Encryption (type of drivers)

Hello,

I’d like to encrypt files (their sectors) from certain folders - but I’m not sure what type of driver(s) I should use.

Upper FSD will check IRP_MJ_CREATE and will set up a stream context (with filename) to FO if the file is from the folder I’ve decided I’ll encrypt.
Lower driver (under file system) will check IRP_MJ_WRITE/READ and Irp->Tail.Overlay.OriginalFileObject leads to FO (and its filename from its context).

This should work, but I found out some similar products have only one driver (lower one, “System Bus Extender” group) and do the same. Yes, it’s possible to query filename from sector-number (there’s a FSCTL, but it’s slow). Or how they work?

Is this solution with such two drivers ok ?

thanks,
Petr

> Lower driver (under file system) will check IRP_MJ_WRITE/READ and Irp-

Tail.Overlay.OriginalFileObject leads to FO (and its filename from its context).

Well, I don’t know if the lower driver is able to encrypt files.
If you receive something within the original file object
at the lower volume filter level, I guess you’ll receive
the volume file object.

And even more, I don’t think you will be able to query
the file system for the file sector from that level,
as calling upper filters from lower filters is always dangerous.

If you want to create a filter driver on file basis,
you have to implement it as FS data modification filter driver.

L.

Never ever use ->Tail.Overlay.OriginalFileObject under a file system. It just does not exists in this context.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: Petr Kurtin
Newsgroups: ntfsd
To: Windows File Systems Devs Interest List
Sent: Thursday, May 19, 2005 1:38 AM
Subject: [ntfsd] Encryption (type of drivers)

Hello,

I’d like to encrypt files (their sectors) from certain folders - but I’m not sure what type of driver(s) I should use.

Upper FSD will check IRP_MJ_CREATE and will set up a stream context (with filename) to FO if the file is from the folder I’ve decided I’ll encrypt.
Lower driver (under file system) will check IRP_MJ_WRITE/READ and Irp->Tail.Overlay.OriginalFileObject leads to FO (and its filename from its context).

This should work, but I found out some similar products have only one driver (lower one, “System Bus Extender” group) and do the same. Yes, it’s possible to query filename from sector-number (there’s a FSCTL, but it’s slow). Or how they work?

Is this solution with such two drivers ok ?

thanks,
Petr


Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

No. Disk IRPs below the FSD has no file objects. For instance, calling IoIsOperationSynchronous on them causes a BSOD.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: Ladislav Zezula
To: Windows File Systems Devs Interest List
Sent: Thursday, May 19, 2005 10:00 AM
Subject: Re: [ntfsd] Encryption (type of drivers)

Lower driver (under file system) will check IRP_MJ_WRITE/READ and Irp-
> Tail.Overlay.OriginalFileObject leads to FO (and its filename from its context).

Well, I don’t know if the lower driver is able to encrypt files.
If you receive something within the original file object
at the lower volume filter level, I guess you’ll receive
the volume file object.

And even more, I don’t think you will be able to query
the file system for the file sector from that level,
as calling upper filters from lower filters is always dangerous.

If you want to create a filter driver on file basis,
you have to implement it as FS data modification filter driver.

L.


Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com