Hi All,
I am enumarating ADS of a file with NtQueryInformationFile().
Microsoft states that …
If a buffer contains two or more of these structures, the NextEntryOffset value in each entry, except the last, falls on an 8-byte boundary.
I have written following code to count the ADS
ulADSCount = 0;
pFileStreamInformationTemp = pFileStreamInformation;
ulNextEntryOffset = 0;
do
{
pFileStreamInformationTemp = (PFILE_STREAM_INFORMATION)(((char *)pFileStreamInformationTemp) + ulNextEntryOffset);
if (0 != (ULONG_PTR)pFileStreamInformationTemp % 8)
{
break;
}
if (pFileStreamInformationTemp > (PFILE_STREAM_INFORMATION)((((char *)
pFileStreamInformation) + ulSizeOfFileStreamInfo) - sizeof
(FILE_STREAM_INFORMATION)))
{
break;
}
if (0 == pFileStreamInformationTemp->StreamNameLength)
{
break;
}
ulADSCount++;
ulNextEntryOffset = pFileStreamInformationTemp->NextEntryOffset;
} while (0 != pFileStreamInformationTemp->NextEntryOffset);
This code is producing BSOD.
Note that pFileStreamInformation is also aligned at 8 byte boundry.
http://www.flexhex.com/docs/articles/alternate-streams.phtml
Try
if (NULL != pFileStreamInformationTemp)
instead of
if (0 != (ULONG_PTR)pFileStreamInformationTemp % 8)
MS says that offsets are on an aligned boundary, but it does_not
say that list end is marked by a non-aligned value.
-------------- Original message --------------
From: xxxxx@yahoo.com
Hi All,
I am enumarating ADS of a file with NtQueryInformationFile().
Microsoft states that …
If a buffer contains two or more of these structures, the NextEntryOffset value
in each entry, except the last, falls on an 8-byte boundary.
I have written following code to count the ADS
ulADSCount = 0;
pFileStreamInformationTemp = pFileStreamInformation;
ulNextEntryOffset = 0;
do
{
pFileStreamInformationTemp = (PFILE_STREAM_INFORMATION)(((char
*)pFileStreamInformationTemp) + ulNextEntryOffset);
if (0 != (ULONG_PTR)pFileStreamInformationTemp % 8)
{
break;
}
if (pFileStreamInformationTemp > (PFILE_STREAM_INFORMATION)((((char *)
pFileStreamInformation) + ulSizeOfFileStreamInfo) - sizeof
(FILE_STREAM_INFORMATION)))
{
break;
}
if (0 == pFileStreamInformationTemp->StreamNameLength)
{
break;
}
ulADSCount++;
ulNextEntryOffset = pFileStreamInformationTemp->NextEntryOffset;
} while (0 != pFileStreamInformationTemp->NextEntryOffset);
This code is producing BSOD.
Note that pFileStreamInformation is also aligned at 8 byte boundry.
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
I think it is the problem of buffer alignment.
It is giviing Access Violation while derefrencing the pointer.
Anyone know how to align this buffer.