From: "David Goebel (Balder Technology Group, Inc.)" <davidg@balder.com>
To: "'Phillip Susi'", "'ntfsd@atria.com'"
Subject: RE: [ntfsd] Communicating with a FSD from User Mode?
Date: Sat, 17 Jan 1998 09:34:51 -0800

just catching up on ntfsd....

Note that NtCreateFile() is an undocumented API and as such is subject to change from release to release (or even service pack to service pack). It should not be used. ZwCreateFile() is documented in the DDK for use in kernel mode. While I'm sure Tony has found a clever way to make it work in user mode, it's not a supported use.

Tony's first suggestion, using symbolic links, is the correct method to give user mode programs access to your device objects. You can find details on doing this in the DDK docs: "16.9.1 Making a Named Device Object Visible to User-mode Applications".

Also, when sending your device I/O controls, take care that it will be handled differently because it is coming via a different device object. Look at how FSCTL_INVALIDATE_VOLUMES is handled in FatFsdFileSystemControl() (fastfat\fsctrl.c).
This FSCTL is sent via the file system's named device object (as opposed to the volume's device object) and thus has to be caught before normal processing.

David

PS: The difference between Nt and Zw APIs is more than parameter checking. Basically, software interrupts are used to control the value of Irp->RequestorMode, which thereby controls parameter checking. Manish Apte posted a good message on this topic back in June, which I've pasted to the end of this message.

>-----Original Message-----
>From: Phillip Susi [SMTP:phreak@iag.net]
>Sent: Thursday, January 08, 1998 2:04 PM
>To: ntfsd@atria.com
>Subject: RE: [ntfsd] Communicating with a FSD from User Mode?
>
>Don't you mean NtCreateFile()? All of the Zw* functions are supposed to be
>kernel mode only because they don't do parameter validation.
>
>At 05:42 PM 12/31/97 -0500, you wrote:
>>For a physical media file system you'd normally do this via the NAMED
>>device object. Like "\Ntfs" or "\Cdfs". Of course, there's no symbolic
>>link to DosDevices, so you can either (a) create one using
>>DefineDosDevice; or (b) use ZwCreateFile which is documented in the 4.0
>>DDK (and works in user mode, with a small amount of work.)
>>
>>Best of luck on your project.
>>
>>Regards,
>>
>>Tony
>>
>>Tony Mason
>>Consulting Partner
>>OSR Open Systems Resources, Inc.
>>http://www.osr.com
>>
>>-----Original Message-----
>>From: Assaf Pazner [mailto:a-pazner@uchicago.edu]
>>Sent: Wednesday, December 31, 1997 1:11 PM
>>To: 'NTFSD Mailing List'
>>Subject: [ntfsd] Communicating with a FSD from User Mode?
>>
>>
>>Hi there,
>>
>>Is there any way I can send device IO control codes to my FSD without
>>generating a mount?
>>
>>Thanks in advance.
>>Assaf Pazner.
>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>>[ To unsubscribe, send email to ntfsd-request@atria.com with body
>>UNSUBSCRIBE (the subject is ignored).
>>]
>>
>>
> -->Phillip Susi
> Phreak@iag.net

-----Original Message-----
From: Manish Apte [SMTP:manish@querisoft.com]
Sent: Wednesday, June 04, 1997 10:50 AM
To: 'Lavoie, Martin'
Cc: 'NT Mailing List FSD'
Subject: RE: Using NtCreateFile or IoCreateFile within drivers

Hello,

This has to do with the way NtXxxx and ZwXxxx calls are designed. Let me try and explain.

Any Kernel Mode Driver (KMD) is not supposed to call 'NtXxxx' functions directly. This is because the OS expects these calls to be made through the 'Int 2E' service routine. This 'Int 2E' is the 'NT Executive' gateway to enter Ring-0. This is typically used by 'NTDLL.DLL' running in Ring-3 to transfer control to the 'NT Executive' in Ring-0. The same 'Int 2E' is also invoked through 'ZwXxxx' type calls made from a KMD in Ring-0.

The 'Int 2E' service routine makes calls to 'NtXxxx' type functions based on the value in EAX. Before making a call to an 'NtXxxx' function, the 'Int 2E' service routine sets an internal flag to indicate the previous mode of the caller before calling 'Int 2E'. When NTDLL calls 'Int 2E' the mode is 'USER' and when 'ZwXxxx' calls 'Int 2E' the mode is 'KERNEL'. This is achieved by checking the CS register value of the caller of 'Int 2E'.

In any 'NtXxxx' function this internal flag is very important. It is used to do basic validation of the parameters of 'NtXxxx' functions (typically pointers to buffers). Given this, when control reaches a KMD through NTDLL and 'Int 2E' (typically because of some user mode program request) the mode is set to USER.
Now when a KMD makes a call to 'NtXxxx' directly in Ring-0 with a parameter such as a 'pointer to buffer' having a linear address above 2GB, the NtXxxx function gives ACCESS_DENIED because the mode is USER and the address is from the KERNEL mode area (above 2GB). Instead, if you call a 'ZwXxxx' type function, it does nothing but issue 'Int 2E' in Ring-0 again. Now the 'Int 2E' service routine is entered with a different CS (the one for KERNEL code). Because of this the 'Int 2E' routine sets the mode to KERNEL and calls the corresponding NtXxxx function. Now the NtXxxx function has the mode set to KERNEL and the pointers are also from the KERNEL mode range, hence it does not return ACCESS_DENIED.

This is based on my tracing effort. If anyone has a correct/different explanation, please feel free to send it to me.

Regards,
Manish Apte
manish@querisoft.com
mapte@qspl.stpp.soft.net
Querisoft System Pvt. Ltd., Pune, India.
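A worked model of the mechanism David and Manish describe above (the Int 2E gate setting the previous mode from the caller's CS, Nt* validating buffer pointers only when that mode is user, Zw* re-entering the gate from kernel code), added here as an example; it is not code from the original thread and not NT source. It is a constructed C simulation: the 2 GB user/kernel split, the gate, the service names NtReadSomething/ZwReadSomething, the ToyIrp structure and the four driver routines are all invented for this page, and the status values are toy codes, not real NTSTATUS values. Besides Manish's case (a driver calling Nt* directly while servicing a user request and being rejected), it shows the failure mode a driver writer has to design for: forwarding a caller-supplied pointer through Zw* skips the probe entirely, so the driver must look at Irp->RequestorMode and probe the pointer itself before handing it to Zw*.

```c
/*
 * Constructed model of the NtXxx / ZwXxx / PreviousMode mechanism discussed
 * in the thread above. NOT NT source: addresses are plain integers on a toy
 * 2 GB user / 2 GB kernel split, "Int 2E" is a C function, and every name
 * below (NtReadSomething, ZwReadSomething, ToyIrp, driver_*) is invented.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int NTSTATUS_T;
#define STATUS_SUCCESS          0
#define STATUS_ACCESS_VIOLATION 1   /* toy value; the real code is 0xC0000005 */

typedef enum { UserMode = 0, KernelMode = 1 } ProcessorMode;

/* Analog of MmUserProbeAddress on a 2 GB split: user buffers must lie below it. */
#define USER_PROBE_ADDRESS 0x7FFF0000u

/* Per-thread "previous mode" that the gate saves, sets and restores.
 * A system thread that never came through the gate starts as KernelMode. */
ProcessorMode g_previous_mode = KernelMode;

typedef NTSTATUS_T (*service_fn)(uint32_t arg, uint32_t len);

/* ProbeForRead analog: true iff [addr, addr+len) lies entirely in user space. */
bool probe_for_read(uint32_t addr, uint32_t len) {
    if (len == 0) return true;
    if (addr + len < addr) return false;          /* wrap-around into kernel space */
    return addr + len <= USER_PROBE_ADDRESS;
}

/* The "NtXxx" worker: validates caller pointers ONLY when the previous mode is user. */
NTSTATUS_T NtReadSomething(uint32_t buffer, uint32_t len) {
    if (g_previous_mode == UserMode && !probe_for_read(buffer, len))
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;                        /* the real work would happen here */
}

/* The "Int 2E" gate: the previous mode is derived from the caller's code
 * segment (modelled as an explicit argument), then the service is called. */
NTSTATUS_T syscall_gate(ProcessorMode caller_mode, service_fn svc,
                        uint32_t arg, uint32_t len) {
    ProcessorMode saved = g_previous_mode;
    g_previous_mode = caller_mode;
    NTSTATUS_T st = svc(arg, len);
    g_previous_mode = saved;
    return st;
}

/* "ZwXxx" as a driver sees it: re-enter the gate, this time with a kernel CS. */
NTSTATUS_T ZwReadSomething(uint32_t buffer, uint32_t len) {
    return syscall_gate(KernelMode, NtReadSomething, buffer, len);
}

/* A user-mode program issuing a request: ntdll always enters with a user CS.
 * `svc` stands in for whichever driver dispatch routine the I/O manager reaches. */
NTSTATUS_T user_request(service_fn svc, uint32_t buffer, uint32_t len) {
    return syscall_gate(UserMode, svc, buffer, len);
}

/* A scratch buffer owned by the driver, in the kernel range (above 2 GB). */
#define DRIVER_KERNEL_BUFFER 0x80001000u

/* Driver A (Manish's case): calls the Nt entry directly with its own kernel
 * buffer while servicing a user request -> rejected, previous mode is still user. */
NTSTATUS_T driver_direct_nt(uint32_t unused_buf, uint32_t unused_len) {
    (void)unused_buf; (void)unused_len;
    return NtReadSomething(DRIVER_KERNEL_BUFFER, 16);
}

/* Driver B: same buffer via Zw -> accepted, the gate set the mode to kernel. */
NTSTATUS_T driver_via_zw(uint32_t unused_buf, uint32_t unused_len) {
    (void)unused_buf; (void)unused_len;
    return ZwReadSomething(DRIVER_KERNEL_BUFFER, 16);
}

/* Driver C (the hazard): forwards the CALLER's pointer through Zw. The probe
 * is skipped, so a user program can make the driver touch a kernel address. */
NTSTATUS_T driver_zw_unprobed(uint32_t caller_buf, uint32_t len) {
    return ZwReadSomething(caller_buf, len);
}

/* Driver D: captures RequestorMode the way the I/O manager does when it builds
 * the IRP, probes user pointers itself, and only then goes through Zw. */
typedef struct { ProcessorMode RequestorMode; uint32_t UserBuffer; uint32_t Length; } ToyIrp;

NTSTATUS_T driver_zw_probed(uint32_t caller_buf, uint32_t len) {
    ToyIrp irp = { g_previous_mode, caller_buf, len };   /* Irp->RequestorMode */
    if (irp.RequestorMode == UserMode && !probe_for_read(irp.UserBuffer, irp.Length))
        return STATUS_ACCESS_VIOLATION;
    return ZwReadSomething(irp.UserBuffer, irp.Length);
}

int main(void) {
    printf("user passes kernel ptr to Nt service : %d\n", user_request(NtReadSomething, 0x80001000u, 16));
    printf("driver calls Nt directly             : %d\n", user_request(driver_direct_nt, 0, 0));
    printf("driver calls Zw                      : %d\n", user_request(driver_via_zw, 0, 0));
    printf("driver forwards user ptr via Zw      : %d\n", user_request(driver_zw_unprobed, 0x80001000u, 16));
    printf("driver probes, then Zw               : %d\n", user_request(driver_zw_probed, 0x80001000u, 16));
    return 0;
}
```

Build with any C99 compiler and run; each line prints 0 (toy STATUS_SUCCESS) or 1 (toy STATUS_ACCESS_VIOLATION). The third and fourth lines are the point of the model: Zw* makes the driver's own kernel buffer acceptable, but it makes a caller's kernel-range pointer acceptable too, which is why the probing decision has to be made in the driver from Irp->RequestorMode rather than left to the service.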