Hi all,
I would like to know whether it is possible to open a file and write data to it in kernel mode. I know that the ZwXxx functions exist, but I cannot open any file :(. Below I show a simple piece of source code that uses these functions, and I ask for any HELP with what is wrong.
HANDLE uchwyt;
OBJECT_ATTRIBUTES Atrybuty;
UNICODE_STRING nazwa;
IO_STATUS_BLOCK blok;
/* "\F" is not a valid C escape sequence, so the backslash must be doubled */
RtlInitUnicodeString(&nazwa, L"C:\\File.txt");
InitializeObjectAttributes(&Atrybuty, &nazwa, OBJ_KERNEL_HANDLE, NULL, NULL);
ZwCreateFile(&uchwyt, FILE_WRITE_DATA, &Atrybuty, &blok, NULL, FILE_ATTRIBUTE_NORMAL,
             FILE_SHARE_WRITE, FILE_OPEN_IF, FILE_NON_DIRECTORY_FILE, NULL, 0);
/* the buffer and the length must describe the same data; sizeof - 1 drops the NUL */
ZwWriteFile(uchwyt, NULL, NULL, NULL, &blok, "Ala ma kota\n", sizeof("Ala ma kota\n") - 1, NULL, NULL);
ZwClose(uchwyt);
Grand merci for any help - THX
Greetings from Poland.
> "Marcin O." wrote in message news:xxxxx@ntdev…
> RtlInitUnicodeString(&nazwa, L"C:\\File.txt");
> InitializeObjectAttributes( &Atrybuty, &nazwa, OBJ_KERNEL_HANDLE, NULL, NULL ) ;
I didn't look very far, but the first thing that's wrong is that you must
use NATIVE NT device names with the native NT APIs. Remember, "C:" is just
a symbolic link that could have different mappings depending on the user.
So, you'll need to either say which name space you mean "C:" in (such as
\Global??) or use the actual native name.
While it's old, you can get a working sample showing how to use the Native
NT API at http://www.osronline.com/article.cfm?id=91 - This is a user-mode
app, but the native NT API code is identical in kernel mode. Be sure you
use ZwXxxx from kernel mode and not NtXxxx - Assuming you want to perform
the operations using your driver's kernel-mode credentials and not those of
the user process in which your driver happens to be running.
If you need to examine the object manager name space to figure out
what a native kernel name is, download our free GOBDIR utility (a GUI object
viewer) from http://www.osronline.com/article.cfm?id=42
HTH,
Peter
OSR
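The fix Peter describes, written out as an added example (this is not code from the thread or from OSR): the poster's snippet with a native NT name under \??\ instead of a bare "C:", a synchronous open so that ZwWriteFile may be called with a NULL ByteOffset, and NTSTATUS checks. It assumes a WDK build, a caller at PASSIVE_LEVEL, and a constructed path and text.

```c
#include <ntddk.h>

/* Append a fixed text buffer to a file from a driver, using a native NT
 * object name rather than the Win32 "C:" alias. Must be called at
 * PASSIVE_LEVEL (DriverEntry, a work item, ...). The path and the text
 * are constructed sample values. */
NTSTATUS WriteTextFileFromKernel(VOID)
{
    /* "\??\" is the object-manager directory holding the DosDevices
     * symbolic links such as "C:"; "\Global??\" names the global one
     * explicitly and is what a driver usually wants. */
    UNICODE_STRING path = RTL_CONSTANT_STRING(L"\\??\\C:\\File.txt");
    static const CHAR text[] = "Ala ma kota\r\n";
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iosb;
    HANDLE handle = NULL;
    NTSTATUS status;

    PAGED_CODE();   /* Zw* file I/O is only legal at PASSIVE_LEVEL */

    /* OBJ_KERNEL_HANDLE keeps the handle out of the current process's
     * handle table; OBJ_CASE_INSENSITIVE matches normal file-name lookup. */
    InitializeObjectAttributes(&oa, &path,
                               OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
                               NULL, NULL);

    /* FILE_SYNCHRONOUS_IO_NONALERT makes the write complete synchronously,
     * which is what allows a NULL ByteOffset below; FILE_APPEND_DATA makes
     * each write go to the end of an existing file instead of offset 0. */
    status = ZwCreateFile(&handle,
                          FILE_APPEND_DATA | SYNCHRONIZE,
                          &oa, &iosb, NULL,
                          FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ,
                          FILE_OPEN_IF,
                          FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL, 0);
    if (!NT_SUCCESS(status)) {
        return status;   /* e.g. STATUS_OBJECT_PATH_NOT_FOUND for a bad name */
    }

    /* sizeof(text) - 1 excludes the terminating NUL so it is not written */
    status = ZwWriteFile(handle, NULL, NULL, NULL, &iosb,
                         (PVOID)text, sizeof(text) - 1, NULL, NULL);

    ZwClose(handle);
    return status;
}
```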
This has been asked very, very often. You could have searched and found
the answer, which Peter kindly provided anyway.
--
If replying by e-mail, please remove "nospam." from the address.
James Antognini
Windows DDK MVP