ZwCreateFile

So, if there was a thread on ZwOpenFile(), why not one on ZwCreateFile()?

Code is:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

WCHAR *ProgramLogFile = L"\\??\\Global\\C:\\somefile.log";

HANDLE LogFileHandle;
LARGE_INTEGER AllocationSize;
UNICODE_STRING LogFileName;
IO_STATUS_BLOCK IoStatusBlock;
OBJECT_ATTRIBUTES ObjectAttributes;

NTSTATUS Status;

//
// Open the Log File for writing.
//
RtlInitUnicodeString(&LogFileName, ProgramLogFile);
InitializeObjectAttributes(
    &ObjectAttributes,
    &LogFileName,
    OBJ_CASE_INSENSITIVE | OBJ_PERMANENT | OBJ_OPENIF,
    NULL,
    NULL
    );
AllocationSize.QuadPart = 64 * 1024;
Status = ZwCreateFile(
    &LogFileHandle,
    GENERIC_ALL | SYNCHRONIZE | FILE_ANY_ACCESS,
    &ObjectAttributes,
    &IoStatusBlock,
    &AllocationSize,
    FILE_ATTRIBUTE_NORMAL,
    FILE_SHARE_WRITE | FILE_SHARE_READ | FILE_SHARE_DELETE,
    FILE_SUPERSEDE,
    FILE_WRITE_THROUGH | FILE_SYNCHRONOUS_IO_NONALERT |
        FILE_SEQUENTIAL_ONLY | FILE_NON_DIRECTORY_FILE,
    NULL,
    0
    );
if (NT_ERROR(Status)) {

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Status returned is 0xC000000D (STATUS_INVALID_PARAMETER). *What* is the
invalid parameter? I have been tweaking them for a couple of hours now!

In the same piece of software, the following code using ZwOpenFile() works!

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

WCHAR *ProgramInputFile = L"\\??\\Global\\C:\\somefile.dat";

HANDLE InputFile;
IO_STATUS_BLOCK IoStatusBlock;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING ObjectName;
NTSTATUS Status;

RtlInitUnicodeString(&ObjectName, ProgramInputFile);

InitializeObjectAttributes(
    &ObjectAttributes,
    &ObjectName,
    OBJ_CASE_INSENSITIVE,
    NULL, NULL
    );

Status = ZwOpenFile(
    &InputFile,
    GENERIC_ALL | SYNCHRONIZE,
    &ObjectAttributes,
    &IoStatusBlock,
    FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
    FILE_RANDOM_ACCESS | FILE_SYNCHRONOUS_IO_NONALERT
    );

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Why does the code with ZwOpenFile() work but the code with ZwCreateFile()
fail? What can I do to it to make it work? I no longer have any ideas.

Thanks,


Aram Hăvărneanu

If you look at the definition of OBJECT_ATTRIBUTES you will see that ObjectName should be the address of a UNICODE_STRING. You are passing the address of a WCHAR to InitializeObjectAttributes in the ZwCreateFile example.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

__________ Information from ESET Smart Security, version of virus signature database 4869 (20100215) __________

The message was checked by ESET Smart Security.

http://www.eset.com

“Gary G. Little” wrote in message
news:xxxxx@ntdev…
> If you look at the definition of OBJECT_ATTRIBUTES you will see that
> ObjectName should be the address of a UNICODE_STRING. You are passing the
> address of a WCHAR to InitializeObjectAttributes in the ZwCreateFile
> example.
>

I do not think I am. Am I?

> WCHAR *ProgramLogFile = L"\\??\\Global\\C:\\somefile.log";
>
> LARGE_INTEGER AllocationSize;
> UNICODE_STRING LogFileName;
> IO_STATUS_BLOCK IoStatusBlock;
> OBJECT_ATTRIBUTES ObjectAttributes;
>
> RtlInitUnicodeString(&LogFileName, ProgramLogFile);
> InitializeObjectAttributes(
> &ObjectAttributes,
> &LogFileName,
> OBJ_CASE_INSENSITIVE | OBJ_PERMANENT | OBJ_OPENIF,
> NULL,
> NULL
> );

I am passing the address of LogFileName, that is of UNICODE_STRING type.
LogFileName was initialized by RtlInitUnicodeString(&LogFileName,
ProgramLogFile).

Thanks,


Aram Hăvărneanu

One that is wrong is OBJ_PERMANENT. This does not apply to files. Also
OBJ_OPENIF is defined in the disposition (FILE_OPEN_IF) not the object
attributes.

Bill Wandel

Why are you not opening a kernel handle?

d

tiny phone keyboard + fat thumbs = you do the muth

“Bill Wandel” wrote in message news:xxxxx@ntdev…
> One that is wrong is OBJ_PERMANENT. This does not apply to files. Also
> OBJ_OPENIF is defined in the disposition (FILE_OPEN_IF) not the object
> attributes.

You are, of course, right. After 24 hours of continuous work without sleep
it’s easy to screw up like this.

Thank you!


Aram Hăvărneanu

“Doron Holan” wrote in message
news:xxxxx@ntdev…
> Why are you not opening a kernel handle?
>

Because this is actually user mode. Native app executing at BootExecute.
Application works, I decided to implement logging. Seems to work now with
Bill’s fix :-).

Thanks,


Aram Hăvărneanu
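
Added example (not part of the thread and not code from any poster): a small pre-flight check that decodes an OBJECT_ATTRIBUTES flag mask and marks the two bits Bill Wandel's answer calls out for a file create. The names obj_flag, OBJ_FLAGS and lint_file_attributes are hypothetical; the OBJ_* values are redefined locally to match the WDK headers so the block builds without them.

```c
#include <stdio.h>
#include <string.h>

struct obj_flag { unsigned long bit; const char *name; const char *advice; };

/* OBJ_* values as in the WDK headers, redefined so this builds without
 * them. A non-NULL advice marks a flag called out in the answer above. */
static const struct obj_flag OBJ_FLAGS[] = {
    { 0x002UL, "OBJ_INHERIT",            NULL },
    { 0x010UL, "OBJ_PERMANENT",          "does not apply to files; remove it" },
    { 0x020UL, "OBJ_EXCLUSIVE",          NULL },
    { 0x040UL, "OBJ_CASE_INSENSITIVE",   NULL },
    { 0x080UL, "OBJ_OPENIF",             "use CreateDisposition FILE_OPEN_IF" },
    { 0x100UL, "OBJ_OPENLINK",           NULL },
    { 0x200UL, "OBJ_KERNEL_HANDLE",      NULL },
    { 0x400UL, "OBJ_FORCE_ACCESS_CHECK", NULL },
};

/* Writes one line per set flag into report, returns the flagged bits,
 * and stores attrs with those bits cleared in *cleaned. */
unsigned long lint_file_attributes(unsigned long attrs, unsigned long *cleaned,
                                   char *report, size_t len)
{
    unsigned long bad = 0;
    size_t used = 0, i;
    if (len) report[0] = '\0';
    for (i = 0; i < sizeof OBJ_FLAGS / sizeof OBJ_FLAGS[0]; i++) {
        const struct obj_flag *f = &OBJ_FLAGS[i];
        int n;
        if (!(attrs & f->bit)) continue;
        if (f->advice) bad |= f->bit;
        if (used >= len) continue;          /* report full: keep classifying */
        n = snprintf(report + used, len - used, "%s%s%s\n", f->name,
                     f->advice ? ": " : "", f->advice ? f->advice : "");
        if (n > 0) used += (size_t)n < len - used ? (size_t)n : len - used;
    }
    *cleaned = attrs & ~bad;
    return bad;
}

int main(void)
{
    char report[256];
    unsigned long cleaned;
    /* 0x40 | 0x10 | 0x80: the Attributes posted in the failing call. */
    unsigned long bad = lint_file_attributes(0xD0UL, &cleaned, report, sizeof report);
    printf("%sflagged=0x%lx cleaned=0x%lx\n", report, bad, cleaned);
    return 0;
}
```

For the flags in the original post this leaves OBJ_CASE_INSENSITIVE as the only attribute, which matches the ZwOpenFile() call that worked.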