ZwCreateFile VS IoCreateFile
2007/2/9
Apart from their obvious name difference and number of parameters, do YOU know what the difference between them is? Well, obviously, ZwCreateFile calls IoCreateFile at some point in its life, but there is a less obvious difference as well.

ZwCreateFile is used by kernel mode drivers to create their file, and internally this calls IoCreateFile. But a little less known fact is that ZwCreateFile will make the create in kernel mode, while IoCreateFile will not override the mode that you are in. What does that mean? Well, if you are in the context of the user process, and you try to use IoCreateFile, and don't specify any override flags, the call will fail with 0xC0000005. The reason is that IoCreateFile is checking the parameters, figures out that he is in a usermode context, but that the create is a kernel mode call, so he sees a discrepancy, and will fail. You can also specify the extra parameter IO_NO_PARAMETER_CHECKING, and that should override the call's mean streak ;)

Another little difference is that you could (if you were a bad person) hook ZwCreateFile, and replace it with your own, directly in the kernel service table, but the other one would be a bit more difficult ;) It's an export of our true friend: Nt Kernel, better known as ntoskrnl.exe.

Oh well, now remember that ZwCreate is usually the safer bet ;)
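The mode check described above, as an added example that is not part of the original post: a portable user-mode model of the parameter validation only, not driver code. The `model_*` names, the `MODEL_USER_LIMIT` boundary and the sample addresses are assumptions made up for the illustration; no file is opened.

```c
#include <stdint.h>
#include <stdio.h>

#define STATUS_SUCCESS           0x00000000u
#define STATUS_ACCESS_VIOLATION  0xC0000005u   /* the failure code the post mentions */
#define IO_NO_PARAMETER_CHECKING 0x0100u       /* flag value as defined in wdm.h */
#define MODEL_USER_LIMIT         0x7FFF0000u   /* constructed user/kernel boundary */

typedef enum { KernelMode = 0, UserMode = 1 } MODE;

/* Models the current thread's previous mode (hypothetical global). */
static MODE g_previous_mode = UserMode;
void model_set_previous_mode(MODE m) { g_previous_mode = m; }

/* Models the probe: a user-mode requestor may only hand in user addresses. */
static int probe_ok(uint32_t addr) { return addr < MODEL_USER_LIMIT; }

/* Models IoCreateFile: trusts the caller only if the flag is set or the
   previous mode is already KernelMode; otherwise output pointers are probed. */
uint32_t model_IoCreateFile(uint32_t handle_out, uint32_t iosb_out, uint32_t options)
{
    MODE requestor = (options & IO_NO_PARAMETER_CHECKING) ? KernelMode
                                                          : g_previous_mode;
    if (requestor != KernelMode && (!probe_ok(handle_out) || !probe_ok(iosb_out)))
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Models the Zw path: previous mode is KernelMode for the duration of the call. */
uint32_t model_ZwCreateFile(uint32_t handle_out, uint32_t iosb_out)
{
    MODE saved = g_previous_mode;
    g_previous_mode = KernelMode;
    uint32_t status = model_IoCreateFile(handle_out, iosb_out, 0);
    g_previous_mode = saved;
    return status;
}

int main(void)
{
    /* Constructed addresses standing in for a driver's kernel-stack variables. */
    uint32_t h = 0xF8A01000u, iosb = 0xF8A01008u;
    model_set_previous_mode(UserMode);   /* driver running in a user process context */
    printf("IoCreateFile, no flag:   0x%08X\n", (unsigned)model_IoCreateFile(h, iosb, 0));
    printf("IoCreateFile, with flag: 0x%08X\n",
           (unsigned)model_IoCreateFile(h, iosb, IO_NO_PARAMETER_CHECKING));
    printf("ZwCreateFile:            0x%08X\n", (unsigned)model_ZwCreateFile(h, iosb));
    return 0;
}
```

The same property that makes the Zw path and the flag convenient also means nothing is probed on the caller's behalf, so pointers that originated in user mode have to be validated by the driver before they reach either call.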