I am trying to traverse windows namespaces. I would like to seamlessly go from the object namespace to the file system namespace. To do this I use the RootDirectory and ObjectName of OBJECT_ATTRIBUTES. However, I seem to have hit a wall when it comes to obtaining a file system handle from a device handle.
I am able to traverse using NtOpenDirectoryObject and NtQueryDirectoryObject to traverse \ -> Device -> HarddiskVolume1
HarddiskVolume1 cannot be opened as directory and queried (which makes sense as it is a device), nor can it be used as a RootDirectory to obtain a handle to the root of the filesystem (I've tried using "", "\", ".", NULL as ObjectName).
I am aware that I could instead open HarddiskVolume1\ but that seems inelegant as it is not an entry obtained using NtQueryDirectoryObject
NtOpenDirectoryObject() and NtQueryDirectoryObject() operate on object manager directories. These are containers that other objects can be created in. HarddiskVolume1 is a volume device, not an object manager directory. The object manager doesn't know anything about volumes or file systems, so the only way to access them is to access the volume device itself. You must use NtCreateFile() or similar for this. If you access \Device\HarddiskVolume1 then you are accessing the volume device itself. To access the file system root directory you must access \Device\HarddiskVolume1\ instead. This is just something you have to know to do. There is no API that given \Device\HarddiskVolume1 will return you \ as a child object. It is similar with other types of objects; for example, with \REGISTRY you need to open \REGISTRY\ with NtOpenKey().