Is there any way to call/use NtSetFileInformation in usermode? If yes, what can I do?
> Is there any way to call/use NtSetFileInformation in usermode?
Yes, the trick is finding the correct DLL - it might be in Ntdll.dll (like NtCreateFile
https://msdn.microsoft.com/en-us/library/bb432380(v=vs.85).aspx), dunno.
You might want to start by looking at SetFileInformationByHandle
https://msdn.microsoft.com/en-us/library/windows/desktop/aa365539(v=vs.85).aspx
Sure there is. Either link against ntdll.lib, or call it using function pointer obtained by calling GetProcAddress(hNtdll, "NtSetInformationFile").
Or, for test purposes, just use FileTest
http://www.zezula.net/en/fstools/filetest.html
-scott
OSR
@OSRDrivers
wrote in message news:xxxxx@ntfsd…
> Sure there is. Either link against ntdll.lib, or call it using function
> pointer obtained by calling GetProcAddress(hNtdll, "NtSetInformationFile").
> Or, for test purposes, just use FileTest
The single most useful tool in the file system developer’s toolkit. Thanks
again Ladislav…
I tried to use GetProcAddress(hNtdll, "NtSetInformationFile"), but I think ntdll is not exporting a function address that can be used. For the rest of the NT calls I am able to successfully get the values and outputs too.
I am a bit stuck here! I actually want to rename file streams, so I thought it was the only possible way; however, it seems … no luck.
Is there any way?
My filter is failing the IFS StreamRename test. With FileTest (insanely awesome tool) my filter is not reporting any error for stream rename, but NTFS is reporting an error!
Any help will be greatly appreciated.
Thanks,
What is the problem with SetFileInformationByHandle, which does the same?
ZwSetInformationFile/NtSetInformationFile is just a stub to a system call with ordinal number 0x24. You can implement it if for some reason you are unable to retrieve the address from ntdll.
ZwSetInformationFile:
0000000076D6BFA0 mov r10,rcx
0000000076D6BFA3 mov eax,24h
0000000076D6BFA8 syscall
0000000076D6BFAA ret
Thanks for the pointer, Slava… many thanks.
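
An added example, not code from the thread or from any poster: the GetProcAddress route suggested above, applied to the stream rename the original poster was after. RENAME_INFO, build_stream_rename and rename_stream are names made up here; the buffer helper is portable so its layout can be checked anywhere, and the actual call compiles only on Windows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors FILE_RENAME_INFORMATION (assumed name RENAME_INFO); uint16_t stands
   in for WCHAR so the layout helper also compiles off Windows. */
typedef struct {
    uint8_t  ReplaceIfExists;
    void    *RootDirectory;    /* stays NULL for a stream rename */
    uint32_t FileNameLength;   /* in bytes, no terminator */
    uint16_t FileName[1];
} RENAME_INFO;

/* Build the rename buffer; a stream name must begin with ':' (":newname"). */
RENAME_INFO *build_stream_rename(const uint16_t *new_name, size_t chars,
                                 int replace, size_t *out_size)
{
    if (!new_name || !out_size || chars < 2 || new_name[0] != ':') return NULL;
    size_t size = offsetof(RENAME_INFO, FileName) + chars * sizeof(uint16_t);
    if (size < sizeof(RENAME_INFO)) size = sizeof(RENAME_INFO);
    RENAME_INFO *ri = calloc(1, size);
    if (!ri) return NULL;
    ri->ReplaceIfExists = replace ? 1 : 0;
    ri->FileNameLength = (uint32_t)(chars * sizeof(uint16_t));
    memcpy(ri->FileName, new_name, ri->FileNameLength);
    *out_size = size;
    return ri;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS (NTAPI *NtSetInformationFile_t)(HANDLE, PIO_STATUS_BLOCK,
                                                 PVOID, ULONG, ULONG);

/* h: handle to the stream itself, opened with DELETE access. */
NTSTATUS rename_stream(HANDLE h, const uint16_t *name, size_t chars)
{
    NtSetInformationFile_t fn = (NtSetInformationFile_t)GetProcAddress(
        GetModuleHandleW(L"ntdll.dll"), "NtSetInformationFile");
    size_t size = 0;
    IO_STATUS_BLOCK iosb;
    RENAME_INFO *ri = build_stream_rename(name, chars, 0, &size);
    if (!fn || !ri) { free(ri); return (NTSTATUS)0xC000000DL; } /* invalid parameter */
    NTSTATUS st = fn(h, &iosb, ri, (ULONG)size, 10 /* FileRenameInformation */);
    free(ri);
    return st;
}
#endif
```

Checking that `fn` is non-NULL before the call separates a failed export lookup from a failure returned by the file system.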