Well I don't get one thing: this works fine when I create one file (ajova) !!?!?! But when I try to create another it returns FILE_SUPERSEDED in ioblock.Information (I have no idea what this flag means; I've read the DDK and still have no idea what this flag is all about).
Here is the code snippet:
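push null ; EaLength
push null ; EaBuffer
push 60h ; CreateOptions: FILE_SYNCHRONOUS_IO_NONALERT or FILE_NON_DIRECTORY_FILE
push FILE_OPEN_IF ; CreateDisposition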
push null ;no share
push null ; file attributes
push null ;AllocationSize
push offset ioblock
push offset object
push FILE_GENERIC_READ or FILE_GENERIC_WRITE ;0C0100080h
push offset hFile
call NtCreateFile
I have tried to fill the OBJECT_ATTRIBUTES struct in 2 ways -> 1st with the NT path to the file "\??\C:\masm32\progz\test.txt", and with "test.txt" and RootDir set to the handle of the current dir, but it won't work :( Of course this is modified to Unicode and the UNICODE_STRING is initialized through RtlInitUnicodeString (full rewrite from ntdll.dll)... It works for the file "ajova"!?!?
It is really weird I guess, it creates one file, but the other it won't...
Does anyone have an idea on this?
Also I have studied the InitializeObjectAttributes MACRO and I see that the 6th member (SecurityQualityOfService) is set to 0, but tracing CreateFileW through OllyDbg I see that it is set to that struct. According to the DDK and many examples that I've read it should be 0, but in practice there is something weird going on :( Or maybe I'm crazy trying to make this work...
Any help would be appreciated :) :U :U
Best regards
Sorry for my bad English, I haven't spoken it for more than 3 years :green
chetnik,
When you get down into kernel mode, you are rubbing shoulders with another user called 'System.' If there is a rights issue, which is what SUPERSEDED is all about, you will always lose that one. Why are you pursuing that method? Is it for the case sensitivity that is enforced? Remember that NTDLL.DLL has lots of undocumented stuff that can cause issues, also.
Paul
Well I like to go as deep as possible, that is why I'm using this. I've traced CreateFile all the way, all APIs, everything, but I still don't get why this doesn't work (I use the same parameters after all, obtained by Olly), really weird stuff is going on here :)
I guess that I will have to spend one more night debugging it :)
SUPERSEDED flag, ehh, I don't understand it yet :( Any documents on it? I'm reading the DDK right now and trying to figure it out (and I spent the whole day yesterday :dazzled: :dazzled: but still nothing :(
chetnik,
I will help search, but my copy of the API is old so I must go to MSDN. There, it is mentioned everywhere but nothing specific. One thing I have noticed is that that particular API is sensitive to what attributes you chunk together. Why don't you start by playing with those?
Paul
Yep, I'm checking all args passed to it through OllyDbg, and they are the same.
But I guess that there is something about the filename length. As I see, I can make files which are 5 chars, but I can't make any longer or shorter :( Something weird... ehhh, long night :)
I have found it.
Arguments passed to it have to be on the stack or on the heap, that is my conclusion...
As I see, most of the arguments are made on the stack, so by debugging CreateFileW and single-stepping it, I saw that arguments such as unicode_string have to be on the stack or on the heap.
And that is my conclusion on this issue :))))
By stracing my previous code I get STATUS_DATATYPE_MISALIGNMENT, so suddenly I've got an idea: I have read many C source codes and I found that args MUST be created on the stack...
Well that's it, 2 nights - no sleep and I got it :)))
:dance: :dance: :dance: :dazzled: :dazzled:
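Added example, not part of the thread: STATUS_DATATYPE_MISALIGNMENT, the status reported in the last post, signals a buffer address that does not meet the alignment the callee requires. This C model shows how the length of a wide-character filename declared ahead of the structures decides whether they land on 4-byte boundaries, and what alignment padding changes. The data layout, the 32-bit structure sizes and the 4-byte requirement are assumptions of the model; the thread does not show the data declarations.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not code from the thread: a 32-bit MASM-style .data
   section where items are emitted back to back unless ALIGN is used.
   Assumed layout: wide filename, then the three structures NtCreateFile reads. */
#define NITEMS 4
typedef struct { const char *name; size_t size, need; } Item;

/* Fills offs[] with each item's offset from a 4-byte-aligned section start
   and returns a bitmask of the items whose offset breaks their alignment. */
unsigned misaligned_mask(const char *fname, int use_align, size_t offs[NITEMS])
{
    Item items[NITEMS] = {
        { "filename (WCHARs)", (strlen(fname) + 1) * 2, 2 }, /* + null WCHAR */
        { "UNICODE_STRING",    8,  4 },  /* 2 WORDs + 32-bit pointer     */
        { "OBJECT_ATTRIBUTES", 24, 4 },  /* 6 DWORD-sized members        */
        { "IO_STATUS_BLOCK",   8,  4 },  /* Status + Information         */
    };
    size_t off = 0;
    unsigned mask = 0;
    for (int i = 0; i < NITEMS; i++) {
        if (use_align)                   /* padding an ALIGN directive adds */
            off = (off + items[i].need - 1) & ~(items[i].need - 1);
        offs[i] = off;
        if (off % items[i].need)         /* offset not a multiple of need */
            mask |= 1u << i;
        off += items[i].size;
    }
    return mask;
}

int main(void)
{
    const char *names[] = { "ajova", "test.txt" };  /* names from the thread */
    size_t offs[NITEMS];
    for (int n = 0; n < 2; n++)
        for (int a = 0; a <= 1; a++) {
            unsigned m = misaligned_mask(names[n], a, offs);
            printf("%-8s align=%d UNICODE_STRING@%u mask=0x%X\n",
                   names[n], a, (unsigned)offs[1], m);
        }
    return 0;
}
```

In MASM source the equivalent of `use_align` is an `ALIGN 4` directive ahead of each structure declaration.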