Comments on Of Filesystems And Other Demons: Opening an Alternate Data Stream

Anonymous (2012-07-19T08:12:55.542-07:00):

Well, no. Actually the openFileHandle is a handle to the file that I've opened myself (i.e. I called FltCreateFile to open it). That happened to be the way my driver worked (I only cared about the ADS for files that I had opened myself).

Let's continue the discussion on the NTFSD thread (http://www.osronline.com/showthread.cfm?link=229144).

BinaryAgent (2012-07-19T03:31:19.889-07:00):

Hi Alex, great blog, very informative,

in the code above, you use the variable: openFileHandle. Is that the same as FltObjects->Instance in the filter XXXXXPostCreate function?

I am trying to open the ADS attached to the current file but I keep getting status: 0xc0000008 on the FltCreateFile operation.

Here's my code (in the XXXXXPostCreate section), where,

    UNICODE_STRING ADSName = RTL_CONSTANT_STRING(L":sensitive:$DATA");

    InitializeObjectAttributes( &objectAttributes, &ADSName, OBJ_KERNEL_HANDLE, openFileHandle, NULL );

    DbgPrint( "Calling FltCreateFile for ADS file %wZ\n", &ADSName );

    // and now issue our open for the stream.
    adsStatus = FltCreateFile( ScannerData.Filter,
                               FltObjects->Instance,
                               &ADSHandle,
                               FILE_READ_DATA | FILE_READ_ATTRIBUTES,
                               &objectAttributes,
                               &ioStatus,
                               0,
                               FILE_ATTRIBUTE_NORMAL,
                               FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                               FILE_OPEN_IF,
                               FILE_OPEN_REPARSE_POINT,
                               NULL,
                               0, 0 );

    if (NT_SUCCESS( adsStatus ))
    {
        DbgPrint( "--- !!!THIS IS A SENSITIVE FILE!!!\n" );

        hasADS = TRUE;

        if (NT_SUCCESS( FltClose(ADSHandle) ))
        {
            DbgPrint( "--- Close ADS attached to file\n" );
        }
    }
    else
    {
        DbgPrint( "--- Not a sensitive file, ADS does not exist, status 0x%X\n", adsStatus );
        hasADS = FALSE;
    }

I am definitely doing something wrong but I cannot figure out where.