Hi all,
I wonder if I could determine whether a file should be opened with
GENERIC_WRITE on IRP_MJ_CREATE. I want to avoid running a completion
routine for all IRP_MJ_CREATE calls to determine this.
I tried to figure out what's in
currentIrpStack->Parameters.Create.SecurityContext->DesiredAccess - this
seems to have nothing to do with userspace ACCESS_MASK like
GENERIC_WRITE, GENERIC_READ and so on. Here is what's possible:
- GENERIC_READ | SYNCHRONIZE: 0x00120089
- GENERIC_WRITE | SYNCHRONIZE: 0x00120116
SYNCHRONIZE and READ_CONTROL/ STANDARD_RIGHTS_* can be found in there
but the highest byte is zero.
The information, which mode to use, must be in that IRP, because when the
FS-driver returns, the Flags in the file object are set correctly.
My goal is only to hook on CREATE calls, which are probably followed by
a file modification.
Any hints are welcome,
regards,
Oliver
Oliver Dawid wrote:
I wonder if I could determine whether a file should be opened with
GENERIC_WRITE on IRP_MJ_CREATE. I want to avoid running a completion
routine for all IRP_MJ_CREATE calls to determine this.
I tried to figure out what's in
currentIrpStack->Parameters.Create.SecurityContext->DesiredAccess - this
seems to have nothing to do with userspace ACCESS_MASK like
GENERIC_WRITE, GENERIC_READ and so on. Here is what's possible:
- GENERIC_READ | SYNCHRONIZE: 0x00120089
- GENERIC_WRITE | SYNCHRONIZE: 0x00120116
SYNCHRONIZE and READ_CONTROL/ STANDARD_RIGHTS_* can be found in there
but the highest byte is zero.
Just to complete this here:
I was looking at the wrong places, led by some misinformation I found
with Google.
After some digging in header files and sample code of IFS-Kit I found
the solution in wdm.h, where FILE_WRITE_* and FILE_READ_* are defined.
There are combinations of flags in FILE_GENERIC_READ, FILE_GENERIC_WRITE
and FILE_GENERIC_EXECUTE which seem to be mapped in userspace to
GENERIC_READ, GENERIC_WRITE and GENERIC_EXECUTE.
Unfortunately there is sparse information about IO_STACK_LOCATION and
the inner union parts.
Regards,
Oliver
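
The check discussed in this thread, as an added example that is not part of the original posts: a user-mode C sketch of a pre-create predicate that tests the file-specific bits rather than GENERIC_WRITE. It goes beyond the thread by also looking at the create disposition and FILE_DELETE_ON_CLOSE packed into Parameters.Create.Options; the function name create_may_modify is hypothetical, and the constants are reproduced from wdm.h so the block compiles without the WDK.

```c
#include <stdbool.h>
#include <stdint.h>

/* Values reproduced from wdm.h so this compiles outside the WDK. */
#define FILE_WRITE_DATA       0x00000002u
#define FILE_APPEND_DATA      0x00000004u
#define FILE_WRITE_EA         0x00000010u
#define FILE_WRITE_ATTRIBUTES 0x00000100u
#define DELETE                0x00010000u
#define READ_CONTROL          0x00020000u
#define WRITE_DAC             0x00040000u
#define WRITE_OWNER           0x00080000u
#define SYNCHRONIZE           0x00100000u
#define MAXIMUM_ALLOWED       0x02000000u
#define FILE_GENERIC_WRITE (READ_CONTROL | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | \
                            FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE)

/* Create disposition values (top byte of Parameters.Create.Options). */
#define FILE_SUPERSEDE    0u
#define FILE_OPEN         1u
#define FILE_CREATE       2u
#define FILE_OPEN_IF      3u
#define FILE_OVERWRITE    4u
#define FILE_OVERWRITE_IF 5u
#define FILE_DELETE_ON_CLOSE 0x00001000u   /* in the low 24 option bits */

/* Do not test against FILE_GENERIC_WRITE itself: it shares READ_CONTROL and
 * SYNCHRONIZE with FILE_GENERIC_READ, so a read-only open would match.
 * MAXIMUM_ALLOWED is included as a conservative choice (assumption: the
 * caller may end up with write access once the file system resolves it). */
#define MODIFY_ACCESS (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | \
                       FILE_WRITE_ATTRIBUTES | DELETE | WRITE_DAC |         \
                       WRITE_OWNER | MAXIMUM_ALLOWED)

/* desired_access: Parameters.Create.SecurityContext->DesiredAccess
 * create_options: Parameters.Create.Options (disposition << 24 | options) */
bool create_may_modify(uint32_t desired_access, uint32_t create_options)
{
    uint32_t disposition = (create_options >> 24) & 0xFFu;
    uint32_t options     = create_options & 0x00FFFFFFu;

    if (desired_access & MODIFY_ACCESS)
        return true;                 /* caller asked for a write-type right */
    if (options & FILE_DELETE_ON_CLOSE)
        return true;                 /* file is removed when the handle closes */
    /* Every disposition except a plain open can create, replace or truncate. */
    return disposition != FILE_OPEN;
}
```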