Possibly no paging write over network to shared folder?

Hi all,

I noticed that when using the Adobe plugin PdfMaker to generate a PDF file into a network shared folder, there is no paging write IRP intercepted. (It is done by clicking the “convert” button in the toolbar added by installing Adobe Acrobat Professional.) I used the FileSpy tool to monitor the I/O from the local host. It can explain why the PDF file was not encrypted by my mini-filter driver.

However, I can see that the files saved by Excel itself do have paging write IRPs intercepted.

Can anyone explain how this can happen? Thanks…

Wilson Wang

The relevant logs are pasted below:

1954 21:16:50.504 70 EXCEL.EXE 2904 82EF9C00 IRP 82E86008 IRP_MJ_CREATE 00000884 00000000 830413F8 E16346D8 E1634AC0 00000022 00000000 \Device\LanmanRedirector\192.168.0.117\share\vvvvvvvvv.pdf STATUS_SUCCESS FILE_CREATE CreOpts: 00000064 Access: 00130196 Share: 0 Attrib: 00000020 Result: FILE_CREATED
1955 21:16:50.634 50 EXCEL.EXE 2904 82EF9C00 IRP 82E86008 IRP_MJ_SET_INFORMATION 00000830 00000000 830413F8 E16346D8 E1634AC0 00040022 82E7F00C \Device\LanmanRedirector\192.168.0.117\share\vvvvvvvvv.pdf STATUS_SUCCESS FileEndOfFileInformation EndOfFile: 00000000-00006C3F
1956 21:16:50.684 160 EXCEL.EXE 2904 82EF9C00 IRP 82E86008 IRP_MJ_WRITE 00000A00 00000000 830413F8 E16346D8 E1634AC0 00041022 82E7F00C \Device\LanmanRedirector\192.168.0.117\share\vvvvvvvvv.pdf STATUS_SUCCESS Offset 00000000-00000000 ToWrite 6C3F Written: 6C3F
1957 21:16:50.844 40 EXCEL.EXE 2904 82EF9C00 IRP 82E86008 IRP_MJ_SET_INFORMATION 00000830 00000000 830413F8 E16346D8 E1634AC0 00041022 82E7F00C \Device\LanmanRedirector\192.168.0.117\share\vvvvvvvvv.pdf STATUS_SUCCESS FileBasicInformation Attrib: 0

Lanman overrides the cache manager, at least sometimes, so you cannot use the same technique to encrypt network transfer as you do for local files.



NTFSD is sponsored by OSR



Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

I am not sure if Access: 00130196 is hex or decimal, but one of the rules is:
For write-only handles the lanman mini-redirector bypasses the cache and writes directly to the server.

-bg

Thanks!

Yes, 00130196 is hex formatted and it is write-only. Can I trust this rule to always modify data in this situation?

> Can I trust this rule to always modify data in this situation?

Who knows? My experience is that this rule is applied, but the criteria might be more difficult. I wouldn’t say you can rely on it in an encryption filter. Sometimes non-cached writes are cached and the FO is modified so writes are write-through, but who knows how many rules there are. Take a look at the SmbMRx sample.

My opinion is that at this level it is impossible to have a reliable solution for encryption of (mini)redirectors since Vista. Up to Vista you can inspect the FCB, so you know if a write is cached or not (look for an article on osronline about it). Since Vista the FCB is undocumented. I guess it is related to improved cooperation of mini-redirs with CSS (Client Side Cache). It also means that the RDBSS in WDK 6000/6001 differs from the RDBSS incorporated in the Vista/WLH OS. MSFT has two pending patents regarding CCS. It might also be a source of the info, although a little bit encrypted. :)

-bg
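The two points raised in this thread, that the logged Access value 00130196 is a write-only handle and that an encryption filter which only transforms paging writes will miss a redirector write that bypasses the cache, can be checked with a small decoder. The following C is an added example written for this thread, not code from the original posters or from any WDK sample; it uses the standard access-mask and IRP flag values from winnt.h/ntifs.h (redefined here so it compiles without the WDK), and `must_transform_write` encodes the heuristic from the thread only, which the reply above explicitly says cannot be relied on as the sole rule in an encryption filter.

```c
#include <stdint.h>
#include <stdio.h>

/* Access-mask bits, values as defined in winnt.h / ntifs.h. */
#define FILE_READ_DATA            0x00000001u
#define FILE_WRITE_DATA           0x00000002u
#define FILE_APPEND_DATA          0x00000004u
#define FILE_READ_EA              0x00000008u
#define FILE_WRITE_EA             0x00000010u
#define FILE_READ_ATTRIBUTES      0x00000080u
#define FILE_WRITE_ATTRIBUTES     0x00000100u
#define DELETE                    0x00010000u
#define READ_CONTROL              0x00020000u
#define SYNCHRONIZE               0x00100000u

/* Irp->Flags bits from ntifs.h; a minifilter reads them from Data->Iopb->IrpFlags. */
#define IRP_NOCACHE               0x00000001u
#define IRP_PAGING_IO             0x00000002u
#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040u

enum data_access {
    ACCESS_NO_DATA,     /* attributes/metadata only, no file data access */
    ACCESS_READ_ONLY,   /* FILE_READ_DATA without write/append */
    ACCESS_WRITE_ONLY,  /* FILE_WRITE_DATA and/or FILE_APPEND_DATA, no FILE_READ_DATA */
    ACCESS_READ_WRITE
};

/* Classify the DesiredAccess of a create by its file-data rights only. */
enum data_access classify_data_access(uint32_t desired_access)
{
    int reads  = (desired_access & FILE_READ_DATA) != 0;
    int writes = (desired_access & (FILE_WRITE_DATA | FILE_APPEND_DATA)) != 0;
    if (reads && writes) return ACCESS_READ_WRITE;
    if (writes)          return ACCESS_WRITE_ONLY;
    if (reads)           return ACCESS_READ_ONLY;
    return ACCESS_NO_DATA;
}

/* Nonzero when a write IRP's payload is what reaches the backing store on a
 * local file system: paging I/O (lazy writer / mapped page writer) or a
 * non-cached write. Cached user writes land in the cache and are written
 * back later as paging I/O. */
int write_carries_data(uint32_t irp_flags)
{
    return (irp_flags & (IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO)) != 0;
}

/* Heuristic from the thread: on a local volume only paging/non-cached writes
 * carry data, but on the lanman mini-redirector a write-only handle bypasses
 * the cache, so the plain IRP_MJ_WRITE is the only chance to transform the
 * data. The thread warns that the redirector has further rules, so this is
 * a starting point for a filter, not a complete decision procedure. */
int must_transform_write(int on_redirector, uint32_t desired_access, uint32_t irp_flags)
{
    if (write_carries_data(irp_flags))
        return 1;
    if (on_redirector && classify_data_access(desired_access) == ACCESS_WRITE_ONLY)
        return 1;
    return 0;
}

/* Print the individual rights present in a mask, for reading FileSpy output. */
void print_access_mask(uint32_t mask)
{
    static const struct { uint32_t bit; const char *name; } names[] = {
        { FILE_READ_DATA, "FILE_READ_DATA" }, { FILE_WRITE_DATA, "FILE_WRITE_DATA" },
        { FILE_APPEND_DATA, "FILE_APPEND_DATA" }, { FILE_READ_EA, "FILE_READ_EA" },
        { FILE_WRITE_EA, "FILE_WRITE_EA" }, { FILE_READ_ATTRIBUTES, "FILE_READ_ATTRIBUTES" },
        { FILE_WRITE_ATTRIBUTES, "FILE_WRITE_ATTRIBUTES" }, { DELETE, "DELETE" },
        { READ_CONTROL, "READ_CONTROL" }, { SYNCHRONIZE, "SYNCHRONIZE" },
    };
    printf("Access: %08X =", mask);
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (mask & names[i].bit) printf(" %s", names[i].name);
    printf("\n");
}

int main(void)
{
    /* The value from the IRP_MJ_CREATE line in the posted FileSpy log. */
    uint32_t logged_access = 0x00130196u;
    print_access_mask(logged_access);
    printf("write-only data handle: %s\n",
           classify_data_access(logged_access) == ACCESS_WRITE_ONLY ? "yes" : "no");
    /* The posted IRP_MJ_WRITE was a plain user write; with no paging flags a
     * paging-only filter would skip it on a local volume, but on the
     * redirector the heuristic says it must be transformed. */
    printf("transform on local volume:   %d\n", must_transform_write(0, logged_access, 0));
    printf("transform on redirector:     %d\n", must_transform_write(1, logged_access, 0));
    return 0;
}
```

Decoding 00130196 gives FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL and SYNCHRONIZE with no FILE_READ_DATA, which is why the reply above treats the handle as write-only. A filter that keys only on IRP_PAGING_IO would not see the PdfMaker data at all on the share, so the decision needs the handle's access and the device type as well.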