Any clue to (a) what’s the expected behavior for a file system when receiving this IOCTL, and (b) what is the struct that I need to cast the buffer in the IRP?
i have a windbg extension which decodes ioctls it could decode this
140410 to its proper file device FILEDEVICE bt did not know the name
so i tried to lookup but couldnt find any referance to the name i
looked inside your executable and observe that you have special cased
this name along with other 4 names so i was interested to know if
there is any public referance that you can point me to regarding the
name
the output of my windbg extension is as follows i added the name to my
list courtesy of this post but it would be great if there is any
reference to lean back to (winddk upto 7600 doesnt seem to have this
name )
0:000> .load decodeioctl
0:000> !decodeioctl 140410
IoControlCode 140410 is defined as undefined ioctl code
CTL_CODE(00000014 = FILE_DEVICE_NETWORK_FILE_SYSTEM , 00000104 , METHOD_BUFFERED
. FILE_ANY_ACCESS
0:000> !findioctl IOCTL_QUERY_REMOTE_SERVER_NAME
IOCTL_QUERY_REMOTE_SERVER_NAME is not a defined ioctl
0:000> !addioctl /?
!addioctl
- ioctlcode like 0xd3daf987 (base 16) - string Like IOCTL_SOME_FOO_BLAH - filedevicecode like 0xdead (base 16) - string Like FILE_DEVICE_DEAD add an Ioctl Description
0:000> !decodeioctl 140410 IoControlCode 140410 is defined as IOCTL_QUERY_REMOTE_SERVER_NAME CTL_CODE(00000014 = FILE_DEVICE_NETWORK_FILE_SYSTEM , 00000104 , METHOD_BUFFERED . FILE_ANY_ACCESS 0:000>
On 7/19/14, xxxxx@volny.cz wrote: >> @ladislav zezula do you have a referance to the name. > > Do you mean IOCTL_QUERY_REMOTE_SERVER_NAME? > > L. > > — > NTFSD is sponsored by OSR > > OSR is hiring!! Info at http://www.osr.com/careers > > For our schedule of debugging and file system seminars visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer >
Thanks everyone for the replies – still a mystery how a file system needs to respond to these two IOCTLs and what the request and response structs look like…
A file system wouldn’t normally see this - it would be sent from an SMB client to an SMB server. As for its format, I’d expect it would be fairly straight-forward to figure this out from looking at the return data (e.g., my guess is that it is either a counted string or a null terminated string, with the former more likely). This kind of query wouldn’t typically have any request data (since it is “hey, what’s your name?” there’s no REASON to send along additional information).
Have you tried issuing this IOCTL on an open SMB/CIFS file handle to see what happens?