Hi Folks
I have two more question
- Is is really possible to create on fly solution using minifilter or i need to make isolated driver is only the solution.
- I read this post Handling Paging IO Read change actual data on disk where Aditya has mentioned he changed his read operation to decrypt only if IrpFlags has IRP_NOCACHE or IRP_PAGING_IO or IRP_SYNCHRONOUS_PAGING_IO bit set. And he was able to decrypt encrypted data. But i was not able to do so. Below is my pseudo code for same, please suggest if this is what aditya has done or any changes needed.
FLT_PREOP_CALLBACK_STATUS PreReadCallback(
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_opt_ PVOID CompletionContext
)
{
ULONG flag = Data->Iopb->IrpFlags;
KdPrint(("Pre Read"));
if (FlagOn(IRP_NOCACHE, flag)) {
return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
if (FlagOn(IRP_PAGING_IO, flag)) {
return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
if(FlagOn(IRP_SYNCHRONOUS_PAGING_IO, flag)) {
return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
FLT_POSTOP_CALLBACK_STATUS
PostReadCallback(
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_opt_ PVOID CompletionContext,
_In_ FLT_POST_OPERATION_FLAGS Flags
)
{
UNREFERENCED_PARAMETER(Flags);
UNREFERENCED_PARAMETER(CompletionContext);
UNREFERENCED_PARAMETER(FltObjects);
if (!NT_SUCCESS(Data->IoStatus.Status) || Data->IoStatus.Information == 0 || Data->Iopb->Parameters.Read.ReadBuffer == NULL) {
return FLT_POSTOP_FINISHED_PROCESSING;
}
PUCHAR buffer = (PUCHAR)Data->Iopb->Parameters.Read.ReadBuffer;
ULONG bytesRead = (ULONG)Data->IoStatus.Information;
CHAR dummy[] = "This is dummy content";
SIZE_T toCopy = min(sizeof(dummy) - 1, bytesRead);
RtlCopyMemory(buffer, dummy, toCopy);
Data->IoStatus.Information = (ULONG)toCopy;
return FLT_POSTOP_FINISHED_PROCESSING;
}