Reading a file only by using IofCallDriver

I’ve been researching a small program that reads files from the hard drive without using Zw/Flt API. The program manually parses the filesystem, and eventually gets to the target file. From there it creates an IRP and an MDL, and finally calls IofCallDriver to read the contents of the file to the buffer described by the MDL.

The strange part is, the IRP has no reference to the target file (or at least I couldn’t find one). I’ll describe the API calls in order -

  1. IoGetDeviceObjectPointer - gets “\Device\0000006e” as ObjectName
  2. IoGetBaseFileSystemDeviceObject - gets the PFILE_OBJECT returned from previous
  3. ExAllocatePool - for the contents of the file
  4. IoAllocateIrp
  5. IoAllocateMdl - provided with the virtual address from step 3
  6. IRP setup -
    * Add reference of the MDL to the IRP.
    * flags = 5.
    * UserBuffer = NULL.
    * Overlay->CurrentStackLocation-> Major and minor functions are both 0.
    * Overlay->OriginalFileObject-> NULL
  7. Call IofCallDriver and the contents of the file are copied to VA described by the MDL.

So my question is, how is the data read when there are no references to the file in the IRP? What am I missing here?

I would guess they are retrieving the on disk extents for the file and
sending Irps for those regions to the underlying storage device. No need
for a file object in that case, you are below the file system talking
directly to the device.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@gmail.com
To: “Windows File Systems Devs Interest List”
Sent: 10/12/2016 3:20:42 PM
Subject: [ntfsd] Reading a file only by using IofCallDriver


So I’m wondering what information is getting passed along in the IRP? Something must tell the device where to go and what to get. Where does this information go in the IRP?
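As an added illustration of Pete's point (example code, not from the thread or from the program being analysed): once the file system has been parsed by hand, what the file "is" at the device level is just a list of cluster runs, and the only thing a read sent to the storage device needs is a volume byte offset and a length. The runlist encoding below is NTFS-style (header nibble sizes, signed LCN deltas, zero-offset-size for sparse runs), the runlist bytes and the 4096-byte cluster size are constructed, and the sparse case shows why a raw device read cannot return such bytes at all.

```c
#include <stdint.h>
#include <stddef.h>

typedef struct {
    uint64_t disk_offset, length;  /* volume byte offset and length in bytes */
    int sparse;                    /* 1: no clusters on disk, reads back as zeros */
} extent_t;

/* Decode an NTFS-style runlist: header low nibble = size of the run length field,
 * high nibble = size of the signed LCN delta (0 = sparse); a 0x00 header ends it. */
int decode_runlist(const uint8_t *rl, size_t rl_len, uint64_t cluster_size,
                   extent_t *out, int max_out)
{
    size_t pos = 0; int64_t lcn = 0; int n = 0;
    while (pos < rl_len && rl[pos] != 0) {
        unsigned len_sz = rl[pos] & 0x0F, off_sz = rl[pos] >> 4;
        pos++;
        if (len_sz == 0 || len_sz > 8 || off_sz > 8 ||
            pos + len_sz + off_sz > rl_len || n >= max_out) return -1;
        uint64_t run_len = 0, raw = 0;
        for (unsigned i = 0; i < len_sz; i++) run_len |= (uint64_t)rl[pos + i] << (8 * i);
        pos += len_sz;
        for (unsigned i = 0; i < off_sz; i++) raw |= (uint64_t)rl[pos + i] << (8 * i);
        int64_t delta = (int64_t)raw;
        if (off_sz && off_sz < 8 && (rl[pos + off_sz - 1] & 0x80))
            delta -= (int64_t)1 << (8 * off_sz);   /* sign-extend the delta */
        pos += off_sz; lcn += delta;               /* delta is relative to the previous LCN */
        out[n].sparse = (off_sz == 0);
        out[n].disk_offset = out[n].sparse ? 0 : (uint64_t)lcn * cluster_size;
        out[n].length = run_len * cluster_size; n++;
    }
    return n;
}

/* Map a file-relative byte offset to the volume byte offset a read issued straight
 * to the storage device would target. Returns 0 for a sparse run or past the end. */
int map_file_offset(const extent_t *ext, int n, uint64_t file_off, uint64_t *disk_off)
{
    uint64_t base = 0;
    for (int i = 0; i < n; i++) {
        if (file_off < base + ext[i].length) {
            if (ext[i].sparse) return 0;
            *disk_off = ext[i].disk_offset + (file_off - base); return 1;
        }
        base += ext[i].length;
    }
    return 0;
}

/* Constructed sample: 24 clusters at LCN 0x3456, 8 clusters 16 lower (0xF0 = -16), 4 sparse. */
static const uint8_t SAMPLE_RUNLIST[] = { 0x21,0x18,0x56,0x34, 0x11,0x08,0xF0, 0x01,0x04, 0x00 };
```

The device-level IRP therefore carries the offset and length from `map_file_offset`, not anything naming the file; a minifilter above the file system never sees such a read, which is why this pattern matters for detection.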