Re: [ntfsd] Re: [ntfsd] get sharemode of file handle opened in another process

Your project is impossible from UM. In KM, you don’t need to care about the sharing - your file system filter will simply allow you a backdoor to read data. Your biggest problems will be memory mapped files and cache coherency given that you have no obvious way of synchronizing an arbitrary write pattern with your read access. Assuming you are replicating, backing up or virus scanning, you are okay - as you can coalesce operations or your need is probabilistic.

Sent from Surface Pro

From: Arun M. Krishnakumar
Sent: Tuesday, October 28, 2014 10:37 PM
To: Windows File Systems Devs Interest List

I am working on a project where I need to have read access to all files on the system to which I have privileges as per ACL.

There are some files that are opened in exclusive mode by services that start early at boot. I don’t have control over the processes and I have not opened the handle.

I know that one way to get this access is to do a CreateFile. I wanted to know if there was another way.

In any case I have been able to work using CreateFile and it doesn’t seem to be too time-intensive.

Thanks,

On Mon, Oct 27, 2014 at 3:29 PM, Marion Bond wrote:

What do you want this for? If you opened the handle, you should know what sharing you specified. If this handle was passed to you, then sharing will have been dealt with by them.

Sent from Surface Pro

From: Arun M. Krishnakumar
Sent: Sunday, October 26, 2014 10:38 PM
To: Windows File Systems Devs Interest List

I know that it is possible to get the ShareMode from the FILE_OBJECT in a mini-filter. But I am unable to know this from user-mode. There is an object address that I get as part of each entry returned by NtQuerySystemInformation but I cannot access that memory area.

Is there any other way?

Thanks,

Arun

On Sun, Oct 26, 2014 at 1:51 AM, Arun M. Krishnakumar wrote:

Hi,

(This is a user-land API question. I hope it’s okay to ask here as it’s windows and FS related. Kindly help me redirect this in case this is the wrong forum.)

I have a case where I need to determine in user-mode the share-mode of a file handle opened by another process, mainly to determine if the file is opened exclusively (sharemode = 0). I do the following:

1. Set Debug Privilege

2. NtQuerySystemInformation

3. OpenProcess

4. NtDuplicateObject (process, handle)

5. NtQueryObject(duplicate-handle, ObjectBasicInformation)

The issue is that the Object Attributes returned by the NtQueryObject is always zero. I was hoping that there would be an OBJ_EXCLUSIVE indicating that the open is exclusive. Is this a valid assumption for this problem?

Is there some other way I can get the shared-mode, other than (attempting to open the file as that would be slower)?

P.S.: The calls above have worked with no errors. I can also get the file path etc from other similar calls. I’m stuck only at the share-mode.

Thanks,

— NTFSD is sponsored by OSR OSR is hiring!! Info at http://www.osr.com/careers For our schedule of debugging and file system seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
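Added example, not part of any message in this thread: a sketch of the CreateFile probe mentioned above, which infers the share flags withheld by existing openers from which probes fail with ERROR_SHARING_VIOLATION. The function names (`probe_errors`, `infer_denied_share`, `is_exclusive`) are hypothetical, and the ctypes call path is assumed to run on Windows only.

```python
import ctypes
import sys

# Win32 constants (winnt.h / winerror.h)
GENERIC_READ, GENERIC_WRITE, DELETE = 0x80000000, 0x40000000, 0x00010000
FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE = 0x1, 0x2, 0x4
SHARE_ALL = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
OPEN_EXISTING, ERROR_SUCCESS, ERROR_SHARING_VIOLATION = 3, 0, 32
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

# Each probe requests one access right; the paired share flag is the one an
# existing opener must have granted for that request to pass the sharing check.
PROBES = {"read": (GENERIC_READ, FILE_SHARE_READ),
          "write": (GENERIC_WRITE, FILE_SHARE_WRITE),
          "delete": (DELETE, FILE_SHARE_DELETE)}

def probe_errors(path):
    """Windows only: open with each access and full sharing; {name: Win32 error}."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    errors = {}
    for name, (access, _) in PROBES.items():
        h = k32.CreateFileW(path, access, SHARE_ALL, None, OPEN_EXISTING, 0, None)
        if h == INVALID_HANDLE_VALUE:
            errors[name] = ctypes.get_last_error()
        else:
            errors[name] = ERROR_SUCCESS
            k32.CloseHandle(h)
    return errors

def infer_denied_share(errors):
    """Return (withheld share flags, names of inconclusive probes)."""
    denied, unknown = 0, []
    for name, (_, share_flag) in PROBES.items():
        err = errors.get(name)
        if err == ERROR_SHARING_VIOLATION:
            denied |= share_flag      # some existing opener withheld this flag
        elif err != ERROR_SUCCESS:
            unknown.append(name)      # e.g. ACL denial: probe says nothing about sharing
    return denied, unknown

def is_exclusive(errors):
    """True when the effective share mode across existing opens is 0."""
    return infer_denied_share(errors)[0] == SHARE_ALL

if __name__ == "__main__" and sys.platform == "win32" and len(sys.argv) > 1:
    print(infer_denied_share(probe_errors(sys.argv[1])))
```

The result is the combined effect of every existing open that holds read, write or delete access, not the share mode of one particular handle.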
