File filter driver development

Source: Internet
Author: User
I. Transparent file encryption and decryption

Keywords: transparency, file filter driver, encryption tag, cache

The two most important aspects of a transparent-encryption file filter driver are managing the encryption identifier (the tag that marks a file as encrypted) and managing the cache.

1. The concept of transparency:

Transparency means that the user is unaware that encryption exists, even though the back end automatically encrypts and decrypts during every operation, much like looking through a pane of clear glass.

The advantage of transparency is that user operations do not change: everything works exactly as it did before encryption. Some enterprises do not even need to tell employees after deploying encryption; as far as the user is concerned, encryption does not exist, and the only visible effect is that files cannot be opened once they leave the enterprise security environment, because they are encrypted.

The degree of transparency is also a very important property of encryption software. For example, if an encrypted Word file cannot be copied, or cannot be read by other programs, the solution is not transparent; in some PDM (product data management) systems a file opened in one application must be checked in through another. The higher the transparency, the more naturally users work with encrypted files, as if they were unencrypted. The lower the transparency, the more operations users find restricted, and the more noticeably the experience differs from before encryption.

2. Encryption types:

Encryption type | Encryption principle | Example
Static encryption | The entire file is encrypted or decrypted in one pass. | (none given)
Dynamic encryption | The file stays encrypted at all times. A read decrypts only the bytes requested and a write encrypts only the bytes written; the whole file is never decrypted. | (none given)
Active encryption | The user explicitly asks for the file to become encrypted. | WinRAR archive with a password; Word or Excel open/modify password
Passive encryption | The file becomes encrypted without the user asking, or even against the user's wishes; the system encrypts it automatically. | Disk encryption; transparent file encryption and decryption

Active encryption: there are many ways to encrypt a file actively. For example, the user can compress it with WinRAR and set a password, or set an open or modify password on a Word or Excel file, so that only someone holding the correct password can use it. This is active encryption by the user: if the user does not encrypt the file, it stays unencrypted. Among folder-encryption products, only some can be regarded as active encryption. Active encryption is mainly used to protect personal files.

Passive encryption: mainly used to prevent file leaks inside an enterprise. Even if the user does not want the file encrypted, the system encrypts it according to policy, so that if the file is copied or otherwise removed from the enterprise environment it cannot be opened, because it is encrypted. Passive encryption has a second feature, transparent operation: users never perform encryption or decryption themselves, everything is completed automatically in the background, and users are unaware that encryption exists. Passive encryption is independent of the author's will; the relevant files are always encrypted. Disk encryption and transparent file encryption and decryption belong to this category.

3. How a file filter driver encrypts files:

The file filter driver is the mechanism Microsoft publicly supports for file encryption. In its filter-driver hierarchy Microsoft defines functional layers such as anti-virus, compression and encryption; the encryption layer is defined as:
Load order group: FSFilter Encryption, altitude range: 140000-149999

Because a file filter driver runs at the driver level (unlike an API hook at the application layer), it controls far more detail of the system. It depends little on any particular application and is compatible with all of them, which makes the filter driver better suited to dynamic encryption and decryption.

An API hook mainly intercepts the Open and Close actions, and static encryption and decryption is performed in those two actions. A file filter driver mainly intercepts Read and Write, and dynamic encryption and decryption is performed in those two IRP requests. The data processed is exactly what is requested (decrypt on read, encrypt on write), and because most operations handled by dynamic encryption and decryption are served from the cache without disk I/O, it is faster. Of course, dynamic encryption and decryption in a file filter driver is much harder to implement.

Because the legacy filter architecture used by many anti-virus products led to driver conflicts, Microsoft introduced the minifilter architecture in recent years to reduce conflicts between drivers and improve efficiency. It is the architecture Microsoft actively promotes and can be used on new operating systems without compatibility worries. Minifilters are compatible, efficient, standardised and stable.

4. The file encryption tag:

The encryption tag is the key to deciding whether a file is encrypted, and the most important part of dynamic, transparent encryption and decryption development: the correctness of the tag determines whether files are lost or damaged, so making it robust is a critical technical point. Encryption tags can be stored outside or inside the file. When stored inside the file there are usually three techniques: at the file header, at the file tail, or compressed into the file. They are introduced below:

No. | Tag storage location | Inside or outside the file | Variable length
1 | Database | Outside | No
2 | File directory | Outside | No
3 | File name | Inside | No
4 | File attributes | Inside | No
5 | Compressed into the file | Inside | No
6 | File header | Inside | Yes
7 | File tail | Inside | Yes

Method for each location:

1. Database: the encryption status of each file is recorded in a database and looked up whenever the status is needed. The big drawback is that accessing a database from a driver is difficult, and if the database is lost no file can be opened.

2. File directory: the encryption status of a file is recorded in the directory that contains it. When the file's directory changes the program must handle many details, and if the record is lost every file in the directory may become unopenable.

3. File name: a suffix is appended to the file name to mark the file as encrypted, and the suffix is hidden from users by technical means. The suffix is not universal and is easily removed by accident.

4. File attributes: a file time or another attribute is altered, for example by adding 1000 to the time, and the change is hidden from the user. Versatility is very poor and the mark is very easily lost.

5. Compressed into the file: the best idea in principle, but unfortunately not compatible with all files. Very small files are hard to compress, and archives already produced by compression software cannot be compressed further. Versatility is very poor.

6. File header: a block is prepended to the file to record the encryption tag. The comparison with the file tail is shown in Figure 1.

7. File tail: a block is appended to the end of the file to record the encryption tag. The comparison with the file header is shown in Figure 1.

In practice, for the stability and manageability of the whole system, the encryption tag is stored inside the file, which gives the tag reliability, durability and universality. For static encryption and decryption products the storage location of the tag makes little difference; here we compare the file-header and file-tail techniques under the dynamic encryption and decryption principle:

Assume a file starts at position P1, ends at position P2, and the encryption tag has length L. The layout with a header tag differs from the layout with a tail tag. Now suppose a write request covers positions pw1 to pw2, and the write extends beyond the original end position P2.

Figure 1: Comparison between the file header and the file tail during dynamic encryption and decryption

Handling with a header tag: change the write offset parameter to pw1 = pw1 + L, encrypt the pw2 - pw1 bytes, and pass the request down.
Handling with a tail tag has two variants. One is to copy the L-byte tag into memory, encrypt the pw2 - pw1 bytes and write them to the original location, and then append the L-byte tag at position pw2. The other is to first copy the L-byte tag to position pw2, and then encrypt the pw2 - pw1 bytes and write them to the original location.

The analysis above shows that a tail tag forces the software to perform an extra action whenever the file grows, namely moving the tail tag; if the second action fails because of a power failure or for any other reason after the first has completed, the file is damaged. The tag must be moved constantly, whether a write lengthens or shortens the file, and this may happen dozens or hundreds of times during a single save of a document.
A power loss can of course damage any file, but a header tag causes no extra actions. Storing the encryption tag in the file header therefore leaves the probability of file corruption equal to that of an unencrypted file, without increasing it.
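To make the Figure 1 argument concrete, here is an added C model (not code from the original article) that runs the same sequence of extending writes against a header-tagged and a tail-tagged file image and counts the tag relocations each layout needs; the tag bytes, the tag length L and the write ranges are constructed values.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not from the original article: an in-memory model of the two
 * tag layouts in Figure 1. TAG_LEN is L in the article's notation; the tag
 * bytes and buffer size are constructed. Payload encryption is omitted so that
 * only the tag bookkeeping is visible. */
#define TAG_LEN 16
#define MAX_FILE 256
static const unsigned char TAG[TAG_LEN] = "ENCTAG-EXAMPLE01"; /* constructed */

typedef struct {
    unsigned char buf[MAX_FILE]; /* physical file image, tag included */
    size_t logical_len;          /* P2 - P1: the length the application sees */
    int tag_moves;               /* tail-tag relocations performed so far */
} model_file;

/* Header tag: the tag occupies [0, L) and a write to application offset pw1
 * is passed down at pw1 + L. Extending the file never touches the tag. */
static int header_write(model_file *f, size_t pw1, const void *data, size_t n) {
    if (TAG_LEN + pw1 + n > MAX_FILE) return 0;
    memcpy(f->buf, TAG, TAG_LEN);            /* tag stays at P1 */
    memcpy(f->buf + TAG_LEN + pw1, data, n); /* pw1' = pw1 + L */
    if (pw1 + n > f->logical_len) f->logical_len = pw1 + n;
    return 1;
}

/* Tail tag: the tag occupies [logical_len, logical_len + L). A write that
 * extends the file would overwrite it, so the tag is lifted first and
 * re-appended afterwards: two separate actions, with a window in between. */
static int tail_write(model_file *f, size_t pw1, const void *data, size_t n) {
    if (pw1 + n + TAG_LEN > MAX_FILE) return 0;
    if (pw1 + n > f->logical_len) {
        unsigned char saved[TAG_LEN];
        memcpy(saved, f->buf + f->logical_len, TAG_LEN); /* action 1: lift tag */
        memcpy(f->buf + pw1, data, n);
        f->logical_len = pw1 + n;
        memcpy(f->buf + f->logical_len, saved, TAG_LEN); /* action 2: re-append */
        f->tag_moves++;
    } else {
        memcpy(f->buf + pw1, data, n);                   /* in-place: tag untouched */
    }
    return 1;
}

static int header_tag_intact(const model_file *f) { return memcmp(f->buf, TAG, TAG_LEN) == 0; }
static int tail_tag_intact(const model_file *f) { return memcmp(f->buf + f->logical_len, TAG, TAG_LEN) == 0; }

/* Appends the same chunks to both layouts and returns how many extra tag
 * relocations the tail layout needed; the header layout always needs none. */
static int extra_tail_moves(int appends) {
    model_file h = {{0}, 0, 0}, t = {{0}, 0, 0};
    memcpy(t.buf, TAG, TAG_LEN);             /* empty tail-tagged file */
    for (int i = 0; i < appends; i++) {
        header_write(&h, h.logical_len, "chunk", 5);
        tail_write(&t, t.logical_len, "chunk", 5);
    }
    return t.tag_moves - h.tag_moves;
}
```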

 

5. File encryption logic and file suffixes

There are two methods for deciding which files to encrypt:

1. Encrypting specified suffixes:

Encryption by specified suffix means that only one type of document produced by the protected program is encrypted, while files with other suffixes remain plaintext. The advantage is that only the encrypted document types are affected and other files are left alone; the encryption scope is relatively small, so system stability is easier to achieve. The disadvantage is the "save as another document type" loophole: the saved result is not of the specified encrypted file type. Listing every suffix the program might produce does not help, because there are many ways to save. For example, in Word one can click "Save As", type two double quotation marks (") in the file name field, and enter any suffix (for example test.123) between them; the saved file is plaintext, and if the copied file is renamed back to the .doc suffix the document may leak.
In addition, some programs have no fixed file format and can save as any suffix at all, Notepad for instance. Encrypting by specified suffix therefore leaves a security hole.

 

 

2. Encrypting without distinguishing suffixes:

Encryption without distinguishing suffixes means that every file produced by the protected program is encrypted. This closes the "save as another document type" loophole, because any file generated by the specified process is encrypted, so no plaintext file can exist however the user saves. The working principle is that whenever a specified process performs a write, the written file is encrypted, including any intermediate and temporary files. Not distinguishing suffixes gives higher security and is much harder technically.

Transparent encryption products that do not distinguish suffixes can be developed at two layers: the application layer and the driver layer. The application layer basically uses the redirection principle combined with encryption of specified suffixes; the driver layer can use any of the 2 x 2 = 4 combinations in the following table:

 

Principle | Encrypt specified suffixes | Encrypt without distinguishing suffixes
Redirection principle | Redirection + specified suffixes (1) | Redirection + no suffix distinction (2)
Dynamic encryption and decryption principle | Dynamic encryption/decryption + specified suffixes (3) | Dynamic encryption/decryption + no suffix distinction (4)

In the table above, mode (2) is very difficult to implement, so in practice driver-layer encryption uses modes (1), (3) or (4).
Encryption and decryption can also be split between the application layer and the driver layer: the driver intercepts the file open and hands the file to the application layer for encryption and decryption. This is equivalent to pure application-layer development, and only mode (1) can be used.

 

 

II. Document encryption process

1. Basic knowledge

(1) Read process
(2) Write process

Description of the IRP minor functions that must be checked:

1. IRP_MN_MDL

The IoStatus.Information field gives the number of bytes described by the MDL.

The caller asks the FSD to return an MDL describing the file data; the FSD allocates and builds the MDL.

2. IRP_MN_COMPLETE_MDL

Indicates that the caller has finished with the MDL that the FSD created; the FSD must now clean up and free that MDL.

3. IRP_MN_DPC

Indicates that the caller is running in DPC context; the FSD must return STATUS_PENDING and complete the request in a worker thread.

 

 

 

 

2. Main data structures

FileObject: when a file is opened, the I/O manager creates a file object for it and the file system creates the FCB (file control block). A file may be opened by several programs at once, which produces several file objects, but there is still only one FCB and one set of section object pointers.

FILE_CONTEXT

 

 

 

 

2. Encryption and decryption algorithm

RC4 stream cipher.

The key is a static key.
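As an added example (not code from the original article), the following C shows what using RC4 with a static key implies for a dynamic encryptor: a read or write at an arbitrary file offset must XOR with the keystream bytes for exactly that offset, and every file protected with the one static key shares the same keystream. The key and the sample plaintexts are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not from the original article. A dynamic encryptor handles
 * arbitrary [offset, offset+length) ranges, so the keystream byte for file
 * offset k must always be the same byte: the generator is run from the start
 * and advanced past `offset` bytes before XORing. Key and data are constructed. */
typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_state;
static void rc4_init(rc4_state *st, const uint8_t *key, size_t keylen) {
    for (int k = 0; k < 256; k++) st->S[k] = (uint8_t)k;
    for (int k = 0, j = 0; k < 256; k++) {            /* key scheduling */
        j = (j + st->S[k] + key[k % keylen]) & 0xff;
        uint8_t t = st->S[k]; st->S[k] = st->S[j]; st->S[j] = t;
    }
    st->i = st->j = 0;
}

static uint8_t rc4_next(rc4_state *st) {              /* one keystream byte */
    st->i = (uint8_t)(st->i + 1);  st->j = (uint8_t)(st->j + st->S[st->i]);
    uint8_t t = st->S[st->i]; st->S[st->i] = st->S[st->j]; st->S[st->j] = t;
    return st->S[(uint8_t)(st->S[st->i] + st->S[st->j])];
}

/* Encrypts or decrypts `len` bytes that live at file offset `offset`. The
 * same call serves the read path (decrypt) and the write path (encrypt). */
static void rc4_crypt_at(const uint8_t *key, size_t keylen, uint64_t offset,
                         uint8_t *buf, size_t len) {
    rc4_state st;
    rc4_init(&st, key, keylen);
    for (uint64_t k = 0; k < offset; k++) rc4_next(&st); /* seek: O(offset) */
    for (size_t k = 0; k < len; k++) buf[k] ^= rc4_next(&st);
}
static const uint8_t STATIC_KEY[] = "constructed-static-key"; /* constructed */

/* Writes two ranges as separate operations, then reads the whole file back
 * in one operation; returns 1 if the round trip is exact. */
static int roundtrip_partial_writes(void) {
    uint8_t file[32];
    memcpy(file, "Transparent file", 16);  memcpy(file + 16, " encryption demo", 16);
    rc4_crypt_at(STATIC_KEY, sizeof STATIC_KEY - 1, 0,  file,      16); /* write #1 */
    rc4_crypt_at(STATIC_KEY, sizeof STATIC_KEY - 1, 16, file + 16, 16); /* write #2 */
    rc4_crypt_at(STATIC_KEY, sizeof STATIC_KEY - 1, 0,  file,      32); /* one read */
    return memcmp(file, "Transparent file encryption demo", 32) == 0;
}

/* Cost of a static key: every file is XORed with the identical keystream, so
 * two ciphertexts XOR to the XOR of their plaintexts. Returns 1 if that holds. */
static int static_key_keystream_is_shared(void) {
    uint8_t a[8] = "fileAAAA", b[8] = "fileBBBB", x = 0;
    rc4_crypt_at(STATIC_KEY, sizeof STATIC_KEY - 1, 0, a, 8);
    rc4_crypt_at(STATIC_KEY, sizeof STATIC_KEY - 1, 0, b, 8);
    for (int k = 0; k < 8; k++) x |= (uint8_t)(a[k] ^ b[k] ^ "fileAAAA"[k] ^ "fileBBBB"[k]);
    return x == 0;
}
```

Seeking by discarding keystream costs O(offset) per request, and the shared keystream is why a single static key gives every file the same protection as every other; both are reasons a production design would derive per-file keys and prefer a cipher whose keystream can be addressed by block.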

3. Read/write process

Read filter conditions:

A. Check whether g_bStartFilter is enabled.

B. Check whether pFileObj->FsContext exists.

C. Check IrpSp->MinorFunction to see whether it is IRP_MN_COMPLETE_MDL.

D. Is this a directory operation?

Obtain the length, start position and content of the read:

Read length:

    Length = IrpSp->Parameters.Read.Length;

Read offset:

    Offset.QuadPart = IrpSp->Parameters.Read.ByteOffset.QuadPart;

Data buffer:

If Irp->MdlAddress is not NULL, use it: the buffer address is MmGetSystemAddressForMdlSafe(Irp->MdlAddress, ...). Otherwise use Irp->UserBuffer directly.

    /* IC: the IRP; UB: receives the system-space address of the caller's buffer.
       MmGetSystemAddressForMdlSafe returns NULL when resources are low, so the
       caller must test *(UB) for NULL before touching the buffer. */
    #define CdMapUserBuffer(IC, UB) {                                              \
        *(UB) = (PVOID)(((IC)->MdlAddress == NULL) ?                              \
                        (IC)->UserBuffer :                                         \
                        MmGetSystemAddressForMdlSafe((IC)->MdlAddress, HighPagePriority)); \
    }

 

Write filter conditions:

E. Check whether g_bStartFilter is enabled.

F. Check whether pFileObj->FsContext exists.

G. Check IrpSp->MinorFunction to see whether it is IRP_MN_MDL.

H. Is this a directory operation?

Write length:

    Length = IrpSp->Parameters.Write.Length;

Write offset:

    LARGE_INTEGER lnOffset = IrpSp->Parameters.Write.ByteOffset;

Data buffer:

Obtained exactly as on the read path: if Irp->MdlAddress is not NULL, map it with MmGetSystemAddressForMdlSafe, otherwise use Irp->UserBuffer directly (the CdMapUserBuffer macro above).

 

Cache management

Single cache:

1. A legal process opens a file and closes it. The file is cached in plaintext, the cache has been flushed to disk, but the in-memory resources are not released. An illegal process then opens the document; the IRP_MJ_CREATE routine flushes and purges the cache, so the illegal process sees garbled (cipher) text.

2. A legal process opens a file; the file is cached in plaintext, the cache has not been flushed to disk, and the in-memory resources are not cleared. An illegal process then opens the same document. If the file opened in Notepad has not been closed, the opener is treated as an illegal process and the open fails. If the handle has been closed in mapped-file mode, the illegal process opens the document that the legal process still has open; the IRP_MJ_CREATE routine flushes the cache, so the illegal process sees garbled text.

3. An illegal process opens an encrypted document that nobody else has open: it sees ciphertext. When a legal process later opens the encrypted document, the cache is flushed.

4. A legal process opens the encrypted document. The cache is flushed only on file create (IRP_MJ_CREATE).

Order in which cache-related resources are acquired: the file system's resources first, then the cache manager's resources, then the VMM (memory manager) resources. The final information is obtained through the minifilter.

http://www.microsoft.com/downloads/details.aspx?displaylang=zh-cn&familyid=B54730CF-8850-4531-B52B-BF28B324C662

http://www.microsoft.com/taiwan/whdc/driver/filterdrv/alt-range.mspx

http://www.microsoft.com/whdc/driver/filterdrv/default.mspx

Reference material: File System Internals; Windows File System Filter Driver Development Tutorial (Chu Kuangren); Han Jiang Du Diao: Windows Kernel Security Programming; OSR documentation. Websites: http://bbs.driverdevelop.com, http://www.osronline.com, http://www.rootkit.com, http://bbs.pediy.com, http://www.codeproject.com
