Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Access denied while opening file with FILE_OPEN_BY_FILE_ID, NtCreateFIle, ObjectID
Here I am trying to get a file handle by opening the fine by objectID, this open call is returning in access denied but the calling process has fill write access to the volume. Same call is working on some particular machine and getting access denied always on other.
FILE_OBJECTID_BUFFER ObjId
UNICODESTRING findstr;
findstr.Buffer = (WCHAR)&(ObjId->ObjectId);
OBJECT_ATTRIBUTES ObjAttribute = {0};
InitializeObjectAttributes (&ObjAttribute,
&fidstr,
OBJ_CASE_INSENSITIVE,
VolumeHandle,
NULL);
ULONG iosb[2];
ULONG status = NtCreatefile(&targethandle,
GENERIC_ALL,
&ObjAttribute,
iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_OPEN_BY_FILE_ID | FILE_NON_DIRECTORY_FILE,
NULL, 0);
Is some flag is missing here? Or Is there any other way to open the file handle by ObjectID? I am using FSCTL_GET_OBJECT_ID to get the file objectid.
fsutil objectid query
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
| Writing WDF Drivers | 7 Dec 2020 | LIVE ONLINE |
| Internals & Software Drivers | 25 Jan 2021 | LIVE ONLINE |
| Developing Minifilters | 8 March 2021 | LIVE ONLINE |
Comments
Seems like you cast the ObjectId pointer to WCHAR which truncates the value to the first 2 bytes of the pointer. Try to use PWCHAR instead.
Also, regarding this
why don't you use IO_STATUS_BLOCK? I think the size is incorrect in x64 systems. (The .Information member is not ULONG but ULONG_PTR. Which makes the size of this structure 16 and not 8.)
Both of these issues could cause STATUS_ACCESS_VIOLATION because the kernel invokes ProbeForRead before accessing the buffers.
findstr.Buffer = (PWCHAR)&(ObjId->ObjectId);
findstr.Length = sizeof(ObjId->ObjectId);
findstr.MaximumLength = sizeof(ObjId->ObjectId);
OBJECT_ATTRIBUTES ObjAttribute = {0};
InitializeObjectAttributes (&ObjAttribute,
&fidstr,
OBJ_CASE_INSENSITIVE,
VolumeHandle,
NULL);
IO_STATUS_BLOCK iosb = {0};
I am initializing attributes as above, still the same issue getting access denied.
If the file is not present in the volume it should return file_not_found in nt_status, but in this case as well I am getting access denied.
Hmm, sounds weird.