Re[2]: open files which are already opened in exclusive shared mode

Hello Tony,

thanks, this simplifies things a lot


Roman Kudinov

mailto:xxxxx@rbcmail.ru

Friday, August 6, 2004, 9:53:07 PM, you wrote:

TM> In a filter driver, open the file for some minimal access and then roll
TM> your own IRPs. Access check is done above the level of the filter (not
TM> in the FSD) so this will work.

TM> You could use a filter driver to bypass share access checks as well.

TM> Regards,

TM> Tony

TM> Tony Mason
TM> Consulting Partner
TM> OSR Open Systems Resources Inc.
TM> http://www.osr.com

TM> -----Original Message-----
TM> From: xxxxx@lists.osr.com
TM> [mailto:xxxxx@lists.osr.com] On Behalf Of Roman Kudinov
TM> Sent: Friday, August 06, 2004 1:35 PM
TM> To: ntfsd redirect
TM> Subject: [ntfsd] open files which are already opened in exclusive shared
TM> mode

TM> Hello all,

TM> What is the best approach to open a file already opened in exclusive
TM> shared mode by another process?

TM> I have an idea to emulate sharing in my filter driver, are there any
TM> other easier solutions?

TM> P.S. I’d prefer to open and work with files in user space application
TM> but
TM> filter driver is also acceptable

> In a filter driver, open the file for some minimal access and then roll
> your own IRPs. Access check is done above the level of the filter (not
> in the FSD) so this will work.

Before starting implementation, consider if you will
or will not need to open the files on the network.

I think the approach Tony described will probably not work
on network files because the network server will check the
share access check too.
Tony, am I right ?

L.

Hello Ladislav,

I will work with fixed drives only


Roman Kudinov

mailto:xxxxx@rbcmail.ru

Monday, August 9, 2004, 9:54:54 AM, you wrote:

> In a filter driver, open the file for some minimal access and then roll
> your own IRPs. Access check is done above the level of the filter (not
> in the FSD) so this will work.

LZ> Before starting implementation, consider if you will
LZ> or will not need to open the files on the network.

LZ> I think the approach Tony described will probably not work
LZ> on network files because the network server will check the
LZ> share access check too.
LZ> Tony, am I right ?

LZ> L.


In order to work, the open must be on the same machine with the
exclusive access or on the server itself. Otherwise this certainly
would not work.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ladislav Zezula
Sent: Monday, August 09, 2004 1:55 AM
To: ntfsd redirect
Subject: Re: [ntfsd] open files which are already opened in exclusive
shared mode

> In a filter driver, open the file for some minimal access and then roll
> your own IRPs. Access check is done above the level of the filter (not
> in the FSD) so this will work.

Before starting implementation, consider if you will
or will not need to open the files on the network.

I think the approach Tony described will probably not work
on network files because the network server will check the
share access check too.
Tony, am I right ?

L.



DDK says about ZwCreateFile:

"Driver routines that run in a process context other than that of the
system process must set the OBJ_KERNEL_HANDLE attribute for the
ObjectAttributes parameter of ZwCreateFile. This restricts the use of
the handle returned by ZwCreateFile to processes running only in
kernel mode. Otherwise, the thread handle can be accessed by the
                            ^^^^^^^^^^^^^ may be FILE handle?
process in whose context the driver is running. Drivers can call
InitializeObjectAttributes to set the OBJ_KERNEL_HANDLE attribute as
follows."

Why it is a must to set the OBJ_KERNEL_HANDLE attribute in such cases?
What if I want to access a file handle in my user mode application?


Best regards,
Roman mailto:xxxxx@rbcmail.ru


If the handle was created by using OBJ_KERNEL_HANDLE, that means access
checks may not have been done on the file. Allowing a user to access that
file would be incredibly stupid because of the security issues. If you want
to write software like that, please put a LARGE FONT box in your application
saying you want to open their system to being used as a spam remailer,
phisher robot, and DOS slave. Make them click thru that box at least five
times before you actually open the file.

Why use OBJ_KERNEL_HANDLE or not? Try looking about files and contexts - as
in process & thread. I personally don’t worry about it because if I need a
file, I always use a worker thread that waits until needed. The context
remains the same. I don’t think the kernel handle table existed in NT 4.

“Roman Kudinov” wrote in message news:xxxxx@ntfsd…
> DDK says about ZwCreateFile:
>
> “Driver routines that run in a process context other than that of the
> system process must set the OBJ_KERNEL_HANDLE attribute for the
> ObjectAttributes parameter of ZwCreateFile. This restricts the use of
> the handle returned by ZwCreateFile to processes running only in
> kernel mode. Otherwise, the thread handle can be accessed by the
>                             ^^^^^^^^^^^^^ may be FILE handle?
> process in whose context the driver is running. Drivers can call
> InitializeObjectAttributes to set the OBJ_KERNEL_HANDLE attribute as
> follows.”
>
> Why it is a must to set the OBJ_KERNEL_HANDLE attribute in such cases?
> What if I want to access a file handle in my user mode application?
>
> –
> Best regards,
> Roman mailto:xxxxx@rbcmail.ru

Hello Tony,

I tried to do like you say, but got shared access violation error (I
try to open L"C:\WINDOWS\system32\config\default" which is always
opened in exclusive mode). Other files are opened successfully

Here is my code, it is executed in IRP_MJ_DEVICE_CONTROL

    RtlInitEmptyUnicodeString(&strFilename, szBuffer, sizeof(szBuffer));
    RtlAppendUnicodeToString(&strFilename, L"\\??\\");
    RtlAppendUnicodeToString(&strFilename, InputBuffer);
    // InputBuffer = L"C:\\WINDOWS\\system32\\config\\default"

    // I tried both with and without OBJ_KERNEL_HANDLE
    InitializeObjectAttributes(&Attributes,
                               &strFilename,
                               OBJ_KERNEL_HANDLE |
                               OBJ_CASE_INSENSITIVE, // Attributes
                               NULL,                 // RootDirectory
                               NULL);                // SecurityDescriptor

    IoStatus->Status = ZwCreateFile(&hFile,                    // Output handle
                                    FILE_READ_DATA |
                                    SYNCHRONIZE,               // DesiredAccess
                                    &Attributes,               // ObjectAttributes
                                    &IoStatusBlock,
                                    &AllocationSize,           // AllocationSize
                                    FILE_ATTRIBUTE_NORMAL,     // FileAttributes
                                    FILE_SHARE_READ |
                                    FILE_SHARE_WRITE |
                                    FILE_SHARE_DELETE,         // ShareAccess
                                    FILE_OPEN,                 // CreateDisposition
                                    FILE_SYNCHRONOUS_IO_ALERT, // CreateOptions
                                    NULL,                      // EaBuffer
                                    0);                        // EaLength
    if( !NT_SUCCESS(IoStatus->Status) )
    {
        break;
    }

I get error code 32 (shared access violation). Do I do something
wrong?


Best regards,
Roman mailto:xxxxx@rbcmail.ru
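
The share-access arithmetic behind the sharing violation reported above, as an added example that is not part of the original thread: a user-mode C model of the counters that IoCheckShareAccess keeps per open file. The names ShareModel, model_open and second_open and the scenario are constructed for illustration; it shows why an open requesting FILE_READ_DATA is refused when an existing opener shares nothing, while an attribute-only open does not take part in the share check.

```c
/* User-mode model of the SHARE_ACCESS arithmetic; compiles anywhere. */
#include <stdio.h>
/* Bit values as defined in the Windows headers. */
enum { FILE_READ_DATA = 0x1, FILE_WRITE_DATA = 0x2, FILE_APPEND_DATA = 0x4,
       FILE_EXECUTE = 0x20, FILE_READ_ATTRIBUTES = 0x80,
       DELETE = 0x10000, SYNCHRONIZE = 0x100000 };
enum { FILE_SHARE_READ = 1, FILE_SHARE_WRITE = 2, FILE_SHARE_DELETE = 4 };
#define STATUS_SUCCESS           0x00000000u
#define STATUS_SHARING_VIOLATION 0xC0000043u

typedef struct {                 /* same counters as SHARE_ACCESS */
    unsigned OpenCount, Readers, Writers, Deleters;
    unsigned SharedRead, SharedWrite, SharedDelete;
} ShareModel;

/* Check a new open against the opens already recorded; record it on success. */
unsigned model_open(ShareModel *s, unsigned access, unsigned share)
{
    unsigned r = !!(access & (FILE_READ_DATA | FILE_EXECUTE));
    unsigned w = !!(access & (FILE_WRITE_DATA | FILE_APPEND_DATA));
    unsigned d = !!(access & DELETE);
    unsigned sr = !!(share & FILE_SHARE_READ), sw = !!(share & FILE_SHARE_WRITE);
    unsigned sd = !!(share & FILE_SHARE_DELETE);
    if (!(r || w || d))          /* attribute-only open: sharing not checked */
        return STATUS_SUCCESS;
    if ((r && s->SharedRead < s->OpenCount) ||
        (w && s->SharedWrite < s->OpenCount) ||
        (d && s->SharedDelete < s->OpenCount) ||
        (s->Readers && !sr) || (s->Writers && !sw) || (s->Deleters && !sd))
        return STATUS_SHARING_VIOLATION;
    s->OpenCount++; s->Readers += r; s->Writers += w; s->Deleters += d;
    s->SharedRead += sr; s->SharedWrite += sw; s->SharedDelete += sd;
    return STATUS_SUCCESS;
}

/* Constructed scenario: A holds the file with no sharing; B then opens it. */
unsigned second_open(unsigned access)
{
    ShareModel f = {0};
    model_open(&f, FILE_READ_DATA | FILE_WRITE_DATA, 0);
    return model_open(&f, access,
                      FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE);
}

int main(void)
{
    printf("%08X\n", second_open(FILE_READ_DATA | SYNCHRONIZE));
    printf("%08X\n", second_open(FILE_READ_ATTRIBUTES | SYNCHRONIZE));
    return 0;
}
```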
