Hey, I am experimenting a little bit. What I am basically doing is encrypting a hello.txt text file that contains “Hello World” during my Read Post Operation routine using a simple XOR.
Although I start the filter during system boot I see the Hello.txt still showing “Hello World” when opening in notepad, while Wordpad shows the correct XOR’ed content.
I can’t understand it. I tried everything: Encrypting always, encrypting only on IRP_NOCACHE and IRP_PAGING_IO, encrypting only if we have no CACHE or PAGING_IO…
But none of them seems to work.
Could anyone please tell me what I am doing wrong? Am I taking the wrong approach? And how could I also make notepad display the correct content?
Note: I have read every single thread concerning this topic, but none of the suggestions worked! I hope you can help me out.
Yes, and that’s the problem, I tried everything… Encrypting PagedIO, Cached IO only, no Cached IO, all IO… I really tried everything, but it just does not work. And I start the Filter at boot time, so even if Windows prefetches this file it should become scrambled in notepad…
…but it isn’t.
What I’m searching for is basically a hint how to deal with the problem correctly.
Invalidating SectionObjectPointers in the IRP_MJ_CREATE completion routine, and running CcPurgeCacheSection on the SectionObjectPointer on CLEANUP completion, as well as adding the Intermediate Buffering option on Create dispatch AND completely disallowing FastIo on the file still had no desired results…
I have absolutely no idea how to make notepad read from disk.
Wow, I was just about to post a question about this.
If you open the file in Notepad, close it, and open it again you will not get an IRP_MJ_READ after the second open when Notepad wants to get the data to paint on the screen.
FileSpy or FileMon will show you:
IRP_MJ_CREATE
FASTIO_NETWORK_QUERY_OPEN
IRP_MJ_CREATE
FASTIO_QUERY_INFORMATION
IRP_MJ_CLEANUP
IRP_MJ_CLOSE
IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION
IRP_MJ_ACQUIRE_FOR_CC_FLUSH
IRP_MJ_RELEASE_FOR_CC_FLUSH
IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION
IRP_MJ_CLEANUP
IRP_MJ_CLOSE
But, you will not see an IRP_MJ_READ the second time you open the file.
Does anyone know how to intercept the memory mapped reads or cause the system to read from the file again?
"Before calling CcPurgeCacheSection, the caller must acquire the file exclusively and ensure that no thread, including the caller, has mapped or pinned any byte range in the file."
I have a small routine that I use for accomplishing this and determines which routine to use if it is an image section or data section object. Reading from notepad is one thing, but if you start catching executables / dll files / etc you may need to pay attention to image section objects as well of which you will need to look at MmFlushImageSection, and look at how it interacts in the FASTFAT code.
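Added example, not code from any poster in this thread and not kernel code: a user-mode C model of the cache-manager behaviour the thread describes. The "disk", the cache pages, the XOR filter and the purge are plain arrays and functions constructed for illustration (names such as fault_in_page, mapped_view and purge_cache are assumptions, not Windows APIs). It shows why a filter that transforms data only on paging/non-cached reads cannot affect a file whose pages were already resident before the filter attached (no IRP_MJ_READ is generated on the second open, as the FileSpy trace above shows), and why dropping the pages, the analogue of CcPurgeCacheSection, forces the next access to refault through the filter.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the cache manager. Everything here is constructed for the
 * example; it is not the kernel's behaviour in detail, only the part the
 * thread is about: data enters the cache once, through paging I/O, and
 * cached reads and mapped views are both served from those same pages. */

#define PAGE_SIZE 16
#define NPAGES    2
#define XOR_KEY   0x5A   /* constructed sample key for the "simple XOR" */

static const char sample_text[] = "Hello World";   /* constructed hello.txt */
static char disk[NPAGES * PAGE_SIZE];              /* on-disk bytes */
static char cache[NPAGES * PAGE_SIZE];             /* cache-manager pages */
static bool resident[NPAGES];                      /* page present in cache? */
static bool filter_attached;                       /* has the filter loaded yet? */
static int  paging_reads_seen;                     /* paging reads the filter saw */

static void xor_transform(char *buf, size_t n) {
    for (size_t i = 0; i < n; i++) buf[i] ^= XOR_KEY;
}

/* Plaintext on disk, empty cache, filter not yet attached. */
static void model_reset(void) {
    memset(disk, 0, sizeof disk);
    memcpy(disk, sample_text, sizeof sample_text);
    memset(cache, 0, sizeof cache);
    memset(resident, 0, sizeof resident);
    filter_attached = false;
    paging_reads_seen = 0;
}

/* A cache miss or page fault becomes a paging read. That is the only point
 * where the filter's post-read routine ever sees the data in this model. */
static void fault_in_page(int p) {
    if (resident[p]) return;   /* already resident: no I/O, so no IRP at all */
    memcpy(cache + p * PAGE_SIZE, disk + p * PAGE_SIZE, PAGE_SIZE);
    if (filter_attached) {
        paging_reads_seen++;
        xor_transform(cache + p * PAGE_SIZE, PAGE_SIZE);   /* post-read XOR */
    }
    resident[p] = true;
}

/* Cached ReadFile: satisfied from the cache pages, faulting in as needed. */
static void cached_read(char *out, size_t n) {
    size_t copied = 0;
    for (int p = 0; p < NPAGES && copied < n; p++) {
        fault_in_page(p);
        size_t chunk = (n - copied < PAGE_SIZE) ? n - copied : PAGE_SIZE;
        memcpy(out + copied, cache + p * PAGE_SIZE, chunk);
        copied += chunk;
    }
}

/* Memory-mapped view (what the notepad-style open in the thread relies on):
 * the section is backed by the same pages, so a resident page yields no read. */
static const char *mapped_view(void) {
    fault_in_page(0);
    return cache;
}

/* Analogue of CcPurgeCacheSection: drop the pages so the next touch refaults. */
static void purge_cache(void) {
    memset(resident, 0, sizeof resident);
}

/* File touched (prefetch, earlier open) before the filter attached, then
 * viewed again with the filter in place: the view is still plaintext. */
static bool stale_view_after_attach(void) {
    model_reset();
    mapped_view();                      /* populates the cache, no filter yet */
    filter_attached = true;
    const char *view = mapped_view();   /* no paging read, stale bytes served */
    return paging_reads_seen == 0 &&
           memcmp(view, sample_text, sizeof sample_text - 1) == 0;
}

/* Same scenario followed by a purge: the refault runs through the filter, and
 * a cached read and the mapped view agree because they share the pages. */
static bool purge_forces_refilter(void) {
    model_reset();
    mapped_view();
    filter_attached = true;
    purge_cache();
    const char *view = mapped_view();
    char expect[PAGE_SIZE], via_read[PAGE_SIZE];
    memcpy(expect, disk, PAGE_SIZE);
    xor_transform(expect, PAGE_SIZE);
    cached_read(via_read, PAGE_SIZE);
    return paging_reads_seen == 1 &&
           memcmp(view, expect, PAGE_SIZE) == 0 &&
           memcmp(via_read, expect, PAGE_SIZE) == 0;
}

int main(void) {
    printf("stale plaintext view after late attach: %s\n",
           stale_view_after_attach() ? "yes" : "no");
    printf("purge makes the next fault go through the filter: %s\n",
           purge_forces_refilter() ? "yes" : "no");
    return 0;
}
```

The model deliberately has no separate path for cached versus mapped data: both read the same pages, which is why, in the thread, purging the section (under the locking constraints quoted above) is what forces the file system to read from disk again rather than any change to which IRPs the filter transforms.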