>> You can encrypt EXE files as long as they are not used during the early
>> phase of booting the machine. Of course you have to get all your EXE
>> files encrypted in the first place which can’t be done if the EXE is
>> in use (same goes for any other file type). If you really need to
>
> I want to encrypt/decrypt On Access.

Yes, but if the files are already there in plaintext you will
need to get them encrypted before you start doing transparent
encryption/decryption.
I suppose you could have a means to track which parts of each
file are encrypted and only encrypt them as they are accessed,
but this would be horrible to get working.
>> Why do you want to encrypt the EXEs? Most people want to protect their
>> data, not the programs.
>
> Yea coz we have to go according to Extension, as I told before, instead of
> going full HardDisk Encryption.

Okay so you want to encrypt all files of some particular extension.
Personally I would exclude EXE, DLL, SYS etc (and probably everything
in the Windows directory too) and just let them encrypt
the ones with data in e.g. doc, txt, exl etc.
Shaun
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> > I want to encrypt/decrypt On Access.
>
> Yes, but if the files are already there in plaintext you will
> need to get them encrypted before you start doing transparent
> encryption/decryption.
> I suppose you could have a means to track which parts of each
> file are encrypted and only encrypt them as they are accessed,
> but this would be horrible to get working.

My plan is: if the file is accessed and it is encrypted, I will decrypt it and
give it to the user. While writing the contents to disk I will check whether it
is encrypted. If not, I will encrypt it and store it on disk. Can you suggest a
better way to identify whether it is encrypted or not?
Regards,
Satish K.S
Satish wrote:
>> >I want to encrypt/decrypt On Access.
>>
>> Yes, but if the files are already there in plaintext you will
>> need to get them encrypted before you start doing transparent
>> encryption/decryption.
>>
>> I suppose you could have a means to track which parts of each
>> file are encrypted and only encrypt them as they are accessed,
>> but this would be horrible to get working.
>>
>
> My plan is: if the file is accessed and it is encrypted, I will decrypt it and
> give it to the user. While writing the contents to disk I will check whether it
> is encrypted. If not, I will encrypt it and store it on disk. Can you suggest a
> better way to identify whether it is encrypted or not?
>
The problem with this method is that you have to wait for something to
write to your files before they become encrypted. For an EXE file it
is unlikely that it will be written to in normal operation so it
will never become encrypted. For other files it may be that only part
of the file is written to, so not only would you have to track which
files are encrypted but which byte ranges within the file are
encrypted. It is better to have an encryption stage which goes through
and reads the files and writes them back encrypted (a user mode app
could do this). But this can’t be done if the file is in use. It may be
possible for your filter to use the file object of the application that
has the file locked and then write to the whole file from within the
driver, but I can see many difficulties with doing that.

As for how you track which files are encrypted, you can either add a
header to the file (and get your filter to transparently remove it)
or just keep a database of file names that should be encrypted.
Shaun
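
The header option from the message above, sketched as an added example (not code from any poster in this thread): a fixed header marks a file as encrypted, and every application offset is shifted past it so the header stays invisible. The magic value, field layout and function names are hypothetical, and the cipher itself is deliberately left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical on-disk layout (not from the thread), little-endian:
 *   0..7 magic | 8..11 version | 12..15 header size | 16..23 plaintext length
 *   24..27 CRC-32 of bytes 0..23 | 28..31 reserved                          */
#define HDR_SIZE 32u
static const uint8_t HDR_MAGIC[8] = {'E','N','C','F','H','D','R','1'};

enum file_state { FILE_PLAIN, FILE_ENCRYPTED, FILE_CORRUPT };

static void put_le(uint8_t *p, uint64_t v, int n)
{
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

static uint64_t get_le(const uint8_t *p, int n)
{
    uint64_t v = 0;
    for (int i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

static uint32_t crc32_calc(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Written once, by whatever pass first encrypts the file. */
void hdr_build(uint8_t out[HDR_SIZE], uint64_t plain_size)
{
    memset(out, 0, HDR_SIZE);
    memcpy(out, HDR_MAGIC, sizeof HDR_MAGIC);
    put_le(out + 8, 1, 4);                      /* format version */
    put_le(out + 12, HDR_SIZE, 4);
    put_le(out + 16, plain_size, 8);
    put_le(out + 24, crc32_calc(out, 24), 4);
}

/* Classify a file from its first `have` bytes and its on-disk size.
 * A matching magic with a bad version, CRC or length is reported as corrupt
 * so the caller can fail the open instead of guessing: treating it as
 * plaintext would encrypt it a second time or hand ciphertext to the reader. */
enum file_state hdr_parse(const uint8_t *buf, size_t have, uint64_t file_size,
                          uint64_t *plain_size)
{
    if (have < HDR_SIZE || file_size < HDR_SIZE) return FILE_PLAIN;
    if (memcmp(buf, HDR_MAGIC, sizeof HDR_MAGIC) != 0) return FILE_PLAIN;
    if (get_le(buf + 8, 4) != 1 || get_le(buf + 12, 4) != HDR_SIZE)
        return FILE_CORRUPT;
    if (get_le(buf + 24, 4) != crc32_calc(buf, 24)) return FILE_CORRUPT;
    uint64_t n = get_le(buf + 16, 8);
    if (n > file_size - HDR_SIZE) return FILE_CORRUPT; /* padded is fine, short is not */
    *plain_size = n;
    return FILE_ENCRYPTED;
}

/* Hide the header: map an application read (offset, length) onto the disk
 * range holding that data. Returns 0 at or past the logical end of file. */
int map_read(uint64_t plain_size, uint64_t offset, uint32_t length,
             uint64_t *disk_off, uint32_t *disk_len)
{
    if (length == 0 || offset >= plain_size) return 0;
    uint64_t left = plain_size - offset;
    *disk_off = offset + HDR_SIZE;
    *disk_len = left < length ? (uint32_t)left : length;
    return 1;
}
```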
> The problem with this method is that you have to wait for something to
> write to your files before they become encrypted. For an EXE file it
> is unlikely that it will be written to in normal operation so it
> will never become encrypted. For other files it may be that only part
> of the file is written to, so not only would you have to track which
> files are encrypted but which *byte ranges* within the file are
> encrypted. It is better to have an encryption stage which goes through
> and reads the files and writes them back encrypted (a user mode app
> could do this). But this can’t be done if the file is in use. It may be
> possible for your filter to use the file object of the application that
> has the file locked and then write to the whole file from within the
> driver, but I can see many difficulties with doing that.

My whole idea in writing Encryption/Decryption in the Driver is that others
can't debug the Driver live. If I do it at Application Level, he will have the
option (both Live Debug and Dis-Asm).

I think if the user accesses the .EXE file for the first time, I will encrypt
the whole file by creating a separate thread in System Context. Does any
problem come with this? I mean a performance problem?

> As for how you track which files are encrypted, you can either add a
> header to the file (and get your filter to transparently remove it)
> or just keep a database of file names that should be encrypted.

I think the better idea is adding a header to that file.
Regards,
Satish K.S
> I think if the user accesses the .EXE file for the first time, I will encrypt
> the whole file by creating a separate thread in System Context. Does any
> problem come with this? I mean a performance problem?

A performance hit here is probably unavoidable, but it's only a ‘one time’
hit.
Beware, you may not actually have access to the file in system context,
but could in the context of the original operation.

> > As for how you track which files are encrypted, you can either add a
> > header to the file (and get your filter to transparently remove it)
> > or just keep a database of file names that should be encrypted.
>
> I think the better idea is adding a header to that file.

This is the method I have used.
Rob Linegar
Software Engineer
Data Encryption Systems Limited
> > I think if the user accesses the .EXE file for the first time, I will encrypt
> > the whole file by creating a separate thread in System Context. Does any
> > problem come with this? I mean a performance problem?
>
> A performance hit here is probably unavoidable, but it's only a ‘one time’
> hit.

If the user tries to open an EXE file, I think in IRP_MJ_CREATE I have to open
the file and encrypt it once, then give control back to the caller (so that
later, while reading the EXE file, I can decrypt). Because if I create a
separate thread to encrypt an EXE file, the OS may access the file in the
middle of the EXE for some reason, right?

In this case I should not encrypt the files which load before my driver.
How do I do this?
Regards,
Satish K.S
> > > I think if the user accesses the .EXE file for the first time, I will
> > > encrypt the whole file by creating a separate thread in System Context.
> > > Does any problem come with this? I mean a performance problem?
> >
> > A performance hit here is probably unavoidable, but it's only a ‘one time’
> > hit.
>
> If the user tries to open an EXE file, I think in IRP_MJ_CREATE I have to open
> the file and encrypt it once, then give control back to the caller (so that
> later, while reading the EXE file, I can decrypt). Because if I create a
> separate thread to encrypt an EXE file, the OS may access the file in the
> middle of the EXE for some reason, right?

Sounds good.

> In this case I should not encrypt the files which load before my driver.

Yes

> How do I do this?

This really depends on your product and its goals.
Rob Linegar
Software Engineer
Data Encryption Systems Limited
> > If the user tries to open an EXE file, I think in IRP_MJ_CREATE I have to
> > open the file and encrypt it once, then give control back to the caller (so
> > that later, while reading the EXE file, I can decrypt). Because if I create
> > a separate thread to encrypt an EXE file, the OS may access the file in the
> > middle of the EXE for some reason, right?
>
> Sounds good.
>
> > In this case I should not encrypt the files which load before my driver.
>
> Yes
>
> > How do I do this?
>
> This really depends on your product and its goals.

How do I identify these files, for excluding them from encryption? I mean files
like Ntoskrnl.exe, hal.dll etc…
Regards,
Satish K.S
> My whole idea in writing Encryption/Decryption in the Driver is that others
> can't debug the Driver live. If I do it at Application Level, he will have the
> option (both Live Debug and Dis-Asm).

Softice does a good job of debugging drivers “live”. Drivers are
standard PE files so can be disassembled just like an EXE file given the
right tools - it doesn’t really matter that they are supposed to run
in “kernel mode”. In other words, just because your code is running
as a driver doesn’t make it much harder to debug as long as you have
full access to the machine.
Who are you trying to prevent debugging your driver and why?
Shaun
Shaun has written encryption drivers, so listen to him. If you need secrecy
and obfuscation to do encryption, you are not doing it right.
----- Original Message -----
From: “Shaun”
To: “File Systems Developers”
Sent: Sunday, April 29, 2001 4:10 AM
Subject: [ntfsd] Re: Encryption Driver
> > My whole idea in writing Encryption/Decryption in the Driver is that others
> > can't debug the Driver live. If I do it at Application Level, he will have
> > the option (both Live Debug and Dis-Asm).
> >
>
> Softice does a good job of debugging drivers “live”. Drivers are
> standard PE files so can be disassembled just like an EXE file given the
> right tools - it doesn’t really matter that they are supposed to run
> in “kernel mode”. In other words, just because your code is running
> as a driver doesn’t make it much harder to debug as long as you have
> full access to the machine.
>
> Who are you trying to prevent debugging your driver and why?
>
> Shaun
> Softice does a good job of debugging drivers “live”. Drivers are
> standard PE files so can be disassembled just like an EXE file given the
> right tools - it doesn’t really matter that they are supposed to run
> in “kernel mode”. In other words, just because your code is running
> as a driver doesn’t make it much harder to debug as long as you have
> full access to the machine.

Please explain to me the procedure to do that.
In a driver some user-defined functions will be there. For example, I want to
debug some driver named TestDrv.Sys.
How do I identify what all functions are there in this driver, and how to
debug those functions live?

> Who are you trying to prevent debugging your driver and why?

If I know the live debugging technique I will make further complications for
debugging.
Regards,
Satish K.S
> Please explain to me the procedure to do that.
> In a driver some user-defined functions will be there. For example, I want to
> debug some driver named TestDrv.Sys.
> How do I identify what all functions are there in this driver, and how to
> debug those functions live?

Unless you leave the debug symbols in you won’t get any function names
or source code, but you will be able to step through the code
at assembler level. You can easily get the exported function addresses
(e.g. DriverEntry), and the IRP processing function addresses can be
found in the driver object.

> If I know the live debugging technique I will make further complications for
> debugging.

The point here is that you are relying on “complications” rather than
true security. It depends on what you are trying to achieve, but if
you are resorting to encryption, I assume that you are trying to prevent
unauthorised users from accessing certain files. If so, the encryption
key (e.g. password) should be the only thing that need be secret - you
should be able to give the complete source to your driver and encryption
algorithm to someone and they should still not be able to access the
protected files without the key.
Shaun
> > Please explain to me the procedure to do that.
> > In a driver some user-defined functions will be there. For example, I want
> > to debug some driver named TestDrv.Sys.
> > How do I identify what all functions are there in this driver, and how to
> > debug those functions live?
>
> Unless you leave the debug symbols in you won’t get any function names
> or source code, but you will be able to step through the code
> at assembler level. You can easily get the exported function addresses
> (e.g. DriverEntry), and the IRP processing function addresses can be
> found in the driver object.

Can I identify whether a breakpoint has been set between, for example, the
0xFEEE and 0xFFFF memory locations in my driver?
If someone sets any breakpoints in this range I should know. Any methods?
Regards,
Satish K.S
One of the simplest methods is to apply a summing algo on the memory range
which you want to protect and periodically check it. This won't work for
hardware breakpoints. But if you write an encryption driver, focus first on
implementing it, and leave those details to the end of the development cycle.
Anti-debugging is not so important for
encryption purposes, because if a user can decrypt a file by “debugging”
your driver, the design you chose is plain wrong.
----- Original Message -----
From: “Satish”
To: “File Systems Developers”
Sent: Wednesday, May 02, 2001 11:35 AM
Subject: [ntfsd] Re: Encryption Driver
> > > Please explain to me the procedure to do that.
> > > In a driver some user-defined functions will be there. For example, I want
> > > to debug some driver named TestDrv.Sys.
> > > How do I identify what all functions are there in this driver, and how to
> > > debug those functions live?
> >
> > Unless you leave the debug symbols in you won’t get any function names
> > or source code, but you will be able to step through the code
> > at assembler level. You can easily get the exported function addresses
> > (e.g. DriverEntry), and the IRP processing function addresses can be
> > found in the driver object.
>
> Can I identify whether a breakpoint has been set between, for example, the
> 0xFEEE and 0xFFFF memory locations in my driver?
> If someone sets any breakpoints in this range I should know. Any methods?
>
> Regards,
> Satish K.S
> One of the simplest methods is to apply a summing algo on the memory range
> which you want to protect and periodically check it. This won't work for
> hardware breakpoints. But if you write an encryption driver, focus first on
> implementing it, and leave those details to the end of the development cycle.
> Anti-debugging is not so important for
> encryption purposes, because if a user can decrypt a file by “debugging”
> your driver, the design you chose is plain wrong.

Fine.
Now I have a question on Data Encryption Logic in a Driver. Can you point me to
some link which starts from the basics?
Thanks in Advance,
Satish K.S
How to Exclude the system files like ntoskrnl.exe, hal.dll or any other .exe
or .dll which loads before my driver ? Any idea ?
Regards,
Satish K.S
> One of the simplest methods is to apply a summing algo on the memory range
> which you want to protect and periodically check it. This won't work for
> hardware breakpoints. But if you write an encryption driver, focus first on
> implementing it, and leave those details to the end of the development cycle.
> Anti-debugging is not so important for
> encryption purposes, because if a user can decrypt a file by “debugging”
> your driver, the design you chose is plain wrong.
Hi all,
Can i get any File Encryption/Decryption Sample from anywhere ?
Thanks in Advance,
Satish K.S
> How to Exclude the system files like ntoskrnl.exe, hal.dll or any other
> .exe or .dll which loads before my driver ? Any idea ?
>
> Regards,
> Satish K.S
>
> > One of the simplest methods is to apply a summing algo on the memory range
> > which you want to protect and periodically check it. This won't work for
> > hardware breakpoints. But if you write an encryption driver, focus first on
> > implementing it, and leave those details to the end of the development cycle.
> > Anti-debugging is not so important for
> > encryption purposes, because if a user can decrypt a file by “debugging”
> > your driver, the design you chose is plain wrong.
Yes you can…
http://www.scramdisk.clara.net
http://www.stack.nl/~galactus/remailers/index-diskcrypt.html
http://phystechsoft.com/en/StrongDisk/
http://www.v-disk.com/index1.htm
Virtual disk device drivers:
http://www.storagecraft.com, look for SvcDisk
http://www.acc.umu.se/~bosse/, look for FileDisk
Linux 
http://linux01.gwdg.de/~alatham/ppdd.html
Have fun.
Bartjan.
At 01:45 PM 5/7/01 +0530, you wrote:
> Hi all,
>
> Can I get any File Encryption/Decryption Sample from anywhere ?
>
> Thanks in Advance,
> Satish K.S
Thanks a lot. I will try those links.
Regards,
Satish K.S
----- Original Message -----
From: “Bartjan Wattel”
To: “File Systems Developers”
Sent: Monday, May 07, 2001 2:04 PM
Subject: [ntfsd] Re: Encryption Driver
> Yes you can…
>
> http://www.scramdisk.clara.net
> http://www.stack.nl/~galactus/remailers/index-diskcrypt.html
> http://phystechsoft.com/en/StrongDisk/
> http://www.v-disk.com/index1.htm
>
> Virtual disk device drivers:
> http://www.storagecraft.com, look for SvcDisk
> http://www.acc.umu.se/~bosse/, look for FileDisk
>
> Linux 
> http://linux01.gwdg.de/~alatham/ppdd.html
>
>
> Have fun.
> –
> Bartjan.
Hi,
Can I have sample source code for a File Encryption/Decryption Driver in NT?
Regards,
Satish K.S