encryption filter issue

Hi everyone,
I'm working on an encryption filter; at this point I need to watch one file. The driver works just fine in the write IRP, but the problem is in read: in a certain case, when I use Notepad to test my driver, sometimes it works and sometimes it doesn't, and this depends on how I opened the file with Notepad. If I dragged and dropped the file into Notepad, the file is decrypted and everything works fine. But if I opened the file using the Open dialog box, the first 1000 bytes of the file are still undecrypted, although I see in my driver that 2 IRPs for reading the first 1000 have been made,
one when I select the file and the other when I click Open. Both IRPs use neither method.
For the rest of the file the IRPs are paging I/O and work fine.
And I'm using Windows XP SP2.
Thanks in advance.

Assuming you are dealing with the non-cached I/O (which includes paging I/O) this situation suggests that you are missing some non-cached I/O and thus the encrypted data is in the cache. You might want to watch the flow of I/O requests using one of the various tools available (filespy or filemon or irptracker) and find the I/O that you are missing.

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Hello Tony,
and thanks for the answer. You are right about missing an IRP, but I found two read IRPs in FileSpy (the tool from OSR) while my filter driver only sees one IRP. What I mean is that the IRP never reaches my driver.
Do you know what may cause that?

thanks in advance.

Hello everyone,
I wanted to be more specific about the problem I had, so I'll explain more about the differences between what my driver sees and what FileSpy sees.

First case: opening a file by dragging it into Notepad and dropping it there. There is no difference.
The read request FileSpy sees is:

Process Thread ID DeviceObject IRP Request IRP Flags Nested FileObject FsContext FsContext2 FO Flags Path Status More info
notepad.exe 1636 80FDF240 FFBB5840 IRP_MJ_READ 00000043 No 81062028 E10710D0 E1071228 00044042 C:\a1.txt STATUS_SUCCESS Offset 00000000-00000000 ToRead 1000 Read 2

where I'm trying to read the file "a1.txt", which is only two characters long.
My driver sees the same IRP:

Irp = ffbb5840
File Object = 81062028 flags = 43
IRP_NOCACHE
IRP_PAGING_IO
IRP_MOUNT_COMPLETION
IRP_INPUT_OPERATION
IRP_SYNCHRONOUS_PAGING_IO

The second case: using the Open File dialog box to open the file "3.txt", which is only one character long.
And here is where my driver sees only one IRP, whereas FileSpy sees two.
The FileSpy output is:

Process Thread ID DeviceObject IRP Request IRP Flags Nested FileObject FsContext FsContext2 FO Flags Path Status More info
notepad.exe 1636 80FDF240 80F75360 IRP_MJ_READ 00000900 No 81098C60 E1608D90 E1608EE8 00040042 C:\3.txt STATUS_SUCCESS Offset 00000000-00000000 ToRead 400 Read 1
notepad.exe 1636 80FDF240 FFB28880 IRP_MJ_READ 00000043 Yes 81098C60 E1608D90 E1608EE8 00040042 C:\3.txt STATUS_SUCCESS Offset 00000000-00000000 ToRead 1000 Read 1

whereas my driver sees only one IRP, and it is the first one (80f75360):

Irp = 80f75360
File Object = 81098c60 flags = 900
IRP_READ_OPERATION
IRP_DEFER_IO_COMPLETION

I think that is all I can see.

Thanks in advance,
Wassim Suleiman
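The two traces above hinge on the IRP->Flags values 0x43 and 0x900, and on Tony's rule that an encryption filter acts on non-cached and paging I/O while cached reads are served from the cache manager. The following decoder, an added example rather than the poster's driver or FileSpy's code, classifies a read IRP by those flags using the bit values from ntifs.h. It also shows why the dump above lists both IRP_PAGING_IO and IRP_MOUNT_COMPLETION (and both IRP_INPUT_OPERATION and IRP_SYNCHRONOUS_PAGING_IO): those pairs share a bit, and only the paging meaning applies to a read. The function names and the sample flag values fed to main() are the example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IRP->Flags bit values as defined in ntifs.h. Two pairs share a bit:
   the mount/input names only apply to mount and IOCTL-style requests,
   so for a read IRP the paging interpretation is the right one. */
#define IRP_NOCACHE               0x00000001
#define IRP_PAGING_IO             0x00000002
#define IRP_MOUNT_COMPLETION      0x00000002  /* shares bit with IRP_PAGING_IO */
#define IRP_SYNCHRONOUS_API       0x00000004
#define IRP_ASSOCIATED_IRP        0x00000008
#define IRP_BUFFERED_IO           0x00000010
#define IRP_DEALLOCATE_BUFFER     0x00000020
#define IRP_INPUT_OPERATION       0x00000040
#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040  /* shares bit with IRP_INPUT_OPERATION */
#define IRP_CREATE_OPERATION      0x00000080
#define IRP_READ_OPERATION        0x00000100
#define IRP_WRITE_OPERATION       0x00000200
#define IRP_CLOSE_OPERATION       0x00000400
#define IRP_DEFER_IO_COMPLETION   0x00000800

enum read_kind { READ_CACHED, READ_NONCACHED, READ_PAGING };

/* Classify a read IRP the way an encryption filter must: paging and
   non-cached reads move ciphertext from disk and need decryption on
   completion; a cached read is copied out of the cache manager's view,
   which already holds whatever the earlier non-cached read produced. */
enum read_kind classify_read(uint32_t flags)
{
    if (flags & IRP_PAGING_IO) return READ_PAGING;
    if (flags & IRP_NOCACHE)   return READ_NONCACHED;
    return READ_CACHED;
}

/* 1 when the filter's read completion routine must decrypt the buffer. */
int must_decrypt(uint32_t flags)
{
    return classify_read(flags) != READ_CACHED;
}

/* Render only the names that are meaningful for a read IRP (hypothetical
   helper; returns a pointer to a static buffer). */
const char *describe_read_flags(uint32_t flags)
{
    static const struct { uint32_t bit; const char *name; } table[] = {
        { IRP_NOCACHE,               "IRP_NOCACHE" },
        { IRP_PAGING_IO,             "IRP_PAGING_IO" },
        { IRP_SYNCHRONOUS_API,       "IRP_SYNCHRONOUS_API" },
        { IRP_ASSOCIATED_IRP,        "IRP_ASSOCIATED_IRP" },
        { IRP_BUFFERED_IO,           "IRP_BUFFERED_IO" },
        { IRP_DEALLOCATE_BUFFER,     "IRP_DEALLOCATE_BUFFER" },
        { IRP_SYNCHRONOUS_PAGING_IO, "IRP_SYNCHRONOUS_PAGING_IO" },
        { IRP_CREATE_OPERATION,      "IRP_CREATE_OPERATION" },
        { IRP_READ_OPERATION,        "IRP_READ_OPERATION" },
        { IRP_WRITE_OPERATION,       "IRP_WRITE_OPERATION" },
        { IRP_CLOSE_OPERATION,       "IRP_CLOSE_OPERATION" },
        { IRP_DEFER_IO_COMPLETION,   "IRP_DEFER_IO_COMPLETION" },
    };
    static char buf[256];
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (flags & table[i].bit) {
            if (buf[0]) strncat(buf, " | ", sizeof buf - strlen(buf) - 1);
            strncat(buf, table[i].name, sizeof buf - strlen(buf) - 1);
        }
    }
    return buf;
}

int main(void)
{
    /* Constructed input: the two flag values from the traces in this thread. */
    const uint32_t samples[] = { 0x43, 0x900 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("flags=%#05x -> %s (decrypt: %s)\n", samples[i],
               describe_read_flags(samples[i]),
               must_decrypt(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

Run against the thread's values, 0x900 (IRP_READ_OPERATION | IRP_DEFER_IO_COMPLETION) is the cached read Notepad issues, and 0x43 is the nested paging read that actually fills the cache; if that second IRP never reaches the filter, the cache is populated with ciphertext and the cached read hands Notepad the undecrypted bytes the first post describes.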

Three possibilities here that I can think of at the moment:

(1) Notice that the second IRP uses a different file object. This is
normal and I wanted to confirm that you are not tracking I/O based upon
the file object, but rather by the file context.

(2) There is another filter on the stack. Using Device Tree you can see
which drivers are loaded and their relative ordering. It is always
possible that a filter above yours is redirecting the I/O so that it
bypasses your filter.

(3) You are running on NTFS and have forgotten that paging I/O for small
NTFS files is done against the MFT - this is one reason why I generally
suggest that people force the file to grow and be at least 4KB (this
forces it to be “not inline” for all cases.) You might see if this is
the issue by trying the same experiment with a larger file.

Perhaps others can see something that I’m missing.

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

I don't know, I tried everything but I am still losing the IRP I described later.

Thank you Tony for your suggestions, but I checked them all and nothing is wrong. I'm using NTFS, but the file size is 16 kilobytes.

And I think I have to say this again: the IRP I can't track is the one with the Open File dialog box open.
I think you didn't pay attention to that.

Thank you all.
Wassim.