Writing data to the root directory

I am trying to write data to the root directory using the ZwWriteFile function, but this function is ignored, although I can read the data from the root directory. Why is this happening and how can this be fixed?

Alexey_Yerakhavets wrote:

I am trying to write data to the root directory using the ZwWriteFile function, but this function is ignored, although I can read the data from the root directory. Why is this happening and how can this be fixed?

It is obviously not being ignored.  It’s more likely that your
ZwCreateFile call failed.  Are you checking for errors?  Is this in a
user-mode app or a kernel driver?  From user-mode, you need
administrator privileges to write into the root.

@Tim_Roberts said:

It is obviously not being ignored. It’s more likely that your
ZwCreateFile call failed. Are you checking for errors? Is this in a
user-mode app or a kernel driver? From user-mode, you need
administrator privileges to write into the root.

Hi, Tim. I’m trying to use ZwWriteFile in the upper disk filter driver (kernel mode). I get the error code 0xC0000022 STATUS_ACCESS_DENIED.

    InitializeObjectAttributes(&oa, &PhysDrvName,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);

    /* Open the target for synchronous read/write access. */
    status = ZwOpenFile(&pPhysDiskHandle,
        GENERIC_READ | SYNCHRONIZE | GENERIC_WRITE,
        &oa, &iost,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        FILE_SYNCHRONOUS_IO_NONALERT);

    /* Read one sector at 'position' into CryptSector. */
    status = ZwReadFile(pPhysDiskHandle, NULL, NULL, NULL, &iost,
        CryptSector, sizeof(CryptSector), &position, NULL);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("error code %x", status);
    }

    /* Process the sector in place (source and destination are both CryptSector). */
    ChangeSectors(&devCont->Filter.CryptKey, CryptSector, CryptSector, position, 1, FALSE);

    /* Write the processed sector back to the same position. */
    status = ZwWriteFile(pPhysDiskHandle, NULL, NULL, NULL, &iost,
        CryptSector, sizeof(CryptSector), &position, NULL);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("error code %x", status);
    }

ZwReadFile works correctly.

And the value of “status” for ZwWriteFile is?
Mark Roddy

Alexey_Yerakhavets wrote:

Hi, Tim. I’m trying to use ZwWriteFile in the disk filter driver. I get the error code 0xC0000022 STATUS_ACCESS_DENIED.

What I’m saying here is that you are doing something wrong.  We can’t
help you without seeing the code, and you’re not showing us nearly
enough.  Where did you get pPhysDiskHandle?  Are you calling
ZwCreateFile?  If so, show it to us, including all the structures that
lead up to it.

pPhysDiskHandle is a deceptive name.  If you have called ZwCreateFile,
then it’s not a pointer to a handle at all.  It’s a handle.  Further, it’s
not a physical disk handle, unless you actually opened a
\\.\PhysicalDriveX file, and in that case there are no directories
involved.  It’s raw sectors.

Are you accessing a disk other than the one you’re filtering?  If it’s
the same drive, that seems like a loop just waiting to happen.