RE:*** Vista RTM *** Writing to raw disk sectors (Unsigned Mail)

Hi,

> Otherwise, writes are blocked if the write would occur (not from the FS -
> via a passthrough to the device itself) within a recognized partition
> unless you can either lock the volume (FSCTL_LOCK_VOLUME) or if that fails
> force dismount (FSCTL_DISMOUNT_VOLUME).

Is the above true for an IRP_MJ_WRITE built and sent from a storage filter
driver below the file system too?

Regards
Else

-----Original Message-----
From: Jeff Goldner
Sent by: bounce-271324-16691@lists.osr.com
Sent: 11/29/2006 06:18 AM
Please respond to: "Windows System Software Devs Interest List"
To: "Windows System Software Devs Interest List"
cc:
Subject: RE:[ntdev] Vista RTM Writing to raw disk sectors (Unsigned Mail)

Yup. If there are no mounted file systems, no problem. Otherwise, writes
are blocked if the write would occur (not from the FS - via a passthrough
to the device itself) within a recognized partition unless you can either
lock the volume (FSCTL_LOCK_VOLUME) or if that fails force dismount
(FSCTL_DISMOUNT_VOLUME). So in Gary’s example, the volume IS RAW so not
mounted. In theory, omitting SHARE_WRITE could work on the off chance that
no one else was touching the volume - but you have a lot of other nosy
services perusing your disks these days.

However, you shouldn’t expect this to protect you completely. It’s intended
to protect against the type of attack presented by Blue Pill (compromise a
running system) and not intended to prevent data corruption/destruction.
And the boot sector does not fall within a partition, so…

-----Original Message-----
From: Gary G. Little [mailto:xxxxx@seagate.com]
Sent: Tuesday, November 28, 2006 12:32 PM
Subject: Re: Vista RTM Writing to raw disk sectors

Technically we (Seagate) use the SetupDiXXX API to scan for the controllers
and attached devices, acquire the "real" name of the device and then open
that. From there we use pass-through to send raw CDB or TFR commands to the
device or drive. From what Jeff has said, I think our success hinges on the
fact that we are NOT using a system drive, or even a drive with a mounted
file system and open files. That will most likely fail the open of the
handle to the drive, which is fine … since anything that keeps me from
clobbering my boot drive is appreciated.

As a side note — the minimum OS needed to do this is XP SP2 or Vista and
the 3790.1830 DDK (haven’t used the WDK … yet). It does appear that Vista
has fixed some of the ATA pass through issues with reading multiple sectors
using PIO.


The personal opinion of
Gary G. Little

wrote in message news:xxxxx@ntdev…
> Thank you all for your replies.
> I'm running the application from a user account and elevating it to
> administrator. Still, though, I get Error 5: Access Denied when I use
> WRITEFILE. I open "\\.\c:" for write access but in sharing mode.
>
> To Gary Little, your solution using the API that uses SCSI and ATA: is it
> possible to use it under Vista when working on the system volume that
> already has files open, during normal running of Windows? And if so, are
> there any examples of how to write this kind of API?
> Are there any other types I can use instead of WRITEFILE?
>
> Thank you,
> Jim
>
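
The lock-then-dismount sequence Jeff describes, written out as an added
example (this is not code from anyone in the thread). It opens a volume with
CreateFile, tries FSCTL_LOCK_VOLUME, falls back to FSCTL_DISMOUNT_VOLUME, and
only then issues a sector-aligned WriteFile. The P/Invoke wrapper name
(RawVol), the target volume (E:), the LBA (2048) and the sector contents are
assumptions for illustration; point it at a scratch volume in a test VM,
never at C:, and run it from an elevated PowerShell prompt. On a system or
boot volume expect both steps to fail, which is exactly the behaviour the
original poster ran into with "\\.\c:".

```powershell
# Added example, not from the thread: raw sector write on Vista and later
# via lock -> forced dismount -> WriteFile. Assumed target: scratch volume E:.

$code = @"
using System;
using System.Runtime.InteropServices;
public static class RawVol {
    [DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
    public static extern IntPtr CreateFileW(string name, uint access, uint share,
        IntPtr sa, uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern bool DeviceIoControl(IntPtr h, uint code, IntPtr inBuf, uint inLen,
        IntPtr outBuf, uint outLen, out uint returned, IntPtr overlapped);
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern bool SetFilePointerEx(IntPtr h, long dist, out long newPos, uint method);
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern bool WriteFile(IntPtr h, byte[] buf, uint len, out uint written, IntPtr overlapped);
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@
if (-not ('RawVol' -as [type])) { Add-Type -TypeDefinition $code }

$GENERIC_READ     = 0x80000000
$GENERIC_WRITE    = 0x40000000
$FILE_SHARE_READ  = 1
$FILE_SHARE_WRITE = 2
$OPEN_EXISTING    = 3
# CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 6 / 8, METHOD_BUFFERED, FILE_ANY_ACCESS)
$FSCTL_LOCK_VOLUME     = 0x00090018
$FSCTL_DISMOUNT_VOLUME = 0x00090020

function Get-LastWin32Error { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

function Open-RawVolume([string]$Volume) {
    $path = "\\.\$Volume"                     # e.g. "E:" -> \\.\E:
    $h = [RawVol]::CreateFileW($path, ($GENERIC_READ -bor $GENERIC_WRITE),
        ($FILE_SHARE_READ -bor $FILE_SHARE_WRITE), [IntPtr]::Zero,
        $OPEN_EXISTING, 0, [IntPtr]::Zero)
    if ($h.ToInt64() -eq -1) { throw "CreateFile($path) failed: $(Get-LastWin32Error)" }

    $ret = [uint32]0
    # Step 1: lock the volume. Fails (ERROR_ACCESS_DENIED) if anything holds
    # a file open on it, which is always the case on the system volume.
    if ([RawVol]::DeviceIoControl($h, $FSCTL_LOCK_VOLUME, [IntPtr]::Zero, 0,
            [IntPtr]::Zero, 0, [ref]$ret, [IntPtr]::Zero)) {
        Write-Host "$path locked; raw writes inside the partition are now allowed"
        return $h
    }
    Write-Warning "FSCTL_LOCK_VOLUME failed ($(Get-LastWin32Error)); forcing dismount"

    # Step 2: force a dismount. Other handles on the volume become invalid
    # and unflushed data in files open for write is lost, so this is a
    # destructive fallback, not a safe default.
    if (-not [RawVol]::DeviceIoControl($h, $FSCTL_DISMOUNT_VOLUME, [IntPtr]::Zero, 0,
            [IntPtr]::Zero, 0, [ref]$ret, [IntPtr]::Zero)) {
        $err = Get-LastWin32Error
        [RawVol]::CloseHandle($h) | Out-Null
        throw "FSCTL_DISMOUNT_VOLUME failed: $err"
    }
    return $h
}

function Write-RawSector([IntPtr]$Handle, [long]$Lba, [byte[]]$Data, [int]$SectorSize = 512) {
    # Volume handles require sector-aligned offsets and whole-sector lengths.
    if ($Data.Length % $SectorSize -ne 0) { throw "buffer must be a whole number of sectors" }
    $pos = [long]0
    if (-not [RawVol]::SetFilePointerEx($Handle, $Lba * $SectorSize, [ref]$pos, 0)) {
        throw "SetFilePointerEx failed: $(Get-LastWin32Error)"
    }
    $written = [uint32]0
    if (-not [RawVol]::WriteFile($Handle, $Data, [uint32]$Data.Length, [ref]$written, [IntPtr]::Zero)) {
        throw "WriteFile failed: $(Get-LastWin32Error)"   # 5 = ERROR_ACCESS_DENIED
    }
    return $written
}

# Usage (assumed scratch volume E:, assumed LBA 2048, constructed sector contents)
$h = Open-RawVolume "E:"
try {
    $sector = New-Object byte[] 512
    [Text.Encoding]::ASCII.GetBytes("raw write test").CopyTo($sector, 0)
    $n = Write-RawSector $h 2048 $sector
    Write-Host "wrote $n bytes at LBA 2048"
} finally {
    [RawVol]::CloseHandle($h) | Out-Null   # closing the handle releases the lock
}
```

Two things worth checking when adapting this: a write that lands outside
every recognized partition (the MBR at LBA 0, for example) is not blocked by
this mechanism at all, as Jeff notes, so the lock/dismount step is not what
protects your boot sector; and the lock is held only as long as the handle is
open, so do all the writes on the same handle and close it once.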


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer