Very Strange And Interesting mini-filter SwapBuffer Problem

Hi everyone:

My name is wang xiao zhen.
Thank you for reading my question; I really hope someone could give me some
suggestions.

I just installed the DDK at C:\WINDDK\3790.1830 to learn how to write a
mini-filter driver.
In the src directory there is a swapbuffers sample.
On my machine, it is stored at
C:\WINDDK\3790.1830\src\filesys\minifilter\swapbuffers.

It’s quite symmetric; it hooks PreReadBuffer, PostReadBuffer, PreWriteBuffer,
PostWriteBuffer, …

My purpose is:
When files are saved to the directory c:\test, all bits are XORed with ‘a’.
When files are read from the directory c:\test, all bits are XORed with ‘a’.

If these data modifications can be properly performed,
a simple custom on-the-fly encryption/decryption filter driver will be
implemented.

So I did the following things based on this swapbuffers sample.

  1. First I wrote an “IsProtectedDir” function to check whether the
    FLT_CALLBACK_DATA FileNameInformation parent directory name is \test\ or not.
    If not, the callback function returns successfully.

  2. A simple XorBuffer function that operates on the swapped buffer once its
    address is obtained.

Some interesting things happened.

When I use notepad.exe to test it, I type 0123 and then save it to
c:\test\a.txt.
When I open the a.txt file again, it displays QPSR.

Does this mean 0123 was XORed and saved?

I guessed that the XORed buffer was held in the cache. So I rebooted my debug
machine,
loaded and started my driver again, and used notepad.exe to open c:\test\a.txt
again.
It still displays QPSR.

But suddenly I found that when I use wordpad.exe to open the c:\test\a.txt
file, it actually displays 0123!

This means notepad and wordpad do their I/O operations differently.

Why does this happen?

I also have these questions:

  1. Can every disk write or read operation be intercepted by a mini-filter
    driver?
  2. If so, can the data of every disk write or read be symmetrically
    replaced?

If these two conditions hold and I just do encryption and decryption on disk,
I think I can ignore the cache issue.

Because cache data is loaded either from disk or from memory,
and memory data is loaded from disk as well.

So is this idea OK?


Here are the places where I added or modified code in the swapbuffers.c file:


In function “SwapPreWriteBuffers”, at the first try:

    try {

        // Only process files whose parent directory is \test\
        if( IsProtectedDir(Data) == FALSE )
        {
            leave;
        }

        ...

        // And once I have the new buffer address, I just change the data
        // to be written

        RtlCopyMemory( newBuf,
                       origBuf,
                       writeLen );
        XorBuffer(newBuf, writeLen);


In function “SwapPreReadBuffers”, at the first try:

    try {
        // Only process files whose parent directory is \test\
        if( IsProtectedDir(Data) == FALSE )
        {
            leave;
        }

        ...


In function “SwapPostReadBuffers”:

        //
        // We either have a system buffer or this is a fastio operation
        // so we are in the proper context. Copy the data handling an
        // exception.
        //

        try {

            // Undo the XOR on the data that was read, then hand it back
            XorBuffer(p2pCtx->SwappedBuffer, (ULONG)Data->IoStatus.Information);

            RtlCopyMemory( origBuf,
                           p2pCtx->SwappedBuffer,
                           Data->IoStatus.Information );

        } except (EXCEPTION_EXECUTE_HANDLER) {

        ...


In function “SwapPostReadBuffersWhenSafe”:

        //
        // Copy the data back to the original buffer. Note that we
        // don’t need a try/except because we will always have a system
        // buffer address.
        //

        XorBuffer(p2pCtx->SwappedBuffer, (ULONG)Data->IoStatus.Information);

        RtlCopyMemory( origBuf,
                       p2pCtx->SwappedBuffer,
                       Data->IoStatus.Information );

        ...


    // XOR every byte of the buffer with the fixed key 'a'
    VOID XorBuffer(PUCHAR Byte, ULONG length)
    {
        ULONG byteCount;

        for (byteCount = 0; byteCount < length; byteCount++)
        {
            Byte[byteCount] ^= 'a';
        }
    }

    // Returns TRUE when the file's parent directory is the protected directory
    BOOLEAN IsProtectedDir(PFLT_CALLBACK_DATA Data)
    {
        PFLT_FILE_NAME_INFORMATION FileNameInformation = NULL;
        NTSTATUS status;

        status = FltGetFileNameInformation(Data,
                                           FLT_FILE_NAME_NORMALIZED,
                                           &FileNameInformation);

        if ( NT_SUCCESS(status) )
        {
            status = FltParseFileNameInformation(FileNameInformation);

            if( NT_SUCCESS(status) )
            {
                //KdPrint(("Parent Dir is %S\n", FileNameInformation->ParentDir.Buffer));

                // Exact, case-sensitive match of the parent directory
                if( RtlCompareUnicodeString(&FileNameInformation->ParentDir,
                                            &ProtectedDirName, FALSE) == 0)
                {
                    FltReleaseFileNameInformation(FileNameInformation);
                    return TRUE;
                }

                // Prefix match on the first 4 characters. RtlCompareMemory
                // returns the number of bytes that match, so the result is
                // compared with the full length rather than with 0, and the
                // parent directory must be at least that long.
                if( FileNameInformation->ParentDir.Length >= sizeof(WCHAR) * 4 &&
                    RtlCompareMemory(FileNameInformation->ParentDir.Buffer,
                                     ProtectedDirName.Buffer,
                                     sizeof(WCHAR) * 4) == sizeof(WCHAR) * 4)
                {
                    KdPrint((" !!! sTARt with test \n"));
                    FltReleaseFileNameInformation(FileNameInformation);
                    return TRUE;
                }

                FltReleaseFileNameInformation(FileNameInformation);
            }
            else
            {
                KdPrint(("swapbuffers!IsProtectedDir : Error FltParseFileNameInformation "));

                // The name information must be released on this path as well
                FltReleaseFileNameInformation(FileNameInformation);
            }
        }
        else if( status == STATUS_FLT_INVALID_NAME_REQUEST )
        {
            KdPrint(("swapbuffers!IsProtectedDir : Error STATUS_FLT_INVALID_NAME_REQUEST return by FltGetFileNameInformation "));
        }
        else if( status == STATUS_INSUFFICIENT_RESOURCES )
        {
            KdPrint(("swapbuffers!IsProtectedDir : Error STATUS_INSUFFICIENT_RESOURCES return by FltGetFileNameInformation "));
        }
        else if( status == STATUS_INVALID_PARAMETER )
        {
            KdPrint(("swapbuffers!IsProtectedDir : Error STATUS_INVALID_PARAMETER return by FltGetFileNameInformation "));
        }
        return FALSE;
    }


Could someone give me some suggestions to solve this problem?

Thanks a lot

Regards!

  1. I expect you need to think about memory mapped files
  2. Please do not cross post


Since English isn’t his primary language, I’ll define “cross posting”
for him.

Wang, welcome to the list, but as Lyndon pointed out, please don’t
cross-post. Meaning, please don’t post a duplicate question to NTDEV and
NTFSD. Many people here that could help you subscribe to both lists, and
your ‘cross-posting’ results in them getting 2 duplicate emails. That will
discourage them from helping you out - if your question regards filesystems,
please only post it to the NTFSD list.

Second, Lyndon is correct, you need to read about memory mapped files,
they are treated differently.

Third, you asked:

“1. Can every disk write or read operation be intercepted by a mini-filter driver?”

Yes, they can all be intercepted in a minifilter, IRP based IO or fastIO.

“2. If so, can the data of every disk write or read be symmetrically replaced?”

If you are messing with the callback data, you need to read about FltSetCallbackDataDirty.

m


Thanks MM and Lyndon J. Clarke!

I checked the IFS FAQ, and I now know that notepad uses memory-mapped files.
So what should I do as the next step?

I also want to study these requests:

IRP_MJ_ACQUIRE_FOR_CC_FLUSH
IRP_MJ_ACQUIRE_FOR_MOD_WRITE
IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION

IRP_MJ_RELEASE_FOR_CC_FLUSH
IRP_MJ_RELEASE_FOR_MOD_WRITE
IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION

IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE

Is that the right way to solve this problem, so that notepad.exe reads the
data correctly?

And would you mind telling me how to read memory mapped files?

And if wordpad.exe and notepad.exe can work correctly
when reading and writing files in the c:\test directory that the filter
driver hooks,

do big applications like Office Word work correctly as well?

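The notepad/WordPad difference reported in this thread can be reproduced with a small user-mode C model. This is an added example, not code from the thread or from the DDK sample: it assumes the file is saved with an ordinary cached write, that notepad reads it through a memory-mapped view and that WordPad reads it with an ordinary cached read, and every name in it is hypothetical. It goes one step beyond the thread by also modelling a second policy that transforms only non-cached (paging) I/O.

```c
/* Added illustration: a user-mode model, not driver code and not the DDK
 * sample. All names are hypothetical. "cache" stands for the file's cached
 * pages, which cached reads and mapped views both use. */
#include <stdio.h>
#include <string.h>

#define FILE_LEN 4
#define KEY 'a'

typedef enum {
    XOR_EVERY_IO,       /* the policy in the post: transform every read/write */
    XOR_NONCACHED_ONLY  /* assumed alternative: transform only paging I/O */
} policy_t;

typedef struct {
    policy_t policy;
    unsigned char disk[FILE_LEN];
    unsigned char cache[FILE_LEN];
    int cache_valid;
} model_t;

typedef struct {
    char notepad[FILE_LEN + 1];  /* what a mapped-view reader sees */
    char wordpad[FILE_LEN + 1];  /* what a cached-read reader sees */
    char disk[FILE_LEN + 1];     /* what is really stored on disk */
} views_t;

static void xor_buffer(unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        p[i] ^= KEY;
}

/* Paging write (cache -> disk). It passes the filter under both policies. */
static void paging_write(model_t *m)
{
    memcpy(m->disk, m->cache, FILE_LEN);
    xor_buffer(m->disk, FILE_LEN);
}

/* Paging read (disk -> cache), also filtered under both policies. */
static void paging_read(model_t *m)
{
    memcpy(m->cache, m->disk, FILE_LEN);
    xor_buffer(m->cache, FILE_LEN);
    m->cache_valid = 1;
}

/* WriteFile-style cached write: app buffer -> filter -> cache, then flushed. */
static void cached_write(model_t *m, const char *data)
{
    memcpy(m->cache, data, FILE_LEN);
    if (m->policy == XOR_EVERY_IO)
        xor_buffer(m->cache, FILE_LEN);
    m->cache_valid = 1;
    paging_write(m);            /* lazy-writer flush, modelled as immediate */
}

/* ReadFile-style cached read: cache -> filter -> app buffer. */
static void cached_read(model_t *m, char *out)
{
    if (!m->cache_valid)
        paging_read(m);
    memcpy(out, m->cache, FILE_LEN);
    if (m->policy == XOR_EVERY_IO)
        xor_buffer((unsigned char *)out, FILE_LEN);
    out[FILE_LEN] = '\0';
}

/* Mapped view: the app touches the cached pages directly; the only filtered
 * request is the paging read that faults them in. */
static void mapped_read(model_t *m, char *out)
{
    if (!m->cache_valid)
        paging_read(m);
    memcpy(out, m->cache, FILE_LEN);
    out[FILE_LEN] = '\0';
}

/* Save "0123", reboot, then open via mapping and via cached read. */
views_t run_scenario(policy_t policy)
{
    model_t m;
    views_t v;

    memset(&m, 0, sizeof m);
    m.policy = policy;
    cached_write(&m, "0123");
    m.cache_valid = 0;          /* reboot: cached pages are gone */
    mapped_read(&m, v.notepad);
    m.cache_valid = 0;
    cached_read(&m, v.wordpad);
    memcpy(v.disk, m.disk, FILE_LEN);
    v.disk[FILE_LEN] = '\0';
    return v;
}

int main(void)
{
    views_t a = run_scenario(XOR_EVERY_IO);
    views_t b = run_scenario(XOR_NONCACHED_ONLY);

    printf("every I/O:       notepad=%s wordpad=%s disk=%s\n",
           a.notepad, a.wordpad, a.disk);
    printf("non-cached only: notepad=%s wordpad=%s disk=%s\n",
           b.notepad, b.wordpad, b.disk);
    return 0;
}
```

Under the first policy the data is XORed twice on its way to disk, so the disk holds plaintext and only the mapped reader sees the single XOR applied by the paging read. In a real minifilter the non-cached requests are the ones with IRP_NOCACHE or IRP_PAGING_IO set in Data->Iopb->IrpFlags.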

Thanks MM and Lyndon J. Clarke !

I check the IFS FAQ, and i know that notepad use the mapped file in memory.
So what i should do next step ?

And I also want to study these request:

IRP_MJ_ACQUIRE_FOR_CC_FLUSH
IRP_MJ_ACQUIRE_FOR_MOD_WRITE
IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION

IRP_MJ_RELEASE_FOR_CC_FLUSH
IRP_MJ_RELEASE_FOR_MOD_WRITE
IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION

IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE

Is it right for solve this problem that notepad.exe read data correct ?

And Do you mind tell me how to read memory mapped files ?

And If wordpad.exe and notpad.exe can work correct
when read and write file in c:\test directroy that filter dirver hooked.

Does big application like Office word can work correctly as well ?

Second, Lyndon is correct, you need to read about memory mapped files,
they are treated differently.

Third, you asked:

“1. Does every write or read disk operation can be intercepted by
mini-filter driver?”

Yes, they can all be intercepted in a minifilter, IRP based IO or fastIO.

“2. If it does, Does every write or read disk data can be symmetrically
replaced?”

If you messing with the callback data, you need to read about
FltSetCallbackDataDirty.

m

Lyndon J. Clarke wrote:

  1. I expect you need to think about memory mapped files
  2. Please do not cross post

“sa_sa_jerry” wrote in message
>news:xxxxx@ntfsd…
>
>
>>Hi every one:
>>
>>My name is wang xiao zhen.
>>Welcome to read my post question, and really hope onesome could give me
>>some suggesion.
>>
>>I just installed DDK at C:\WINDDK\3790.1830 learn how to write mini-filter
>>driver.
>>In the src directory have a swapbuffers sample.
>>In my machine,it store at
>>C:\WINDDK\3790.1830\src\filesys\minifilter\swapbuffers.
>>
>>It’s quite symmetry, hooked PreReadBuffer , PostRreadBuffer,
>>PreWriteBuffer, PostWriteBuffer, …
>>
>>My purpose is :
>>Files are saving to directory at c:\test , all bit do xor with ‘a’.
>>Files are reading from directory at c:\test , all bit do xor with ‘a’.
>>
>>If these data modification can be property performed,
>>a simple custom encryption decryption on-the-fly filter driver will be
>>implemented.
>>
>>
>>So I do the follow things based on this swapbuffer sample.
>>
>>1. First i wrote “IsProtectedDir” function to check FLT_CALLBACK_DATA
>>FileNameInformation Parent Dir name is \test\ or not.
>> If not , return the call back function successfully.
>>
>>2. A simple function XorBuffer operation when got the swapped buffer
>>address.
>>
>>
>>
>>Some interesting things happened.
>>
>>when i use the notepad.exe to test it. i type 0123 then save it to
>>c:\test\a.txt.
>>And I open a.txt file again , it display QPSR.
>>
>>Deos this means 0123 is be XORed and saved.
>>
>>I guess is this cache the xored buffer on cache. So i reboot my debug
>>machine,
>>load and start my driver angain, and use notpad.exe to open c:\test\a.txt
>>again.
>>It still display QPSR
>>
>>But suddenly i found that i use wordpad.exe to open c:\test\a.txt file it
>>actually display 0123 !
>>
>>This means , notepad and wordpad do the I/O operation differently.
>>
>>why this happens ?
>>
>>Also I have there Question
>>
>>1. Does every write or read disk operation can be intercepted by
>>mini-filter driver ?
>>2. If it does, Does every write or read disk data can be symmetrically
>>replaced ?
>>
>>If these two condition is OK and just do encryption and decryption on
>>disk,
>>i think i can ignore the Cache issue.
>>
>>Because Cache data is loaded either from disk or memory,
>>and memory data is also loaded form disk as well.
>>
>>So does this idea OK ?
>>
>>----------------------------------------------------------------------------------
>>
>>There are some place i added or modified code in swapbuffers.c files
>>
>>----------------------------------------------------------------------------------
>>
>>
>>In function “SwapPreWriteBuffers” , at first try
>>
>> try {
>>
>>
>> if( IsProtectedDir(Data)== FALSE )
>> {
>> leave;
>> }
>>
>>…
>>
>>//and when got the new buffer address, i just change the data for write
>>
>> RtlCopyMemory( newBuf,
>> origBuf,
>> writeLen );
>> XorBuffer(newBuf,writeLen);
>>
>>----------------------------------------------------------------------------------
>>
>>
>>//In function “SwapPreReadBuffers”, at first try
>>
>> try {
>> // just process file parent are \test<br>>> if( IsProtectedDir(Data)== FALSE )
>> {
>> leave;
>> }
>>…
>>----------------------------------------------------------------------------------
>>
>>//In function “SwapPostReadBuffers” ,
>>
>>//
>> // We either have a system buffer or this is a fastio operation
>> // so we are in the proper context. Copy the data handling an
>> // exception.
>> //
>>
>> try {
>>
>>XorBuffer(p2pCtx->SwappedBuffer,Data->IoStatus.Information);
>>
>> RtlCopyMemory( origBuf,
>> p2pCtx->SwappedBuffer,
>> Data->IoStatus.Information );
>>
>>} except (EXCEPTION_EXECUTE_HANDLER) {
>>
>>…
>>----------------------------------------------------------------------------------
>>In function “SwapPostReadBuffersWhenSafe”
>>
>> //
>> // Copy the data back to the original buffer. Note that we
>> // don't need a try/except because we will always have a system
>> // buffer address.
>> //
>>
>> XorBuffer(p2pCtx->SwappedBuffer,Data->IoStatus.Information);
>>
>> RtlCopyMemory( origBuf,
>> p2pCtx->SwappedBuffer,
>> Data->IoStatus.Information );
>>…
>>
>>----------------------------------------------------------------------------------
>>
>>
>>
>>VOID XorBuffer(PUCHAR Byte,ULONG length)
>>{
>>    ULONG byteCount;
>>    // XOR every byte with the fixed key 'a'; applying it twice restores the input
>>    for(byteCount = 0;byteCount < length; byteCount ++)
>>    {
>>        Byte[byteCount] ^= 'a';
>>    }
>>}
>>
>>BOOLEAN IsProtectedDir(PFLT_CALLBACK_DATA Data)
>>{
>>    PFLT_FILE_NAME_INFORMATION FileNameInformation=NULL;
>>    NTSTATUS status ;
>>
>>    status = FltGetFileNameInformation(Data,FLT_FILE_NAME_NORMALIZED,&FileNameInformation);
>>
>>    if ( NT_SUCCESS(status))
>>    {
>>        status= FltParseFileNameInformation(FileNameInformation);
>>
>>        if( NT_SUCCESS(status) )
>>        {
>>            //KdPrint(("Parent Dir is %S\n", FileNameInformation->ParentDir.Buffer));
>>            if( RtlCompareUnicodeString(&FileNameInformation->ParentDir,
>>                &ProtectedDirName,FALSE) == 0)
>>            {
>>                FltReleaseFileNameInformation(FileNameInformation);
>>                return TRUE;
>>            }
>>
>>            // RtlCompareMemory returns the number of matching bytes, so a
>>            // prefix match means the full compared length came back.
>>            if( FileNameInformation->ParentDir.Length >= sizeof(WCHAR) * 4 &&
>>                RtlCompareMemory(FileNameInformation->ParentDir.Buffer,
>>                ProtectedDirName.Buffer, sizeof(WCHAR) * 4) == sizeof(WCHAR) * 4)
>>            {
>>                KdPrint((" !!! sTARt with test \n"));
>>                FltReleaseFileNameInformation(FileNameInformation);
>>                return TRUE;
>>            }
>>
>>            FltReleaseFileNameInformation(FileNameInformation);
>>        }
>>        else
>>        {
>>            KdPrint(("swapbuffers!IsProtectedDir : Error FltParseFileNameInformation "));
>>            // Release the reference on the parse-failure path as well
>>            FltReleaseFileNameInformation(FileNameInformation);
>>        }
>>    }
>>    else if( status == STATUS_FLT_INVALID_NAME_REQUEST )
>>    {
>>        KdPrint(("swapbuffers!IsProtectedDir : Error STATUS_FLT_INVALID_NAME_REQUEST return by FltGetFileNameInformation "));
>>    }
>>    else if( status == STATUS_INSUFFICIENT_RESOURCES )
>>    {
>>        KdPrint(("swapbuffers!IsProtectedDir : Error STATUS_INSUFFICIENT_RESOURCES return by FltGetFileNameInformation "));
>>    }
>>    else if( status == STATUS_INVALID_PARAMETER )
>>    {
>>        KdPrint(("swapbuffers!IsProtectedDir : Error STATUS_INVALID_PARAMETER return by FltGetFileNameInformation "));
>>    }
>>    return FALSE;
>>}
>>
>>----------------------------------------------------------------------------------
>>
>>Could someone give me some suggestions to solve this problem?
>>
>>Thanks a lot
>>
>>
>>Regards!
>
>—
>Questions? First check the IFS FAQ at
>https://www.osronline.com/article.cfm?id=17
>
>You are currently subscribed to ntfsd as: xxxxx@comcast.net
>To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>

Second, Lyndon is correct, you need to read about memory mapped files,
they are treated differently.

Third, you asked:

“1. Does every write or read disk operation can be intercepted by
mini-filter driver?”

Yes, they can all be intercepted in a minifilter, IRP based IO or fastIO.

“2. If it does, Does every write or read disk data can be symmetrically
replaced?”

If you are messing with the callback data, you need to read about
FltSetCallbackDataDirty.

m

Lyndon J. Clarke wrote:

  1. I expect you need to think about memory mapped files
  2. Please do not cross post


> And I also want to study these request:
>
> IRP_MJ_ACQUIRE_FOR_CC_FLUSH
> IRP_MJ_ACQUIRE_FOR_MOD_WRITE
> IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION
>
> IRP_MJ_RELEASE_FOR_CC_FLUSH
> IRP_MJ_RELEASE_FOR_MOD_WRITE
> IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION
>
> IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE

There are no such IRPs, only the FastIo calls.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
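
A user-mode model of the memory-mapped-file issue raised in the replies, added here as an example (not code from the thread or the DDK sample): it compares a filter that XORs every read and write it sees with one that XORs only paging I/O. It assumes cached requests and the paging requests they trigger both pass through the filter, and that one reader maps the file while the other uses cached reads; all names in the block are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Constructed user-mode model: one 4-byte file, one cache page, one filter. */
enum policy { XOR_EVERY_IO, XOR_PAGING_ONLY };
#define LEN 4
static unsigned char disk[LEN], cache[LEN];
static int cache_valid, cache_dirty;
static enum policy mode;
static void xor_buf(unsigned char *b) { for (int i = 0; i < LEN; i++) b[i] ^= 'a'; }
/* Paging I/O is the only path that touches the disk; both policies transform it. */
static void paging_read(void) { memcpy(cache, disk, LEN); xor_buf(cache); cache_valid = 1; }
static void paging_write(void) {
    unsigned char swapped[LEN];
    memcpy(swapped, cache, LEN); xor_buf(swapped);
    memcpy(disk, swapped, LEN); cache_dirty = 0;
}
/* Cached write: the filter sees this request before the data lands in the cache. */
static void cached_write(const char *src) {
    memcpy(cache, src, LEN);
    if (mode == XOR_EVERY_IO) xor_buf(cache);
    cache_valid = cache_dirty = 1;
}
/* Cached read: a miss triggers a paging read, then the filter handles the copy. */
static void cached_read(char *dst) {
    if (!cache_valid) paging_read();
    memcpy(dst, cache, LEN);
    if (mode == XOR_EVERY_IO) xor_buf((unsigned char *)dst);
}
/* Mapped view: the reader sees the cache page; no cached read reaches the filter. */
static void mapped_read(char *dst) {
    if (!cache_valid) paging_read();
    memcpy(dst, cache, LEN);
}
/* Save "0123", flush, drop the cache (reboot), then read through both paths. */
static void run(enum policy p, char *on_disk, char *mapped, char *cached) {
    mode = p; cache_valid = cache_dirty = 0;
    cached_write("0123");
    if (cache_dirty) paging_write();
    memcpy(on_disk, disk, LEN);
    cache_valid = 0; mapped_read(mapped);
    cache_valid = 0; cached_read(cached);
    on_disk[LEN] = mapped[LEN] = cached[LEN] = '\0';
}
int main(void) {
    char d[LEN + 1], m[LEN + 1], c[LEN + 1];
    run(XOR_EVERY_IO, d, m, c);    printf("every I/O:   disk=%s mapped=%s cached=%s\n", d, m, c);
    run(XOR_PAGING_ONLY, d, m, c); printf("paging only: disk=%s mapped=%s cached=%s\n", d, m, c);
    return 0;
}
```

With XOR_EVERY_IO the data is transformed twice on the way to disk, so the disk holds 0123 and the mapped reader sees QPSR while the cached reader sees 0123; with XOR_PAGING_ONLY the disk holds QPSR and both readers see 0123.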