FESF Kernel Mode Components

The "big orange cloud" in Figure 1 represents the collection of OSR-supplied FESF Kernel Mode Components.  These comprise a series of file system mini-filters and their associated libraries.  Four kernel-mode components are installed as part of FESF: OsrIsolate.sys, OsrDt2.sys, OsrDs2.sys, and OsrSupport.sys.

The FESF Kernel Mode Components are responsible for intercepting file operations (such as CreateFile, ReadFile, and WriteFile) on supported file systems, implementing the Policies specified by the Client Solution, providing the correct "view" (encrypted/decrypted or raw) of a given file's data based on the Client-specified Policy, and performing the actual encryption/decryption operations via Microsoft's CNG kernel-mode library.

Source code for the kernel-mode portions of FESF is not provided as part of the standard FESF kit license.