Problem with ZwCreateFile (NTCreateFile)

Started by chetnik, February 19, 2005, 03:23:57 PM


chetnik

Well, I don't get one thing: this works fine when I create one file (ajova)!!?!?! But when I try to create another it returns FILE_SUPERSEDED in ioblock.Information (I have no idea what this flag means; I've read the DDK and still have no idea what this flag is all about).
Here is the code snippet:

                     push   NULL                                    ; EaLength
                     push   NULL                                    ; EaBuffer
                     push   60h                                     ; CreateOptions: FILE_SYNCHRONOUS_IO_NONALERT or FILE_NON_DIRECTORY_FILE
                     push   FILE_OPEN_IF                            ; CreateDisposition
                     push   NULL                                    ; ShareAccess (no share)
                     push   NULL                                    ; FileAttributes
                     push   NULL                                    ; AllocationSize
                     push   offset ioblock                          ; IoStatusBlock
                     push   offset object                           ; ObjectAttributes
                     push   FILE_GENERIC_READ or FILE_GENERIC_WRITE ; DesiredAccess, 0C0100080h
                     push   offset hFile                            ; FileHandle
                     call   NtCreateFile

I have tried to fill the OBJECT_ATTRIBUTES struct in 2 ways -> 1st with the NT path to the file "\??\C:\masm32\progz\test.txt", and 2nd with "test.txt" and RootDir set to the handle of the current dir, but it won't work :( Of course this is converted to Unicode and the UNICODE_STRING is initialized through RtlInitUnicodeString (full rewrite from ntdll.dll)... It works for the file "ajova"!?!?
It is really weird, I guess; it creates one file, but the other won't...
Does anyone have an idea on this?

Also I have studied the InitializeObjectAttributes MACRO and I see that the 6th member (SecurityQualityOfService) is set to 0, but tracing CreateFileW through OllyDbg I see that it is set to that struct. According to the DDK and many examples that I've read it should be 0, but in practice there is something weird going on :( Or maybe I'm crazy trying to make this work...

Any help would be appreciated :)  :U :U
Best regards
Sorry for my bad English, I haven't spoken it for more than 3 years  :green

pbrennick

chetnik,
When you get down into kernel mode, you are rubbing shoulders with another user called 'System.'  If there is a rights issue, which is what SUPERSEDED is all about, you will always lose that one.  Why are you pursuing that method?  Is it for the Case Sensitivity that is enforced?  Remember that NTDLL.DLL has lots of undocumented stuff that can cause issues, also.

Paul

chetnik

Well, I like to go as deep as possible; that is why I'm using this. I've traced CreateFile all the way, all APIs, everything, but I still don't get why this doesn't work (I use the same parameters, after all, obtained by Olly); really weird stuff is going on here :)
I guess that I will have to spend one more night debugging it :)

SUPERSEDED flag, ehh, I don't understand it yet :( Any documents on it? I'm reading the DDK right now and trying to figure it out (and I have spent the whole day yesterday  :dazzled: :dazzled: but still nothing :(

pbrennick

chetnik,
I will help search, but my copy of the API is old so I must go to MSDN.  There, it is mentioned everywhere but nothing specific.  One thing I have noticed is that that particular API is sensitive to what attributes you chunk together.  Why don't you start by playing with those?

Paul

chetnik

Yep, I'm checking all args passed to it through OllyDbg, and they are the same.
But I guess that there is something about the filename length. As I see it, I can make files whose names are 5 chars, but I can't make any longer or shorter :( Something weird... ehhh, long night :)

chetnik

I have found it.
Arguments passed to it have to be on the stack or on the heap; that is my conclusion...
As I see it, most of the arguments are made on the stack, so by debugging CreateFileW and single-stepping it, I saw that arguments like the unicode_string and such have to be on the stack or on the heap.
And that is my conclusion on this issue :))))
By tracing my previous code I get STATUS_DATATYPE_MISALIGNMENT, so suddenly I got an idea: I have read many C source codes and I found that args MUST be created on the stack...
Well, that's it, 2 nights - no sleep and I got it :)))
:dance: :dance: :dance: :dazzled: :dazzled:
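The stack-based layout chetnik arrives at in this last post, written out as an added example (not chetnik's code or anything else from the thread): every native structure is a LOCAL in the procedure frame and the wide path sits on an ALIGN 4 boundary in .data, since STATUS_DATATYPE_MISALIGNMENT is what the kernel's pointer probe returns for a user buffer that is not naturally aligned. The structures, prototypes and constants are declared in the block itself so it does not depend on a particular include file; it assumes ntdll.lib is present in the MASM32 lib folder, and the path C:\Temp\test.txt is a placeholder.

```masm
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\ntdll.lib    ; assumption: ntdll import library in the MASM32 lib folder
NT_UNICODE_STRING STRUCT            ; declared here (NT_ prefix) to avoid clashing with any include
  uLength     WORD  ?
  uMaxLength  WORD  ?
  pBuffer     DWORD ?
NT_UNICODE_STRING ENDS
NT_OBJECT_ATTRIBUTES STRUCT
  oaLength  DWORD ?
  RootDir   DWORD ?
  ObjName   DWORD ?
  Attribs   DWORD ?
  SecDesc   DWORD ?
  SecQoS    DWORD ?
NT_OBJECT_ATTRIBUTES ENDS
NtCreateFile PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
RtlInitUnicodeString PROTO :DWORD,:DWORD
NT_OBJ_CASE_INSENSITIVE = 40h
NT_FILE_OPEN_IF = 3                 ; open the file, create it if it does not exist
NT_FILE_SYNC_IO_NONALERT = 20h      ; synchronous I/O, as CreateFileW requests it
.data
ALIGN 4                             ; keep the wide path naturally aligned in .data
wNtPath dw '\','?','?','\','C',':','\','T','e','m','p','\','t','e','s','t','.','t','x','t',0  ; placeholder path
.code
OpenNative PROC
  LOCAL hFile:DWORD
  LOCAL iosb[2]:DWORD               ; IO_STATUS_BLOCK: Status, Information
  LOCAL usPath:NT_UNICODE_STRING    ; LOCALs are DWORD-aligned in the frame,
  LOCAL oa:NT_OBJECT_ATTRIBUTES     ; which satisfies the kernel's alignment probe
  invoke RtlInitUnicodeString, addr usPath, addr wNtPath
  mov oa.oaLength, SIZEOF NT_OBJECT_ATTRIBUTES
  mov oa.RootDir, 0                 ; absolute \??\ path, so no root directory handle
  lea eax, usPath
  mov oa.ObjName, eax
  mov oa.Attribs, NT_OBJ_CASE_INSENSITIVE
  mov oa.SecDesc, 0
  mov oa.SecQoS, 0                  ; NULL is correct; CreateFileW fills it only when a QoS is requested
  invoke NtCreateFile, addr hFile, FILE_GENERIC_READ or FILE_GENERIC_WRITE, addr oa, addr iosb, 0, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, NT_FILE_OPEN_IF, NT_FILE_SYNC_IO_NONALERT, 0, 0
  ret                               ; eax = NTSTATUS; the handle is released at process exit in this demo
OpenNative ENDP
start:
  invoke OpenNative
  invoke ExitProcess, 0
end start
```

On success iosb[1] (Information) holds FILE_OPENED (1) or FILE_CREATED (2); FILE_SUPERSEDED is 0, so that value in an untouched block only means the call never reached the file system.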