I want a way to call FltSetInformationFile () from the network path(shared folder), (err 0xC0000022)

NTFSD
1

Hi
I have tried to move the detected file in IRP_MJ_CREATE by calling FltSetInformationFile ().
However, I get a STATUS_ACCESS_DENIED (0xC0000022) error.

  • I wonder if there is a way to access the shared folder in the kernel.

Below is my code.

// OriginFilePath : \Device\Mup\192.168.0.4\test\test.txt
// DestFilePath : \Device\Mup\192.168.0.4\test\test.txt.move
NTSTATUS MoveFile(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, WCHAR *OriginFilePath, WCHAR *DestFilePath)
{
UNREFERENCED_PARAMETER(Data);
UNREFERENCED_PARAMETER(FltObjects);
UNREFERENCED_PARAMETER(OriginFilePath);
UNREFERENCED_PARAMETER(DestFilePath);

NTSTATUS Status = STATUS_UNSUCCESSFUL;
UNICODE_STRING OrifileNameUnicodeString = { 0, };
UNICODE_STRING RenfileNameUnicodeString = { 0, };
OBJECT_ATTRIBUTES OriObjAttr = { 0 };
IO_STATUS_BLOCK OriIoFileStatus = { 0, };
PFILE_RENAME_INFORMATION RenameInfo = NULL;
HANDLE FileHandle = NULL;
PFILE_OBJECT ptmpfo = NULL;

if (!OriginFilePath || !DestFilePath)
	return Status;

DbgPrint("MoveFile %S -> %S\n", OriginFilePath, DestFilePath);

RtlInitUnicodeString(&OrifileNameUnicodeString, OriginFilePath);
RtlInitUnicodeString(&RenfileNameUnicodeString, DestFilePath);

InitializeObjectAttributes(&OriObjAttr, &OrifileNameUnicodeString, OBJ_KERNEL_HANDLE, NULL, NULL);

Status = FltCreateFileEx(FltObjects->Filter,
	FltObjects->Instance,
	&FileHandle,
	&ptmpfo,
	FILE_GENERIC_WRITE, &OriObjAttr, &OriIoFileStatus, NULL,
	FILE_ATTRIBUTE_NORMAL,
	FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
	FILE_OPEN, 0, NULL, 0, 0
	);

if (!NT_SUCCESS(Status) || !FileHandle) {
	DbgPrint("FAIL - MoveFile, FltCreateFileEx %X\n", Status);
	return Status;
}

RenameInfo = (PFILE_RENAME_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, 
	sizeof(FILE_RENAME_INFORMATION) + RenfileNameUnicodeString.Length, '12WR');
if (!RenameInfo) {
	FltClose(FileHandle);
	return Status;
}

memcpy(RenameInfo->FileName, RenfileNameUnicodeString.Buffer, RenfileNameUnicodeString.Length);
RenameInfo->ReplaceIfExists = TRUE;
RenameInfo->RootDirectory = NULL;
RenameInfo->FileNameLength = RenfileNameUnicodeString.Length;

Status = FltSetInformationFile(FltObjects->Instance, ptmpfo, RenameInfo,
	sizeof(FILE_RENAME_INFORMATION) + RenfileNameUnicodeString.Length,
	FileRenameInformation);

if (!NT_SUCCESS(Status))
	DbgPrint("FAIL - MoveFile, FltSetInformation %X\n", Status); 			// <--- STATUS_ACCESS_DENIED (0xC0000022) error.

ExFreePool(RenameInfo);
FltClose(FileHandle);
return Status;

}

2

Was the file already opened when you call your MoveFile API?
If so, you cannot overcome any sharing restrictions, as they are handled by the server, which does not recognize your driver as its kernel mode code. You are just another client.

3

Hi. Dejan_Maksimovic.
Thank you for your reply.
When IRP_MJ_CREATE, I want to back up.
When the MoveFile () API is called, the application has already called CreateFile () with the share option(FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE).
If there is no sharing option, it returns STATUS_ACCESS_VIOLATION.
Can not access shared folders in kernel mode code?

@Dejan_Maksimovic said:
Was the file already opened when you call your MoveFile API?
If so, you cannot overcome any sharing restrictions, as they are handled by the server, which does not recognize your driver as its kernel mode code. You are just another client.

4

You just answered you own question.

If there is no sharing option, it returns STATUS_ACCESS_VIOLATION.