Problem with IoVolumeDeviceToDosName

Hi All,

I am calling IoVolumeDeviceToDosName to get the path of a file.

E.g. the file is \Device\HarddiskVolume1\Program Files\Cat Computer\Client Agent\accasrvc.exe

Then I am opening \Device\HarddiskVolume1 with ZwCreateFile() and using ObReferenceObjectByHandle to get the object and I am passing that handle to IoVolumeDeviceToDosName so that I can get the path.

But it is producing BSOD.
What will be the problem?

Thanks & Regards,
Amit.

It is so difficult to understand what is going on???

Look at the following statement:

[begin quote]

… I am passing that handle to IoVolumeDeviceToDosName so that I can get the path

[end quote]

Now look at IoVolumeDeviceToDosName() declaration, and pay a special attention to the first parameter:

NTSTATUS IoVolumeDeviceToDosName( IN PVOID VolumeDeviceObject,
                                  OUT PUNICODE_STRING DosName );

You pass a handle, while the function expects a pointer. Therefore, it treats this handle as a memory address, which, of course, is invalid. BANG!!!

Anton Bassov

Try Google and searching the OSR newsgroups. I think I have seen several
posts about this issue.


David J. Craig
Engineer, Sr. Staff Software Systems
Broadcom Corporation

wrote in message news:xxxxx@ntdev…
> Hi All,
>
> I am calling IoVolumeDeviceToDosName to get the path of a file.
>
> E.g. the file is \Device\HarddiskVolume1\Program Files\Cat Computer\Client
> Agent\accasrvc.exe
>
> Then I am opening \Device\HarddiskVolume1 with ZwCreateFile() and using
> ObReferenceObjectByHandle to get the object and I am passing that handle
> to IoVolumeDeviceToDosName so that I can get the path.
>
> But it is producing BSOD.
> What will be the problem?
>
> Thanks & Regards,
> Amit.
>
>

How about an !analyze -v. Some source code would be also nice.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Tuesday, August 14, 2007 00:17
To: Windows System Software Devs Interest List
Subject: [ntdev] Problem with IoVolumeDeviceToDosName

Hi All,

I am calling IoVolumeDeviceToDosName to get the path of a file.

E.g. the file is \Device\HarddiskVolume1\Program Files\Cat
Computer\Client Agent\accasrvc.exe

Then I am opening \Device\HarddiskVolume1 with ZwCreateFile() and using
ObReferenceObjectByHandle to get the object and I am passing that handle
to IoVolumeDeviceToDosName so that I can get the path.

But it is producing BSOD.
What will be the problem?

Thanks & Regards,
Amit.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Sorry I want to say

I am passing that Object to
IoVolumeDeviceToDosName so that I can get the path.

I think I am getting the file object and IoVolumeDeviceToDosName requires DeviceObject. Is this the problem?

Because CreateFile will give me the handle, ObReferenceObjectByHandle will give me the file object,
and I require the device object.

> How about an !analyze -v. Some source code would be also nice.

Well, if the OP, indeed, does what he describes, i.e. passes a handle instead of pointer, then the reason for BSOD is so plainly obvious that the problem can be diagnosed without any additional info…

However, even if he passes not a handle but a pointer that he obtains with ObReferenceObjectByHandle() from this handle… well, then the reason for crash is still obvious -
if you pass a file handle that you have earlier obtained with ZwCreateFile() call to ObReferenceObjectByHandle(), you will get a pointer to FILE_OBJECT. However, IoVolumeDeviceToDosName() expects a pointer to DEVICE_OBJECT. Therefore, he needs to pass not ‘pFile’ that ObReferenceObjectByHandle() returns, but ‘pFile->DeviceObject’.

In any case, I believe the OP is able to figure it out himself without our help. I would advise the OP to read documentation and to do elementary investigations on his own before posting questions. I believe that using a NG as a substitute for a debugger is nothing more and nothing less than just abusing it - I think NGs are meant to have a bit different purpose…

Anton Bassov

> I think I am getting the file object and IoVolumeDeviceToDosName requires
> DeviceObject. Is this the problem.

You just took the words out of my mouth - you made your post while I was typing mine, so we have arrived at the same conclusion independently from one another. As you can see, there is nothing complex here - you managed to figure it out yourself without our assistance. Well done…

Anton Bassov

Thanks Anton Bassov, for giving me inspiration.
I am working on AntiRootkit project and this is my first project in Driver technology. And you have solved most of my queries on OSR. Thanks for that.

Amit,

> I am working on AntiRootkit project and this is my first project in Driver
> technology. And you have solved most of my queries on OSR.

I am afraid this NG is of no help to you then - if you want to write a more-or-less efficient rootkit detector, you have to do quite a few things that you are not supposed to do, and explaining to you what can be done, let alone *how* it can be done, will be seen as “bad advice” here (I can assure you of that - I know it from my own experience). Therefore, no one is going to help you here - you are completely on your own, so you have to figure out everything yourself. In order to get some ideas, you can check phrack archives and rootkit.com, plus read blackhat.org’s presentations - they will give you some approximate directions of search. However, when it comes to the actual work, you are completely on your own, with practically no assistance either from MSDN or from the NGs. Volumes 2 and 3 of Intel Developer’s Manual should become your Bible - they explain things that Windows developers are not supposed even to know about, because HAL insulates you from all this “gory stuff”, and disassembling the OS should take the lion’s share of your time.

To summarize, get ready for experimentation, investigations and self-study. Never mind - I am in exactly the same position myself, so I can assure you that the whole thing is really exciting…

Good luck…

Anton Bassov

> I think I am getting the file object and IoVolumeDeviceToDosName requires
> DeviceObject. Is this the problem.

Yes. Use IoGetBaseFileSystemDeviceObject to get the device object from the file
object.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> Use IoGetBaseFileSystemDeviceObject to get the device object from the file object.

Actually, this function is reserved for the system use…

Anton Bassov

> > Use IoGetBaseFileSystemDeviceObject to get the device object from the file
> > object.
>
> Actually, this function is reserved for the system use…

Widely used in FS filters.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com