I want a way to call FltSetInformationFile() from the network path (shared folder) (err 0xC0000022)

snheo Member Posts: 4

Hi
I have tried to move the detected file in IRP_MJ_CREATE by calling FltSetInformationFile ().
However, I get a STATUS_ACCESS_DENIED (0xC0000022) error.

  • I wonder if there is a way to access the shared folder in the kernel.

Below is my code.

// OriginFilePath : \Device\Mup\192.168.0.4\test\test.txt
// DestFilePath : \Device\Mup\192.168.0.4\test\test.txt.move
NTSTATUS MoveFile(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, WCHAR *OriginFilePath, WCHAR *DestFilePath)
{
UNREFERENCED_PARAMETER(Data);   // only Data is unused; the other parameters are referenced below

NTSTATUS Status = STATUS_UNSUCCESSFUL;
UNICODE_STRING OrifileNameUnicodeString = { 0, };
UNICODE_STRING RenfileNameUnicodeString = { 0, };
OBJECT_ATTRIBUTES OriObjAttr = { 0 };
IO_STATUS_BLOCK OriIoFileStatus = { 0, };
PFILE_RENAME_INFORMATION RenameInfo = NULL;
HANDLE FileHandle = NULL;
PFILE_OBJECT ptmpfo = NULL;

if (!OriginFilePath || !DestFilePath)
    return Status;

DbgPrint("MoveFile %S -> %S\n", OriginFilePath, DestFilePath);

RtlInitUnicodeString(&OrifileNameUnicodeString, OriginFilePath);
RtlInitUnicodeString(&RenfileNameUnicodeString, DestFilePath);

InitializeObjectAttributes(&OriObjAttr, &OrifileNameUnicodeString, OBJ_KERNEL_HANDLE, NULL, NULL);

Status = FltCreateFileEx(FltObjects->Filter,
    FltObjects->Instance,
    &FileHandle,
    &ptmpfo,
    FILE_GENERIC_WRITE, &OriObjAttr, &OriIoFileStatus, NULL,
    FILE_ATTRIBUTE_NORMAL,
    FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
    FILE_OPEN, 0, NULL, 0, 0
    );

if (!NT_SUCCESS(Status) || !FileHandle) {
    DbgPrint("FAIL - MoveFile, FltCreateFileEx %X\n", Status);
    return Status;
}

RenameInfo = (PFILE_RENAME_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, 
    sizeof(FILE_RENAME_INFORMATION) + RenfileNameUnicodeString.Length, '12WR');
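if (!RenameInfo) {
    ObDereferenceObject(ptmpfo);            // drop the file object reference returned by FltCreateFileEx
    FltClose(FileHandle);
    return STATUS_INSUFFICIENT_RESOURCES;   // Status still holds the successful create status here
}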

memcpy(RenameInfo->FileName, RenfileNameUnicodeString.Buffer, RenfileNameUnicodeString.Length);
RenameInfo->ReplaceIfExists = TRUE;
RenameInfo->RootDirectory = NULL;
RenameInfo->FileNameLength = RenfileNameUnicodeString.Length;

Status = FltSetInformationFile(FltObjects->Instance, ptmpfo, RenameInfo,
    sizeof(FILE_RENAME_INFORMATION) + RenfileNameUnicodeString.Length,
    FileRenameInformation);

if (!NT_SUCCESS(Status))
    DbgPrint("FAIL - MoveFile, FltSetInformation %X\n", Status);            // <--- STATUS_ACCESS_DENIED (0xC0000022) error.

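ExFreePoolWithTag(RenameInfo, '12WR');
ObDereferenceObject(ptmpfo);   // release the file object reference returned by FltCreateFileEx
FltClose(FileHandle);
return Status;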

}

Comments

  • Dejan_Maksimovic Member - All Emails Posts: 297

    Was the file already opened when you call your MoveFile API?
    If so, you cannot overcome any sharing restrictions, as they are handled by the server, which does not recognize your driver as its kernel mode code. You are just another client.

  • snheo Member Posts: 4

    Hi, Dejan_Maksimovic.
    Thank you for your reply.
    On IRP_MJ_CREATE, I want to make a backup.
    When the MoveFile() API is called, the application has already called CreateFile() with the share option (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE).
    If there is no sharing option, it returns STATUS_ACCESS_VIOLATION.
    Can kernel-mode code not access shared folders?

    @Dejan_Maksimovic said:
    Was the file already opened when you call your MoveFile API?
    If so, you cannot overcome any sharing restrictions, as they are handled by the server, which does not recognize your driver as its kernel mode code. You are just another client.

  • Dejan_Maksimovic Member - All Emails Posts: 297
    via Email
    You just answered your own question.

    > If there is no sharing option, it returns STATUS_ACCESS_VIOLATION.
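
The sharing rule the replies refer to, as an added example that is not part of the original thread: a user-mode C model of the share-access check a file system applies to each open of a file (the rule implemented by IoCheckShareAccess), which for a shared folder is evaluated on the server for every client open, the driver's included. The names share_state, model_open and DELETE_ACCESS are hypothetical, and the constants are copied in so the block builds without the WDK.

```c
/* Added example: model of share-access arbitration between opens of one file. */
#include <stdint.h>

#define FILE_READ_DATA    0x00000001u
#define FILE_WRITE_DATA   0x00000002u
#define FILE_APPEND_DATA  0x00000004u
#define FILE_EXECUTE      0x00000020u
#define DELETE_ACCESS     0x00010000u  /* named DELETE in the WDK headers */
#define FILE_SHARE_READ   0x1u
#define FILE_SHARE_WRITE  0x2u
#define FILE_SHARE_DELETE 0x4u
#define STATUS_SUCCESS           0x00000000u
#define STATUS_SHARING_VIOLATION 0xC0000043u

/* Per-file counters kept by whoever owns the file: for a share, the server. */
typedef struct {
    unsigned open_count, readers, writers, deleters;
    unsigned shared_read, shared_write, shared_delete;
} share_state;

/* Check one open against all earlier opens; record it if it is compatible. */
uint32_t model_open(share_state *s, uint32_t desired, uint32_t share)
{
    int r  = (desired & (FILE_READ_DATA | FILE_EXECUTE)) != 0;
    int w  = (desired & (FILE_WRITE_DATA | FILE_APPEND_DATA)) != 0;
    int d  = (desired & DELETE_ACCESS) != 0;
    int sr = (share & FILE_SHARE_READ) != 0;
    int sw = (share & FILE_SHARE_WRITE) != 0;
    int sd = (share & FILE_SHARE_DELETE) != 0;

    if (!r && !w && !d)
        return STATUS_SUCCESS;   /* attribute-only opens take no part in sharing */

    /* The requested access must be shared by every earlier open, and the
     * access held by earlier opens must be allowed by this open's share mode. */
    if ((r && s->shared_read   < s->open_count) ||
        (w && s->shared_write  < s->open_count) ||
        (d && s->shared_delete < s->open_count) ||
        (s->readers && !sr) || (s->writers && !sw) || (s->deleters && !sd))
        return STATUS_SHARING_VIOLATION;

    s->open_count++;
    s->readers += r;       s->writers += w;       s->deleters += d;
    s->shared_read += sr;  s->shared_write += sw; s->shared_delete += sd;
    return STATUS_SUCCESS;
}
```

The model has no notion of who the caller is: a second open is judged only by its access and share bits against the opens already recorded.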