SecureVol Project Part 3.1 Managing Dispatch Routines (Read/Query)
Read requests (FsDispatchRead) - Reads data from disk sectors
Every time we call ReadFile (kernel32.dll) or ZwReadFile (ntdll.dll) the system produces the IRP_MJ_READ request.
The first conditional checks that the access mask grants read access and that the file size in bytes is not zero. The function also aligns the byte offset to read from the beginning of the file. After these checks we can safely call FatReadFileInternal to read the disk sectors and store the data in the Buffer variable. If it fails there is no point in continuing, so we exit the function as early as possible.
In the previous picture, we need to check the Encrypted flag directly from the Parent File Control Block: if the flag is set, the file we are reading is encrypted, so we perform the decryption, lock the pages for the user-mode caller and copy the decrypted data to OutBuffer.
We also need to copy the file size in bytes to the Information member from the IO_STATUS_BLOCK structure.
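The read path described above, as an added example that is not SecureVol's own code: a portable C model of the IRP_MJ_READ core with constructed stand-ins for the IRP, FCB and NTSTATUS values, a toy XOR in place of the real cipher, and an in-memory sector image instead of FatReadFileInternal. It assumes the user buffer has already been probed and locked, and it shows the checks a reviewer looks for in this routine: access mask, EOF, length clamped to the file size, decryption done in a kernel staging buffer rather than in the user buffer, and Information set to the bytes actually returned.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the WDK types; not the real IRP, FCB or NTSTATUS headers. */
#define FILE_READ_DATA                0x0001u
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_END_OF_FILE            0xC0000011u
#define STATUS_ACCESS_DENIED          0xC0000022u
#define STATUS_INSUFFICIENT_RESOURCES 0xC000009Au
#define SECTOR_SIZE 512u

typedef struct {
    uint32_t       AccessMask;     /* access granted on the handle */
    uint32_t       FileSizeBytes;
    int            Encrypted;      /* flag read from the parent FCB */
    const uint8_t *DiskImage;      /* file data padded to whole sectors; ciphertext when Encrypted */
} MockFcb;
typedef struct {
    uint64_t ByteOffset;
    uint32_t Length;
    uint8_t *OutBuffer;            /* user buffer; assumed already probed/locked in this model */
    uint64_t Information;          /* mirrors IoStatus.Information */
} MockReadIrp;

/* Placeholder for the project's cipher: a fixed XOR byte, only so the test can round-trip. */
static void ToyDecrypt(uint8_t *buf, size_t n) { for (size_t i = 0; i < n; i++) buf[i] ^= 0x5A; }

/* Core of the IRP_MJ_READ path: validate, read whole sectors into a kernel staging
 * buffer, decrypt there (never in the user buffer), then copy only the requested window. */
uint32_t FsDispatchReadCore(const MockFcb *fcb, MockReadIrp *irp) {
    irp->Information = 0;
    if (!(fcb->AccessMask & FILE_READ_DATA)) return STATUS_ACCESS_DENIED;
    if (fcb->FileSizeBytes == 0 || irp->ByteOffset >= fcb->FileSizeBytes) return STATUS_END_OF_FILE;
    if (irp->Length == 0 || irp->OutBuffer == NULL) return STATUS_INVALID_PARAMETER;
    uint64_t remaining = fcb->FileSizeBytes - irp->ByteOffset;
    uint32_t toCopy = irp->Length < remaining ? irp->Length : (uint32_t)remaining;  /* clamp at EOF */
    uint64_t start = irp->ByteOffset & ~(uint64_t)(SECTOR_SIZE - 1);                 /* sector-align */
    uint64_t end = (irp->ByteOffset + toCopy + SECTOR_SIZE - 1) & ~(uint64_t)(SECTOR_SIZE - 1);
    uint8_t *stage = malloc((size_t)(end - start));   /* a pool allocation in the real driver */
    if (stage == NULL) return STATUS_INSUFFICIENT_RESOURCES;
    memcpy(stage, fcb->DiskImage + start, (size_t)(end - start));  /* stands in for FatReadFileInternal */
    if (fcb->Encrypted) ToyDecrypt(stage, (size_t)(end - start));
    memcpy(irp->OutBuffer, stage + (irp->ByteOffset - start), toCopy);
    free(stage);
    irp->Information = toCopy;  /* bytes actually returned, not bytes requested */
    return STATUS_SUCCESS;
}
```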
Query requests (FsDispatchQueryInformation) - Query file information
This request handles all query operations: every time we call GetFileInformationByHandle (kernel32.dll) or NtQueryInformationFile (ntdll.dll) the system produces the IRP_MJ_QUERY_INFORMATION request.
We reference the variable that will store the file information in user-mode. Right now, for testing purposes, SecureVol only supports the FileStandardInformation class.
From user-mode when we want to retrieve data from the file system, we create the path \\Device\\SecureVol\\[filename][file extension]. The previous path works for files inside the FAT root folder.
After requesting read attributes in ZwCreateFile, we gather the file size with ZwQueryInformationFile as mentioned earlier. In file moving operations we always need to allocate memory, which is what the file size in bytes is used for.