Establishing a network connection ( like "net use" ) in kernel mode

Barakando_Terdo · May 23, 2011, 4:20am

Hi,
I’m looking for a way to access a remote network share ( SMB share ) very early on during the boot process ( i.e. before any user mode processes are executed ).
Thus, I cannot use user mode APIs ( or net use for that matter ) in order to “mount” the network share.

I can’t seem to find a documented way to do this from kernel mode,

Is there a good reason for this not to be available from kernel mode?
Are you guys familiar with a way to do this from kernel mode?

Bronislav_Gabrhelik · May 23, 2011, 7:03am

You should realize that network shares are user specific (differentiation is done by logon session ID).
So you must have good user context in kernel mode when accessing share. It can be achieved either by process context which belongs to specific user, or impersonation in system thread.

The ZwCreateFile with flag FILE_CREATE_TREE_CONNECTION should work. You have to use SSO to authenticate or you can pass credentials in EA buffer in format below. Note that EA is optional and doesn’t work with all redirectors.

Now I am not sure how to form path so request is sent to MUP device. I think something like “\.\UNC\\server\share” might work. Great Sysinternal’s WinObj tool might help in determining of the path.

Hope this helps,
Bronislav Gabrhelik

/* here is excerpt from my old comment strings */
/*
EABuffer contains an array of variable size items of structure FILE_FULL_EA_INFORMATION
RDBSS recognizes and parses following values:
“UserName” value is UNICODE user NAME
“Password” values is UNICODE password
“Domain” value is UNICODE
?? “Type” - value is long probably printer,filesystem or any
*/

Bronislav_Gabrhelik · May 23, 2011, 7:06am

Correcting mistake: path should be this C literal “\.\UNC\server\share”
-bg

Barakando_Terdo · May 23, 2011, 7:12am

Thanks a lot, I’ll give it a try and update how it went.

Bronislav_Gabrhelik · May 23, 2011, 7:27am

The correct path is documented here:
http://msdn.microsoft.com/en-us/library/aa365247(v=vs.85).aspx#maxpath

Below are “C” literals

// from User Mode
“\\?\UNC\server\share”

//from Kernel Mode should work
“\??\UNC\server\share”

-bg

Barakando_Terdo · May 23, 2011, 12:54pm

Alright, successfully implemented the above:

Calling ZwCreateFile( …, FILE_FLAG_TREE_CONNECTION, … ) and passing a properly craftet ea buffer that contains 4 attributes: UserName, Password, Domain and Type as you specified ( first 3 are UNICODE, last one is LONG with value equal to RESOURCETYPE_DISK = 1 ).
At first had some problems with propelry crafting the ea buffer and got STATUS_EA_LIST_INCONSISTENT ( 0x80000014 ) error, but managed to fix that.
Right now, whenever I call ZwCreateFile( “\??\UNC\172.16.0.2\share”, GENERIC_READ ), or ZwCreateFile( “\??\UNC\172.16.0.2\share\subfolder”,… ) or ZwCreateFile( “\??\UNC\172.16.0.2\nonexistantsharename”, … ) I’m getting STATUS_ACCESS_DENIED ( 0xc0000022 ) in the call to ZwCreateFile.
However, If I call ZwCreateFile( “\??\UNC\172.16.0.2\IPC$” ) it does work - STATUS_SUCCESS.

My conclusion from this is that the ea attributes that I pass to ZwCreateFile don’t do the trick so I’m basically allowed access when no authentication is required, but when it is required - I get an access denied because the username/password are not properly passed to the rdbss.

Where can I find the documentation specifying which ea attributes to pass?

Thanks in advance!

Bronislav_Gabrhelik · May 24, 2011, 7:49am

I think it is undocumented. I bump into it during mini-redirector implementation, and IIRC it is used in smbmrx sample in some former WDK. I think both the key & value are not null terminated. The Key is ANSI string. I am not sure about value alignment. You know if UNICODE string can start on odd address. I think you can omit type.

You noted that you would like use it during boot. If I were you I would test in in user mode using native API (NtCreateFile).

-bg