Hi
I wrote code that hooks ZwOpenFile, ZwCreateFile and
ZwClose.
I have a very strange thing happening - please let me
know if it sounds reasonable to you:
On ZwCreateFile for filename “\Device\SomeDiskDevice”
Then I call the original ZwCreateFile, and then with the
returned handle:
ObReferenceObjectByHandle(Handle, 0, NULL, KernelMode, &pObject, NULL)
To my very big surprise, the FileObject I get
refers in its FileName field to “MyDriveLetter:\Some
file.dll”
The File Object I get from ObReferenceObjectByHandle
is really a file object of this “Some file.dll” that
was created before, but why do I get it for the “new”
handle I got to “SomeDiskDevice”?
Anyway, all this action does happen in the same process and
SAME thread…
Thanks in advance
Alon
You’re not going to get much sympathy here. Search the archives for
“hooking”. There are better ways to do whatever it is you’re doing,
especially for such a well-known path as IRP_MJ_CREATE.
– arlie
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alon
Sent: Friday, December 16, 2005 1:56 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Strange File Handle<–>File Object results
First problem is that you hook. If you want to see file creates/opens and
closes then you should use a file system filter driver; to be more specific
a filter manager minifilter if at all possible. Second problem is that
FileObject->FileName is not valid after the fsd has processed IRP_MJ_CREATE.
There might be a third problem …
Hooking is bad. Write the proper filesystem filter instead.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com