virtual disk 2 - Object Manager namespace

Hi everyone,

Earlier this week, I have asked a question regarding virtual disk and Michal answered me that I can use either subst or DefineDosDevice.

Let me try to explain what I am trying to do here just to give you little bit of background. Right now, I have a program that sort of checkpoint an application and I can move it to other machine and restart the app there.

As an initial step, it is working relatively but suppose I have a machine that has c: and d: drive and I move an app to new machine that has c: drive only. In this case, an app can fail if it expects any data from d:. Of course I save all the dependent files in certain fashion to differentiate data between from c: and d: drive.

Now, I can use either subst or DefineDosDevice to create d: drive but then this d: drive will then appear in other apps in the same machine.
In other words, I just want to have it display in my app only. I also have read that Object Manager deals with all the data regarding devices so I was just wondering if there is any calls that I can work with to show my app d: drive.

Or just an initial step, is there any way I can somehow directly store d: drive in Object namespace? I am sort of limited to use calls in NTDLL so this is another problem.
If I can at least know the function calls that I can use for query/set d: drive, I can perhaps just add d: drive and replace arguments.

Please let me know if I am making any sense. I will really appreciate any help/advice.

YEH

Object Manager namespace is visible to all applications. It is only possible to distinguish global (whole OS) and logon session namespace. If you can run your app in separate logon session (using runas for example), you can have substed drives visible to this session only. As an experiment start cmd.exe using runas, create a substed drive and run your app from there. Logon session namespaces are under \Sessions\N\DosDevices\xxxxxxxx-yyyyyyyy where N is interactive session number (usually 0) and xxxxxxxx-yyyyyyyy is logon session ID.

I guess the correct solutin is to change your app. Create a configuration file or registry values which says where data are stored and after move just change these data accordingly.

Next solution is to install your app in the virtual machine and copy whole VM. Looks like an overkill

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

---

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@gmail.com[SMTP:xxxxx@gmail.com]
Reply To: Windows System Software Devs Interest List
Sent: Friday, October 19, 2007 6:03 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] virtual disk 2 - Object Manager namespace

Hi everyone,

Earlier this week, I have asked a question regarding virtual disk and Michal answered me that I can use either subst or DefineDosDevice.

Let me try to explain what I am trying to do here just to give you little bit of background. Right now, I have a program that sort of checkpoint an application and I can move it to other machine and restart the app there.

As an initial step, it is working relatively but suppose I have a machine that has c: and d: drive and I move an app to new machine that has c: drive only. In this case, an app can fail if it expects any data from d:. Of course I save all the dependent files in certain fashion to differentiate data between from c: and d: drive.

Now, I can use either subst or DefineDosDevice to create d: drive but then this d: drive will then appear in other apps in the same machine.
In other words, I just want to have it display in my app only. I also have read that Object Manager deals with all the data regarding devices so I was just wondering if there is any calls that I can work with to show my app d: drive.

Or just an initial step, is there any way I can somehow directly store d: drive in Object namespace? I am sort of limited to use calls in NTDLL so this is another problem.
If I can at least know the function calls that I can use for query/set d: drive, I can perhaps just add d: drive and replace arguments.

Please let me know if I am making any sense. I will really appreciate any help/advice.

YEH

---

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

All of what follows is predicated on the assumption that your program
can be used to monitor any other program; that is, it’s not a specially
designed program. If this isn’t the case, then most of what follows
will not apply.

Unless I’m missing something, no matter what you use - subst, Object
Manager, et. c. - if you use standard resources - drive letters or
really anything that resolves to a system or session wide symbolic link

• you’re going to be SOL if whatever the application originally used
  happens to exists on the new machine, and it isn’t the same thing.
  Also, what are you doing about the data? That is, are you packing it up
  and taking it with you? Is this what the virtual disk is for? It
  doesn’t matter what you put under the application, as long as the
  application expects to read a certain file from, say, “C:\tmp\tst2,”
  then “c:\tmp\tst2” or a hard link to it must exist on the new machine,
  and if it already exists and isn’t the same, you’re screwed. A virtual
  disk doesn’t change this. It some cases it probably would be possible
  to exploit the separate local and global DOS namespaces to get around
  this, but not in generic way that would work for any resource.

Object Manager is ultimately involved in this whole mapping business,
but using it directly won’t help you get around this problem.

In order to do this, I think you need an additional level of abstraction
here, and you’ve got to essentially monitor all system resources that
the application uses: file system, registry, stack, context, et. c.
This is a tall order. This is essentially what VMM’s do with Live
Migration. Because you are confining yourself to applications only (not
drivers), your task is easier, but it is still a lot of work.

If I’m on the right track, let me know, and we’ll see how it goes, if
you still wish to proceed, but, assuming I am, one would have to have a
very good reason for doing this to make it worth the investment. One
very good reason is if this is for educational purposes.

mm

xxxxx@gmail.com wrote:

Hi everyone,

Earlier this week, I have asked a question regarding virtual disk and Michal answered me that I can use either subst or DefineDosDevice.

Let me try to explain what I am trying to do here just to give you little bit of background. Right now, I have a program that sort of checkpoint an application and I can move it to other machine and restart the app there.

As an initial step, it is working relatively but suppose I have a machine that has c: and d: drive and I move an app to new machine that has c: drive only. In this case, an app can fail if it expects any data from d:. Of course I save all the dependent files in certain fashion to differentiate data between from c: and d: drive.

Now, I can use either subst or DefineDosDevice to create d: drive but then this d: drive will then appear in other apps in the same machine.
In other words, I just want to have it display in my app only. I also have read that Object Manager deals with all the data regarding devices so I was just wondering if there is any calls that I can work with to show my app d: drive.

Or just an initial step, is there any way I can somehow directly store d: drive in Object namespace? I am sort of limited to use calls in NTDLL so this is another problem.
If I can at least know the function calls that I can use for query/set d: drive, I can perhaps just add d: drive and replace arguments.

Please let me know if I am making any sense. I will really appreciate any help/advice.

YEH

First of all, thank you for your valuable input.

I think that my title was misleading in that my goal is not to create a virtual disk but to have an app continue to run from checkpoint.
Yes, I gather all the data that the app is using including files, registries and so on. Therefore, an app is running from what I gathered from the old machine but this time it simply uses new cpu resources to run the apps. Of course, there are cases I may fail to gather all the data and in this case it searches files in the new machines.

Now, I also have written a program that intreacts at NTDLL level and I intercept system calls for necessary translations. I have been working on this for the last few months and althogh it is not perfect I can move an app from one machine to another depending on its depencies on certain resources.

As my intial experiment, I just used vmware to create windows and made a copy and did tests.
Then, I ran into the problem that I described regarding disks.

Suppose, I capture wordpad application and I created a file in d: drive. But after I move it to new machine. I could not see d: drive in file browser. But because I intercept other system calls, if I run wordapd with an argument, it works. i.e. wordpad d:\temp\hello.txt
This is so because I transalte a filename path to locate the actual file location.

So although there are still so many issues that I need to solve, my impending problem is to be able to display d: drive but I do not want it to display d: in other apps.
Yes, I can use runas as Michal suggested but this will eventually limit my capability so I wanted to know how to go about this. Thank you once again and I really appreciate any suggestion/advice.
If my description is not clear enough, please let me know.
Thank you.

YEH

One more question I forgot to ask!

Michal, you mentioned that Object Manager namespace is inivisible to all applications. Could you kindly tell me how to interact with it?
In other words, I just want to know if there is any call that I can intercept to translate for my purpose. Just like how I can translate filename path, if I can somehow translate arguments in the calls that interact with Object Manager namespace, I am good.
Again, my limitation is I can only translate calls at NTDLL level.

Thank you once again!

YEH

You need to get a copy of Nebbett’s “Windows NT/2000 Native API
Reference” if you’re going to go this route. It’s the closest thing to
documentation that there is, in addition to what you can generally
conclude about the similarity between the Native API and its kernel mode
counter part.

http://www.amazon.com/Windows-2000-Native-API-Reference/dp/1578701996

What is it you’re looking to translate in the object namespace other
that isn’t file system or registry (which have other interfaces)?

mm

xxxxx@gmail.com wrote:

One more question I forgot to ask!

Michal, you mentioned that Object Manager namespace is inivisible to all applications. Could you kindly tell me how to interact with it?
In other words, I just want to know if there is any call that I can intercept to translate for my purpose. Just like how I can translate filename path, if I can somehow translate arguments in the calls that interact with Object Manager namespace, I am good.
Again, my limitation is I can only translate calls at NTDLL level.

Thank you once again!

YEH

Thank you for your reply.

To be honest with you, it has been a lot of learning process as I make progress. So to your question, I do not know what I should translate.
But I was just hoping that if I get to know any calls that returns drive mapping information, I might be able to add/translate so that my app believes that there is a d: drive. Sorry for my ignorance. I only have Windows Internals and most of the time I have been referring to Reactos and winehq site. I will definately get Windows NT/2000 Native API Reference.

One final question, how can we access Object Manager’s namespace other than using WinObj?
Sorry for repeated question and thank you once again.

YEH

I mentioned it is *visible* to all applications.

Sorry, I don’t know where actual translation is made and I presume kernel. I mean there may not be any interaction with OM in user mode. Anyway, why don’t you just translate file names for your app at NTDLL level? This way you woudln’t need to bother with virtual drives at all.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

---

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@gmail.com[SMTP:xxxxx@gmail.com]
Reply To: Windows System Software Devs Interest List
Sent: Friday, October 19, 2007 8:27 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] virtual disk 2 - Object Manager namespace

One more question I forgot to ask!

Michal, you mentioned that Object Manager namespace is inivisible to all applications. Could you kindly tell me how to interact with it?
In other words, I just want to know if there is any call that I can intercept to translate for my purpose. Just like how I can translate filename path, if I can somehow translate arguments in the calls that interact with Object Manager namespace, I am good.
Again, my limitation is I can only translate calls at NTDLL level.

Thank you once again!

YEH

---

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Thank you, Michal.
I did not even know that I typed ‘invisible’. That is probably because it seems to be *invisible* to me.
Once again, thank you very much for your replies and I have learned a few things from your replies. Have a good one!

YEH

You should translate all file APIs which receive ObjectAtrtibutes parameter (which contains file name). NtCreateFile, NtOpenFile, NtDeleteFile for the beginning; take Nebbett’s book. File system filter is better and supported way how to do it (STATUS_REPARSE); I wrote one for this purpose and it is “relatively” simple (comparing to other FS filters; still not easy job).

Why do you want to access Object Manager namespace? You can’t do anything behind subst/DeviceDosDevice function. The limitation is in the way how drive letter mapping is used by OS and I don’t believe you can influence it. If you really want to have drive letter visible to your app only (and I don’t understand why), separate logon session is the only chance. It shouldn’t be limiting; it is like some other user logs on and starts the app.

As for accessing OM namespace, there are few native APIs. Get the Nebbetts’ book.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

---

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@gmail.com[SMTP:xxxxx@gmail.com]
Reply To: Windows System Software Devs Interest List
Sent: Friday, October 19, 2007 8:39 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] virtual disk 2 - Object Manager namespace

Thank you for your reply.

To be honest with you, it has been a lot of learning process as I make progress. So to your question, I do not know what I should translate.
But I was just hoping that if I get to know any calls that returns drive mapping information, I might be able to add/translate so that my app believes that there is a d: drive. Sorry for my ignorance. I only have Windows Internals and most of the time I have been referring to Reactos and winehq site. I will definately get Windows NT/2000 Native API Reference.

One final question, how can we access Object Manager’s namespace other than using WinObj?
Sorry for repeated question and thank you once again.

YEH

---

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

This best thing that I can recommend beyond Nebbett’s book, which is
superb, is to experiment with the windbg extensions that deal with
objects. The major one is !object, which dumps a bunch of information
about anything with an object header; the other is !obtrace which, in
conjunction with a change in the setting to NtGlobalFlags, allows you to
trace references to objects. Finally, take a close look at the WDK,
especially the Object routines in the IFS. Collectively, between the
regular WDK and the IFS part, there’s only a handful of routines
“documented,” a fair number of which just say “don’t use,” but the basic
system is there.

Good luck,

mm

xxxxx@gmail.com wrote:

Thank you for your reply.

To be honest with you, it has been a lot of learning process as I make progress. So to your question, I do not know what I should translate.
But I was just hoping that if I get to know any calls that returns drive mapping information, I might be able to add/translate so that my app believes that there is a d: drive. Sorry for my ignorance. I only have Windows Internals and most of the time I have been referring to Reactos and winehq site. I will definately get Windows NT/2000 Native API Reference.

One final question, how can we access Object Manager’s namespace other than using WinObj?
Sorry for repeated question and thank you once again.

YEH

For the time being, I wold advise you to forget about “Native API Reference” and all other books that cover advanced topics - it just does not make sense to learn advanced stuff at the time when you don’t seem to be familiar with Win32 API. Judging from your description of a problem, Win32 GetModuleFileName()/ GetSystemDirectory is all that you need here. Assuming that your app creates/accesses files only on a drive where its executable file is located and/or on the system drive (and, unless you target some particular machine(s) with known-in-advance configuration, it would be quite wise to take this approach), it can always get its own full path and the system path with respectively GetModuleFileName() and GetSystemDirectory(). At this point it can parse the path and modify it in such way that it points to a file your app is insterested in. This is all that you need here…

Anton Bassov

Thank you everyone for valuable input.

I have solved my problem and I would like to share it with everyone so that if anyone has the same issue in the future, they can have help just like I got help from others here.

To solve my problem, I wrote a program to call GetLogicalDrives() and then I intercepted NtQueryInformationProcess and printed out the value of DriveMap field.
The reason I did this is because when I disassembled kernel32 to see the path of GetLogicalDrives(), it calls NtQueryInformationProcess.

Then, I realized that I DriveMap field of PROCESS_DEVICEMAP_INFORMATION struct and the return value of GetLogicalDrive() are same.

For instance, if we have only C and D drive, it is 0xC(001100) and if we have C, D, and F drive, the value is 0x2C (101100).
As an example, for 0x2C we are getting bit mask as follows.
F E D C B A
1 0 1 1 0 0

So I hard-coded the value in NtQueryInformationProcess and I got the hard-coded value from my test program.
So when I moved the application from the other machine and open file browser from notepad application, I was able to view the drive that is not present in the new machine.

FYI, I am also intercepting many other NT calls including NtOpenFile and NtCreateFile. So simply put, I did not have to mess with Object Manager which I do not really know anything about.

So thank you everyone and have a good one!

YEH