NtSetFileInformation

Is there any way to call/use NtSetFileInformation in user mode? If yes, what can I do?

> Is there any way to call/use NtSetFileInformation in user mode?

Yes, the trick is finding the correct DLL - it might be in Ntdll.dll (like
NtCreateFile,
https://msdn.microsoft.com/en-us/library/bb432380(v=vs.85).aspx), dunno.

You might want to start by looking at SetFileInformationByHandle:

https://msdn.microsoft.com/en-us/library/windows/desktop/aa365539(v=vs.85).aspx

Sure there is. Either link against ntdll.lib, or call it using a function pointer obtained by calling GetProcAddress(hNtdll, "NtSetInformationFile").

Or, for test purposes, just use FileTest :slight_smile:

http://www.zezula.net/en/fstools/filetest.html

-scott
OSR
@OSRDrivers
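The following is an added example, not code from the thread or from OSR: it does what Scott describes, resolving NtSetInformationFile from ntdll.dll with GetProcAddress and using it with FileRenameInformation to rename an NTFS alternate data stream (the operation the original poster is after). The struct layout, the information class value 10, and the DELETE access requirement are from the public ntifs.h/winternl.h definitions; the ASCII-only stream name, the handling of ':'-prefixed targets, and all helper names are assumptions of this example. The buffer-building helper is portable so it can be exercised off-Windows; only the block under _WIN32 touches the API.

```c
/* Added example (not from the thread): rename an NTFS alternate data stream
 * via NtSetInformationFile(FileRenameInformation), resolved from ntdll with
 * GetProcAddress.  Everything outside the _WIN32 block is portable C. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* FILE_RENAME_INFORMATION from ntifs.h, spelled out with fixed-width types
 * so the helper compiles off-Windows too (WCHAR is 16 bits on Windows). */
typedef struct {
    unsigned char ReplaceIfExists;   /* BOOLEAN */
    void         *RootDirectory;     /* HANDLE; NULL for a stream rename */
    uint32_t      FileNameLength;    /* in BYTES, not characters, no terminator counted */
    uint16_t      FileName[1];       /* UTF-16LE, variable length */
} RENAME_INFO;

/* Build the variable-length buffer.  new_name is ASCII here (assumption of
 * this example); a stream rename target looks like ":newname".  Returns the
 * buffer (caller frees) and writes its total byte size to *out_size. */
static RENAME_INFO *build_rename_info(const char *new_name, size_t *out_size)
{
    size_t chars = strlen(new_name);
    size_t size  = offsetof(RENAME_INFO, FileName) + chars * sizeof(uint16_t);
    RENAME_INFO *ri = calloc(1, size);
    if (ri == NULL)
        return NULL;
    ri->ReplaceIfExists = 0;
    ri->RootDirectory   = NULL;
    ri->FileNameLength  = (uint32_t)(chars * sizeof(uint16_t));
    for (size_t i = 0; i < chars; i++)
        ri->FileName[i] = (uint16_t)(unsigned char)new_name[i];
    *out_size = size;
    return ri;
}

/* A stream rename target must start with ':' and must not contain path
 * separators (that would be a file rename, not a stream rename). */
static int is_stream_rename_target(const char *name)
{
    if (name == NULL || name[0] != ':' || name[1] == '\0')
        return 0;
    for (const char *p = name + 1; *p; p++)
        if (*p == '\\' || *p == '/')
            return 0;
    return 1;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

/* FileRenameInformation is 10 in the FILE_INFORMATION_CLASS enumeration. */
#define RENAME_INFO_CLASS ((FILE_INFORMATION_CLASS)10)

typedef NTSTATUS (NTAPI *NtSetInformationFile_t)(HANDLE FileHandle,
    PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length,
    FILE_INFORMATION_CLASS FileInformationClass);

/* Usage: streamrename C:\tmp\file.txt:old :new */
int main(int argc, char **argv)
{
    if (argc != 3 || !is_stream_rename_target(argv[2])) {
        fprintf(stderr, "usage: %s <file:oldstream> <:newstream>\n", argv[0]);
        return 1;
    }
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtSetInformationFile_t pNtSetInformationFile = ntdll
        ? (NtSetInformationFile_t)GetProcAddress(ntdll, "NtSetInformationFile")
        : NULL;
    if (pNtSetInformationFile == NULL) {
        fprintf(stderr, "NtSetInformationFile not exported?\n");
        return 1;
    }
    /* Open the stream itself; rename needs DELETE access on that handle. */
    HANDLE h = CreateFileA(argv[1], DELETE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                           NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "CreateFile failed: %lu\n", GetLastError());
        return 1;
    }
    size_t size = 0;
    RENAME_INFO *ri = build_rename_info(argv[2], &size);
    IO_STATUS_BLOCK iosb;
    NTSTATUS st = pNtSetInformationFile(h, &iosb, ri, (ULONG)size, RENAME_INFO_CLASS);
    printf("NtSetInformationFile -> 0x%08lX\n", (unsigned long)st);
    free(ri);
    CloseHandle(h);
    return st == 0 ? 0 : 1;
}
#endif
```

Resolving the export by name keeps the program independent of the system call number, which changes between Windows versions; the NTSTATUS printed on failure (rather than a Win32 error) is the value a minifilter would see in the post-operation callback, which is useful when comparing what the filter reports against what NTFS returns.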

> Sure there is. Either link against ntdll.lib, or call it using a function
> pointer obtained by calling GetProcAddress(hNtdll, "NtSetInformationFile").

> Or, for test purposes, just use FileTest :slight_smile:

The single most useful tool in the file system developer’s toolkit. Thanks
again Ladislav…

I tried to use GetProcAddress(hNtdll, "NtSetInformationFile"), but I think ntdll is not exporting the function address that can be used. For the rest of the NT calls I am able to successfully get the values and outputs too.
I am a bit stuck here! I actually want to rename file streams, so I thought it is the only possible way; however, it seems... no luck.
Is there any way?
My filter is failing the IFS test for StreamRename. With FileTest (insanely awesome tool) my filter is not reporting any error for stream rename, but NTFS is reporting an error!
Any help will be greatly appreciated.

Thanks,

What is the problem with SetFileInformationByHandle, which does the same?

ZwSetInformationFile/NtSetInformationFile is just a stub for a system call with ordinal number 0x24. You can implement it yourself if for some reason you are unable to retrieve the address from ntdll.

ZwSetInformationFile:
0000000076D6BFA0 mov r10,rcx    ; syscall clobbers rcx, so the first argument is passed in r10
0000000076D6BFA3 mov eax,24h    ; system call number
0000000076D6BFA8 syscall        ; enter the kernel
0000000076D6BFAA ret            ; NTSTATUS comes back in eax

Thanks for the pointer, Slava... many thanks.