How do I get the complete directory (including the drive letter) and file name from a handle?


  • I'm using the following code to obtain the file name from a handle, but it does not return the drive letter.

    How can I solve this?

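    /*
     * Query the name the file system reports for FileHandle and copy it into
     * the caller-supplied FileName buffer.
     *
     * FileHandle: an open file handle usable from the current context.
     * FileName:   the caller must set Buffer and MaximumLength (in bytes)
     *             before the call. On success Length is set to the name
     *             length in bytes; MaximumLength is never modified.
     *
     * Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER for a missing buffer,
     * STATUS_INSUFFICIENT_RESOURCES, STATUS_BUFFER_TOO_SMALL when the caller's
     * buffer cannot hold the name, or the failing status from
     * ZwQueryInformationFile. FileNameInformation yields the path relative to
     * the volume device; it carries no drive letter.
     */
    NTSTATUS FileHandleToUNICODE_STRING(IN	HANDLE FileHandle, OUT PUNICODE_STRING FileName) {
    
    	IO_STATUS_BLOCK			ioStatusBlock;
    	PFILE_NAME_INFORMATION	fniFileInfo;
    	ULONG					cbFileInfo;
    	NTSTATUS				status;
    
    	if (FileName == NULL || FileName->Buffer == NULL)
    	{
    		return STATUS_INVALID_PARAMETER;
    	}
    
    	/*
    	 * Room for MAX_PATH WCHARs of name (FILE_NAME_INFORMATION already holds
    	 * one). The previous "+ (MAX_PATH - 1)" added bytes, not WCHARs, so a
    	 * name of MAX_PATH characters did not fit.
    	 */
    	cbFileInfo = (ULONG)sizeof(FILE_NAME_INFORMATION) + MAX_PATH * sizeof(WCHAR);
    
    	fniFileInfo = (PFILE_NAME_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, cbFileInfo, 'TAG');
    
    	if (fniFileInfo == NULL)
    	{
    		DbgPrint(":Failed to allocate memory for fniFileInfo");
    
    		return STATUS_INSUFFICIENT_RESOURCES;
    	}
    
    	/* The status block is only read after the call returns; the stack suffices. */
    	status = ZwQueryInformationFile(FileHandle, &ioStatusBlock, fniFileInfo, cbFileInfo, FileNameInformation);
    
    	/* NT_SUCCESS also rejects warning statuses such as STATUS_BUFFER_OVERFLOW. */
    	if (!NT_SUCCESS(status))
    	{
    		DbgPrint("--.STATUS %x", status);
    
    		ExFreePoolWithTag(fniFileInfo, 'TAG');
    
    		return status;
    	}
    
    	/*
    	 * Bound the copy by the caller's buffer. Overwriting MaximumLength with
    	 * the returned length and then copying blindly, as before, wrote past
    	 * the end of any buffer shorter than the name.
    	 */
    	if (fniFileInfo->FileNameLength > FileName->MaximumLength)
    	{
    		DbgPrint(":FileName buffer too small, %lu bytes needed", fniFileInfo->FileNameLength);
    
    		ExFreePoolWithTag(fniFileInfo, 'TAG');
    
    		return STATUS_BUFFER_TOO_SMALL;
    	}
    
    	RtlCopyMemory(FileName->Buffer, fniFileInfo->FileName, fniFileInfo->FileNameLength);
    	/* Fits in USHORT: it was just checked against MaximumLength. */
    	FileName->Length = (USHORT)fniFileInfo->FileNameLength;
    
    	ExFreePoolWithTag(fniFileInfo, 'TAG');
    
    	return STATUS_SUCCESS;
    }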



Answers

  • What is the bugcheck? I would guess that it is because the Object parameter is supposed to be a pointer to a pointer. In other words, you don't have to allocate space for fileObject.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

  • The short answer is that the drive letter is a user-mode concept that kernel-mode components don't understand. You can get what you want by calling FltGetFileNameInformationUnsafe.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog


All replies

  • The short answer is that the drive letter is a user-mode concept that kernel-mode components don't understand. You can get what you want by calling FltGetFileNameInformationUnsafe.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

  • I'm trying the code below, but I get a BSOD in ObReferenceObjectByHandle. How do I fix it?

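    /*
     * Resolve the volume that FileHandle lives on to its DOS name (typically
     * a drive letter) and return it in FileName.
     *
     * FileHandle: an open file handle usable from the current context.
     * FileName:   on success IoVolumeDeviceToDosName has allocated
     *             FileName->Buffer from pool; the caller releases it with
     *             ExFreePool. Nothing is written on failure.
     *
     * Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER, or the failing status
     * from ObReferenceObjectByHandle or IoVolumeDeviceToDosName. Only the
     * volume's DOS name is produced; the file's path within the volume is not
     * appended.
     */
    NTSTATUS FileHandleToUNICODE_STRING(IN	HANDLE FileHandle, OUT PUNICODE_STRING FileName) {
    
    	PFILE_OBJECT        fileObject = NULL;
    	NTSTATUS            ntStatus;
    
    	if (FileName == NULL)
    	{
    		return STATUS_INVALID_PARAMETER;
    	}
    
    	/*
    	 * The Object argument is an out-parameter: the routine stores the
    	 * FILE_OBJECT pointer the handle already refers to. Allocating a
    	 * FILE_OBJECT here, as before, leaked that allocation and then freed
    	 * the kernel's object with ExFreePoolWithTag, which bugchecks.
    	 * Passing *IoFileObjectType rejects handles to any other object type,
    	 * so the cast to PFILE_OBJECT below cannot be a type confusion.
    	 * NOTE(review): if FileHandle originates from a user-mode caller, the
    	 * AccessMode should be UserMode so the handle is validated against the
    	 * caller's handle table — confirm where this handle comes from.
    	 */
    	ntStatus = ObReferenceObjectByHandle(FileHandle, GENERIC_ALL, *IoFileObjectType, KernelMode, (PVOID *)&fileObject, NULL);
    	
    	if (!NT_SUCCESS(ntStatus)) {
    
    		/* No reference was taken, so there is nothing to dereference. */
    		DbgPrint("Could not get fileobject from handle\n");
    
    		return ntStatus;
    	}
    
    	ntStatus = IoVolumeDeviceToDosName(fileObject->DeviceObject, FileName);
    
    	if (!NT_SUCCESS(ntStatus))
    	{
    		DbgPrint("IoVolumeDeviceToDosName() --. STATUS %x \n", ntStatus);
    	}
    
    	/* Balance the reference taken above on every path; never free the object. */
    	ObDereferenceObject(fileObject);
    
    	return ntStatus;
    }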

  • What is the bugcheck? I would guess that it is because the Object parameter is supposed to be a pointer to a pointer. In other words, you don't have to allocate space for fileObject.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog
