Hello,
I’m developing a File System Filter Driver, and I intercept IRP_MJ_CREATE
calls, but when I get the file name, sometimes I get the MS-DOS file name.
For example if the file is
c:\programs files\driver utils\device tree.exe
I get
c:\progra~1\driver~1\device~1.exe.
I need to get the WNT file name.
How can I do it?
I get the file name just like in FileMon of Mark Russinovich.
Thank you.
My understanding is that you must open each of the parent
directories and use ZwQueryDirectoryFile with FILE_BOTH_DIR_INFORMATION.
Iterate through each file until the short name matches the child you are
searching for (you can use the child as the search key to speed this
up).
As far as I know, if you also need to know the exact case sensitive
name, then you must always perform the above operation. For example, if
you enter a DOS shell and type in “dir C:\wInNt\sYsTeM32” then you will
capture that name in your driver and must query the parents for the
correct case.
There are several other file name issues that FileMon does not
resolve correctly such as with the RelatedFileObject. I’m surprised
that no one has released a definitive fix for all of the above issues as
this question crops up every few months, but I guess everyone is either
bound by an NDA or wants to make a buck fixing these problems through
consulting.
If there is a better way of resolving the above issues I’d love to
hear about them.
----- Original Message -----
From: “Ratmil Torres Vargas”
To: “File Systems Developers”
Sent: Wednesday, July 05, 2000 10:33 AM
Subject: [ntfsd] Getting file name
> My understanding is that you must open each of the parent
> directories and use ZwQueryDirectoryFile with FILE_BOTH_DIR_INFORMATION.
> Iterate through each file until the short name matches the child you are
> searching for (you can use the child as the search key to speed this
> up).
I don’t understand what you say.
Do you mean that I should use this method instead of Russinovich’s
method, or that I should use it as a patch to Russinovich’s?
I should use ZwQueryDirectoryFile for each parent directory, so I walk
through them via RelatedFileObject. Isn’t it?
Would you please explain me the parameters to ZwQueryDirectoryFile?
Ratmil Torres wrote:
> I should use ZwQueryDirectoryFile for each parent directory,
> so I walk through them via RelatedFileObject. Isn’t it?
The name in RelatedFileObject or FileObject in a CREATE is not
necessarily the long file name (LFN), it might be the 8.3 short file
name (SFN) or a mix of LFNs and SFNs. So you need to query for the first
level directory starting from the root, noting the name(s) that match.
You repeat this for every level. That way you can determine both the SFN
and the LFN (in the correct case) of every part of the fully qualified
name.
> Would you please explain me the parameters to ZwQueryDirectoryFile?
It’s undocumented but it worked great for me!
NTSTATUS
ZwQueryDirectoryFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    IN BOOLEAN ReturnSingleEntry,
    IN PUNICODE_STRING FileName OPTIONAL,
    IN BOOLEAN RestartScan
    );
Look at the description of NtQueryDirectoryFile() in Rajeev Nagar’s
“File System Internals” for a description of what the parameters do. If
you don’t have Nagar’s book, get it!
Best wishes
Joe
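The level-by-level resolution described in the message above, as an added example that is not part of the original thread: portable C that walks a constructed in-memory directory table instead of calling ZwQueryDirectoryFile. The names `dir_entry`, `volume` and `resolve_long_name` are hypothetical, and upper-casing the drive letter is an assumption; in a driver, each level's lookup would be a directory query returning FILE_BOTH_DIR_INFORMATION for the parent resolved so far.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for FILE_BOTH_DIR_INFORMATION entries: each carries the 8.3
   ShortName and the long FileName; parent is the directory's resolved long path. */
struct dir_entry { const char *parent, *short_name, *long_name; };
static const struct dir_entry volume[] = {
    { "C:", "PROGRA~1", "programs files" },
    { "C:\\programs files", "DRIVER~1", "driver utils" },
    { "C:\\programs files\\driver utils", "DEVICE~1.EXE", "device tree.exe" },
    { "C:", "WINNT", "WINNT" },
    { "C:\\WINNT", "SYSTEM32", "system32" },
};

/* Case-insensitive match of the n-byte component a against the whole name b. */
static int ieq(const char *a, const char *b, size_t n)
{
    if (strlen(b) != n) return 0;
    while (n--)
        if (tolower((unsigned char)a[n]) != tolower((unsigned char)b[n])) return 0;
    return 1;
}

/* Rebuild `in` level by level from the root; 0 on success, -1 if a level has no
   match or `out` is too small. Each level may arrive as SFN or LFN, in any case. */
int resolve_long_name(const char *in, char *out, size_t outsz)
{
    size_t n = strcspn(in, "\\");            /* drive prefix, e.g. "c:" */
    if (n + 1 > outsz) return -1;
    for (size_t i = 0; i < n; i++) out[i] = (char)toupper((unsigned char)in[i]);
    out[n] = '\0';
    for (in += n; *in == '\\'; in += n) {
        const char *hit = NULL;
        n = strcspn(++in, "\\");             /* length of this path component */
        if (n == 0) continue;                /* trailing or doubled backslash */
        for (size_t i = 0; i < sizeof volume / sizeof volume[0] && !hit; i++)
            if (strcmp(volume[i].parent, out) == 0 &&
                (ieq(in, volume[i].short_name, n) || ieq(in, volume[i].long_name, n)))
                hit = volume[i].long_name;   /* on-disk long name, correct case */
        if (!hit || strlen(out) + 1 + strlen(hit) + 1 > outsz) return -1;
        strcat(strcat(out, "\\"), hit);
    }
    return 0;
}

int main(void)
{
    char buf[260];
    if (resolve_long_name("c:\\progra~1\\driver~1\\device~1.exe", buf, sizeof buf) == 0) puts(buf);
}
```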
Hi,
Thank you very much.
Sorry, but I still don’t get it. You say I must start searching for the root,
but matching with what? I only have the FILE_OBJECT, or I could get the file
handle too.
I don’t have the book; it’s very hard to buy it from here (Cuba). I’m still
waiting for someone in the company I’m working for to go to the USA or another
country and buy it. I already asked to buy “Windows NT Device Driver
Development” from Mason and Viscarola and I have it now, but it doesn’t help
much. Anyway, I discuss my thesis next Tuesday and I can’t wait for the
book, so I’m going to make a tricky patch. I don’t have time for more.
From: “Joe Wein”
>Reply-To: “File Systems Developers”
>To: “File Systems Developers”
>Subject: [ntfsd] Re: Getting file name
>Date: Fri, 7 Jul 2000 10:30:06 +0900