
Posts

Featured

SecureVol Project Part 3.2 Managing Dispatch Routines (Lock/Unlock)

Lock requests (FsDispatchLockControl) - Locks specified file bytes

Every time we call ZwLockFile (ntdll.dll) or LockFile (kernel32.dll) the system generates the following IRP:

MajorIrp = IRP_MJ_LOCK_CONTROL
MinorIrp = IRP_MN_LOCK

Right now, for testing purposes, SecureVol does not offer the option to set a specific byte offset. Instead it automatically sets the offset to 0, so the entire file is locked. We use ZwLockFile instead of LockFile because the former has an extra parameter, Key. Windows specifies that this value should always be 0, but in our case we will give the Key value some use. The following picture shows the call from SecureVol.exe. As said before, the Key field will store the current file index.

After calling ZwLockFile from user mode, the driver will trigger the FsDispatchLockControl function and the following will happen:

1) Return STATUS_LOCK_NOT_GRANTED if the file is already locked
2) Allocate memory from the lookaside list, copy elemen

Latest Posts

SecureVol Project Part 3.1 Managing Dispatch Routines (Read/Query)

SecureVol Project Part 3 Managing Dispatch Routines (Create/Write)

SecureVol Project Part 2 General Overview

SecureVol Project Part 1 Introduction

IoCreateDriver() behaviour with Spin Locks

Calling Mi Internal functions directly

Kernel Injection code by reversing Sirifef aka max++ infamous rootkit