ZwQueryFileInformation/ZwQueryObject
in [Win32 Kernel]
|
Prev: Add custom file information class?
Next: Freeze process
From: William on 21 Oct 2006 05:50 Hi, (Usually I work in C#.) I am writing a driver to hook ZwCreateFile. The driver works correctly but in my personal ZwCreateFile function I want to get the file name. I try with ZwQueryObject and ZwQueryInformationFile but each times I have return STATUS_INVALID_HANDLE. Here my code with ZwQueryInformationFile call. Can somebody help me please ? Tanks. NTSTATUS MyZwCreateFile(PHANDLE FileHandle,ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes,PIO_STATUS_BLOCK IoStatusBlock,PLARGE_INTEGER AllocationSize,ULONG FileAttributes,ULONG ShareAccess,ULONG CreateDisposition,ULONG CreateOptions,PVOID EaBuffer,ULONG EaLength) { NTSTATUS rc; NTSTATUS ntret; WCHAR wszFileName[] = L\\??\\C:\\ZwCreateFile.txt; UNICODE_STRING usPath; OBJECT_ATTRIBUTES obja; IO_STATUS_BLOCK iosb; IO_STATUS_BLOCK psb; FILE_NAME_INFORMATION fni; NTSTATUS rv; HANDLE hin; FILE_STANDARD_INFORMATION fsi; FILE_POSITION_INFORMATION fpi; RtlInitUnicodeString(&usPath, wszFileName); InitializeObjectAttributes(&obja, &usPath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); ntret = ((NTCREATEFILE)(OldZwCreateFile))(&hfl, GENERIC_WRITE, &obja, &iosb, 0, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT, 0, 0); // FILE_OPEN if(ntret != STATUS_SUCCESS) goto err; //my log file ZwQueryInformationFile(hfl, &iosb, &fsi, sizeof(fsi), FileStandardInformation); fpi.CurrentByteOffset.QuadPart = fsi.EndOfFile.QuadPart; ZwSetInformationFile(hfl, &iosb, &fpi, sizeof(fpi), FilePositionInformation); //get file name of the zwcreatefile parameter rv=ZwQueryInformationFile(*FileHandle,&psb,&fni,sizeof(fni),FileNameInformation); switch(rv) { case STATUS_SUCCESS: ZwWriteFile(hfl,0,0,0,&iosb, "STATUS_SUCCESS \r\n",40,0,0); break; case STATUS_INVALID_HANDLE: ZwWriteFile(hfl,0,0,0,&iosb, "STATUS_INVALID_HANDLE \r\n",40,0,0); break; case STATUS_INVALID_INFO_CLASS: ZwWriteFile(hfl,0,0,0,&iosb, "STATUS_INVALID_INFO_CLASS \r\n",40,0,0); break; case STATUS_INFO_LENGTH_MISMATCH: ZwWriteFile(hfl,0,0,0,&iosb, "STATUS_INFO_LENGTH_MISMATCH \r\n",40,0,0); break; }; ZwClose(hfl); err: rc = ((NTCREATEFILE)(OldZwCreateFile))(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength); return rc; }
From: anton bassov on 21 Oct 2006 11:46 Hi mate First of all, kernel hooking should be your very last resort. In my opinion, you can use it when there is absolutely, absolutely no way to do what you want by "supported" means ( in the opinion of most participants of this NG you should not *EVER* do it, no matter what). When it comes to ZwCreateFile(), there is no need to hook it whatsoever - you can achieve what you want simply by writing FS filter driver. Concerning you question, you can get the file name from its handle by calling ObReferenceObjectByHandle() in order to get corresponding PFILE_OBJECT, from which file name is available (like file->FileName). This name does not include the drive letter. In order to obtain one, you need to pass file->DeviceObject to IoVolumeDeviceToDosName (or to RtlVolumeDeviceToDosName(), if you need to run your code on some OS prior to XP). Anton Bassov William wrote: > Hi, > (Usually I work in C#.) > I am writing a driver to hook ZwCreateFile. The driver works correctly but > in my personal ZwCreateFile function I want to get the file name. > I try with ZwQueryObject and ZwQueryInformationFile but each times I have > return STATUS_INVALID_HANDLE. > > Here my code with ZwQueryInformationFile call. > Can somebody help me please ? > Tanks. > > > NTSTATUS MyZwCreateFile(PHANDLE FileHandle,ACCESS_MASK DesiredAccess, > POBJECT_ATTRIBUTES ObjectAttributes,PIO_STATUS_BLOCK > IoStatusBlock,PLARGE_INTEGER AllocationSize,ULONG FileAttributes,ULONG > ShareAccess,ULONG CreateDisposition,ULONG CreateOptions,PVOID EaBuffer,ULONG > EaLength) > { > > NTSTATUS rc; > NTSTATUS ntret; > WCHAR wszFileName[] = L\\??\\C:\\ZwCreateFile.txt; > UNICODE_STRING usPath; > OBJECT_ATTRIBUTES obja; > IO_STATUS_BLOCK iosb; > IO_STATUS_BLOCK psb; > FILE_NAME_INFORMATION fni; > NTSTATUS rv; > HANDLE hin; > FILE_STANDARD_INFORMATION fsi; > FILE_POSITION_INFORMATION fpi; > > RtlInitUnicodeString(&usPath, wszFileName); > InitializeObjectAttributes(&obja, &usPath, OBJ_CASE_INSENSITIVE | > OBJ_KERNEL_HANDLE, NULL, NULL); > > ntret = ((NTCREATEFILE)(OldZwCreateFile))(&hfl, GENERIC_WRITE, &obja, > &iosb, 0, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, > FILE_SYNCHRONOUS_IO_NONALERT, 0, 0); // FILE_OPEN > if(ntret != STATUS_SUCCESS) goto err; > > //my log file > ZwQueryInformationFile(hfl, &iosb, &fsi, sizeof(fsi), > FileStandardInformation); > fpi.CurrentByteOffset.QuadPart = fsi.EndOfFile.QuadPart; > ZwSetInformationFile(hfl, &iosb, &fpi, sizeof(fpi), > FilePositionInformation); > > //get file name of the zwcreatefile parameter > rv=ZwQueryInformationFile(*FileHandle,&psb,&fni,sizeof(fni),FileNameInformation); > > switch(rv) > { > case STATUS_SUCCESS: > ZwWriteFile(hfl,0,0,0,&iosb, "STATUS_SUCCESS \r\n",40,0,0); > break; > case STATUS_INVALID_HANDLE: > ZwWriteFile(hfl,0,0,0,&iosb, "STATUS_INVALID_HANDLE \r\n",40,0,0); > break; > case STATUS_INVALID_INFO_CLASS: > ZwWriteFile(hfl,0,0,0,&iosb, "STATUS_INVALID_INFO_CLASS > \r\n",40,0,0); > break; > case STATUS_INFO_LENGTH_MISMATCH: > ZwWriteFile(hfl,0,0,0,&iosb, "STATUS_INFO_LENGTH_MISMATCH > \r\n",40,0,0); > break; > }; > > ZwClose(hfl); > > err: > rc = ((NTCREATEFILE)(OldZwCreateFile))(FileHandle, DesiredAccess, > ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, > ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength); > return rc; > }
From: William on 21 Oct 2006 15:38 Thanks for your answer but for a file-system filter driver I don't have the IFSKit and I have no way to start. I have no experience in C programming and/or driver. :( "anton bassov" <soviet_bloke(a)hotmail.com> wrote in message news:1161445616.558733.107850(a)i3g2000cwc.googlegroups.com... > Hi mate > > First of all, kernel hooking should be your very last resort. In my > opinion, you can use it > when there is absolutely, absolutely no way to do what you want by > "supported" means > ( in the opinion of most participants of this NG you should not *EVER* > do it, no matter what). > When it comes to ZwCreateFile(), there is no need to hook it whatsoever > - you can achieve what you want simply by writing FS filter driver. > > Concerning you question, you can get the file name from its handle by > calling ObReferenceObjectByHandle() in order to get corresponding > PFILE_OBJECT, from which > file name is available (like file->FileName). This name does not > include the drive letter. In order to obtain one, you need to pass > file->DeviceObject to IoVolumeDeviceToDosName (or to > RtlVolumeDeviceToDosName(), if you need to run your code on some OS > prior to XP). > > Anton Bassov
From: Don Burn on 21 Oct 2006 15:47 "William" <zititeuf(a)voila-nospam.fr> wrote in message news:%23PUmwfU9GHA.3280(a)TK2MSFTNGP02.phx.gbl... > Thanks for your answer but for a file-system filter driver I don't have > the IFSKit and I have no way to start. > I have no experience in C programming and/or driver. :( > Then definitely avoid hooking, since if you don't know your way around the kernel hooking will crash. You are going to have problems until you are more experienced, in this case the reason your code fails is you try to use FileHandle but the open has not occured yet. Wait a few weeks and get the WDK for Vista. It has the IFS kit in it, and has an example that shows how to get the file name. You will be doing yourself and anyone who comes in contact with your software a favor. -- Don Burn (MVP, Windows DDK) Windows 2k/XP/2k3 Filesystem and Driver Consulting http://www.windrvr.com Remove StopSpam from the email to reply
From: anton bassov on 21 Oct 2006 18:53 >I don't have the > IFSKit and I have no way to start. Who holds you back from downloading WDK??? The latest available version is RC2, which is more than enough for development. When it comes to the final release, WDK will be already available, so that you will be able to build a release verson of your driver with WDK (as Don pointed out, final release of WDK is due shortly) >> I have no experience in C programming and/or driver. Interesting....... How are you going to write your hooking code then???? I know that FS filters are, probably, the most complex drivers in existence, but, in order to do hooking *PROPERLY* you have to know all ins and outs, so that you just cannot avoid learning these things. It does save you from writing a lot of code which is totally unrelated to your actual task, but it does not save you from knowing all these things. In other words, no matter how you look at it, you have to start learning - if you think of hooking as of easy solution, you are *DEFINITELY* wrong. Anton Bassov William wrote: > Thanks for your answer but for a file-system filter driver I don't have the > IFSKit and I have no way to start. > I have no experience in C programming and/or driver. :( > > "anton bassov" <soviet_bloke(a)hotmail.com> wrote in message > news:1161445616.558733.107850(a)i3g2000cwc.googlegroups.com... > > Hi mate > > > > First of all, kernel hooking should be your very last resort. In my > > opinion, you can use it > > when there is absolutely, absolutely no way to do what you want by > > "supported" means > > ( in the opinion of most participants of this NG you should not *EVER* > > do it, no matter what). > > When it comes to ZwCreateFile(), there is no need to hook it whatsoever > > - you can achieve what you want simply by writing FS filter driver. > > > > Concerning you question, you can get the file name from its handle by > > calling ObReferenceObjectByHandle() in order to get corresponding > > PFILE_OBJECT, from which > > file name is available (like file->FileName). This name does not > > include the drive letter. In order to obtain one, you need to pass > > file->DeviceObject to IoVolumeDeviceToDosName (or to > > RtlVolumeDeviceToDosName(), if you need to run your code on some OS > > prior to XP). > > > > Anton Bassov
|
Pages: 1 Prev: Add custom file information class? Next: Freeze process |