ADS in a mini-filter?

Hi, all. I must be missing something so simple here, but I can’t see
what…
Say I want to open an ADS from a mini-filter with FltCreateFile… is
??\C:\Test.dat:ABCD the way to open it? This gives me C0000033
(STATUS_OBJECT_NAME_INVALID) error. Doing more <C:\Test.dat:ABCD sends the same file name, which works…
(RootDirectory is NULL when I call InitializeObjectAttributes)


Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.

Dejan,

I do this all the time and it ‘just works’ for me (just like you specified)

I hate to suggest the obvious to you but…

  1. this isn’t on a FAT drive is it? (your later comments make me doubt this)
  2. You don’t have a length issue in your unicode string (I’ve seen people
    who want to use strlen and don’t take account of the trailing L’\0’)

Rod
Consulting Partner
Steading System Software

“Dejan Maksimovic” wrote in message news:xxxxx@ntfsd…
>
> Hi, all. I must be missing something so simple here, but I can’t see
> what…
> Say I want to open an ADS from a mini-filter with FltCreateFile… is
> ??\C:\Test.dat:ABCD the way to open it? This gives me C0000033
> (STATUS_OBJECT_NAME_INVALID) error. Doing more <C:\Test.dat:ABCD sends the same file name, which works…
> (RootDirectory is NULL when I call InitializeObjectAttributes)
>
> –
> Kind regards, Dejan
> http://www.alfasp.com
> File system audit, security and encryption kits.
>
>
>

> I hate to suggest the obvious to you but…
> 1. this isn’t on a FAT drive is it? (your later comments make me doubt this)

No, it’s NTFS.

> 2. You don’t have a length issue in your unicode string (I’ve seen people
>    who want to use strlen and don’t take account of the trailing L’\0’)

Just checked, the string is valid, ends with ABCD, no trailing
character.


Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.

Dejan,

I just had a moment of doubt - FltMgr sometimes is too smart for its own
good and I have seen it parse valid file names as invalid.

Does it make any difference if you specify the full device name (after all,
it’s going to want to do an IoCreateFileSpecifyDeviceObjectHint and so may
not reparse the ??\c:\ into \Device\HardDiskWhatever)?

Alternatively, does the create work without the ADS specified?

Rod

“Dejan Maksimovic” wrote in message news:xxxxx@ntfsd…
>> I hate to suggest the obvious to you but…
>> 1) this isn’t on a FAT drive is it? (your later comments make me doubt
>> this)
>
> No, it’s NTFS.
>
>> 2) You don’t have a length issue in your unicode string (I’ve seen people
>> who want to use strlen and don’t take account of the trailing L’\0’)
>
> Just checked, the string is valid, ends with ABCD, no trailing
> character.
>
> –
> Kind regards, Dejan
> http://www.alfasp.com
> File system audit, security and encryption kits.
>
>
>

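Is your code similar to this (or does anyone else see something obviously wrong
here):

    UNICODE_STRING    FileName;   /* filled in elsewhere; not shown in this post */
    OBJECT_ATTRIBUTES lpObjAttr;
    IO_STATUS_BLOCK   IoStatus;
    HANDLE            lpHandle;
    NTSTATUS          ntRes;

    /* RootDirectory is NULL, so FileName has to be a fully qualified name. */
    InitializeObjectAttributes(&lpObjAttr,
                               &FileName,
                               OBJ_KERNEL_HANDLE,
                               NULL,    /* RootDirectory */
                               NULL);   /* SecurityDescriptor */
    ntRes = FltCreateFile(FltObjects->Filter,
                          FltObjects->Instance,
                          &lpHandle,
                          GENERIC_READ,
                          &lpObjAttr,
                          &IoStatus,
                          NULL,                   /* AllocationSize */
                          FILE_ATTRIBUTE_NORMAL,
                          0,                      /* ShareAccess */
                          FILE_OPEN,              /* CreateDisposition */
                          0,                      /* CreateOptions */
                          NULL,                   /* EaBuffer */
                          0,                      /* EaLength */
                          IO_IGNORE_SHARE_ACCESS_CHECK);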

Thanks.

Rod Widdowson wrote:

> Dejan,
>
> I do this all the time and it ‘just works’ for me (just like you specified)
>
> > Say I want to open an ADS from a mini-filter with FltCreateFile… is
> > ??\C:\Test.dat:ABCD the way to open it? This gives me C0000033
> > (STATUS_OBJECT_NAME_INVALID) error. Doing more <C:\Test.dat:ABCD sends the same file name, which works…
> > (RootDirectory is NULL when I call InitializeObjectAttributes)


Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.

Hmm, it doesn’t work without the ADS either…

> Does it make any difference if you specify the full device name (after all,
> it’s going to want to do an IoCreateFileSpecifyDeviceObjectHint and so may not
> reparse the ??\c:\ into \Device\HardDiskWhatever)?
> Alternatively, does the create work without the ADS specified?


Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.

Found it! It WAS the trailing NULL (#define STREAM_NAME L"ABCD" -
sizeof(STREAM_NAME) = 5 * sizeof(WCHAR) not 4)
Thanks!

Rod Widdowson wrote:

> Dejan,
>
> I just had a moment of doubt - FltMgr sometimes is too smart for its own
> good and I have seen it parse valid file names as invalid.
>
> Does it make any difference if you specify the full device name (after all,
> it’s going to want to do an IoCreateFileSpecifyDeviceObjectHint and so may
> not reparse the ??\c:\ into \Device\HardDiskWhatever)?
>
> Alternatively, does the create work without the ADS specified?
>
> Rod
>
> “Dejan Maksimovic” wrote in message news:xxxxx@ntfsd…
> >> I hate to suggest the obvious to you but…
> >> 1) this isn’t on a FAT drive is it? (your later comments make me doubt
> >> this)
> >
> > No, it’s NTFS.
> >
> >> 2) You don’t have a length issue in your unicode string (I’ve seen people
> >> who want to use strlen and don’t take account of the trailing L’\0’)
> >
> > Just checked, the string is valid, ends with ABCD, no trailing
> > character.
> >
> > –
> > Kind regards, Dejan
> > http://www.alfasp.com
> > File system audit, security and encryption kits.
> >
> >
> >
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@alfasp.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com


Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.
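
Added example, not part of the original thread: a user-mode C sketch of the defect found above, where `sizeof` on a wide string literal counts the terminator and the extra NUL ends up inside the counted name. `USTR`, `WCH` and the helper functions are hypothetical stand-ins for the kernel's UNICODE_STRING handling, and the file and stream names are constructed sample values.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for UNICODE_STRING (assumption): lengths are BYTE counts. */
typedef uint_least16_t WCH;
typedef struct {
    uint16_t Length;         /* bytes in use, terminator NOT counted */
    uint16_t MaximumLength;  /* bytes available in Buffer */
    WCH     *Buffer;
} USTR;

#define STREAM_NAME u"ABCD"   /* constructed sample, 4 characters */
/* Wrong: sizeof on a literal also counts the terminating NUL (5 chars). */
#define STREAM_LEN_BAD  (sizeof(STREAM_NAME))
/* Right: drop the terminator from the byte count. */
#define STREAM_LEN_GOOD (sizeof(STREAM_NAME) - sizeof(WCH))

/* Append `bytes` bytes of src; returns -1 instead of overflowing the buffer. */
static int ustr_append(USTR *dst, const WCH *src, size_t bytes)
{
    if (dst->Length > dst->MaximumLength) return -1;
    if (bytes > (size_t)(dst->MaximumLength - dst->Length)) return -1;
    memcpy((char *)dst->Buffer + dst->Length, src, bytes);
    dst->Length = (uint16_t)(dst->Length + bytes);
    return 0;
}

/* Pre-create check: even Length, fits the buffer, no NUL in counted region. */
static int ustr_name_is_sane(const USTR *s)
{
    if (s->Length % sizeof(WCH) || s->Length > s->MaximumLength) return 0;
    for (size_t i = 0; i < s->Length / sizeof(WCH); i++)
        if (s->Buffer[i] == 0) return 0;
    return 1;
}

/* Build "<file>:<stream>" using the given byte count for the stream part. */
static int build_stream_name(USTR *out, size_t stream_bytes)
{
    static const WCH file[] = u"\\??\\C:\\Test.dat";
    out->Length = 0;
    if (ustr_append(out, file, sizeof(file) - sizeof(WCH))) return -1;
    if (ustr_append(out, u":", sizeof(WCH))) return -1;
    return ustr_append(out, STREAM_NAME, stream_bytes);
}

int main(void)
{
    WCH buf[64];
    USTR s = { 0, (uint16_t)sizeof(buf), buf };
    build_stream_name(&s, STREAM_LEN_BAD);
    return ustr_name_is_sane(&s);   /* 0: the bad length is rejected */
}
```

A check like `ustr_name_is_sane` is cheap to run in a debug build before any create call that takes a counted name.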

To keep to the topic… Was there a change in Vista that doesn't allow it to use ??\c:\ (or whatever letter)?

In my clean build of Vista, I use a filename that is sent over from user mode in Unicode via FilterSendMessage to do a FltCreate when I need to get an object. Nothing trailing, everything is good, but I will get STATUS_OBJECT_NAME_INVALID as well from it. Now if I send over \Device\HardDiskWhatever without changing the code 1 bit it passes, everything is good.

I did take a look and found a different link called \GLOBAL?? pointing to my DOS letters in the system. Since I was issuing the base paths from user mode, I didn't care since it's just as easy to convert with QueryDosDevice. I looked around the lists to see if anyone else had seen it, but found nothing.