ObOpenObjectByName fails to open device object

Hi all,

I am trying to get the DEVICE_OBJECT handle using ObOpenObjectByName(). The device object name that is passed to this API is of the form “\Device\device_obj_name”. The code snippet is as follows:

//==============================================//
RtlInitUnicodeString( &ObjName, L"\\Device\\KSecDD" ); // KSecDD just as an example.
InitializeObjectAttributes( &ObjectAttributes,
                            &ObjName,
                            OBJ_CASE_INSENSITIVE,
                            NULL,
                            NULL );
ntStatus = ObOpenObjectByName( &ObjectAttributes,
                               NULL,        // POBJECT_TYPE
                               KernelMode,  // KPROCESSOR_MODE
                               NULL,        // PACCESS_STATE
                               0x80000000,  // ACCESS_MASK
                               NULL,        // ParseContext
                               &hObject );  // Handle
if( STATUS_SUCCESS == ntStatus )
{
    // Do some work…
    ZwClose( hObject );
}
else
{
    DbgPrint( "ObOpenObjectByName failed: 0x%x", ntStatus );
}
//==============================================//

However, ObOpenObjectByName fails with error 0xC0000024 (STATUS_OBJECT_TYPE_MISMATCH). The same piece of code works fine if I try to get handle of a DRIVER_OBJECT (\Driver\driver_obj_name).

Any idea why ObOpenObjectByName() is failing to get the handle for a DEVICE_OBJECT? Any bug in this code??? It would be great if anybody can help me out on this!

Thanks!!!

Obvious question: Why aren’t you using IoGetDeviceObjectPointer?

That’s the “normal” way of achieving this, I’ve never personally tried
ObOpenObjectByName with a DO so I can’t say if it would work or not…

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

Looking forward to seeing you at the next OSR Kernel Debugging Class April
6, 2009 in Portland, OR!


You need to feed in nt!IoDeviceObjectType which is not defined in DDK header IIRC. But as Scott pointed out, why not use IoGetDeviceObjectPointer? Are you just doing it for fun?

Calvin Guan
Broadcom Corp.
Connecting Everything(r)


As a general rule, you should never use ObOpenObjectByName without a POBJECT_TYPE; doing so allows name-squatting to compromise system security.

- S


> why not use IoGetDeviceObjectPointer?

Unlike IoGetDeviceObjectPointer(), ObOpenObjectByName() returns a pointer to PDO, rather than the one on top of the stack. What the poster is going to do with this DO is already another story…

Anton Bassov

In addition to what other folks have said already about best practices:

A driver will usually need to specify the OBJ_KERNEL_HANDLE flag when creating a handle (by calling ObOpenObjectByName or some other kernel API).

We tried to explain some of the issues related to missing the OBJ_KERNEL_HANDLE flag at the beginning of the doc from http://www.microsoft.com/whdc/devtools/tools/Win7DriverVer.mspx.

Dan

Isn’t it better for the squatter to match the type? Or squatters tend to be
lazy as well? :)

“Skywing” wrote in message
news:xxxxx@ntdev…
> As a general rule, you should never use ObOpenObjectByName without a
> POBJECT_TYPE; doing so allows name-squatting to compromise system
> security.
>
> - S
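A simplified user-mode model of the two points above (the POBJECT_TYPE advice and the follow-up question about a squatter that matches the type), added here as an illustration and not code from any poster or from the kernel. The namespace, the `\Example\...` names and `open_by_name` are hypothetical, and device-object parsing is not modelled.

```c
#include <stdio.h>
#include <string.h>
/* 0xC0000024 is the status quoted in the thread. */
#define STATUS_SUCCESS               0x00000000u
#define STATUS_OBJECT_TYPE_MISMATCH  0xC0000024u
#define STATUS_OBJECT_NAME_NOT_FOUND 0xC0000034u
/* Stand-in for POBJECT_TYPE; types are compared by address. */
typedef struct { const char *label; } OBJ_TYPE;
static const OBJ_TYPE EventType   = { "Event" };
static const OBJ_TYPE SectionType = { "Section" };

typedef struct {
    const char     *path;    /* name in the toy namespace */
    const OBJ_TYPE *type;    /* what the object really is */
    const char     *creator; /* who created it            */
} OBJECT;

/* Constructed namespace; every name here is hypothetical. */
static const OBJECT g_namespace[] = {
    { "\\Example\\Legit",     &EventType,   "system"   },
    { "\\Example\\WrongType", &SectionType, "squatter" },
    { "\\Example\\SameType",  &EventType,   "squatter" },
};

/* expected == NULL models passing NULL for POBJECT_TYPE: no type check. */
static unsigned open_by_name(const char *path, const OBJ_TYPE *expected,
                             const OBJECT **out)
{
    size_t i;
    *out = NULL;
    for (i = 0; i < sizeof g_namespace / sizeof g_namespace[0]; i++) {
        if (strcmp(g_namespace[i].path, path) != 0)
            continue;
        if (expected != NULL && g_namespace[i].type != expected)
            return STATUS_OBJECT_TYPE_MISMATCH;   /* wrong type: refuse */
        *out = &g_namespace[i];
        return STATUS_SUCCESS;
    }
    return STATUS_OBJECT_NAME_NOT_FOUND;
}

int main(void)
{
    const OBJECT *o;
    printf("untyped, wrong type: 0x%08X\n", open_by_name("\\Example\\WrongType", NULL, &o));
    printf("typed,   wrong type: 0x%08X\n", open_by_name("\\Example\\WrongType", &EventType, &o));
    printf("typed,   same type:  0x%08X\n", open_by_name("\\Example\\SameType", &EventType, &o));
    return 0;
}
```

In the model the typed open turns the wrong-type squat into 0xC0000024, while the same-type squat still succeeds, which is what the follow-up question is getting at.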

Hi all,

Thanks for the info! I switched to IoGetDeviceObjectPointer, and it works just fine :) By the way, do I need to dereference (ObDereferenceObject()) both PFILE_OBJECT and PDEVICE_OBJECT? Or, only PFILE_OBJECT?

> ObOpenObjectByName() returns a pointer to PDO

How so? Assuming that you could even use this routine to open a DO (which
I’m dubious about), the parse procedure of the object type still needs to be
called. And IopParseDevice returns the top unless you specify a DO hint.

But now we’re speculating about what it might do if it worked, which is a
bit silly…

-scott



> By the way, do I need to dereference (ObDereferenceObject()) both PFILE_OBJECT and PDEVICE_OBJECT? Or, only PFILE_OBJECT?

You only need to deref the file object.

-scott



> need to dereference (ObDereferenceObject()) both PFILE_OBJECT and PDEVICE_OBJECT? Or, only PFILE_OBJECT?

File object only


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

>> ObOpenObjectByName() returns a pointer to PDO

> How so? Assuming that you could even use this routine to open a DO (which I’m dubious about),

IIRC, this is how it works…

> And IopParseDevice returns the top unless you specify a DO hint.

IIRC, if you get the device with ObOpenObjectByName() and IoGetDeviceObjectPointer() with the same name, you will get two different DOs…

In any case, I experimented with it around 3 years ago, so that it may well be just a memory lapse…

Anton Bassov