Search code examples
windowsfilesystemsminifilter

Distinction between copy paste and file read on MiniFilter

I'm planning to make a MiniFilter do make some file encryption, add some meta-data on files.

I think I understand what I need to do, in my MiniFilter, to make that files are stored in their encrypted form but can be read by the system with no problems.

If an application ask a read on the file, I need to query the encrypted part, dechiper and send it back to the system.

If I try to copy the file, I need to copy the whole file, with meta-data and encrypted payload.

But I think I may have a problem with meta-data : as I cannot find a way to know if the IRP_MJ_READ i got is from an app trying to read the file or a copy-paste request, I will never be able to read the meta-data and either copy them.

Is there some informations, in the IRP_MJ_READ or the IRP_MJ_CREATE, that is specific from a copy paste action ?

Solution

  • Your task will not be easy or trivial by any means. Making an encryption filesystem filter in Windows is hard.

    1. First of all I will give you a few hints and pointers. The best thing you could to is parse OSR NTFSD list for posts and threads about this. It is a gold mine when it comes to these kinds of filters.
    2. Check out the swapbuffers sample from Microsoft. They show how you can replace data in the Read/Write I/O path with your own. In this case as you described your scenario encrypt on the Write and decrypt on the Read
    3. For starters filter only the read/writes that have IRP_NO_CACHE flag set. Make sure all your Read/Write are volume sector size multiples in size. See more information about this flag here
    4. Use a block cipher that aligns with the volume sector size, all the popular ones should. See CNG

    Explore from there on. Modifying only this should be pretty straight forward. Make sure you will be using a VM and snapshots as well as try to monitor a particular file only and encrypt/decrypt only that file as it will take you many tries until you succeed.

    Is there some informations, in the IRP_MJ_READ or the IRP_MJ_CREATE, that is specific from a copy paste action ?

    None whatsoever. The kernel is blind to this. Even the Copy/Paste itself at the end of the day if you think about it will result in explorer.exe doing a file open, reading from a source file, and writing to the destination file using system calls. The OS is there to make sure the system calls work and do their job, it does not know nor it needs to know that the Read of the data or metadata came from you copy/pasting, right clicking Properties on explorer.exe or who knows, you might use Total Commander and do copy paste from there and this one could implement its copy totally different or use xcopy or robocopy. You need to think in a more abstract way in the kernel.

    Good luck.