GetFileHandle from filter

OSR_Community_User · December 9, 2010, 2:30am

Hi,

I have a Minifilter which tracks for set of operations on set of files and persist these operations info in a file which is created on system volume. No other component can access these files.

Now When my user mode application wants to read these entries it can’t open a file as opening a file is blocked.

So am trying to send an IOCTL to filter and trying to get handle to that file but this handle is invalid to user mode app.

How can i convert this handle opened by filter usable to user mode.

Thanks…

OSR_Community_User · December 9, 2010, 6:51am

> So am trying to send an IOCTL to filter and trying to get handle to that file but this handle is invalid to

user mode app.

Have you tried ObOpenObjectByPointer with correct parameters?

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Bronislav_Gabrhelik · December 9, 2010, 8:14am

Note also that you must call ObOpenObjectByPointer() in context of user mode process & omit OBJ_KERNEL_HANDLE flag.

Bronislav Gabrhelik

Lyndon_J_Clarke-2 · December 9, 2010, 8:34am

> Now When my user mode application wants to read these entries it can’t

open a file as opening a file is blocked.

First thought, is this a simple FILE_SHARE_ flags, or security
descriptor/context issue?

So am trying to send an IOCTL to filter and trying to get handle to that
file but this handle is invalid to user mode app.

Second thought, if you can send IOCTL to open the file, you can send IOCTL
to retrieve entries from the file?

Good luck, Lyndon

OSR_Community_User · December 13, 2010, 2:14am

Thanks Bronislav,

I am able to retrieve handle to File Object under consideration, but this handle is not working with readfile call. [User mode.]

ObOpenObjectByPointer( pFileObj, 0, NULL, FILE_READ_DATA |FILE_WRITE_DATA,*IoFileObjectType, UserMode, &hFile );

This call works fine and returns handle.

Readfile call always fail with invalid parameter as error code.
I have passed all parameters correctly. Anything that is missing?

>Second thought, if you can send IOCTL to open the file, you can send IOCTL
to retrieve entries from the file?

Lyndon, i can do that but data transfer will be huge.
Instead of that, its always better to pass handle and user mode application can read that data directly.

From: xxxxx@neverfailgroup.com
Subject: Re:[ntfsd] GetFileHandle from filter
Date: Thu, 9 Dec 2010 13:34:56 +0000
To: xxxxx@lists.osr.com

> Now When my user mode application wants to read these entries it can’t
> open a file as opening a file is blocked.

First thought, is this a simple FILE_SHARE_ flags, or security
descriptor/context issue?

> So am trying to send an IOCTL to filter and trying to get handle to that
> file but this handle is invalid to user mode app.

Second thought, if you can send IOCTL to open the file, you can send IOCTL
to retrieve entries from the file?

Good luck, Lyndon

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Bronislav_Gabrhelik · December 13, 2010, 10:39am

It looks like invalid parameter is buffer laying in user mode address space. I would try OBJ_FORCE_ACCESS_CHECK and add SYNCHRONIZE access. You cannot specify CreateOptions with this API, so it is not clear if you can use synchronous or asynchronous read. Try asynchronous read and fill offset in each operation. You know it is not official way, so even if you find a way how it works, it may be broken in future by some security update.

Change your design, so it works always. e.g. IOCTL calls, or communication through pipes, pending IPRs (inverted call)…

Good luck,
Bronislav Gabrhelik

OSR_Community_User · December 14, 2010, 8:10am

I will make design changes to support both approach.

But still user buffer should work as am passing “UserMode” parameter to ObOpenObjectByPointer function.
Is there anything that needs to be taken care?

I have not tried yet with mentioned changes. I will do that as well.

Thank you so much.

Date: Mon, 13 Dec 2010 10:39:24 -0500
From: xxxxx@xythos.com
To: xxxxx@lists.osr.com
Subject: RE:[ntfsd] GetFileHandle from filter

It looks like invalid parameter is buffer laying in user mode address space. I would try OBJ_FORCE_ACCESS_CHECK and add SYNCHRONIZE access. You cannot specify CreateOptions with this API, so it is not clear if you can use synchronous or asynchronous read. Try asynchronous read and fill offset in each operation. You know it is not official way, so even if you find a way how it works, it may be broken in future by some security update.

Change your design, so it works always. e.g. IOCTL calls, or communication through pipes, pending IPRs (inverted call)…

Good luck,
Bronislav Gabrhelik

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · December 15, 2010, 1:51am

I tried with mentioned changes i.e.
ObOpenObjectByPointer( pFileObj, OBJ_FORCE_ACCESS_CHECK, NULL, FILE_READ_DATA | FILE_WRITE_DATA| SYNCHRONIZE,
*IoFileObjectType, UserMode, &hFile );

Modified this call as mentioned but while using this handle with readfile, call return with error as INVALID_HANDLE.

its simple readfile call as
if( !ReadFile(hFile,&Start,sizeof(INFO),&dwRead,&obTemp)) where obTemp is OVERLAPPED structure and its field are set to o as obTemp.Offset = 0;
obTemp.OffsetHigh = 0;

Any idea why its failing?

From: xxxxx@hotmail.com
To: xxxxx@lists.osr.com
Subject: RE: [ntfsd] GetFileHandle from filter
Date: Tue, 14 Dec 2010 18:39:39 +0530

I will make design changes to support both approach.

But still user buffer should work as am passing “UserMode” parameter to ObOpenObjectByPointer function.
Is there anything that needs to be taken care?

I have not tried yet with mentioned changes. I will do that as well.

Thank you so much.

Date: Mon, 13 Dec 2010 10:39:24 -0500
From: xxxxx@xythos.com
To: xxxxx@lists.osr.com
Subject: RE:[ntfsd] GetFileHandle from filter

It looks like invalid parameter is buffer laying in user mode address space. I would try OBJ_FORCE_ACCESS_CHECK and add SYNCHRONIZE access. You cannot specify CreateOptions with this API, so it is not clear if you can use synchronous or asynchronous read. Try asynchronous read and fill offset in each operation. You know it is not official way, so even if you find a way how it works, it may be broken in future by some security update.

Change your design, so it works always. e.g. IOCTL calls, or communication through pipes, pending IPRs (inverted call)…

Good luck,
Bronislav Gabrhelik

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars

(including our new fs mini-filter seminar) visit:

http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

rod_widdowson · December 15, 2010, 5:39am

Are you sure you are in the right process when you call ObOpenObjetByPointer?

What does !handle say after the call to ObOpenObjectByPointer ?
What does it say immediately before the call to ReadFile?

“shashank singh” wrote in message news:xxxxx@ntfsd…
I tried with mentioned changes i.e.
ObOpenObjectByPointer( pFileObj, OBJ_FORCE_ACCESS_CHECK, NULL, FILE_READ_DATA | FILE_WRITE_DATA| SYNCHRONIZE,
*IoFileObjectType, UserMode, &hFile );

Modified this call as mentioned but while using this handle with readfile, call return with error as INVALID_HANDLE.

its simple readfile call as
if( !ReadFile(hFile,&Start,sizeof(INFO),&dwRead,&obTemp)) where obTemp is OVERLAPPED structure and its field are set to o as obTemp.Offset = 0;
obTemp.OffsetHigh = 0;

Any idea why its failing?

--------------------------------------------------------------------------------
From: xxxxx@hotmail.com
To: xxxxx@lists.osr.com
Subject: RE: [ntfsd] GetFileHandle from filter
Date: Tue, 14 Dec 2010 18:39:39 +0530

I will make design changes to support both approach.

But still user buffer should work as am passing “UserMode” parameter to ObOpenObjectByPointer function.
Is there anything that needs to be taken care?

I have not tried yet with mentioned changes. I will do that as well.

Thank you so much.

> Date: Mon, 13 Dec 2010 10:39:24 -0500
> From: xxxxx@xythos.com
> To: xxxxx@lists.osr.com
> Subject: RE:[ntfsd] GetFileHandle from filter
>
> It looks like invalid parameter is buffer laying in user mode address space. I would try OBJ_FORCE_ACCESS_CHECK and add SYNCHRONIZE access. You cannot specify CreateOptions with this API, so it is not clear if you can use synchronous or asynchronous read. Try asynchronous read and fill offset in each operation. You know it is not official way, so even if you find a way how it works, it may be broken in future by some security update.
>
> Change your design, so it works always. e.g. IOCTL calls, or communication through pipes, pending IPRs (inverted call)…
>
> Good luck,
> Bronislav Gabrhelik
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

—
NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Alex_Carp · December 15, 2010, 11:28am

Also… is it possible that you have a 64 bit driver and a 32 bit user app ?

Thanks,

Alex.

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rod Widdowson
Sent: Wednesday, December 15, 2010 2:39 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] GetFileHandle from filter

Are you sure you are in the right process when you call
ObOpenObjetByPointer?

What does !handle say after the call to ObOpenObjectByPointer ?

What does it say immediately before the call to ReadFile?

“shashank singh” wrote in message
news:xxxxx@ntfsd…

I tried with mentioned changes i.e.
ObOpenObjectByPointer( pFileObj, OBJ_FORCE_ACCESS_CHECK, NULL,
FILE_READ_DATA | FILE_WRITE_DATA| SYNCHRONIZE,
*IoFileObjectType, UserMode, &hFile
);

Modified this call as mentioned but while using this handle with readfile,
call return with error as INVALID_HANDLE.

its simple readfile call as
if( !ReadFile(hFile,&Start,sizeof(INFO),&dwRead,&obTemp)) where obTemp is
OVERLAPPED structure and its field are set to o as obTemp.Offset = 0;
obTemp.OffsetHigh = 0;

Any idea why its failing?

_____

From: xxxxx@hotmail.com
To: xxxxx@lists.osr.com
Subject: RE: [ntfsd] GetFileHandle from filter
Date: Tue, 14 Dec 2010 18:39:39 +0530

I will make design changes to support both approach.

But still user buffer should work as am passing “UserMode” parameter to
ObOpenObjectByPointer function.
Is there anything that needs to be taken care?

I have not tried yet with mentioned changes. I will do that as well.

Thank you so much.

> Date: Mon, 13 Dec 2010 10:39:24 -0500
> From: xxxxx@xythos.com
> To: xxxxx@lists.osr.com
> Subject: RE:[ntfsd] GetFileHandle from filter
>
> It looks like invalid parameter is buffer laying in user mode address
space. I would try OBJ_FORCE_ACCESS_CHECK and add SYNCHRONIZE access. You
cannot specify CreateOptions with this API, so it is not clear if you can
use synchronous or asynchronous read. Try asynchronous read and fill offset
in each operation. You know it is not official way, so even if you find a
way how it works, it may be broken in future by some security update.
>
> Change your design, so it works always. e.g. IOCTL calls, or communication
through pipes, pending IPRs (inverted call)…
>
> Good luck,
> Bronislav Gabrhelik
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

—
NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

—
NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · December 16, 2010, 4:01am

Hi,

How can i guarantee that i am in correct process context while calling
ObOpenObjetByPointer?

My UserMode app send request and get handle back, hence it seems that it is in the same context.

>What does it say immediately before the call to ReadFile?
Initially it was saying invalid parameter then after modification [Mentioned in same thread] it says that incorrect handle.

Also this is 32 bit app and drv.

Any idea?
From: xxxxx@steadingsoftware.com
Subject: Re:[ntfsd] GetFileHandle from filter
Date: Wed, 15 Dec 2010 10:38:43 +0000
To: xxxxx@lists.osr.com

Are you sure you are in the right process when you call
ObOpenObjetByPointer?

What does !handle say after the call to ObOpenObjectByPointer ?
What does it say immediately before the call to ReadFile?

“shashank singh” wrote in message
news:xxxxx@ntfsd…

I
tried with mentioned changes i.e.
ObOpenObjectByPointer( pFileObj,
OBJ_FORCE_ACCESS_CHECK, NULL, FILE_READ_DATA | FILE_WRITE_DATA|
SYNCHRONIZE,

*IoFileObjectType, UserMode, &hFile );

Modified this call as
mentioned but while using this handle with readfile, call return with error as
INVALID_HANDLE.

its simple readfile call as
if(
!ReadFile(hFile,&Start,sizeof(INFO),&dwRead,&obTemp)) where obTemp
is OVERLAPPED structure and its field are set to o as obTemp.Offset =
0;
obTemp.OffsetHigh = 0;

Any idea why its
failing?

From: xxxxx@hotmail.com
To: xxxxx@lists.osr.com
Subject: RE:
[ntfsd] GetFileHandle from filter
Date: Tue, 14 Dec 2010 18:39:39
+0530

I will make design changes to support both approach.

But still user
buffer should work as am passing “UserMode” parameter to ObOpenObjectByPointer
function.
Is there anything that needs to be taken care?

I have not
tried yet with mentioned changes. I will do that as well.

Thank you so
much.

> Date: Mon, 13 Dec 2010 10:39:24 -0500
> From:
xxxxx@xythos.com
> To: xxxxx@lists.osr.com
> Subject:
RE:[ntfsd] GetFileHandle from filter
>
> It looks like invalid
parameter is buffer laying in user mode address space. I would try
OBJ_FORCE_ACCESS_CHECK and add SYNCHRONIZE access. You cannot specify
CreateOptions with this API, so it is not clear if you can use synchronous or
asynchronous read. Try asynchronous read and fill offset in each operation. You
know it is not official way, so even if you find a way how it works, it may be
broken in future by some security update.
>
> Change your design,
so it works always. e.g. IOCTL calls, or communication through pipes, pending
IPRs (inverted call)…
>
> Good luck,
> Bronislav Gabrhelik

>
> —
> NTFSD is sponsored by OSR
>
> For our
schedule of debugging and file system seminars
> (including our new fs
mini-filter seminar) visit:
> http://www.osr.com/seminars
>

> To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

—
NTFSD is
sponsored by OSR

For our schedule of debugging and file system seminars

(including our new fs mini-filter seminar) visit:

http://www.osr.com/seminars

To unsubscribe, visit the List Server
section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

—

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars

(including our new fs mini-filter seminar) visit:

http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Bronislav_Gabrhelik · December 16, 2010, 8:36am

>How can i guarantee that i am in correct process

FSF shouldn’t change caller context of FSD: see “Dispatch Routine IRQL and Thread Context” in MSDN, so supposing that IRP_MJ_CONTROL is guaranteed to be called in nonarbitrary context. Furthermore if you use METHOD_NEITHER type of IOCLT, you must be at process context, because buffers are in user mode adress space.

Alex:>Also… is it possible that you have a 64 bit driver and a 32 bit user app ?
More clearly. Isn’t your app running under WOW64? Handles can be somehow emulated. Handle is typedef void*, so it has different size for 32/64 bitplatform.

Regarding my advice to use async read.:
You are getting handle from existing FILE_OBJECT. I realized that it depends on original IRP_MJ_CREATE which created the given file object if you should use synchronous or asynchronous API. (flags FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT). These flags say if file has maintained current possition or not. You are forced to use async API in the case they are not specified, as WIN32 API doesn’t allow you specify offset for synchronous read, you read at current possition. Check (FileObject->Flags & FO_SYNCHRONOUS_IO).

Good luck!
Bronislav Gabrhelik

rod_widdowson · December 17, 2010, 5:07am

> How can i guarantee that i am in correct process context while calling ObOpenObjetByPointer?

If this you are calling ObOpenObjetByPointer in the context of an ioctl that only your filter understand you should be set. If this can happen in arbitrary context you need to consider KeStackAttachProcess.

>What does it say immediately before the call to ReadFile?
What I meant was – look at the parameter in the debugger to make sure that it is the same value that you returned, and more importantly to see if windbg believes that it is valid.

If Windbg believes that the handle is valid, but Win32 doesn’t I guess I might experiment with NtReadFile (to establish whether Win32 is involved) and at that stage I would start single stepping through either Win32 or the kernel… Sorry…

“shashank singh” wrote in message news:xxxxx@ntfsd…

Hi,

How can i guarantee that i am in correct process context while calling ObOpenObjetByPointer?

My UserMode app send request and get handle back, hence it seems that it is in the same context.

>>What does it say immediately before the call to ReadFile?
Initially it was saying invalid parameter then after modification [Mentioned in same thread] it says that incorrect handle.

Also this is 32 bit app and drv.

Any idea?

--------------------------------------------------------------------------------
From: xxxxx@steadingsoftware.com
Subject: Re:[ntfsd] GetFileHandle from filter
Date: Wed, 15 Dec 2010 10:38:43 +0000
To: xxxxx@lists.osr.com

Are you sure you are in the right process when you call ObOpenObjetByPointer?

What does !handle say after the call to ObOpenObjectByPointer ?
What does it say immediately before the call to ReadFile?

“shashank singh” wrote in message news:xxxxx@ntfsd…
I tried with mentioned changes i.e.
ObOpenObjectByPointer( pFileObj, OBJ_FORCE_ACCESS_CHECK, NULL, FILE_READ_DATA | FILE_WRITE_DATA| SYNCHRONIZE,
*IoFileObjectType, UserMode, &hFile );

Modified this call as mentioned but while using this handle with readfile, call return with error as INVALID_HANDLE.

its simple readfile call as
if( !ReadFile(hFile,&Start,sizeof(INFO),&dwRead,&obTemp)) where obTemp is OVERLAPPED structure and its field are set to o as obTemp.Offset = 0;
obTemp.OffsetHigh = 0;

Any idea why its failing?

--------------------------------------------------------------------------------
From: xxxxx@hotmail.com
To: xxxxx@lists.osr.com
Subject: RE: [ntfsd] GetFileHandle from filter
Date: Tue, 14 Dec 2010 18:39:39 +0530

I will make design changes to support both approach.

But still user buffer should work as am passing “UserMode” parameter to ObOpenObjectByPointer function.
Is there anything that needs to be taken care?

I have not tried yet with mentioned changes. I will do that as well.

Thank you so much.

> Date: Mon, 13 Dec 2010 10:39:24 -0500
> From: xxxxx@xythos.com
> To: xxxxx@lists.osr.com
> Subject: RE:[ntfsd] GetFileHandle from filter
>
> It looks like invalid parameter is buffer laying in user mode address space. I would try OBJ_FORCE_ACCESS_CHECK and add SYNCHRONIZE access. You cannot specify CreateOptions with this API, so it is not clear if you can use synchronous or asynchronous read. Try asynchronous read and fill offset in each operation. You know it is not official way, so even if you find a way how it works, it may be broken in future by some security update.
>
> Change your design, so it works always. e.g. IOCTL calls, or communication through pipes, pending IPRs (inverted call)…
>
> Good luck,
> Bronislav Gabrhelik
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

—
NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

—
NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · December 20, 2010, 7:06am

Thanks all.

Yes it is ioctl
that only my filter understand.

I verified handle returned by ObOpenObjetByPointer in windbg and it looks similar while calling user mode Readfile.

Anything else that needs to be considered?

From: xxxxx@steadingsoftware.com
Subject: Re:[ntfsd] GetFileHandle from filter
Date: Fri, 17 Dec 2010 10:07:10 +0000
To: xxxxx@lists.osr.com

How
can i guarantee that i am in correct process context while calling
ObOpenObjetByPointer?

If this you are calling ObOpenObjetByPointer in the context of an ioctl
that only your filter understand you should be set. If this can happen in
arbitrary context you need to consider KeStackAttachProcess.

>What does it say immediately before the call to ReadFile?
What I meant was ? look at the parameter in the debugger to make sure
that it is the same value that you returned, and more importantly to see if
windbg believes that it is valid.

If Windbg believes that the handle is valid, but Win32 doesn?t I guess I
might experiment with NtReadFile (to establish whether Win32 is involved) and at
that stage I would start single stepping through either Win32 or the
kernel… Sorry…

“shashank singh” wrote in message
news:xxxxx@ntfsd…

Hi,

How
can i guarantee that i am in correct process context while calling
ObOpenObjetByPointer?

My UserMode app send request and get handle back,
hence it seems that it is in the same context.

>>What does it say
immediately before the call to ReadFile?
Initially it was saying invalid
parameter then after modification [Mentioned in same thread] it says that
incorrect handle.

Also this is 32 bit app and drv.

Any idea?

From: xxxxx@steadingsoftware.com
Subject: Re:[ntfsd] GetFileHandle from
filter
Date: Wed, 15 Dec 2010 10:38:43 +0000
To:
xxxxx@lists.osr.com

Are you sure you are in the right process when you call
ObOpenObjetByPointer?

What does !handle say after the call to ObOpenObjectByPointer ?
What does it say immediately before the call to ReadFile?

“shashank singh” wrote in message
news:xxxxx@ntfsd…

I
tried with mentioned changes i.e.
ObOpenObjectByPointer( pFileObj,
OBJ_FORCE_ACCESS_CHECK, NULL, FILE_READ_DATA | FILE_WRITE_DATA|
SYNCHRONIZE,

*IoFileObjectType, UserMode, &hFile );

Modified this call as
mentioned but while using this handle with readfile, call return with error as
INVALID_HANDLE.

its simple readfile call as
if(
!ReadFile(hFile,&Start,sizeof(INFO),&dwRead,&obTemp)) where obTemp
is OVERLAPPED structure and its field are set to o as obTemp.Offset =
0;
obTemp.OffsetHigh = 0;

Any idea why its
failing?

From: xxxxx@hotmail.com
To: xxxxx@lists.osr.com
Subject: RE:
[ntfsd] GetFileHandle from filter
Date: Tue, 14 Dec 2010 18:39:39
+0530

I will make design changes to support both approach.

But still user
buffer should work as am passing “UserMode” parameter to ObOpenObjectByPointer
function.
Is there anything that needs to be taken care?

I have not
tried yet with mentioned changes. I will do that as well.

Thank you so
much.

> Date: Mon, 13 Dec 2010 10:39:24 -0500
> From:
xxxxx@xythos.com
> To: xxxxx@lists.osr.com
> Subject:
RE:[ntfsd] GetFileHandle from filter
>
> It looks like invalid
parameter is buffer laying in user mode address space. I would try
OBJ_FORCE_ACCESS_CHECK and add SYNCHRONIZE access. You cannot specify
CreateOptions with this API, so it is not clear if you can use synchronous or
asynchronous read. Try asynchronous read and fill offset in each operation. You
know it is not official way, so even if you find a way how it works, it may be
broken in future by some security update.
>
> Change your design,
so it works always. e.g. IOCTL calls, or communication through pipes, pending
IPRs (inverted call)…
>
> Good luck,
> Bronislav Gabrhelik

>
> —
> NTFSD is sponsored by OSR
>
> For our
schedule of debugging and file system seminars
> (including our new fs
mini-filter seminar) visit:
> http://www.osr.com/seminars
>

> To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

—
NTFSD is
sponsored by OSR

For our schedule of debugging and file system seminars

(including our new fs mini-filter seminar) visit:

http://www.osr.com/seminars

To unsubscribe, visit the List Server
section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

—
NTFSD is sponsored by OSR

For our
schedule of debugging and file system seminars
(including our new fs
mini-filter seminar) visit:
http://www.osr.com/seminars

To
unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

—

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars

(including our new fs mini-filter seminar) visit:

http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer