NTFS streams
NTFS streams are not normally visible: unless you know one is there (and unless you know its name), you are out of luck.

Enumerating NTFS streams (the documented way): The only documented way to enumerate the streams in a file is to use BackupRead(). Contrary to what I stated here earlier, SeBackupPrivilege is not needed to enumerate streams (assuming you have permissions to the file). My gratitude to Bob Kreuch for setting me straight. Anyway, the dump_ntfs_streams.cpp sample shows you how to enumerate those streams with BackupRead(), and how to avoid having to read all the data by using BackupSeek() to skip over each stream's contents. (This was the only documented route on NT 4; Windows Vista and later also document FindFirstStreamW()/FindNextStreamW(), and "dir /R" lists streams there.)
dump_ntfs_streams.cpp, 3 KB

Enumerating NTFS streams (the undocumented way): But then, there are always undocumented ways, or rather underdocumented ones. For kernel-mode drivers (KMDs), NT provides a routine named ZwQueryInformationFile(), and an enumeration in a DDK header file (FILE_INFORMATION_CLASS in NTDDK.H) tells us what it can do: for example, asked for FileStreamInformation, it returns all the stream names associated with a file in one fell swoop, as a chain of FILE_STREAM_INFORMATION records whose name lengths are given in bytes. The Zw*() functions are for KMDs what the Nt*() functions are for user-mode programs, and that will become important in a moment. The Nt*() functions are the ones exported by NTDLL.DLL that talk to the "real" NT, as opposed to functions from USER32.DLL or KERNEL32.DLL; those handle some simple things themselves, but for the rest they make a series of calls into NTDLL.DLL. Unfortunately, these Nt*() functions are not documented. There are a few tantalizingly incomplete references on System Internals, in a few MSJ articles by Matt Pietrek, and Rajeev Nagar lists a few in the appendices to his "Windows NT File System Internals", sure. But on the whole, the situation is depressing ... unless you have the NT DDK installed, in which case you hunt in NTDDK.H for something suitable starting with "Zw", take the same prototype with the "Nt" prefix, and call that in NTDLL.DLL. The rest is easy. This sample is specifically for Unicode.
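For the documented way from the first section, here is an added example; it is not the page's dump_ntfs_streams.cpp, and the stream names, contents and the helper name list_streams_backupread are chosen here for illustration. BackupRead() returns the file as a sequence of WIN32_STREAM_ID headers, each followed by its byte-counted name and then Size bytes of data, so listing streams means reading header and name and then BackupSeek()ing past the data. The walker parses that format from a constructed in-memory buffer and runs anywhere; the live calls are compiled only under _WIN32.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* WIN32_STREAM_ID as BackupRead() emits it; 16-bit units stand in for WCHAR so
 * this also builds where wchar_t is 32 bits. Name (if any) follows the 20-byte
 * header, then Size bytes of stream data. */
typedef struct {
    uint32_t dwStreamId;          /* BACKUP_DATA = 1, BACKUP_ALTERNATE_DATA = 4, ... */
    uint32_t dwStreamAttributes;
    int64_t  Size;                /* bytes of stream data after the name */
    uint32_t dwStreamNameSize;    /* BYTES of UTF-16 name; 0 for the unnamed data stream */
    uint16_t cStreamName[1];
} STREAM_ID_HDR;
#define SID_HEADER offsetof(STREAM_ID_HDR, cStreamName)   /* 20 bytes */

typedef struct { uint32_t id; char name[128]; int64_t size; } backup_entry;

/* Walk a backup stream held in memory: header, name, skip data (the step
 * BackupSeek() takes on a live handle). Returns the stream count, or -1 if a
 * header, name or data run past the end of the buffer. */
int walk_backup_stream(const uint8_t *buf, size_t len, backup_entry *out, int max_out)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        STREAM_ID_HDR h;
        if (off + SID_HEADER > len) return -1;
        memcpy(&h, buf + off, SID_HEADER);
        off += SID_HEADER;
        if (h.dwStreamNameSize % 2 || h.dwStreamNameSize > len - off) return -1;
        if (n < max_out) {
            uint32_t i, chars = h.dwStreamNameSize / 2;
            for (i = 0; i < chars && i < sizeof out[n].name - 1; i++)   /* UTF-16LE to ASCII */
                out[n].name[i] = (buf[off + 2*i + 1] == 0 && buf[off + 2*i] < 0x80)
                                 ? (char)buf[off + 2*i] : '?';
            out[n].name[i] = '\0';
            out[n].id = h.dwStreamId;
            out[n].size = h.Size;
        }
        n++;
        off += h.dwStreamNameSize;
        if (h.Size < 0 || (uint64_t)h.Size > len - off) return -1;
        off += (size_t)h.Size;
    }
    return n;
}

/* Append one stream (header, ASCII name as UTF-16LE, data) at byte offset off. */
static size_t put_stream(uint8_t *buf, size_t off, uint32_t id, const char *name, const char *data)
{
    STREAM_ID_HDR h;
    uint32_t i, nbytes = (uint32_t)strlen(name) * 2;
    memset(&h, 0, sizeof h);
    h.dwStreamId = id;
    h.Size = (int64_t)strlen(data);
    h.dwStreamNameSize = nbytes;
    memcpy(buf + off, &h, SID_HEADER);
    off += SID_HEADER;
    for (i = 0; i < nbytes / 2; i++) { buf[off + 2*i] = (uint8_t)name[i]; buf[off + 2*i + 1] = 0; }
    off += nbytes;
    memcpy(buf + off, data, strlen(data));
    return off + strlen(data);
}

/* Constructed sample (not captured from a real file): a 14-byte text file
 * carrying a Zone.Identifier ADS, in the order BackupRead() would return it. */
size_t build_backup_sample(uint8_t *buf)
{
    size_t off = put_stream(buf, 0, 1 /* BACKUP_DATA */, "", "hello, world\r\n");
    return put_stream(buf, off, 4 /* BACKUP_ALTERNATE_DATA */, ":Zone.Identifier:$DATA",
                      "[ZoneTransfer]\r\nZoneId=3\r\n");
}

#ifdef _WIN32
#include <windows.h>
/* Live enumeration: read header and name, BackupSeek() over the data. Needs read
 * access to the file, not SeBackupPrivilege. list_streams_backupread is a name
 * chosen for this example, not an API. */
static int list_streams_backupread(const char *path)
{
    WIN32_STREAM_ID sid;
    WCHAR name[512];
    DWORD got, lo, hi;
    LPVOID ctx = NULL;                   /* BackupRead keeps its position in here */
    HANDLE h = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL,
                           OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if (h == INVALID_HANDLE_VALUE) return 1;
    for (;;) {
        if (!BackupRead(h, (LPBYTE)&sid, (DWORD)offsetof(WIN32_STREAM_ID, cStreamName),
                        &got, FALSE, FALSE, &ctx) || got == 0)
            break;                                      /* no more streams */
        name[0] = 0;
        if (sid.dwStreamNameSize) {
            if (sid.dwStreamNameSize > sizeof name - sizeof(WCHAR)) break;
            BackupRead(h, (LPBYTE)name, sid.dwStreamNameSize, &got, FALSE, FALSE, &ctx);
            name[sid.dwStreamNameSize / sizeof(WCHAR)] = 0;   /* the size is in bytes */
        }
        printf("id=%lu %-40ls %lld\n", (unsigned long)sid.dwStreamId, name, (long long)sid.Size.QuadPart);
        if (sid.Size.QuadPart && !BackupSeek(h, sid.Size.LowPart, sid.Size.HighPart, &lo, &hi, &ctx))
            break;
    }
    BackupRead(h, NULL, 0, &got, TRUE, FALSE, &ctx);    /* bAbort = TRUE frees the context */
    CloseHandle(h);
    return 0;
}
#endif

int main(int argc, char **argv)
{
    static uint8_t buf[256];
    backup_entry ent[8];
    size_t len;
    int n, i;
#ifdef _WIN32
    if (argc > 1) return list_streams_backupread(argv[1]);   /* usage: prog <file> */
#endif
    (void)argc; (void)argv;
    len = build_backup_sample(buf);
    n = walk_backup_stream(buf, len, ent, 8);
    for (i = 0; i < n; i++)
        printf("id=%u %-32s %lld bytes\n", (unsigned)ent[i].id, ent[i].name, (long long)ent[i].size);
    return n < 0;
}
```

Without a path argument the program walks the constructed buffer; on Windows, given a file name, it runs the live BackupRead()/BackupSeek() loop. The final BackupRead() with bAbort set to TRUE is what releases the context, and the name is terminated at dwStreamNameSize divided by sizeof(WCHAR) because that count is in bytes.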
As the sample requires special compiler options for Unicode, I am including a project file (no, unlike my other samples, this one will not easily compile from the command line unless you remember to set the Unicode options, such as the entry point name).
streams.dsp, 3 KB

24-May-1998: I just fixed a horrible bug in streams.cpp: the check whether a particular stream was the default stream (a) used the returned stream name length, which is in bytes, as though it were a count of Unicode characters, and (b) in the same line, limited the comparison to no more than that length (which would have become a bug if I had only fixed problem (a)). My apologies, and I really recommend you download the current version of the source.
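For the undocumented way, here is an added example of walking the FILE_STREAM_INFORMATION chain that NtQueryInformationFile() returns for FileStreamInformation; it is not the page's streams.cpp, and the sample stream names and sizes, the helper name list_streams_ntquery and the 64 KB buffer are choices made here. StreamNameLength is a byte count, so the default-stream test compares "::$DATA" by bytes (the trap the 24-May-1998 note above describes). The parser runs on a constructed buffer anywhere; the live call through NTDLL.DLL is compiled only under _WIN32.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* FILE_STREAM_INFORMATION as the DDK declares it; 16-bit units stand in for
 * WCHAR so this also builds where wchar_t is 32 bits. The kernel chains the
 * records through NextEntryOffset and aligns each one to 8 bytes. */
typedef struct {
    uint32_t NextEntryOffset;      /* bytes to the next record, 0 on the last */
    uint32_t StreamNameLength;     /* in BYTES, not characters */
    int64_t  StreamSize;
    int64_t  StreamAllocationSize;
    uint16_t StreamName[1];        /* UTF-16, not NUL-terminated */
} FILE_STREAM_INFO;
#define FSI_HEADER offsetof(FILE_STREAM_INFO, StreamName)   /* 24 bytes */

typedef struct { char name[128]; int64_t size; int is_default; } stream_entry;

/* The unnamed data stream is reported as "::$DATA"; compare by bytes, since
 * the length is in bytes. */
static int is_default_stream(const uint8_t *name, uint32_t name_bytes)
{
    static const uint8_t dflt[] = { ':',0, ':',0, '$',0, 'D',0, 'A',0, 'T',0, 'A',0 };
    return name_bytes == sizeof dflt && memcmp(name, dflt, sizeof dflt) == 0;
}

/* Walk the chain. Returns the stream count (0 for an empty reply, as for a
 * directory without ADS), or -1 if an offset or name runs past the buffer. */
int walk_stream_info(const uint8_t *buf, size_t len, stream_entry *out, int max_out)
{
    size_t off = 0;
    int n = 0;
    if (len == 0) return 0;
    for (;;) {
        FILE_STREAM_INFO hdr;
        const uint8_t *name;
        if (off + FSI_HEADER > len) return -1;
        memcpy(&hdr, buf + off, FSI_HEADER);
        name = buf + off + FSI_HEADER;
        if (hdr.StreamNameLength % 2 || hdr.StreamNameLength > len - off - FSI_HEADER) return -1;
        if (n < max_out) {
            uint32_t i, chars = hdr.StreamNameLength / 2;
            for (i = 0; i < chars && i < sizeof out[n].name - 1; i++)   /* UTF-16LE to ASCII */
                out[n].name[i] = (name[2*i + 1] == 0 && name[2*i] < 0x80) ? (char)name[2*i] : '?';
            out[n].name[i] = '\0';
            out[n].size = hdr.StreamSize;
            out[n].is_default = is_default_stream(name, hdr.StreamNameLength);
        }
        n++;
        if (hdr.NextEntryOffset == 0) break;
        if (hdr.NextEntryOffset < FSI_HEADER) return -1;    /* would loop or overlap */
        off += hdr.NextEntryOffset;
    }
    return n;
}

/* Append one record at byte offset off, ASCII name as UTF-16LE, padded to 8 bytes. */
static size_t put_record(uint8_t *buf, size_t off, const char *name, int64_t size, int last)
{
    FILE_STREAM_INFO hdr;
    uint32_t i, nbytes = (uint32_t)strlen(name) * 2;
    size_t padded = (FSI_HEADER + nbytes + 7) & ~(size_t)7;
    memset(&hdr, 0, sizeof hdr);
    hdr.NextEntryOffset = last ? 0 : (uint32_t)padded;
    hdr.StreamNameLength = nbytes;
    hdr.StreamSize = size;
    hdr.StreamAllocationSize = (size + 4095) / 4096 * 4096;
    memcpy(buf + off, &hdr, FSI_HEADER);
    for (i = 0; i < nbytes / 2; i++) { buf[off + FSI_HEADER + 2*i] = (uint8_t)name[i]; buf[off + FSI_HEADER + 2*i + 1] = 0; }
    return off + padded;
}

/* Constructed sample (not captured from a real file): a 1234-byte file with a
 * 26-byte Zone.Identifier ADS, as FileStreamInformation would report it. */
size_t build_stream_sample(uint8_t *buf)
{
    size_t off = put_record(buf, 0, "::$DATA", 1234, 0);
    return put_record(buf, off, ":Zone.Identifier:$DATA", 26, 1);
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
/* Live query through NTDLL: FileStreamInformation is 22 in FILE_INFORMATION_CLASS.
 * Needs only FILE_READ_ATTRIBUTES on the file, not SeBackupPrivilege.
 * list_streams_ntquery is a name chosen for this example, not an API. */
typedef LONG (NTAPI *NtQueryInformationFile_t)(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, int);
static int list_streams_ntquery(const char *path)
{
    static uint8_t buf[64 * 1024];
    stream_entry ent[64];
    IO_STATUS_BLOCK iosb;
    int n, i;
    NtQueryInformationFile_t q = (NtQueryInformationFile_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationFile");
    HANDLE h = CreateFileA(path, FILE_READ_ATTRIBUTES, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                           NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if (!q || h == INVALID_HANDLE_VALUE) return 1;
    /* A negative NTSTATUS includes STATUS_BUFFER_OVERFLOW: a too-small buffer counts as failure here. */
    if (q(h, &iosb, buf, sizeof buf, 22) < 0) { CloseHandle(h); return 1; }
    CloseHandle(h);
    n = walk_stream_info(buf, (size_t)iosb.Information, ent, 64);
    for (i = 0; i < n && i < 64; i++)
        printf("%-40s %10lld%s\n", ent[i].name, (long long)ent[i].size, ent[i].is_default ? "  (default)" : "");
    return n < 0;
}
#endif

int main(int argc, char **argv)
{
    static uint8_t buf[256];
    stream_entry ent[8];
    size_t len;
    int n, i;
#ifdef _WIN32
    if (argc > 1) return list_streams_ntquery(argv[1]);   /* usage: prog <file> */
#endif
    (void)argc; (void)argv;
    len = build_stream_sample(buf);
    n = walk_stream_info(buf, len, ent, 8);
    for (i = 0; i < n; i++)
        printf("%-32s %8lld%s\n", ent[i].name, (long long)ent[i].size, ent[i].is_default ? "  (default)" : "");
    return n < 0;
}
```

The function pointer is resolved with GetProcAddress() because NTDLL.DLL exports NtQueryInformationFile() without an import library or header in the user-mode SDK of that era; the prototype is the ZwQueryInformationFile() one from NTDDK.H with the prefix changed, exactly as the text above suggests.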