How to realize encrypt/decrypt name of directory or file on-fly?

As we all know, we can encrypt data in IRP_MJ_WRITE, and decrypt data in IRP_MJ_READ, on-fly;

Now, I do not want to encrypt or decrypt the data, but the name of directory or file on-fly.

I have realized encrypt name of directory or file via filtering IRP_MJ_SET_INFORMATION, now I do not know how to decrypt the encrypted name on-fly.

For example:
If there are a folder named “3333” and a file named “3333.txt” (both are encrypted names) in partition “D:”, when we open “D:”, we see the decrypted names, such as “2222” and “2222-sws”. Here we used a simple decryption algorithm (ASCII code -1). Which IRP should I filter in order to do it, or are there other ways? Thank U!

> I have realized encrypt name of directory or file via filtering IRP_MJ_SET_INFORMATION, now I do not know how to decrypt the encrypted name on-fly.

You cannot tamper with the file/dir names, they must stay
as they are.

L.

Why? But I think I can encrypt/decrypt file/dir names.
Suppose all the file/dir names in a partition are encrypted; now I can make a FS minifilter driver to decrypt all the names, so that I can see the decrypted names. Is there anything wrong with that?

Try to trap IRP_MJ_DIRECTORY_CONTROL. You will get the calls whenever user-level applications make FindFirstFile or FindNextFile API calls. So I feel your problem would be solved.

Thanks & Regards
Aishwary Bhashkar
R Systems International Ltd

Aishwary Bhashkar, thanks.
Well, like U said, I had trapped IRP_MJ_DIRECTORY_CONTROL, and I had realized decrypted file/dir names; for example, if I open “D:”, then I can see all decrypted file/dir names. But another problem appeared, that is, I cannot rename the file/dir then. When I want to rename a file/dir, the system says: cannot find source file! I have no idea now! I had tried to trap IRP_MJ_SET_INFORMATION, but my driver cannot receive THIS IRP.

Well, for opening that file you need to capture IRP_MJ_CREATE, as now the create request is generated for the logical name you are showing, so map it to the name that is the original name of the file. For the rename operation you have to track IRP_MJ_SET_INFORMATION with FileInformationClass == FileRenameInformation. So the rule is: first do IRP_MJ_CREATE, then do IRP_MJ_SET_INFORMATION.

Thanks & Regards
Aishwary Bhashkar
Sr. Software Engineer
R Systems International Ltd.

Aishwary Bhashkar, THANK YOU!
Well, actually, I had tracked IRP_MJ_CREATE and IRP_MJ_SET_INFORMATION.

First of all, I want to talk about how I decrypt dir/file names: I capture IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY, and get the CBD->Iopb->Parameters.QueryDirectory.DirectoryBuffer, and CBD->Iopb->Parameters.QueryDirectory.FileInformationClass==FileBothDirectoryInformation, so I can get FileName in FileBothDirectoryInformation. Then I modify the FileName, so the modified dir/file names (that is, decrypted names) are shown. For example, I attach my driver at volume “D:”, and there are a folder named “aaaa” and a file named “bbbb.txt”; when I open “D:”, I see a folder named “AAAA” and a file named “BBBB.txt”, which are decrypted dir/file names.

In the IRP_MJ_CREATE dispatch function, I mapped CBD->Iopb->TargetFileObject->FileName to the original name (for example, CBD->Iopb->TargetFileObject->FileName=“AAAA”, I mapped it to “aaaa”), so I believe FSD has received the original name. But when I RENAME or DELETE “aaaa”, the system says: “Cannot Rename File: Cannot read from source file or disk” or “Cannot Delete File: Cannot read from source file or disk”. I have tracked IRP_MJ_SET_INFORMATION, but when I RENAME, my driver CANNOT receive IRP_MJ_SET_INFORMATION; but when I DELETE, my driver CAN receive IRP_MJ_SET_INFORMATION.

You just said: “in IRP_MJ_CREATE, map logical name showing to the name that is the original name of the file”. I just modified the CBD->Iopb->TargetFileObject->FileName. Is it enough?

Best Wishes!
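
The post-operation name rewrite described in the post above, as an added user-mode C example that is not code from anyone in this thread: it walks a listing chained by NextEntryOffset, bounds-checks each entry against the returned length, and applies the first post's ASCII -1 transform in place. `DIR_ENTRY`, `decode_listing` and `put_entry` are hypothetical names, the layout is a simplified stand-in for FILE_BOTH_DIR_INFORMATION, and the sample entries are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {               /* constructed stand-in, most real fields omitted */
    uint32_t NextEntryOffset;  /* bytes to the next entry, 0 on the last one */
    uint32_t FileNameLength;   /* in bytes; the name is not NUL-terminated */
    uint16_t FileName[1];      /* UTF-16 code units */
} DIR_ENTRY;
#define HDR offsetof(DIR_ENTRY, FileName)

/* Post-operation side: shown = stored - 1 per code unit, in place, so lengths
   and offsets are unchanged. Returns entries rewritten, or -1 on a bad entry. */
int decode_listing(uint8_t *buf, size_t len) {
    for (size_t off = 0, count = 1; ; count++) {
        DIR_ENTRY e;
        if (len - off < HDR) return -1;           /* header must fit */
        memcpy(&e, buf + off, HDR);
        if (e.FileNameLength % 2 || e.FileNameLength > len - off - HDR) return -1;
        for (uint32_t i = 0; i < e.FileNameLength; i += 2) {
            uint16_t c;
            memcpy(&c, buf + off + HDR + i, 2);
            c = (uint16_t)(c - 1);
            memcpy(buf + off + HDR + i, &c, 2);
        }
        if (e.NextEntryOffset == 0) return (int)count;
        if (e.NextEntryOffset < HDR + e.FileNameLength ||
            e.NextEntryOffset > len - off) return -1;   /* overlaps or overruns */
        off += e.NextEntryOffset;
    }
}

/* Constructed sample input: write one ASCII-named entry, return next offset. */
size_t put_entry(uint8_t *buf, size_t off, const char *name, int last) {
    size_t n = strlen(name), size = (HDR + 2 * n + 7) & ~(size_t)7;
    DIR_ENTRY e = { last ? 0 : (uint32_t)size, (uint32_t)(2 * n), {0} };
    memcpy(buf + off, &e, HDR);
    for (size_t i = 0; i < n; i++) {
        uint16_t c = (uint8_t)name[i];
        memcpy(buf + off + HDR + 2 * i, &c, 2);
    }
    return off + size;
}

int main(void) {   /* exit status 0 when both constructed entries decode */
    uint8_t buf[64] = {0};
    size_t len = put_entry(buf, put_entry(buf, 0, "3333", 0), "3333.txt", 1);
    return decode_listing(buf, len) == 2 ? 0 : 1;
}
```

Because the transform keeps every name the same length, no entry has to move; a transform that changes the length would require rebuilding the buffer and every NextEntryOffset.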

Hi,

Let me know one thing: can u open that file or folder you have mapped, i.e. double click and open? And moreover you are tracking only “FileBothDirectoryInformation”. In Vista you would get “FileIdBothDirectoryInformation”. So I would suggest you map all of them before making your software commercial. And I hope in IRP_MJ_CREATE you are mapping this in PreCreate.

Thanks & Regards
Aishwary Bhashkar
Sr. Software Engineer
R Systems International Ltd.

Hi,

Yes, I can open the file or folder that are showing in explore (decrypted names).
I realize it like this: in PreCreate I modified CBD->Iopb->TargetFileObject->FileName to the original file/dir name, so I’m sure FSD received the original file/dir name.

Best wishes!

Check in pre IRP_MJ_SET_INFORMATION for file information class == FileRenameInformation. Try DbgPrint there and then rename; I am sure you will get IRP_MJ_SET_INFORMATION whenever there is a rename operation. First check in pre set info whether you are getting the event.

Thanks & Regards
Aishwary Bhashkar
Sr. Software Engineer
R Systems International Ltd.

But unluckily, when I have decrypted file/dir names, I CANNOT rename the file or folder with decrypted names. Actually, when I am renaming, I CANNOT receive IRP_MJ_SET_INFORMATION, so I cannot track it.

Hi,

Well as per Windows OS it is not possible to rename a file without generating IRP_MJ_SET_INFORMATION. Please check your code.

Thanks & Regards
Aishwary Bhashkar
Sr. Software Engineer
R Systems International Ltd.

Hi
In IRP_MJ_SET_INFORMATION track Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileRenameInformation, I am sure u will be able to find it.

Thanks & Regards
Sameer Shukla
Software Engineer
R Systems International Ltd

Hi
Well, I had tracked a normal RENAME: for example, if I RENAME folder “aaaa” to “3333”, before generating IRP_MJ_SET_INFORMATION, a special IRP_MJ_CREATE will appear; in this IRP_MJ_CREATE, CBD->Iopb->TargetFileObject->FileName=3333.

Back to my driver now: after I decrypted file/dir names, i.e. I can see a folder named “AAAA” (original name is “aaaa”) in explore. Then if I try to RENAME “AAAA” to “3333”, there is no special IRP_MJ_CREATE appearing; I mean I tracked all IRP_MJ_CREATE, there is no “CBD->Iopb->TargetFileObject->FileName=3333”, so I CANNOT receive IRP_MJ_SET_INFORMATION.

I guess there is problem with my decryption in IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY.
By the way, I did not handle IRP_MN_NOTIFY_CHANGE_DIRECTORY. Does it matter?

Best Wishes!

Hi,

Now I got your problem. You haven’t written IRP_MJ_DIRECTORY_CONTROL correctly. In PreDirCtrl, if the FileName is something other than the wildcard (*), like “AAAA”, map that name to the original name (the name your file system driver understands) in PreDirCtrl, and in post change the name again, as you must already be doing.

I hope now the things would work.

Thanks & Regards
Aishwary Bhashkar
Sr. Software Engineer
R Systems International Ltd.

Hi, Aishwary Bhashkar,
First of all, thank you for your patience.

Actually, I have tracked “preDirCtrl” and “postDirCtrl”, and “CBD->Iopb->TargetFileObject->FileName” is the original name (the name my file system driver understands). I think it is because I have mapped the “CBD->Iopb->TargetFileObject->FileName” in preCreate (in IRP_MJ_CREATE), so in the IRPs following IRP_MJ_CREATE (such as CLEANUP, CLOSE, QUERY_INFORMATION, DIR_CONTROL, etc.), I can get the original name WITHOUT mapping it again.

By the way, DDK says “Cbd->Iopb->Parameters.QueryDirectory.FileName” is: Pointer to a UNICODE_STRING structure that contains the name of a file within the specified directory.
But when I have tracked the postDirCtrl, it is (*) or NULL. Is it important? In my driver, “CBD->Iopb->TargetFileObject->FileName” is used.

Best Wishes!

Hi,

Track on PreDirCtrl and try to print the buffer of the FileName; you will see *, i.e. the wildcard. In case of rename operations, the file system queries whether that file name exists or not. So you get the logical name in PreDirCtrl. You have to map it here to the original name, otherwise u will get NULL in PostDirCtrl and u can’t rename it. For that, in PreDirCtrl, create an OriginalBuffer (PUNICODE_STRING) in NonPagedPool memory and create the buffer of that in NonPagedPool memory. Now exchange that buffer with the filename buffer u got from the OS. Put it in your completion context so that u can exchange that buffer again in post and can release the buffer u have created. Now u won’t get NULL in PostDirCtrl.
I think, seeing your implementation, there would be another problem: that you can’t see the file name that you have created until u refresh it.
If U handle dirctrl correctly all ur problems would be solved.

Thanks & Regards
Aishwary Bhashkar
Sr. Software Engineer
R Systems International Ltd.

Hi,
Yes, until I refresh (F5), I can see new file name. Can my filter driver control this?

Handle dirctrl correctly as I said in previous post, all ur problems would be solved.

Thanks & Regards
Aishwary Bhashkar
Sr. Software Engineer
R Systems International Ltd.

Hi,
First of all, thank U very much. It works now.
I mean that I can RENAME or DEL now. But the problem U just said appears. For example, when I open “D:”, decrypted names (for example, “AAAA”) are showing; its original name is “aaaa”. When I rename it to “GGGG”, until I refresh (F5), I can see “gggg”, not “GGGG”. Because I modify the FileRenameInformation in preSetInfo (“GGGG” maps to “gggg”), i.e. the name received by FSD is “gggg”, then via DIR_CTRL it is mapped once more (“gggg” --> “GGGG”), so I think I should see “GGGG”, not “gggg”. Do u think SO?