Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

ZwCreateFile

Aram_Havarneanu-2Aram_Havarneanu-2 Member Posts: 161
So, if there was a thread on ZwOpenFile(), why not one on ZwCreateFile()?

Code is:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

WCHAR *ProgramLogFile = L"\\??\\Global\\C:\\somefile.log";

LARGE_INTEGER AllocationSize;
UNICODE_STRING LogFileName;
IO_STATUS_BLOCK IoStatusBlock;
OBJECT_ATTRIBUTES ObjectAttributes;

NTSTATUS Status;

//
// Open the Log File for writing.
//
RtlInitUnicodeString(&LogFileName, ProgramLogFile);
InitializeObjectAttributes(
&ObjectAttributes,
&LogFileName,
OBJ_CASE_INSENSITIVE | OBJ_PERMANENT | OBJ_OPENIF,
NULL,
NULL
);
AllocationSize.QuadPart = 64 * 1024;
Status = ZwCreateFile(
&LogFileHandle,
GENERIC_ALL | SYNCHRONIZE | FILE_ANY_ACCESS,
&ObjectAttributes,
&IoStatusBlock,
&AllocationSize,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_WRITE | FILE_SHARE_READ | FILE_SHARE_DELETE,
FILE_SUPERSEDE,
FILE_WRITE_THROUGH | FILE_SYNCHRONOUS_IO_NONALERT|
FILE_SEQUENTIAL_ONLY | FILE_NON_DIRECTORY_FILE,
NULL,
0
);
if (NT_ERROR(Status)) {
...


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Status returned is 0xC000000D (STATUS_INVALID_PARAMETER). *What* is the
invalid parameter? I have been tweaking them for a couple of hours now!

In the same piece of software, the following code using ZwOpenFile() works!


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

WCHAR *ProgramInputFile = L"\\??\\Global\\C:\\somefile.dat"

HANDLE InputFile;
IO_STATUS_BLOCK IoStatusBlock;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING ObjectName;
NTSTATUS Status;

RtlInitUnicodeString(&ObjectName, ProgramInputFile);

InitializeObjectAttributes(
&ObjectAttributes,
&ObjectName,
OBJ_CASE_INSENSITIVE,
NULL, NULL
);

Status = ZwOpenFile(
&InputFile,
GENERIC_ALL | SYNCHRONIZE,
&ObjectAttributes,
&IoStatusBlock,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_RANDOM_ACCESS | FILE_SYNCHRONOUS_IO_NONALERT
);

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Why does the code with ZwOpenFile() work but the code with ZwCreateFile()
fail? What can I do to it to make it work? I no longer have any ideas.

Thanks,

--
Aram Hăvărneanu

Comments

  • Gary_Little-3Gary_Little-3 Member Posts: 1,208
    If you look at the definition of OBJECT_ATTRIBUTES you will see that ObjectName should be the address of a UNICODE_STRING. You are passing the address of a WCHAR to InitializeObjectAttributes in the ZwCreateFile example.

    Gary G. Little
    H (952) 223-1349
    C (952) 454-4629
    xxxxx@comcast.net



    -----Original Message-----
    From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Aram Havarneanu
    Sent: Monday, February 15, 2010 6:05 PM
    To: Windows System Software Devs Interest List
    Subject: [ntdev] ZwCreateFile

    So, if there was a thread on ZwOpenFile(), why not one on ZwCreateFile()?

    Code is:

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    WCHAR *ProgramLogFile = L"\\??\\Global\\C:\\somefile.log";

    LARGE_INTEGER AllocationSize;
    UNICODE_STRING LogFileName;
    IO_STATUS_BLOCK IoStatusBlock;
    OBJECT_ATTRIBUTES ObjectAttributes;

    NTSTATUS Status;

    //
    // Open the Log File for writing.
    //
    RtlInitUnicodeString(&LogFileName, ProgramLogFile);
    InitializeObjectAttributes(
    &ObjectAttributes,
    &LogFileName,
    OBJ_CASE_INSENSITIVE | OBJ_PERMANENT | OBJ_OPENIF,
    NULL,
    NULL
    );
    AllocationSize.QuadPart = 64 * 1024;
    Status = ZwCreateFile(
    &LogFileHandle,
    GENERIC_ALL | SYNCHRONIZE | FILE_ANY_ACCESS,
    &ObjectAttributes,
    &IoStatusBlock,
    &AllocationSize,
    FILE_ATTRIBUTE_NORMAL,
    FILE_SHARE_WRITE | FILE_SHARE_READ | FILE_SHARE_DELETE,
    FILE_SUPERSEDE,
    FILE_WRITE_THROUGH | FILE_SYNCHRONOUS_IO_NONALERT|
    FILE_SEQUENTIAL_ONLY | FILE_NON_DIRECTORY_FILE,
    NULL,
    0
    );
    if (NT_ERROR(Status)) {
    ...


    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Status returned is 0xC000000D (STATUS_INVALID_PARAMETER). *What* is the
    invalid parameter? I have been tweaking them for a couple of hours now!

    In the same piece of software, the following code using ZwOpenFile() works!


    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    WCHAR *ProgramInputFile = L"\\??\\Global\\C:\\somefile.dat"

    HANDLE InputFile;
    IO_STATUS_BLOCK IoStatusBlock;
    OBJECT_ATTRIBUTES ObjectAttributes;
    UNICODE_STRING ObjectName;
    NTSTATUS Status;

    RtlInitUnicodeString(&ObjectName, ProgramInputFile);

    InitializeObjectAttributes(
    &ObjectAttributes,
    &ObjectName,
    OBJ_CASE_INSENSITIVE,
    NULL, NULL
    );

    Status = ZwOpenFile(
    &InputFile,
    GENERIC_ALL | SYNCHRONIZE,
    &ObjectAttributes,
    &IoStatusBlock,
    FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
    FILE_RANDOM_ACCESS | FILE_SYNCHRONOUS_IO_NONALERT
    );

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Why does the code with ZwOpenFile() work but the code with ZwCreateFile()
    fail? What can I do to it to make it work? I no longer have any ideas.

    Thanks,

    --
    Aram Hăvărneanu


    ---
    NTDEV is sponsored by OSR

    For our schedule of WDF, WDM, debugging and other seminars visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


    __________ Information from ESET Smart Security, version of virus signature database 4869 (20100215) __________

    The message was checked by ESET Smart Security.

    http://www.eset.com



    __________ Information from ESET Smart Security, version of virus signature database 4869 (20100215) __________

    The message was checked by ESET Smart Security.

    http://www.eset.com
  • Aram_Havarneanu-2Aram_Havarneanu-2 Member Posts: 161
    "Gary G. Little" <xxxxx@comcast.net> wrote in message
    news:xxxxx@ntdev...
    > If you look at the definition of OBJECT_ATTRIBUTES you will see that
    > ObjectName should be the address of a UNICODE_STRING. You are passing the
    > address of a WCHAR to InitializeObjectAttributes in the ZwCreateFile
    > example.
    >

    I do not think I am. Am I?

    > WCHAR *ProgramLogFile = L"\\??\\Global\\C:\\somefile.log";
    >
    > LARGE_INTEGER AllocationSize;
    > UNICODE_STRING LogFileName;
    > IO_STATUS_BLOCK IoStatusBlock;
    > OBJECT_ATTRIBUTES ObjectAttributes;
    >
    > RtlInitUnicodeString(&LogFileName, ProgramLogFile);
    > InitializeObjectAttributes(
    > &ObjectAttributes,
    > &LogFileName,
    > OBJ_CASE_INSENSITIVE | OBJ_PERMANENT | OBJ_OPENIF,
    > NULL,
    > NULL
    > );

    I am passing the address of LogFileName, that is of UNICODE_STRING type.
    LogFileName was initialized by RtlInitUnicodeString(&LogFileName,
    ProgramLogFile).

    Thanks,

    --
    Aram Hăvărneanu
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    One that is wrong is OBJ_PERMANENT. This does not apply to files. Also
    OBJ_OPENIF is defined in the disposition (FILE_OPEN_IF) not the object
    attributes.

    Bill Wandel

    -----Original Message-----
    From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
    On Behalf Of Aram Havarneanu
    Sent: Monday, February 15, 2010 7:05 PM
    To: Windows System Software Devs Interest List
    Subject: [ntdev] ZwCreateFile

    So, if there was a thread on ZwOpenFile(), why not one on ZwCreateFile()?

    Code is:

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    WCHAR *ProgramLogFile = L"\\??\\Global\\C:\\somefile.log";

    LARGE_INTEGER AllocationSize;
    UNICODE_STRING LogFileName;
    IO_STATUS_BLOCK IoStatusBlock;
    OBJECT_ATTRIBUTES ObjectAttributes;

    NTSTATUS Status;

    //
    // Open the Log File for writing.
    //
    RtlInitUnicodeString(&LogFileName, ProgramLogFile);
    InitializeObjectAttributes(
    &ObjectAttributes,
    &LogFileName,
    OBJ_CASE_INSENSITIVE | OBJ_PERMANENT | OBJ_OPENIF,
    NULL,
    NULL
    );
    AllocationSize.QuadPart = 64 * 1024;
    Status = ZwCreateFile(
    &LogFileHandle,
    GENERIC_ALL | SYNCHRONIZE | FILE_ANY_ACCESS,
    &ObjectAttributes,
    &IoStatusBlock,
    &AllocationSize,
    FILE_ATTRIBUTE_NORMAL,
    FILE_SHARE_WRITE | FILE_SHARE_READ | FILE_SHARE_DELETE,
    FILE_SUPERSEDE,
    FILE_WRITE_THROUGH | FILE_SYNCHRONOUS_IO_NONALERT|
    FILE_SEQUENTIAL_ONLY | FILE_NON_DIRECTORY_FILE,
    NULL,
    0
    );
    if (NT_ERROR(Status)) {
    ...


    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Status returned is 0xC000000D (STATUS_INVALID_PARAMETER). *What* is the
    invalid parameter? I have been tweaking them for a couple of hours now!

    In the same piece of software, the following code using ZwOpenFile() works!


    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    WCHAR *ProgramInputFile = L"\\??\\Global\\C:\\somefile.dat"

    HANDLE InputFile;
    IO_STATUS_BLOCK IoStatusBlock;
    OBJECT_ATTRIBUTES ObjectAttributes;
    UNICODE_STRING ObjectName;
    NTSTATUS Status;

    RtlInitUnicodeString(&ObjectName, ProgramInputFile);

    InitializeObjectAttributes(
    &ObjectAttributes,
    &ObjectName,
    OBJ_CASE_INSENSITIVE,
    NULL, NULL
    );

    Status = ZwOpenFile(
    &InputFile,
    GENERIC_ALL | SYNCHRONIZE,
    &ObjectAttributes,
    &IoStatusBlock,
    FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
    FILE_RANDOM_ACCESS | FILE_SYNCHRONOUS_IO_NONALERT
    );

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Why does the code with ZwOpenFile() work but the code with ZwCreateFile()
    fail? What can I do to it to make it work? I no longer have any ideas.

    Thanks,

    --
    Aram H?v?rneanu


    ---
    NTDEV is sponsored by OSR

    For our schedule of WDF, WDM, debugging and other seminars visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at
    http://www.osronline.com/page.cfm?name=ListServer
  • Doron_HolanDoron_Holan Member - All Emails Posts: 10,435
    Why are you not opening a kernel handle?

    d

    tiny phone keyboard + fat thumbs = you do the muth



    -----Original Message-----
    From: Aram H?v?rneanu <xxxxx@mgk.ro>
    Sent: Monday, February 15, 2010 4:59 PM
    To: Windows System Software Devs Interest List <xxxxx@lists.osr.com>
    Subject: Re:[ntdev] ZwCreateFile


    "Gary G. Little" <xxxxx@comcast.net> wrote in message
    news:xxxxx@ntdev...
    > If you look at the definition of OBJECT_ATTRIBUTES you will see that
    > ObjectName should be the address of a UNICODE_STRING. You are passing the
    > address of a WCHAR to InitializeObjectAttributes in the ZwCreateFile
    > example.
    >

    I do not think I am. Am I?

    > WCHAR *ProgramLogFile = L"\\??\\Global\\C:\\somefile.log";
    >
    > LARGE_INTEGER AllocationSize;
    > UNICODE_STRING LogFileName;
    > IO_STATUS_BLOCK IoStatusBlock;
    > OBJECT_ATTRIBUTES ObjectAttributes;
    >
    > RtlInitUnicodeString(&LogFileName, ProgramLogFile);
    > InitializeObjectAttributes(
    > &ObjectAttributes,
    > &LogFileName,
    > OBJ_CASE_INSENSITIVE | OBJ_PERMANENT | OBJ_OPENIF,
    > NULL,
    > NULL
    > );

    I am passing the address of LogFileName, that is of UNICODE_STRING type.
    LogFileName was initialized by RtlInitUnicodeString(&LogFileName,
    ProgramLogFile).

    Thanks,

    --
    Aram H?v?rneanu


    ---
    NTDEV is sponsored by OSR

    For our schedule of WDF, WDM, debugging and other seminars visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
    d
  • Aram_Havarneanu-2Aram_Havarneanu-2 Member Posts: 161
    "Bill Wandel" <xxxxx@bwandel.com> wrote in message news:xxxxx@ntdev...
    > One that is wrong is OBJ_PERMANENT. This does not apply to files. Also
    > OBJ_OPENIF is defined in the disposition (FILE_OPEN_IF) not the object
    > attributes.

    You are of course, right. After 24 hours of continuous work without sleep
    it's easy to screw up like this.

    Thank you!

    --
    Aram Hăvărneanu
  • Aram_Havarneanu-2Aram_Havarneanu-2 Member Posts: 161
    "Doron Holan" <xxxxx@microsoft.com> wrote in message
    news:xxxxx@ntdev...
    > Why are you not opening a kernel handle?
    >

    Because this is actually user mode. Native app executing at BootExecute.
    Application works, I decided to implement logging. Seems to work now with
    Bill's fix :-).

    Thanks,

    --
    Aram Hăvărneanu
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Developing Minifilters 29 July 2019 OSR Seminar Space
Writing WDF Drivers 23 Sept 2019 OSR Seminar Space
Kernel Debugging 21 Oct 2019 OSR Seminar Space
Internals & Software Drivers 18 Nov 2019 Dulles, VA