Where does the parameter "FileHandle" of ZwSetInformationFile come from?

Dear experts,
I have hooked ZwCreateFile, ZwSetInformationFile, ZwDeleteFile and many
other ZwXXX functions in my driver, and I hope to get to know what
the kernel-level functions do when an app calls the “DeleteFile” API.

My application has only one line in it: DeleteFile(argv[1]);
When I run it from the console, if I understand well, the process of the
DeleteFile API should be ZwCreateFile->ZwSetInformationFile->ZwCloseFile.
But ONLY the breakpoint in ZwSetInformationFile is invoked;
ZwCreateFile hasn’t been invoked at all. This confused me because I think the
FileHandle parameter of ZwSetInformationFile can only come from
ZwCreateFile (ZwOpenFile will finally be finished by ZwCreateFile).

Could any one of you help to clarify my confusion?
Thanks very much for your help in advance!

B.R
YANG Xiao

Well, if you want to see what’s going on while you call DeleteFile,
there’s no need to hook half of the APIs in the kernel. Just open
your test program in Windbg and step into the DeleteFile API.

If you did that, you would know that it does

NtOpenFile
NtQueryInformationFile
NtSetInformationFile
NtClose

L.
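
The call sequence listed above answers the original question: the handle is returned by NtOpenFile. As an added example (not part of the original thread), this Python sketch resolves each handle-consuming call in a trace back to the call that produced the handle, and shows what a monitor sees when it records only NtCreateFile; the trace format, PID, paths and handle values are constructed for illustration.

```python
import re

# Constructed trace (not captured output): the four calls from the reply
# above, preceded by an unrelated NtCreateFile. The line format is assumed.
TRACE = r"""
pid=1204 NtCreateFile path=C:\temp\other.log -> handle=0x40
pid=1204 NtOpenFile path=C:\temp\sample.txt -> handle=0x44
pid=1204 NtQueryInformationFile handle=0x44
pid=1204 NtSetInformationFile handle=0x44
pid=1204 NtClose handle=0x44
"""

LINE = re.compile(r"pid=(\d+) (\w+) (?:path=(.+?) -> )?handle=(0x[0-9a-fA-F]+)$")

def handle_origins(trace, creators=("NtCreateFile", "NtOpenFile")):
    """Return [(call, handle, creator_call, path)] for each handle-consuming call.

    creator_call and path are None when no observed call produced the handle,
    which is what a monitor that misses NtOpenFile ends up with.
    """
    table = {}      # (pid, handle) -> (creator_call, path); handles are per-process
    results = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, call, path, handle = m.groups()
        key = (pid, int(handle, 16))
        if path is not None:                 # this call returns a new handle
            if call in creators:             # record it only if we monitor that call
                table[key] = (call, path)
            continue
        origin = table.get(key, (None, None))
        results.append((call, handle, *origin))
        if call == "NtClose":
            table.pop(key, None)             # the value may be reused by a later open
    return results

if __name__ == "__main__":
    for label, creators in (("NtCreateFile + NtOpenFile", ("NtCreateFile", "NtOpenFile")),
                            ("NtCreateFile only", ("NtCreateFile",))):
        print(label)
        for call, handle, origin, path in handle_origins(TRACE, creators):
            print(f"  {call:<24} {handle} <- {origin} {path}")
```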

Try to put a breakpoint into ZwOpenFile() as well. Both functions should end in IoCreateFileEx().

Nt vs. Zw - Clearing Confusion On The Native API
http://www.osronline.com/article.cfm?article=257

Have you looked at kernel32!DeleteFileW assembly?


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


Thanks to all of you for your help. I get to know the process, and it is more important
that I have learned some method from you.
B.R
YANG Xiao

2007/12/15, Maxim S. Shatskih :
>
> Have you looked at kernel32!DeleteFileW assembly?