Handling Paging IO Read change actual data on disk

Hi All,

We are developing an encryption decryption utility by creating a mini filter driver based on sample code (Scanner, SwapBuffer) provided with IFS Kit.

At first we were ignoring IRP_MJ_READ in case of PAGING_IO & nested calls (this approach was taken after observing IRPs & associated IrpFlags in FileSpy, to make it work for WordPad), and it works well with WordPad, which issues non-memory-mapped reads, although this approach fails completely with Notepad, which issues memory-mapped reads.

After reading a reply of “Andrey Gunko” posted at “http://www.osronline.com/showthread.cfm?link=97408”, I have changed my read operation to decrypt only if IrpFlags has IRP_NOCACHE or IRP_PAGING_IO or IRP_SYNCHRONOUS_PAGING_IO bit set.

Now if I try to read an encrypted file using Notepad I indeed get the desired output, i.e. decrypted data in Notepad, but it also changes the actual file, i.e. after reading the file from Notepad the actual data on disk gets decrypted.

Kindly suggest what exactly I am missing.

Thanks in advance

It is changed because decrypted data from cache which you can see in notepad
is written to disk using paging i/o. You must do encryption on paging i/o
write operation.

Andrey Gunko
soft Xpansion GmbH & Co.KG
Programmer
Powered by eKnow-how
Konigsallee 45 D-44789 Bochum Tel: +49 234 2984171 Fax: +49 234
2984172 Internet: [www.maus-soft.com]

|-----Original Message-----
|From: xxxxx@lists.osr.com [mailto:bounce-265030-
|xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
|Sent: Thursday, October 05, 2006 12:08 PM
|To: Windows File Systems Devs Interest List
|Subject: [ntfsd] Handling Paging IO Read change actual data on disk
|
|Hi All,
|
|We are developing an encryption decryption utility by creating a mini
|filter driver based on sample code (Scanner, SwapBuffer) provided with IFS
|Kit.
|
|At first we were ignoring IRP_MJ_READ in case of PAGING_IO & Nested
|calls(This approach is taken after observing IRPs & associated IrpFlags in
|FileSpy to make it work for wordpad) and it works well with wordpad which
|issues non memory mapped read, although this approach fails completely with
|notepad which issues memory mapped read.
|
|After reading a reply of “Andrey Gunko” posted at
|“http://www.osronline.com/showthread.cfm?link=97408”, I have changed my
|read operation to decrypt only if IrpFlags has IRP_NOCACHE or IRP_PAGING_IO
|or IRP_SYNCHRONOUS_PAGING_IO bit set.
|
|Now if I try to read an encrypted file using notepad I indeed get the
|desired output i.e. decrypted data at notepad, but it also changes actual
|file i.e. after reading file from notepad actual data on disk get
|decrypted.
|
|Kindly suggest what exactly i am missing.
|
|Thanks in advance
|
|—
|Questions? First check the IFS FAQ at
|https://www.osronline.com/article.cfm?id=17
|
|You are currently subscribed to ntfsd as: xxxxx@maus.donetsk.ua
|To unsubscribe send a blank email to xxxxx@lists.osr.com

> Now if I try to read an encrypted file using notepad I indeed get the
> desired output i.e. decrypted data at notepad, but it also changes actual
> file i.e. after reading file from notepad actual data on disk get
> decrypted.

If an application mapped a file and did not write in the memory mapping the
file, but then there were write requests, then there is a serious bug in
your filter. Your filter changes the dirty bit for the page frames and the
Mapped Page Writer tries to flush the modified pages.


Slava Imameyev, xxxxx@hotmail.com


> You must do encryption on paging i/o write operation.

I am not receiving any IRP_MJ_WRITE operation after reading the file from Notepad. I have checked this in FileSpy & did not get a single write IRP.

I also want to mention that we are not ignoring any write call.

Any suggestion?

> I am not receiving any IRP_MJ_WRITE operation after reading file from
> notepad

If so describe how data on a disk gets changed. You wrote “if I try to read
an encrypted file using notepad I indeed get the desired output i.e.
decrypted data at notepad, but it also changes actual file i.e. after
reading file from notepad actual data on disk get decrypted.”
Clarify such a magic thing - changing data on a disk without sending
IRP_MJ_WRITE.


Slava Imameyev, xxxxx@hotmail.com


DbgPrint the first 10 bytes of buffer which you receive on IRP_MJ_WRITE on
each paging i/o and maybe you will see when data is written to disk.

Andrey Gunko

Well, I am really sorry for asking about this unusual scenario. I was also amazed when I found this, but yes, I have reverified it & it's the same. There is no write IRP generated as I read a file with Notepad, but still the actual file data gets changed.

Does it have anything to do with IRP_MJ_ACQUIRE_FOR_CC_FLUSH?

Does your file have the NTFS encrypted/compressed attribute set? How do you
know that there is no IRP_MJ_WRITE sent, how do you determine that? As I wrote
before, try to print some part of the buffer for each IRP_MJ_WRITE with the
IRP_PAGING_IO flag set.
Actually the FSD can read data from the cache and write it to disk for its own
needs and not send any IRP to the highest driver (your filter driver) but send
it to the lower driver (disk driver). That's why you can't see them. It
could happen on NTFS when your file is encrypted or compressed, but
it can also be true in many other cases.

Andrey Gunko

You miss the IRP_MJ_WRITE.
Note that the file object that is used to back a data segment might be a
stream file object. You must use the FileObject->FsContext field not the
File Object pointer.

> Does it have anything to do with IRP_MJ_ACQUIRE_FOR_CC_FLUSH?

No.


Slava Imameyev, xxxxx@hotmail.com


> Actually FSD can read data from cache and write it to disk by its own
> need and don’t send any IRP to highest driver (your filter driver) but send
> it to the lower driver (disk driver).

This is not appropriate for reading a data stream. The request is sent to
the top of the stack. Actually, the common FSDs never do the read ahead and
lazy write; the Cache Manager does this.


Slava Imameyev, xxxxx@hotmail.com


> How do you know that there is no IRP_MJ_WRITE send, how you determine that?

By this I actually mean that there are no write IRPs trapped by either FileSpy or my minifilter driver, hence printing the first few bytes of the buffer may not help.

> Actually FSD can read data from cache and write it to disk by its own need and don’t send any IRP to highest driver (your filter driver) but send it to the lower driver (disk driver).

In this scenario how can I help myself if the write IRP is bypassing my filter & going straight to the disk driver? Also, if this is the case (which it seems to be), then is it possible that FileSpy skips this write call, as FileSpy itself is a filter driver?

Kindly clear up one thing.
Currently we are basically handling the following IRPs, CREATE, READ, WRITE for & are doing encryption & decryption in write & read respectively if the file object belongs to a specific folder, i.e. we are not handling any calls outside of our folder.

Does this problem expect us to handle anything other than this?

> In this scenario how can I help my self if write IRP is bypassing my
> filter

Data stream writing never bypasses filters.

> Also if this is the case,(which it seems to be)

No, this is not the case( or else you have a buggy FSD under your filter ).
The real case is one of the following

  • the file has not been encrypted
  • you skipped the paging write request because you did not recognize a File
    Object as one related with this file, this case also means that your filter
    changes the dirty bit for the page frames.


Slava Imameyev, xxxxx@hotmail.com


Hi Slava,

> No, this is not the case( or else you have a buggy FSD under your filter ). The real case is one of the following - the file has not been encrypted

I got your point. I have verified that the file is encrypted: I stopped my filter after copying the file to the specific folder & found that it is correctly encrypted. So as per your last mail, the only points pending to check are

> you skipped the paging write request because you did not recognize a File Object as one related with this file,

I print a debug message at the start of my write callback, which I never receive in DbgView. FileSpy is also not capturing any IRP_MJ_WRITE. (I have not imposed any path or process filter, i.e. FileSpy is capturing system-wide IRPs.)

> this case also means that your filter changes the dirty bit for the page frames.

Here is what I am doing in my read callbacks.
When I get a pre-read callback for paging IO, I first modify the actual byte offset & read length after performing some calculation based on our cryptography logic, and then we replace the actual buffer with my allocated buffer. Later I fetch the data originally asked for from my buffer & copy that to the original buffer & reset the byte offset & read length again as required.

Is it possible that this functionality changes the dirty bit of the frames, & if it does, then what exactly will happen?

Just an update on my previous message

As I said:

> Later I fetch the data originally asked for from my buffer & copy that to the original buffer & reset the byte offset & read length again as required.

I do this in the post-read callback.

Any suggestion from anyone? It seems that Slava has been absent from the forum for the past few days.

Thanks

Thanks Slava & Andrey.

I found the problem: it just needs a restart of my machine before I want to see the encrypted text, & now I am able to see encrypted files on disk. It means that Windows is keeping that file in its cache until the system boots.
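
The behaviour the thread arrives at, as a user-mode C model added here (not code from any poster, and not driver code): transform data only when `IrpFlags` has `IRP_NOCACHE`, `IRP_PAGING_IO` or `IRP_SYNCHRONOUS_PAGING_IO`, match the stream by `FsContext` rather than by file object pointer, and expect the cache to keep serving plaintext after the filter is stopped. `Stream`, `FileObject`, `toy_xor`, `filter_hit`, `io_read`, `io_write` and `run_scenario` are hypothetical stand-ins, and XOR is a placeholder for a real cipher; only the three flag values are taken from wdm.h.

```c
#include <stdint.h>
#include <string.h>
#define IRP_NOCACHE               0x00000001  /* IrpFlags bits, values as in wdm.h */
#define IRP_PAGING_IO             0x00000002
#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040
#define DISK_IO (IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO)
#define LEN 8
/* Hypothetical user-mode stand-ins: one stream, shared by every file object on it. */
typedef struct { uint8_t disk[LEN], cache[LEN]; int cached; } Stream;
typedef struct { Stream *FsContext; } FileObject;
static Stream *g_protected;  /* the filter tracks the stream by FsContext */
static int g_attached;       /* 0 models the filter being stopped */
static void toy_xor(uint8_t *b) { for (int i = 0; i < LEN; i++) b[i] ^= 0x5A; }
static int filter_hit(const FileObject *fo, uint32_t f) {
    return g_attached && fo->FsContext == g_protected && (f & DISK_IO) != 0;
}
static void io_read(FileObject *fo, uint32_t f, uint8_t *out) {
    Stream *s = fo->FsContext;
    if (!(f & DISK_IO)) {    /* cached or mapped read: fault the page in once */
        if (!s->cached) { io_read(fo, IRP_PAGING_IO, s->cache); s->cached = 1; }
        memcpy(out, s->cache, LEN);
        return;
    }
    memcpy(out, s->disk, LEN);
    if (filter_hit(fo, f)) toy_xor(out);      /* post-read: decrypt */
}
static void io_write(FileObject *fo, uint32_t f, const uint8_t *in) {
    Stream *s = fo->FsContext;
    uint8_t tmp[LEN];
    if (!(f & DISK_IO)) { memcpy(s->cache, in, LEN); s->cached = 1; return; }
    memcpy(tmp, in, LEN);
    if (filter_hit(fo, f)) toy_xor(tmp);      /* pre-write: encrypt a private copy */
    memcpy(s->disk, tmp, LEN);
}
/* Returns a bitmask: 1 = disk holds ciphertext, 2 = mapped reader sees plaintext,
   4 = after the filter stops, the cache still serves plaintext. */
int run_scenario(void) {
    Stream s = {{0}, {0}, 0};
    FileObject user = {&s}, stream_fo = {&s};  /* second one models a stream file object */
    uint8_t plain[LEN] = "SECRET!", buf[LEN];  /* constructed sample data */
    int ok = 0; g_protected = &s; g_attached = 1;
    io_write(&user, 0, plain);                     /* cached write */
    io_write(&stream_fo, IRP_PAGING_IO, s.cache);  /* flush arrives on another file object */
    if (memcmp(s.disk, plain, LEN) != 0) ok |= 1;
    s.cached = 0; io_read(&user, 0, buf);          /* cold cache, mapped read */
    if (memcmp(buf, plain, LEN) == 0) ok |= 2;
    g_attached = 0; io_read(&user, 0, buf);        /* filter stopped, cache not purged */
    if (memcmp(buf, plain, LEN) == 0 && memcmp(s.disk, plain, LEN) != 0) ok |= 4;
    return ok;
}
```

In the model, bit 4 is the situation the last post describes: the bytes on disk are ciphertext, but a reader that goes through the cache keeps seeing plaintext until the cached pages are discarded.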