How to clear the content of a memory-mapped file that is already closed

NTFSD
1

Dear NTFSD,

I’m writing an on-fly-encryption file system filter driver. There is a
problem with memory-mapped files. It occurs in the following situation. The
filter encrypts the á file on the fly. The filter is not launched yet. The
user edits this file using Notepad. After that he starts the filter and
opens the same file in Notepad again, but no disk operation is carried out,
the content of the file is taken from the memory. The question is how to
clear the content of a memory-mapped file that is already closed from the
memory?

Regards,
Vitaliy Perepelkin

2

There is no guaranteed way to achieve this - the file might still be in use, for example. However, if you open a file and the file object has a section associated with it (FileObject->SectionObjectPointers->DataSectionObject or FileObject->SectionObjectPointers->ImageSectionObject) then the data is in memory already. You can try to force that out at that point (MmFlushImageSection) or you can try to force the old section to “go away” (MmForceSectionClosed).

If the file is also cached (FileObject->SectionObjectPointers->SharedCacheMap is non-zero) then you will want to purge the cache (CcPurgeCacheSection) before trying to get rid of the section objects.

However, all of these calls have the possibility of failure. For example, if the file is still IN USE then there’s nothing you are going to do that will get rid of these sections - and you are stuck with the stale information.

Note: it is not a sound implementation practice to start a file system filter driver, particularly an on-the-fly encryption driver, after access has been granted to the system. Some OS components (e.g., LanManager) store away information about the underlying file system and ignore subsequent filter loads for certain operations.

If you use the OSR filter kit (which uses a helper-driver model similar to the Filter Manager model) the base filter installs and may load very early on, but neither our kit, nor the newer filter manager, can do anything about data that is in memory…

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Vitaliy Perepelkin
Sent: Saturday, March 26, 2005 2:11 AM
To: ntfsd redirect
Subject: [ntfsd] How to clear the content of a memory-mapped file that is already closed

Dear NTFSD,

I’m writing an on-fly-encryption file system filter driver. There is a
problem with memory-mapped files. It occurs in the following situation. The
filter encrypts the ? file on the fly. The filter is not launched yet. The
user edits this file using Notepad. After that he starts the filter and
opens the same file in Notepad again, but no disk operation is carried out,
the content of the file is taken from the memory. The question is how to
clear the content of a memory-mapped file that is already closed from the
memory?

Regards,
Vitaliy Perepelkin

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

3

Maybe avoid the “filter not started” situation and make it Boot start?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Vitaliy Perepelkin”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Saturday, March 26, 2005 10:10 AM
Subject: [ntfsd] How to clear the content of a memory-mapped file that is
already closed

> Dear NTFSD,
>
> I’m writing an on-fly-encryption file system filter driver. There is a
> problem with memory-mapped files. It occurs in the following situation. The
> filter encrypts the á file on the fly. The filter is not launched yet. The
> user edits this file using Notepad. After that he starts the filter and
> opens the same file in Notepad again, but no disk operation is carried out,
> the content of the file is taken from the memory. The question is how to
> clear the content of a memory-mapped file that is already closed from the
> memory?
>
> Regards,
> Vitaliy Perepelkin
>
>
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

4

> The filter encrypts the file on the fly. The filter is not launched yet.

Strange - which one sentence is true ? ;-))

opens the same file in Notepad again, but no disk operation is carried
out,
the content of the file is taken from the memory. The question is how to
clear the content of a memory-mapped file that is already closed from the
memory?

You must install the encryption filter at the boot time.
This ensures that all file I/O will be catched by it.

L.

5

Dear Tony Mason and others,

Thank you very much for your replies. It is getting clearer now.
But probably I incorrectly asked my question last time:
The driver is launched in BOOT time, but I need to have the opportunity to
enable/disable encryption on the fly for a certain folder specified by the
user.
As far as I understand, it cannot be implemented completely, for example,
if the file is still in USE (FileMapped).
So here is my question - is it possible to exactly determine the moment
when the file is mapped into the memory and also the moment when this
mapping is closed?

Regards,
Vitaliy Perepelkin

“Tony Mason” wrote in message news:xxxxx@ntfsd…
There is no guaranteed way to achieve this - the file might still be in use,
for example. However, if you open a file and the file object has a section
associated with it (FileObject->SectionObjectPointers->DataSectionObject or
FileObject->SectionObjectPointers->ImageSectionObject) then the data is in
memory already. You can try to force that out at that point
(MmFlushImageSection) or you can try to force the old section to “go away”
(MmForceSectionClosed).

If the file is also cached
(FileObject->SectionObjectPointers->SharedCacheMap is non-zero) then you
will want to purge the cache (CcPurgeCacheSection) before trying to get rid
of the section objects.

However, all of these calls have the possibility of failure. For example,
if the file is still IN USE then there’s nothing you are going to do that
will get rid of these sections - and you are stuck with the stale
information.

Note: it is not a sound implementation practice to start a file system
filter driver, particularly an on-the-fly encryption driver, after access
has been granted to the system. Some OS components (e.g., LanManager) store
away information about the underlying file system and ignore subsequent
filter loads for certain operations.

If you use the OSR filter kit (which uses a helper-driver model similar to
the Filter Manager model) the base filter installs and may load very early
on, but neither our kit, nor the newer filter manager, can do anything about
data that is in memory…

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of Vitaliy Perepelkin
Sent: Saturday, March 26, 2005 2:11 AM
To: ntfsd redirect
Subject: [ntfsd] How to clear the content of a memory-mapped file that is
already closed

Dear NTFSD,

I’m writing an on-fly-encryption file system filter driver. There is a
problem with memory-mapped files. It occurs in the following situation. The
filter encrypts the á file on the fly. The filter is not launched yet. The
user edits this file using Notepad. After that he starts the filter and
opens the same file in Notepad again, but no disk operation is carried out,
the content of the file is taken from the memory. The question is how to
clear the content of a memory-mapped file that is already closed from the
memory?

Regards,
Vitaliy Perepelkin


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com