Hello everyone, when I was developing transparent encryption and decryption, I used notepad.exe as an example for verification. However, when I verified it on Windows XP platform, I found that notepad.exe always triggered two page writes (according to my observation, other platforms only triggered one page write), causing the plain text to be written into the file. My filter working logic is to only intercept page writes and disable fastio.
this my code,welcome to communicate or help me ,hhh!
if (FLT_IS_FASTIO_OPERATION(Data))
{
return FLT_PREOP_DISALLOW_FSFILTER_IO;
}
if (BooleanFlagOn(Data->Iopb->IrpFlags, (IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO)))
{
encode.....
}else{
pass........
}