First of all, sorry for the noob and repeated question I’ve asked.
My encryption last time was bypassed by Notepad cuz my routine wasn’t
able to get the right FCB, which has been solved by placing the
FCB-catching function at post-create – I’m not sure if it is
reasonable, and if it is the cause of my following problems.
The next step for me is including the MS Office series; they are saved as .tmp
first and then renamed to .doc. I chose to encrypt .tmp as well to
avoid further problems, as discussed before. Besides, my encryption is
quite simple: XOR the buffer, depending on the length of:
writeLen = iopb->Parameters.Write.Length; // if IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO
writeLen = (ULONG)ROUND_TO_SIZE(writeLen,volCtx->SectorSize); // if IRP_NOCACHE
As my test input is always smaller than 1024, the writeLen I
observed is always 1024.
But when I saved the file, the minifilter seems to be unstable. It
either works OK or shows some permission denied fault. For the latter,
sometimes it is the file itself, but sometimes it is normal.dot. As for
Office 2007, it simply fails to encrypt the file T_T. I start the
filter, open Word and input something, reopen, fails; stop the filter,
reopen, everything goes OK.
I searched some archives on OSR, which indicate that the permission denied
fault may be caused by offset or file length changes, but why isn’t my
filter stable? Does it overwrite something like ‘EOF’?