OK, I'm trying to open the pagefile.sys file from kernel land, and am getting STATUS_SHARING_VIOLATION, which seems right considering. In the FILE_OBJECT structure I know there is a flag you can use to adjust the sharing privileges directly, which some software like "unlocker" and a few others can manipulate in order to grant access to the file.
I suppose my question is, how would you get to the FILE_OBJECT struct for pagefile.sys? Or better yet, is there a simple way to get access to this file without using any 3rd-party applications?
This is the code I'm currently messing around with that is failing with the sharing violation.
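    #include <ntddk.h>

    void *PK_OpenPagefile(void)
    {
        // ----------- log file declarations ----------------
        // outfile
        HANDLE fHandle = NULL;
        PCWSTR fName = L"\\DosDevices\\c:\\pagefile.sys";
        UNICODE_STRING uFName;
        // file attributes
        OBJECT_ATTRIBUTES ObjectAttributes;
        // set access mask
        ACCESS_MASK DesiredAccess = GENERIC_READ;
        // IO Status Block (reports file status)
        IO_STATUS_BLOCK IoStatusBlock;
        // Return Value for all NTSTATUS functions
        NTSTATUS retVal = STATUS_SUCCESS;
        // buffer representing the size of a page; malloc() does not exist in
        // kernel mode, so allocate from pool ('fgaP' is an arbitrary pool tag)
        char *writeBuff = (char *)ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE, 'fgaP');
        // ---- end declarations -----

        if (writeBuff == NULL)
            return NULL;

        RtlInitUnicodeString(&uFName, fName);
        // OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle table
        InitializeObjectAttributes(&ObjectAttributes, &uFName,
                                   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

        // this is the call that returns STATUS_SHARING_VIOLATION
        retVal = ZwCreateFile(&fHandle,
                              DesiredAccess,
                              &ObjectAttributes,
                              &IoStatusBlock,
                              NULL,
                              FILE_ATTRIBUTE_NORMAL,
                              FILE_SHARE_READ,
                              FILE_OPEN,
                              FILE_NON_DIRECTORY_FILE,
                              NULL,
                              0);

        // etc etc goes here

        // release the handle (if the open succeeded) and the page buffer
        if (NT_SUCCESS(retVal))
            ZwClose(fHandle);
        ExFreePoolWithTag(writeBuff, 'fgaP');
        return NULL;
    }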







