Is it possible to read a file from a network share in kernel mode?

And if yes, what is the correct syntax for ZwOpenFile?

Thank you.

Without a lot of work your kernel thread will not have the correct
permissions to read a network file. You should generally avoid doing
this. Open the file from user mode instead.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Tuesday, August 14, 2007 10:22 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Is it possible to read a file from a network share in
kernel mode?

And if yes, what is the correct syntax for ZwOpenFile?

Thank you.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

User mode is not a viable option for now.

I found this thread which seems to be of help http://www.osronline.com/showThread.cfm?link=45076

But my second question still remains: what is the correct syntax for ZwOpenFile? I have tried ??\\computername\share\path_to_file, ??\computername\share\path_to_file, \computername\share\path_to_file but they all return “Invalid object name” or “Path not found”. I’m thinking that I should get an “Access denied” error.

Try \Device\LanManRedirector\Server\Share\path

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of xxxxx@yahoo.com
Sent: Tuesday, August 14, 2007 4:43 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Is it possible to read a file from a network share in
kernel mode?

User mode is not a viable option for now.

I found this thread which seems to be of help
http://www.osronline.com/showThread.cfm?link=45076

But my second question still remains: what is the correct syntax for
ZwOpenFile? I have tried ??\\computername\share\path_to_file,
??\computername\share\path_to_file, \computername\share\path_to_file but
they all return “Invalid object name” or “Path not found”. I’m thinking that
I should get an “Access denied” error.



I am reading a file through a share. I do this in a workitem, which is running as “Local System”. NTLM’s impersonation won’t work for multiple hops. This is why I want to get a token for “Network Service”.

Anyway, the UNC syntax is \??\UNC\<server name>\<share name>\… This will go through the MPR and end up in the correct provider. I have done this with NT shares and DFS shares. I have not tested WebDAV.

As Mark Roddy already pointed out, you cannot just open a network share
from the kernel, a workitem is running in the local system account which
will not have access to a remote system. Do this in user space, or expect
to do a lot of code to make this work purely in the kernel.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

wrote in message news:xxxxx@ntdev…
>I am reading a file through a share. I do this in a workitem, which is
>running as “Local System”. NTLM’s impersonation won’t work for multiple
>hops. This is why I want to get a token for “Network Service”.
>
> Anyway, the UNC syntax is \??\UNC\<server name>\<share name>\… This
> will go through the MPR and end up in the correct provider. I have done
> this with NT shares and DFS shares. I have not tested WebDAV.
>

A little impersonation is not that much work. Unfortunately, operations that come in through srv are already impersonation tokens so impersonation does not work in this case.

Does part of the “a lot of code” consist of getting a token for “Network Service”?

I call SeCreateClientSecurity in the original user-request thread, SeImpersonateClientEx in my work-item, I read the file using the \??\UNC\<server name>\<share name>\ syntax, call PsRevertToSelf and SeDeleteClientSecurity. From now everything seems to work fine.

Am I missing something? What was that complicated?

Nothing as long as you have an original user request thread. The
requirement appeared to be ‘do this without any user mode interaction’,
which would be difficult. Also the security interfaces are almost
undocumented in the WDK, so you have to translate from SDK to WDK and
apply the appropriate magic decoder ring.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Wednesday, August 15, 2007 11:33 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Is it possible to read a file from a network share
in kernel mode?

I call SeCreateClientSecurity in the original user-request thread,
SeImpersonateClientEx in my work-item, I read the file using the
\??\UNC\<server name>\<share name>\ syntax, call PsRevertToSelf and
SeDeleteClientSecurity. From now everything seems to work fine.

Am I missing something? What was that complicated?



Just note that if the thread that you get the security context from is already an impersonation token, you will not be able to impersonate again (unless it is still on the originating machine?). This is due to the challenge/response authentication of NTLM. Kerberos is a different beast. The point is that if the thread you get the security context from is the server service handling access through a share (as would happen on a file server), your remote access to another share on another machine will most likely fail.

This is why I want to get a security context for the Network Service account. The session exists while the OS is running, so I know it is there. I guess I need to get some cracker-jacks and hope for a decoder ring. Translating from the SDK is a good idea. The SCM must be able to get the token for Network Service.

Run a service that has credentials and runs in a context other than LocalSystem. Set up an IOCTL in your driver that accepts a call from this service and spawns a thread. This thread will have a user context - and if that user context has viable permissions on the target system, you will be able to access shares on that remote system.

I don’t recall why, but the dev wishes to avoid user mode completely.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@VirtualIron.com
Sent: Wednesday, August 15, 2007 23:48
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Is it possible to read a file from a network share
in kernel mode?

Run a service that has credentials and runs in a context other than
LocalSystem. Set up an IOCTL in your driver that accepts a call from
this service and spawns a thread. This thread will have a user context
- and if that user context has viable permissions on the target system,
you will be able to access shares on that remote system.


never did user context in a kernel without a user thread there to set the context… after that it was as simple as using UNC names for network access from whatever user mode application…

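#include <stdio.h>   /* _snprintf */
#include <string.h>  /* strnicmp, strcpy */

/* Converts a Win32 path in place to an NT object-manager path.
   szPath must point to a buffer of at least VCD_PATH_LENGTH chars;
   a result that does not fit is truncated. */
void VCD_ConvertPathToZwPath(char* szPath)
{
    char szTempPath[VCD_PATH_LENGTH];

    if (!strnicmp(szPath, "\\\\", 2))
        /* UNC path: \\server\share -> \Device\Mup\server\share */
        _snprintf(szTempPath, VCD_PATH_LENGTH, "\\Device\\Mup%s", szPath + 1);
    else
        /* Local path: C:\dir -> \??\C:\dir */
        _snprintf(szTempPath, VCD_PATH_LENGTH, "\\??\\%s", szPath);
    szTempPath[VCD_PATH_LENGTH - 1] = '\0';  /* _snprintf does not terminate on truncation */

    strcpy(szPath, szTempPath);
}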
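
An added example, not code from any poster in this thread: a bounds-checked conversion from a Win32 path to the NT object-manager form discussed above (`\??\UNC\<server name>\<share name>\` for shares, `\??\` plus the drive path otherwise). The function name `win32_to_nt_path` and the `NTPATH_*` codes are hypothetical, and it works on narrow strings in portable C so it can be exercised outside a driver; a driver would apply the same checks to the wide string it places in a UNICODE_STRING.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example; names and return codes are hypothetical. */
enum { NTPATH_OK = 0, NTPATH_BAD_INPUT = -1, NTPATH_TOO_LONG = -2 };

static int is_sep(char c) { return c == '\\' || c == '/'; }

/* Map a Win32 path to the NT form used in OBJECT_ATTRIBUTES:
 *   \\server\share\file  ->  \??\UNC\server\share\file
 *   C:\dir\file          ->  \??\C:\dir\file
 * Writes to a separate, size-checked buffer and fails instead of
 * truncating, because a truncated path can name a different file. */
int win32_to_nt_path(const char *in, char *out, size_t out_len)
{
    const char *prefix, *rest;
    int n;

    if (in == NULL || out == NULL || out_len == 0)
        return NTPATH_BAD_INPUT;
    out[0] = '\0';

    if (is_sep(in[0]) && is_sep(in[1])) {
        const char *server = in + 2;
        size_t slen = strcspn(server, "\\/");
        /* Need a server and a share; \\?\ and \\.\ are not UNC shares. */
        if (slen == 0 || (slen == 1 && (server[0] == '?' || server[0] == '.')) ||
            server[slen] == '\0' || server[slen + 1] == '\0' || is_sep(server[slen + 1]))
            return NTPATH_BAD_INPUT;
        prefix = "\\??\\UNC\\";
        rest = server;
    } else if (isalpha((unsigned char)in[0]) && in[1] == ':' && is_sep(in[2])) {
        prefix = "\\??\\";
        rest = in;
    } else {
        /* Relative paths: kernel code has no current directory to use. */
        return NTPATH_BAD_INPUT;
    }

    n = snprintf(out, out_len, "%s%s", prefix, rest);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return NTPATH_TOO_LONG;
    }
    for (char *p = out; *p; ++p)   /* NT paths use backslashes only */
        if (*p == '/') *p = '\\';
    return NTPATH_OK;
}
```
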

I agree totally. I don’t remember what the dev’s reason was, but I would
have to have a really compelling one to undertake exploring the kernel
mode only option.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@VirtualIron.com
Sent: Thursday, August 16, 2007 00:27
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Is it possible to read a file from a network share
in kernel mode?

never did user context in a kernel without a user thread there to set
the context… after that it was as simple as using UNC names for
network access from whatever user mode application…

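#include <stdio.h>   /* _snprintf */
#include <string.h>  /* strnicmp, strcpy */

/* Converts a Win32 path in place to an NT object-manager path.
   szPath must point to a buffer of at least VCD_PATH_LENGTH chars;
   a result that does not fit is truncated. */
void VCD_ConvertPathToZwPath(char* szPath)
{
    char szTempPath[VCD_PATH_LENGTH];

    if (!strnicmp(szPath, "\\\\", 2))
        /* UNC path: \\server\share -> \Device\Mup\server\share */
        _snprintf(szTempPath, VCD_PATH_LENGTH, "\\Device\\Mup%s", szPath + 1);
    else
        /* Local path: C:\dir -> \??\C:\dir */
        _snprintf(szTempPath, VCD_PATH_LENGTH, "\\??\\%s", szPath);
    szTempPath[VCD_PATH_LENGTH - 1] = '\0';  /* _snprintf does not terminate on truncation */

    strcpy(szPath, szTempPath);
}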

