SecureVol Project Part 3.2 Managing Dispatch Routines (Lock/Unlock)

Lock requests (FsDispatchLockControl) - Locks specified file bytes

Every time we call ZwLockFile (ntdll.dll) or LockFile (kernel32.dll), the system generates the following IRP:

MajorIrp = IRP_MJ_LOCK_CONTROL
MinorIrp = IRP_MN_LOCK

Right now, for testing purposes, SecureVol does not offer an option to set a specific byte offset. Instead it automatically sets the offset to 0, so the entire file size is locked. We use ZwLockFile instead of LockFile because the former has an extra parameter, Key. Windows specifies this value should always be 0, but in our case we put the Key value to use.


The following picture shows the call from SecureVol.exe

As said before, the Key field stores the current file index. When ZwLockFile is called from user mode, the driver runs the FsDispatchLockControl function and the following happens:

1) Return STATUS_LOCK_NOT_GRANTED if the file is already locked
2) Allocate memory from the lookaside list, copy the elements and insert the entry in the list
4) Set the File Control Block flag to locked status


Unlock requests (FsDispatchUnLockControl) - Unlocks a specified range of bytes

To unlock, we call ZwUnlockFile, again using the Key parameter to identify the file while walking the doubly linked list of locks. If the Key is found in the list, we remove the entry and clear the locked flag in the File Control Block. If there are no locks on the specified file, the user-mode call returns STATUS_RANGE_NOT_LOCKED.
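
The lock and unlock bookkeeping described above, modelled in portable C as an added example (it is not SecureVol's driver source). The struct names, function names and flag bit are hypothetical, `malloc` stands in for the lookaside list, and the synchronization a real dispatch routine needs around the list is left out.

```c
#include <stdint.h>
#include <stdlib.h>

/* NTSTATUS values as defined in ntstatus.h */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_LOCK_NOT_GRANTED       0xC0000055u
#define STATUS_RANGE_NOT_LOCKED       0xC000007Eu
#define STATUS_INSUFFICIENT_RESOURCES 0xC000009Au
#define FCB_FLAG_LOCKED               0x1u  /* hypothetical flag bit */

typedef struct fcb { uint32_t file_index; uint32_t flags; } fcb_t; /* hypothetical FCB */
typedef struct lock_entry {
    struct lock_entry *flink, *blink;  /* doubly linked, like LIST_ENTRY */
    uint32_t key;                      /* Key passed to ZwLockFile = file index */
    fcb_t *fcb;
} lock_entry_t;

/* Circular list head: an empty list points at itself. */
static lock_entry_t g_locks = { &g_locks, &g_locks, 0, NULL };

static lock_entry_t *find_lock(uint32_t key) {
    for (lock_entry_t *e = g_locks.flink; e != &g_locks; e = e->flink)
        if (e->key == key) return e;
    return NULL;
}

/* Model of the IRP_MJ_LOCK_CONTROL / IRP_MN_LOCK path. */
uint32_t model_lock(fcb_t *fcb, uint32_t key) {
    if ((fcb->flags & FCB_FLAG_LOCKED) || find_lock(key))
        return STATUS_LOCK_NOT_GRANTED;       /* already locked */
    lock_entry_t *e = malloc(sizeof *e);      /* stands in for the lookaside list */
    if (!e) return STATUS_INSUFFICIENT_RESOURCES;
    e->key = key; e->fcb = fcb;               /* copy elements */
    e->blink = g_locks.blink; e->flink = &g_locks;
    g_locks.blink->flink = e; g_locks.blink = e;  /* insert at tail */
    fcb->flags |= FCB_FLAG_LOCKED;            /* mark the FCB as locked */
    return STATUS_SUCCESS;
}

/* Model of the unlock path: find the Key, unlink, clear the FCB flag. */
uint32_t model_unlock(uint32_t key) {
    lock_entry_t *e = find_lock(key);
    if (!e) return STATUS_RANGE_NOT_LOCKED;   /* no lock recorded for this file */
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    e->fcb->flags &= ~FCB_FLAG_LOCKED;
    free(e);
    return STATUS_SUCCESS;
}
```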

How it works from user-mode