Hi, All.
I wrote a function to convert the drive letter in a file minifilter. In this function, I use the ZwQuerySymbolicLinkObject function to get the hard disk’s drive letter.
But the function ZwQuerySymbolicLinkObject caused BSOD and the error code 0xC4_f6 means “A driver references a user-mode handle as kernel mode.”
I can’t fig out what caused this bug. Hope you guys can give some advice.
Any word will be appreciated.
Here is my function code:
NTSTATUS QuerySymbolicLink( IN PUNICODE_STRING SymbolicLinkName, OUT PUNICODE_STRING LinkTarget ) { OBJECT_ATTRIBUTES objAttr = { 0 }; NTSTATUS status; HANDLE handle = NULL; InitializeObjectAttributes(&objAttr, SymbolicLinkName, OBJ_CASE_INSENSITIVE, 0, 0); status = ZwOpenSymbolicLinkObject(&handle, GENERIC_READ, &objAttr); if (!NT_SUCCESS(status)) { DbgPrint("open the symbolinkobj failed ..\n"); ZwClose(handle); return status; } if (!LinkTarget->Buffer) { ZwClose(handle); return STATUS_INSUFFICIENT_RESOURCES; } RtlZeroMemory(LinkTarget->Buffer, LinkTarget->MaximumLength); status = ZwQuerySymbolicLinkObject(handle, LinkTarget, NULL); ZwClose(handle); if (!NT_SUCCESS(status)) { DbgPrint(" query the symbolinkObject failed ...\n"); } return status; }