Hi, everyone,
I'm working on a file filter driver that encrypts/decrypts particular
file data. As a test, I wrote my driver based on Filemon, and now I have run
into some problems and hope someone can give me some advice, thanks.
In my test driver, I only hook IRP_MJ_READ and IRP_MJ_WRITE, and if
Irp->Flags & (IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO) is set, I
hook it and deal with it.
In my mind, I want to catch all the file data in a particular directory
transferred between the file system and the hard disk and encrypt/decrypt the data. For
IRP_MJ_READ, I only set a completion routine where I decrypt the data, then
IoCallDriver; and for IRP_MJ_WRITE, I save the original
Irp->MdlAddress/SystemBuffer/UserBuffer to a structure defined by myself,
then copy the data that will be written to a temp buffer and encrypt it,
set up a new MdlAddress/modify the original Irp last, before setting the completion
routine, and then call IoCallDriver.
The code looks simple, but it doesn't work well :(
The main problem is that the system often dies, or programs such as
WinRAR/Windows Paint/Explorer stay in one state and can't respond to
input any more.
I put DbgPrint calls in the driver and use DriverMonitor to check the output.
I find that when I copy a directory including many files to the particular
folder I care about, the WRITE IRPs are sent by System, but there are many
READ IRPs sent by Explorer which have the same Offset (0) and Length (4096).
When the prior problem appears, DriverMonitor can't display any
information.
I'm sorry for my poor English and hope you can understand what I say. If
you have experience or advice, please tell me, thanks a lot!!
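As an added illustration (not code from the post or from Filemon), here is a user-mode C model of the write-path buffer swap and read-path decrypt the post describes, showing the save/swap/restore order a completion routine must keep. The Irp and SwapCtx types, the lower_* stand-ins for IoCallDriver, the constructed "disk" array and the XOR keystream are assumptions for the model, not the kernel's API or a real cipher.

```c
/* User-mode model of the read/write buffer handling a legacy filter does for
 * IRP_MJ_READ / IRP_MJ_WRITE. Constructed for illustration: Irp, SwapCtx and
 * the lower_* functions are hypothetical stand-ins for the kernel IRP, MDL and
 * IoCallDriver; the XOR keystream is a toy transform, not a real cipher. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint8_t *buffer; size_t length; uint64_t offset; } Irp;
/* Saved before the swap, used by the "completion routine" to restore. */
typedef struct { uint8_t *origBuffer; uint8_t *tempBuffer; } SwapCtx;

static uint8_t keystream(uint64_t pos) { return (uint8_t)(0xA5 ^ (pos * 31)); }
/* Offset-keyed so each file position encrypts/decrypts the same way. */
static void xor_transform(uint8_t *b, size_t n, uint64_t off) {
    for (size_t i = 0; i < n; i++) b[i] ^= keystream(off + i);
}
/* Stand-ins for the lower driver; "disk" is the constructed backing store. */
static void lower_write(Irp *irp, uint8_t *disk) { memcpy(disk + irp->offset, irp->buffer, irp->length); }
static void lower_read(Irp *irp, const uint8_t *disk) { memcpy(irp->buffer, disk + irp->offset, irp->length); }

/* IRP_MJ_WRITE: encrypt a private copy, never the caller's (or the cache
 * manager's) pages; swap it in, and restore the original on completion. */
int filter_write(Irp *irp, uint8_t *disk) {
    SwapCtx ctx = { irp->buffer, malloc(irp->length) };
    if (!ctx.tempBuffer) return -1;
    memcpy(ctx.tempBuffer, irp->buffer, irp->length);
    xor_transform(ctx.tempBuffer, irp->length, irp->offset);
    irp->buffer = ctx.tempBuffer;         /* the swapped "MdlAddress" */
    lower_write(irp, disk);               /* IoCallDriver */
    irp->buffer = ctx.origBuffer;         /* completion: put the IRP back */
    free(ctx.tempBuffer);
    return 0;
}
/* IRP_MJ_READ: nothing to do on the way down; decrypt in completion. */
int filter_read(Irp *irp, const uint8_t *disk) {
    lower_read(irp, disk);
    xor_transform(irp->buffer, irp->length, irp->offset);
    return 0;
}
/* Round trip through a 4096-byte constructed page: returns 1 on success. */
int roundtrip_ok(void) {
    static uint8_t disk[8192], plain[4096], got[4096];
    for (size_t i = 0; i < sizeof plain; i++) plain[i] = (uint8_t)i;
    Irp w = { plain, sizeof plain, 4096 }, r = { got, sizeof got, 4096 };
    if (filter_write(&w, disk) || w.buffer != plain) return 0;  /* restored? */
    if (memcmp(disk + 4096, plain, sizeof plain) == 0) return 0; /* must be ciphertext */
    if (filter_read(&r, disk)) return 0;
    return memcmp(got, plain, sizeof plain) == 0;
}
```

The check `w.buffer != plain` is the point of the model: whatever was swapped in must be swapped back out before the IRP returns to its originator, or the caller (and the cache manager on paging I/O) sees a buffer it never owned.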