SecureVol Project Part 3.1 Managing Dispatch Routines (Read/Query)

Read requests (FsDispatchRead) - Reads data from disk sectors

Every time we call ReadFile (kernel32.dll) or ZwReadFile (ntdll.dll), the system produces an IRP_MJ_READ request.


As we do in FsDispatchWriteRequests, the first step is to map the physical pages into system space with the MmGetSystemAddressForMdlSafe macro. Buffer points to the memory we pre-allocated from user mode after gathering the file size.
The first conditional checks that the access mask allows reading and that the file size in bytes is not zero; the function also sets the byte offset so the read starts at the beginning of the file. After these checks we can safely call FatReadFileInternal to read the disk sectors and store the data in the Buffer variable. If it fails there is no point in continuing, so we exit the function as quickly as possible.


In the previous picture, we check the Encrypted flag directly from the parent File Control Block; if the flag is set, the file we are reading is encrypted, so we perform the decryption, lock the pages for the user-mode caller and copy the decrypted data to OutBuffer.
We also need to copy the file size in bytes into the Information member of the IO_STATUS_BLOCK structure.

Query requests (FsDispatchQueryInformation) - Query file information

This request handles all the query activities: every time we call GetFileInformationByHandle (kernel32.dll) or NtQueryInformationFile (ntdll.dll), the system produces an IRP_MJ_QUERY_INFORMATION request.


We reference the variable that will store the file information in user mode. For now, for testing purposes, SecureVol only supports the FileStandardInformation class.


Inside FsQueryFile we simply copy the file size in bytes into the buffer variable.


From user mode, when we want to retrieve data from the file system, we open the path \\Device\\SecureVol\\[filename][file extension]. This path works for files inside the FAT root folder.
After requesting read access in ZwCreateFile, we gather the file size with ZwQueryInformationFile as mentioned earlier. In file moving operations we always need to allocate memory, which is why we use the file size in bytes for that allocation.
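The read and query paths above both take lengths and offsets from a user-mode caller, so the checks before any copy are where a dispatch routine is most easily broken. The following is an added example, not SecureVol's own code, written in portable C: the Windows status values are the real ones, but NTSTATUS, the FILE_STANDARD_INFORMATION layout and the function names are simplified stand-ins so it builds without the WDK, and the offset clamp generalizes the page's read-from-offset-zero rule.

```c
/* Added example (not SecureVol's code): parameter checks a read / query
 * dispatch routine should perform before touching any buffer.
 * Windows types are stand-ins so the file compiles outside the WDK. */
#include <stdint.h>
#include <string.h>
#include <stddef.h>

typedef int32_t NTSTATUS;                          /* stand-in for ntdef.h */
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004)
#define STATUS_END_OF_FILE          ((NTSTATUS)0xC0000011)
#define STATUS_ACCESS_DENIED        ((NTSTATUS)0xC0000022)
#define FILE_READ_DATA              0x0001u

/* Stand-in with the same field order as FILE_STANDARD_INFORMATION. */
typedef struct {
    uint64_t AllocationSize;
    uint64_t EndOfFile;
    uint32_t NumberOfLinks;
    uint8_t  DeletePending;
    uint8_t  Directory;
} FILE_STANDARD_INFO;

/* IRP_MJ_READ: refuse without read access, stop at EOF, and clamp the
 * caller's Length to the bytes that actually exist past ByteOffset.
 * *Information is what the routine would store in IoStatus.Information. */
NTSTATUS ValidateRead(uint32_t GrantedAccess, uint64_t FileSize,
                      uint64_t ByteOffset, uint32_t Length, uint32_t *Information)
{
    *Information = 0;
    if (!(GrantedAccess & FILE_READ_DATA)) return STATUS_ACCESS_DENIED;
    if (FileSize == 0 || ByteOffset >= FileSize) return STATUS_END_OF_FILE;
    uint64_t remaining = FileSize - ByteOffset;
    *Information = (Length < remaining) ? Length : (uint32_t)remaining;
    return STATUS_SUCCESS;
}

/* IRP_MJ_QUERY_INFORMATION / FileStandardInformation: check the caller's
 * buffer length before the copy, then report the bytes written. */
NTSTATUS QueryStandardInfo(uint64_t FileSize, void *OutBuffer,
                           uint32_t OutLength, uint32_t *Information)
{
    *Information = 0;
    if (OutLength < sizeof(FILE_STANDARD_INFO)) return STATUS_INFO_LENGTH_MISMATCH;
    FILE_STANDARD_INFO info = {0};
    info.EndOfFile = FileSize;
    info.AllocationSize = (FileSize + 511) & ~(uint64_t)511; /* 512-byte sectors, constructed */
    info.NumberOfLinks = 1;
    memcpy(OutBuffer, &info, sizeof info);
    *Information = (uint32_t)sizeof info;
    return STATUS_SUCCESS;
}
```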