ZwMapViewOfSection question

Leonid · May 3, 2004, 11:46am

I am trying to use Protect parameter to prevent file modification on the
disk. I add value PAGE_WRITECOPY to Protect parameter when
ZwMapViewOfSection gets called. It doesn’t work. I still have disk file
modified. Any idea about what is wrong in this approach?

Thank you

Leonid

OSR_Community_User · May 3, 2004, 12:01pm

In kernel mode, write-copy cannot work. This is due to x86 CPU feature -
the Ring 0 overrides the read-only bits on PTEs.

You can switch this off by writing to some MSR, possibly breaking Windows
at all in the progress

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Leonid Meyerovich”
To: “Windows File Systems Devs Interest List”
Sent: Monday, May 03, 2004 7:45 PM
Subject: [ntfsd] ZwMapViewOfSection question

>
> I am trying to use Protect parameter to prevent file modification on the
> disk. I add value PAGE_WRITECOPY to Protect parameter when
> ZwMapViewOfSection gets called. It doesn’t work. I still have disk file
> modified. Any idea about what is wrong in this approach?
>
> Thank you
>
> Leonid
>
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · May 3, 2004, 12:10pm

Well, actually I am intercepting NtMapViewOfSection, not
ZwMapViewOfSection. So how can I protect disk file against modification,
I still need to modify file in memory (to decrypt it, for example)?
Where write-copy can be used then?

Thank you
Leonid

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Monday, May 03, 2004 11:01 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] ZwMapViewOfSection question

In kernel mode, write-copy cannot work. This is due to x86 CPU
feature -
the Ring 0 overrides the read-only bits on PTEs.

You can switch this off by writing to some MSR, possibly breaking
Windows
at all in the progress

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Leonid Meyerovich”
To: “Windows File Systems Devs Interest List”
Sent: Monday, May 03, 2004 7:45 PM
Subject: [ntfsd] ZwMapViewOfSection question

>
> I am trying to use Protect parameter to prevent file modification on
the
> disk. I add value PAGE_WRITECOPY to Protect parameter when
> ZwMapViewOfSection gets called. It doesn’t work. I still have disk
file
> modified. Any idea about what is wrong in this approach?
>
> Thank you
>
> Leonid
>
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@trustededge.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · May 4, 2004, 7:52am

Sorry, I am repeating my question because it is very important for my
project and I cannot fine right solution:

I am trying to modify parameters while opening memory-mapped file to
protect disk file against modification. I was trying to use
copy-on-write flag but Maxim explained that it doesn’t work in kernel
mode (BTW, in this case it doesn’t work at all, because this flag is
sending down from NtMapViewOfSection to ZwMapViewOfSection - I am
wrong?).
Is there any way to implement it in kernel/user mode?
How read-only file is implemented?
When the dirty pages are flushed to the disk, in ZwUnmapViewOfSection
function?

Thank you
Leonid

Alexey_Logachyov · May 4, 2004, 4:38pm

You may write a file system filter driver which redirects write request to
selected files to some other storage. This is not an easy solution.

–htfv

“Leonid Meyerovich” wrote in message
news:xxxxx@ntfsd…
Sorry, I am repeating my question because it is very important for my
project and I cannot fine right solution:

I am trying to modify parameters while opening memory-mapped file to
protect disk file against modification. I was trying to use
copy-on-write flag but Maxim explained that it doesn’t work in kernel
mode (BTW, in this case it doesn’t work at all, because this flag is
sending down from NtMapViewOfSection to ZwMapViewOfSection - I am
wrong?).
Is there any way to implement it in kernel/user mode?
How read-only file is implemented?
When the dirty pages are flushed to the disk, in ZwUnmapViewOfSection
function?

Thank you
Leonid