Write Operation auto-decrypts

Hi,
I’m building a minifilter for simple on-the-fly decryption. I’m already done with the decryption.
Now I’m facing a problem: when my minifilter starts, I copy the encrypted file to another new one. When I stop the minifilter, that new file is decrypted!
I think when I copy to a new file, it has to read into the buffer, and it’s decrypted there; after that, the decrypted buffer is written down to the new file, so I get the decrypted file, right?
So what must I do to deal with this? Do I need to notice the parameter “FltObjects->FileObject->WriteAccess”?
Thanks so much.

I’ve searched the archives and figured out that a copy will first have two Create File operations and after that multiple reads. Maybe this is a good way to detect a file copy? Are there any other ways?

Have you ever studied logic? You have observed that in a terribly limited
single experiment, X is true, and from this you conclude that for all
conditions, X must be true. Do you see the failure here?

If we let “E” stand for “there exists” and “A” stand for “for all”, let
“|” mean “such that” and “=>” mean “implies”, and p(x) is some predicate
which is true, you have just come up with the syllogism
Ex | p(x) => Ax, p(x)

Congratulations. You have just failed Philosophy 101.

Trivial counterexample: I am going to display a sorted list of word
counts. I open the input file. I create the output file. I do multiple
ReadFiles. By your logic, I am doing a copy. Huh?

I know of no way to reliably determine that a copy operation is being
done. Even if you did something as insane as hook the CopyFile API (and
you shouldn’t, and it won’t work in modern versions of Windows), you would
not catch every attempt to copy a file.
joe


NTFSD is sponsored by OSR


You can’t generically detect file copy. You can detect some cases but there is no way to do this generically for all possible cases and without false positives.

The scenario you are describing sounds valid. Basically your policy is “file c:\foo\bar.txt should be encrypted” and when you copy it to some other file it is not, which is expected. You could change your policy (all files on C:\ are to be encrypted or all files under c:\foo …) and then you would also encrypt the file in the write path depending on the target location.

Thanks,
Alex.
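The location-based policy Alex describes, as an added user-mode C model that is not part of the original thread and is not driver code: the read path decrypts and the write path encrypts whenever the file's path falls under the policy root, so no copy detection is needed. The names `POLICY_ROOT`, `path_in_scope`, `filter_read`, `filter_write` and `copy_lands_encrypted` are hypothetical, and the XOR transform is a toy stand-in for a real cipher.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static const char *POLICY_ROOT = "c:\\foo"; /* assumed policy: all files under c:\foo */

/* 1 if path is under root: case-insensitive prefix that must end on a component
   boundary, so c:\foobar\x.txt is NOT treated as being under c:\foo. */
int path_in_scope(const char *path, const char *root) {
    size_t n = strlen(root);
    for (size_t i = 0; i < n; i++)
        if (path[i] == '\0' ||
            tolower((unsigned char)path[i]) != tolower((unsigned char)root[i]))
            return 0;
    return path[n] == '\\';
}

/* Toy XOR stand-in for the real cipher; it is its own inverse. */
static void toy_xor(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] ^= 0x5A;
}

/* Read path: bytes from an in-scope file are decrypted before the caller sees them. */
void filter_read(const char *path, const unsigned char *disk, unsigned char *out, size_t len) {
    memcpy(out, disk, len);
    if (path_in_scope(path, POLICY_ROOT)) toy_xor(out, len);
}

/* Write path: the decision depends only on the TARGET path, not on where data came from. */
void filter_write(const char *path, const unsigned char *in, unsigned char *disk, size_t len) {
    memcpy(disk, in, len);
    if (path_in_scope(path, POLICY_ROOT)) toy_xor(disk, len);
}

/* Copies src to dst through the filter; returns 1 if dst ends up encrypted on disk. */
int copy_lands_encrypted(const char *src, const char *dst) {
    const unsigned char plain[] = "secret"; /* constructed sample data */
    unsigned char src_disk[sizeof plain], app_buf[sizeof plain], dst_disk[sizeof plain];
    filter_write(src, plain, src_disk, sizeof plain);  /* create the source file */
    filter_read(src, src_disk, app_buf, sizeof plain); /* copy: read (decrypts)... */
    filter_write(dst, app_buf, dst_disk, sizeof plain);/* ...then write to the target */
    return memcmp(dst_disk, plain, sizeof plain) != 0;
}

int main(void) {
    printf("copy within c:\\foo: %d\n", copy_lands_encrypted("c:\\foo\\bar.txt", "c:\\foo\\copy.txt"));
    printf("copy out of c:\\foo: %d\n", copy_lands_encrypted("c:\\foo\\bar.txt", "c:\\temp\\copy.txt"));
    return 0;
}
```

A copy that leaves the policy root still lands as plaintext, which is the behaviour Alex calls expected; widening the root is what changes that.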

Thanks for all your replies, I’ll check it out!