A $MFD Reader
-
Wednesday, March 28, 2012 9:06 AM
"OBJ_KERNEL_HANDLE attribute for ObjectAttributes."
I'm building an MFD reader and running into a protection problem.
How do I do this in VB, as a fix for this:
fOk = NtCreateFile(hFile, 0, ObjAttributes, IoStatusBlock, 0, 0, _
    FILE_SHARE_READ Or FILE_SHARE_WRITE, _
    FILE_OPEN, FILE_OPEN_BY_FILE_ID Or FILE_OPEN_FOR_BACKUP_INTENT, 0, 0)
which is currently seeing an 'access denied' here. The process is trying to read the directory FID and failing.
Renee
"MODERN PROGRAMMING is deficient in elementary ways BECAUSE of problems INTRODUCED by MODERN PROGRAMMING." Me
- Edited by Renee Culver Wednesday, March 28, 2012 10:14 AM
- Moved by Jesse Jiang (Microsoft Contingent Staff) Thursday, March 29, 2012 3:02 AM (From: Visual C++ General)
All Replies
-
Wednesday, March 28, 2012 10:06 AM
I've just done a check. The process runs fine on XP 32 bits. This has to be a WIN7 access problem.
What I'm asking is how to fix it in VB. I came here because the problem occurs in Win7 on the NtCreateFile as an access problem on C routines. I'm hoping you know.
Renee
- Edited by Renee Culver Wednesday, March 28, 2012 10:07 AM
-
Thursday, March 29, 2012 3:01 AM
Hi Renee,
I think your issue should be raised in the Windows WDK and Driver Development Forum. I believe they will know more about this issue than we do, and I will move this one to that forum.
Thanks for your understanding,
Best regards,
Jesse
Jesse Jiang [MSFT]
MSDN Community Support | Feedback to us
-
Thursday, March 29, 2012 4:18 AM Owner
Why are you not calling CreateFile? Using NtCreateFile puts you at the mercy of any behavior or contract change. I am guessing this doesn't work because your app is not running elevated (as admin is not enough). NtCreateFile is no less or more secure than CreateFile, by the way; the underlying access checks are done in the kernel no matter what user mode API you call.
d -- This posting is provided "AS IS" with no warranties, and confers no rights.
-
Thursday, March 29, 2012 4:41 AM
The answer is that I am calling CreateFile...just not in the routine that I showed. The routine that I show is the one getting the exception and the one that's failing. As far as I know, the CreateFile routine is working fine.
Yes, I understand privileges and I understand that admin is not enough. I think I need to call it with "OBJ_KERNEL_HANDLE attribute for ObjectAttributes."
I'll post the code or most of it....
Renee
- Edited by Renee Culver Thursday, March 29, 2012 4:54 AM
-
Thursday, March 29, 2012 4:45 AM
Imports System.Runtime.InteropServices
Public Class EnumMFT
    Private Const INVALID_HANDLE_VALUE = (-1)
    Private Const GENERIC_READ = &H80000000
    Private Const FILE_SHARE_READ = &H1
    Private Const FILE_SHARE_WRITE = &H2
    Private Const OPEN_EXISTING = 3
    Private Const FILE_READ_ATTRIBUTES = &H80
    Private Const FileNameInformationClass = 9
    Private Const FILE_FLAG_BACKUP_SEMANTICS = &H2000000
    Private Const FILE_OPEN_FOR_BACKUP_INTENT = &H4000
    Private Const FILE_OPEN_BY_FILE_ID = &H2000
    Private Const FILE_OPEN = &H1
    Private Const OBJ_CASE_INSENSITIVE = &H40
    Private Const FSCTL_ENUM_USN_DATA = &H900B3
    Dim Files As UInt32
    Dim Directories As UInt32
    <StructLayout(LayoutKind.Sequential)> _
    Private Structure MFT_ENUM_DATA
        Dim StartFileReferenceNumber As Long
        Dim LowUsn As Long
        Dim HighUsn As Long
    End Structure
    <StructLayout(LayoutKind.Sequential)> _
    Private Structure USN_RECORD
        Dim RecordLength As Integer
        Dim MajorVersion As Short
        Dim MinorVersion As Short
        Dim FileReferenceNumber As Long
        Dim ParentFileReferenceNumber As Long
        Dim Usn As Long
        Dim TimeStamp As Long
        Dim Reason As Integer
        Dim SourceInfo As Integer
        Dim SecurityId As Integer
        Dim FileAttributes As Integer
        Dim FileNameLength As Short
        Dim FileNameOffset As Short
    End Structure
    <StructLayout(LayoutKind.Sequential)> _
    Private Structure IO_STATUS_BLOCK
        Dim Status As Integer
        Dim Information As Integer
    End Structure
    <StructLayout(LayoutKind.Sequential)> _
    Private Structure UNICODE_STRING
        Dim Length As Short
        Dim MaximumLength As Short
        Dim Buffer As IntPtr
    End Structure
    <StructLayout(LayoutKind.Sequential)> _
    Private Structure OBJECT_ATTRIBUTES
        Dim Length As Integer
        Dim RootDirectory As IntPtr
        Dim ObjectName As IntPtr
        Dim Attributes As Integer
        Dim SecurityDescriptor As Integer
        Dim SecurityQualityOfService As Integer
    End Structure
    '// MFT_ENUM_DATA
    <DllImport("kernel32.dll", ExactSpelling:=True, SetLastError:=True, CharSet:=CharSet.Auto)> _
    Private Shared Function DeviceIoControl(ByVal hDevice As IntPtr, ByVal dwIoControlCode As Integer, ByRef lpInBuffer As MFT_ENUM_DATA, ByVal nInBufferSize As Integer, ByVal lpOutBuffer As IntPtr, ByVal nOutBufferSize As Integer, ByRef lpBytesReturned As Integer, ByVal lpOverlapped As IntPtr) As Boolean
    End Function
    <DllImport("kernel32.dll", SetLastError:=True, CharSet:=CharSet.Auto)> _
    Private Shared Function CreateFile(ByVal lpFileName As String, ByVal dwDesiredAccess As Integer, ByVal dwShareMode As Integer, ByVal lpSecurityAttributes As IntPtr, ByVal dwCreationDisposition As Integer, ByVal dwFlagsAndAttributes As Integer, ByVal hTemplateFile As IntPtr) As IntPtr
    End Function
    <DllImport("kernel32.dll", ExactSpelling:=True, SetLastError:=True, CharSet:=CharSet.Auto)> _
    Private Shared Function CloseHandle(ByVal lpObject As IntPtr) As Int32
    End Function
    <DllImport("ntdll.dll", ExactSpelling:=True, SetLastError:=True, CharSet:=CharSet.Auto)> _
    Private Shared Function NtCreateFile(ByRef FileHandle As IntPtr, ByVal DesiredAccess As Integer, ByRef ObjectAttributes As OBJECT_ATTRIBUTES, ByRef IoStatusBlock As IO_STATUS_BLOCK, ByVal AllocationSize As Integer, ByVal FileAttribs As Integer, ByVal SharedAccess As Integer, ByVal CreationDisposition As Integer, ByVal CreateOptions As Integer, ByVal EaBuffer As Integer, ByVal EaLength As Integer) As Integer
    End Function
    <DllImport("ntdll.dll", ExactSpelling:=True, SetLastError:=True, CharSet:=CharSet.Auto)> _
    Private Shared Function NtQueryInformationFile(ByVal FileHandle As IntPtr, ByRef IoStatusBlock As IO_STATUS_BLOCK, ByVal FileInformation As IntPtr, ByVal Length As Integer, ByVal FileInformationClass As Integer) As Integer
    End Function
    Private m_hCJ As IntPtr
    Private m_Buffer As IntPtr
    Private m_BufferSize As Integer
    Private m_DriveLetter As String
    Private Function OpenVolume(ByVal szDriveLetter As String) As IntPtr
        Dim hCJ As IntPtr '// volume handle
        m_DriveLetter = szDriveLetter
        hCJ = CreateFile("\\.\" & szDriveLetter, GENERIC_READ, _
            FILE_SHARE_READ Or FILE_SHARE_WRITE, IntPtr.Zero, OPEN_EXISTING, 0, 0)
        Return hCJ
    End Function
    Private Sub Cleanup()
        If m_hCJ <> 0 Then
            ' Close the volume handle.
            CloseHandle(m_hCJ)
            m_hCJ = INVALID_HANDLE_VALUE
        End If
        If m_Buffer <> 0 Then
            ' Free the allocated memory
            Marshal.FreeHGlobal(m_Buffer)
            m_Buffer = IntPtr.Zero
        End If
    End Sub
    Public Sub FindAllFiles(ByVal szDriveLetter As String)
        Dim usnRecord As USN_RECORD
        Dim mft As MFT_ENUM_DATA
        Dim dwRetBytes As Integer
        Dim cb As Integer
        ' This shouldn't be called more than once.
        If m_Buffer.ToInt32 <> 0 Then
            Console.WriteLine("invalid buffer")
            Exit Sub
        End If
        ' Assign buffer size
        m_BufferSize = 65536 '64KB
        ' Allocate a buffer to use for reading records.
        m_Buffer = Marshal.AllocHGlobal(m_BufferSize)
        ' Open the volume handle
        m_hCJ = OpenVolume(szDriveLetter)
        ' Check if the volume handle is valid.
        If m_hCJ = INVALID_HANDLE_VALUE Then
            Console.WriteLine("Couldn't open handle to the volume.")
            Cleanup()
            Exit Sub
        End If
        mft.StartFileReferenceNumber = 0
        mft.LowUsn = 0
        mft.HighUsn = Long.MaxValue
        Do
            If DeviceIoControl(m_hCJ, FSCTL_ENUM_USN_DATA, mft, Marshal.SizeOf(mft), m_Buffer, m_BufferSize, dwRetBytes, IntPtr.Zero) Then
                cb = dwRetBytes
                ' Pointer to the first record
                Dim pUsnRecord As New IntPtr(m_Buffer.ToInt32() + 8)
                While (dwRetBytes > 8)
                    ' Copy pointer to USN_RECORD structure.
                    usnRecord = Marshal.PtrToStructure(pUsnRecord, usnRecord.GetType)
                    ' The filename within the USN_RECORD.
                    Dim FileName As String = Marshal.PtrToStringUni(New IntPtr(pUsnRecord.ToInt32() + usnRecord.FileNameOffset), _
                        usnRecord.FileNameLength / 2)
                    If usnRecord.FileAttributes And vbDirectory Then
                        Dim dirPath As String = PathFromFrn(usnRecord.ParentFileReferenceNumber)
                        'If dirPath = "" Then Debugger.Break()
                        ' directory
                        Directories += 1
                        Console.WriteLine("Directory {0} ", szDriveLetter & dirPath)
                    Else
                        ' files
                        Files += 1
                        Dim filePath As String = PathFromFrn(usnRecord.ParentFileReferenceNumber) & "\" & FileName
                        Console.WriteLine("File {0} ", szDriveLetter & filePath)
                    End If
                    ' Pointer to the next record in the buffer.
                    pUsnRecord = New IntPtr(pUsnRecord.ToInt32() + usnRecord.RecordLength)
                    dwRetBytes -= usnRecord.RecordLength
                End While
                ' The first 8 bytes is always the start of the next USN.
                mft.StartFileReferenceNumber = Marshal.ReadInt64(m_Buffer, 0)
            Else
                Exit Do
            End If ' DeviceIoControl)
        Loop Until cb <= 8
        '// cleanup
        Cleanup()
        Console.WriteLine()
        Console.WriteLine("Files: {0} Directories: {1}", Files, Directories)
    End Sub
-
Thursday, March 29, 2012 4:48 AM
    Private Function PathFromFrn(ByVal Id As Long) As String
        Dim fOk As Integer
        Dim FileName As String = String.Empty
        Dim UnicodeString As UNICODE_STRING
        Dim ObjAttributes As OBJECT_ATTRIBUTES
        Dim IoStatusBlock As IO_STATUS_BLOCK
        Dim hFile As IntPtr ' out handle
        Dim Buffer As IntPtr = Marshal.AllocHGlobal(4096) ' Raw buffer
        Dim Refptr As IntPtr = Marshal.AllocHGlobal(8) ' 8 byte FileID - allocate 8 bytes of unmanaged memory
        Dim ObjAtt As IntPtr = Marshal.AllocHGlobal(Marshal.SizeOf(ObjAttributes)) 'pointer to the unicode string struct
        Static i As UInt32 : i += 1 ' If i = 100 Then Debugger.Break()
        ' pointer>>fileid
        Marshal.WriteInt64(Refptr, 0, Id)
        ' 8 byte file id
        UnicodeString.Length = 8
        UnicodeString.MaximumLength = 8
        UnicodeString.Buffer = Refptr
        ' copy unicode structure to pointer
        Marshal.StructureToPtr(UnicodeString, ObjAtt, True)
        ' InitializeObjectAttributes Macro
        ObjAttributes.Length = Marshal.SizeOf(ObjAttributes)
        ObjAttributes.ObjectName = ObjAtt ' Or OBJ_KERNEL_HANDLE
        ObjAttributes.RootDirectory = m_hCJ
        ObjAttributes.Attributes = OBJ_CASE_INSENSITIVE
        fOk = NtCreateFile(hFile, 0, ObjAttributes, IoStatusBlock, 0, 0, _
            FILE_SHARE_READ Or FILE_SHARE_WRITE, _
            FILE_OPEN, FILE_OPEN_BY_FILE_ID Or FILE_OPEN_FOR_BACKUP_INTENT, 0, 0)
        ' If Not fOk Then Debugger.Break()
        ' NtCreateFile returns an NTSTATUS, not a handle: 0 (STATUS_SUCCESS) means hFile is valid.
        If fOk = 0 Then
            fOk = NtQueryInformationFile(hFile, IoStatusBlock, Buffer, 4096, FileNameInformationClass)
            If fOk = 0 Then
                ' The first 4 bytes is the length
                Dim FileLength As Integer = Marshal.ReadInt32(Buffer, 0)
                ' The filename is just after the first 4 bytes.
                FileName = Marshal.PtrToStringUni(New IntPtr(Buffer.ToInt32() + 4), FileLength / 2)
            End If
            ' close the handle only when the open succeeded
            CloseHandle(hFile)
        End If
        ' free allocated memory
        Marshal.FreeHGlobal(Buffer)
        Marshal.FreeHGlobal(ObjAtt)
        Marshal.FreeHGlobal(Refptr)
        Return FileName
    End Function
End Class
That's it.
Renee
-
Thursday, March 29, 2012 4:57 AM
I think I need to call it with "OBJ_KERNEL_HANDLE attribute for ObjectAttributes." My question is where is this defined and how do I OR it into the attributes in VB?
Renee
-
Thursday, March 29, 2012 5:02 AM
Found it!!!!
-
Thursday, March 29, 2012 5:14 AM Owner
What are you really trying to do? Why are you calling a bunch of undocumented APIs? Why in VB of all languages?
OBJ_KERNEL_HANDLE is only valid for kernel mode callers; all it does is make the handle created by Zw/NtCreateFile exist in the system process handle table instead of the calling process handle table. There is nothing magical about it that will make your code work.
d -- This posting is provided "AS IS" with no warranties, and confers no rights.
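The advice above to stay on documented calls also covers the open-by-ID step. The following is an added example, not code from this thread or from Microsoft: it uses the documented kernel32 functions OpenFileById and GetFinalPathNameByHandle (Windows Vista and later) in place of NtCreateFile with FILE_OPEN_BY_FILE_ID. The module name FileIdPath and the function PathFromFileId are assumptions, and the same kernel access checks apply, so an access-denied result is reported to the caller.

```vb
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Text
Imports Microsoft.Win32.SafeHandles

' Added example, not code from the thread. Module and function names are hypothetical.
Public Module FileIdPath
    Private Const FILE_SHARE_ALL As Integer = &H7                    ' read Or write Or delete
    Private Const FILE_FLAG_BACKUP_SEMANTICS As Integer = &H2000000  ' required to open directories
    Private Const ERROR_ACCESS_DENIED As Integer = 5

    ' FILE_ID_DESCRIPTOR: dwSize, Type (0 = FileIdType), then a 16-byte union
    ' whose first 8 bytes hold the 64-bit file reference number.
    <StructLayout(LayoutKind.Sequential)> _
    Private Structure FILE_ID_DESCRIPTOR
        Dim dwSize As Integer
        Dim IdType As Integer
        Dim FileId As Long
        Dim UnionPad As Long
    End Structure

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function OpenFileById(ByVal hVolumeHint As IntPtr, ByRef lpFileId As FILE_ID_DESCRIPTOR, _
            ByVal dwDesiredAccess As Integer, ByVal dwShareMode As Integer, _
            ByVal lpSecurityAttributes As IntPtr, ByVal dwFlagsAndAttributes As Integer) As SafeFileHandle
    End Function

    <DllImport("kernel32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Function GetFinalPathNameByHandle(ByVal hFile As SafeFileHandle, ByVal lpszFilePath As StringBuilder, _
            ByVal cchFilePath As Integer, ByVal dwFlags As Integer) As Integer
    End Function

    ' hVolume: a volume handle from CreateFile("\\.\C:", ...), as OpenVolume in the thread returns.
    ' Returns the "\\?\"-prefixed path, or Nothing when the access check refuses the open.
    Public Function PathFromFileId(ByVal hVolume As IntPtr, ByVal fileId As Long) As String
        Dim desc As FILE_ID_DESCRIPTOR
        desc.dwSize = Marshal.SizeOf(GetType(FILE_ID_DESCRIPTOR))   ' 24 bytes
        desc.IdType = 0
        desc.FileId = fileId
        Using h As SafeFileHandle = OpenFileById(hVolume, desc, 0, FILE_SHARE_ALL, IntPtr.Zero, FILE_FLAG_BACKUP_SEMANTICS)
            If h.IsInvalid Then
                Dim lastError As Integer = Marshal.GetLastWin32Error()
                If lastError = ERROR_ACCESS_DENIED Then Return Nothing  ' refused by the kernel access check
                Throw New Win32Exception(lastError)
            End If
            Dim sb As New StringBuilder(512)
            Dim n As Integer = GetFinalPathNameByHandle(h, sb, sb.Capacity, 0)
            If n >= sb.Capacity Then             ' buffer too small: n is the required size
                sb.Capacity = n + 1
                n = GetFinalPathNameByHandle(h, sb, sb.Capacity, 0)
            End If
            If n = 0 Then Throw New Win32Exception(Marshal.GetLastWin32Error())
            Return sb.ToString()
        End Using
    End Function
End Module
```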
-
Thursday, March 29, 2012 5:49 AM
Well you asked so I'll tell you....
I simply am trying to list the real files, the ones that have not been deleted in the MFT. I am writing a utility. AND I am using VB because that and some form of C is all MS makes and hey...I'm from Digital and I think C of any kind is a crime against nature so by process of elimination I use VB.
Does that answer your question? The APIs are quite documented.
Renee
- Edited by Renee Culver Thursday, March 29, 2012 5:53 AM
-
Thursday, March 29, 2012 10:56 AM
Just because you did not like the answer from the previous thread you started on this, http://social.msdn.microsoft.com/Forums/en-US/wdk/thread/da27841f-3076-465a-b1b1-78e351975136, why do you think you will get a different answer? For that matter, given your attitude about breaking Windows security, why do you think you will get help at all?
Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr
-
Thursday, March 29, 2012 11:40 AM
There are lots of loaded questions asked here.
My thread was moved here by a moderator. How do you know what I thought?
I have a utility now that will do this not using file I/O.
Now I come from a different operating system, one done by professionals. Not one intended to make as much money as possible. Along with being an OS developer I used to write drivers professionally, although not in C but assembler. Perhaps you are correct but I'll tell you one thing: we didn't write operating systems that would break an application as was done here.
I am currently writing a driver to do this, although I don't know C.
With that I'll leave you, for I find you to be presumptuous as well as finding Windows to be a bad joke.
Renee
- Edited by Renee Culver Thursday, March 29, 2012 11:56 AM
-
Thursday, March 29, 2012 1:33 PM
You must be extremely lucky to not encounter changes in the OS that impacted some applications. I've worked in systems programming, including operating systems and compilers, for the last 40 years, and not a single one of the close to 100 OSes or OS variants I have encountered in that time has not had changes that impacted something.
Conditions change for OSes. In this case the Windows team realized they had a security hole that needed to be fixed. Yes, it broke a small number of applications when they did it around 5 years ago, but the good of improving security was weighed against the cost to a limited number of applications and found acceptable.
Windows is done by professionals. I have been very impressed by the OS and WDK developers from Microsoft I have met over the last 18 years. I have managed teams in the system programming world, and every Microsoft OS or WDK developer I have met, I would have considered hiring back when I was a manager.
Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr
-
Thursday, March 29, 2012 2:03 PM
Donald, luck had nothing to do with it: our operating systems were designed to minimize impact. Of course things were impacted, just not any applications that I had anything to do with. There is a caveat though. That was that I cared about OSes and not applications.
You know, I'm an honest woman and I've never written a virus or worm or seen any reason for "security" as we know it today, although we were quite secure.
I do not consider Windows people professionals for many reasons; one reason is that Windows is written in C. I think that's the beginning of a language. On the other hand, C is quite fast and quite a performer, which is more than I can say for managed code.
C - I could talk on that for quite a while on what it does NOT have for people who write operating systems.
Renee
- Edited by Renee Culver Thursday, March 29, 2012 2:12 PM
-
Thursday, March 29, 2012 2:57 PM
Hello Renee,
Obviously it is not your guilt that the admin moved your thread in here. This happens. (often it's my guilt). But please notice that you are now in the kernel forum, posting VB code here is like, er, c++ in a VB forum. Not quite welcome.
As Doron wrote - trying OBJ_KERNEL_HANDLE outside of kernel has no sense at all, and only paints you as hopeless userlander. Please, let's stop the ego wars. If there still is a technical question to solve, please re-sync.
Regards,
-- pa
- Edited by Pavel A Thursday, March 29, 2012 2:58 PM
-
Thursday, March 29, 2012 3:30 PM
I think Pavel meant "fault" not "guilt". But he is correct, you are trying to use a kernel object, OBJ_KERNEL_HANDLE and the associated object attributes structure, in a user application, and not only that, but trying to PINVOKE/marshal all of that inappropriate usage into a VB user application. Have you looked at the file system internals book by Russinovich and Solomon? You might get some valuable insight from that text, and I believe it is available at OsrOnline.com.
Gary G. Little NanoTelesis Systems, LLC
-
Thursday, March 29, 2012 3:46 PM
David Solomon and Dave Cutler worked at the same place I did and I knew them both in Spitbrook and Dave in Seattle and Spitbrook. And I have a copy of Russinovich right here. Not much technical meat in there.
And if you'll take a look at what I said, I noted that pinvoke is slow. Actually I find that Windows is a patchwork.
Renee
- Edited by Renee Culver Thursday, March 29, 2012 3:49 PM
-
Thursday, March 29, 2012 7:01 PM
Oh. Are we in Jurassic park or what? :~/
But right, patchwork is the good definition for it. The new Win8 "metro" screen certainly looks like patchwork! :)
-- pa
-
Thursday, March 29, 2012 7:07 PM
:)
Pavel, I can't help that the industry sold out to people who are not competent.
Renee


