A forum for reverse engineering, OS internals and malware analysis 

Zwxxx routine: ZwReadfile Example

Forum for discussion about kernel-mode development.

Zwxxx routine: ZwReadfile Example

 #6295  by StriderH2
 Thu May 12, 2011 4:06 am
I need to use the driver and have it read information from a text file periodically. Being new to drivers I thought it would be great to start with strings.

What I cannot understand is how to actually compile the following code in WinDDK. I can do a simple Hello world but..

Is there a way to read a line of text from a text file, and output it to the dbg console.

Am I doing something wrong in this code? Any help would be most appreciated.

Code: Select all
#include <ntddk.h> 

//1.Path information
UNICODE_STRING     uniName;
    OBJECT_ATTRIBUTES  objAttr;
//Path
    RtlInitUnicodeString(&uniName, L"\\SystemRoot\\example.txt"));  // or L"\\SystemRoot\\example.txt"
    InitializeObjectAttributes(&objAttr, &uniName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);
                               //
//2.Obtain file handle From 1.
 HANDLE   handle;
    NTSTATUS ntstatus;
    IO_STATUS_BLOCK    ioStatusBlock;

    if(KeGetCurrentIrql() != PASSIVE_LEVEL)
        return STATUS_INVALID_DEVICE_STATE; 

    ntstatus = ZwCreateFile(&handle,
                            GENERIC_WRITE,
                            &objAttr, &ioStatusBlock, NULL,
                            FILE_ATTRIBUTE_NORMAL,
                            0,
                            FILE_OVERWRITE_IF, 
                            FILE_SYNCHRONOUS_IO_NONALERT,
                            NULL, 0);
                            // 
//3. Load the buffer (ie. contents of text file to the console)
LARGE_INTEGER      byteOffset;

    ntstatus = ZwCreateFile(&handle,
                            GENERIC_READ,
                            &objAttr, &ioStatusBlock,
                            NULL,
                            FILE_ATTRIBUTE_NORMAL,
                            0,
                            FILE_OPEN, 
                            FILE_SYNCHRONOUS_IO_NONALERT,
                            NULL, 0);
    if(NT_SUCCESS(ntstatus)) {
        byteOffset.LowPart = byteOffset.HighPart = 0;
        ntstatus = ZwReadFile(handle, NULL, NULL, NULL, &ioStatusBlock,
                              buffer, BUFFER_SIZE, &byteOffset, NULL);
        if(NT_SUCCESS(ntstatus)) {
            buffer[BUFFER_SIZE-1] = '\0';
            DbgPrint("%s\n", buffer);
        }
        ZwClose(handle);
    }


NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)  
{  //Driver entry <--am I supposed to put some of the code above into this area? Or are they supposed to be outside of it?
  
  //DbgPrint("Hello World\n");
  return STATUS_SUCCESS;

}

Re: Zwxxx routine: ZwReadfile Example

 #6296  by izlesa
 Thu May 12, 2011 7:41 am
read book about C (e.g K&R). Code of open and read file must be placed into DriverEntry procedure. And why you open file twice?

Re: Zwxxx routine: ZwReadfile Example

 #6301  by StriderH2
 Thu May 12, 2011 11:42 am
It's okay I think I'm almost there.

There was a lot of reading involved, yes.

I managed to compile it without error this time but it does not return anything to the debugview console.
Code: Select all
#include <ntddk.h> 
#define  BUFFER_SIZE 30

    HANDLE   handle;
    NTSTATUS ntstatus;
    IO_STATUS_BLOCK    ioStatusBlock;
    LARGE_INTEGER      byteOffset;
   CHAR     buffer[BUFFER_SIZE];
    size_t  cb;

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)  
{
          NTSTATUS NtStatus = STATUS_SUCCESS;
         /////////////////////// THIS SECTION /////////////////////////////////////
UNICODE_STRING     uniName;
    OBJECT_ATTRIBUTES  objAttr;
 RtlInitUnicodeString(&uniName, L"\\SystemRoot\\example.txt");  // or L"\\SystemRoot\\example.txt"
    InitializeObjectAttributes(&objAttr, &uniName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);
//////////////////////////////////

///////////////////////////////////
//Load the buffer (ie. contents of text file to the console)
 ntstatus = ZwCreateFile(&handle,
                            GENERIC_READ,
                            &objAttr, &ioStatusBlock,
                            NULL,
                            FILE_ATTRIBUTE_NORMAL,
                            0,
                            FILE_OPEN, 
                            FILE_SYNCHRONOUS_IO_NONALERT,
                            NULL, 0);
///////////////////////////////////////
if(NT_SUCCESS(ntstatus)) {
        byteOffset.LowPart = byteOffset.HighPart = 0;
        ntstatus = ZwReadFile(handle, NULL, NULL, NULL, &ioStatusBlock,
                              buffer, BUFFER_SIZE, &byteOffset, NULL);
        if(NT_SUCCESS(ntstatus)) {
            buffer[BUFFER_SIZE-1] = '\0';
          KdPrint(("%s\n", buffer));
        }
        ZwClose(handle);
    } 
   
  //DbgPrint("Hello World\n");
 return STATUS_SUCCESS;
}
CAn't edit the previous post however ;(

Ok

 #6303  by StriderH2
 Thu May 12, 2011 12:35 pm
Windows XP Service pack 3.

The problem is resolved- here is the code:
Code: Select all
#include <ntddk.h> 
#define  BUFFER_SIZE 30
//
    HANDLE   handle;
    NTSTATUS ntstatus;
    IO_STATUS_BLOCK    ioStatusBlock;
    LARGE_INTEGER      byteOffset;
   CHAR     buffer[BUFFER_SIZE];
    size_t  cb;

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)  
{
          NTSTATUS NtStatus = STATUS_SUCCESS;
         /////////////////////// THIS SECTION /////////////////////////////////////
UNICODE_STRING     uniName;
    OBJECT_ATTRIBUTES  objAttr;
    ////////////////////////////////\\SystemRoot\\ or C:\WINDOWS / C:|WINNT
 RtlInitUnicodeString(&uniName, L"\\SystemRoot\\native.txt");  // or L"\\SystemRoot\\example.txt"
    InitializeObjectAttributes(&objAttr, &uniName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);
//////////////////////////////////

///////////////////////////////////
//Load the buffer (ie. contents of text file to the console)
 ntstatus = ZwCreateFile(&handle,
                            GENERIC_READ,
                            &objAttr, &ioStatusBlock,
                            NULL,
                            FILE_ATTRIBUTE_NORMAL,
                            0,
                            FILE_OPEN, 
                            FILE_SYNCHRONOUS_IO_NONALERT,
                            NULL, 0);
///////////////////////////////////////
if(NT_SUCCESS(ntstatus)) {
        byteOffset.LowPart = byteOffset.HighPart = 0;
        ntstatus = ZwReadFile(handle, NULL, NULL, NULL, &ioStatusBlock,
                              buffer, BUFFER_SIZE, &byteOffset, NULL);
      buffer[BUFFER_SIZE-1] = '\0';
          KdPrint(("%s\n", buffer));
          
        }
        ZwClose(handle);
          //DbgPrint("Hello World\n");
  return 0;
    }
 Return to “Kernel-Mode Development”