Hello,
while analysing a memory.dmp I noticed that the name of the file objects does not show the ADS name (the ADS was opened successfully), but FileName.Buffer contains it and MaximumLength holds the full length (including the ADS).
It seems the FileName.Length was decreased to the name of the file without the ":" + ADS name.
A difference between Length and MaximumLength might show the usage of an ADS - not sure?
Is this the only indication, or are there others (e.g. in FsContext or FsContext2)?
ntdll!_FILE_OBJECT
+0x000 Type : 0n5
+0x002 Size : 0n216
+0x008 DeviceObject : 0xffffe000`03b8cca0 _DEVICE_OBJECT
+0x010 Vpb : 0xffffe000`03b6dad0 _VPB
+0x018 FsContext : 0xffffc000`02912dd0 Void
+0x020 FsContext2 : 0xffffc000`02a2c6b0 Void
+0x028 SectionObjectPointer : 0xffffe000`063f8610 _SECTION_OBJECT_POINTERS
+0x030 PrivateCacheMap : 0xffffe000`0d63b428 Void
+0x038 FinalStatus : 0n0
+0x040 RelatedFileObject : (null)
+0x048 LockOperation : 0 ''
+0x049 DeletePending : 0 ''
+0x04a ReadAccess : 0 ''
+0x04b WriteAccess : 0x1 ''
+0x04c DeleteAccess : 0 ''
+0x04d SharedRead : 0 ''
+0x04e SharedWrite : 0 ''
+0x04f SharedDelete : 0 ''
+0x050 Flags : 0x40060
+0x058 FileName : _UNICODE_STRING "\DLR1\171121-120733\171121-120733-1\file-10.txt"
+0x068 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x070 Waiters : 0
+0x074 Busy : 0
+0x078 LastLock : (null)
+0x080 Lock : _KEVENT
+0x098 Event : _KEVENT
+0x0b0 CompletionContext : (null)
+0x0b8 IrpListLock : 0
+0x0c0 IrpList : _LIST_ENTRY [0xffffe000`0d33cc60 - 0xffffe000`0d33cc60]
+0x0d0 FileObjectExtension : 0xffffe000`0d35e840 Void

(*((ntdll!_UNICODE_STRING *)0xffffe0000d33cbf8)) : "\DLR1\171121-120733\171121-120733-1\file-10.txt" [Type: _UNICODE_STRING]
[+0x000] Length : 0x5e [Type: unsigned short]
[+0x002] MaximumLength : 0x78 [Type: unsigned short]
[+0x008] Buffer : 0xffffc000028b7d40 : 0x5c [Type: unsigned short *]
In memory the buffer shows the expected:
"\DLR1\171121-120733\171121-120733-1\file-10.txt:FILE_ADS"
I saw this for this waiting thread:
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffd000`21565910 fffff802`c7f2dc45 : ffffd000`208b0180 ffffd000`208b0100 ffffd000`208b0180 ffffd000`208b0180 : nt!KiSwapContext+0x76
ffffd000`21565a50 fffff802`c7f37b00 : ffffe000`061d0880 ffffd000`208b0180 ffffe000`061d0880 fffff800`00c7f686 : nt!KiSwapThread+0x791
ffffd000`21565ab0 fffff802`c7f04b74 : ffffe000`061d0880 ffffe000`061d09c0 ffffe000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x470
ffffd000`21565b20 fffff802`c87bd516 : ffffe000`0d830ae8 00000000`00000000 ffffe000`00000100 ffffe000`06bc0901 : nt!KeWaitForSingleObject+0x5b0
ffffd000`21565bc0 fffff802`c87bd418 : 00000000`00000001 ffffd000`21565c80 ffffd000`00000000 00000000`00000000 : nt!FsRtlCancellableWaitForMultipleObjects+0xf6
ffffd000`21565c40 fffff800`00a7c909 : ffffe000`0d830ae8 00000000`00000000 00000000`00000000 ffffe000`06b20060 : nt!FsRtlCancellableWaitForSingleObject+0x44
ffffd000`21565c80 fffff800`00a7ea96 : ffffd000`21565d30 00000000`00000000 ffffe000`0d830b00 ffffe000`0d830ba8 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x5a9
ffffd000`21565d00 fffff800`00a80336 : ffffe000`0d830ba8 00000000`00000000 ffffe000`0d830ba8 00000000`00000000 : fltmgr!FltPerformSynchronousIo+0x19e
ffffd000`21565d70 fffff800`00a7fd25 : ffffe000`06b15c30 ffffe000`0d33cba0 ffffd000`21565f88 00000000`00000020 : fltmgr!FltWriteFileEx+0x60a
ffffd000`21565e70 fffff800`00f75034 : ffffe000`06b15c30 ffffe000`0d33cba0 ffffd000`21565f88 00000000`00000020 : fltmgr!FltWriteFile+0x61
Thanks
Norbert
The only time the content of the FO->FileName is guaranteed to be valid,
and unmodified (unless someone above you modifies it), is in pre-create
processing. The underlying file system can change the content of the
name, modify the Length value, etc. So no, there are no indicators in
the file object itself that can be used to tell you it is for an ADS.
That said, grab the name using the FltGFNI Api in pre/post create and
tag a context if it is an ADS. Then you can grab this context during
any other operation to see if it is for an ADS.
Pete
--
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
------ Original Message ------
From: "xxxxx@graudata.com"
To: "Windows File Systems Devs Interest List"
Sent: 11/21/2017 10:23:19 AM
Subject: [ntfsd] Does a FILE_OBJECT contain any information about an
opened ads stream?
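The following is an added example and not code from either message in this thread. It is a user-mode C stand-in for the two points raised above: Norbert's observation that FILE_OBJECT.FileName.Length can stop short of the ":FILE_ADS" suffix that is still sitting in the buffer, and Pete's advice to decide "is this an ADS?" from the name obtained at create time rather than from the file object. The `US` struct is a hand-rolled copy of the kernel UNICODE_STRING layout (byte lengths, UTF-16 buffer, no terminator); the device paths and the stream name "FILE_ADS" are constructed sample input. In a real minifilter the name would come from FltGetFileNameInformation plus FltParseFileNameInformation in pre/post create, and the verdict would be stored with FltSetStreamContext; the classification rule below is the same one you would apply to that parsed name.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel UNICODE_STRING (constructed for this example):
 * Length and MaximumLength are byte counts, Buffer is UTF-16, not NUL-terminated. */
typedef struct {
    uint16_t  Length;
    uint16_t  MaximumLength;
    uint16_t *Buffer;
} US;

typedef enum {
    STREAM_DEFAULT = 0,   /* unnamed $DATA stream: "file", "file::$DATA" */
    STREAM_NAMED   = 1,   /* named data stream (an ADS): "file:ads", "file:ads:$DATA" */
    STREAM_OTHER   = 2    /* named stream of another type, e.g. "dir:$I30:$INDEX_ALLOCATION" */
} StreamKind;

/* Build a US over a caller-supplied UTF-16 buffer from an ASCII path (test input only). */
static US us_from_ascii(uint16_t *buf, size_t cap_chars, const char *s)
{
    US u;
    size_t n = strlen(s);
    if (n > cap_chars) n = cap_chars;
    for (size_t i = 0; i < n; i++) buf[i] = (uint16_t)(unsigned char)s[i];
    u.Buffer = buf;
    u.Length = (uint16_t)(n * 2);
    u.MaximumLength = (uint16_t)(cap_chars * 2);
    return u;
}

static int us_equals_ascii(const uint16_t *p, size_t n, const char *s)
{
    if (strlen(s) != n) return 0;
    for (size_t i = 0; i < n; i++) if (p[i] != (uint16_t)(unsigned char)s[i]) return 0;
    return 1;
}

/* Classify the stream component of an NT path. Only the first Length bytes are
 * the string; whatever lies between Length and MaximumLength is not trusted.
 * On return *stream/*stream_len describe the stream name without the colon. */
static StreamKind classify_stream(const US *name, const uint16_t **stream, size_t *stream_len)
{
    size_t n = name->Length / 2, last = 0;
    for (size_t i = 0; i < n; i++) if (name->Buffer[i] == '\\') last = i + 1;
    *stream = NULL; *stream_len = 0;

    size_t c1 = n;                       /* first colon: file name | stream name */
    for (size_t i = last; i < n; i++) if (name->Buffer[i] == ':') { c1 = i; break; }
    if (c1 == n) return STREAM_DEFAULT;
    size_t c2 = n;                       /* second colon: stream name | stream type */
    for (size_t i = c1 + 1; i < n; i++) if (name->Buffer[i] == ':') { c2 = i; break; }

    const uint16_t *sname = name->Buffer + c1 + 1;
    size_t slen = c2 - c1 - 1;
    int is_data = (c2 == n) || us_equals_ascii(name->Buffer + c2 + 1, n - c2 - 1, "$DATA");
    if (slen == 0) return is_data ? STREAM_DEFAULT : STREAM_OTHER;
    *stream = sname; *stream_len = slen;
    return is_data ? STREAM_NAMED : STREAM_OTHER;
}

/* ASCII convenience wrapper: returns the kind and copies the stream name into out. */
static StreamKind classify_path(const char *path, char *out, size_t cap)
{
    uint16_t buf[256];
    US name = us_from_ascii(buf, 256, path);
    const uint16_t *s; size_t sl;
    StreamKind k = classify_stream(&name, &s, &sl);
    size_t n = sl < cap - 1 ? sl : cap - 1;
    for (size_t i = 0; i < n; i++) out[i] = (char)s[i];
    out[n] = '\0';
    return k;
}

/* Does `path` classify as `kind` with stream name `expect` ("" when there is none)? */
static int stream_is(const char *path, StreamKind kind, const char *expect)
{
    char out[64];
    return classify_path(path, out, sizeof out) == kind && strcmp(out, expect) == 0;
}

/* Reproduce the dump from the thread: the buffer holds "...file-10.txt:FILE_ADS" (0x70
 * bytes in a 0x78-byte allocation) but Length was cut to 0x5e, i.e. "...file-10.txt".
 * With truncated != 0 the name is classified as a reader of FILE_OBJECT.FileName sees it. */
static StreamKind dump_case(int truncated)
{
    static uint16_t buf[60];
    US name = us_from_ascii(buf, 60, "\\DLR1\\171121-120733\\171121-120733-1\\file-10.txt:FILE_ADS");
    if (truncated) name.Length = 0x5e;   /* as observed; MaximumLength stays 0x78 */
    const uint16_t *s; size_t sl;
    return classify_stream(&name, &s, &sl);
}

int main(void)
{
    static const char *samples[] = {
        "\\Device\\HarddiskVolume2\\dir\\file.txt",
        "\\Device\\HarddiskVolume2\\dir\\file.txt::$DATA",
        "\\Device\\HarddiskVolume2\\dir\\file.txt:FILE_ADS",
        "\\Device\\HarddiskVolume2\\dir\\file.txt:FILE_ADS:$DATA",
        "\\Device\\HarddiskVolume2\\dir:$I30:$INDEX_ALLOCATION",
    };
    char stream[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-58s kind=%d stream=\"%s\"\n", samples[i],
               (int)classify_path(samples[i], stream, sizeof stream), stream);
    printf("dump name, Length as found : kind=%d\n", (int)dump_case(1));
    printf("dump name, whole buffer    : kind=%d\n", (int)dump_case(0));
    return 0;
}
```

The dump case is the cautionary one: honouring Length, the very same bytes classify as the default stream, which is exactly why a Length/MaximumLength gap is a hint at best and why the decision belongs in pre/post create, where the name is still authoritative.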
Pete,
Thanks for your answer.
Norbert