File Filter Driver Development


File filter driver, part I: transparent file encryption and decryption

Keywords: transparent encryption, file filter driver, encryption tag, cache

The two most important points in a file filter driver are handling the encryption tag and managing the cache.

1. The concept of transparency:

Transparent means that although decryption happens automatically in the background while the user works, the user is unaware that encryption exists, as if looking through a pane of clear glass.

The advantage of transparency is that the user's way of working does not change; everything works exactly as it did before encryption. Some enterprises even deploy encryption without telling all employees: as long as a file stays inside the enterprise environment it behaves as if unencrypted, and only when it is taken outside does it turn out that it cannot be opened.

The degree of transparency is also an important measure of encryption software. For example, while a Word document is being edited, can it be copied, or read by another program? If not, the product is not fully transparent. In some PDM document management products, a file opened by one application cannot be checked in by another. The higher the transparency, the closer the user experience is to working with unencrypted files; the lower the transparency, the more restrictions the user notices and the greater the difference from before encryption.

2. Encryption types:

Static encryption: the whole file is encrypted or decrypted in one operation.

Dynamic encryption: the file stays encrypted as a whole; only as much is decrypted as is read and only as much is encrypted as is written, so the entire file never has to be decrypted.

Active encryption: the user must explicitly put the file into an encrypted state.

Examples of active encryption are compressing with WinRAR and setting a password, or setting an open or modify password on a Word or Excel file, so that others need the correct password to open it. If the user does not encrypt, the file is not in an encrypted state. Encrypting only certain folders can also be regarded as active encryption. Active encryption is mainly used for personal file protection.

Passive encryption: the file becomes encrypted without the user knowing or wanting it; the system encrypts it automatically.

Passive encryption is mainly used to prevent leaks from inside an enterprise: even if the user does not want the file encrypted, the system encrypts it according to policy, so that a file copied or otherwise taken out of the enterprise environment cannot be opened because it is in the encrypted state. A second characteristic of passive encryption is transparent operation: the user performs no encryption or decryption steps, everything happens automatically in the background, and the user need not even know that encryption exists. Passive encryption is independent of the author's wishes; every matching file is encrypted. Disk encryption and transparent file encryption/decryption both belong to this class.

3. How a file filter driver encrypts:

A file filter driver is the file-encryption technique that Microsoft publicly supports. In the filter driver hierarchy Microsoft defines load-order groups for anti-virus, compression, encryption and other functions; the encryption group is defined as:
Load order group: FSFilter Encryption, altitude range: 140000-149999

Because a file filter driver runs at the driver level (unlike API hooks in the application layer), it can control more details of the system, is only loosely coupled to applications, and is compatible with all applications; file filter drivers are therefore better suited to dynamic encryption and decryption.

An API hook mainly intercepts open and close, and performs static encryption and decryption of the file in those two actions. A file filter driver mainly intercepts read and write, and performs dynamic encryption and decryption in those two IRP requests. The processing is precise (decrypt exactly what is read, encrypt exactly what is written), and because most dynamic decryption actually happens against the cache rather than through disk I/O, it is faster. Of course, dynamic encryption and decryption inside a file filter driver is also considerably harder to implement.

Because the original legacy filter architecture was used by many anti-virus products, Microsoft introduced the Minifilter architecture in recent years to reduce conflicts between drivers and improve efficiency. It is the framework Microsoft actively promotes and can be relied on in subsequent new operating systems. Minifilters offer compatibility, efficiency, standardization and stability.

4. File encryption tag:

The encryption tag is the key to determining whether a file is encrypted, and it is the most important link in developing dynamic transparent encryption and decryption: a correct tag decides whether a file is lost or damaged, so making it reliable is a key technical point. Tags can be stored outside the file or inside it; inside the file there are three common techniques: at the file header, at the end of the file, or in space freed by compressing the file. They are compared below:

No. 1 | Location: in a database | Type: outside the file | File grows: no
Method: the encryption state of each file is recorded in a database, which is consulted whenever the state has to be determined. Drawbacks: accessing a database from inside a driver is difficult, and if the database is lost no file may be openable.

No. 2 | Location: in the file's directory | Type: outside the file | File grows: no
Method: the encryption state is recorded in the directory that contains the file. The program must handle many details of directory membership, and if the record is lost no file in the whole directory may be openable.

No. 3 | Location: in the file name | Type: inside the file (as metadata) | File grows: no
Method: a suffix is added to the file name to mark it as encrypted and hidden from the user by technical means. Poor generality, and the mark is easily removed by accident.

No. 4 | Location: in the file attributes | Type: inside the file (as metadata) | File grows: no
Method: the timestamp or another attribute is altered, for example adding 1000 years to the time, and the change is hidden from the user. Too generic, and the mark is easily lost.

No. 5 | Location: compressed into the file | Type: inside the file | File grows: no
Method: conceptually the best approach, but it cannot be compatible with all files: a very small file may not compress, archives produced by compression software cannot be compressed further, and so on, so generality is very poor.

No. 6 | Location: file header | Type: inside the file | File grows: yes
Method: a block recording the encryption tag is prepended to the head of the file; see the comparison with the end-of-file method in Figure 1.

No. 7 | Location: end of file | Type: inside the file | File grows: yes
Method: a block recording the encryption tag is appended to the end of the file; see the comparison with the file-header method in Figure 1.

In practice, considering the stability and manageability of the whole system, storing the encryption tag inside the file guarantees that the tag is reliable, permanent and universal. For products that use the redirection principle (static encryption and decryption), the storage location of the tag matters little. Below we compare the file-header and end-of-file techniques under the dynamic encryption principle:

Suppose the file starts at P1 and ends at P2, and the encryption tag has length L. The on-disk layout differs between a header tag and a tail tag. Now a write request arrives covering PW1 to PW2, where PW2 lies beyond the original end of file P2, so the write extends the file.

Figure 1 File header and end-of-file comparison during dynamic encryption and decryption

File-header tag: only the write offset parameter changes, PW1 = PW1 + L; the PW2 - PW1 bytes are then encrypted and the request is passed down.
End-of-file tag: there are two ways to handle it. One is to copy the L-byte tag into memory, encrypt the PW2 - PW1 bytes and write them at the original location, then write the L-byte tag at PW2. The other is to first write the L-byte tag at PW2, then encrypt the PW2 - PW1 bytes and write them at the original location.

The analysis shows that with an end-of-file tag every write that extends the file costs the software an extra action, moving the tail tag. If the first action completes and a power failure or other fault prevents the second, the file is corrupted. Whether a write lengthens or shortens the file, the tag has to be moved, and a single save in a document editor can trigger this hundreds of times.
A power failure can of course damage any file, but the file-header tag adds no extra action: with a header tag the probability of corruption is the same as for an unencrypted file, with no increase.
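To make the header-versus-tail argument concrete, here is an added simulation (not code from the original article) of both layouts over an in-memory disk. The 16-byte tag value, the XOR placeholder cipher and the torn-write flag are assumptions for illustration; the point is that the header layout needs one down-call per write while the tail layout needs two on every extending write, and that a power failure between those two leaves a file the reader no longer recognises as encrypted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the article's code. The tag bytes, the 16-byte tag length
 * and the XOR "cipher" are stand-ins chosen for readability. */
#define TAG_LEN  16
#define DISK_MAX 4096
static const uint8_t TAG[TAG_LEN] = "ENC-TAG-v1-0001";   /* 15 chars + NUL */

typedef struct {
    uint8_t data[DISK_MAX];   /* simulated on-disk bytes */
    size_t  len;              /* current on-disk length (P2 in the text) */
} Disk;

/* Placeholder cipher so the tag logic stays visible; the product described on
 * the page would use its stream cipher here. */
static void xor_cipher(uint8_t *b, size_t n) { for (size_t i = 0; i < n; i++) b[i] ^= 0x5A; }

/* Header tag, layout [TAG][ciphertext]. A write of n bytes at logical offset
 * off becomes one down-call at PW1 + L; the tag itself never moves. */
static int write_header_tag(Disk *d, size_t off, const uint8_t *buf, size_t n)
{
    uint8_t tmp[DISK_MAX];
    if (TAG_LEN + off + n > DISK_MAX) return -1;
    if (d->len == 0) { memcpy(d->data, TAG, TAG_LEN); d->len = TAG_LEN; }   /* new file */
    memcpy(tmp, buf, n);
    xor_cipher(tmp, n);
    memcpy(d->data + TAG_LEN + off, tmp, n);
    if (TAG_LEN + off + n > d->len) d->len = TAG_LEN + off + n;
    return 0;
}

/* Tail tag, layout [ciphertext][TAG]. An extending write needs two down-calls:
 * (1) the data, which overwrites the old tag, then (2) the tag at the new end.
 * crash_after_step1 != 0 simulates a power failure between the two. */
static int write_tail_tag(Disk *d, size_t off, const uint8_t *buf, size_t n, int crash_after_step1)
{
    uint8_t tmp[DISK_MAX];
    size_t old_body = d->len >= TAG_LEN ? d->len - TAG_LEN : 0;
    size_t new_body = off + n > old_body ? off + n : old_body;
    if (new_body + TAG_LEN > DISK_MAX) return -1;
    memcpy(tmp, buf, n);
    xor_cipher(tmp, n);
    memcpy(d->data + off, tmp, n);                        /* step 1: data */
    if (off + n > d->len) d->len = off + n;
    if (off + n <= old_body) return 0;                    /* not extending: tag untouched */
    if (crash_after_step1) return -2;                     /* tag is now gone or torn */
    memcpy(d->data + new_body, TAG, TAG_LEN);             /* step 2: re-append tag */
    d->len = new_body + TAG_LEN;
    return 0;
}

/* Readers validate the tag first; a missing or torn tag means the file is no
 * longer recognised as encrypted. Return plaintext length, or -1. */
static int read_header_tag(const Disk *d, uint8_t *out)
{
    if (d->len < TAG_LEN || memcmp(d->data, TAG, TAG_LEN) != 0) return -1;
    size_t n = d->len - TAG_LEN;
    memcpy(out, d->data + TAG_LEN, n);
    xor_cipher(out, n);
    return (int)n;
}

static int read_tail_tag(const Disk *d, uint8_t *out)
{
    if (d->len < TAG_LEN || memcmp(d->data + d->len - TAG_LEN, TAG, TAG_LEN) != 0) return -1;
    size_t n = d->len - TAG_LEN;
    memcpy(out, d->data, n);
    xor_cipher(out, n);
    return (int)n;
}

/* Scenario from the text: a document is saved in two extending writes and the
 * second one is torn. Returns the plaintext length a later reader sees, or -1. */
static int torn_extend(int use_header_tag)
{
    Disk d; uint8_t out[DISK_MAX];
    memset(&d, 0, sizeof d);
    if (use_header_tag) {
        write_header_tag(&d, 0, (const uint8_t *)"hello", 5);
        write_header_tag(&d, 5, (const uint8_t *)" world", 6);   /* single down-call, tag untouched */
        return read_header_tag(&d, out);
    }
    write_tail_tag(&d, 0, (const uint8_t *)"hello", 5, 0);
    write_tail_tag(&d, 5, (const uint8_t *)" world", 6, 1);       /* power fails after step 1 */
    return read_tail_tag(&d, out);
}

int main(void)
{
    printf("header tag after torn extend: %d bytes readable\n", torn_extend(1));
    printf("tail tag after torn extend:   %d (file no longer recognised)\n", torn_extend(0));
    return 0;
}
```

A real filter also has to cope with the first write to a brand-new file, where even the header layout lays down tag and data separately; the argument in the text is about every subsequent extension, which is where the tail layout keeps paying the two-step cost.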

5. File encryption logic and file suffixes

There are two ways to decide which files to encrypt:

1. Encrypt specified suffixes:

Encrypting by specified suffix means that of the documents generated by the controlled program, only those with a given suffix are encrypted, while files with other suffixes remain in clear text. The advantage is that only that document type is encrypted and other files are unaffected; the encryption scope is small and system stability is easier to achieve. The disadvantage is the "Save as another document type" leak: the saved result is not of the encrypted file type. Even if the program normally never produces another suffix, there are many ways to save one. In Word, for example, click Save As, type two double quotation marks (") in the File name field and an arbitrary suffix between them (for example "test.123"); the saved file is then clear text, and renaming it back to the .doc suffix leaks the document.
Some programs' file formats are not fixed at all and can be saved under any suffix, Notepad for instance, so encrypting by specified suffix introduces a security hole.

2. Encrypt regardless of suffix:

Encrypting regardless of suffix means that every file generated by the controlled program is encrypted. This closes the "Save as another document type" hole by encrypting anything the specified process generates, guaranteeing that no clear-text file appears however the user saves. It works as long as every write by the specified process is encrypted, so intermediate and temporary files are encrypted too. Not distinguishing suffixes gives greater security and greater technical difficulty.

Transparent encryption products that do not distinguish suffixes can be developed at two levels, the application layer and the driver layer. The application layer essentially uses the redirection principle plus encryption of specified suffixes; the driver layer can use any of the 2 x 2 = 4 modes in the table below:

                                    Encrypt specified suffix        Encrypt regardless of suffix
Redirection principle               (1) redirection + suffix        (2) redirection + no suffix distinction
Dynamic encryption/decryption       (3) dynamic + suffix            (4) dynamic + no suffix distinction

Mode (2) is difficult to implement, so driver-layer encryption in practice uses modes (1), (3) and (4).
Encryption and decryption may also be split between the application layer and the driver layer: the driver intercepts the file open and hands the file to the application layer for decryption. This is the same as pure application-layer development, i.e. mode (1).

II. Document encryption process

1. Basic knowledge
2. Basic process: (1) read process, (2) write process

IRP minor codes that must be checked:

1. IRP_MN_MDL
IoStatus.Information gives the number of bytes described by the MDL. The caller does not supply a buffer; it asks the FSD to allocate and build an MDL describing the file data.

2. IRP_MN_COMPLETE_MDL
Indicates the caller has finished with the MDL the FSD created; the MDL is torn down and freed.

3. IRP_MN_DPC
Indicates the caller is running at DPC level; the FSD must return STATUS_PENDING and complete the request in a worker thread.

2. Main data structures

FILE_OBJECT: when a file is opened, the I/O Manager creates a file object for that open. FCB: a file may be opened simultaneously by several programs, producing several FILE_OBJECTs, but there is only one FCB and one set of SectionObjectPointers shared by all of them.

FILE_CONTEXT: the per-file context the filter keeps for its own state.

2. Encryption and decryption algorithm

RC4 stream cipher

The key is a static key.

Two caveats a practitioner will want here: RC4 has no seek operation, so decrypting a read at file offset PW1 means generating and discarding PW1 keystream bytes first; and a single static key with a stream cipher means every file is XORed with the same keystream, so two ciphertexts XORed together reveal the XOR of their plaintexts, and one known plaintext recovers keystream that decrypts every other file at the same offsets.
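As an added example (not the article's code), the following RC4 implementation shows what a static-key stream cipher means for the filter: rc4_xor_at decrypts an arbitrary slice [off, off + n) of a file, as a read IRP requires, and same_key_leaks_xor shows why one static key is weak. The key and the two sample plaintexts are constructed for the demonstration; the published RC4 test vector for key "Key" and plaintext "Plaintext" is used to check the implementation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the article's code. DEMO_KEY stands in for the product's
 * static key; the plaintexts used below are constructed. */
static const uint8_t DEMO_KEY[] = "static-demo-key";
#define DEMO_KEY_LEN 15

typedef struct { uint8_t s[256]; uint8_t i, j; } Rc4;

static void rc4_init(Rc4 *st, const uint8_t *key, size_t klen)
{
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) st->s[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {                 /* key-scheduling algorithm */
        j = (uint8_t)(j + st->s[k] + key[k % klen]);
        uint8_t t = st->s[k]; st->s[k] = st->s[j]; st->s[j] = t;
    }
    st->i = st->j = 0;
}

static uint8_t rc4_next(Rc4 *st)                    /* one keystream byte (PRGA) */
{
    st->i = (uint8_t)(st->i + 1);
    st->j = (uint8_t)(st->j + st->s[st->i]);
    uint8_t t = st->s[st->i]; st->s[st->i] = st->s[st->j]; st->s[st->j] = t;
    return st->s[(uint8_t)(st->s[st->i] + st->s[st->j])];
}

/* Encrypt or decrypt n bytes that sit at file offset off. RC4 cannot seek, so
 * the keystream is regenerated from byte 0 and off bytes are discarded: the
 * per-request cost of "decrypt only what is read" with this cipher is O(off). */
static void rc4_xor_at(const uint8_t *key, size_t klen, uint64_t off, uint8_t *buf, size_t n)
{
    Rc4 st;
    rc4_init(&st, key, klen);
    for (uint64_t k = 0; k < off; k++) (void)rc4_next(&st);
    for (size_t k = 0; k < n; k++) buf[k] ^= rc4_next(&st);
}

/* Sanity check against the published vector RC4("Key", "Plaintext"). */
static int rc4_known_vector_ok(void)
{
    static const uint8_t want[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    uint8_t buf[9];
    memcpy(buf, "Plaintext", 9);
    rc4_xor_at((const uint8_t *)"Key", 3, 0, buf, 9);
    return memcmp(buf, want, 9) == 0;
}

/* Filter read path: the whole file is stored encrypted, a read IRP asks for
 * [off, off + n) and only that slice is decrypted. Returns 1 if the slice is right. */
static int partial_read_roundtrip(const uint8_t *plain, size_t total, size_t off, size_t n)
{
    uint8_t disk[256];
    if (total > sizeof disk || off + n > total) return 0;
    memcpy(disk, plain, total);
    rc4_xor_at(DEMO_KEY, DEMO_KEY_LEN, 0, disk, total);       /* file written encrypted */
    rc4_xor_at(DEMO_KEY, DEMO_KEY_LEN, off, disk + off, n);   /* read request decrypts the slice */
    return memcmp(disk + off, plain + off, n) == 0;
}

/* The static-key problem: two files under the same key get the same keystream,
 * so c1 XOR c2 == p1 XOR p2 byte for byte, with no knowledge of the key. */
static int same_key_leaks_xor(const uint8_t *p1, const uint8_t *p2, size_t n)
{
    uint8_t c1[64], c2[64];
    if (n > sizeof c1) return 0;
    memcpy(c1, p1, n); memcpy(c2, p2, n);
    rc4_xor_at(DEMO_KEY, DEMO_KEY_LEN, 0, c1, n);
    rc4_xor_at(DEMO_KEY, DEMO_KEY_LEN, 0, c2, n);
    for (size_t k = 0; k < n; k++)
        if ((uint8_t)(c1[k] ^ c2[k]) != (uint8_t)(p1[k] ^ p2[k])) return 0;
    return 1;
}

int main(void)
{
    const uint8_t *fox = (const uint8_t *)"The quick brown fox jumps over the lazy dog";
    printf("known vector: %s\n", rc4_known_vector_ok() ? "ok" : "FAIL");
    printf("slice [10,19) decrypts: %d\n", partial_read_roundtrip(fox, 43, 10, 9));
    printf("same-key ciphertexts leak p1^p2: %d\n",
           same_key_leaks_xor((const uint8_t *)"Q1 revenue: 1200",
                              (const uint8_t *)"Q2 revenue: 9999", 16));
    return 0;
}
```

The discard loop in rc4_xor_at is the price of random access with RC4; a per-file key derived from a master key, or a cipher with a counter mode, removes both the O(off) cost and the keystream reuse shown by same_key_leaks_xor.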

3. Reading and writing process

Read filter conditions:

A. Whether the filter switch g_bStartFilter is on
B. Whether pFileObj->FsContext exists
C. Whether IrpSp->MinorFunction is IRP_MN_COMPLETE_MDL (such requests are skipped)
D. Whether this is a directory operation (skipped)

Get the length, start position and content of the read:

Length of the read:

Length = IrpSp->Parameters.Read.Length;

Offset in the file:

Offset.QuadPart = IrpSp->Parameters.Read.ByteOffset.QuadPart;

File contents:

If Irp->MdlAddress is not NULL, use the MDL: the buffer address is MmGetSystemAddressForMdlSafe(Irp->MdlAddress, HighPagePriority); otherwise use Irp->UserBuffer directly. MmGetSystemAddressForMdlSafe can return NULL under memory pressure, so the result must be checked before the buffer is touched.

/* IC: the PIRP; UB: a PVOID* that receives the buffer address. */
#define CdMapUserBuffer(IC, UB) {                                              \
    *(UB) = (PVOID)(((IC)->MdlAddress == NULL) ?                                \
                    (IC)->UserBuffer :                                          \
                    MmGetSystemAddressForMdlSafe((IC)->MdlAddress,              \
                                                 HighPagePriority));             \
}

Write filter conditions:

E. Whether the filter switch g_bStartFilter is on
F. Whether pFileObj->FsContext exists
G. Whether IrpSp->MinorFunction is IRP_MN_MDL (such requests are skipped)
H. Whether this is a directory operation (skipped)

Length of the write:

Length = IrpSp->Parameters.Write.Length;

Offset in the file:

LARGE_INTEGER lnOffset = IrpSp->Parameters.Write.ByteOffset;

Note that a write whose ByteOffset has LowPart == FILE_WRITE_TO_END_OF_FILE and HighPart == -1 is an append, not a position; the current file size has to be determined before any offset arithmetic such as the header-tag shift is applied.

File contents:

Same as for reads: if Irp->MdlAddress is not NULL use MmGetSystemAddressForMdlSafe(Irp->MdlAddress, HighPagePriority), otherwise Irp->UserBuffer directly, i.e. the CdMapUserBuffer macro given above, again checking for a NULL result.

Cache management

Single cache:

1. A legitimate process opens an existing file and closes it. The plaintext stays in the cache: it is neither flushed to disk nor is the in-memory data purged. An illegal process then opens the document; the IRP_MJ_CREATE routine flushes and purges the cache, so the illegal process sees garbled ciphertext.

2. A legitimate process opens an existing file; the plaintext is in the cache, not flushed to disk and not purged. At that moment an illegal process opens the document. If it is a program like Word that keeps the handle open, it is judged an illegal process and the open is refused. If it is a program like Notepad that maps the file into memory and closes the handle, the illegal process opens a document that a legitimate process currently has open; the IRP_MJ_CREATE routine flushes the cache, so the illegal process sees garbled ciphertext.

3. An illegal process opens an encrypted document and sees ciphertext. A legitimate process then opens the same document; the cache is flushed first.

4. A legitimate process opens an encrypted document; when it closes, the cache is flushed in the IRP_MJ_CLEANUP routine. A newly created file is not flushed until its cache has actually been created.

Order in which cache-related resources are acquired: the file system resource first, then the Cache Manager resource, and the VMM resource last.

Minifilter related information:

http://www.microsoft.com/downloads/details.aspx?displaylang=zh-cn&FamilyID=b54730cf-8850-4531-b52b-bf28b324c662
http://www.microsoft.com/taiwan/whdc/driver/filterdrv/alt-range.mspx
http://www.microsoft.com/whdc/driver/filterdrv/default.mspx

References:
"File System Internals"
"Windows File System Filter Driver Development Tutorial", Chu Kuangren (楚狂人)
"Han Jiang Du Diao (寒江独钓): Windows Kernel Security Programming"
OSR documentation
http://bbs.driverdevelop.com
http://www.osronline.com
http://www.rootkit.com
http://bbs.pediy.com
http://www.codeproject.com

Source: http://www.cnblogs.com/adylee/archive/2013/03/20/2971544.html
