Microsoft Word 2003

I’m trying to encrypt/decrypt the buffer for MS Word 2003.

Is this the same deal as notepad.exe? I can’t see any of the buffers. It’s either garbage or other useless junk, but none of it is the read/write buffers.

I was able to do this with WordPad.exe. I was able to encrypt with notepad.exe but not decrypt with notepad.

What is the deal with the screwy memory buffering stuff? Where can I find out more information about how to use notepad, etc?

Thanks guys. I’m wanting to contribute to the forums too, but I’m such a noob at the ntfsd stuff. I tried to join the windbg forum, but it won’t work. I might be able to contribute there…

—Dan—

I still plan to move to the filter manager and a minidriver, but I’ve decided it’ll have to wait until after my demo.

Too much to learn too fast.

Anyway, the IFS kit has two “legacy” drivers. The “smaller” one has this in it:

//
// VERSION NOTE:
//
// There are 6 FastIO routines for which file system filters are bypassed as
// the requests are passed directly to the base file system. These 6 routines
// are AcquireFileForNtCreateSection, ReleaseFileForNtCreateSection,
// AcquireForModWrite, ReleaseForModWrite, AcquireForCcFlush, and
// ReleaseForCcFlush.
//
// In Windows XP and later, the FsFilter callbacks were introduced to allow
// filters to safely hook these operations. See the IFS Kit documentation for
// more details on how these new interfaces work.
//
// MULTIVERSION NOTE:
//
// If built for Windows XP or later, this driver is built to run on
// multiple versions. When this is the case, we will test
// for the presence of FsFilter callbacks registration API. If we have it,
// then we will register for those callbacks, otherwise, we will not.
//

#if WINVER >= 0x0501

    {
        FS_FILTER_CALLBACKS fsFilterCallbacks;

        if (NULL != gRRDynamicFunctions.RegisterFileSystemFilterCallbacks) {

            //
            // Setup the callbacks for the operations we receive through
            // the FsFilter interface.
            //
            // NOTE: You only need to register for those routines you really
            // need to handle. SFilter is registering for all routines
            // simply to give an example of how it is done.
            //

            fsFilterCallbacks.SizeOfFsFilterCallbacks = sizeof( FS_FILTER_CALLBACKS );
            fsFilterCallbacks.PreAcquireForSectionSynchronization = RRPreFsFilterPassThrough;
            fsFilterCallbacks.PostAcquireForSectionSynchronization = RRPostFsFilterPassThrough;
            fsFilterCallbacks.PreReleaseForSectionSynchronization = RRPreFsFilterPassThrough;
            fsFilterCallbacks.PostReleaseForSectionSynchronization = RRPostFsFilterPassThrough;
            fsFilterCallbacks.PreAcquireForCcFlush = RRPreFsFilterPassThrough;
            fsFilterCallbacks.PostAcquireForCcFlush = RRPostFsFilterPassThrough;
            fsFilterCallbacks.PreReleaseForCcFlush = RRPreFsFilterPassThrough;
            fsFilterCallbacks.PostReleaseForCcFlush = RRPostFsFilterPassThrough;
            fsFilterCallbacks.PreAcquireForModifiedPageWriter = RRPreFsFilterPassThrough;
            fsFilterCallbacks.PostAcquireForModifiedPageWriter = RRPostFsFilterPassThrough;
            fsFilterCallbacks.PreReleaseForModifiedPageWriter = RRPreFsFilterPassThrough;
            fsFilterCallbacks.PostReleaseForModifiedPageWriter = RRPostFsFilterPassThrough;

            status = (gRRDynamicFunctions.RegisterFileSystemFilterCallbacks)( DriverObject,
                                                                              &fsFilterCallbacks );

            if (!NT_SUCCESS( status )) {

                DriverObject->FastIoDispatch = NULL;
                ExFreePoolWithTag( fastIoDispatch, RRLT_POOL_TAG_FASTIO );
                IoDeleteDevice( gRRFilterControlDeviceObject );
                return status;
            }
        }
    }

Is this what you’re talking about concerning how the file system will do stuff without passing down an IRP that I can trap?

Is this the way to capture notepad?

What did you mean by using a FCB in conjunction with the FILE_OBJECT->FsContext1? I understand each file is uniquely defined by FsContext1, but I don’t understand anything about FCBs and how they relate.

Thanks.

This is in the FAQ, actually.

The problem you have is with memory mapped files (notepad, word '03 plus
other apps).

When you do encryption it is best to do it on non-cached I/O. In that
way the data that goes into VM will be decrypted and the system will
work for paging I/O. If you can restrict to NTFS (at least for demo)
the best thing to do is stick any encryption header into a separate
stream and the encrypted data into the main data stream (ignore
alternate streams for a demo…) Then just encrypt and decrypt the
relevant non-cached I/O.

For IRP_MJ_WRITE you need to encrypt in a DIFFERENT buffer (the MDL you
get is the data in VM, so if you encrypt it in place the encrypted stuff
becomes visible immediately to memory mapped applications); for
IRP_MJ_READ you can decrypt in place (the memory has not yet become
visible to the caller until the read completes).

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
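A user-mode model of the rule Tony describes, added here as an illustration and not code from the thread or the IFS kit: the "page" buffer stands in for the MDL-mapped memory a memory-mapped reader aliases, a toy XOR stands in for real encryption, and the IRP_NOCACHE flag value and the function names are constructed.

```c
/* Added example (constructed, not from the thread or the IFS kit): models why
 * a non-cached write must be encrypted into a separate buffer while a
 * non-cached read may be decrypted in place. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define IRP_NOCACHE 0x1   /* constructed flag value, not the real IRP_* bit */
#define TOY_KEY     0x5A  /* toy XOR "cipher", stands in for real encryption */

typedef struct {
    unsigned  flags;
    uint8_t  *buffer;   /* models the MDL-mapped pages handed to the filter */
    size_t    length;
} write_request_t;

static void toy_xor(uint8_t *dst, const uint8_t *src, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = src[i] ^ TOY_KEY;
}

/* Write path: only non-cached I/O is encrypted, and always into a fresh
 * buffer, so the caller's (possibly memory-mapped) pages stay plaintext.
 * Returns the buffer that would be sent down to the file system; the caller
 * frees it. Cached writes pass through untouched. */
uint8_t *filter_write(const write_request_t *req) {
    uint8_t *out = malloc(req->length);
    if (out == NULL) return NULL;
    if (req->flags & IRP_NOCACHE)
        toy_xor(out, req->buffer, req->length);   /* encrypt into the copy */
    else
        memcpy(out, req->buffer, req->length);    /* pass through as-is */
    return out;
}

/* Read completion: the data is not visible to the caller until the read
 * completes, so decrypting the non-cached read buffer in place is safe. */
void filter_read_complete(unsigned flags, uint8_t *buffer, size_t length) {
    if (flags & IRP_NOCACHE)
        toy_xor(buffer, buffer, length);          /* decrypt in place */
}
```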

Thanks Tony. I’m assuming you mean I should cast the FsContext member of the FILE_OBJECT as an FSD and then use the main stream?

I’m not even sure what you mean when you say “… I should cast the
FsContext member of the FILE_OBJECT as an FSD …”

You can use a stream context (FsRtlxxx for the various stream context
manipulation functions) and ignore anything that has a : in its name
that isn’t “::$DATA” (the “default data stream” on NTFS).

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Monday, November 06, 2006 1:46 PM
To: ntfsd redirect
Subject: RE:[ntfsd] Microsoft Word 2003

Thanks Tony. I’m assuming you mean I should cast the FsContext member of
the FILE_OBJECT as an FSD and then use the main stream?


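One way to apply Tony's "ignore anything with a : in its name that isn't ::$DATA" rule to the path a filter sees, added here as an example and not code from the thread: it looks only at the final path component (so a \??\C: prefix does not count as stream syntax) and compares the stream suffix case-insensitively, since NTFS names are. The function name and sample paths are constructed.

```c
/* Added example (constructed, not from the thread): is this NTFS path the
 * default (unnamed) data stream, or a named/alternate stream to skip? */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* ASCII case-insensitive equality, since NTFS stream names are case-insensitive. */
static bool equals_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

bool is_default_data_stream(const char *path) {
    /* Only the last component can carry ":stream:$TYPE"; earlier components
     * may hold a drive letter such as \??\C:\ that must not be mistaken for it. */
    const char *name = strrchr(path, '\\');
    name = name ? name + 1 : path;

    const char *colon = strchr(name, ':');
    if (colon == NULL)
        return true;                       /* plain name: unnamed data stream */

    /* "::$DATA" is the explicit spelling of the unnamed data stream. Anything
     * else ("file:alt", "file:alt:$DATA", "file::$INDEX_ALLOCATION") is not. */
    return equals_nocase(colon, "::$DATA");
}
```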

Well, I was reading this: http://www.osronline.com/article.cfm?article=457

Traditionally, a file system associated a specific file state with the file object using the FsContext field of the FILE_OBJECT. This is often referred to either as the File Control Block or the Stream Control Block. The latter name reflects the support of streams as a first-class entity within the file system. This is important because normally (e.g., in a filter driver) we associate two FILE_OBJECTs together if they have the same FsContext pointer value. However, if the underlying file system supports streams, then these two values really represent the same stream and not the same file.

Knowing very little, I assumed you could cast the FsContext value (which is typically a PVOID I believe) as a File Control Block (FCB) to get the stream stuff.

I’m still using the legacy model because I don’t really have time to look at the minidriver stuff yet. I didn’t even know FSRtlXXX existed until you mentioned it.

I’ve been looking at the functions in the IFS Kit help file.

Anyway, what I’ve noted is the sfilter driver example has RRPreFsFilterPassThrough and a post one too.

I’m guessing, from what I can read, these both are the functions used via the memory manager when proper IRPs are not generated from user-space. As a result, I’m thinking I can use the PFS_FILTER_CALLBACK_DATA Data pointer and get the File Object from that and put that into FsRtlGetPerStreamContextPointer, and if there is a stream, I can assume that stream is the buffer I’m interested in?

I spent the last three freaking hours trying to figure out why my sfilter implementation hung when I booted. Of course, it was something stupid. Now, I’m trying to figure out the rest…

Thanks