kernel vs user file name

TheMSsForum.com: The Microsoft Software Forum

I need to read a file in a kernel mode driver. The file name is passed from
a user mode application in the form of "C:\file" or \\Computer\Share\File.
Is there a standard kernel or user mode API, or some document describing the
proper algorithm to convert "C:\file" to "\??\C:\file" (or "\Device\...."),
and "\\Computer\Share\File" to "\Device\Lanman..." (or whatever), in order
to make a user mode file name usable in kernel mode?

Thank you.
Top

Re: kernel vs user file name by Skywing

Skywing
Wed Mar 08 20:51:05 CST 2006

What about passing the handle from user mode instead of the filename? This
way you can avoid a malicious application giving you a filename that the app
couldn't normally touch, and you have better control over network
credentials for remote files.

"Simon" <anonymous@discussions.microsoft.com> wrote in message
news:uiWy9XxQGHA.4696@tk2msftngp13.phx.gbl...
>I need to read a file in a kernel mode driver. The file name is passed from
>a user mode application in the form of "C:\file" or \\Computer\Share\File.
>Is there a standard kernel or user mode API, or some document describing
>the proper algorithm to convert "C:\file" to "\??\C:\file" (or
>"\Device\...."), and "\\Computer\Share\File" to "\Device\Lanman..." (or
>whatever), in order to make a user mode file name usable in kernel mode?
>
> Thank you.
>


Top

Re: kernel vs user file name by r_konjeti

r_konjeti
Thu Mar 09 08:58:39 CST 2006

Can you explain why handle is more secure than file name. Is it becoz,
for example, user who has no permission to write to a file cannot get a
file handle with write permission? So he cannot make driver do what he
is not allowed to do?

Thanks,
Raj

Top

Re: kernel vs user file name by Skywing

Skywing
Thu Mar 09 13:05:26 CST 2006

It depends on how (and when) you open the file in the driver whether the
user would be able to do this - but making the user supply the file handle
makes sure that in all cases the driver cannot be tricked into doing
something "bad" by a nonprivileged user.

If you needed to convert the handle to a PFILE_OBJECT for what you are doing
with it in kernel mode (i.e. instead of using the ZwXxxFile APIs with the
handle) you could use ObReferenceObjectByHandle(UserHandle, RequiredAccess,
*IoFileObjectType, UserMode, (PVOID*)&FileObject, 0), where RequiredAccess
is the access that you need the file handle to provide.

<r_konjeti@mailcity.com> wrote in message
news:1141916319.923380.311010@e56g2000cwe.googlegroups.com...
> Can you explain why handle is more secure than file name. Is it becoz,
> for example, user who has no permission to write to a file cannot get a
> file handle with write permission? So he cannot make driver do what he
> is not allowed to do?
>
> Thanks,
> Raj
>


Top

Re: kernel vs user file name by Simon

Simon
Thu Mar 09 19:13:09 CST 2006

Unfortunately, this is not acceptable. Only the file name can be passed to
the driver. We handle security by impersonating the user in kernel mode.



"Skywing" <skywing_NO_SPAM_@valhallalegends.com> wrote in message
news:uuYWQRyQGHA.5552@TK2MSFTNGP10.phx.gbl...
> What about passing the handle from user mode instead of the filename?
> This way you can avoid a malicious application giving you a filename that
> the app couldn't normally touch, and you have better control over network
> credentials for remote files.
>
> "Simon" <anonymous@discussions.microsoft.com> wrote in message
> news:uiWy9XxQGHA.4696@tk2msftngp13.phx.gbl...
>>I need to read a file in a kernel mode driver. The file name is passed
>>from a user mode application in the form of "C:\file" or
>>\\Computer\Share\File. Is there a standard kernel or user mode API, or
>>some document describing the proper algorithm to convert "C:\file" to
>>"\??\C:\file" (or "\Device\...."), and "\\Computer\Share\File" to
>>"\Device\Lanman..." (or whatever), in order to make a user mode file name
>>usable in kernel mode?
>>
>> Thank you.
>>
>
>


Top

Re: kernel vs user file name by Skywing

Skywing
Thu Mar 09 22:06:24 CST 2006

From user mode, there is the undocumented ntdll!RtlDosPathNameToNtPathName_U
to convert a Win32 path to the appropriate NT path using the correct
symlinks. I would prefer to stick to documented methods (i.e. open the file
in user mode) if at all possible though.

"Simon" <anonymous@discussions.microsoft.com> wrote in message
news:OwYFN$9QGHA.1160@TK2MSFTNGP09.phx.gbl...
> Unfortunately, this is not acceptable. Only the file name can be passed to
> the driver. We handle security by impersonating the user in kernel mode.
>
>
>
> "Skywing" <skywing_NO_SPAM_@valhallalegends.com> wrote in message
> news:uuYWQRyQGHA.5552@TK2MSFTNGP10.phx.gbl...
>> What about passing the handle from user mode instead of the filename?
>> This way you can avoid a malicious application giving you a filename that
>> the app couldn't normally touch, and you have better control over network
>> credentials for remote files.
>>
>> "Simon" <anonymous@discussions.microsoft.com> wrote in message
>> news:uiWy9XxQGHA.4696@tk2msftngp13.phx.gbl...
>>>I need to read a file in a kernel mode driver. The file name is passed
>>>from a user mode application in the form of "C:\file" or
>>>\\Computer\Share\File. Is there a standard kernel or user mode API, or
>>>some document describing the proper algorithm to convert "C:\file" to
>>>"\??\C:\file" (or "\Device\...."), and "\\Computer\Share\File" to
>>>"\Device\Lanman..." (or whatever), in order to make a user mode file name
>>>usable in kernel mode?
>>>
>>> Thank you.
>>>
>>
>>
>
>


Top

Re: kernel vs user file name by Carl

Carl
Fri Mar 10 06:41:13 CST 2006

You can call ZwOpenSymbolicLinkObject on \\DosDevices\\?: where ? is you
driver letter and then call ZwQuerySymbolicLink object to get the target
name, this will give you \\Device\\Harddisk1 etc. All you need to do is some
string work to build up

\Device\Harddisk1\File.txt

from

C:\File.txt

This technique uses APIs that are fully documented in the IFS kit and
possibly the standard DDK.

Hope that helps

Carly

"Simon" <anonymous@discussions.microsoft.com> wrote in message
news:uiWy9XxQGHA.4696@tk2msftngp13.phx.gbl...
>I need to read a file in a kernel mode driver. The file name is passed from
>a user mode application in the form of "C:\file" or \\Computer\Share\File.
>Is there a standard kernel or user mode API, or some document describing
>the proper algorithm to convert "C:\file" to "\??\C:\file" (or
>"\Device\...."), and "\\Computer\Share\File" to "\Device\Lanman..." (or
>whatever), in order to make a user mode file name usable in kernel mode?
>
> Thank you.
>


Top

Re: kernel vs user file name by Skywing

Skywing
Fri Mar 10 08:25:10 CST 2006

This will not work for all paths though - for instance, UNC paths have their
own translation conventions.

"Carl Woodward" <nospam@please.com> wrote in message
news:JteQf.29315$bw1.8164@newsfe2-win.ntli.net...
> You can call ZwOpenSymbolicLinkObject on \\DosDevices\\?: where ? is you
> driver letter and then call ZwQuerySymbolicLink object to get the target
> name, this will give you \\Device\\Harddisk1 etc. All you need to do is
> some string work to build up
>
> \Device\Harddisk1\File.txt
>
> from
>
> C:\File.txt
>
> This technique uses APIs that are fully documented in the IFS kit and
> possibly the standard DDK.
>
> Hope that helps
>
> Carly
>
> "Simon" <anonymous@discussions.microsoft.com> wrote in message
> news:uiWy9XxQGHA.4696@tk2msftngp13.phx.gbl...
>>I need to read a file in a kernel mode driver. The file name is passed
>>from a user mode application in the form of "C:\file" or
>>\\Computer\Share\File. Is there a standard kernel or user mode API, or
>>some document describing the proper algorithm to convert "C:\file" to
>>"\??\C:\file" (or "\Device\...."), and "\\Computer\Share\File" to
>>"\Device\Lanman..." (or whatever), in order to make a user mode file name
>>usable in kernel mode?
>>
>> Thank you.
>>
>
>


Top

Re: kernel vs user file name by Carl

Carl
Fri Mar 10 14:00:22 CST 2006

True.

Carly

"Skywing" <skywing_NO_SPAM_@valhallalegends.com> wrote in message
news:e3nqw5ERGHA.224@TK2MSFTNGP10.phx.gbl...
> This will not work for all paths though - for instance, UNC paths have
> their own translation conventions.
>
> "Carl Woodward" <nospam@please.com> wrote in message
> news:JteQf.29315$bw1.8164@newsfe2-win.ntli.net...
>> You can call ZwOpenSymbolicLinkObject on \\DosDevices\\?: where ? is you
>> driver letter and then call ZwQuerySymbolicLink object to get the target
>> name, this will give you \\Device\\Harddisk1 etc. All you need to do is
>> some string work to build up
>>
>> \Device\Harddisk1\File.txt
>>
>> from
>>
>> C:\File.txt
>>
>> This technique uses APIs that are fully documented in the IFS kit and
>> possibly the standard DDK.
>>
>> Hope that helps
>>
>> Carly
>>
>> "Simon" <anonymous@discussions.microsoft.com> wrote in message
>> news:uiWy9XxQGHA.4696@tk2msftngp13.phx.gbl...
>>>I need to read a file in a kernel mode driver. The file name is passed
>>>from a user mode application in the form of "C:\file" or
>>>\\Computer\Share\File. Is there a standard kernel or user mode API, or
>>>some document describing the proper algorithm to convert "C:\file" to
>>>"\??\C:\file" (or "\Device\...."), and "\\Computer\Share\File" to
>>>"\Device\Lanman..." (or whatever), in order to make a user mode file name
>>>usable in kernel mode?
>>>
>>> Thank you.
>>>
>>
>>
>
>


Top

Re: kernel vs user file name by Carl

Carl
Fri Mar 10 14:04:24 CST 2006

True, it will only work on paths symbolic links (obviously)... Didn't read
the original postee's requirements as well as I might have...!

Carly

"Skywing" <skywing_NO_SPAM_@valhallalegends.com> wrote in message
news:e3nqw5ERGHA.224@TK2MSFTNGP10.phx.gbl...
> This will not work for all paths though - for instance, UNC paths have
> their own translation conventions.
>
> "Carl Woodward" <nospam@please.com> wrote in message
> news:JteQf.29315$bw1.8164@newsfe2-win.ntli.net...
>> You can call ZwOpenSymbolicLinkObject on \\DosDevices\\?: where ? is you
>> driver letter and then call ZwQuerySymbolicLink object to get the target
>> name, this will give you \\Device\\Harddisk1 etc. All you need to do is
>> some string work to build up
>>
>> \Device\Harddisk1\File.txt
>>
>> from
>>
>> C:\File.txt
>>
>> This technique uses APIs that are fully documented in the IFS kit and
>> possibly the standard DDK.
>>
>> Hope that helps
>>
>> Carly
>>
>> "Simon" <anonymous@discussions.microsoft.com> wrote in message
>> news:uiWy9XxQGHA.4696@tk2msftngp13.phx.gbl...
>>>I need to read a file in a kernel mode driver. The file name is passed
>>>from a user mode application in the form of "C:\file" or
>>>\\Computer\Share\File. Is there a standard kernel or user mode API, or
>>>some document describing the proper algorithm to convert "C:\file" to
>>>"\??\C:\file" (or "\Device\...."), and "\\Computer\Share\File" to
>>>"\Device\Lanman..." (or whatever), in order to make a user mode file name
>>>usable in kernel mode?
>>>
>>> Thank you.
>>>
>>
>>
>
>


Top

Re: kernel vs user file name by Simon

Simon
Sun Mar 12 13:13:30 CST 2006

Thank you. I looked for "Dos" in ntoskrnl, but forgot to check ntdll.



"Skywing" <skywing_NO_SPAM_@valhallalegends.com> wrote in message
news:OscmAg$QGHA.5296@TK2MSFTNGP10.phx.gbl...
> From user mode, there is the undocumented
> ntdll!RtlDosPathNameToNtPathName_U to convert a Win32 path to the
> appropriate NT path using the correct symlinks. I would prefer to stick
> to documented methods (i.e. open the file in user mode) if at all possible
> though.
>
> "Simon" <anonymous@discussions.microsoft.com> wrote in message
> news:OwYFN$9QGHA.1160@TK2MSFTNGP09.phx.gbl...
>> Unfortunately, this is not acceptable. Only the file name can be passed
>> to the driver. We handle security by impersonating the user in kernel
>> mode.
>>
>>
>>
>> "Skywing" <skywing_NO_SPAM_@valhallalegends.com> wrote in message
>> news:uuYWQRyQGHA.5552@TK2MSFTNGP10.phx.gbl...
>>> What about passing the handle from user mode instead of the filename?
>>> This way you can avoid a malicious application giving you a filename
>>> that the app couldn't normally touch, and you have better control over
>>> network credentials for remote files.
>>>
>>> "Simon" <anonymous@discussions.microsoft.com> wrote in message
>>> news:uiWy9XxQGHA.4696@tk2msftngp13.phx.gbl...
>>>>I need to read a file in a kernel mode driver. The file name is passed
>>>>from a user mode application in the form of "C:\file" or
>>>>\\Computer\Share\File. Is there a standard kernel or user mode API, or
>>>>some document describing the proper algorithm to convert "C:\file" to
>>>>"\??\C:\file" (or "\Device\...."), and "\\Computer\Share\File" to
>>>>"\Device\Lanman..." (or whatever), in order to make a user mode file
>>>>name usable in kernel mode?
>>>>
>>>> Thank you.
>>>>
>>>
>>>
>>
>>
>
>


Top