[RoxinAz]

Hi,
I'm loading boot time driver at "System Reserved" or "Boot bus extender(tag = 1)" group.
How can I access file system (even raw)?
I wanna use 'zwopenfile' or 'zwcreatefile' but it didn't work and return 0xc000003a = 'can not find the file specified'
anyone know what is the correct path (filename) for these APIs?

The pathes I tried : "\\Device\\HarddiskVolumeX" , "\\DosDevices\\C:" , "\\arcname\\multi(0)disk(0)rdisk(0)partition(x)\\windows" , ...

Code: Select all

BOOLEAN FileAccessCheck()
{

	UNICODE_STRING     uniName;
	OBJECT_ATTRIBUTES  objAttr;
	NTSTATUS Status = STATUS_SUCCESS;
	HANDLE FileHandle = NULL;
	IO_STATUS_BLOCK ioStatusBlock;
	__asm int 3
	RtlInitUnicodeString(&uniName,L"\\DosDevices\\C:\\Windows\\Test.txt"); 
	InitializeObjectAttributes(&objAttr, &uniName,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,NULL, NULL);
	Status =  ZwCreateFile(&FileHandle,
				GENERIC_READ,
				&objAttr,
				&ioStatusBlock,
				0,
				FILE_ATTRIBUTE_NORMAL,
				FILE_SHARE_READ | FILE_SHARE_WRITE,
				FILE_CREATE,
				0x10000,
				0,
				0);
	if(!NT_SUCCESS(Status)) 
	{
			DbgPrint("Can't create : %x h\n",Status);
			return FALSE;
	}
	else
		DbgPrint("Created! : %x h\n",Status);
		
	ZwClose(FileHandle);
		
	return TRUE;
}

[EP_X0FF]

RtlInitUnicodeString(&uniName,L"\\DosDevices\\C:\\Windows\\Test.txt");

try L"\\SystemRoot\\test.txt" instead

[RoxinAz]

try L"\\SystemRoot\\test.txt" instead

I tried, but it seems ,these path didn't work at boot time...
Hmmm... Whatever, I don't know how 'ImagePath' of service registries can be recognize by these path then load drivers?!!

[TETYYSs]

Well i did L"\\??\\C:\\test.txt" last time, when I was creating file from kernel-mode.

[RoxinAz]

Well i did L"\\??\\C:\\test.txt" last time, when I was creating file from kernel-mode.

It's not just kernel mode question,even it's boot time loading question...( right after loading ntoskernel , KDCOM and some important dlls ). ;)
However, symlink and GLOBAL objects are not yet created, so I can't use "\\??\\"

[kmd]

boot drivers must be located inside system32\drivers directory otherwise windows won't load them. It just like recovery console.

arcname should be available

try \Device\Harddisk0\Partition1\windows\test.txt etc and not C:\ or \??\

[tx707]

It has to be in the drivers directory and you are calling it wrong. You HAVE TO specify the name which you have but you specified it incorrectly.

-tx707

[EP_X0FF]

try L"\\SystemRoot\\test.txt" instead

I tried, but it seems ,these path didn't work at boot time...
Hmmm... Whatever, I don't know how 'ImagePath' of service registries can be recognize by these path then load drivers?!!

It seems I don't understand you correctly. You placed your driver right after ntoskrnl and it dependencies, yes?
SystemRoot link created at very early stage of ntos initialization, so it is here, but what is happening when you do usual ZwCreateFile: system using object manager to create a IRP and send it to the corresponding driver. Which is not loaded, so service fails. If you have WRK you can investigate how Windows itself manages drivers loading at boot stage.

[Cr4sh]

I'm loading boot time driver at "System Reserved" or "Boot bus extender(tag = 1)" group.
How can I access file system (even raw)?

You can't do that because disk and file system drivers are not initialized at this point.
But it's possible to register notification routine (with IoRegisterPlugPlayNotification) that will be called by kernel when appropriate devices and drivers will be ready.

[kmd]

so how does windows itself then loads boot drivers?