Retrieving a FILE_OBJECT from a string

Lorenzo · November 17, 2003, 2:24pm

Hi, I have a UNICODE_STRING in this form “C:\WINDOWS\somefile.txt” or
“C:\WINDOWS\System32”, now I need to know which of them is a directory
and which of them is a file, I thought to directly query the file system
to know if it is a file or a directory, but how? May I use
ZwQueryInformationFile or should I build the irp and send it to the file
system? Currently I’m building the Irp to retrieve some informations,
but I need the FILE_OBJECT to query the file system with the Irp, so how
to get the FILE_OBJECT from a string?

Thanks.

Lorenzo

OSR_Community_User · November 17, 2003, 2:34pm

Lorenzo,

You need to open the file. From the handle, extract the file object.

My personal (off the top of my head) algorithm would be:

IoCreateFile (or IoCreateFileSpecifyDeviceObjectHint from a filter on XP or
W2K3) indicating SYNCHRONIZE access (I just want the file object, not
sharing checks, or normal security operations).

ObReferenceObjectByHandle - get a file object from the handle

IoQueryFileInformation - this uses the object (which I didn’t open with
correct security anyway) to retrieve the requisite information

ObDereferenceObject - I’m done with it anyway

ZwClose - delete that unneeded handle (note you cant’ do this earlier
because it sends an IRP_MJ_CLEANUP at this point, which will not allow you
to send arbitrary operations down at that point, since only paging I/O
operations are permitted between IRP_MJ_CLEANUP and IRP_MJ_CLOSE.)

Since this is off the top of my head, I may have missed some detail, but
that’s the basic outline. No doubt whatever I might have missed will be
picked up by someone else on the list - but in the interim you can go off
and start writing code.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
http://www.osronline.com

-----Original Message-----
From: Lorenzo [mailto:xxxxx@email.it]
Sent: Monday, November 17, 2003 2:23 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Retrieving a FILE_OBJECT from a string

Hi, I have a UNICODE_STRING in this form “C:\WINDOWS\somefile.txt” or
“C:\WINDOWS\System32”, now I need to know which of them is a directory
and which of them is a file, I thought to directly query the file system
to know if it is a file or a directory, but how? May I use
ZwQueryInformationFile or should I build the irp and send it to the file
system? Currently I’m building the Irp to retrieve some informations,
but I need the FILE_OBJECT to query the file system with the Irp, so how
to get the FILE_OBJECT from a string?

Thanks.

Lorenzo

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Vladimir_Chtchetkine · November 17, 2003, 2:34pm

If you have IFS Kit you can ise IoFastQueryNetworkAttributes routine
(declared in ntifs.h). This (I think) is the fastest and simplest way to
see if an object is a file or directory. But if you need a handle to
that object anyway (i.e. you will ZwCreate that object) then use
ZwQueryInformation.
Just remember that in either case you will have to convert “C:\Path”
into “\DosDevices\C:\Path”

-----Original Message-----
From: Lorenzo [mailto:xxxxx@email.it]
Sent: Monday, November 17, 2003 11:23 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Retrieving a FILE_OBJECT from a string

Hi, I have a UNICODE_STRING in this form “C:\WINDOWS\somefile.txt” or
“C:\WINDOWS\System32”, now I need to know which of them is a directory
and which of them is a file, I thought to directly query the file system

to know if it is a file or a directory, but how? May I use
ZwQueryInformationFile or should I build the irp and send it to the file

system? Currently I’m building the Irp to retrieve some informations,
but I need the FILE_OBJECT to query the file system with the Irp, so how

to get the FILE_OBJECT from a string?

Thanks.

Lorenzo

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as:
xxxxx@borland.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · November 17, 2003, 7:36pm

> If you have IFS Kit you can ise IoFastQueryNetworkAttributes routine

(declared in ntifs.h). This (I think) is the fastest and simplest way to
see if an object is a file or directory.

Yes. It uses the temporary on-stack file object to do the query.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Lorenzo · November 18, 2003, 3:28am

Using functions like IoCreateFile or ZwClose wouldn’t cause reentrancy
problems in my filter driver? I need to get the file name from a
dispatch routine (and sometimes I may need to get it from a
CompletionRoutine), while in a dispatch routine I’m running at IRQL =
PASSIVE_LEVEL, in a CompletionRoutine I could be running at IRQL =
DISPATCH_LEVEL, and I can’t use those functions at that IRQL, so should
I build a worker thread when I’m in the CompletionRoutine?

Regarding the IoFastQueryNetworkAttributes:
I can’t find the documentation for this function in the ddk, but I found
its prototype in the ntifs.h header file, this function can only be
called at an IRQL = PASSIVE_LEVEL right? And its ObjectAttributes should
be initialized in the usual way?

Thanks.

Lorenzo
Tony Mason wrote:

Lorenzo,

You need to open the file. From the handle, extract the file object.

My personal (off the top of my head) algorithm would be:

IoCreateFile (or IoCreateFileSpecifyDeviceObjectHint from a filter on XP or
W2K3) indicating SYNCHRONIZE access (I just want the file object, not
sharing checks, or normal security operations).

ObReferenceObjectByHandle - get a file object from the handle

IoQueryFileInformation - this uses the object (which I didn’t open with
correct security anyway) to retrieve the requisite information

ObDereferenceObject - I’m done with it anyway

ZwClose - delete that unneeded handle (note you cant’ do this earlier
because it sends an IRP_MJ_CLEANUP at this point, which will not allow you
to send arbitrary operations down at that point, since only paging I/O
operations are permitted between IRP_MJ_CLEANUP and IRP_MJ_CLOSE.)

Since this is off the top of my head, I may have missed some detail, but
that’s the basic outline. No doubt whatever I might have missed will be
picked up by someone else on the list - but in the interim you can go off
and start writing code.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
http://www.osronline.com

Vladimir_Chtchetkine · November 18, 2003, 10:15am

Yes, I would expect IoFastQueryNetworkAttributes to be a PASSIVE_LEVEL
routine since there could be a create IRP rolled for this call (if fast
i/o for some reason returns false). And yes, ObjectAttributes should be
initialized in the usual way (whatever that means). And this routine as
well may result in reentering your driver (since you are concerned about
that).

-----Original Message-----
From: Lorenzo [mailto:xxxxx@email.it]
Sent: Tuesday, November 18, 2003 12:28 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Re: Retrieving a FILE_OBJECT from a string

Using functions like IoCreateFile or ZwClose wouldn’t cause reentrancy
problems in my filter driver? I need to get the file name from a
dispatch routine (and sometimes I may need to get it from a
CompletionRoutine), while in a dispatch routine I’m running at IRQL =
PASSIVE_LEVEL, in a CompletionRoutine I could be running at IRQL =
DISPATCH_LEVEL, and I can’t use those functions at that IRQL, so should
I build a worker thread when I’m in the CompletionRoutine?

Regarding the IoFastQueryNetworkAttributes:
I can’t find the documentation for this function in the ddk, but I found

its prototype in the ntifs.h header file, this function can only be
called at an IRQL = PASSIVE_LEVEL right? And its ObjectAttributes should

be initialized in the usual way?

Thanks.

Lorenzo
Tony Mason wrote:

Lorenzo,

You need to open the file. From the handle, extract the file object.

My personal (off the top of my head) algorithm would be:

IoCreateFile (or IoCreateFileSpecifyDeviceObjectHint from a filter on
XP or
W2K3) indicating SYNCHRONIZE access (I just want the file object, not
sharing checks, or normal security operations).

ObReferenceObjectByHandle - get a file object from the handle

IoQueryFileInformation - this uses the object (which I didn’t open
with
correct security anyway) to retrieve the requisite information

ObDereferenceObject - I’m done with it anyway

ZwClose - delete that unneeded handle (note you cant’ do this earlier
because it sends an IRP_MJ_CLEANUP at this point, which will not allow
you
to send arbitrary operations down at that point, since only paging I/O
operations are permitted between IRP_MJ_CLEANUP and IRP_MJ_CLOSE.)

Since this is off the top of my head, I may have missed some detail,
but
that’s the basic outline. No doubt whatever I might have missed will
be
picked up by someone else on the list - but in the interim you can go
off
and start writing code.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
http://www.osronline.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as:
xxxxx@borland.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · November 18, 2003, 11:54am

IoFastQueryNetworkAttributes underlies several Zwxxx syscalls which do the
“get file information by pathname” semantics.

This routine (and ->FastIoQueryOpen used by it) allows to query the file
without having a full blown file object (on-stack one is enough).

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Vladimir Chtchetkine”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, November 18, 2003 6:14 PM
Subject: [ntfsd] Re: Retrieving a FILE_OBJECT from a string

> Yes, I would expect IoFastQueryNetworkAttributes to be a PASSIVE_LEVEL
> routine since there could be a create IRP rolled for this call (if fast
> i/o for some reason returns false). And yes, ObjectAttributes should be
> initialized in the usual way (whatever that means). And this routine as
> well may result in reentering your driver (since you are concerned about
> that).
>
> -----Original Message-----
> From: Lorenzo [mailto:xxxxx@email.it]
> Sent: Tuesday, November 18, 2003 12:28 AM
> To: Windows File Systems Devs Interest List
> Subject: [ntfsd] Re: Retrieving a FILE_OBJECT from a string
>
> Using functions like IoCreateFile or ZwClose wouldn’t cause reentrancy
> problems in my filter driver? I need to get the file name from a
> dispatch routine (and sometimes I may need to get it from a
> CompletionRoutine), while in a dispatch routine I’m running at IRQL =
> PASSIVE_LEVEL, in a CompletionRoutine I could be running at IRQL =
> DISPATCH_LEVEL, and I can’t use those functions at that IRQL, so should
> I build a worker thread when I’m in the CompletionRoutine?
>
> Regarding the IoFastQueryNetworkAttributes:
> I can’t find the documentation for this function in the ddk, but I found
>
> its prototype in the ntifs.h header file, this function can only be
> called at an IRQL = PASSIVE_LEVEL right? And its ObjectAttributes should
>
> be initialized in the usual way?
>
> Thanks.
>
> Lorenzo
> Tony Mason wrote:
> > Lorenzo,
> >
> > You need to open the file. From the handle, extract the file object.
> >
> > My personal (off the top of my head) algorithm would be:
> >
> > IoCreateFile (or IoCreateFileSpecifyDeviceObjectHint from a filter on
> XP or
> > W2K3) indicating SYNCHRONIZE access (I just want the file object, not
> > sharing checks, or normal security operations).
> >
> > ObReferenceObjectByHandle - get a file object from the handle
> >
> > IoQueryFileInformation - this uses the object (which I didn’t open
> with
> > correct security anyway) to retrieve the requisite information
> >
> > ObDereferenceObject - I’m done with it anyway
> >
> > ZwClose - delete that unneeded handle (note you cant’ do this earlier
> > because it sends an IRP_MJ_CLEANUP at this point, which will not allow
> you
> > to send arbitrary operations down at that point, since only paging I/O
> > operations are permitted between IRP_MJ_CLEANUP and IRP_MJ_CLOSE.)
> >
> > Since this is off the top of my head, I may have missed some detail,
> but
> > that’s the basic outline. No doubt whatever I might have missed will
> be
> > picked up by someone else on the list - but in the interim you can go
> off
> > and start writing code.
> >
> > Regards,
> >
> > Tony
> >
> > Tony Mason
> > Consulting Partner
> > OSR Open Systems Resources, Inc.
> > http://www.osr.com
> > http://www.osronline.com
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as:
> xxxxx@borland.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

Vladimir_Chtchetkine · November 18, 2003, 11:59am

My impression was that IoFastQueryNetworkAttributes uses primarily
FastIoQueryOpen and only if this fast i/o is not supported by the
corresponded driver or returns false it goes Zw or regular IRP way.

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Tuesday, November 18, 2003 8:56 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Re: Retrieving a FILE_OBJECT from a string

IoFastQueryNetworkAttributes underlies several Zwxxx syscalls which
do the
“get file information by pathname” semantics.

This routine (and ->FastIoQueryOpen used by it) allows to query the
file
without having a full blown file object (on-stack one is enough).

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Vladimir Chtchetkine”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, November 18, 2003 6:14 PM
Subject: [ntfsd] Re: Retrieving a FILE_OBJECT from a string

> Yes, I would expect IoFastQueryNetworkAttributes to be a PASSIVE_LEVEL
> routine since there could be a create IRP rolled for this call (if
fast
> i/o for some reason returns false). And yes, ObjectAttributes should
be
> initialized in the usual way (whatever that means). And this routine
as
> well may result in reentering your driver (since you are concerned
about
> that).
>
> -----Original Message-----
> From: Lorenzo [mailto:xxxxx@email.it]
> Sent: Tuesday, November 18, 2003 12:28 AM
> To: Windows File Systems Devs Interest List
> Subject: [ntfsd] Re: Retrieving a FILE_OBJECT from a string
>
> Using functions like IoCreateFile or ZwClose wouldn’t cause reentrancy
> problems in my filter driver? I need to get the file name from a
> dispatch routine (and sometimes I may need to get it from a
> CompletionRoutine), while in a dispatch routine I’m running at IRQL =
> PASSIVE_LEVEL, in a CompletionRoutine I could be running at IRQL =
> DISPATCH_LEVEL, and I can’t use those functions at that IRQL, so
should
> I build a worker thread when I’m in the CompletionRoutine?
>
> Regarding the IoFastQueryNetworkAttributes:
> I can’t find the documentation for this function in the ddk, but I
found
>
> its prototype in the ntifs.h header file, this function can only be
> called at an IRQL = PASSIVE_LEVEL right? And its ObjectAttributes
should
>
> be initialized in the usual way?
>
> Thanks.
>
> Lorenzo
> Tony Mason wrote:
> > Lorenzo,
> >
> > You need to open the file. From the handle, extract the file
object.
> >
> > My personal (off the top of my head) algorithm would be:
> >
> > IoCreateFile (or IoCreateFileSpecifyDeviceObjectHint from a filter
on
> XP or
> > W2K3) indicating SYNCHRONIZE access (I just want the file object,
not
> > sharing checks, or normal security operations).
> >
> > ObReferenceObjectByHandle - get a file object from the handle
> >
> > IoQueryFileInformation - this uses the object (which I didn’t open
> with
> > correct security anyway) to retrieve the requisite information
> >
> > ObDereferenceObject - I’m done with it anyway
> >
> > ZwClose - delete that unneeded handle (note you cant’ do this
earlier
> > because it sends an IRP_MJ_CLEANUP at this point, which will not
allow
> you
> > to send arbitrary operations down at that point, since only paging
I/O
> > operations are permitted between IRP_MJ_CLEANUP and IRP_MJ_CLOSE.)
> >
> > Since this is off the top of my head, I may have missed some detail,
> but
> > that’s the basic outline. No doubt whatever I might have missed
will
> be
> > picked up by someone else on the list - but in the interim you can
go
> off
> > and start writing code.
> >
> > Regards,
> >
> > Tony
> >
> > Tony Mason
> > Consulting Partner
> > OSR Open Systems Resources, Inc.
> > http://www.osr.com
> > http://www.osronline.com
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as:
> xxxxx@borland.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as:
xxxxx@borland.com
To unsubscribe send a blank email to xxxxx@lists.osr.com