需要帮助使用NtCreateFile()打开fileIndex

Need help using NtCreateFile() to open by fileIndex

本文关键字：打开 fileIndex NtCreateFile 帮助更新时间：2023-10-16

我编写了一个程序来查询更改日志记录并列出它们。更改日志返回:

1) filereferencenumber(fileindex的组合。High和fileindex.low)2) parentfilereferencenumber(同上，除了用于目录)3) szReason(出现在变更记录中的原因)4)文件名和长度

我想找到在更改日志中列出的这个文件的路径。我见过的大多数实现都跟踪所有filereferencenumber并查询它以进行比较，或者使用FindNextFile()函数遍历整个卷。

我遇到一个讨论，他们说，他们可以打开一个文件句柄只用filereferencenumber。http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.file_system/2004-11/0244.html

msdn文章说，我们必须在调用内部API的http://msdn.microsoft.com/en-us/library/bb432380%28v=vs.85%29.aspx之前加载一个库

谁能给我指个方向，告诉我该怎么做?我如何使用NtCreateFile()?

或者，是否有一种方法可以仅使用filereferencenumber访问文件路径?

下面是我使用的代码:http://www.ragestorm.net/blogs/?cat=7

 #include windows.h
 typedef ULONG (__stdcall *pNtCreateFile)(
   PHANDLE FileHandle,
   ULONG DesiredAccess,
   PVOID ObjectAttributes,
   PVOID IoStatusBlock,
   PLARGE_INTEGER AllocationSize,
   ULONG FileAttributes,
   ULONG ShareAccess,
   ULONG CreateDisposition,
   ULONG CreateOptions,
   PVOID EaBuffer,
   ULONG EaLength
 );
 typedef ULONG (__stdcall *pNtReadFile)(
    IN HANDLE  FileHandle,
    IN HANDLE  Event  OPTIONAL,
    IN PVOID  ApcRoutine  OPTIONAL,
    IN PVOID  ApcContext  OPTIONAL,
    OUT PVOID  IoStatusBlock,
    OUT PVOID  Buffer,
    IN ULONG  Length,
    IN PLARGE_INTEGER  ByteOffset  OPTIONAL,
    IN PULONG  Key  OPTIONAL    );
 typedef struct _UNICODE_STRING {
    USHORT Length, MaximumLength;
    PWCH Buffer;
 } UNICODE_STRING, *PUNICODE_STRING;
 typedef struct _OBJECT_ATTRIBUTES {
 ULONG Length;
 HANDLE RootDirectory;
 PUNICODE_STRING ObjectName;
 ULONG Attributes;
 PVOID SecurityDescriptor;        // Points to type SECURITY_DESCRIPTOR
PVOID SecurityQualityOfService;  // Points to type SECURITY_QUALITY_OF_SERVICE
 } OBJECT_ATTRIBUTES;
 #define InitializeObjectAttributes( p, n, a, r, s ) { 
(p)->Length = sizeof( OBJECT_ATTRIBUTES );          
(p)->RootDirectory = r;                             
(p)->Attributes = a;                                
(p)->ObjectName = n;                                
(p)->SecurityDescriptor = s;                        
(p)->SecurityQualityOfService = NULL;               
}
 #define OBJ_CASE_INSENSITIVE  0x00000040L
 #define FILE_NON_DIRECTORY_FILE  0×00000040
 #define FILE_OPEN_BY_FILE_ID  0×00002000
 #define FILE_OPEN   0×00000001
 int main(int argc, char* argv[])
 {
    HANDLE d = CreateFile(L"\\.\c:", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0  );
    BY_HANDLE_FILE_INFORMATION i;
    HANDLE f = CreateFile(L"c:\bla.bla", GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    ULONG bla;
    WriteFile(f, "helloworld", 11, &bla, NULL);
    printf("%x, %dn", f, GetLastError());
    GetFileInformationByHandle(f, &i);
    printf("id:%08x-%08xn", i.nFileIndexHigh, i.nFileIndexLow);
    CloseHandle(f);
    pNtCreateFile NtCreatefile = (pNtCreateFile)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateFile");
    pNtReadFile NtReadFile = (pNtReadFile)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtReadFile");
    ULONG fid[2] = {i.nFileIndexLow, i.nFileIndexHigh};
    UNICODE_STRING fidstr = {8, 8, (PWSTR) fid};
    OBJECT_ATTRIBUTES oa = {0};
     InitializeObjectAttributes (&oa, &fidstr, OBJ_CASE_INSENSITIVE, d, NULL);
     ULONG iosb[2];
     ULONG status = NtCreatefile(&f, GENERIC_ALL, &oa, iosb, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_OPEN_BY_FILE_ID | FILE_NON_DIRECTORY_FILE, NULL, 0);
    printf("status: %X, handle: %xn", status, f);
    UCHAR buf[11] = {0};
    LONG Off[2] = {0};
    status = NtReadFile(f, NULL, NULL, NULL, (PVOID)&iosb, (PVOID)buf, sizeof(buf), (PLARGE_INTEGER)&Off, NULL);
    printf("status: %X, bytes: %dn", status, iosb[1]);
    printf("buf: %sn", buf);
    CloseHandle(f);
    CloseHandle(d);
 }

如您所见，一旦您给出fileindex。高和文件索引。filereferencenumber的Low部分，它为您提供该文件的句柄。我使用了psapi的getFileMapping函数来获取完整的路径。相关信息:http://msdn.microsoft.com/en-us/library/aa366789.aspx