Encryption Filter Driver Using filespy program???

Hi,

I am using the filespy program included in the IFS Kit to write an
encryption filter driver. Here is what I do in the dispatch function:

I encrypt if Irp->MajorFunction is IRP_MJ_WRITE
a) Get the CurrentAddress using MmGetSystemAddressForMdlSafe
b) copy the CurrentAddress to a temporary buffer
c) encrypt (just flip the bits for now) the temporary buffer up to
length irpSp->Parameters.Write.Length
d) Create a new PMDL tmpBufferMdl using the encrypted buffer created in step c
e) Set the current Irp->MdlAddress = tmpBufferMdl

On completion

I decrypt if Irp->IoStatus.Status is a success and
irpSp->MajorFunction is IRP_MJ_READ
a) Get the CurrentAddress using MmGetSystemAddressForMdlSafe
b) decrypt (just flip the bits for now) the CurrentAddress up to
length irpSp->Parameters.Read.Length

Using these steps I tried to encrypt and decrypt a file. I am able to
encrypt and decrypt this file correctly if it contains a few bytes
(i.e. <20 bytes). However if I write a larger number of bytes to the
file (i.e. >500 bytes or so), and reboot my machine, the file is
partly corrupted.

The file contains correctly decrypted data and periodically contains
corrupted data (encrypted data or something else).

What are the issues in how I encrypt and decrypt this file? Am I
using an incorrect Length? irpSp->Parameters.Read.Length or
irpSp->Parameters.Write.Length?

Thank you,

Marc Cruz

Hello.
Consider the following situation.
You catch an IRP_MJ_WRITE request (without the Paging flag), encrypt the buffer and
send the IRP to the underlying file system driver, but this buffer may be written
either to the cache or to the disk. If the buffer is written to the
cache, it (the cache) will contain invalid data, and this invalid data will be
written to disk and encrypted by your filter driver.

“Marc Cruz” wrote in message news:xxxxx@ntfsd…

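The situation described in the reply above, as an added example that is not part of the original thread: a user-mode C model (not driver code) of a cached write followed by the lazy writer's paging write, with a filter that transforms every IRP_MJ_WRITE beside one that transforms only noncached/paging writes. The `Volume` struct, the helper names and the flag values are assumptions made for the model, and restricting the transform to noncached I/O is an assumed fix rather than something stated in the thread.

```c
#include <stdio.h>
#include <string.h>

/* User-mode model, not driver code. A cached write lands in the cache; the
 * lazy writer later flushes it to disk with a paging write that passes
 * through the same filter. Constants are stand-ins for the Irp->Flags bits. */
#define IRP_NOCACHE   0x1u
#define IRP_PAGING_IO 0x2u
#define LEN 16

typedef struct { unsigned char cache[LEN], disk[LEN]; } Volume;

static void flip(unsigned char *b, size_t n) {   /* the thread's toy cipher */
    for (size_t i = 0; i < n; i++) b[i] = (unsigned char)~b[i];
}

/* Filter write path. every_write=1 models a dispatch routine that transforms
 * each IRP_MJ_WRITE; every_write=0 transforms only noncached/paging writes
 * (the assumed fix, not something stated in the thread). */
static void filter_write(Volume *v, const unsigned char *data,
                         unsigned flags, int every_write) {
    unsigned char tmp[LEN];
    int noncached = (flags & (IRP_NOCACHE | IRP_PAGING_IO)) != 0;
    memcpy(tmp, data, LEN);              /* work on a copy of the buffer */
    if (every_write || noncached) flip(tmp, LEN);
    memcpy(noncached ? v->disk : v->cache, tmp, LEN);  /* file system below */
}

/* Bit 0 set: cache holds plaintext. Bit 1 set: disk holds ciphertext. */
int check(int every_write) {
    static const unsigned char plain[LEN] = "constructed";  /* sample input */
    unsigned char cipher[LEN], page[LEN];
    Volume v;
    memset(&v, 0, sizeof v);
    memcpy(cipher, plain, LEN);
    flip(cipher, LEN);
    filter_write(&v, plain, 0, every_write);           /* cached app write */
    memcpy(page, v.cache, LEN);                        /* lazy writer flush */
    filter_write(&v, page, IRP_PAGING_IO | IRP_NOCACHE, every_write);
    return (memcmp(v.cache, plain, LEN) == 0 ? 1 : 0)
         | (memcmp(v.disk, cipher, LEN) == 0 ? 2 : 0);
}

int main(void) {
    printf("every write transformed: %d\n", check(1));
    printf("noncached writes only:   %d\n", check(0));
    return 0;
}
```

With every write transformed, the cache ends up holding ciphertext and the disk holds data transformed twice, which for the bit-flip cipher is plaintext again and for a real cipher would be doubly encrypted data.
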
For filesystem noncached IRPs, Irp->UserBuffer must be the same as
MmGetMdlVirtualAddress(Irp->MdlAddress). This fact is used within the FSD to
split the IRP against the file runlist.

Be sure you provide this guarantee.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Marc Cruz”
To: “Windows File Systems Devs Interest List”
Sent: Wednesday, July 20, 2005 6:48 AM
Subject: [ntfsd] Encryption Filter Driver Using filespy program???
