Getting a handle to a file in system32\drivers directory

I’m having to read a binary file that is currently being installed with my KMDF driver. I’ve done some searching, but am not finding the information/examples for using ZwOpenFile. Oney’s WDM book doesn’t have much info on the Zw… functions. I’ll dig some more through Windows Internals as well.

The issue I am having is that ZwOpenFile is failing with 0xC0000034 (STATUS_OBJECT_NAME_NOT_FOUND).

I believe I need something in the format of: L"\??\C:\WINDOWS\system32\drivers\", so my code would look something like:

UNICODE_STRING fileName;
OBJECT_ATTRIBUTES objectAttributes;
HANDLE fileHandle = NULL;
IO_STATUS_BLOCK iosb;
NTSTATUS status;

/* Backslashes inside a C string literal have to be doubled. */
RtlInitUnicodeString(&fileName, L"\\??\\C:\\WINDOWS\\system32\\drivers\\");

InitializeObjectAttributes(&objectAttributes,
                           &fileName,
                           (OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE),
                           NULL,
                           NULL);

status = ZwOpenFile(&fileHandle,
                    GENERIC_READ | SYNCHRONIZE,
                    &objectAttributes,
                    &iosb,
                    FILE_SHARE_READ,
                    FILE_NON_DIRECTORY_FILE);

So my question is, how do I go about implementing a kernel version of GetSystemDirectory and appending “drivers” to it?

Using Sysinternals winobj.exe, I can find the symbolic link for the C drive as \Device\HarddiskVolume1. Not sure if I want to temporarily hack that into my driver. What is a good way of going about this?

Your path is wrong, try L"\SystemRoot\system32\drivers\"

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Sunday, December 15, 2013 4:15 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Getting a handle to a file in system32\drivers directory

NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

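The question above asks for a kernel-side way to name a file under the drivers directory, and the reply settles it with the \SystemRoot prefix. The following is an added example, not code from the thread; it models the part that can run outside the kernel: building "\SystemRoot\system32\drivers\<name>" as UTF-16 and filling a UNICODE_STRING-shaped struct with the byte lengths RtlInitUnicodeString would produce (Length excludes the NUL, both fields are byte counts). NT_UNICODE_STRING, WCHAR16, is_plain_file_name and build_driver_file_path are stand-ins defined here, not WDK API; ASCII-only names are assumed. The name check is the part worth keeping in a real driver: a file name that arrives from a registry value or an IOCTL must not be able to carry a separator and open something outside the directory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-in for the kernel's UNICODE_STRING. The rules it models are
 * the real ones: Length and MaximumLength are BYTE counts, and Length
 * excludes the terminating NUL (which is what RtlInitUnicodeString computes
 * from a literal). WCHAR is modelled as uint16_t so this compiles without
 * the WDK headers. */
typedef uint16_t WCHAR16;
typedef struct {
    uint16_t Length;        /* bytes in use, terminator not counted */
    uint16_t MaximumLength; /* bytes available in Buffer            */
    WCHAR16 *Buffer;
} NT_UNICODE_STRING;

/* The directory the thread settles on: \SystemRoot is resolved by the object
 * manager to the Windows directory, so no drive letter or \??\ prefix is
 * needed. As a C literal every backslash is doubled. */
static const char DRIVERS_DIR[] = "\\SystemRoot\\system32\\drivers\\";

/* Accept only a bare file name. A name taken from a registry value or an
 * IOCTL buffer must not be able to leave the drivers directory. */
static int is_plain_file_name(const char *name)
{
    if (name == NULL || name[0] == '\0') return 0;
    if (strpbrk(name, "\\/:") != NULL) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* Build "\SystemRoot\system32\drivers\<name>" as UTF-16 into buf (capacity
 * buf_chars code units) and fill *out with correct byte lengths. Names are
 * assumed ASCII here (constructed simplification). Returns 1 on success,
 * 0 if the name is rejected or the result does not fit. */
static int build_driver_file_path(const char *name, WCHAR16 *buf,
                                  size_t buf_chars, NT_UNICODE_STRING *out)
{
    if (!is_plain_file_name(name)) return 0;
    size_t dir_len = strlen(DRIVERS_DIR);
    size_t name_len = strlen(name);
    size_t total = dir_len + name_len;                     /* code units, no NUL */
    if (total + 1 > buf_chars) return 0;                    /* room for terminator */
    if ((total + 1) * sizeof(WCHAR16) > 0xFFFF) return 0;   /* USHORT fields */
    for (size_t i = 0; i < dir_len; i++)
        buf[i] = (WCHAR16)(unsigned char)DRIVERS_DIR[i];
    for (size_t i = 0; i < name_len; i++)
        buf[dir_len + i] = (WCHAR16)(unsigned char)name[i];
    buf[total] = 0;
    out->Buffer = buf;
    out->Length = (uint16_t)(total * sizeof(WCHAR16));
    out->MaximumLength = (uint16_t)((total + 1) * sizeof(WCHAR16));
    return 1;
}

int main(void)
{
    WCHAR16 buf[64];
    NT_UNICODE_STRING path;
    if (build_driver_file_path("mydriver.sys", buf, 64, &path))
        printf("Length=%u bytes, MaximumLength=%u bytes\n",
               path.Length, path.MaximumLength);
    return 0;
}
```

In the driver itself the resulting UNICODE_STRING (the real one, from ntddk.h) goes into InitializeObjectAttributes exactly as in the snippet above, with OBJ_KERNEL_HANDLE kept so the handle cannot be reached from user mode.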

Don,

That did the trick! Now, last question for this. To determine the size, I’m using ZwQueryInformationFile:

IO_STATUS_BLOCK iosb;
HANDLE fileHandle = NULL;
FILE_END_OF_FILE_INFORMATION fileInfo = { 0 };
NTSTATUS status;

status = ZwQueryInformationFile(fileHandle,
                                &iosb,
                                (PVOID)&fileInfo,
                                sizeof(fileInfo),
                                FileEndOfFileInformation);

I thought that using the end of file (the next free byte) would give me the length. What is a correct way? I just want to know how many bytes, of course, before I read. I'll be reading 64KB at a time, so I'll do the appropriate bookkeeping.

Yes, it should do the trick.

Remember that you never need to cast a pointer to PVOID.

The code snippet I provided unfortunately doesn’t work. I’ll remove the cast.

Sorry, EndOfFileInformation is for ZwSetFileInformation.

For query, use FileStandardInformation.

That did the trick. Thanks!

Why don’t you use \SystemRoot for the purpose? I.e. you are interested
in \SystemRoot\system32\drivers … I trust you can add the escape
backslashes yourself.

The behavior of ?? depends on the system version. In newer systems with
terminal services you’ll likely want \GLOBAL?? instead. Or \SystemRoot :wink:

Side-note: the WDK documents the function ZwOpenFile().

// Oliver

On 2013-12-15 21:15, xxxxx@gmail.com wrote:
