This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 75%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
iam trying to make a mini-filter driver to enctypt data before it is written on the disk and decrypt it before it is passed to the user but even after changing the data buffer that is passed to me in the pre-write operation, the data that is written on the disk is still the original data. this is my pre-write operation:
FLT_PREOP_CALLBACK_STATUS
SwapPreWriteBuffers(
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_Flt_CompletionContext_Outptr_ PVOID* CompletionContext
)
{
//check if iam writing to a file
if (FltObjects->Instance == NULL || FltObjects->Filter == NULL || FltObjects->FileObject->FileName.Buffer == NULL || FltObjects->FileObject->FsContext2 == NULL)
return FLT_PREOP_SUCCESS_NO_CALLBACK;
// check if iam writing to file header or content
LONGLONG writeOffset = ((LONGLONG)Data->Iopb->Parameters.Write.ByteOffset.HighPart << 32) |
(LONGLONG)Data->Iopb->Parameters.Write.ByteOffset.LowPart;
PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
NTSTATUS status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo);
if (NT_SUCCESS(status))
{
if (nameInfo->Extension.Buffer != NULL && !(_wcsicmp(nameInfo->Extension.Buffer, L".txt") == 0))
{
if (writeOffset == 0) {
FltReleaseFileNameInformation(nameInfo);
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
}
FltReleaseFileNameInformation(nameInfo);
}
PFLT_IO_PARAMETER_BLOCK iopb = Data->Iopb;
FLT_PREOP_CALLBACK_STATUS retValue = FLT_PREOP_SUCCESS_NO_CALLBACK;
PVOID newBuf = NULL;
PMDL newMdl = NULL;
PVOID origBuf;
ULONG writeLen = iopb->Parameters.Write.Length;
try {
if (writeLen == 0) {
leave;
}
newBuf = FltAllocatePoolAlignedWithTag(FltObjects->Instance,
NonPagedPool,
(SIZE_T)writeLen,
BUFFER_SWAP_TAG);
if (newBuf == NULL) {
leave;
}
if (FlagOn(Data->Flags, FLTFL_CALLBACK_DATA_IRP_OPERATION)) {
newMdl = IoAllocateMdl(newBuf,
writeLen,
FALSE,
FALSE,
NULL);
if (newMdl == NULL) {
leave;
}
MmBuildMdlForNonPagedPool(newMdl);
}
if (iopb->Parameters.Write.MdlAddress != NULL) {
FLT_ASSERT(((PMDL)iopb->Parameters.Write.MdlAddress)->Next == NULL);
origBuf = MmGetSystemAddressForMdlSafe(iopb->Parameters.Write.MdlAddress,
NormalPagePriority | MdlMappingNoExecute);
if (origBuf == NULL) {
Data->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
Data->IoStatus.Information = 0;
retValue = FLT_PREOP_SUCCESS_NO_CALLBACK;
leave;
}
}
else {
origBuf = iopb->Parameters.Write.WriteBuffer;
}
try {
RtlCopyMemory(newBuf,
origBuf,
writeLen);
} except(EXCEPTION_EXECUTE_HANDLER) {
Data->IoStatus.Status = GetExceptionCode();
Data->IoStatus.Information = 0;
retValue = FLT_PREOP_SUCCESS_NO_CALLBACK;
leave;
}
if (!MmIsAddressValid(origBuf))
return FLT_PREOP_SUCCESS_NO_CALLBACK;
for (int i = 0; i < writeLen; i++) {
((PCHAR)newBuf)[i] = ((PCHAR)origBuf)[i] ^ 255;
}
RtlCopyMemory(origBuf,
newBuf,
writeLen);
iopb->Parameters.Write.WriteBuffer = newBuf;
iopb->Parameters.Write.MdlAddress = newMdl;
Data->IoStatus.Information = writeLen;
FltSetCallbackDataDirty(Data);
retValue = FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
finally {
if (retValue != FLT_PREOP_SUCCESS_WITH_CALLBACK) {
if (newBuf != NULL) {
FltFreePoolAlignedWithTag(FltObjects->Instance,
newBuf,
BUFFER_SWAP_TAG);
}
if (newMdl != NULL) {
IoFreeMdl(newMdl);
}
}
}
return retValue;
}