Access denied while opening file with FILE_OPEN_BY_FILE_ID, NtCreateFile, ObjectID

Here I am trying to get a file handle by opening the file by objectID. This open call is returning access denied, but the calling process has full write access to the volume. The same call is working on some particular machine and always getting access denied on others.

FILE_OBJECTID_BUFFER *ObjId;  // object ID obtained with FSCTL_GET_OBJECT_ID
UNICODE_STRING findstr;
findstr.Buffer = (WCHAR)&(ObjId->ObjectId);

OBJECT_ATTRIBUTES ObjAttribute = {0};
InitializeObjectAttributes(&ObjAttribute,
    &findstr,
    OBJ_CASE_INSENSITIVE,
    VolumeHandle,
    NULL);

ULONG iosb[2];

ULONG status = NtCreateFile(&targethandle,
    GENERIC_ALL,
    &ObjAttribute,
    iosb,
    NULL,
    FILE_ATTRIBUTE_NORMAL,
    FILE_SHARE_READ | FILE_SHARE_WRITE,
    FILE_OPEN,
    FILE_OPEN_BY_FILE_ID | FILE_NON_DIRECTORY_FILE,
    NULL, 0);

Is some flag missing here? Or is there any other way to open the file handle by ObjectID? I am using FSCTL_GET_OBJECT_ID to get the file's object ID.

fsutil objectid query <file_path>

findstr.Buffer = (WCHAR)&(ObjId->ObjectId);

Seems like you cast the ObjectId pointer to WCHAR which truncates the value to the first 2 bytes of the pointer. Try to use PWCHAR instead.

Also, regarding this:

ULONG iosb[2];

Why don't you use IO_STATUS_BLOCK? I think the size is incorrect on x64 systems. (The .Information member is not ULONG but ULONG_PTR, which makes the size of this structure 16 and not 8.)

Both of these issues could cause STATUS_ACCESS_VIOLATION because the kernel invokes ProbeForRead before accessing the buffers.

findstr.Buffer = (PWCHAR)&(ObjId->ObjectId);
findstr.Length = sizeof(ObjId->ObjectId);
findstr.MaximumLength = sizeof(ObjId->ObjectId);

OBJECT_ATTRIBUTES ObjAttribute = {0};
InitializeObjectAttributes(&ObjAttribute,
    &findstr,
    OBJ_CASE_INSENSITIVE,
    VolumeHandle,
    NULL);

IO_STATUS_BLOCK iosb = {0};

I am initializing the attributes as above and am still getting the same access denied issue.
If the file is not present in the volume, it should return file_not_found in nt_status, but in this case as well I am getting access denied.

Hmm, sounds weird.
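
The two corrections discussed in this thread (a pointer cast with an explicit 16-byte Length, and a real IO_STATUS_BLOCK), put together as an added example that is not code from any poster; it does not address the access denied result, which the thread leaves unresolved. The helper names object_id_name, iosb_shortfall and open_by_object_id are hypothetical, and the non-Windows typedefs are stand-ins assumed to mirror the Windows layouts.

```c
#include <stddef.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* NtCreateFile, IO_STATUS_BLOCK; link with ntdll.lib */
#else
/* Stand-in typedefs (assumption): mirror the Windows layouts so the size and
 * length logic below can be compiled and checked on other platforms. */
typedef uint16_t WCHAR, USHORT;
typedef uint32_t ULONG;
typedef struct { USHORT Length, MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
typedef struct { union { int32_t Status; void *Pointer; }; uintptr_t Information; } IO_STATUS_BLOCK;
typedef struct { unsigned char ObjectId[16], ExtendedInfo[48]; } FILE_OBJECTID_BUFFER;
#endif

/* Describe the 16-byte object ID as a counted byte string. Buffer gets the
 * address itself; a (WCHAR) cast would keep only the low 16 bits of it. */
int object_id_name(UNICODE_STRING *name, FILE_OBJECTID_BUFFER *id)
{
    if (name == NULL || id == NULL) return -1;
    name->Buffer = (WCHAR *)(void *)id->ObjectId;
    name->Length = (USHORT)sizeof id->ObjectId;        /* bytes, no terminator */
    name->MaximumLength = (USHORT)sizeof id->ObjectId;
    return 0;
}

/* Bytes by which ULONG iosb[2] is smaller than IO_STATUS_BLOCK: 8 on 64-bit
 * builds (Information is pointer-sized), 0 on 32-bit builds. */
size_t iosb_shortfall(void)
{
    return sizeof(IO_STATUS_BLOCK) - sizeof(ULONG[2]);
}

#ifdef _WIN32
/* The call from the thread with both corrections. `access` is left to the
 * caller; the thread used GENERIC_ALL. */
NTSTATUS open_by_object_id(HANDLE volume, FILE_OBJECTID_BUFFER *id,
                           ACCESS_MASK access, HANDLE *out)
{
    UNICODE_STRING name;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iosb = {0};
    if (object_id_name(&name, id) != 0) return (NTSTATUS)0xC000000DL; /* STATUS_INVALID_PARAMETER */
    InitializeObjectAttributes(&oa, &name, OBJ_CASE_INSENSITIVE, volume, NULL);
    return NtCreateFile(out, access, &oa, &iosb, NULL, FILE_ATTRIBUTE_NORMAL,
                        FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN,
                        FILE_OPEN_BY_FILE_ID | FILE_NON_DIRECTORY_FILE, NULL, 0);
}
#endif
```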