I need to read SQL Server database files that are opened by the server (with exclusive access, I guess). After some research I figured that there are two options: the Volume Shadow Copy Service or a kernel mode driver. So I implemented the first option, but there are issues: it works as a backup, it waits for some time to get access, and database files can be greater than 1TB. So I'm trying to read the files with a kernel mode driver, but whatever option I try with
    TraceEvents(TRACE_LEVEL_VERBOSE, DBG_INIT, "Absolute Filename %wZ", &absFileName);
    InitializeObjectAttributes(&fileAttributes, &absFileName,
        OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
        NULL,
        NULL
    );
    status = ZwCreateFile(
        &devExt->FileHandle,
        SYNCHRONIZE | FILE_READ_DATA,
        &fileAttributes,
        &ioStatus,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
        FILE_OPEN,
        FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0
    );
    if (!NT_SUCCESS(status)) {
        TraceEvents(TRACE_LEVEL_ERROR, DBG_INIT, "ZwCreateFile failed with status %!STATUS!", status);
        devExt->FileHandle = NULL;
    }
or
    status = ZwOpenFile(
        &devExt->FileHandle,
        SYNCHRONIZE | FILE_READ_DATA,
        &fileAttributes,
        &ioStatus,
        FILE_SHARE_READ,
        FILE_SYNCHRONOUS_IO_NONALERT
    );
I get the error "ZwCreateFile failed with status 0xc0000043 (STATUS_SHARING_VIOLATION)". Is it even possible to read such files from a driver? If I am restricted to ordinary access rules even in a driver, then how are antiviruses able to read such files? Anything can open something in exclusive mode and block access.
The driver is based on Microsoft's example Windows-driver-samples\general\ioctl\kmdf\.
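The share-access rule that produces STATUS_SHARING_VIOLATION, modelled in user-mode C as an added example (not part of the original post and not driver code). It is a simplified model built on the counters of the documented SHARE_ACCESS structure; the bit values, `try_open`, `second_open` and the first opener's flags are assumptions for illustration.

```c
#include <stdio.h>

/* Simplified stand-ins for the access and share bits (constructed values). */
enum { ACC_READ = 1, ACC_WRITE = 2, ACC_DELETE = 4 };
enum { SHR_READ = 1, SHR_WRITE = 2, SHR_DELETE = 4 };

/* Per-file bookkeeping, modelled on the counters in SHARE_ACCESS. */
typedef struct {
    unsigned open_count, readers, writers, deleters;
    unsigned shared_read, shared_write, shared_delete;
} share_state;

/* Returns 1 and records the open when compatible, 0 for a sharing violation. */
int try_open(share_state *s, unsigned access, unsigned share)
{
    unsigned r = !!(access & ACC_READ), w = !!(access & ACC_WRITE), d = !!(access & ACC_DELETE);
    unsigned sr = !!(share & SHR_READ), sw = !!(share & SHR_WRITE), sd = !!(share & SHR_DELETE);

    if (!(r || w || d))
        return 1;                              /* no data access requested: not checked */
    if ((r && s->shared_read < s->open_count) ||   /* an earlier opener refused readers */
        (w && s->shared_write < s->open_count) ||
        (d && s->shared_delete < s->open_count) ||
        (s->readers && !sr) ||                 /* we refuse what an earlier opener does */
        (s->writers && !sw) ||
        (s->deleters && !sd))
        return 0;
    s->open_count++;
    s->readers += r; s->writers += w; s->deleters += d;
    s->shared_read += sr; s->shared_write += sw; s->shared_delete += sd;
    return 1;
}

/* Second open of a file whose first opener has read/write access and holder_share. */
int second_open(unsigned holder_share, unsigned access, unsigned share)
{
    share_state s = {0};
    try_open(&s, ACC_READ | ACC_WRITE, holder_share);
    return try_open(&s, access, share);
}

int main(void)
{
    /* Assumed holder shares nothing; requester uses the flags of the ZwCreateFile call. */
    printf("no sharing, request share all : %d\n", second_open(0, ACC_READ, SHR_READ | SHR_WRITE | SHR_DELETE));
    /* Holder allows readers; requester passes only FILE_SHARE_READ, as in the ZwOpenFile call. */
    printf("share read, request share R   : %d\n", second_open(SHR_READ, ACC_READ, SHR_READ));
    printf("share read, request share R|W : %d\n", second_open(SHR_READ, ACC_READ, SHR_READ | SHR_WRITE));
    return 0;
}
```

The first case shows that the share flags passed by the second opener cannot override a first opener that granted no read sharing; the second shows that a too-narrow share mask on the requester's side also fails when the holder is a writer.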