Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

I want a way to call FltSetInformationFile () from the network path(shared folder), (err 0xC0000022)

snheosnheo Member Posts: 4

Hi
I have tried to move the detected file in IRP_MJ_CREATE by calling FltSetInformationFile ().
However, I get a STATUS_ACCESS_DENIED (0xC0000022) error.

  • I wonder if there is a way to access the shared folder in the kernel.

Below is my code.

// OriginFilePath : \Device\Mup\192.168.0.4\test\test.txt
// DestFilePath : \Device\Mup\192.168.0.4\test\test.txt.move
NTSTATUS MoveFile(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, WCHAR *OriginFilePath, WCHAR *DestFilePath)
{
UNREFERENCED_PARAMETER(Data);
UNREFERENCED_PARAMETER(FltObjects);
UNREFERENCED_PARAMETER(OriginFilePath);
UNREFERENCED_PARAMETER(DestFilePath);

NTSTATUS Status = STATUS_UNSUCCESSFUL;
UNICODE_STRING OrifileNameUnicodeString = { 0, };
UNICODE_STRING RenfileNameUnicodeString = { 0, };
OBJECT_ATTRIBUTES OriObjAttr = { 0 };
IO_STATUS_BLOCK OriIoFileStatus = { 0, };
PFILE_RENAME_INFORMATION RenameInfo = NULL;
HANDLE FileHandle = NULL;
PFILE_OBJECT ptmpfo = NULL;

if (!OriginFilePath || !DestFilePath)
    return Status;

DbgPrint("MoveFile %S -> %S\n", OriginFilePath, DestFilePath);

RtlInitUnicodeString(&OrifileNameUnicodeString, OriginFilePath);
RtlInitUnicodeString(&RenfileNameUnicodeString, DestFilePath);

InitializeObjectAttributes(&OriObjAttr, &OrifileNameUnicodeString, OBJ_KERNEL_HANDLE, NULL, NULL);

Status = FltCreateFileEx(FltObjects->Filter,
    FltObjects->Instance,
    &FileHandle,
    &ptmpfo,
    FILE_GENERIC_WRITE, &OriObjAttr, &OriIoFileStatus, NULL,
    FILE_ATTRIBUTE_NORMAL,
    FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
    FILE_OPEN, 0, NULL, 0, 0
    );

if (!NT_SUCCESS(Status) || !FileHandle) {
    DbgPrint("FAIL - MoveFile, FltCreateFileEx %X\n", Status);
    return Status;
}

RenameInfo = (PFILE_RENAME_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, 
    sizeof(FILE_RENAME_INFORMATION) + RenfileNameUnicodeString.Length, '12WR');
if (!RenameInfo) {
    FltClose(FileHandle);
    return Status;
}

memcpy(RenameInfo->FileName, RenfileNameUnicodeString.Buffer, RenfileNameUnicodeString.Length);
RenameInfo->ReplaceIfExists = TRUE;
RenameInfo->RootDirectory = NULL;
RenameInfo->FileNameLength = RenfileNameUnicodeString.Length;

Status = FltSetInformationFile(FltObjects->Instance, ptmpfo, RenameInfo,
    sizeof(FILE_RENAME_INFORMATION) + RenfileNameUnicodeString.Length,
    FileRenameInformation);

if (!NT_SUCCESS(Status))
    DbgPrint("FAIL - MoveFile, FltSetInformation %X\n", Status);            // <--- STATUS_ACCESS_DENIED (0xC0000022) error.

ExFreePool(RenameInfo);
FltClose(FileHandle);
return Status;

}

Comments

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 224

    Was the file already opened when you call your MoveFile API?
    If so, you cannot overcome any sharing restrictions, as they are handled by the server, which does not recognize your driver as its kernel mode code. You are just another client.

  • snheosnheo Member Posts: 4

    Hi. Dejan_Maksimovic.
    Thank you for your reply.
    When IRP_MJ_CREATE, I want to back up.
    When the MoveFile () API is called, the application has already called CreateFile () with the share option(FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE).
    If there is no sharing option, it returns STATUS_ACCESS_VIOLATION.
    Can not access shared folders in kernel mode code?

    @Dejan_Maksimovic said:
    Was the file already opened when you call your MoveFile API?
    If so, you cannot overcome any sharing restrictions, as they are handled by the server, which does not recognize your driver as its kernel mode code. You are just another client.

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 224
    via Email
    You just answered you own question.

    > If there is no sharing option, it returns STATUS_ACCESS_VIOLATION.
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Developing Minifilters 29 July 2019 OSR Seminar Space
Writing WDF Drivers 23 Sept 2019 OSR Seminar Space
Kernel Debugging 21 Oct 2019 OSR Seminar Space
Internals & Software Drivers 18 Nov 2019 Dulles, VA