How can I do in encryption/decryption filter without purging Cc?

Hello everyone,

I have a question when doing encryption/decryption filter, it is as follows:

(1)Before starting my filter, the sensitive file existed in disk with ciphertext form.
(2)Start up my filter.
(3)Open a file first time (with notepad.exe), it shows plain text.
(4)Modify the file data in app and save it. After saving the file, Cc was filled with the encrypted file data.
(5)Open the same file second time, it shows cypher text as notepad process read data from Cc directly instead of real disk.

What can I do if I want to get the plain text without purging Cc in my filter?

Any suggestion will be welcome, Thanks.

Stephen Li

>>(4)Modify the file data in app and save it. After saving the file, Cc was filled with the encrypted file data.

No, Cache should have normal data if you are encrypting it on correct path. It means you did something incorrect here.

Do all your encryption/decryption for paging/non cached IO. Then on second time when notepad will read the file from cache, it will see normal data.

I have intercepted all noncached IO(include paging IO). when using notepad.exe to save a modified .txt file,take E:\testFolder\text1.txt as an example, the FileSpy tracking result is as follows:

1 13:36:13.658 0 notepad.exe 857B04B0 IRP_MJ_CREATE 00000884 860FD408 E:\testFolder\test1.txt
FILE_OPEN_IF CreOpts: 0x00000060 Access: 0x0012019F Share: 0x00000001 Attrib: 0x00000080 Result: FILE_OPENED
3 13:36:13.658 0 notepad.exe 85B29B28 IRP_MJ_WRITE 00000A00 860FD408 E:\testFolder\test1.txt
Offset 00000000-00000000 ToWrite 3C Written 3C
2 13:36:13.658 0 System 85B90630 IRP_MJ_CLOSE 00000404 85A6F238 E52490D0 00044040 E:\testFolder\test1.txt
4 13:36:13.658 10 notepad.exe 85B97B80 IRP_MJ_CLEANUP 00000404 860FD408 E52490D0 00040042 E:\testFolder\test1.txt
5 13:36:13.818 0 System 86149DE0 IRP_MJ_WRITE 00000043 860FD408 E52490D0 00044042 E:\testFolder\test1.txt Offset
00000000-00000000 ToWrite 1000 Written 3C

My filter will intercept the No.3 and No.5 IRP_MJ_WRITE,the No.3 IRP_MJ_WRITE is cached IRP with flags=0xA00,my filter doesn’t encrypt the file data so Cc is filled with plain text first;
But the No.5 IRP_MJ_WRITE,which was caused by Cc’s Lazy write operation(Paging IO) due to file modification,my filter will encrypt the file data,and send the encrypted file data to FSD;
During the process of the No.5 IRP_MJ_WRITE in FSD,the encrypted file data will also be CACHED (regardless of what type of IO, cached,noncached,or paging)in Cc to ensure Cache Coherency,
Then open the file again, FSD will return the Cc’s encrypted file data directly. Am I right?

If I’m right, what should I do if I want to get the plain text of the file with Cc purging operation?

Thanks.

Stephen Li

Sorry, what should I do without purging Cc?

Stephen

> During the process of the No.5 IRP_MJ_WRITE in FSD,the encrypted file
> data will also be CACHED (regardless of what type of IO,
> cached,noncached,or paging)in Cc to ensure Cache Coherency,

What makes you say that? The file was cached during write 3 (which you
ignored)

> Then open the file again, FSD will return the Cc’s encrypted file data
> directly. Am I right?

No.

If your cache is getting polluted with encrypted data, it's because you are
doing the encryption or because you are missing a pagefault. You *are*
using Stream Contexts (and not stream handle contexts) aren’t you?

> During the process of the No.5 IRP_MJ_WRITE in FSD,the encrypted file data
> will also be CACHED (regardless of what type of IO, cached,noncached,or
> paging)in Cc to ensure Cache Coherency,

Are you trying to encrypt in place? You can’t do that, you have to double
buffer.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
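
Added example, not part of the thread and not OSR's code: a user-mode C model of the "encrypt in place" versus "double buffer" point above, showing why transforming the paging-write buffer itself leaves ciphertext in the cache. The toy XOR transform, the 16-byte page and all function names are constructed for illustration; this is a model, not filter driver code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE 16                          /* toy page size (assumption) */
static const unsigned char KEY = 0x5A;   /* toy XOR stand-in for a real cipher */
static unsigned char cache_page[PAGE];   /* models the cached page backing the file */
static unsigned char disk_page[PAGE];    /* models the bytes the FSD writes to disk */

static void xform(unsigned char *dst, const unsigned char *src, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = src[i] ^ KEY;
}
/* FSD side of a paging write: copies the supplied buffer to disk, cache untouched. */
static void fsd_paging_write(const unsigned char *buf) { memcpy(disk_page, buf, PAGE); }

/* Cached write (entry 3 in the trace): passed through, cache holds plaintext. */
static void cached_write(const char *text) {
    size_t n = strlen(text);
    memset(cache_page, 0, PAGE);
    memcpy(cache_page, text, n < PAGE ? n : PAGE);
}
/* Paging write (entry 5), in place: the buffer being written IS the cache page,
   so encrypting it overwrites what the next cached read will return. */
static void paging_write_in_place(void) {
    xform(cache_page, cache_page, PAGE);
    fsd_paging_write(cache_page);
}
/* Paging write, double buffered: encrypt into a filter-owned copy and send
   that copy down; the cache page is only read, never modified. */
static int paging_write_double_buffered(void) {
    unsigned char *shadow = malloc(PAGE);
    if (shadow == NULL) return -1;
    xform(shadow, cache_page, PAGE);
    fsd_paging_write(shadow);
    free(shadow);
    return 0;
}
/* Second open: a cached read is satisfied from cache_page. 1 = plaintext seen. */
static int cache_shows(const char *text) { return memcmp(cache_page, text, strlen(text)) == 0; }
/* Non-cached read path: decrypt the on-disk bytes into a separate buffer. */
static int disk_decrypts_to(const char *text) {
    unsigned char out[PAGE];
    xform(out, disk_page, PAGE);
    return memcmp(out, text, strlen(text)) == 0;
}
int main(void) {
    cached_write("secret text"); paging_write_double_buffered();
    printf("double buffer: cache plaintext=%d disk ok=%d\n", cache_shows("secret text"), disk_decrypts_to("secret text"));
    cached_write("secret text"); paging_write_in_place();
    printf("in place:      cache plaintext=%d disk ok=%d\n", cache_shows("secret text"), disk_decrypts_to("secret text"));
    return 0;
}
```

In both cases the disk ends up holding ciphertext; only the in-place variant also changes what a later cached read returns.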
