭ÖйúµÚÒ»¾øÎÞÀ¬»øÓʼþɧÈų¬´óÓÊÏä
http://cn.mail.yahoo.com/?id=77071

I found only when a sub-folder is created in the protected folder, the sub
folder will have the
following behavior. If I copy a folder from outside to the protected folder,
everything is OK.
So what’s the difference between creating a new sub folder and copying a
existing one?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jiang
Sent: Monday, September 26, 2005 6:04 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

I have solved this problem. The reason is that FileObjects were not tracked
properly.
Thanky you all for helping me. But I have another problem, I can read/write
in the protected folder now, but each time I write in the protected folder,
after next boot, I cannot access the folder being told the file or folder is
corrupted. Then I reboot again and OS will run chkdsk automatically. After
that, the folder can be opened again.
Of cource if I write in the folder again, it will got “corrupted” again. Any
suggestion will be greatly appreciated.

Jiang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dejan Maksimovic
Sent: Thursday, September 22, 2005 9:45 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Encrypt/Decrypt a doc file in a filter driver

Yes, but where do you do the check - checking the file name during the
read/write is not the right way as the file name will not be present always
and you cannot query the file system during paging I/O.

Jiang wrote:

hi Dejan,

Thanks for advice.
I check the filename to see if the file is in a specified folder. If
it is, I take it as encrypted file.

–
Kind regards, Dejan M.
http://www.alfasp.com E-mail: xxxxx@alfasp.com Alfa Transparent File
Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@yahoo.com.cn To
unsubscribe send a blank email to xxxxx@lists.osr.com

__________ NOD32 1.1229 (20050921) Information __________

This message was checked by NOD32 antivirus system.
http://canon-sol.jp/product/nd

Do You Yahoo!?
QE;"Cb7QGSJOd#-VP9z5ZR;>xN^@,;xSJ<~I’HE3,4sSJOd
http://cn.mail.yahoo.com/?id=77071

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@yahoo.com.cn To
unsubscribe send a blank email to xxxxx@lists.osr.com

Do You Yahoo!?
ÑÅ»¢Ãâ·ÑGÓÊÏ䣭ÖйúµÚÒ»¾øÎÞÀ¬»øÓʼþɧÈų¬´óÓÊÏä
http://cn.mail.yahoo.com/?id=77071

Yes, this is caused by your driver encrypting the DIRECTORY file object as well
(C:\Encrypted Folder or C:\Encrypted Folder).
I should write an FAQ on these matters

BTW, it seems I am able to do proper headers without a layered FS, I need to iron
out some memory issues and I will know for sure.

Jiang wrote:

I have solved this problem. The reason is that FileObjects were not tracked
properly. Thanky you all for helping me. But I have another problem, I can
read/write in the protected folder now, but each time I write in the protected
folder, after next boot, I cannot access the folder being told the file or folder
is corrupted. Then I reboot again
and OS will run chkdsk automatically. After that, the folder can be opened
again. Of cource if I write in the folder again, it will got “corrupted” again. Any
suggestion will be greatly appreciated.

–
Kind regards, Dejan M.
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.