NtReadFile problem & Direct Write Access detection

NTFSD
1

Hi there!

  1. I have problems reading a text file. I want to read
    it (line by line if possible) and I do this:

PVOID pBuffer;

main (int Argc, char ** Argv )
{
NTSTATUS Status;
UNICODE_STRING UnicodeFilespec;
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE FileHandle;
IO_STATUS_BLOCK Iosb;

RtlInitUnicodeString(&UnicodeFilespec,
L"\DosDevices\C:\Temp\filetoread.txt");

InitializeObjectAttributes(&ObjectAttributes,
&UnicodeFilespec,OBJ_CASE_INSENSITIVE,NULL,NULL );

Status = NtCreateFile(&FileHandle,(GENERIC_READ |
SYNCHRONIZE),&ObjectAttributes,&Iosb,0,0,FILE_SHARE_READ,FILE_OPEN,FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE,NULL,0);

if(!NT_SUCCESS(Iosb.Status) )
{
printf(“CREATE failed with status =
0x%0x\n”,Iosb.Status);
exit(0);
}

Status =
NtReadFile(FileHandle,0,NULL,NULL,&Iosb,(PVOID)pBuffer,sizeof(pBuffer),0,NULL);

if(!NT_SUCCESS(Status) )
{
printf(“NtReadFile request failed 0x%0x\n”, Status);
exit(0);
}

Status = NtClose(FileHandle);

if(!NT_SUCCESS(Status) )
{
printf(“NtClose request failed 0x%0x\n”,
Status);
exit(0);
}

printf(“Read buffer:\n”);
printf(“%s\n”,pBuffer);

exit(1);
}

After successfully opening the file, i get ACCESS
VIOLATION (0xc000005) as return value of NtReadFile.
What’s wrong?

  1. How can i detect (in my file system filter driver)
    and stop an attempt to format the disk (DIRECT DISK
    WRITE ACCESS)? Any ideas or code snippets?

Thank you!

Do You Yahoo!?
Yahoo! Sports - live college hoops coverage
http://sports.yahoo.com/

2

pBuffer has not been initialized to anything! It is probably NULL.
Also sizeof(pBuffer) will yield 4 since the size of a pointer is 4 bytes.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of The Mind Phobia
Sent: Monday, March 18, 2002 4:39 PM
To: File Systems Developers
Subject: [ntfsd] NtReadFile problem & Direct Write Access detection

Hi there!

  1. I have problems reading a text file. I want to read
    it (line by line if possible) and I do this:

PVOID pBuffer;

main (int Argc, char ** Argv )
{
NTSTATUS Status;
UNICODE_STRING UnicodeFilespec;
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE FileHandle;
IO_STATUS_BLOCK Iosb;

RtlInitUnicodeString(&UnicodeFilespec,
L"\DosDevices\C:\Temp\filetoread.txt");

InitializeObjectAttributes(&ObjectAttributes,
&UnicodeFilespec,OBJ_CASE_INSENSITIVE,NULL,NULL );

Status = NtCreateFile(&FileHandle,(GENERIC_READ |
SYNCHRONIZE),&ObjectAttributes,&Iosb,0,0,FILE_SHARE_READ,FILE_OPEN,FILE_SYNC
HRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE,NULL,0);

if(!NT_SUCCESS(Iosb.Status) )
{
printf(“CREATE failed with status =
0x%0x\n”,Iosb.Status);
exit(0);
}

Status =
NtReadFile(FileHandle,0,NULL,NULL,&Iosb,(PVOID)pBuffer,sizeof(pBuffer),0,NUL
L);

if(!NT_SUCCESS(Status) )
{
printf(“NtReadFile request failed 0x%0x\n”, Status);
exit(0);
}

Status = NtClose(FileHandle);

if(!NT_SUCCESS(Status) )
{
printf(“NtClose request failed 0x%0x\n”,
Status);
exit(0);
}

printf(“Read buffer:\n”);
printf(“%s\n”,pBuffer);

exit(1);
}

After successfully opening the file, i get ACCESS
VIOLATION (0xc000005) as return value of NtReadFile.
What’s wrong?

  1. How can i detect (in my file system filter driver)
    and stop an attempt to format the disk (DIRECT DISK
    WRITE ACCESS)? Any ideas or code snippets?

Thank you!

Do You Yahoo!?
Yahoo! Sports - live college hoops coverage
http://sports.yahoo.com/

You are currently subscribed to ntfsd as: xxxxx@legato.com
To unsubscribe send a blank email to %%email.unsub%%

3

  1. can you provide me with a working example? forget
    mine and write a working example. the file i’ll read
    is a configuration file so i need to read it line by
    line. can this be done?

  2. any ideas for preventing format? (DIRECT WRITE
    ACCESS)

thank you.
— Ken Galipeau wrote:
> pBuffer has not been initialized to anything! It is
> probably NULL.
> Also sizeof(pBuffer) will yield 4 since the size of
> a pointer is 4 bytes.
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of
> The Mind Phobia
> Sent: Monday, March 18, 2002 4:39 PM
> To: File Systems Developers
> Subject: [ntfsd] NtReadFile problem & Direct Write
> Access detection
>
>
> Hi there!
>
> ---------------------------------------
> 1. I have problems reading a text file. I want to
> read
> it (line by line if possible) and I do this:
>
> PVOID pBuffer;
>
> main (int Argc, char ** Argv )
> {
> NTSTATUS Status;
> UNICODE_STRING UnicodeFilespec;
> OBJECT_ATTRIBUTES ObjectAttributes;
> HANDLE FileHandle;
> IO_STATUS_BLOCK Iosb;
>
>
> RtlInitUnicodeString(&UnicodeFilespec,
> L"\DosDevices\C:\Temp\filetoread.txt");
>
> InitializeObjectAttributes(&ObjectAttributes,
> &UnicodeFilespec,OBJ_CASE_INSENSITIVE,NULL,NULL );
>
> Status = NtCreateFile(&FileHandle,(GENERIC_READ
> |
>
SYNCHRONIZE),&ObjectAttributes,&Iosb,0,0,FILE_SHARE_READ,FILE_OPEN,FILE_SYNC
> HRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE,NULL,0);
>
> if(!NT_SUCCESS(Iosb.Status) )
> {
> printf(“CREATE failed with status =
> 0x%0x\n”,Iosb.Status);
> exit(0);
> }
>
> Status =
>
NtReadFile(FileHandle,0,NULL,NULL,&Iosb,(PVOID)pBuffer,sizeof(pBuffer),0,NUL
> L);
>
> if(!NT_SUCCESS(Status) )
> {
> printf(“NtReadFile request failed 0x%0x\n”,
> Status);
> exit(0);
> }
>
> Status = NtClose(FileHandle);
>
>
> if(!NT_SUCCESS(Status) )
> {
> printf(“NtClose request failed 0x%0x\n”,
> Status);
> exit(0);
> }
>
> printf(“Read buffer:\n”);
> printf(“%s\n”,pBuffer);
>
> exit(1);
> }
>
> After successfully opening the file, i get ACCESS
> VIOLATION (0xc000005) as return value of NtReadFile.
> What’s wrong?
> -----------------------------------------------
>
> 2. How can i detect (in my file system filter
> driver)
> and stop an attempt to format the disk (DIRECT DISK
> WRITE ACCESS)? Any ideas or code snippets?
>
> Thank you!
>
>
> Do You Yahoo!?
> Yahoo! Sports - live college hoops coverage
> http://sports.yahoo.com/
>
> —
> You are currently subscribed to ntfsd as:
> xxxxx@legato.com
> To unsubscribe send a blank email to %%email.unsub%%
>
>
>
> —
> You are currently subscribed to ntfsd as:
> xxxxx@yahoo.com
> To unsubscribe send a blank email to
%%email.unsub%%
Do You Yahoo!?
Yahoo! Sports - live college hoops coverage
http://sports.yahoo.com/

4

  1. I don’t have a working example. YOu just have to declare the buffer as a
    global or allocate it using ExAllocatePool. As far as reading line by line
    you’ll have to read a block of data into a buffer and scan for the EOL
    characters. There is no support for reading line by line in the kernel that
    I know of.

  2. don’t know

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of The Mind Phobia
Sent: Monday, March 18, 2002 5:57 PM
To: File Systems Developers
Subject: [ntfsd] RE: NtReadFile problem & Direct Write Access detection

  1. can you provide me with a working example? forget
    mine and write a working example. the file i’ll read
    is a configuration file so i need to read it line by
    line. can this be done?

  2. any ideas for preventing format? (DIRECT WRITE
    ACCESS)

thank you.
— Ken Galipeau wrote:
> pBuffer has not been initialized to anything! It is
> probably NULL.
> Also sizeof(pBuffer) will yield 4 since the size of
> a pointer is 4 bytes.
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of
> The Mind Phobia
> Sent: Monday, March 18, 2002 4:39 PM
> To: File Systems Developers
> Subject: [ntfsd] NtReadFile problem & Direct Write
> Access detection
>
>
> Hi there!
>
> ---------------------------------------
> 1. I have problems reading a text file. I want to
> read
> it (line by line if possible) and I do this:
>
> PVOID pBuffer;
>
> main (int Argc, char ** Argv )
> {
> NTSTATUS Status;
> UNICODE_STRING UnicodeFilespec;
> OBJECT_ATTRIBUTES ObjectAttributes;
> HANDLE FileHandle;
> IO_STATUS_BLOCK Iosb;
>
>
> RtlInitUnicodeString(&UnicodeFilespec,
> L"\DosDevices\C:\Temp\filetoread.txt");
>
> InitializeObjectAttributes(&ObjectAttributes,
> &UnicodeFilespec,OBJ_CASE_INSENSITIVE,NULL,NULL );
>
> Status = NtCreateFile(&FileHandle,(GENERIC_READ
> |
>
SYNCHRONIZE),&ObjectAttributes,&Iosb,0,0,FILE_SHARE_READ,FILE_OPEN,FILE_SYNC
> HRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE,NULL,0);
>
> if(!NT_SUCCESS(Iosb.Status) )
> {
> printf(“CREATE failed with status =
> 0x%0x\n”,Iosb.Status);
> exit(0);
> }
>
> Status =
>
NtReadFile(FileHandle,0,NULL,NULL,&Iosb,(PVOID)pBuffer,sizeof(pBuffer),0,NUL
> L);
>
> if(!NT_SUCCESS(Status) )
> {
> printf(“NtReadFile request failed 0x%0x\n”,
> Status);
> exit(0);
> }
>
> Status = NtClose(FileHandle);
>
>
> if(!NT_SUCCESS(Status) )
> {
> printf(“NtClose request failed 0x%0x\n”,
> Status);
> exit(0);
> }
>
> printf(“Read buffer:\n”);
> printf(“%s\n”,pBuffer);
>
> exit(1);
> }
>
> After successfully opening the file, i get ACCESS
> VIOLATION (0xc000005) as return value of NtReadFile.
> What’s wrong?
> -----------------------------------------------
>
> 2. How can i detect (in my file system filter
> driver)
> and stop an attempt to format the disk (DIRECT DISK
> WRITE ACCESS)? Any ideas or code snippets?
>
> Thank you!
>
>
> Do You Yahoo!?
> Yahoo! Sports - live college hoops coverage
> http://sports.yahoo.com/
>
> —
> You are currently subscribed to ntfsd as:
> xxxxx@legato.com
> To unsubscribe send a blank email to %%email.unsub%%
>
>
>
> —
> You are currently subscribed to ntfsd as:
> xxxxx@yahoo.com
> To unsubscribe send a blank email to
%%email.unsub%%
Do You Yahoo!?
Yahoo! Sports - live college hoops coverage
http://sports.yahoo.com/


You are currently subscribed to ntfsd as: xxxxx@legato.com
To unsubscribe send a blank email to %%email.unsub%%

5

If you are in kernel mode, use the documented kernel mode file access
functions. If you are in user mode, use documented user mode file access
functions. Config files for drivers can be very difficult, because you
have no guarantee that your initialization will happen after the FS is
fully functional, unless your Start Type is system or automatic. But since
this is an FSD list, those are probably not options. So the right place
for your configuration information is the registry, specifically, the
HKLM\System\CurrentControlSet\Services\YourDriver key. That exists largely
for the purpose of giving you a place to keep your config info available,
and it’s guaranteed to be available to you at init time. So use it.

Don’t have a clue about detecting Direct Write access.

Phil

Ken Galipeau @lists.osr.com on 03/18/2002 10:26:12 PM

Please respond to “File Systems Developers”

Sent by: xxxxx@lists.osr.com

To: “File Systems Developers”
cc:

Subject: [ntfsd] RE: NtReadFile problem & Direct Write Access detection

1. I don’t have a working example. YOu just have to declare the buffer as a
global or allocate it using ExAllocatePool. As far as reading line by line
you’ll have to read a block of data into a buffer and scan for the EOL
characters. There is no support for reading line by line in the kernel that
I know of.

2. don’t know

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of The Mind Phobia
Sent: Monday, March 18, 2002 5:57 PM
To: File Systems Developers
Subject: [ntfsd] RE: NtReadFile problem & Direct Write Access detection

1. can you provide me with a working example? forget
mine and write a working example. the file i’ll read
is a configuration file so i need to read it line by
line. can this be done?

2. any ideas for preventing format? (DIRECT WRITE
ACCESS)

thank you.
— Ken Galipeau wrote:
> pBuffer has not been initialized to anything! It is
> probably NULL.
> Also sizeof(pBuffer) will yield 4 since the size of
> a pointer is 4 bytes.
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of
> The Mind Phobia
> Sent: Monday, March 18, 2002 4:39 PM
> To: File Systems Developers
> Subject: [ntfsd] NtReadFile problem & Direct Write
> Access detection
>
>
> Hi there!
>
> ---------------------------------------
> 1. I have problems reading a text file. I want to
> read
> it (line by line if possible) and I do this:
>
> PVOID pBuffer;
>
> main (int Argc, char ** Argv )
> {
> NTSTATUS Status;
> UNICODE_STRING UnicodeFilespec;
> OBJECT_ATTRIBUTES ObjectAttributes;
> HANDLE FileHandle;
> IO_STATUS_BLOCK Iosb;
>
>
> RtlInitUnicodeString(&UnicodeFilespec,
> L"\DosDevices\C:\Temp\filetoread.txt");
>
> InitializeObjectAttributes(&ObjectAttributes,
> &UnicodeFilespec,OBJ_CASE_INSENSITIVE,NULL,NULL );
>
> Status = NtCreateFile(&FileHandle,(GENERIC_READ
> |
>
SYNCHRONIZE),&ObjectAttributes,
&Iosb,0,0,FILE_SHARE_READ,FILE_OPEN,FILE_SYNC
> HRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE,NULL,0);
>
> if(!NT_SUCCESS(Iosb.Status) )
> {
> printf(“CREATE failed with status =
> 0x%0x\n”,Iosb.Status);
> exit(0);
> }
>
> Status =
>
NtReadFile(FileHandle,0,NULL,NULL,
&Iosb,(PVOID)pBuffer,sizeof(pBuffer),0,NUL
> L);
>
> if(!NT_SUCCESS(Status) )
> {
> printf(“NtReadFile request failed 0x%0x\n”,
> Status);
> exit(0);
> }
>
> Status = NtClose(FileHandle);
>
>
> if(!NT_SUCCESS(Status) )
> {
> printf(“NtClose request failed 0x%0x\n”,
> Status);
> exit(0);
> }
>
> printf(“Read buffer:\n”);
> printf(“%s\n”,pBuffer);
>
> exit(1);
> }
>
> After successfully opening the file, i get ACCESS
> VIOLATION (0xc000005) as return value of NtReadFile.
> What’s wrong?
> -----------------------------------------------
>
> 2. How can i detect (in my file system filter
> driver)
> and stop an attempt to format the disk (DIRECT DISK
> WRITE ACCESS)? Any ideas or code snippets?
>
> Thank you!
>
>
> Do You Yahoo!?
> Yahoo! Sports - live college hoops coverage
> http://sports.yahoo.com/
>
> —
> You are currently subscribed to ntfsd as:
> xxxxx@legato.com
> To unsubscribe send a blank email to %%email.unsub%%
>
>
>
> —
> You are currently subscribed to ntfsd as:
> xxxxx@yahoo.com
> To unsubscribe send a blank email to
%%email.unsub%%
Do You Yahoo!?
Yahoo! Sports - live college hoops coverage
http://sports.yahoo.com/


You are currently subscribed to ntfsd as: xxxxx@legato.com
To unsubscribe send a blank email to %%email.unsub%%


You are currently subscribed to ntfsd as: xxxxx@Seagate.com
To unsubscribe send a blank email to %%email.unsub%%