-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
yes, that’s exactly what i’m trying to do now.
I’ve already done read/write/query irp, but i’ve problems issuing my own
create irps.
I’ve found an old post on osr’s site, which describes how to roll create
irps… but that routine is limited
and doesnt seem to work fine (trying on w2k sp2).
I’ve tried to extend that routine to best suite my driver needs, here’s the
code (all credits to the original poster,
can’t remember his name).
Anyway … it bugchecks with invalid address in the IoCallDriver call.
What could be wrong in the code ?
Ciao,
Valerio
kd> !analyze -v
****************************************************************************
***
* *
* Bugcheck Analysis *
* *
****************************************************************************
***
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by
try-except,
it must be protected by a Probe. Typically the address is just plain bad or
it
is pointing at freed memory.
Arguments:
Arg1: e1d3e000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bfef438e, If non-zero, the instruction address which referenced the
bad memory
address.
Arg4: 00000001, (reserved)
Debugging Details:
READ_ADDRESS: e1d3e000 Paged pool
FAULTING_IP:
Ntfs!NtfsFindPrefixHashEntry+75
bfef438e 0fb710 movzx edx,word ptr [eax]
MM_INTERNAL_CODE: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
LAST_CONTROL_TRANSFER: from 8042bef7 to 80455994
STACK_TEXT:
be99b3ec 8042bef7 00000003 be99b434 e1d3e000
nt!RtlpBreakWithStatusInstruction
be99b41c 8042c2bb 00000003 c03874f8 80064b6c nt!KiBugCheckDebugBreak+0x31
be99b7a8 80449b3f 00000000 e1d3e000 00000000 nt!KeBugCheckEx+0x390
be99b7f0 80467cc6 00000000 e1d3e000 00000000 nt!MmAccessFault+0x74e
be99b7f0 bfef438e 00000000 e1d3e000 00000000 nt!KiTrap0E+0xc3
be99b8a4 bfef6043 8129c4e8 81676c38 e1cfc858
Ntfs!NtfsFindPrefixHashEntry+0x75
be99bbc4 bfef8855 8129c4e8 81446008 be99bc24 Ntfs!NtfsCommonCreate+0x1565
be99bc64 8041f61f 81676500 81446008 81412408 Ntfs!NtfsFsdCreate+0x157
be99bc78 be1afafa 00000000 81446174 81676500 nt!IopfCallDriver+0x35
be99bd6c be1c2988 be1c25f0 00000294 c0000000
stealth!ifsutil_CreateFileStealth+0x4aa [g:\stealth\src\util.c @ 811]
be99bda8 80454faf 8143eb30 00000000 00000000
stealth!_drv_InitializeLoge+0x158 [g:\stealth\src\driver.c @ 595]
be99bddc 80468ec2 be1c2830 8143eb30 00000000 nt!PspSystemThreadStartup+0x69
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
What could be wrong ?
NTSTATUS ifsutil_CreateFileStealth (PWCHAR pRelativeFilename,HANDLE
hRootDirectory,
ACCESS_MASK DesiredAccess, ULONG ulCreateOptions, USHORT usShareAccess,
USHORT usAttributes, OUT PHANDLE pOutHandle)
{
PFILE_OBJECT pFileObject = NULL;
PFILE_OBJECT pRootFileObject = NULL;
PIRP Irp = NULL;
PIO_STACK_LOCATION IrpSp = NULL;
IO_STATUS_BLOCK Iosb;
BOOLEAN ObjectReferenced = FALSE;
NTSTATUS Status = STATUS_SUCCESS;
KEVENT Event;
PDEVICE_OBJECT pTopOfStack = NULL;
PDEVICE_OBJECT pTargetDevice = NULL;
PCHAR pAuxData;
ACCESS_STATE AccessState;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_SECURITY_CONTEXT ctx;
HANDLE ObjHandle = NULL;
USHORT FilenameLen;
#if DBG
gIfsStealthEnabled = FALSE; // for debug
#endif
// we actually need a handle to a root directory if we need to send our own
// Create irp, and Filename must be relative to this root.
// This is to ease coding of this routine 
//
// It works this way : we absolutely need a target device object, and
// if we’re passed an handle to an already existing object, we can obtain
it.
// if we aren’t, well… we would need to browse the whole pathname
(including
// symbolic links) until we obtain an existing fileobject (i.e. the drive
root).
// That’s exactly how the nt executive implements zwCreateFile, and its a
pain
// in the ass to code
//
(!hRootDirectory)
{
DebugPrint ((“%s Missing root directory handle for Create IRP.\n”, MODULE));
Status = STATUS_UNSUCCESSFUL;
goto __exit;
}
// get root fileobject, pFilename must be relative to this root
ObReferenceObjectByHandle(hRootDirectory, FILE_ANY_ACCESS, NULL, KernelMode,
&pRootFileObject,NULL);
// get highest and lowest stack devices for this initial fileobject
pTopOfStack = IoGetRelatedDeviceObject(pRootFileObject);
pTargetDevice = IoGetBaseFileSystemDeviceObject(pRootFileObject);
//initialize an event and an IRP to send to the fsd
KeInitializeEvent(&Event, SynchronizationEvent, FALSE);
// allocate our own irp
Irp = IoAllocateIrp(pTopOfStack->StackSize, FALSE);
if (!Irp)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
DebugPrint ((“%s Cannot allocate Create IRP.\n”, MODULE));
goto __exit;
}
// initialize empty object attributes
InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_CASE_INSENSITIVE,
NULL, NULL);
// create a file object for the irp
Status = ObCreateObject(KernelMode, *IoFileObjectType,
&ObjectAttributes, KernelMode, 0, sizeof(FILE_OBJECT), 0, 0, &pFileObject);
if (!NT_SUCCESS (Status))
{
DebugPrint ((“%s Cannot create object for Create IRP.\n”, MODULE));
goto __exit;
}
//initialize the file object
RtlZeroMemory(pFileObject, sizeof(FILE_OBJECT));
pFileObject->Type = IO_TYPE_FILE;
pFileObject->Size = sizeof(FILE_OBJECT);
pFileObject->DeviceObject = pTargetDevice;
pFileObject->Flags = FO_SYNCHRONOUS_IO;
pFileObject->RelatedFileObject = pRootFileObject;
//initialize embedded synch objects
KeInitializeEvent(&pFileObject->Lock, SynchronizationEvent, FALSE);
KeInitializeEvent(&pFileObject->Event, NotificationEvent, FALSE);
//copy the file name into the buffer
FilenameLen = wcslen(pRelativeFilename);
pFileObject->FileName.Buffer = ExAllocatePool(NonPagedPool,FilenameLen+1);
if (pFileObject->FileName.Buffer == NULL)
{
DebugPrint ((“%s Cannot allocate memory for Create IRP.\n”, MODULE));
Status = STATUS_INSUFFICIENT_RESOURCES;
goto __exit;
}
pFileObject->FileName.MaximumLength = FilenameLen;
pFileObject->FileName.Length = FilenameLen;
wcscpy(pFileObject->FileName.Buffer,pRelativeFilename);
//setup the irp
Irp->UserIosb = &Iosb;
Irp->Tail.Overlay.Thread = KeGetCurrentThread();
Irp->Tail.Overlay.OriginalFileObject = pFileObject;
Irp->RequestorMode = KernelMode;
Irp->Flags = IRP_CREATE_OPERATION | IRP_SYNCHRONOUS_API;
Irp->MdlAddress = NULL;
Irp->PendingReturned = FALSE;
Irp->Cancel = FALSE;
Irp->CancelRoutine = NULL;
Irp->Tail.Overlay.AuxiliaryBuffer = NULL;
//Set up the I/O stack location.
IrpSp = IoGetNextIrpStackLocation(Irp);
IrpSp->MajorFunction = IRP_MJ_CREATE;
IrpSp->DeviceObject = pTargetDevice;
IrpSp->FileObject = pFileObject;
// allocate memory for access state
// 1024 just for testing, need to be fixed using lookaside lists
pAuxData = ExAllocatePool(NonPagedPool, 1024);
if (pAuxData == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto __exit;
}
memset(pAuxData, 0, 1024);
Status = SeCreateAccessState(&AccessState, pAuxData, DesiredAccess,
IoGetFileObjectGenericMapping());
if (!NT_SUCCESS (Status))
{
DebugPrint ((“%s Cannot allocate memory for Create IRP.\n”, MODULE));
goto __exit;
}
//fill out the create’s security context
ctx.AccessState = &AccessState;
ctx.DesiredAccess = DesiredAccess;
ctx.SecurityQos = NULL;
ctx.FullCreateOptions = 0;
//
//NTSTATUS ifsutil_CreateFileStealth (PWCHAR pRelativeFilename,HANDLE
hRootDirectory,
// ACCESS_MASK DesiredAccess, ULONG ulCreateOptions, USHORT usShareAccess,
// USHORT usAttributes, OUT PHANDLE pOutHandle)
//Status = ifsutil_CreateFileStealth (L"vkd.log",
// gBaseDirectoryHandle, GENERIC_READ|GENERIC_WRITE,
// FILE_OPEN_IF, FILE_SHARE_READ|FILE_SHARE_WRITE,FILE_ATTRIBUTE_NORMAL,
&gVkdFileHandle);
//
//fill out the the create parameter
IrpSp->Parameters.Create.SecurityContext = &ctx;
IrpSp->Parameters.Create.Options = ulCreateOptions;
IrpSp->Parameters.Create.FileAttributes = usAttributes;
IrpSp->Parameters.Create.ShareAccess = usShareAccess;
IrpSp->Parameters.Create.EaLength = 0;
//set the completion routine (that will free the irp)
IoSetCompletionRoutine(Irp, util_SetEventCompletionRoutine, &Event, TRUE,
TRUE, TRUE);
IO_FORCE_ACCESS_CHECK
//Send it to the FSD
KdBreakPoint ();
Status = IoCallDriver(pTargetDevice, Irp);
if (Status == STATUS_PENDING)
{
//wait for the io to complete
KeWaitForSingleObject(&Event, Executive, KernelMode, TRUE, 0);
Status = Iosb.Status;
}
// free irp and memory
ExFreePool(pAuxData);
IoFreeIrp (Irp);
DebugPrint ((“%s Own IRP_MJ_CREATE Irp completed with status %.08X.\n”,
MODULE, Status));
__exit:
if (pRootFileObject)
ObDereferenceObject(pRootFileObject);
if (!NT_SUCCESS(Status))
{
if (Irp)
IoFreeIrp(Irp);
if (pFileObject)
{
ExFreePool (pFileObject->FileName.Buffer);
pFileObject->DeviceObject = NULL;
ObDereferenceObject(pFileObject);
}
}
else
{
//Increment Target Device’s reference count.
InterlockedIncrement(&pFileObject->DeviceObject->ReferenceCount);
//Increment Vpb’s reference count, if one exists.
if (pFileObject->Vpb)
InterlockedIncrement(&pFileObject->Vpb->ReferenceCount);
//set the out param
ObOpenObjectByPointer (pFileObject,OBJ_CASE_INSENSITIVE,NULL,
0,NULL,KernelMode,&ObjHandle);
*pOutHandle = ObjHandle;
}
return Status;
}
“Kernel Coder” wrote in message news:xxxxx@ntfsd…
>
> why not just get the file system device object and send your own irps.
>
>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBP4FCkmGxr2U3nc5EEQIPvgCeNwxK9kHb6V9IEvD+YsNNqdN6rMcAnRge
DDOycFDazX9UjX+mLezASxMP
=UQZi
-----END PGP SIGNATURE-----