Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Access denied while opening file with FILE_OPEN_BY_FILE_ID, NtCreateFIle, ObjectID

hdk123hdk123 Member Posts: 2
in NTFSD

Here I am trying to get a file handle by opening the fine by objectID, this open call is returning in access denied but the calling process has fill write access to the volume. Same call is working on some particular machine and getting access denied always on other.

FILE_OBJECTID_BUFFER ObjId
UNICODESTRING findstr;
findstr.Buffer = (WCHAR)&(ObjId->ObjectId);

OBJECT_ATTRIBUTES ObjAttribute = {0};
InitializeObjectAttributes (&ObjAttribute,
&fidstr,
OBJ_CASE_INSENSITIVE,
VolumeHandle,
NULL);

ULONG iosb[2];

ULONG status = NtCreatefile(&targethandle,
GENERIC_ALL,
&ObjAttribute,
iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_OPEN_BY_FILE_ID | FILE_NON_DIRECTORY_FILE,
NULL, 0);

Is some flag is missing here? Or Is there any other way to open the file handle by ObjectID? I am using FSCTL_GET_OBJECT_ID to get the file objectid.

fsutil objectid query

· Share on Facebook

Comments

  • 0xrepnz0xrepnz Member Posts: 41
    edited October 9

    findstr.Buffer = (WCHAR)&(ObjId->ObjectId);

    Seems like you cast the ObjectId pointer to WCHAR which truncates the value to the first 2 bytes of the pointer. Try to use PWCHAR instead.

    Also, regarding this

    ULONG iosb[2];

    why don't you use IO_STATUS_BLOCK? I think the size is incorrect in x64 systems. (The .Information member is not ULONG but ULONG_PTR. Which makes the size of this structure 16 and not 8.)

    Both of these issues could cause STATUS_ACCESS_VIOLATION because the kernel invokes ProbeForRead before accessing the buffers.

    - Ori Damari
    · Share on Facebook
  • hdk123hdk123 Member Posts: 2

    findstr.Buffer = (PWCHAR)&(ObjId->ObjectId);
    findstr.Length = sizeof(ObjId->ObjectId);
    findstr.MaximumLength = sizeof(ObjId->ObjectId);

    OBJECT_ATTRIBUTES ObjAttribute = {0};
    InitializeObjectAttributes (&ObjAttribute,
    &fidstr,
    OBJ_CASE_INSENSITIVE,
    VolumeHandle,
    NULL);

    IO_STATUS_BLOCK iosb = {0};

    I am initializing attributes as above, still the same issue getting access denied.
    If the file is not present in the volume it should return file_not_found in nt_status, but in this case as well I am getting access denied.

    · Share on Facebook
  • 0xrepnz0xrepnz Member Posts: 41
    edited October 9

    Hmm, sounds weird.

    - Ori Damari
    · Share on Facebook
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register
Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Internals & Software Drivers 25 Jan 2021 LIVE ONLINE
Developing Minifilters 8 March 2021 LIVE ONLINE

Categories