minifilter encryption dealing with .doc files

First of all, sorry for the noob and repeated question I've asked.
My encryption was bypassed by Notepad last time because my routine wasn't
able to get the right FCB; that has been solved by placing the
FCB-catching function at post-create. I'm not sure if that is
reasonable, and whether it is the cause of my following problems.
The next step for me is including the MS Office series; they save to a .tmp
file first and then rename it to .doc. I chose to encrypt .tmp as well to
avoid further problems, as discussed before. Besides, my encryption is
quite simple: XOR the buffer, depending on the length of:
writeLen = iopb->Parameters.Write.Length;                        // if IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO
writeLen = (ULONG)ROUND_TO_SIZE(writeLen, volCtx->SectorSize);   // if IRP_NOCACHE

As my test input is always smaller than 1024 bytes, the writeLen I
observed is always 1024.

But when I save the file, the minifilter seems to be unstable. It
either works OK or shows a permission denied fault. For the latter,
sometimes it is the file itself, but sometimes it is normal.dot. With
Office 2007, it simply fails to encrypt the file T_T. I start the
filter, open Word and input something, reopen, it fails; stop the filter,
reopen, everything goes OK.

I searched some archives on OSR, which indicate that a permission denied
fault may be caused by offset or file length changes, but why isn't my
filter stable? Does it overwrite something like 'EOF'?

Turn off your filter. Run FileSpy:

http://www.zezula.net/en/fstools/filespy.html

Or Process Monitor:

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Open Word and save a document. Save the FileSpy/Process Monitor log and
clear the display.

Enable your filter and repeat the steps above.

You now have two logs: one that succeeds and one that fails. Compare the
logs and try to figure out what your filter is changing to mess up the
result (while keeping in mind that the differences might not actually be
captured by either of these utilities).

Note that you should expect the project that you’ve started to take years,
not months. There is a steep learning curve and many tedious days and nights
ahead. No one ever said the job was glamorous!

Good luck!

-scott
OSR
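One way to do the comparison Scott describes, as an added example that is not code from this thread or from OSR: export both Process Monitor captures as CSV, key each row on (process, operation, path, result) so that timestamps and PIDs, which always differ between runs, do not show up as noise, and list the rows that exist only in the failing run. The column order assumed below is Process Monitor's CSV export order; the sample rows are constructed for the example, not real captures, and the "ACCESS DENIED" rows are illustrative, not a statement of what the poster's filter actually does.

```c
/* Added example: diff two Process Monitor CSV exports (filter off vs filter on). */
#include <stdio.h>
#include <string.h>

#define KEY_LEN 400
#define ARRAY_LEN(a) ((int)(sizeof (a) / sizeof ((a)[0])))

/* Assumed Process Monitor CSV export column order:
 * "Time of Day","Process Name","PID","Operation","Path","Result","Detail"
 * Rows are constructed for this example; they are not real captures. */
static const char *run_filter_off[] = {
    "\"10:01:02.0\",\"WINWORD.EXE\",\"1234\",\"CreateFile\",\"D:\\Docs\\~WRD0001.tmp\",\"SUCCESS\",\"Desired Access: Generic Write\"",
    "\"10:01:02.1\",\"WINWORD.EXE\",\"1234\",\"WriteFile\",\"D:\\Docs\\~WRD0001.tmp\",\"SUCCESS\",\"Offset: 0, Length: 1024\"",
    "\"10:01:02.2\",\"WINWORD.EXE\",\"1234\",\"SetRenameInformationFile\",\"D:\\Docs\\~WRD0001.tmp\",\"SUCCESS\",\"FileName: D:\\Docs\\report.doc\"",
    "\"10:01:02.3\",\"WINWORD.EXE\",\"1234\",\"CloseFile\",\"D:\\Docs\\report.doc\",\"SUCCESS\",\"\"",
};
static const char *run_filter_on[] = {
    "\"10:05:11.0\",\"WINWORD.EXE\",\"2210\",\"CreateFile\",\"D:\\Docs\\~WRD0001.tmp\",\"SUCCESS\",\"Desired Access: Generic Write\"",
    "\"10:05:11.1\",\"WINWORD.EXE\",\"2210\",\"WriteFile\",\"D:\\Docs\\~WRD0001.tmp\",\"SUCCESS\",\"Offset: 0, Length: 1024\"",
    "\"10:05:11.2\",\"WINWORD.EXE\",\"2210\",\"SetRenameInformationFile\",\"D:\\Docs\\~WRD0001.tmp\",\"ACCESS DENIED\",\"FileName: D:\\Docs\\report.doc\"",
    "\"10:05:11.3\",\"WINWORD.EXE\",\"2210\",\"CreateFile\",\"C:\\Users\\me\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dot\",\"ACCESS DENIED\",\"Desired Access: Generic Write\"",
};

/* Copy the idx-th (0-based) double-quoted CSV field of line into out.
 * Commas inside quotes (e.g. "Offset: 0, Length: 1024") do not split fields.
 * Returns 0 on success, -1 if the line has fewer fields than idx+1. */
static int csv_field(const char *line, int idx, char *out, size_t outsz)
{
    int field = 0, inq = 0;
    size_t o = 0;
    for (const char *p = line; *p; p++) {
        if (*p == '"') { inq = !inq; continue; }
        if (*p == ',' && !inq) {
            if (field == idx) break;
            field++;
            continue;
        }
        if (field == idx && o + 1 < outsz) out[o++] = *p;
    }
    out[o] = '\0';
    return field == idx ? 0 : -1;
}

/* Key = process|operation|path|result; time of day and PID are deliberately excluded. */
static void row_key(const char *line, char *key, size_t keysz)
{
    char proc[64], op[64], path[200], res[32];
    csv_field(line, 1, proc, sizeof proc);
    csv_field(line, 3, op, sizeof op);
    csv_field(line, 4, path, sizeof path);
    csv_field(line, 5, res, sizeof res);
    snprintf(key, keysz, "%s|%s|%s|%s", proc, op, path, res);
}

/* Copy into out the keys of rows in b that have no matching key in a; returns the count. */
static int rows_only_in(const char **a, int na, const char **b, int nb,
                        char out[][KEY_LEN], int max_out)
{
    char ka[KEY_LEN], kb[KEY_LEN];
    int found = 0;
    for (int i = 0; i < nb && found < max_out; i++) {
        int seen = 0;
        row_key(b[i], kb, sizeof kb);
        for (int j = 0; j < na && !seen; j++) {
            row_key(a[j], ka, sizeof ka);
            seen = strcmp(ka, kb) == 0;
        }
        if (!seen) strcpy(out[found++], kb);
    }
    return found;
}

static int only_when_filter_on(char out[][KEY_LEN], int max_out)
{
    return rows_only_in(run_filter_off, ARRAY_LEN(run_filter_off),
                        run_filter_on, ARRAY_LEN(run_filter_on), out, max_out);
}

static int only_when_filter_off(char out[][KEY_LEN], int max_out)
{
    return rows_only_in(run_filter_on, ARRAY_LEN(run_filter_on),
                        run_filter_off, ARRAY_LEN(run_filter_off), out, max_out);
}

int main(void)
{
    char out[16][KEY_LEN];
    int n = only_when_filter_on(out, 16);
    for (int i = 0; i < n; i++) printf("only with filter ON:  %s\n", out[i]);
    n = only_when_filter_off(out, 16);
    for (int i = 0; i < n; i++) printf("only with filter OFF: %s\n", out[i]);
    return 0;
}
```

The rows that show up only in the filter-on list are the first places to look; the rows that exist only in the filter-off list (here the successful rename and the final close) tell you how far the save got before the filter changed the outcome.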

“gst fish” wrote in message news:xxxxx@ntfsd…

A lot of thanks, Scott.

I'm on it and actually have 3 logs: no filter, filter without
encryption, filter with encryption. I set the FileSpy path filter to
only include *.doc, *.xls, *.ppt and *.tmp, which seems not to be
enough because I couldn't find the write op yet (probably I need to
change my glasses too :P). Given the fact that my filter was
failing to encrypt .xls and .ppt but decrypting successfully, there must
be something I ignored.

This project is basically not a project. I want to have a deeper grasp
of the NT kernel and FS, but maybe I chose the wrong start? Whatever. I'm
coding it by myself, and the deadline is closing. Aka, I just want to see
how much I can get done under time pressure.
Thanks again for your patience, Scott; I must say I've read a dozen of
your replies, which are very helpful for newbies like me.

2013/6/3 Scott Noone :
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

You’re likely missing something. The best thing to do is put a secondary
drive in your machine (can be a USB drive), attach the FileSpy filter to it,
and save the Word document to that drive. Then you can view all activity to
the drive without having to sift through the noise of I/O on your boot
volume.

-scott
OSR


> This project is basically not a project. I want to have a deeper grasp
> of NT kernel and FS but maybe I chose the wrong start? Whatever. I'm
> coding it by myself, and deadline is closing.

What deadline is closing? Deadline for a deeper grasp? :)


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

Actually I'm learning about the Windows kernel, and there was a
competition-like thing? I don't know the exact description of it;
maybe held by my school, or some other organizer, whatever. There were
several kinds of projects for us to choose from, and of course I chose this one as
a time race for me. In addition, the *deadline is closing* also
because I have some other important things to deal with, i.e. the GRE
(maybe you have already realized my English is somewhat strange, huh?)
and going abroad, hopefully :)

OK, back to this topic. Additional thanks to Scott (sorry for my
vocabulary, I'm improving it too). I guess that probably means
Office-style read and write operations can only happen on a single
drive (without considering the temporary folder of Windows), and following
this advice, I think I've got some new problems to solve and I'm on it
:)

2013/6/5 Maxim S. Shatskih :

Hi!
Could you share your experience in minifilter development?
I'm exploring the SwapBuffers minifilter now, but I can't even decrypt data in txt files with a simple XOR algorithm.
I found an example of XORing in another OSR Online thread:

char* pp = p2pCtx->SwappedBuffer;
unsigned int i = 0;
// The data on disk is encrypted; decrypt the swapped buffer now, but only
// the bytes the read actually returned (IoStatus.Information), not the request length
DbgPrint("SwappedBuffers found a DRMS file but not-safe!\n");
for (i = 0; i < Data->IoStatus.Information; i++)
{
    pp[i] = pp[i] ^ 'Z';
}

Can you share your encryption code and the place where you use it?
Maybe the basic SwapBuffers minifilter is not the best example for me?

My encryption algorithm is also simply XOR, or sometimes something like
(*p)++ for encryption and (*p)-- for decryption, to see whether I had succeeded in filtering
paging I/O only. As for the encryption/decryption place, I put decryption
in post-read and encryption in pre-write; just imagining how it works
will give you a better answer to this. By the way, I tested my filter
with single-function test cases first, such as fread/fwrite. Notepad
uses memory mapping, so additional work may be necessary.
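A user-mode model of the encrypt-on-write filter this thread is about, added here as an example; it is not the posters' driver code and it keeps the thread's toy XOR, which is not encryption. It puts together the two points made above: the original post's writeLen handling (the rounded length for IRP_NOCACHE writes, and why a sub-1024-byte write shows up as 1024) and the "decrypt in post-read, encrypt in pre-write" placement. It models a pre-write that encrypts a swapped copy of the caller's buffer, a post-read that decrypts only the bytes the read returned, a per-file context that follows the file across rename, and the Office save pattern (write .tmp, rename over .doc, reopen .doc), so it also shows what goes wrong when .tmp is left out of the policy: the renamed .doc lands on disk as plaintext and the next open of the .doc "decrypts" it into garbage. The sector size, file names and policy function are assumptions for the model.

```c
/* Added example: user-mode model of an encrypt-on-write minifilter (toy XOR, not encryption). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECTOR_SIZE 512                     /* assumed volCtx->SectorSize */
#define MAX_FILES   8
#define ROUND_TO_SIZE(n, s) ((((n) + (s) - 1) / (s)) * (s))

typedef struct {
    char    name[64];
    uint8_t data[4096];                     /* the "on-disk" bytes */
    size_t  eof;
    int     encrypt;                        /* the filter's per-stream context */
    int     in_use;
} FileObj;

static FileObj volume[MAX_FILES];

/* Policy evaluated at post-create from the name the caller opened (assumption). */
static int name_is_protected(const char *name, int include_tmp)
{
    const char *ext = strrchr(name, '.');
    if (ext == NULL) return 0;
    return strcmp(ext, ".doc") == 0 || (include_tmp && strcmp(ext, ".tmp") == 0);
}

/* IRP_MJ_CREATE: open-or-create by name; the context is recomputed on every open. */
static FileObj *fs_create(const char *name, int include_tmp)
{
    FileObj *slot = NULL;
    for (int i = 0; i < MAX_FILES; i++) {
        if (volume[i].in_use && strcmp(volume[i].name, name) == 0) { slot = &volume[i]; break; }
        if (!volume[i].in_use && slot == NULL) slot = &volume[i];
    }
    if (slot == NULL) return NULL;
    if (!slot->in_use) {
        memset(slot, 0, sizeof *slot);
        snprintf(slot->name, sizeof slot->name, "%s", name);
        slot->in_use = 1;
    }
    slot->encrypt = name_is_protected(name, include_tmp);
    return slot;
}

/* IRP_MJ_WRITE pre-op: encrypt a swapped copy, never the caller's buffer. For a
 * non-cached write the copy covers the sector-rounded length (1024 for a 1000-byte
 * write); EOF still follows the caller's length. Returns IoStatus.Information. */
static int filtered_write(FileObj *f, size_t offset, const uint8_t *buf, size_t len, int noncached)
{
    size_t io_len = noncached ? ROUND_TO_SIZE(len, SECTOR_SIZE) : len;
    if (io_len == 0 || offset + io_len > sizeof f->data) return -1;
    uint8_t *swapped = calloc(io_len, 1);   /* driver: FltAllocatePoolAlignedWithTag */
    if (swapped == NULL) return -1;
    memcpy(swapped, buf, len);
    if (f->encrypt)
        for (size_t i = 0; i < io_len; i++) swapped[i] ^= 'Z';
    memcpy(f->data + offset, swapped, io_len);
    free(swapped);
    if (offset + len > f->eof) f->eof = offset + len;
    return (int)len;
}

/* IRP_MJ_READ post-op: decrypt exactly the bytes returned, not the requested length. */
static int filtered_read(FileObj *f, size_t offset, uint8_t *buf, size_t len)
{
    if (offset >= f->eof) return 0;
    size_t n = (offset + len > f->eof) ? f->eof - offset : len;
    memcpy(buf, f->data + offset, n);
    if (f->encrypt)
        for (size_t i = 0; i < n; i++) buf[i] ^= 'Z';
    return (int)n;
}

/* FileRenameInformation: the stream context stays with the file, not with the name. */
static void fs_rename(FileObj *f, const char *newname)
{
    snprintf(f->name, sizeof f->name, "%s", newname);
}

/* Office-style save (write .tmp, rename over .doc, reopen .doc). Returns 1 when the
 * bytes on "disk" are not the plaintext and the reopen reads the text back, 0 when
 * the .doc leaks as plaintext and the reopen "decrypts" it into garbage. */
static int save_like_office(const char *text, int include_tmp)
{
    uint8_t back[4096];
    memset(volume, 0, sizeof volume);
    FileObj *tmp = fs_create("~WRD0001.tmp", include_tmp);
    if (tmp == NULL || filtered_write(tmp, 0, (const uint8_t *)text, strlen(text), 1) < 0) return -1;
    fs_rename(tmp, "report.doc");
    int on_disk_plain = memcmp(tmp->data, text, strlen(text)) == 0;

    FileObj *doc = fs_create("report.doc", include_tmp);  /* reopen: policy re-evaluated by name */
    int n = filtered_read(doc, 0, back, sizeof back);
    int roundtrip = n == (int)strlen(text) && memcmp(back, text, (size_t)n) == 0;
    return !on_disk_plain && roundtrip;
}

int main(void)
{
    printf("policy {.doc,.tmp}: %d\n", save_like_office("hello word", 1));
    printf("policy {.doc} only: %d\n", save_like_office("hello word", 0));
    return 0;
}
```

The model is deliberately position-independent (a constant-key XOR), which is why rounding the non-cached length up to a sector does no harm here; a real cipher whose keystream depends on the file offset would have to be applied at exactly the offset the I/O carries, and the context lookup at post-create would have to resolve the same stream object before and after the rename.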

2013/6/6 :

Hi! Thank U very much for Ur response.

As U said, for encryption/decryption the logic may be:
(*p)++; (*p)--;        // your option
or
*p = *p ^ 'Z';         // my option

> As for encryption/decryption place, I put decryption in post read and encryption in pre write

Post-read is the last point where we have the encrypted data buffer read from the file system; we decrypt it and give the process the original data.
Pre-write is the first point where we have data to encrypt, and we put the encrypted data to the HDD.
Is that a correct understanding?

One more question for you: can U post here or send me simple code XOR-ing data in post-read and de-XOR-ing it in pre-write? (even your variant of encrypting/decrypting) I can give U my e-mail: fedotDOTfedotovATgmailDOTcom. If it is easy for U, can U send simple code for the callbacks?

The last point:
I have already heard about memory mapping and paging during work with the file system by some processes. So notepad.exe is a special process, and I have to process its responses in a special way?

And the latest one:

> i tested my filter with single function test case first, such as fread/fwrite

What is your opinion, will the following code be good enough for testing my minifilter driver? (read part)

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    long lSize = 1000;
    size_t nResult = 0;
    char *buffer = (char *)malloc(sizeof(char) * lSize);
    if (buffer == NULL)
        return 1;

    /* "\\" is required here: "\f" in a C string is a form-feed, not a backslash */
    FILE *fileWithData = fopen("D:\\file.bmp", "rb");
    if (fileWithData == NULL) {
        free(buffer);
        return 1;
    }
    do
    {
        /* each fread issues a buffered read of up to lSize bytes through the filter */
        nResult = fread(buffer, 1, lSize, fileWithData);
    } while (nResult > 0);

    fclose(fileWithData);
    free(buffer);
    return 0;
}

R U under the impression we are all 12 years old and like texting? Drop
the cutesy “U”.

I presume the XOR example is proof of concept, because, as long as we are
talking about 12-year-olds, note that a reasonably clever 12-year-old
could crack this easily. Anyone with serious crypto experience could
crack it in an hour. If you are serious about encryption, you would know
that serious encryption requires something like PKI encryption or one of
equal power. You could try something like the Enigma encryption used by
the Germans in WW II, but note that this apparently powerful encryption
could be broken by a machine with rotating motors and relays (there is one
on exhibit at the Museum of Cryptology located near the NSA headquarters
outside Washington, DC). So it is fine to use your XOR algorithm to test
your metalogic and architecture, but you can’t expect to use it in
production.
joe


> under the impression we are all 12 years old and like texting?

Seriously? Not! I'm not a native speaker, so I thought that sometimes saying "U" instead of "you" is awesome or cool ;)

> that a reasonably clever 12-year-old could crack this easily

I understand this. XOR is only an example, for understanding the whole mechanism of accessing the data (this forum is more related to file system drivers than to crypto algorithms).

> So it is fine to use your XOR algorithm to test your metalogic and architecture, but you can't expect to use it in production.

Thank you, Cap!

More useful would be your comments about the file system regarding the original post.