
Here I am trying to get a file handle by opening the file by objectID. This open call is returning access denied, but the calling process has full write access to the volume. The same call is working on some particular machine and always getting access denied on others.

```
FILE_OBJECTID_BUFFER *ObjId;   // filled earlier via FSCTL_GET_OBJECT_ID
UNICODESTRING findstr;
// The "name" is the raw 16-byte object ID, not a path string
findstr.Buffer          = (WCHAR*)&(ObjId->ObjectId);
findstr.Length          = sizeof(ObjId->ObjectId);
findstr.MaximumLength   = sizeof(ObjId->ObjectId);

OBJECT_ATTRIBUTES ObjAttribute = {0};
InitializeObjectAttributes(&ObjAttribute,
                           &findstr,
                           OBJ_CASE_INSENSITIVE,
                           VolumeHandle,   // root: handle to the volume that holds the file
                           NULL);

IO_STATUS_BLOCK iosb = {0};

ULONG status = NtCreateFile(&targethandle,
                            GENERIC_ALL,
                            &ObjAttribute,
                            &iosb,
                            NULL,
                            FILE_ATTRIBUTE_NORMAL,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            FILE_OPEN,
                            FILE_OPEN_BY_FILE_ID | FILE_NON_DIRECTORY_FILE,
                            NULL, 0);
```

Is some flag missing here? Or is there any other way to open the file handle by ObjectID? I am using FSCTL_GET_OBJECT_ID to get the file objectid.

```
fsutil objectid query <file_path>
```

hdk
  • I am able to open the file with this code in ws2019. As per the MSDN documentation https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwcreatefile: "ObjectAttributes [in] A pointer to an OBJECT_ATTRIBUTES structure that specifies the object name and other attributes. Use InitializeObjectAttributes to initialize this structure. If the caller is not running in a system thread context, it must set the OBJ_KERNEL_HANDLE attribute when it calls InitializeObjectAttributes." We can pass object attributes here – hdk Oct 09 '20 at 10:49
  • iosb -> IO_STATUS_BLOCK – hdk Oct 09 '20 at 10:52
  • FILE_OPEN_BY_FILE_ID: "The file name that is specified by the ObjectAttributes parameter includes a binary 8-byte or 16-byte file reference number or object ID for the file, depending on the file system." – hdk Oct 09 '20 at 10:54
  • `UNICODESTRING` or `UNICODE_STRING`? In any case you did not initialize its length – RbMm Oct 09 '20 at 10:59
  • Initialized the length in the program, forgot to add this in the sample code for the question. But if there is some issue with parameters it should fail with ERROR_INVALID_PARAMETER or ERROR_PATH_NOT_FOUND. The error I am seeing with this is access denied. – hdk Oct 09 '20 at 11:04
  • it must return NTSTATUS, not a win32 error. https://pastebin.com/gX7rGVjY - this code works OK – RbMm Oct 09 '20 at 11:05
  • if you got `STATUS_ACCESS_DENIED` this is ok – RbMm Oct 09 '20 at 11:07
  • STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L) yes this was the return – hdk Oct 09 '20 at 11:08
  • what is unusual in `STATUS_ACCESS_DENIED`? So you cannot open it with `GENERIC_ALL` – RbMm Oct 09 '20 at 11:10
  • *I am using FSCTL_GET_OBJECT_ID to get the file objectid* - in this case you already need to open the file. Why do you need to re-open it again? Why not try requesting less access to the file at the beginning? If you use `NtQueryDirectoryFile` with `FileObjectIdInformation`, it will make more sense compared to `FSCTL_GET_OBJECT_ID` – RbMm Oct 09 '20 at 11:15
  • "Why do you need to re-open it again?" -> Storing the objectid in the first open and closing the same, and trying to open the file in a later part of the code. Let me check with less permissions. – hdk Oct 09 '20 at 11:23
  • already in this case better store 8 byte file id than 16 byte object id – RbMm Oct 09 '20 at 11:27
  • *storing the objectid in first open and closing the same.* but based on what do you open the file first? From where do you get its name (if you open it by name)? – RbMm Oct 09 '20 at 11:29
  • If you're not working in the kernel, call [`OpenFileById`](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openfilebyid). Also avoid requesting *all* access when opening files and directories. Backup semantics with SeBackupPrivilege and SeRestorePrivilege enabled does not provide `FILE_DELETE_CHILD` (0x40) access, so in some cases (e.g. an empty DACL) even a privileged administrator can't immediately open a file/directory with *all* access, not without first modifying the file security. Request the minimum required access. – Eryk Sun Oct 09 '20 at 12:05
  • @ErykSun, Will I be able to use OpenFileById, with object attributes? – hdk Oct 09 '20 at 12:12
  • Strange question. Windows API functions don't work with `OBJECT_ATTRIBUTES` records. – Eryk Sun Oct 09 '20 at 12:21
  • Update: If I add the SYNCHRONIZE flag in the access rights, it gives access denied while opening the file. Without the SYNCHRONIZE flag I am able to get the file handle. Any suggestion here? – hdk Oct 27 '20 at 05:31
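
The point in Eryk Sun's comment about requesting *all* access, as a simplified model added here (not code from the question or from any commenter): `GENERIC_ALL` is mapped to `FILE_ALL_ACCESS`, and the open is denied if any mapped bit is not granted. `map_generic_file`, `missing_rights` and `SAMPLE_MODIFY_GRANT` are hypothetical names with a constructed sample mask; the real access check also handles deny ACEs, privileges and `MAXIMUM_ALLOWED`.

```c
#include <stdint.h>
#include <stdio.h>

/* Values from winnt.h, repeated so this model compiles on any platform. */
#define GENERIC_READ          0x80000000u
#define GENERIC_WRITE         0x40000000u
#define GENERIC_EXECUTE       0x20000000u
#define GENERIC_ALL           0x10000000u
#define FILE_GENERIC_READ     0x00120089u
#define FILE_GENERIC_WRITE    0x00120116u
#define FILE_GENERIC_EXECUTE  0x001200A0u
#define FILE_ALL_ACCESS       0x001F01FFu
#define FILE_DELETE_CHILD     0x00000040u
#define WRITE_DAC             0x00040000u
#define WRITE_OWNER           0x00080000u

/* Constructed sample: the mask a "Modify" allow ACE grants on a file
 * (read + write + execute + DELETE, but not full control). */
#define SAMPLE_MODIFY_GRANT   0x001301BFu

/* Replace the generic bits with the file-specific rights they stand for. */
uint32_t map_generic_file(uint32_t desired)
{
    uint32_t mapped = desired & 0x0FFFFFFFu;      /* drop the generic bits */
    if (desired & GENERIC_READ)    mapped |= FILE_GENERIC_READ;
    if (desired & GENERIC_WRITE)   mapped |= FILE_GENERIC_WRITE;
    if (desired & GENERIC_EXECUTE) mapped |= FILE_GENERIC_EXECUTE;
    if (desired & GENERIC_ALL)     mapped |= FILE_ALL_ACCESS;
    return mapped;
}

/* Rights that were requested but not granted.
 * Any nonzero result corresponds to STATUS_ACCESS_DENIED. */
uint32_t missing_rights(uint32_t desired, uint32_t granted)
{
    return map_generic_file(desired) & ~granted;
}

int main(void)
{
    /* A caller with write access still fails a GENERIC_ALL request. */
    printf("GENERIC_ALL        : missing 0x%08X\n",
           (unsigned)missing_rights(GENERIC_ALL, SAMPLE_MODIFY_GRANT));
    /* Asking only for what is needed succeeds with the same grant. */
    printf("GENERIC_READ|WRITE : missing 0x%08X\n",
           (unsigned)missing_rights(GENERIC_READ | GENERIC_WRITE, SAMPLE_MODIFY_GRANT));
    return 0;
}
```

The bits reported missing for `GENERIC_ALL` are `WRITE_DAC`, `WRITE_OWNER` and `FILE_DELETE_CHILD`, which is why a caller with write access can still be denied.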

0 Answers