EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Changing Buffer content in WriteFileC

Also by EldoS: CallbackRegistry
A component to monitor and control Windows registry access and create virtual registry keys.
Posted: 10/30/2014 18:02:19
by Gregoir Lebrun (Basic support level)
Joined: 10/09/2014
Posts: 7


I try to achieve the following scenario using CallbackFilter:

1) A user opens a text file (say "test.txt") using Notepad.
2) A user changes the content of the file and saves the file.
3) CallbackFilter intercepts WriteFileC, and changes the data to be written into a fixed string of characters ("Fixed").
4) The file is closed, and contains the fixed string of characters.

My code for WriteFileC is as follows:

void CbFltWriteFileC(...)
        printf("\nFile to write:            %ws", FileName);
        printf("\nCached write?             %d", CachedWrite);
   printf("\nBytes to write:           %s", (BYTE*) Buffer);
   printf("\nNumber of bytes to write: %d", *BytesToWrite);
   if (CachedWrite)
       BYTE newBuffer[5] = {'F', 'i', 'x', 'e', 'd'};
      memcpy((BYTE*)(Buffer), newBuffer, 5);
        *BytesToWrite = 5;

            printf("\nBytes to write:           %s", (BYTE*) Buffer);
            printf("\nNumber of bytes to write: %d", *BytesToWrite);

When I open the file "test.txt" and attempt to write "Test" to it, I get following output:

File to write: C:\test\test.txt
Cached write? 1
Bytes to write: Test
Number of bytes to write: 4
Bytes to write: Fixed
Number of bytes to write: 5

File to write: C:\test\test.txt
Cached write? 0
Bytes to write: Fixe
Number of bytes to write: 4096

In other words, CallbackFilter intercepts two WriteFileC events. The first one is a write from the application to the system cache, and the second one is a write from the system cache to the filesystem (I assume).

The first write operation seems to write "Fixed" to the system cache, which is what I want. However, the second write operation (to the filesystem) writes only "Fixe"; it uses the length of the input of the user (4 characters because "Test" has length 4) and truncates "Fixed" to "Fixe". This is not what I want.

Would it be possible to point out what I'm doing wrong?

Many thanks,

Posted: 10/31/2014 02:49:44
by Vladimir Cherniga (EldoS Corp.)

The problem is in the Valid Data Length (VDL) value, that is used to determine the data ranged valid for read from the storage. You may use AddBytesToWriteBuffer CallbackFilter api to get an extra buffer in write callback that allow to extend current VDL value. EncryptWithHeader sample demonstrates that technique.



Topic viewed 2134 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!