Using FileObject->Flags to determine if it is metadata file in NTFS

Hi,
I am developing an on-the-fly encryption/decryption FS minifilter driver. But I do NOT want to encrypt/decrypt the metadata files in NTFS, such as $Mft, $Logfile, and so on. I use FileObject->Flags to filter them, that is, if FlagOn(FileObject->Flags, FO_STREAM_FILE), then I do NOT encrypt/decrypt the file. But in testing, when I installed a programme into my encrypted directory, I found that many files were NOT encrypted because of this filtering, since their FO_STREAM_FILE flags are set. So when the installation finished, the programme does NOT work. I hope you can help. Thank you!

Best Wishes!

FO_STREAM_FILE has nothing to do with metadata.
You need to query the Internal ID of the file, and if it’s <16 assume it’s metadata. (I think this is extended to <32, but I’ve not seen ID 16-32 yet!)

xxxxx@yahoo.com.cn wrote:

Hi,
I am developing an on-the-fly encryption/decryption FS minifilter driver. But I do NOT want to encrypt/decrypt the metadata files in NTFS, such as $Mft, $Logfile, and so on. I use FileObject->Flags to filter them, that is, if FlagOn(FileObject->Flags, FO_STREAM_FILE), then I do NOT encrypt/decrypt the file. But in testing, when I installed a programme into my encrypted directory, I found that many files were NOT encrypted because of this filtering, since their FO_STREAM_FILE flags are set. So when the installation finished, the programme does NOT work. I hope you can help. Thank you!


Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.

Hi,
Thank you! Do you mean FILE_ID, not the FileObject ID?

I mean issuing IRP_MJ_QUERY_INFORMATION with FileInternalInformation class.

xxxxx@yahoo.com.cn wrote:

Hi,
Thank you! Do you mean FILE_ID, not the FileObject ID?


Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.
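
The check suggested in the replies above, as an added example that is not code from the thread: on NTFS the 64-bit IndexNumber returned for FileInternalInformation carries the MFT record number in its low 48 bits and a sequence number in its high 16 bits, so the "< 16" comparison has to be made on the record number alone. It is written as portable user-mode C so it runs without the WDK (in a minifilter the value would come from FltQueryInformationFile with FileInternalInformation); the function names and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Layout of the NTFS file reference number found in
 * FILE_INTERNAL_INFORMATION.IndexNumber.QuadPart:
 *   bits  0..47  MFT record (segment) number
 *   bits 48..63  sequence number, incremented when the record is reused */
#define NTFS_SEGMENT_MASK   0x0000FFFFFFFFFFFFULL
#define NTFS_METADATA_LIMIT 16u   /* threshold quoted in the thread */

static uint64_t frn_segment(uint64_t index_number)
{
    return index_number & NTFS_SEGMENT_MASK;
}

static uint16_t frn_sequence(uint64_t index_number)
{
    return (uint16_t)(index_number >> 48);
}

/* Pitfall: comparing the raw value fails whenever the sequence number is
 * non-zero, so metadata files would be encrypted by mistake. */
static int is_metadata_raw(uint64_t index_number)
{
    return index_number < NTFS_METADATA_LIMIT;
}

/* Hypothetical helper: the record-number test is only meaningful on NTFS,
 * because IndexNumber is file-system-specific. */
static int is_ntfs_metadata(uint64_t index_number, int volume_is_ntfs)
{
    return volume_is_ntfs && frn_segment(index_number) < NTFS_METADATA_LIMIT;
}

int main(void)
{
    /* Constructed sample reference numbers (sequence << 48 | record). */
    const struct { const char *name; uint64_t frn; } samples[] = {
        { "$MFT",      0x0001000000000000ULL },
        { "$LogFile",  0x0002000000000002ULL },
        { "root dir",  0x0005000000000005ULL },
        { "user file", 0x0003000000001A2BULL },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-9s record=%llu seq=%u raw_check=%d masked_check=%d\n",
               samples[i].name,
               (unsigned long long)frn_segment(samples[i].frn),
               (unsigned)frn_sequence(samples[i].frn),
               is_metadata_raw(samples[i].frn),
               is_ntfs_metadata(samples[i].frn, 1));
    return 0;
}
```

Record 5 is the volume root directory, so it also falls under the threshold; a filter that only transforms file data would already skip it as a directory.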