I have a filter driver which transparently encrypts/decrypts all
physical disk io.
It is used in conjunction with a 16-bit int13 hooking module which
handles disk reads during OS boot.
My problem is the optimisations performed in Windows Xp (and apparently
2k) during system hibernation, as the disk writes used for this do not
pass through the normal filter driver mechanism.
My question is:
- is it possible to disable the optimisations used during hibernation or
memory dump?
- is there any way (apart from hacking the assembly code to insert a
call to my filter function) to hook the atapi entry points used for this
type of disk io?
You can certainly disable hibernation and crash dump facilities, if
that’s what you mean by “disable the optimisations”. However, you can’t
allow hibernation (or crash dumps) and stop using the diskdump facility
because this is inherent in the way that these operations are performed.
There is no documented way to “hook” the atapi entry points.
As for “why not”, this is a design decision by the folks at Microsoft.
You’d have to ask them why they did not consider support for hibernation
and crash file encryption to be necessary in their design and
implementation.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc. http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alan Hodges
Sent: Tuesday, June 22, 2004 1:14 AM
To: ntfsd redirect
Subject: [ntfsd] Filtering hibernation disk writes
Hi all,
I have a filter driver which transparently encrypts/decrypts all
physical disk io.
It is used in conjunction with a 16-bit int13 hooking module which
handles disk reads during OS boot.
My problem is the optimisations performed in Windows Xp (and apparently
2k) during system hibernation, as the disk writes used for this do not
pass through the normal filter driver mechanism.
My question is:
is it possible to disable the optimisations used during hibernation or
memory dump?
is there any way (apart from hacking the assembly code to insert a
call to my filter function) to hook the atapi entry points used for this
type of disk io?
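Tony's reply above says the only supported option is to disable hibernation and crash dumps entirely. The following is an added example, not code from any poster in this thread: a PowerShell audit that reports whether either facility is still enabled and whether files it wrote are still on disk. The registry value names are those used by current Windows releases and are an assumption here; they were not checked against Windows 2000/XP.

```powershell
# Added example: audit the two write paths that bypass disk filter drivers.
# Assumption: HibernateEnabled / CrashDumpEnabled / DumpFile as found on
# current Windows releases (not verified for Windows 2000/XP).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-DumpPathExposure {
    $findings = @()
    $power = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $crash = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

    # 0 means hibernation is switched off; a missing value is not proof of that.
    $hib = Get-RegValue $power 'HibernateEnabled'
    if ($hib -ne 0) {
        $shown = if ($null -eq $hib) { '<not set>' } else { $hib }
        $findings += "Hibernation is not disabled (HibernateEnabled=$shown)"
    }

    # 0 means no crash dump is written; any other value selects a dump type.
    $dump = Get-RegValue $crash 'CrashDumpEnabled'
    if ($dump -ne 0) {
        $shown = if ($null -eq $dump) { '<not set>' } else { $dump }
        $findings += "Crash dumps are not disabled (CrashDumpEnabled=$shown)"
    }

    # Files from earlier hibernations or crashes remain after the setting changes.
    $dumpFile = Get-RegValue $crash 'DumpFile'
    if (-not $dumpFile) { $dumpFile = Join-Path $env:SystemRoot 'MEMORY.DMP' }
    $leftovers = @((Join-Path $env:SystemDrive 'hiberfil.sys'), $dumpFile)
    foreach ($f in $leftovers) {
        if (Test-Path -LiteralPath $f) {
            $findings += "File from the hibernation/crash-dump path still on disk: $f"
        }
    }
    return $findings
}

$result = @(Test-DumpPathExposure)
if ($result.Count -eq 0) { 'OK: hibernation and crash dumps are disabled' } else { $result }
```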
I wonder how the system can be restored if the hibernation file is encrypted. Your
driver is not in memory yet to do the decryption job. Supporting encrypted
hibernation files (and paging files as well) is a pain on one hand, and not
secure on the other one.
–htfv
“Alan Hodges” wrote in message news:xxxxx@ntfsd…
Hi all,
I have a filter driver which transparently encrypts/decrypts all physical disk io. It is used in conjunction with a 16-bit int13 hooking module which handles disk reads during OS boot.
My problem is the optimisations performed in Windows Xp (and apparently 2k) during system hibernation, as the disk writes used for this do not pass through the normal filter driver mechanism.
My question is:
- is it possible to disable the optimisations used during hibernation or memory dump?
- is there any way (apart from hacking the assembly code to insert a call to my filter function) to hook the atapi entry points used for this type of disk io?
- if not why not?
DDK states that during resuming from hibernation,
Ntldr is using the BIOS to perform the I/O
Valery Boronin,
Plesk for Windows Engineer,
SWsoft, Inc.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
Alexey Logachyov
Sent: Tuesday, June 22, 2004 8:12 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Filtering hibernation disk writes
I wonder how system can be restored if hibernation file is
encrypted. Your driver is not in memory yet to do the
decryption job. Supporting encrypted hibernation files (and
paging files as well) is a pain on one hand, and not secure
on the other one.
–htfv
But I guess, loading driver image is only a part of the job. Aren’t
allocated in-memory structures restored from disk?
–htfv
Yes, ntldr uses the BIOS via int13, and as I stated in my original post, we
have that covered by hooking this interrupt
in a pre OS-boot 16bit module.
So do you have a contact at Microsoft that I can ask about this gaping
security hole then?