I'm mimicking the connection between conhost.exe and the condrv.sys driver, so I copied the code from conhost.exe into a simple C file and compiled it. But NtOpenFile() always returns the error 0xC0000005. Here is the code snippet.
#include <windows.h>
#include <winternl.h>   /* OBJECT_ATTRIBUTES, NtOpenFile, RtlInitUnicodeString; link with ntdll.lib */
UNICODE_STRING DestinationString;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK IoStatusBlock;
HANDLE Handle;
NTSTATUS status;
RtlInitUnicodeString(&DestinationString, L"\\Device\\ConDrv\\Server");
ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE;
ObjectAttributes.ObjectName = &DestinationString;
ObjectAttributes.SecurityDescriptor = 0;
status = NtOpenFile(&Handle, GENERIC_ALL, &ObjectAttributes, &IoStatusBlock, 0, 0);
How do I modify that code to work properly? Am I doing anything wrong?
Thanks @RbMm for that advice. The OBJECT_ATTRIBUTES struct is defined as:
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
The error occurs because I forgot to set SecurityQualityOfService to zero, so NtOpenFile() picks up the SecurityQualityOfService value from whatever is left over in memory and returns 0xC0000005, a.k.a. memory access violation. I added ObjectAttributes.SecurityQualityOfService = 0; and it works.
The correct way, however, is to use InitializeObjectAttributes() in order to initialize this structure.
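As an added example, not part of the question or of this answer: a C program that contrasts the field-by-field initialization from the question with InitializeObjectAttributes(), poisoning the struct beforehand to stand in for stale stack contents. The non-Windows branch carries local copies of the ntdef.h/winternl.h definitions (assumed to match the real headers) so the check compiles and runs anywhere; on Windows it uses winternl.h and additionally performs the real NtOpenFile() on \Device\ConDrv\Server. The helper names (init_by_hand, init_with_macro, fully_initialized, run_check) and the 0xAA poison pattern are my own choices.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")   /* MSVC; with MinGW link -lntdll instead */
#else
/* Non-Windows build: local copies of the ntdef.h definitions (assumed to
   match the real headers) so the initialization logic compiles anywhere. */
#include <stdint.h>
typedef uint32_t ULONG;
typedef void *HANDLE;
typedef void *PVOID;
typedef struct _UNICODE_STRING {
    uint16_t  Length;
    uint16_t  MaximumLength;
    uint16_t *Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _OBJECT_ATTRIBUTES {
    ULONG           Length;
    HANDLE          RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG           Attributes;
    PVOID           SecurityDescriptor;
    PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
#define OBJ_CASE_INSENSITIVE 0x00000040L
/* Same expansion as the macro in ntdef.h/winternl.h. Note that it always
   NULLs SecurityQualityOfService, the field the question's code never set. */
#define InitializeObjectAttributes(p, n, a, r, s) { \
    (p)->Length = sizeof(OBJECT_ATTRIBUTES);        \
    (p)->RootDirectory = (r);                       \
    (p)->Attributes = (a);                          \
    (p)->ObjectName = (n);                          \
    (p)->SecurityDescriptor = (s);                  \
    (p)->SecurityQualityOfService = NULL;           \
}
#endif

typedef void (*oa_init_fn)(POBJECT_ATTRIBUTES, PUNICODE_STRING);

/* The question's approach: five fields assigned by hand, the sixth untouched. */
static void init_by_hand(POBJECT_ATTRIBUTES oa, PUNICODE_STRING name)
{
    oa->Length = sizeof(OBJECT_ATTRIBUTES);
    oa->RootDirectory = NULL;
    oa->Attributes = OBJ_CASE_INSENSITIVE;
    oa->ObjectName = name;
    oa->SecurityDescriptor = NULL;
    /* oa->SecurityQualityOfService keeps whatever the stack held */
}

/* The recommended approach: the macro covers every field. */
static void init_with_macro(POBJECT_ATTRIBUTES oa, PUNICODE_STRING name)
{
    InitializeObjectAttributes(oa, name, OBJ_CASE_INSENSITIVE, NULL, NULL);
}

/* 1 if every field holds the value NtOpenFile() should see, else 0. */
static int fully_initialized(const OBJECT_ATTRIBUTES *oa, PUNICODE_STRING name)
{
    return oa->Length == sizeof(OBJECT_ATTRIBUTES)
        && oa->RootDirectory == NULL
        && oa->ObjectName == name
        && oa->Attributes == OBJ_CASE_INSENSITIVE
        && oa->SecurityDescriptor == NULL
        && oa->SecurityQualityOfService == NULL;
}

/* Poison the struct (simulated leftover stack contents), run the initializer,
   and report whether the result is safe to hand to the kernel. */
static int run_check(oa_init_fn init)
{
    OBJECT_ATTRIBUTES oa;
    UNICODE_STRING name = {0};
    memset(&oa, 0xAA, sizeof oa);   /* constructed "dirty stack" pattern */
    init(&oa, &name);
    return fully_initialized(&oa, &name);
}

int main(void)
{
    printf("field-by-field init leaves struct fully initialized: %d\n", run_check(init_by_hand));
    printf("InitializeObjectAttributes leaves struct fully initialized: %d\n", run_check(init_with_macro));
#ifdef _WIN32
    {
        UNICODE_STRING path;
        OBJECT_ATTRIBUTES oa;
        IO_STATUS_BLOCK iosb;
        HANDLE h = NULL;
        NTSTATUS st;
        RtlInitUnicodeString(&path, L"\\Device\\ConDrv\\Server");
        InitializeObjectAttributes(&oa, &path, OBJ_CASE_INSENSITIVE, NULL, NULL);
        st = NtOpenFile(&h, GENERIC_ALL, &oa, &iosb, 0, 0);
        printf("NtOpenFile(\\Device\\ConDrv\\Server) -> 0x%08lX\n", (unsigned long)st);
        if (st >= 0) CloseHandle(h);   /* NT_SUCCESS: non-negative NTSTATUS */
    }
#endif
    return 0;
}
```

Build with cl (MSVC) or gcc -lntdll (MinGW) on Windows, or plain cc elsewhere for the initialization check only. The caveat worth keeping in mind: the kernel treats SecurityQualityOfService as a PSECURITY_QUALITY_OF_SERVICE and probes it, so a stale value that points at unmapped memory gives the 0xC0000005 seen in the question, but a stale value that happens to point at readable memory would not fault at all and would instead hand the open an arbitrary impersonation level and context-tracking mode. The access violation was the friendly failure; the macro removes the silent one too.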