Solved

CreateFile to open a filter driver

Posted on 2004-03-25
Last Modified: 2013-12-03
Hi,
I am using the Filemon code available on the net and I am trying to write an application of my own to make IOCTL calls into the Filemon driver. When my application calls CreateFile() I get the error ERROR_FILE_NOT_FOUND:

   if((SysHandle = CreateFile( "\\\\.\\FILEMON",                    // lpFileName
                               GENERIC_READ | GENERIC_WRITE,        // dwDesiredAccess
                               FILE_SHARE_READ | FILE_SHARE_WRITE,  // dwShareMode
                               NULL,                                // lpSecurityAttributes
                               OPEN_EXISTING,                       // dwCreationDistribution
                               FILE_ATTRIBUTE_NORMAL,               // dwFlagsAndAttributes
                               NULL                                 // hTemplateFile
                               )) == INVALID_HANDLE_VALUE)
   {
       // CreateFile failed; GetLastError() returns ERROR_FILE_NOT_FOUND here
   }


Could someone please help !!

Regards,
Lib
----
Question by: lib7

6 Comments
Accepted Solution by: AlexFM (LVL 48), earned 125 total points
ID: 10676582
As I remember, all applications from SysInternals which use their own drivers keep the driver .sys file inside their resources. When the program starts, it extracts the driver from the resources, saves it to the hard disk and registers it. After this, the driver is available to the CreateFile function.
Does your program have all this stuff?
Assisted Solution by: jkr (LVL 86), earned 125 total points
ID: 10678443
>>i get an error ERROR_FILE_NOT_FOUND

AlexFM is correct about the resource issue. Furthermore, after extracting the driver, you will have to install and load it, e.g.

#define UNICODE 1
#include <windows.h>
#include <stdlib.h>
#include <string.h>

BOOL LoadDeviceDriver( const TCHAR * Name, const TCHAR * Path, HANDLE * lphDevice );
BOOL UnloadDeviceDriver( const TCHAR * Name );



BOOL
InstallDriver(
    IN SC_HANDLE  SchSCManager,
    IN LPCTSTR    DriverName,
    IN LPCTSTR    ServiceExe
    );

BOOL
StartDriver(
    IN SC_HANDLE  SchSCManager,
    IN LPCTSTR    DriverName
    );

BOOL
OpenDevice(
    IN LPCTSTR    DriverName, HANDLE * lphDevice
    );

BOOL
StopDriver(
    IN SC_HANDLE  SchSCManager,
    IN LPCTSTR    DriverName
    );

BOOL
RemoveDriver(
    IN SC_HANDLE  SchSCManager,
    IN LPCTSTR    DriverName
    );



/****************************************************************************
*
*    FUNCTION: LoadDeviceDriver( const TCHAR, const TCHAR, HANDLE *)
*
*    PURPOSE: Registers a driver with the system configuration manager
*      and then loads it.
*
****************************************************************************/
BOOL LoadDeviceDriver( const TCHAR * Name, const TCHAR * Path, HANDLE * lphDevice )
{
     SC_HANDLE     schSCManager;
     BOOL          okay;

     // Needs administrative rights; without them this fails with ERROR_ACCESS_DENIED.
     schSCManager = OpenSCManager( NULL, NULL, SC_MANAGER_ALL_ACCESS );
     if ( schSCManager == NULL )
         return FALSE;

     // Ignore success of installation: it may already be installed.
     InstallDriver( schSCManager, Name, Path );

     // Ignore success of start: it may already be started.
     StartDriver( schSCManager, Name );

     // Do make sure we can open it.
     okay = OpenDevice( Name, lphDevice );

     CloseServiceHandle( schSCManager );

     return okay;
}


/****************************************************************************
*
*    FUNCTION: InstallDriver( IN SC_HANDLE, IN LPCTSTR, IN LPCTSTR)
*
*    PURPOSE: Creates a driver service.
*
****************************************************************************/
BOOL InstallDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName, IN LPCTSTR ServiceExe )
{
    SC_HANDLE  schService;

    //
    // NOTE: This creates an entry for a standalone driver. If this
    //       is modified for use with a driver that requires a Tag,
    //       Group, and/or Dependencies, it may be necessary to
    //       query the registry for existing driver information
    //       (in order to determine a unique Tag, etc.).
    //

    schService = CreateService( SchSCManager,          // SCManager database
                                DriverName,           // name of service
                                DriverName,           // name to display
                                SERVICE_ALL_ACCESS,    // desired access
                                SERVICE_KERNEL_DRIVER, // service type
                                SERVICE_DEMAND_START,  // start type
                                SERVICE_ERROR_NORMAL,  // error control type
                                ServiceExe,            // service's binary
                                NULL,                  // no load ordering group
                                NULL,                  // no tag identifier
                                NULL,                  // no dependencies
                                NULL,                  // LocalSystem account
                                NULL                   // no password
                                );
    if ( schService == NULL )
        return FALSE;

    CloseServiceHandle( schService );

    return TRUE;
}


/****************************************************************************
*
*    FUNCTION: StartDriver( IN SC_HANDLE, IN LPCTSTR)
*
*    PURPOSE: Starts the driver service.
*
****************************************************************************/
BOOL StartDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName )
{
    SC_HANDLE  schService;
    BOOL       ret;

    schService = OpenService( SchSCManager,
                              DriverName,
                              SERVICE_ALL_ACCESS
                              );
    if ( schService == NULL )
        return FALSE;

    ret = StartService( schService, 0, NULL )
       || GetLastError() == ERROR_SERVICE_ALREADY_RUNNING;

    CloseServiceHandle( schService );

    return ret;
}



/****************************************************************************
*
*    FUNCTION: OpenDevice( IN LPCTSTR, HANDLE *)
*
*    PURPOSE: Opens the device and returns a handle if desired.
*
****************************************************************************/
BOOL OpenDevice( IN LPCTSTR DriverName, HANDLE * lphDevice )
{
    TCHAR    completeDeviceName[64];
    HANDLE   hDevice;

    //
    // Create a \\.\XXX device name that CreateFile can use
    //
    // NOTE: We're making an assumption here that the driver
    //       has created a symbolic link using its own name
    //       (i.e. if the driver has the name "XXX" we assume
    //       that it used IoCreateSymbolicLink to create a
    //       symbolic link "\DosDevices\XXX". Usually, there
    //       is this understanding between related apps/drivers.
    //
    //       An application might also peruse the DEVICEMAP
    //       section of the registry, or use the QueryDosDevice
    //       API to enumerate the existing symbolic links in the
    //       system.
    //

    wsprintf( completeDeviceName, TEXT("\\\\.\\%s"), DriverName );

    hDevice = CreateFile( completeDeviceName,
                          GENERIC_READ | GENERIC_WRITE,
                          0,
                          NULL,
                          OPEN_EXISTING,
                          FILE_ATTRIBUTE_NORMAL,
                          NULL
                          );
    if ( hDevice == INVALID_HANDLE_VALUE )
        return FALSE;

     // If user wants handle, give it to them.  Otherwise, just close it.
     if ( lphDevice )
          *lphDevice = hDevice;
     else
         CloseHandle( hDevice );

    return TRUE;
}


/****************************************************************************
*
*    FUNCTION: UnloadDeviceDriver( const TCHAR *)
*
*    PURPOSE: Stops the driver and has the configuration manager unload it.
*
****************************************************************************/
BOOL UnloadDeviceDriver( const TCHAR * Name )
{
     SC_HANDLE     schSCManager;
     BOOL          okay;

     schSCManager = OpenSCManager( NULL,                  // machine (NULL == local)
                                   NULL,                  // database (NULL == default)
                                   SC_MANAGER_ALL_ACCESS  // access required
                                   );
     if ( schSCManager == NULL )
         return FALSE;

     // Stop may legitimately fail if the driver is not running; report the delete.
     StopDriver( schSCManager, Name );
     okay = RemoveDriver( schSCManager, Name );

     CloseServiceHandle( schSCManager );

     return okay;
}



/****************************************************************************
*
*    FUNCTION: StopDriver( IN SC_HANDLE, IN LPCTSTR)
*
*    PURPOSE: Has the configuration manager stop the driver (unload it)
*
****************************************************************************/
BOOL StopDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName )
{
    SC_HANDLE       schService;
    BOOL            ret;
    SERVICE_STATUS  serviceStatus;

    schService = OpenService( SchSCManager, DriverName, SERVICE_ALL_ACCESS );
    if ( schService == NULL )
        return FALSE;

    ret = ControlService( schService, SERVICE_CONTROL_STOP, &serviceStatus );

    CloseServiceHandle( schService );

    return ret;
}


/****************************************************************************
*
*    FUNCTION: RemoveDriver( IN SC_HANDLE, IN LPCTSTR)
*
*    PURPOSE: Deletes the driver service.
*
****************************************************************************/
BOOL RemoveDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName )
{
    SC_HANDLE  schService;
    BOOL       ret;

    schService = OpenService( SchSCManager,
                              DriverName,
                              SERVICE_ALL_ACCESS
                              );

    if ( schService == NULL )
        return FALSE;

    ret = DeleteService( schService );

    CloseServiceHandle( schService );

    return ret;
}

(code taken from an earlier Filemon, which credits the above to the DDK's instsvr sample)
Author Comment by: lib7
ID: 10684467
Hi,
  Thanks for your replies.

  I am using the entire code of Filemon as it is!
  I am just writing an application of my own which will make IOCTL calls into the Filemon driver. To communicate with the driver I am getting the handle to it through the CreateFile() call.

To test the application, I am first running Filemon.exe (the GUI part), which should install the driver. And then I am running my application. And I am getting error code 5 this time, i.e. ACCESS_DENIED!

Is it true that two applications cannot get a handle to the same driver at the same time?
Could this be happening in this case?

Lib7
-----
Expert Comment by: jkr (LVL 86)
ID: 10688801
>>Is it true that two applications cannot get a handle to the same driver at the same time?

Depends on the driver design. In case of FileMon, it would make sense. So, I suggest you load and start filemon.sys from your own application.
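As an added check that is not part of this thread and not Filemon's own code, the following PowerShell script verifies, from an elevated prompt, the three conditions that the two error codes discussed above (ERROR_FILE_NOT_FOUND, then ERROR_ACCESS_DENIED) depend on: that the driver service is registered and started, that the \DosDevices\FILEMON link exists, and what the same CreateFile call returns. The default device name and the P/Invoke wrapper are the script's own assumptions.

```powershell
# Added diagnostic (not from the thread or from Filemon): checks the three things
# CreateFile("\\.\FILEMON") depends on. Assumes the service and the symbolic link
# share the driver's name, as the C code in the thread assumes. Run elevated.
param([string]$DeviceName = 'FILEMON')   # assumed default, taken from the thread

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint QueryDosDevice(string name, System.Text.StringBuilder target, uint max);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFile(
    string name, uint access, uint share, IntPtr sa, uint disposition, uint flags, IntPtr template);
'@

# 1. Is the driver service registered and started? Get-Service lists only Win32
#    services, so kernel drivers are queried through WMI instead.
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$DeviceName'"
if (-not $drv) {
    "Service '$DeviceName' is not registered: nothing has run CreateService for the .sys yet."
} else {
    "Service '$DeviceName': State=$($drv.State) StartMode=$($drv.StartMode) Image=$($drv.PathName)"
}

# 2. Did the loaded driver create the \DosDevices\<name> link that \\.\<name> resolves through?
$target = New-Object System.Text.StringBuilder 1024
if ([Win32.Native]::QueryDosDevice($DeviceName, $target, [uint32]$target.Capacity) -eq 0) {
    "No symbolic link \\.\$DeviceName (error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
} else {
    "Symbolic link \\.\$DeviceName -> $($target.ToString())"
}

# 3. Repeat the open the C code performs and name the two failures seen in the thread.
$access = [uint32]::Parse('C0000000', [Globalization.NumberStyles]::HexNumber)  # GENERIC_READ|GENERIC_WRITE
$OPEN_EXISTING = [uint32]3
$h = [Win32.Native]::CreateFile("\\.\$DeviceName", $access, [uint32]0, [IntPtr]::Zero,
                                $OPEN_EXISTING, [uint32]0, [IntPtr]::Zero)
$err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
if ($h.IsInvalid) {
    switch ($err) {
        2 { "ERROR_FILE_NOT_FOUND: the driver is not loaded, or it created no symbolic link." }
        5 { "ERROR_ACCESS_DENIED: another process (e.g. the Filemon GUI) holds the device open exclusively, or this process lacks the access the device's security descriptor requires." }
        default { "CreateFile failed with Win32 error $err" }
    }
} else {
    "Opened \\.\$DeviceName successfully; releasing the handle."
    $h.Close()
}
```

Running it once with the Filemon GUI closed and once with it open shows which of the two conditions each error code corresponds to on the machine at hand.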