1

Topic: Mini-Filter, MMF and - secrets, secrets

Good afternoon, colleagues!

Please tell me, is it possible to force the contents of a section to be flushed to disk in the case of a memory-mapped file (MMF)? Where can I look for examples, or something to read up on? And, something more or less realistic: how do I flush the contents to disk for a normal (non-MMF) file?

OSR, Russinovich, rsdn: I have read them. It is amusing that on OSR our foreign "partners" say practically nothing and immediately suggest buying their product.

The topic is far from new; surely there is broad experience with it. Implementing on-the-fly encryption by means of a mini-filter raises many questions for me. The TrueCrypt source code showed that they gave up on minifilters there.

2

Re: Mini-Filter, MMF and - secrets, secrets

Hello, eight, you wrote:

E> Please tell me, is it possible to force the contents of a section to be flushed to disk in the case of a memory-mapped file (MMF)? Where can I look for examples, or something to read up on?
E> And, something more or less realistic: how do I flush the contents to disk for a normal (non-MMF) file?

If this is from the minifilter, then doesn't FltFlushBuffers(...) suit you? I have not implemented on-the-fly encryption, but the function should flush all data, including data that went through a section. One unusual thing: with a mapped file, the write arrives on some FILE_OBJECT among all those opened for the target file, not necessarily the one specified in the FltFlushBuffers parameters (which is, basically, to be expected).

E> Implementing on-the-fly encryption by means of a mini-filter raises many questions for me. The TrueCrypt source code showed that they gave up on minifilters there.

Was TrueCrypt ever able to encrypt at the file system level, rather than at the volume level?

3

Re: Mini-Filter, MMF and - secrets, secrets

Hello, eight, you wrote:

E> Please tell me, is it possible to force the contents of a section to be flushed to disk in the case of a memory-mapped file (MMF)?

Straight away, a counter-question: why did you need to do this? There should be a weighty reason to "disable" file caching. Perhaps there is some other, more correct way... If some application actively, in a loop, keeps mapping/unmapping a file, will you flush it to disk every time? That would hurt file system performance at its root.

On topic: there is ZwFlushVirtualMemory, for example, provided that the base address and the size of the data region are known. And also (undocumented!): in Windows Vista and above, NtSetSystemInformation with the code SystemMemoryListInformation (0x50) can be used to force MemoryFlushModifiedList (3), MemoryPurgeStandbyList (4) and MemoryPurgeLowPriorityStandbyList (5). In user mode the SE_PROF_SINGLE_PROCESS_NAME privilege is required.

E> The topic is far from new; surely there is broad experience with it.
E> Implementing on-the-fly encryption by means of a mini-filter raises many questions for me.

For example, what questions?

E> The TrueCrypt source code showed that they gave up on minifilters there.

In the end they gave up on encryption too.

4

Re: Mini-Filter, MMF and - secrets, secrets

Hello, eight, you wrote:

E> Implementing on-the-fly encryption by means of a mini-filter raises many questions for me.
E> The TrueCrypt source code showed that they gave up on minifilters there.

And in general, yes, I agree: encryption at the file system level is a wildly difficult thing if you try to do everything correctly, observing the guidelines etc. Normally encryption is done at the level of storage drivers, i.e. at the level of access to disk sectors/clusters.

5

Re: Mini-Filter, MMF and - secrets, secrets

Hello, eight, you wrote:

E> Good afternoon, colleagues!
E> Please tell me, is it possible to force the contents of a section to be flushed to disk in the case of a memory-mapped file (MMF)? Where can I look for examples, or something to read up on?
E> And, something more or less realistic: how do I flush the contents to disk for a normal (non-MMF) file?

There are variations on the FlushFile theme, but they give no guarantee, since all of it is only for MM, and whether it will really be carried out and, most importantly, when it finishes is almost impossible to find out.

But I second the question: why was this needed? Because in a correct implementation you will have two views of a file, plaintext upward and ciphertext downward, each with its own FileObject and, accordingly, with its own circuit.

6

Re: Mini-Filter, MMF and - secrets, secrets

Hello, okman, you wrote:

O> Hello, eight, you wrote:
E>> Please tell me, is it possible to force the contents of a section to be flushed to disk in the case of a memory-mapped file (MMF)?
O> Straight away, a counter-question: why did you need to do this? There should be a weighty reason to "disable" file caching. Perhaps there is some other, more correct way...
O> If some application actively, in a loop, keeps mapping/unmapping a file, will you flush it to disk every time? That would hurt file system performance at its root.
O> On topic: there is ZwFlushVirtualMemory, for example, provided that the base address and the size of the data region are known.
O> And also (undocumented!): in Windows Vista and above, NtSetSystemInformation with the code SystemMemoryListInformation (0x50) can be used to force MemoryFlushModifiedList (3), MemoryPurgeStandbyList (4) and MemoryPurgeLowPriorityStandbyList (5).
O> In user mode the SE_PROF_SINGLE_PROCESS_NAME privilege is required.
E>> The topic is far from new; surely there is broad experience with it.
E>> Implementing on-the-fly encryption by means of a mini-filter raises many questions for me.
O> For example, what questions?
E>> The TrueCrypt source code showed that they gave up on minifilters there.
O> In the end they gave up on encryption too.

The idea is simple: there is access control for data on a disk (files, folders, volumes). And now all the cryptography has to be made transparent: encryption on the fly. On reading, authorized users (applications) get the decrypted data; on writing, everything accordingly lands on the disk already in encrypted form. Working with the system cache becomes much simpler: either you have access, or otherwise access is denied. Whether an application that has access to a protected resource uses MMF or input/output does not matter; it can legitimately use the cache at its own discretion.

The task is for the data in the system cache to be in plaintext form (or for the cache not to be used at all). This follows from the existing logic: if you have access, you can read everything, from the disk or from memory. The filter manager allows disk operations to be handled perfectly properly, but for memory there is nothing of the kind.

* With encryption, the size of the file / data block does not change.

In the post-operation handler for IRP_MJ_READ the data is decrypted and returned upward. Notepad++ sees it correctly, and accordingly read requests from it arrive in the course of reading. The standard Notepad, because it uses MMF and reads the data from the cache, displays the encrypted text. With writes it is the same story: already-encrypted data gets into the cache.

Is it possible to add the IRP_NOCACHE flag to read/write operations in order to bypass the cache? On rsdn many people have faced something similar; I found a good post, but its author preferred to remain anonymous.

7

Re: Mini-Filter, MMF and - secrets, secrets

Hello, eight, you wrote:

E> The filter manager allows disk operations to be handled perfectly properly, but for memory there is nothing of the kind.

If operations on memory with mapped files (MMF) are meant, this statement is not entirely true (see below).

E> The task is for the data in the system cache to be in plaintext form (or for the cache not to be used at all).

Perhaps I did not fully understand the task, but why not simply pass input/output through, leaving encryption and decryption only for those operations that work with the disk (i.e. where the IRP_NOCACHE and/or IRP_PAGING_IO/IRP_SYNCHRONOUS_PAGING_IO flags are set)? In that case the cache will always hold plaintext. For example:

* a "normal" (without the nocache/paging flags) IRP_MJ_READ/IRP_MJ_WRITE arrives: we pass it down as is.
* an IRP_MJ_WRITE with the nocache or paging flags arrives: we encrypt the contents (à la the SwapBuffers sample).
* an IRP_MJ_READ with the nocache or paging flags arrives: we perform decryption.
* etc. (reading and modifying files is not only IRP_MJ_READ and IRP_MJ_WRITE; there are also other requests that must be supported too, for consistency).

This works regardless of whether the cache is used or not (FILE_FLAG_NO_BUFFERING), whether files are read by means of ReadFile/WriteFile or through MMF, etc.

With MMF, of course, it is a somewhat separate "song":

1. Reads and writes in the mapped buffer will be visible in the minifilter as paging read and paging write respectively, and the FILE_OBJECT may not be at all the one that was expected; this applies to writes in particular (and the write to disk may be performed by, for example, the mapped page writer, a dedicated system thread).
2. After the application creates a section and maps the file contents into memory, it can close the source file, and also the section, and then work with the file only through the mapped buffer. I.e. do not assume that, for example, after IRP_MJ_CLEANUP the file's "life" is over and nobody can write anything to it any more.
3. If the application does not call FlushViewOfFile explicitly, the paging write for an MMF may not arrive for hours or even days, and the same goes for IRP_MJ_CLOSE. This is normal behavior: the system has no need to flush to disk "just because"; normally it does so on disk removal, at shutdown, or when resources run out.

E> Is it possible to add the IRP_NOCACHE flag to read/write operations in order to bypass the cache?

Hardly. Well, that is, you can of course add the flag, but it will not give the desired effect, or it will lead to entirely different effects. By the way, for some types of files this flag is ignored altogether. I mean compressed and also encrypted (EFS) files.
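
The dispatch rule listed in post 7, as an added example that is not part of the thread: a user-mode C model, not driver code, showing that transforming only non-cached and paging I/O keeps plaintext in the cache and ciphertext on disk. The flag and major-function values are those defined in wdm.h; the 16-byte "page", the XOR stand-in cipher and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
/* Flag and major-function values as defined in wdm.h. */
#define IRP_NOCACHE               0x00000001
#define IRP_PAGING_IO             0x00000002
#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040
#define IRP_MJ_READ               0x03
#define IRP_MJ_WRITE              0x04
#define PAGE 16                   /* constructed tiny "page" size */
enum action { PASS_THROUGH, ENCRYPT_BEFORE_DISK, DECRYPT_AFTER_DISK };
static uint8_t disk[PAGE];        /* bytes as stored by the file system */
static uint8_t cache[PAGE];       /* cache page, shared with mapped views */

/* Rule from the thread: transform only I/O that really goes to the disk. */
enum action classify(uint8_t major, uint32_t irp_flags)
{
    if (!(irp_flags & (IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO)))
        return PASS_THROUGH;      /* cached I/O: the cache keeps plaintext */
    if (major == IRP_MJ_WRITE) return ENCRYPT_BEFORE_DISK;
    return major == IRP_MJ_READ ? DECRYPT_AFTER_DISK : PASS_THROUGH;
}

/* Constructed stand-in cipher: size-preserving XOR, not real cryptography. */
static void toy_xor(uint8_t *b) { for (int i = 0; i < PAGE; i++) b[i] ^= 0x5A; }

/* Hypothetical model of the filter sitting between the cache and the disk. */
void filter_io(uint8_t major, uint32_t flags, uint8_t *buf)
{
    enum action a = classify(major, flags);
    if (a == ENCRYPT_BEFORE_DISK) {          /* swap-buffer style: buf untouched */
        memcpy(disk, buf, PAGE); toy_xor(disk);
    } else if (a == DECRYPT_AFTER_DISK) {    /* post-read: decrypt in place */
        memcpy(buf, disk, PAGE); toy_xor(buf);
    } else if (major == IRP_MJ_WRITE) memcpy(cache, buf, PAGE);
    else memcpy(buf, cache, PAGE);           /* cached read served from cache */
}

/* Cached write, later paging write, cache refill by paging read, cached read. */
int scenario(void)
{
    uint8_t plain[PAGE] = "secret-contents", out[PAGE];
    filter_io(IRP_MJ_WRITE, 0, plain);               /* cached WriteFile */
    filter_io(IRP_MJ_WRITE, IRP_PAGING_IO, cache);   /* mapped page writer */
    int disk_is_cipher = memcmp(disk, plain, PAGE) != 0;
    memset(cache, 0, PAGE);                          /* page evicted */
    filter_io(IRP_MJ_READ, IRP_PAGING_IO, cache);    /* page fault refill */
    filter_io(IRP_MJ_READ, 0, out);                  /* cached ReadFile */
    return disk_is_cipher && !memcmp(cache, plain, PAGE) && !memcmp(out, plain, PAGE);
}
int main(void) { return scenario() ? 0 : 1; }
```

In a minifilter the same flag test is made against `Data->Iopb->IrpFlags` in the read and write callbacks.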