How to use FltCreateFileEx open physical Disk

Jehoshua_J Member Posts: 5
edited August 2019 in NTFSD

I want to open a physical disk to read the MBR from it and write something there. But this disk has a minifilter, so I decided to use FltCreateFile to open the disk. But when I try to use \\.\PhysicalDrive1 as the path parameter, the return status is STATUS_OBJECT_NAME_INVALID, and when I try to use \??\PhysicalDrive1 or "\Device\Harddisk1\DR2", the return status is STATUS_INVALID_DEVICE_OBJECT_PARAMETER. Could you help me?
My code is here. When I set bypassThreadID and use ZwCreateFile, I can open the physical disk.

```c
// Open the physical disk with ZwCreateFile while this thread is marked as bypassed.
g_dwBypassThreadID = PsGetCurrentThreadId();
InitializeObjectAttributes(&oa, &pInstanceContext->ustrPhyDeviceName,
                           OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, 0);
ntStatus = ZwCreateFile(&hFileHandle, GENERIC_READ | GENERIC_WRITE, &oa, &IoStatus, NULL,
                        FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN,
                        FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
g_dwBypassThreadID = 0;
if (STATUS_SUCCESS != ntStatus)
{
    break;
}
if (hFileHandle != NULL)
{
    ZwClose(hFileHandle);
    hFileHandle = NULL;
}

// Open the same device name with FltCreateFileEx, passing the instance in pRetInstance.
InitializeObjectAttributes(&oa, &pInstanceContext->ustrPhyDeviceName,
                           OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, 0);
ntStatus = FltCreateFileEx(g_pFilterObj, pRetInstance, &hFileHandle, &pFileObject,
                           GENERIC_READ | GENERIC_WRITE, &oa, &IoStatus, NULL, 0,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN,
                           FILE_SYNCHRONOUS_IO_NONALERT | FILE_WRITE_THROUGH | FILE_NO_INTERMEDIATE_BUFFERING,
                           NULL, 0, 0);
if (STATUS_SUCCESS != ntStatus)
{
    break;
}
```

Comments

  • rod_widdowson Member - All Emails Posts: 1,131

    pRetInstance is NULL?

  • rod_widdowson Member - All Emails Posts: 1,131

    The other thing to observe of course is that with the handle being open to the physical device nothing will be going down the file system stack and so it could be said that using FltXXXX operations is inappropriate.

    Just make sure to close FltCreate handles with FltClose and Zw handles with NtClose...

  • Jehoshua_J Member Posts: 5

    @rod_widdowson said:
    pRetInstance is NULL?

    The pRetInstance is not NULL, but I used a volume name such as /??/E: to get this instance, so I suspect this is a volume instance, not a physical instance. I think maybe with a physical instance I can use it.

  • rod_widdowson Member - All Emails Posts: 1,131

    Having a filesystem instance when creating a handle to a physical volume makes no sense - they are on different stacks.
