\FileSystem\RawFS and \Driver\Disk

OSR_Community_User · October 30, 2006, 10:51pm

Hi gurus,

I was trying to figure out the list of disk device objects (of disk.sys
obviously) using IoGetDeviceObjectPointer() and
IoEnumerateDeviceObjectList() on \Device\Harddisk0\DR0. Guess what? I’ve
got devices of \FileSystem\RawFS.

It appears that IoGetDeviceObjectPointer() returns file system device object
instead of disk device object, which seems to be true here because it
searches through all file system in obj name space and returns RawFS as it
couldn’t find out \Device\Harddisk0\DR0. Is my theory correct?

So I did the following test to get disk.sys device object list again.

UNICODE_STRING name;
RtlInitUnicodeString(&name, L"\Device\Harddisk0\DR0");

PFILE_OBJECT pFileObj;
PDEVICE_OBJECT pDevObj;
NTSTATUS status = IoGetDeviceObjectPointer(&name, FILE_READ_DATA,
&pFileObj, &pDevObj);

if(NT_SUCCESS(status))
{
status = IoGetDiskDeviceObject(pDevObj, &pDevObj);

// Now pDevObj points to the real disk device object for
“\Device\Harddisk0\DR0”
// And pDevObj->DriverObj->DriverName is obviously \Driver\Disk
}

My second question is, ‘Is this the only generic way to detect disk device
objects who claimed the physical harddrives or is there any cooler way?’

Thanks a lot in advance.

Regards,
Sean

OSR_Community_User · October 31, 2006, 2:35am

If you want to get device object for disks with drive letters you may use
this one:

PDEVICE_OBJECT DiskDevice;
HANDLE hLink;
OBJECT_ATTRIBUTES Attr;
UNICODE_STRING link_name, device_name;
PFILE_OBJECT device_file;
WCHAR name_buffer[40],device_buffer[MAX_PATH];
CHAR devLetter; //disk letter

name_buffer[sizeof(name_buffer) - 1] = UNICODE_NULL;
_snwprintf(name_buffer, sizeof(name_buffer) - 1, L"\GLOBAL??\%c:",
devLetter);
RtlInitUnicodeString(&link_name, name_buffer);
InitializeObjectAttributes(&Attr,&link_name,OBJ_CASE_INSENSITIVE,NULL,NULL);
status=ZwOpenSymbolicLinkObject(&hLink,FILE_READ_DATA,&Attr);
if (!NT_SUCCESS(status))
{
//we failed
}

RtlInitEmptyUnicodeString(&device_name, device_buffer,MAX_PATH);
status=ZwQuerySymbolicLinkObject(hLink,&device_name,NULL);
if (!NT_SUCCESS(status)||!device_name.Buffer)
{
ZwClose(hLink);
}
status=IoGetDeviceObjectPointer(&device_name,FILE_READ_ATTRIBUTES,&device_fi
le,&DiskDevice);
if (!NT_SUCCESS(status))
{
ObDereferenceObject(device_file);
ZwClose(hLink);
}
//here you have DeviceObject - DiskDevice

ObDereferenceObject(device_file);
ZwClose(hLink);

Andrey Gunko
soft Xpansion Ukraine Ltd.
Programmer
Powered by eKnow-how
Artjoma St. 118B … 83048 Donetsk … Tel/Fax: +38 062 3818874 …
Internet: [www.soft-xpansion.com]

|-----Original Message-----
|From: xxxxx@lists.osr.com [mailto:bounce-268362-
|xxxxx@lists.osr.com] On Behalf Of Sean Park
|Sent: Tuesday, October 31, 2006 5:51 AM
|To: Windows File Systems Devs Interest List
|Subject: [ntfsd] \FileSystem\RawFS and \Driver\Disk
|
|Hi gurus,
|
|I was trying to figure out the list of disk device objects (of disk.sys
|obviously) using IoGetDeviceObjectPointer() and
|IoEnumerateDeviceObjectList() on \Device\Harddisk0\DR0. Guess what? I’ve
|got devices of \FileSystem\RawFS.
|
|It appears that IoGetDeviceObjectPointer() returns file system device
|object
|instead of disk device object, which seems to be true here because it
|searches through all file system in obj name space and returns RawFS as it
|couldn’t find out \Device\Harddisk0\DR0. Is my theory correct?
|
|
|So I did the following test to get disk.sys device object list again.
|
|UNICODE_STRING name;
| RtlInitUnicodeString(&name, L"\Device\Harddisk0\DR0");
|
| PFILE_OBJECT pFileObj;
| PDEVICE_OBJECT pDevObj;
| NTSTATUS status = IoGetDeviceObjectPointer(&name, FILE_READ_DATA,
|&pFileObj, &pDevObj);
|
| if(NT_SUCCESS(status))
| {
| status = IoGetDiskDeviceObject(pDevObj, &pDevObj);
|
|// Now pDevObj points to the real disk device object for
|“\Device\Harddisk0\DR0”
|// And pDevObj->DriverObj->DriverName is obviously \Driver\Disk
|}
|
|My second question is, ‘Is this the only generic way to detect disk device
|objects who claimed the physical harddrives or is there any cooler way?’
|
|
|Thanks a lot in advance.
|
|Regards,
|Sean
|
|
|
|—
|Questions? First check the IFS FAQ at
|https://www.osronline.com/article.cfm?id=17
|
|You are currently subscribed to ntfsd as: xxxxx@maus.donetsk.ua
|To unsubscribe send a blank email to xxxxx@lists.osr.com

Slava_Imameyev · November 1, 2006, 8:33am

> It appears that IoGetDeviceObjectPointer() returns file system device

object

IoGetDeviceObjectPointer calls ZwOpenFile, and the system mounts the RAW
FSD. Then IoGetDeviceObjectPointer calls IoGetRelatedDeviceObject(
FileObject ) which returns the mounted FSD’s device object.
The returned FileObject is initialized by RAW FSD( the IRP_MJ_CREATE request
is not sent to the disk.sys driver ), but the FileObject->DeviceObject
points to a real disk/volume device object.

–
Slava Imameyev, xxxxx@hotmail.com

“Sean Park” wrote in message news:xxxxx@ntfsd…
> Hi gurus,
>
> I was trying to figure out the list of disk device objects (of disk.sys
> obviously) using IoGetDeviceObjectPointer() and
> IoEnumerateDeviceObjectList() on \Device\Harddisk0\DR0. Guess what?
> I’ve got devices of \FileSystem\RawFS.
>
> It appears that IoGetDeviceObjectPointer() returns file system device
> object instead of disk device object, which seems to be true here because
> it searches through all file system in obj name space and returns RawFS as
> it couldn’t find out \Device\Harddisk0\DR0. Is my theory correct?
>
>
> So I did the following test to get disk.sys device object list again.
>
> UNICODE_STRING name;
> RtlInitUnicodeString(&name, L"\Device\Harddisk0\DR0");
>
> PFILE_OBJECT pFileObj;
> PDEVICE_OBJECT pDevObj;
> NTSTATUS status = IoGetDeviceObjectPointer(&name, FILE_READ_DATA,
> &pFileObj, &pDevObj);
>
> if(NT_SUCCESS(status))
> {
> status = IoGetDiskDeviceObject(pDevObj, &pDevObj);
>
> // Now pDevObj points to the real disk device object for
> “\Device\Harddisk0\DR0”
> // And pDevObj->DriverObj->DriverName is obviously \Driver\Disk
> }
>
> My second question is, ‘Is this the only generic way to detect disk device
> objects who claimed the physical harddrives or is there any cooler way?’
>
>
> Thanks a lot in advance.
>
> Regards,
> Sean
>
>

Slava_Imameyev · November 1, 2006, 8:50am

>IoGetDeviceObjectPointer(&device_name,FILE_READ_ATTRIBUTES,&device_fi

In your case the RAW FSD is not mounted or not used( even if has been
mounted ) because you use FILE_READ_ATTRIBUTES.
In the original post FILE_READ_DATA is used and the system mounts the RAW
FSD.

–
Slava Imameyev, xxxxx@hotmail.com

“Gunko Andrey” wrote in message news:xxxxx@ntfsd…
> If you want to get device object for disks with drive letters you may use
> this one:
>
> PDEVICE_OBJECT DiskDevice;
> HANDLE hLink;
> OBJECT_ATTRIBUTES Attr;
> UNICODE_STRING link_name, device_name;
> PFILE_OBJECT device_file;
> WCHAR name_buffer[40],device_buffer[MAX_PATH];
> CHAR devLetter; //disk letter
>
> name_buffer[sizeof(name_buffer) - 1] = UNICODE_NULL;
> _snwprintf(name_buffer, sizeof(name_buffer) - 1, L"\GLOBAL??\%c:“,
> devLetter);
> RtlInitUnicodeString(&link_name, name_buffer);
> InitializeObjectAttributes(&Attr,&link_name,OBJ_CASE_INSENSITIVE,NULL,NULL);
> status=ZwOpenSymbolicLinkObject(&hLink,FILE_READ_DATA,&Attr);
> if (!NT_SUCCESS(status))
> {
> //we failed
> }
>
> RtlInitEmptyUnicodeString(&device_name, device_buffer,MAX_PATH);
> status=ZwQuerySymbolicLinkObject(hLink,&device_name,NULL);
> if (!NT_SUCCESS(status)||!device_name.Buffer)
> {
> ZwClose(hLink);
> }
> status=IoGetDeviceObjectPointer(&device_name,FILE_READ_ATTRIBUTES,&device_fi
> le,&DiskDevice);
> if (!NT_SUCCESS(status))
> {
> ObDereferenceObject(device_file);
> ZwClose(hLink);
> }
> //here you have DeviceObject - DiskDevice
>
> ObDereferenceObject(device_file);
> ZwClose(hLink);
>
>
>
> Andrey Gunko
> soft Xpansion Ukraine Ltd.
> Programmer
> Powered by eKnow-how
> Artjoma St. 118B … 83048 Donetsk … Tel/Fax: +38 062 3818874 …
> Internet: [www.soft-xpansion.com]
>
> |-----Original Message-----
> |From: xxxxx@lists.osr.com [mailto:bounce-268362-
> |xxxxx@lists.osr.com] On Behalf Of Sean Park
> |Sent: Tuesday, October 31, 2006 5:51 AM
> |To: Windows File Systems Devs Interest List
> |Subject: [ntfsd] \FileSystem\RawFS and \Driver\Disk
> |
> |Hi gurus,
> |
> |I was trying to figure out the list of disk device objects (of disk.sys
> |obviously) using IoGetDeviceObjectPointer() and
> |IoEnumerateDeviceObjectList() on \Device\Harddisk0\DR0. Guess what?
> I’ve
> |got devices of \FileSystem\RawFS.
> |
> |It appears that IoGetDeviceObjectPointer() returns file system device
> |object
> |instead of disk device object, which seems to be true here because it
> |searches through all file system in obj name space and returns RawFS as
> it
> |couldn’t find out \Device\Harddisk0\DR0. Is my theory correct?
> |
> |
> |So I did the following test to get disk.sys device object list again.
> |
> |UNICODE_STRING name;
> | RtlInitUnicodeString(&name, L”\Device\Harddisk0\DR0");
> |
> | PFILE_OBJECT pFileObj;
> | PDEVICE_OBJECT pDevObj;
> | NTSTATUS status = IoGetDeviceObjectPointer(&name, FILE_READ_DATA,
> |&pFileObj, &pDevObj);
> |
> | if(NT_SUCCESS(status))
> | {
> | status = IoGetDiskDeviceObject(pDevObj, &pDevObj);
> |
> |// Now pDevObj points to the real disk device object for
> |“\Device\Harddisk0\DR0”
> |// And pDevObj->DriverObj->DriverName is obviously \Driver\Disk
> |}
> |
> |My second question is, ‘Is this the only generic way to detect disk
> device
> |objects who claimed the physical harddrives or is there any cooler way?’
> |
> |
> |Thanks a lot in advance.
> |
> |Regards,
> |Sean
> |
> |
> |
> |—
> |Questions? First check the IFS FAQ at
> |https://www.osronline.com/article.cfm?id=17
> |
> |You are currently subscribed to ntfsd as: xxxxx@maus.donetsk.ua
> |To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>

OSR_Community_User · November 6, 2006, 10:25pm

Thanks for your code, Andrey.

I tried your code already, but it retrieves the device object of the
volume manager (ftdisk) instead of disk class driver. If volsnap is
installed, then device object of volsnap is returned. What I wanted to
know was the device object of disk class driver. And the code is
described in my original post.

Another thing that I want to know is mapping from volume manager device
name to the device object of disk class driver. You need this code if
you want to directly access disk class devices using the plain drive
name (i.e. ??\c:). Unfortunately it seems quite difficult to associate
the volume manager’s volume device name and its corresponding device
object in disk class driver. For example, it’s difficult to figure out
the following mapping.

\Device\HarddiskVolume1 <-> disk device object of disk.sys

If you look at the device tree, ftdisk seems like a dead end in the disk
stack associated with a file system. Disk.sys has partition manager
(partmgr.sys) attached to it. Also if you investigate further using irp
tracker, partition manager removes its irp stack location and passes the
irp to the disk class driver. By the time disk.sys receives that irp,
there is no irp stack location created by partmgr and IRP looks like it
is coming directly from ftdisk.sys.

I’m just trying to figure out how to get disk device object from ftdisk
device name. Any clue?

Sean Park
Kernel Driver Developer
PCTools Research Pty Ltd.
www.pctools.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gunko Andrey
Sent: Tuesday, October 31, 2006 6:35 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] \FileSystem\RawFS and \Driver\Disk

If you want to get device object for disks with drive letters you may
use this one:

PDEVICE_OBJECT DiskDevice;
HANDLE hLink;
OBJECT_ATTRIBUTES Attr;
UNICODE_STRING link_name, device_name;
PFILE_OBJECT device_file;
WCHAR name_buffer[40],device_buffer[MAX_PATH];
CHAR devLetter; //disk letter

name_buffer[sizeof(name_buffer) - 1] = UNICODE_NULL;
_snwprintf(name_buffer, sizeof(name_buffer) - 1, L"\GLOBAL??\%c:",
devLetter); RtlInitUnicodeString(&link_name, name_buffer);
InitializeObjectAttributes(&Attr,&link_name,OBJ_CASE_INSENSITIVE,NULL,NU
LL);
status=ZwOpenSymbolicLinkObject(&hLink,FILE_READ_DATA,&Attr);
if (!NT_SUCCESS(status))
{
//we failed
}

RtlInitEmptyUnicodeString(&device_name, device_buffer,MAX_PATH);
status=ZwQuerySymbolicLinkObject(hLink,&device_name,NULL);
if (!NT_SUCCESS(status)||!device_name.Buffer)
{
ZwClose(hLink);
}
status=IoGetDeviceObjectPointer(&device_name,FILE_READ_ATTRIBUTES,&devic
e_fi
le,&DiskDevice);
if (!NT_SUCCESS(status))
{
ObDereferenceObject(device_file);
ZwClose(hLink);
}
//here you have DeviceObject - DiskDevice

ObDereferenceObject(device_file);
ZwClose(hLink);

Andrey Gunko
soft Xpansion Ukraine Ltd.
Programmer
Powered by eKnow-how
Artjoma St. 118B … 83048 Donetsk … Tel/Fax: +38 062 3818874 …
Internet: [www.soft-xpansion.com]

|-----Original Message-----
|From: xxxxx@lists.osr.com [mailto:bounce-268362-
|xxxxx@lists.osr.com] On Behalf Of Sean Park
|Sent: Tuesday, October 31, 2006 5:51 AM
|To: Windows File Systems Devs Interest List
|Subject: [ntfsd] \FileSystem\RawFS and \Driver\Disk
|
|Hi gurus,
|
|I was trying to figure out the list of disk device objects (of disk.sys
|obviously) using IoGetDeviceObjectPointer() and
|IoEnumerateDeviceObjectList() on \Device\Harddisk0\DR0. Guess what?
|I’ve got devices of \FileSystem\RawFS.
|
|It appears that IoGetDeviceObjectPointer() returns file system device
|object instead of disk device object, which seems to be true here
|because it searches through all file system in obj name space and
|returns RawFS as it couldn’t find out \Device\Harddisk0\DR0. Is my
|theory correct?
|
|
|So I did the following test to get disk.sys device object list again.
|
|UNICODE_STRING name;
| RtlInitUnicodeString(&name, L"\Device\Harddisk0\DR0");
|
| PFILE_OBJECT pFileObj;
| PDEVICE_OBJECT pDevObj;
| NTSTATUS status = IoGetDeviceObjectPointer(&name, FILE_READ_DATA,
|&pFileObj, &pDevObj);
|
| if(NT_SUCCESS(status))
| {
| status = IoGetDiskDeviceObject(pDevObj, &pDevObj);
|
|// Now pDevObj points to the real disk device object for
|“\Device\Harddisk0\DR0”
|// And pDevObj->DriverObj->DriverName is obviously \Driver\Disk }
|
|My second question is, ‘Is this the only generic way to detect disk
|device objects who claimed the physical harddrives or is there any
cooler way?’
|
|
|Thanks a lot in advance.
|
|Regards,
|Sean
|
|
|
|—
|Questions? First check the IFS FAQ at
|https://www.osronline.com/article.cfm?id=17
|
|You are currently subscribed to ntfsd as: xxxxx@maus.donetsk.ua To
|unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@pctools.com To
unsubscribe send a blank email to xxxxx@lists.osr.com

Slava_Imameyev · November 7, 2006, 5:13am

>Another thing that I want to know is mapping from volume manager device

name to the device object of disk class driver.

Query removal relations(
IRP_MJ_PNP::IRP_MN_QUERY_DEVICE_RELATIONS::RemovalRelations ) for class
driver’s objects.

–
Slava Imameyev, xxxxx@hotmail.com

“Sean Park” wrote in message news:xxxxx@ntfsd…
Thanks for your code, Andrey.

I tried your code already, but it retrieves the device object of the
volume manager (ftdisk) instead of disk class driver. If volsnap is
installed, then device object of volsnap is returned. What I wanted to
know was the device object of disk class driver. And the code is
described in my original post.

Another thing that I want to know is mapping from volume manager device
name to the device object of disk class driver. You need this code if
you want to directly access disk class devices using the plain drive
name (i.e. ??\c:). Unfortunately it seems quite difficult to associate
the volume manager’s volume device name and its corresponding device
object in disk class driver. For example, it’s difficult to figure out
the following mapping.

\Device\HarddiskVolume1 <-> disk device object of disk.sys

If you look at the device tree, ftdisk seems like a dead end in the disk
stack associated with a file system. Disk.sys has partition manager
(partmgr.sys) attached to it. Also if you investigate further using irp
tracker, partition manager removes its irp stack location and passes the
irp to the disk class driver. By the time disk.sys receives that irp,
there is no irp stack location created by partmgr and IRP looks like it
is coming directly from ftdisk.sys.

I’m just trying to figure out how to get disk device object from ftdisk
device name. Any clue?

Sean Park
Kernel Driver Developer
PCTools Research Pty Ltd.
www.pctools.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gunko Andrey
Sent: Tuesday, October 31, 2006 6:35 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] \FileSystem\RawFS and \Driver\Disk

If you want to get device object for disks with drive letters you may
use this one:

PDEVICE_OBJECT DiskDevice;
HANDLE hLink;
OBJECT_ATTRIBUTES Attr;
UNICODE_STRING link_name, device_name;
PFILE_OBJECT device_file;
WCHAR name_buffer[40],device_buffer[MAX_PATH];
CHAR devLetter; //disk letter

name_buffer[sizeof(name_buffer) - 1] = UNICODE_NULL;
_snwprintf(name_buffer, sizeof(name_buffer) - 1, L"\GLOBAL??\%c:“,
devLetter); RtlInitUnicodeString(&link_name, name_buffer);
InitializeObjectAttributes(&Attr,&link_name,OBJ_CASE_INSENSITIVE,NULL,NU
LL);
status=ZwOpenSymbolicLinkObject(&hLink,FILE_READ_DATA,&Attr);
if (!NT_SUCCESS(status))
{
//we failed
}

RtlInitEmptyUnicodeString(&device_name, device_buffer,MAX_PATH);
status=ZwQuerySymbolicLinkObject(hLink,&device_name,NULL);
if (!NT_SUCCESS(status)||!device_name.Buffer)
{
ZwClose(hLink);
}
status=IoGetDeviceObjectPointer(&device_name,FILE_READ_ATTRIBUTES,&devic
e_fi
le,&DiskDevice);
if (!NT_SUCCESS(status))
{
ObDereferenceObject(device_file);
ZwClose(hLink);
}
//here you have DeviceObject - DiskDevice

ObDereferenceObject(device_file);
ZwClose(hLink);

Andrey Gunko
soft Xpansion Ukraine Ltd.
Programmer
Powered by eKnow-how
Artjoma St. 118B … 83048 Donetsk … Tel/Fax: +38 062 3818874 …
Internet: [www.soft-xpansion.com]

|-----Original Message-----
|From: xxxxx@lists.osr.com [mailto:bounce-268362-
|xxxxx@lists.osr.com] On Behalf Of Sean Park
|Sent: Tuesday, October 31, 2006 5:51 AM
|To: Windows File Systems Devs Interest List
|Subject: [ntfsd] \FileSystem\RawFS and \Driver\Disk
|
|Hi gurus,
|
|I was trying to figure out the list of disk device objects (of disk.sys
|obviously) using IoGetDeviceObjectPointer() and
|IoEnumerateDeviceObjectList() on \Device\Harddisk0\DR0. Guess what?
|I’ve got devices of \FileSystem\RawFS.
|
|It appears that IoGetDeviceObjectPointer() returns file system device
|object instead of disk device object, which seems to be true here
|because it searches through all file system in obj name space and
|returns RawFS as it couldn’t find out \Device\Harddisk0\DR0. Is my
|theory correct?
|
|
|So I did the following test to get disk.sys device object list again.
|
|UNICODE_STRING name;
| RtlInitUnicodeString(&name, L”\Device\Harddisk0\DR0");
|
| PFILE_OBJECT pFileObj;
| PDEVICE_OBJECT pDevObj;
| NTSTATUS status = IoGetDeviceObjectPointer(&name, FILE_READ_DATA,
|&pFileObj, &pDevObj);
|
| if(NT_SUCCESS(status))
| {
| status = IoGetDiskDeviceObject(pDevObj, &pDevObj);
|
|// Now pDevObj points to the real disk device object for
|“\Device\Harddisk0\DR0”
|// And pDevObj->DriverObj->DriverName is obviously \Driver\Disk }
|
|My second question is, ‘Is this the only generic way to detect disk
|device objects who claimed the physical harddrives or is there any
cooler way?’
|
|
|Thanks a lot in advance.
|
|Regards,
|Sean
|
|
|
|—
|Questions? First check the IFS FAQ at
|https://www.osronline.com/article.cfm?id=17
|
|You are currently subscribed to ntfsd as: xxxxx@maus.donetsk.ua To
|unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@pctools.com To
unsubscribe send a blank email to xxxxx@lists.osr.com