Context Navigation

← Previous Changeset
Next Changeset →

Changeset 1086

Timestamp:

6/2/2009 2:53:07 AM (4 years ago)

Author:

lowjoel

Message:

Use NtQueryInformationFile? to get ADS information instead of the backup reading APIs

Location:

trunk/eraser6/Eraser.Util

Files:

: 3 edited

Eraser.Util.csproj (modified) (2 diffs)
File.cs (modified) (1 diff)
NTApi.cs (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/eraser6/Eraser.Util/Eraser.Util.csproj

-                      r1075
+                      r1086
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
     <AllowUnsafeBlocks>false</AllowUnsafeBlocks>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
     <CodeAnalysisRules>-Microsoft.Interoperability#CA1404;-Microsoft.Naming#CA1704;-Microsoft.Naming#CA1707</CodeAnalysisRules>
   </PropertyGroup>
 …
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
     <AllowUnsafeBlocks>false</AllowUnsafeBlocks>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
   </PropertyGroup>
   <ItemGroup>

trunk/eraser6/Eraser.Util/File.cs

-                      r1084
+                      r1086
+            {
                 //Allocate the structures
+                KernelApi.NativeMethods.WIN32_STREAM_ID streamID =
+                    new KernelApi.NativeMethods.WIN32_STREAM_ID();
+                IntPtr context = IntPtr.Zero;
+                uint bytesRead = 0;
+                //Read the header of the WIN32_STREAM_ID
+                KernelApi.NativeMethods.BackupRead(streamHandle, out streamID,
+                    (uint)Marshal.SizeOf(streamID), out bytesRead, false, false,
+                    ref context);
+                while (bytesRead == Marshal.SizeOf(streamID))
+                NTApi.NativeMethods.FILE_STREAM_INFORMATION[] streams =
+                    NTApi.NativeMethods.NtQueryInformationFile(streamHandle);
+                foreach (NTApi.NativeMethods.FILE_STREAM_INFORMATION streamInfo in streams)
+                {
+                    if (streamID.dwStreamId == KernelApi.NativeMethods.BACKUP_ALTERNATE_DATA)
+                    {
+                        //Allocate memory to copy the stream name into, then copy the name
+                        IntPtr pName = Marshal.AllocHGlobal((int)streamID.dwStreamNameSize);
+                        uint nameLength = streamID.dwStreamNameSize / sizeof(char);
+                        char[] name = new char[nameLength];
+                        try
+                        {
+                            KernelApi.NativeMethods.BackupRead(streamHandle, pName,
+                                streamID.dwStreamNameSize, out bytesRead, false, false,
+                                ref context);
+                            Marshal.Copy(pName, name, 0, (int)nameLength);
+                        }
+                        finally
+                        {
+                            Marshal.FreeHGlobal(pName);
+                        }
+                        //Get the name of the stream. The raw value is :NAME:$DATA
+                        string streamName = new string(name);
+                        result.Add(streamName.Substring(1, streamName.LastIndexOf(':') - 1));
+                    }
+                    //Skip the file contents. Jump to the next header.
+                    uint seekLow = 0, seekHigh = 0;
+                    KernelApi.NativeMethods.BackupSeek(streamHandle,
+                        (uint)(streamID.Size & uint.MaxValue),
+                        (uint)(streamID.Size >> (sizeof(uint) * 8)), out seekLow,
+                        out seekHigh, ref context);
+                    //And try to read the header
+                    KernelApi.NativeMethods.BackupRead(streamHandle, out streamID,
+                        (uint)Marshal.SizeOf(streamID), out bytesRead, false, false,
+                        ref context);
+                    //Get the name of the stream. The raw value is :NAME:$DATA
+                    string streamName = streamInfo.StreamName.Substring(1,
+                        streamInfo.StreamName.LastIndexOf(':') - 1);
+                    if (streamName.Length != 0)
+                        result.Add(streamName);
+                }
-                //Free the context
-                KernelApi.NativeMethods.BackupRead(streamHandle, IntPtr.Zero, 0,
-                    out bytesRead, true, false, ref context);
+            }

trunk/eraser6/Eraser.Util/NTApi.cs

-                      r1009
+                      r1086
             /// <summary>
+            /// The ZwQueryInformationFile routine returns various kinds of information
+            /// about a file object.
+            /// </summary>
+            /// <param name="FileHandle">Handle to a file object. The handle is created
+            /// by a successful call to ZwCreateFile or ZwOpenFile.</param>
+            /// <param name="IoStatusBlock">Pointer to an IO_STATUS_BLOCK structure
+            /// that receives the final completion status and information about
+            /// the operation. The Information member receives the number of bytes
+            /// that this routine actually writes to the FileInformation buffer.</param>
+            /// <param name="FileInformation">Pointer to a caller-allocated buffer
+            /// into which the routine writes the requested information about the
+            /// file object. The FileInformationClass parameter specifies the type
+            /// of information that the caller requests.</param>
+            /// <param name="Length">The size, in bytes, of the buffer pointed to
+            /// by FileInformation.</param>
+            /// <param name="FileInformationClass">Specifies the type of information
+            /// to be returned about the file, in the buffer that FileInformation
+            /// points to. Device and intermediate drivers can specify any of the
+            /// following FILE_INFORMATION_CLASS enumeration values, which are defined
+            /// in header file Wdm.h.</param>
+            /// <returns>ZwQueryInformationFile returns STATUS_SUCCESS or an appropriate
+            /// NTSTATUS error code.</returns>
+            [DllImport("NtDll.dll")]
+            private static extern uint NtQueryInformationFile(SafeFileHandle FileHandle,
+                ref IO_STATUS_BLOCK IoStatusBlock, IntPtr FileInformation, uint Length,
+                FILE_INFORMATION_CLASS FileInformationClass);
+            public static FILE_STREAM_INFORMATION[] NtQueryInformationFile(SafeFileHandle FileHandle)
+            {
+                IO_STATUS_BLOCK status = new IO_STATUS_BLOCK();
+                IntPtr fileInfoPtr = IntPtr.Zero;
+                try
+                {
+                    FILE_STREAM_INFORMATION streamInfo = new FILE_STREAM_INFORMATION();
+                    int fileInfoPtrLength = (Marshal.SizeOf(streamInfo) + 32768) / 2;
+                    uint ntStatus = 0;
+                    do
+                    {
+                        fileInfoPtrLength *= 2;
+                        if (fileInfoPtr != IntPtr.Zero)
+                            Marshal.FreeHGlobal(fileInfoPtr);
+                        fileInfoPtr = Marshal.AllocHGlobal(fileInfoPtrLength);
+                        ntStatus = NtQueryInformationFile(FileHandle, ref status, fileInfoPtr,
+                            (uint)fileInfoPtrLength, FILE_INFORMATION_CLASS.FileStreamInformation);
+                    }
+                    while (ntStatus != 0 /*STATUS_SUCCESS*/ && ntStatus == 0x80000005 /*STATUS_BUFFER_OVERFLOW*/);
+                    //Marshal the structure manually (argh!)
+                    List<FILE_STREAM_INFORMATION> result = new List<FILE_STREAM_INFORMATION>();
+                    unsafe
+                    {
+                        for (byte* i = (byte*)fileInfoPtr; ; i += streamInfo.NextEntryOffset)
+                        {
+                            byte* currStreamPtr = i;
+                            streamInfo.NextEntryOffset = *(uint*)currStreamPtr;
+                            byte* nextEntry = currStreamPtr + streamInfo.NextEntryOffset;
+                            currStreamPtr += sizeof(uint);
+                            streamInfo.StreamNameLength = *(uint*)currStreamPtr;
+                            currStreamPtr += sizeof(uint);
+                            streamInfo.StreamSize = *(long*)currStreamPtr;
+                            currStreamPtr += sizeof(long);
+                            streamInfo.StreamAllocationSize = *(long*)currStreamPtr;
+                            currStreamPtr += sizeof(long);
+                            streamInfo.StreamName = Marshal.PtrToStringUni((IntPtr)currStreamPtr,
+                                (int)streamInfo.StreamNameLength / 2);
+                            result.Add(streamInfo);
+                            if (streamInfo.NextEntryOffset == 0)
+                                break;
+                        }
+                    }
+                    return result.ToArray();
+                }
+                finally
+                {
+                    Marshal.FreeHGlobal(fileInfoPtr);
+                }
+            }
+            public struct IO_STATUS_BLOCK
+            {
+                public IntPtr PointerStatus;
+                public UIntPtr Information;
+            }
+            public struct FILE_STREAM_INFORMATION
+            {
+                /// <summary>
+                /// The offset of the next FILE_STREAM_INFORMATION entry. This
+                /// member is zero if no other entries follow this one.
+                /// </summary>
+                public uint NextEntryOffset;
+                /// <summary>
+                /// Length, in bytes, of the StreamName string.
+                /// </summary>
+                public uint StreamNameLength;
+                /// <summary>
+                /// Size, in bytes, of the stream.
+                /// </summary>
+                public long StreamSize;
+                /// <summary>
+                /// File stream allocation size, in bytes. Usually this value
+                /// is a multiple of the sector or cluster size of the underlying
+                /// physical device.
+                /// </summary>
+                public long StreamAllocationSize;
+                /// <summary>
+                /// Unicode string that contains the name of the stream.
+                /// </summary>
+                public string StreamName;
+            }
+            public enum FILE_INFORMATION_CLASS
+            {
+                FileDirectoryInformation = 1,
+                FileFullDirectoryInformation,
+                FileBothDirectoryInformation,
+                FileBasicInformation,
+                FileStandardInformation,
+                FileInternalInformation,
+                FileEaInformation,
+                FileAccessInformation,
+                FileNameInformation,
+                FileRenameInformation,
+                FileLinkInformation,
+                FileNamesInformation,
+                FileDispositionInformation,
+                FilePositionInformation,
+                FileFullEaInformation,
+                FileModeInformation,
+                FileAlignmentInformation,
+                FileAllInformation,
+                FileAllocationInformation,
+                FileEndOfFileInformation,
+                FileAlternateNameInformation,
+                FileStreamInformation,
+                FilePipeInformation,
+                FilePipeLocalInformation,
+                FilePipeRemoteInformation,
+                FileMailslotQueryInformation,
+                FileMailslotSetInformation,
+                FileCompressionInformation,
+                FileCopyOnWriteInformation,
+                FileCompletionInformation,
+                FileMoveClusterInformation,
+                FileQuotaInformation,
+                FileReparsePointInformation,
+                FileNetworkOpenInformation,
+                FileObjectIdInformation,
+                FileTrackingInformation,
+                FileOleDirectoryInformation,
+                FileContentIndexInformation,
+                FileInheritContentIndexInformation,
+                FileOleInformation,
+                FileMaximumInformation
+            }
+            /// <summary>
             /// Represents volume data. This structure is passed to the
             /// FSCTL_GET_NTFS_VOLUME_DATA control code.

Note: See TracChangeset for help on using the changeset viewer.