
Double buffer transparent encryption and decryption driven course paper + project source code based on minifilter framework

2022-06-25 11:13:00 biyezuopinvip

Contents
FOKS-TROT development document
Introduction
Brief introduction
Compiling and using methods
Design part
Test part
Unrepaired bugs
End
Introduction:
This project is an experimental project, and the author's understanding of the file system will inevitably be biased, so it may be misleading; I hope readers can learn from it dialectically, and please follow the relevant open source license.
Because I wrote a minifilter transparent encryption and decryption driver before, but my level was really limited and it had a lot of problems whose cause I could not find and just evaded, which led to errors built on top of errors, I wrote this project on the basis of that previous development experience.
This project is also intended to be a graduation design project; if there is any similarity, it is exactly the same s(- -)b
Brief introduction:
This project is a transparent encryption and decryption filter driver built on the minifilter framework. When a process writes files with specific extensions (such as txt, docx), those files are encrypted automatically. When an authorized process reads a ciphertext file it is decrypted automatically; unauthorized processes get no decryption, see the ciphertext, and are not allowed to modify it. Encryption and decryption here apply only to non-cached I/O (NonCachedIo). The desktop program can also send privileged encryption and decryption commands to encrypt or decrypt a file on its own.
1. The project uses double buffering: authorized processes and unauthorized processes use a plaintext buffer and a ciphertext buffer respectively;
2. A StreamContext stores the file's information while the driver runs; files are identified by a trailer, and the last 4KB of the file stores the decryption information the file needs;
3. AES-128 in ECB mode is used together with ciphertext stealing, so that the plaintext does not have to be block-aligned (no padding);
4. Write and Read use SwapBuffers for transparent encryption and decryption;
5. Privileged encryption and privileged decryption use reentry (the driver re-enters the file system) so that the driver itself encrypts or decrypts the file;
6. FileRenameInformation and FileRenameInformationEx are handled, so docx, doc, pptx, ppt, xlsx, xls and similar files that are written through a tmp file and then renamed are encrypted and decrypted automatically;
7. Process-related callbacks are registered and authorized and unauthorized processes are managed with linked lists; process and thread object callbacks are registered to protect the EPROCESS and ETHREAD objects; the integrity of the authorized process's code segment is checked.
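The trailer-based file identification (item 2) and ECB with ciphertext stealing (item 3) described above, as an added example that is not part of the FOKS-TROT source: the 16-byte block function is a labelled stand-in permutation rather than AES (the driver uses CNG through ksecdd.lib), and the trailer layout, its magic value and the key_id field are constructed assumptions, not the project's on-disk format. The example encrypts an in-memory file image of any length of at least one block without padding, appends a 4KB trailer recording the logical plaintext length, and decrypts by locating the trailer first.

```c
/* Added example (not the project's code): ECB with ciphertext stealing plus a 4 KB trailer.
 * blk_encrypt/blk_decrypt are a stand-in 16-byte permutation, NOT AES (assumption). */
#include <stdint.h>
#include <string.h>

#define BLK 16
#define TRAILER_SIZE 4096
static const char TRAILER_MAGIC[8] = "FOKSTROT";   /* constructed magic, not the project's */

/* Constructed trailer layout (assumption): a fixed 4096 bytes at the end of the file. */
typedef struct {
    char     magic[8];
    uint32_t version;
    uint32_t key_id;
    uint64_t plaintext_len;                        /* logical size shown to authorized processes */
    uint8_t  reserved[TRAILER_SIZE - 24];
} file_trailer_t;

/* Stand-in invertible block function: rotate the block by 3 bytes, then XOR with the key. */
static void blk_encrypt(const uint8_t key[BLK], const uint8_t in[BLK], uint8_t out[BLK]) {
    for (int i = 0; i < BLK; i++) out[i] = in[(i + 3) % BLK] ^ key[i];
}
static void blk_decrypt(const uint8_t key[BLK], const uint8_t in[BLK], uint8_t out[BLK]) {
    for (int i = 0; i < BLK; i++) out[(i + 3) % BLK] = in[i] ^ key[i];
}

/* ECB with ciphertext stealing: output length equals input length, no padding.
 * Requires len >= BLK; returns 0 on success, -1 otherwise. */
int cts_encrypt(const uint8_t key[BLK], const uint8_t *pt, uint8_t *ct, size_t len) {
    if (len < BLK) return -1;
    size_t full = len / BLK, rem = len % BLK, i;
    if (rem == 0) {                                /* aligned input: plain ECB */
        for (i = 0; i < full; i++) blk_encrypt(key, pt + i * BLK, ct + i * BLK);
        return 0;
    }
    for (i = 0; i + 1 < full; i++) blk_encrypt(key, pt + i * BLK, ct + i * BLK);
    uint8_t cprime[BLK], last[BLK];
    blk_encrypt(key, pt + (full - 1) * BLK, cprime);       /* C' = E(P_{m-1}) */
    memcpy(last, pt + full * BLK, rem);                     /* short P_m ... */
    memcpy(last + rem, cprime + rem, BLK - rem);            /* ... padded with tail(C') */
    blk_encrypt(key, last, ct + (full - 1) * BLK);          /* C_{m-1} = E(P_m || tail(C')) */
    memcpy(ct + full * BLK, cprime, rem);                   /* C_m = head(C'), the stolen part */
    return 0;
}

int cts_decrypt(const uint8_t key[BLK], const uint8_t *ct, uint8_t *pt, size_t len) {
    if (len < BLK) return -1;
    size_t full = len / BLK, rem = len % BLK, i;
    if (rem == 0) {
        for (i = 0; i < full; i++) blk_decrypt(key, ct + i * BLK, pt + i * BLK);
        return 0;
    }
    for (i = 0; i + 1 < full; i++) blk_decrypt(key, ct + i * BLK, pt + i * BLK);
    uint8_t dec[BLK], cprime[BLK];
    blk_decrypt(key, ct + (full - 1) * BLK, dec);           /* P_m || tail(C') */
    memcpy(pt + full * BLK, dec, rem);                      /* recover P_m */
    memcpy(cprime, ct + full * BLK, rem);                   /* head(C') comes from C_m */
    memcpy(cprime + rem, dec + rem, BLK - rem);             /* tail(C') */
    blk_decrypt(key, cprime, pt + (full - 1) * BLK);        /* P_{m-1} = D(C') */
    return 0;
}

/* Returns 1 and copies the trailer if the image ends in one, else 0 (memcpy avoids unaligned access). */
int trailer_find(const uint8_t *file, size_t file_len, file_trailer_t *out) {
    if (file_len < TRAILER_SIZE) return 0;
    memcpy(out, file + file_len - TRAILER_SIZE, TRAILER_SIZE);
    return memcmp(out->magic, TRAILER_MAGIC, sizeof TRAILER_MAGIC) == 0;
}

/* Builds the on-disk image: ciphertext followed by the trailer. img must hold len + TRAILER_SIZE bytes. */
int encrypt_image(const uint8_t key[BLK], const uint8_t *pt, size_t len, uint8_t *img) {
    if (cts_encrypt(key, pt, img, len) != 0) return -1;
    file_trailer_t t;
    memset(&t, 0, sizeof t);
    memcpy(t.magic, TRAILER_MAGIC, sizeof TRAILER_MAGIC);
    t.version = 1; t.key_id = 7; t.plaintext_len = len;   /* key_id is a constructed placeholder */
    memcpy(img + len, &t, sizeof t);
    return 0;
}

/* Reverses encrypt_image; returns the logical plaintext length, or 0 if there is no trailer or the length is wrong. */
size_t decrypt_image(const uint8_t key[BLK], const uint8_t *img, size_t img_len, uint8_t *pt) {
    file_trailer_t t;
    if (!trailer_find(img, img_len, &t)) return 0;
    if (t.plaintext_len != img_len - TRAILER_SIZE) return 0;
    if (cts_decrypt(key, img, pt, (size_t)t.plaintext_len) != 0) return 0;
    return (size_t)t.plaintext_len;
}

/* Self-check on constructed data: a 35-byte (unaligned) and a 32-byte (aligned) message. Returns 1 on success. */
int demo_roundtrip(void) {
    static const uint8_t key[BLK] = "0123456789abcdef";      /* constructed key */
    const char *msgs[2] = { "transparent encryption needs no pad", "exactly two blocks of plaintext!" };
    for (int m = 0; m < 2; m++) {
        size_t len = strlen(msgs[m]);
        uint8_t img[64 + TRAILER_SIZE], back[64];
        file_trailer_t scratch;
        if (encrypt_image(key, (const uint8_t *)msgs[m], len, img) != 0) return 0;
        if (memcmp(img, msgs[m], len) == 0) return 0;           /* ciphertext must differ from plaintext */
        if (decrypt_image(key, img, len + TRAILER_SIZE, back) != len) return 0;
        if (memcmp(back, msgs[m], len) != 0) return 0;
        if (trailer_find((const uint8_t *)msgs[m], len, &scratch)) return 0;  /* plaintext carries no trailer */
    }
    return 1;
}
```

Ciphertext stealing keeps the encrypted stream the same length as the plaintext, which is what lets the driver swap buffers on Read and Write without shifting file offsets; the trailer is what grows the on-disk size by exactly 4KB, and the logical length recorded in it is what an authorized process should be shown.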
Compiling and using methods:
1. Install the CNG library:
https://www.microsoft.com/en-us/download/details.aspx?id=30688
Download the Cryptographic Provider Development Kit from Microsoft's website,
then in Project -> Properties -> VC++ Directories set the include directory and the library directory to the corresponding locations;
in Linker -> General -> Additional Library Directories add C:\Windows Kits\10\Cryptographic Provider Development Kit\Lib\x64;
in Linker -> Input -> Additional Dependencies set ksecdd.lib.
2. In Utils.c -> PocBypassIrrelevantFileExtension set the file extensions to filter; in Process.c -> PocIsUnauthorizedProcess set the unauthorized processes.
3. Compile the Debug x64 driver with Visual Studio 2019, and compile User, UserDll and UserPanel.
4. Running on Windows 10 x64 with NTFS is recommended (mainly because the IRP_MN_FLUSH_AND_PURGE of FltFlushBuffers2 is only supported on NTFS).


Copyright notice
This article was created by [biyezuopinvip]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/176/202206251057177013.html