Hi,
I’m working on an encryption minifilter, based on swapbuffers.
I start the driver at boot time.
Is there any way to ensure that my encrypted files are read after I load the driver?
Thank you.
If you are a boot time loaded filter then there can be no file access
via standard file based APIs to any files within the name space of the
instance you are loaded until your filter is fully loaded in the stack.
Therefore you can be certain that access to the files you are concerned
about will be accessed after you load.
That said, there are system files which are directly accessed by other
kernel components not using the file system stack. For instance the
system registry hive is loaded by the system loader prior to much of the
system getting loaded. Thus if you are attempting to perform encryption
on these system files, then you won’t succeed at a file system filter level.
Pete
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
At boot start typically only the kernel, HAL, driver files and registry
hives are being read before a boot start driver can start. So as long
as those are not part of the encryption you are fine. The challenges
for encryption are in all the other things you have to deal with.
Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Thanks for the quick answers, Peter, Don.
After rebooting, all my encrypted files are decrypted. Last time, I received
the answer that it was due to the cache.
I tried to use flush and purge cache in PreCleanup but nothing happened. So
I think I must have the encrypted files read after I load the driver.
Is it correct? Would you give me some clues?
Thanks a lot.
–
Regards,
Nhat
As Don pointed out, it’s all the ‘other’ things that are troublesome in
an encryption filter. There are so many things which could result in
decrypted files or corrupted files after a reboot. If you are encrypting
on the non-cached/paging pathways then encrypted data must be getting to
disk. So if your files are coming up fully decrypted after a reboot then
you are never encrypting them prior to the reboot. Again, there can be
so many issues causing this, read the previous threads on this forum
about encryption filters, there are many of them, and you might find
something wrong in your design.
If you can provide more information on your design, we may be able to
give you a better area to focus on.
Pete
Thanks a lot, Peter.
My minifilter design is based on swapbuffer:
Post/Pre Create, Post/Pre Read, Post/Pre Write
In PostCreate, I check the filename and pass it in the context to the read
and write.
In PreRead and PreWrite, I return FLT_PREOP_DISALLOW_FASTIO if it’s fastio.
I get the context to make sure that it’s a file that needs to be encrypted.
Encrypting/Decrypting is performed in PostRead, PostReadWhenSafe and
PreWrite.
I’ve just added PreCleanup to perform flush/purge cache.
–
Regards,
Nhat
Hoang Xuan Quang Nhat
Faculty of Information Technology
University of Science - Vietnam National University HCM
Sorry, do you mean I must add this code in PreRead and PreWrite?
if (!(Data->Iopb->IrpFlags & (IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO)))
{
    __leave;
}
When I added them, and loaded the minifilter at boot time, it got a BSOD
with 0xBE bugcheck.
You’ll find plenty of information in previous posts about this topic.
But in general you only want to encrypt/decrypt data which is to/from
the disk. You do not want to process data which will be going to the
system cache. So you want to check for the IRP_NOCACHE flag and if this
is not set, don’t do anything with the IO. Note that when requests have
either the IRP_PAGING_IO or IRP_SYNCHRONOUS_PAGING_IO they also have the
IRP_NOCACHE flag set … but your check is right below.
If things are crashing it’s because you have a bug in your code.
Pete
On 5/7/2012 11:43 AM, Nhat Hoang wrote:
> Sorry, do you mean I must add this code in PreRead and PreWrite?
> if (!(Data->Iopb->IrpFlags & (IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO)))
> {
>     __leave;
> }
> When I added them, and loaded the minifilter at boot time, it got a
> BSOD with 0xBE bugcheck.
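The rule Pete gives above (transform only I/O that carries IRP_NOCACHE, leave cache-bound I/O alone), as an added example that is not part of the thread or any poster's driver: a user-mode C model of the two paths, showing plaintext in the cache and ciphertext on disk. The three IrpFlags values are the ones in the WDK's wdm.h; the function names, the 16-byte "file" and the additive toy cipher are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* IrpFlags values as defined in the WDK's wdm.h */
#define IRP_NOCACHE                0x00000001
#define IRP_PAGING_IO              0x00000002
#define IRP_SYNCHRONOUS_PAGING_IO  0x00000040
#define FILE_SIZE 16
#define TOY_KEY   0x5A  /* constructed; stands in for a real cipher */

static uint8_t cache[FILE_SIZE];  /* models the system cache (plaintext view) */
static uint8_t disk[FILE_SIZE];   /* models what reaches the volume */

/* Paging I/O also carries IRP_NOCACHE, so testing that one bit is enough. */
int should_transform(uint32_t irp_flags) { return (irp_flags & IRP_NOCACHE) != 0; }

static void toy_crypt(uint8_t *dst, const uint8_t *src, size_t n, int enc) {
    for (size_t i = 0; i < n; i++)
        dst[i] = (uint8_t)(enc ? src[i] + TOY_KEY : src[i] - TOY_KEY);
}

/* PreWrite model: encrypt into a separate (swapped) buffer, never in place. */
void model_write(uint32_t irp_flags, const uint8_t *buf, size_t n) {
    uint8_t swapped[FILE_SIZE];
    if (!should_transform(irp_flags)) { memcpy(cache, buf, n); return; } /* cached write */
    toy_crypt(swapped, buf, n, 1);
    memcpy(disk, swapped, n);
}

/* PostRead model: decrypt only data that came from disk. */
void model_read(uint32_t irp_flags, uint8_t *buf, size_t n) {
    if (!should_transform(irp_flags)) { memcpy(buf, cache, n); return; } /* cache hit */
    toy_crypt(buf, disk, n, 0);
}

/* A cached write, followed by the paging write that flushes the cache. */
void model_write_and_flush(const uint8_t *plain, size_t n) {
    model_write(0, plain, n);
    model_write(IRP_NOCACHE | IRP_PAGING_IO, cache, n);
}

int main(void) {
    const uint8_t plain[FILE_SIZE] = "secret contents";  /* constructed sample */
    uint8_t back[FILE_SIZE];
    model_write_and_flush(plain, FILE_SIZE);
    model_read(IRP_NOCACHE | IRP_PAGING_IO, back, FILE_SIZE);
    return memcmp(back, plain, FILE_SIZE) == 0 && memcmp(disk, plain, FILE_SIZE) != 0 ? 0 : 1;
}
```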
> At boot start typically only the kernel, HAL, driver files and registry
> hives
.NLS tables too.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com