*** Vista RTM *** Writing to raw disk sectors

Hi,

I have an application that is accessing the physical drive to read and write directly to the sectors.
Recently I’ve used the new Vista RTM, and unfortunately my application is not working anymore. I get a write access denied error when trying to write to sectors on the physical drive. I use CREATEFILE to get the handle to the physical drive (i.e. \\.\c:), then WRITEFILE to write directly to the sectors. I use SETFILEPOINTER to point to which sector I want to write. The WRITEFILE always fails with ERROR: 5 Access Denied.
I run the app in user mode, but I elevate my app to administrator level. The problem is still there.
I have found the following discussion in a blog by Joanna Rutkowska:
http://theinvisiblethings.blogspot.com/2006/10/vista-rc2-vs-pagefile-attack-and-some.html

It seems that the only solution if I want to WRITEFILE directly to raw sectors during normal Windows running in user mode is to write a KERNEL MODE DRIVER. As I’m not familiar with Windows driver development, I would like to know how I go about writing a KERNEL MODE DRIVER?
What I need to do is to write a simple KERNEL MODE DRIVER for WRITEFILE that will give me the alternative operation of the WRITEFILE API that fails in normal Windows running mode.
What do I need to develop a KERNEL MODE DRIVER, and how can I build it? What DDK/WDK will I need to use, and where can I find information that will point out where to start from?

Is there an alternative solution that someone knows about out there?
Please let me know of any suggestions or solutions, I’m completely lost…

Thank you,
Jim

Have you tried a service running under a system account? When this
particular controversy first came out, I had a customer who was accessing
raw disks through a service, they had no problem with RC2.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply


You need to run your program with “Run as administrator”.

You do not need a kernel mode driver. All that needs to happen is to run
the app as an administrator and of course log in to an account that can be
elevated to administrator. We have an API that uses SCSI and ATA pass
through to send all of the T-10 and T-13 commands to our drives for testing.
One app I have written uses that API to copy all LBAs from 0 to max LBA to
another disc. However, realize that indiscriminately writing raw LBAs can
easily clobber any mounted file system; nor have I been stupid enough to use
my boot disc as the target of this operation, nor will I, for rather obvious
reasons.

The personal opinion of
Gary G. Little


Vista RTM will block all raw writes (passthrough or WriteFile to the volume) that fall within a recognized partition.


> Vista RTM will block all raw writes (passthrough or WriteFile to the
> volume) that fall within a recognized partition.

Surely you jest. You are saying that if I open \.\D: for write access and
no sharing, that I can’t write to it anymore?

If that’s not the case, please define what you mean by “all”.

- Dan.


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

If you are able to open the handle that way, it should work. You won’t be able to if the disk has a pagefile or other open files. The intent of blocking write access is to address the issue raised by Joanna (see Jim’s posting below) - even if she disagrees with the mechanics of it.

-----Original Message-----
From: Dan Kyler [mailto:xxxxx@privtek.com]
Sent: Sunday, November 26, 2006 8:16 AM
Subject: RE: *** Vista RTM *** Writing to raw disk sectors

Vista RTM will block all raw writes (passthrough or WriteFile to the
volume) that fall within a recognized partition.

Surely you jest. You are saying that if I open \.\D: for write access and
no sharing, that I can’t write to it anymore?

If that’s not the case, please define what you mean by “all”.

  • Dan.


Thank you all for your replies.
I’m running the application from a user account and elevating it to administrator. Still, though, I get Error 5: Access Denied when I use WRITEFILE. I open “\\.\c:” for write access but in sharing mode.

To Gary Little: your solution using the API that uses SCSI and ATA pass through, is it possible to use it under Vista when working on the system volume that already has files open, during normal running of Windows? And if so, are there any examples of how to write this kind of API?
Are there any other calls I can use instead of WRITEFILE?

Thank you,
Jim

Granted, I’m using drives that are unallocated by Disk Manager, but I have
not seen what you described, Jeff. I have copied LBA 0 to max LBA from an
NTFS drive to an unmounted drive and still have not encountered this.
Granted, neither drive was a boot drive, however, and the task itself
specifically only uses SCSI drives.

I’d be interested in more information on this “recognized partition”,
however. Or were your comments describing a Vista fail-safe that will prevent
you from shooting yourself in the foot?


The personal opinion of
Gary G. Little

“Jeff Goldner” wrote in message
news:xxxxx@ntdev…
Vista RTM will block all raw writes (passthrough or WriteFile to the volume)
that fall within a recognized partition.


Technically we (Seagate) use the SetupDiXXX API to scan for the controllers
and attached devices, acquire the “real” name of the device and then open
that. From there we use pass through to send raw CDB or TFR commands to the
device or drive. From what Jeff has said, I think our success hinges on the
fact that we are NOT using a system drive, or even a drive with a mounted
file system and open files. That will most likely fail the open of the
handle to the drive, which is fine… since anything that keeps me from
clobbering my boot drive is appreciated.

As a side note — the minimum OS needed to do this is XP SP2 or Vista and
the 3790.1830 DDK (haven’t used the WDK… yet). It does appear that Vista
has fixed some of the ATA pass through issues with reading multiple sectors
using PIO.


The personal opinion of
Gary G. Little


Yup. If there are no mounted file systems, no problem. Otherwise, writes are blocked if the write would occur (not from the FS - via a passthrough to the device itself) within a recognized partition unless you can either lock the volume (FSCTL_LOCK_VOLUME) or if that fails force dismount (FSCTL_DISMOUNT_VOLUME). So in Gary’s example, the volume IS RAW so not mounted. In theory, omitting SHARE_WRITE could work on the off chance that no one else was touching the volume - but you have a lot of other nosy services perusing your disks these days.

However, you shouldn’t expect this to protect you completely. It’s intended to protect against the type of attack presented by Blue Pill (compromise a running system) and not intended to prevent data corruption/destruction. And the boot sector does not fall within a partition, so…
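The lock-then-write sequence Jeff describes, as an added example that is not code from anyone in this thread: a portable check that classifies a raw write target against the MBR partition table (so you know ahead of time whether the write lands inside a recognized partition, or on LBA 0, which is outside any partition), and, under _WIN32 only, the FSCTL_LOCK_VOLUME / FSCTL_DISMOUNT_VOLUME sequence before WriteFile. The volume name "\\.\D:" and the single NTFS partition in the sample MBR are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE      512
#define MBR_TABLE_OFFSET 446   /* first of the four 16-byte partition entries */
#define MBR_ENTRY_SIZE   16

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* 1-based index of the MBR primary partition overlapping any sector of
 * [lba, lba + count), or 0 when the range lies outside all four entries.
 * LBA 0 (the MBR itself) is always outside, matching Jeff's remark that the
 * boot sector is not in a partition. A non-zero result is a range Vista RTM
 * refuses to write raw unless the volume is locked or dismounted first. */
int mbr_partition_for_range(const uint8_t mbr[SECTOR_SIZE], uint64_t lba, uint32_t count) {
    if (mbr[510] != 0x55 || mbr[511] != 0xAA) return 0;  /* no signature: no table */
    uint64_t end = lba + count;                           /* exclusive */
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + MBR_TABLE_OFFSET + i * MBR_ENTRY_SIZE;
        uint64_t start = get_le32(e + 8), size = get_le32(e + 12);
        if (e[4] == 0 || size == 0) continue;             /* empty slot */
        if (lba < start + size && end > start) return i + 1;
    }
    return 0;
}

/* WriteFile on a volume or physical-drive handle only accepts whole sectors
 * at a sector-aligned offset; anything else fails before policy is consulted. */
int raw_write_is_aligned(uint64_t byte_offset, size_t length) {
    return length > 0 && byte_offset % SECTOR_SIZE == 0 && length % SECTOR_SIZE == 0;
}

/* Constructed sample: one NTFS (type 0x07) partition at LBA 2048, 1,000,000 sectors. */
int sample_partition_for_range(uint64_t lba, uint32_t count) {
    uint8_t mbr[SECTOR_SIZE];
    memset(mbr, 0, sizeof mbr);
    uint8_t *e = mbr + MBR_TABLE_OFFSET;
    e[0] = 0x80;                 /* active */
    e[4] = 0x07;                 /* NTFS */
    put_le32(e + 8, 2048);       /* starting LBA */
    put_le32(e + 12, 1000000);   /* sector count */
    mbr[510] = 0x55; mbr[511] = 0xAA;
    return mbr_partition_for_range(mbr, lba, count);
}

#ifdef _WIN32
#include <windows.h>
#include <winioctl.h>
/* The sequence from the thread: open the volume (e.g. L"\\\\.\\D:", a hypothetical
 * target), lock it, fall back to forcing a dismount, then write one aligned run of
 * sectors. Returns 0 on success, else the Win32 error code. On the boot volume the
 * lock and the dismount both fail because of the pagefile and other open files,
 * which is the ERROR_ACCESS_DENIED Jim reports. */
DWORD write_raw_sectors(const wchar_t *volume, uint64_t byte_offset, const void *buf, DWORD len) {
    if (!raw_write_is_aligned(byte_offset, len)) return ERROR_INVALID_PARAMETER;
    HANDLE h = CreateFileW(volume, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return GetLastError();
    DWORD bytes = 0, err = 0;
    if (!DeviceIoControl(h, FSCTL_LOCK_VOLUME, NULL, 0, NULL, 0, &bytes, NULL) &&
        !DeviceIoControl(h, FSCTL_DISMOUNT_VOLUME, NULL, 0, NULL, 0, &bytes, NULL)) {
        err = GetLastError(); CloseHandle(h); return err;
    }
    LARGE_INTEGER pos; pos.QuadPart = (LONGLONG)byte_offset;
    if (!SetFilePointerEx(h, pos, NULL, FILE_BEGIN) || !WriteFile(h, buf, len, &bytes, NULL))
        err = GetLastError();
    else if (bytes != len)
        err = ERROR_WRITE_FAULT;
    DeviceIoControl(h, FSCTL_UNLOCK_VOLUME, NULL, 0, NULL, 0, &bytes, NULL);
    CloseHandle(h);
    return err;
}
#endif
```

The partition check reads the table from a sector you have already read; on a real disk read LBA 0 first, and remember that GPT disks carry only a protective MBR entry, so the check is for the MBR layout this thread is about.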
