NtSetInformationFile

In NtSetInformationFile(…), if FileInformationClass is set to
FileRenameInformation it means a rename operation.

Can this be used in the debugger to find out (from the other parameters)
what was renamed and to what (all three cases of rename discussed in
the OSR "Cracking Rename" paper)?

regards

  • amitr0

> Can this be used in the debugger to find out (from the other parameters)
> what was renamed and to what (all three cases of rename discussed
> in the OSR "Cracking Rename" paper)?

I think you should be able to resolve the name of the root directory by
referencing the handle and thus getting the pointer which you feed to
ObQueryNameString(), documented in the IFSKit (or in the WDK which now
combines DDK and IFSKit).

Cheers,

Oliver

--

May the source be with you, stranger :wink:

ICQ: #281645
URL: http://assarbad.net

Sorry Oliver, beg your pardon,

but I couldn't comprehend what you said.

Did you say that the FileHandle parameter contains the handle to the root
directory?

Also what information does PVOID FileInformation contain for class = rename?

Didn't you say we were talking about this ...?

typedef struct _FILE_RENAME_INFORMATION {
...
HANDLE RootDirectory;
...
WCHAR FileName[1];
} ...

The RootDirectory handle can be evaluated and will give a path if set. The
rest of the name is contained in FileName. And of course the handle passed
into the function NtSetInformationFile() can be resolved the same way to
give you a name.
So you have both, source and target name finally.

Cheers,

Oliver

--

May the source be with you, stranger :wink:

ICQ: #281645
URL: http://assarbad.net

I don't think there is any API to convert the handle into a filename; you can
get information about the file but not the name directly.

Oliver, others, is there a way to convert the file handle into the name?

-AP

I copy-pasted the example code from the PSDK,
http://www.google.com/url?sa=D&q=http://msdn.microsoft.com/library/default.asp%3Furl%3D/library/en-us/fileio/fs/obtaining_a_file_name_from_a_file_handle.asp

where they teach you how to get the file name from a handle.

The code works fine in normal cases.

Then I added it to my NtSetInformationFile hook code and it returned
garbage. Why?

#include <windows.h>
#include <psapi.h>      // GetMappedFileName; link with psapi.lib
#include <tchar.h>
#include <stdio.h>
#include <string>
using std::string;

#define BUFSIZE 512

// Keeps the returned string alive for the caller (this code assumes an
// ANSI, non-UNICODE build, so TCHAR is char).
static string strName;

const char * GetFileNameFromHandle(HANDLE hFile)
{
    BOOL bSuccess = FALSE;
    TCHAR pszFilename[MAX_PATH+1];
    HANDLE hFileMap;

    // Start with an empty name so a failure below cannot return stack garbage.
    pszFilename[0] = '\0';

    // Get the file size. This fails (INVALID_FILE_SIZE) on a handle that lacks
    // FILE_READ_ATTRIBUTES, for example one opened with DELETE access only.
    DWORD dwFileSizeHi = 0;
    DWORD dwFileSizeLo = GetFileSize(hFile, &dwFileSizeHi);

    if (dwFileSizeLo == INVALID_FILE_SIZE && GetLastError() != NO_ERROR)
    {
        strName = string("Cannot query the file size");
        return strName.c_str();
    }
    if (dwFileSizeLo == 0 && dwFileSizeHi == 0)
    {
        strName = string("Cannot map a file with a length of zero");
        return strName.c_str();
    }

    // Create a file mapping object. This needs a handle with read access.
    hFileMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 1, NULL);

    if (hFileMap)
    {
        // Map one page so GetMappedFileName can name the backing file.
        void* pMem = MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 1);

        if (pMem)
        {
            if (GetMappedFileName(GetCurrentProcess(), pMem, pszFilename, MAX_PATH))
            {
                // Translate the device path (\Device\HarddiskVolumeN\...) to a
                // drive letter.
                TCHAR szTemp[BUFSIZE];
                szTemp[0] = '\0';

                if (GetLogicalDriveStrings(BUFSIZE-1, szTemp))
                {
                    TCHAR szName[MAX_PATH];
                    TCHAR szDrive[3] = TEXT(" :");
                    BOOL bFound = FALSE;
                    TCHAR* p = szTemp;

                    do
                    {
                        // Copy the drive letter to the template string
                        *szDrive = *p;

                        // Look up each device name (buffer is MAX_PATH, not BUFSIZE)
                        if (QueryDosDevice(szDrive, szName, MAX_PATH))
                        {
                            UINT uNameLen = _tcslen(szName);

                            if (uNameLen < MAX_PATH)
                            {
                                bFound = _tcsnicmp(pszFilename, szName, uNameLen) == 0;

                                if (bFound)
                                {
                                    // Reconstruct pszFilename: replace the device
                                    // path with the DOS path.
                                    TCHAR szTempFile[MAX_PATH];
                                    _sntprintf(szTempFile, MAX_PATH, TEXT("%s%s"),
                                               szDrive, pszFilename + uNameLen);
                                    szTempFile[MAX_PATH-1] = '\0';
                                    _tcsncpy(pszFilename, szTempFile, MAX_PATH);
                                    pszFilename[MAX_PATH] = '\0';
                                }
                            }
                        }

                        // Go to the next NULL character.
                        while (*p++);
                    } while (!bFound && *p); // end of string
                }
                bSuccess = TRUE;
            }
            UnmapViewOfFile(pMem);
        }

        CloseHandle(hFileMap);
    }

    if (!bSuccess)
    {
        // Report the failure instead of an unset buffer.
        strName = string("GetFileNameFromHandle: could not map the handle");
        return strName.c_str();
    }

    MessageBox(NULL, pszFilename, TEXT("AAAAAAAAAA"), 0);
    //printf("File name is %s\n", pszFilename);
    char buff[512];
    _snprintf(buff, sizeof(buff), "%s", pszFilename);
    buff[sizeof(buff)-1] = '\0';
    strName = string(buff);
    return strName.c_str();
    //return(bSuccess);
}

// Defined elsewhere in the hook project and not reproduced here:
// Type_NtSetInformationFile, pfnOrigNtSetInformationFile, FMap,
// GenFileInfoClass, GenIoStatusStr, Log, the FileRenameInformation /
// FileLinkInformation enum values, and ChangePathNameToDosPathName (assumed
// here to take wide-character strings, since FileName is UTF-16).

// FileRenameInformation and FileLinkInformation share this layout (ntifs.h).
// FileNameLength is in bytes and FileName is NOT NUL-terminated.
typedef struct _FILE_LINK_RENAME_INFORMATION {
    BOOLEAN ReplaceIfExists;
    HANDLE  RootDirectory;
    ULONG   FileNameLength;
    WCHAR   FileName[1];
} FILE_LINK_RENAME_INFORMATION;

NTSTATUS WINAPI MyNtSetInformationFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass )
{
    NTSTATUS status;

    WCHAR szNtPath[MAX_PATH];
    WCHAR szDosPath[MAX_PATH];
    string strOldName;
    FILE_LINK_RENAME_INFORMATION *pInfo = (FILE_LINK_RENAME_INFORMATION *)FileInformation;
    BOOL bRenameOrLink = (FileInformationClass == FileRenameInformation ||
                          FileInformationClass == FileLinkInformation);

    szNtPath[0] = L'\0';
    szDosPath[0] = L'\0';

    if (bRenameOrLink)
    {
        // Validate the caller's buffer before copying from it: Length must
        // cover the header plus FileNameLength bytes, and the name must fit.
        ULONG cbHeader = FIELD_OFFSET(FILE_LINK_RENAME_INFORMATION, FileName);
        if (Length < cbHeader ||
            pInfo->FileNameLength > Length - cbHeader ||
            pInfo->FileNameLength > (MAX_PATH - 1) * sizeof(WCHAR))
        {
            bRenameOrLink = FALSE;   // malformed or oversized: just pass it through
        }
        else
        {
            memcpy(szNtPath, pInfo->FileName, pInfo->FileNameLength);
            szNtPath[pInfo->FileNameLength / sizeof(WCHAR)] = L'\0';

            // RootDirectory is NULL for a full path or a same-directory rename,
            // and a directory handle when FileName is relative to it.
            ChangePathNameToDosPathName(pInfo->RootDirectory, szDosPath, szNtPath);

            // Resolve the source name before the call, while the file still has it.
            strOldName = GetFileNameFromHandle(FileHandle);
            // log call
            //nReaction = SpyInt_CatchCall (REASON_FILE_WRITE, TEXT("s"), szDosPath);
        }
    }

    status = ((Type_NtSetInformationFile)(PROC)pfnOrigNtSetInformationFile)(
        FileHandle, IoStatusBlock, FileInformation, Length, FileInformationClass);

    if (bRenameOrLink)
    {
        // Print the NUL-terminated copy, not pInfo->FileName, and the status:
        // IoStatusBlock->Information is only meaningful when the call succeeded.
        char buff[1024];
        _snprintf(buff, sizeof(buff),
            "\n[MyNtSetInformationFile] File Name : %s, Handle : %p\n"
            "File Information Class : %s\nStatus : 0x%08lx\n"
            "Io Status Information : %s\nOld Name: %s, New name : %ws\n",
            FMap[FileHandle].c_str(), FileHandle,
            GenFileInfoClass(FileInformationClass),
            (unsigned long)status,
            GenIoStatusStr(IoStatusBlock->Information),
            strOldName.c_str(), szNtPath);
        buff[sizeof(buff)-1] = '\0';
        Log->DbgPrnt(buff);
    }

    return status;
}
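To make the FILE_RENAME_INFORMATION layout from Oliver's reply concrete, and to show what a hook has to check before it trusts FileName, here is an added example that is not code from this thread or from the OSR paper. It builds request buffers for the three rename cases (bare name with a NULL RootDirectory, full NT path with a NULL RootDirectory, and a name relative to a RootDirectory handle), validates Length against FileNameLength the way a hook should, adds the NUL that FileName lacks, and composes the target name. It builds off Windows because the 64-bit, little-endian layout is declared by hand; the source directory and the RootDirectory name are passed in as strings where on Windows they would come from resolving the handles (NtQueryObject with ObjectNameInformation does that without needing read access, which matters because a rename handle typically carries DELETE access only and so cannot be mapped the way the PSDK sample does). The handle value 0x1c4 and all paths are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hand-declared layout of FILE_RENAME_INFORMATION / FILE_LINK_INFORMATION on
 * 64-bit Windows: ReplaceIfExists (BOOLEAN, padded to 8 bytes), RootDirectory
 * (HANDLE), FileNameLength (ULONG, in BYTES), FileName (UTF-16, no NUL).
 * Little-endian host assumed for the integer fields. */
#define RI_OFF_REPLACE 0
#define RI_OFF_ROOT    8
#define RI_OFF_LEN     16
#define RI_OFF_NAME    20

enum rename_kind {
    RENAME_MALFORMED,        /* Length / FileNameLength inconsistent           */
    RENAME_SAME_DIRECTORY,   /* RootDirectory == NULL, bare file name          */
    RENAME_FULL_PATH,        /* RootDirectory == NULL, name starts with '\'    */
    RENAME_RELATIVE_TO_ROOT  /* RootDirectory != NULL, name relative to it     */
};

struct rename_req {
    uint8_t  replace_if_exists;
    uint64_t root_directory;   /* the HANDLE value, 0 for NULL */
    char     name[260];        /* FileName narrowed to ASCII for display */
    enum rename_kind kind;
};

/* Build a request buffer the way a user-mode caller would (constructed
 * input). Stores the byte length in *len; the caller frees the buffer. */
static uint8_t *build_rename_info(uint64_t root, const char *name, size_t *len)
{
    size_t n = strlen(name);
    uint32_t name_bytes = (uint32_t)(n * 2);
    uint8_t *buf = calloc(1, RI_OFF_NAME + name_bytes);
    buf[RI_OFF_REPLACE] = 1;
    memcpy(buf + RI_OFF_ROOT, &root, sizeof root);
    memcpy(buf + RI_OFF_LEN, &name_bytes, sizeof name_bytes);
    for (size_t i = 0; i < n; i++) {              /* ASCII -> UTF-16LE */
        buf[RI_OFF_NAME + 2 * i]     = (uint8_t)name[i];
        buf[RI_OFF_NAME + 2 * i + 1] = 0;
    }
    *len = RI_OFF_NAME + name_bytes;
    return buf;
}

/* What a hook must do before trusting the buffer: check Length against the
 * header and against FileNameLength, copy exactly FileNameLength bytes, and
 * terminate the copy itself. Returns 0 on success, -1 if malformed. */
static int parse_rename_info(const uint8_t *buf, size_t length, struct rename_req *out)
{
    uint32_t name_bytes;
    memset(out, 0, sizeof *out);
    out->kind = RENAME_MALFORMED;
    if (length < RI_OFF_NAME) return -1;
    memcpy(&name_bytes, buf + RI_OFF_LEN, sizeof name_bytes);
    if (name_bytes % 2 != 0 || name_bytes > length - RI_OFF_NAME) return -1;
    if (name_bytes / 2 >= sizeof out->name) return -1;      /* would not fit */
    out->replace_if_exists = buf[RI_OFF_REPLACE];
    memcpy(&out->root_directory, buf + RI_OFF_ROOT, sizeof out->root_directory);
    for (uint32_t i = 0; i < name_bytes / 2; i++) {
        uint16_t wc = (uint16_t)(buf[RI_OFF_NAME + 2 * i] |
                                 (buf[RI_OFF_NAME + 2 * i + 1] << 8));
        out->name[i] = (wc < 0x80) ? (char)wc : '?';        /* display only */
    }
    out->name[name_bytes / 2] = '\0';                       /* the missing NUL */

    if (out->root_directory != 0)
        out->kind = RENAME_RELATIVE_TO_ROOT;
    else if (out->name[0] == '\\')
        out->kind = RENAME_FULL_PATH;
    else if (strchr(out->name, '\\') == NULL)
        out->kind = RENAME_SAME_DIRECTORY;
    else
        return -1;   /* separators but no root: this example treats it as malformed */
    return 0;
}

/* Compose the destination a logger should report. source_dir is the directory
 * of the file behind FileHandle and root_dir the name of RootDirectory; on
 * Windows both come from resolving the handles (NtQueryObject,
 * ObjectNameInformation). Returns 0 on success, -1 for a malformed request. */
static int rename_target(const struct rename_req *r, const char *source_dir,
                         const char *root_dir, char *out, size_t outsz)
{
    switch (r->kind) {
    case RENAME_SAME_DIRECTORY:   snprintf(out, outsz, "%s\\%s", source_dir, r->name); return 0;
    case RENAME_FULL_PATH:        snprintf(out, outsz, "%s", r->name);                 return 0;
    case RENAME_RELATIVE_TO_ROOT: snprintf(out, outsz, "%s\\%s", root_dir, r->name);   return 0;
    default:                      snprintf(out, outsz, "<malformed>");                 return -1;
    }
}

int main(void)
{
    /* Constructed sample requests: one per rename case, 0x1c4 is a made-up handle. */
    const char *names[] = { "new.txt", "\\??\\C:\\backup\\old.txt", "sub\\file.txt" };
    uint64_t roots[] = { 0, 0, 0x1c4 };
    for (int i = 0; i < 3; i++) {
        size_t len; struct rename_req r; char target[512];
        uint8_t *buf = build_rename_info(roots[i], names[i], &len);
        parse_rename_info(buf, len, &r);
        rename_target(&r, "\\??\\C:\\work", "\\??\\C:\\root", target, sizeof target);
        printf("kind=%d replace=%u root=%#llx -> %s\n", (int)r.kind, r.replace_if_exists,
               (unsigned long long)r.root_directory, target);
        free(buf);
    }
    return 0;
}
```

The Length check is the part that matters in a hook: FileNameLength is caller-controlled, so copying it into a fixed buffer without comparing it to Length (and to the buffer size) is a straightforward overflow, and printing FileName with %ws without adding a terminator reads past the end of the request.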