Creating a Mailslot in a driver

Hey.
I’m trying to create a mailslot in my driver. I read there’s a special system call for it,
‘ZwCreateMailslotFile’, which I can’t find ANYwhere. So I guess it was deleted, so I’m trying to create it via ‘ZwCreateFile’, like this:

UNICODE_STRING MailslotName;
HANDLE Handle = NULL;
OBJECT_ATTRIBUTES ObjectAttr;
IO_STATUS_BLOCK IoStatus;
WCHAR Buffer[1024];

MailslotName.Buffer = Buffer;
MailslotName.Length = 1024 * sizeof(TCHAR);
MailslotName.MaximumLength = 1024 * sizeof(TCHAR);

RtlUnicodeStringPrintf(&MailslotName, L"\\??\\mailslot\\main");

InitializeObjectAttributes(&ObjectAttr, &MailslotName,
    OBJ_INHERIT, NULL, NULL);

ZwCreateFile(&Handle, GENERIC_READ | GENERIC_WRITE, &ObjectAttr,
    &IoStatus, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE,
    FILE_CREATE, FILE_NON_DIRECTORY_FILE, NULL, 0);

But I fail with an error 0xC0000033 (OBJECT_NAME_INVALID).
Any ideas why?

Try IoCreateFile with CreateFileTypeMailslot file type

MAILSLOT_CREATE_PARAMETERS MailslotParameters = {0};

// init MailslotParameters with quota etc
MailslotParameters … = …;

IoCreateFile( …,
CreateFileTypeMailslot,
&MailslotParameters,
0 );

It is still here but not exported from the kernel

nt!ZwCreateMailslotFile:
fffff800`4775e460 488bc4 mov rax,rsp
fffff800`4775e463 fa cli
fffff800`4775e464 4883ec10 sub rsp,10h
fffff800`4775e468 50 push rax
fffff800`4775e469 9c pushfq
fffff800`4775e46a 6a10 push 10h
fffff800`4775e46c 488d050d550000 lea rax,[nt!KiServiceLinkage (fffff800`47763980)]
fffff800`4775e473 50 push rax

nt!NtCreateMailslotFile:
fffff800`47ace4e0 4881ec98000000 sub rsp,98h
fffff800`47ace4e7 488b055246e3ff mov rax,qword ptr [nt!_security_cookie (fffff800`47902b40)]
fffff800`47ace4ee 4833c4 xor rax,rsp
fffff800`47ace4f1 4889842488000000 mov qword ptr [rsp+88h],rax
fffff800`47ace4f9 4d8bd8 mov r11,r8
fffff800`47ace4fc 4c8bd1 mov r10,rcx
fffff800`47ace4ff 4c8b8424d8000000 mov r8,qword ptr [rsp+0D8h]
fffff800`47ace507 4d85c0 test r8,r8

Just to clarify why you need IoCreateFile( … CreateFileTypeMailslot … ).

ZwCreateFile issued IRP_MJ_CREATE(0x0) instead of IRP_MJ_CREATE_MAILSLOT(0x13).

I have a mailslot that is created by a userspace process with the name X.

Now I’m trying to open the mailslot in my driver with:
Status = IoCreateFile(&Handle, GENERIC_READ | GENERIC_WRITE, &ObjectAttr,
&IoStatus, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE,
FILE_OPEN, FILE_NON_DIRECTORY_FILE, NULL, 0, CreateFileTypeMailslot, &MailSlotParam, 0);

But I fail with 0xc0000035 or STATUS_OBJECT_NAME_COLLISION

Can’t figure out why… I’m opening it, not creating it… any ideas?
and thanks

In that light you tried to “open mailslot” instead of “create mailslot”. ZwCreateMailslotFile creates a mailslot but does not open an existing one.

Try ZwCreateFile with FILE_OPEN instead of FILE_CREATE.

I will ask the standard question, why do you want to do this? Mailslots are
not a great communication mechanism in general, and not normally used for
communications.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Thursday, May 18, 2017 10:31 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Creating a Mailslot in a driver

I have a mailslot that is created by a userspace process with the name X.

Now I’m trying to open the mailslot in my driver with:
Status = IoCreateFile(&Handle, GENERIC_READ | GENERIC_WRITE,
&ObjectAttr,
&IoStatus, NULL, FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE,
FILE_OPEN, FILE_NON_DIRECTORY_FILE, NULL, 0,
CreateFileTypeMailslot, &MailSlotParam, 0);

But I fail with 0xc0000035 or STATUS_OBJECT_NAME_COLLISION

Can’t figure out why… I’m opening it, not creating it… any ideas?
and thanks


NTDEV is sponsored by OSR


Look at the doc for OBJECT_ATTRIBUTES.

https://msdn.microsoft.com/fr-fr/library/windows/hardware/ff557749(v=vs.85).aspx

You can use ZwCreateFile but you have to set the OBJ_OPENIF attributes to avoid STATUS_OBJECT_NAME_COLLISION when the file already exists. You should also set the OBJ_CASE_INSENSITIVE attribute.

Now \??\MailSlot is a symlink to \Device\MailSlot. So \??\MailSlot\Main is a FILE_OBJECT that belongs to the \Device\MailSlot device object’s namespace.

You could provide your own implementation for instance by creating your own control device \Device\MyDriverMailSlot. Your driver would then provide the Read/Write file dispatch routines.

Also, you should remove references to the TCHAR type which is used in user mode. Use the WCHAR type with UNICODE strings and the CHAR type with ANSI strings.

The MailslotName initialization is wrong:

WCHAR Buffer[] = L"\\??\\mailslot\\main";
MailslotName.Buffer = Buffer;
MailslotName.Length = sizeof(Buffer) - sizeof(WCHAR);
MailslotName.MaximumLength = sizeof(Buffer);

Then you don’t need RtlUnicodeStringPrintf.

J. S.

Not applicable to mailslots, they are a special beast. To create a mailslot you need to issue IRP_MJ_CREATE_MAILSLOT(0x13). To open an existing mailslot you need IRP_MJ_CREATE(0x0).

The object manager substitutes \GLOBAL?? instead of \?? when looking for an object by name. So it is not a problem here as \GLOBAL??\mailslot is a symbolic link to \Device\mailslot

You can do this as RtlInitUnicodeString( &MailslotName, L"\\??\\mailslot\\main" ) without counting by your fingers.
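
The Length/MaximumLength rules from the two replies above, as an added example that is not code from the thread: a portable user-mode model of a counted UNICODE_STRING descriptor. USTR, WCHAR16, ustr_init and ustr_check are hypothetical names; ustr_init applies the same arithmetic as RtlInitUnicodeString, and the check flags a constructed descriptor whose Length claims the whole 1024-character buffer, which would make a consumer read past the text that was actually written.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef uint_least16_t WCHAR16;          /* stand-in for the 16-bit WCHAR */
typedef struct {                         /* stand-in for UNICODE_STRING   */
    uint16_t Length;                     /* bytes in use, no terminator   */
    uint16_t MaximumLength;              /* bytes available in Buffer     */
    WCHAR16 *Buffer;
} USTR;
enum { USTR_OK, USTR_ODD_LENGTH, USTR_LEN_GT_MAX, USTR_MAX_GT_BACKING, USTR_EMBEDDED_NUL };

/* Same arithmetic RtlInitUnicodeString applies to a NUL-terminated source. */
void ustr_init(USTR *s, WCHAR16 *z) {
    size_t n = 0;
    while (z[n] != 0) n++;
    s->Buffer = z;
    s->Length = (uint16_t)(n * sizeof(WCHAR16));
    s->MaximumLength = (uint16_t)(s->Length + sizeof(WCHAR16));
}

/* Reject descriptors that claim more than was actually written. */
int ustr_check(const USTR *s, size_t backing_bytes) {
    if (s->Length % sizeof(WCHAR16)) return USTR_ODD_LENGTH;
    if (s->Length > s->MaximumLength) return USTR_LEN_GT_MAX;
    if (s->MaximumLength > backing_bytes) return USTR_MAX_GT_BACKING;
    for (size_t i = 0; i < s->Length / sizeof(WCHAR16); i++)
        if (s->Buffer[i] == 0) return USTR_EMBEDDED_NUL;
    return USTR_OK;
}

WCHAR16 g_name[] = u"\\??\\mailslot\\main";   /* constructed sample: 17 chars + NUL */
int case_sizeof(void) {        /* Length = sizeof(Buffer) - sizeof(WCHAR) */
    USTR s = { (uint16_t)(sizeof g_name - sizeof(WCHAR16)), (uint16_t)sizeof g_name, g_name };
    return ustr_check(&s, sizeof g_name);
}

int case_whole_buffer(void) {  /* Length left at the full 1024-character buffer */
    static WCHAR16 big[1024];  /* zero-filled, then only the name is written */
    memcpy(big, g_name, sizeof g_name);
    USTR s = { (uint16_t)sizeof big, (uint16_t)sizeof big, big };
    return ustr_check(&s, sizeof big);
}

int main(void) {
    USTR s;
    ustr_init(&s, g_name);
    printf("init=%d sizeof=%d whole_buffer=%d\n", ustr_check(&s, sizeof g_name), case_sizeof(), case_whole_buffer());
    return 0;
}
```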

Pass the handle down in an IOCTL. Depending on when your driver loads, and
how it loads, it is a high probability that \BaseNamedObjects has not been
created yet.

On Thu, May 18, 2017 at 11:14 AM Don Burn wrote:

> I will ask the standard question, why do you want to do this? Mailslots are
> not a great communication mechanism in general, and not normally used for
> communications.
>
>
> Don Burn
> Windows Driver Consulting
> Website: http://www.windrvr.com

Why do you advise people to go undocumented?

Where is the OP supposed to find the CreateFileTypeMailslot definition?

MailSlot objects are just file objects.

kd> !handle FC

PROCESS ffffd50d5d743080
SessionId: 1 Cid: 13b0 Peb: 3d083d8000 ParentCid: 0b54
DirBase: 5cf62000 ObjectTable: ffffc289c44ed300 HandleCount:
Image: TestMailSlot.exe

Handle Error reading handle count.

00fc: Object: ffffd50d5eb7e080 GrantedAccess: 00160089 (Protected) (Audit) Entry: ffffc289c36c13f0
Object: ffffd50d5eb7e080 Type: (ffffd50d5ba63ae0) File
ObjectHeader: ffffd50d5eb7e050 (new version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \sample_mailslot {Mailslot}

kd> !fileobj ffffd50d5eb7e080

\sample_mailslot

Device Object: 0xffffd50d5bd4faa0 \FileSystem\Msfs
Vpb is NULL
Event signalled

Flags: 0x40210
Write Through
Mailslot
Handle Created

FsContext: 0xffffd50d5cbfc8d0 FsContext2: 0x00000000
CurrentByteOffset: 0

kd> !drvobj \FileSystem\Msfs
Driver object (ffffd50d5bd4fe60) is for:
\FileSystem\Msfs
Driver Extension List: (id , addr)

Device Object list:
ffffd50d5bd4faa0
kd> !devobj ffffd50d5bd4faa0
Device object (ffffd50d5bd4faa0) is for:
Mailslot \FileSystem\Msfs DriverObject ffffd50d5bd4fe60
Current Irp 00000000 RefCount 5 Type 0000000c Flags 00000040
SecurityDescriptor ffffc289bc795360 DevExt ffffd50d5bd4fbf0 DevObjExt ffffd50d5bd4fd98
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
AttachedDevice (Upper) ffffd50d5d1da7e0 \FileSystem\FltMgr
Device queue is not busy.

Really?

Windows Driver Kit(WDK). Do you have one?

\Include\km\wdm.h

typedef enum _CREATE_FILE_TYPE {
CreateFileTypeNone,
CreateFileTypeNamedPipe,
CreateFileTypeMailslot
} CREATE_FILE_TYPE;

Thanks cap.
Nevertheless you still need IRP_MJ_CREATE_MAILSLOT to create a mailslot.
IoCreateFile issues IRP_MJ_CREATE_MAILSLOT when called with the documented CreateFileTypeMailslot.

According to the doc:

CreateFileType [in]:

Drivers must set this parameter to CreateFileTypeNone.

That is why I thought the definition was not available. So go undocumented and don’t complain if the code breaks…

J. S.

No worries. A habit to search in header files comes with experience.