wraithdu Posted October 19, 2008 Share Posted October 19, 2008 (edited) EDIT - Awwww, crap. Just figued it out. Stupid.... 1st param in NtOpenFile should be hwnd* I've been trying to get this function working all night, but no luck so far. I keep getting error C0000005 which is STATUS_ACCESS_VIOLATION. Here's the code I have so far. Just create a file 'new.txt' in the same directory as the script. Unfortunately, the "handle" returned by FileOpen is not sufficient to use with the NtQueryInformationFile function.Any help would be greatly appreciated!expandcollapse popupGlobal Const $FileDirectoryInformation = 1 Global Const $FileFullDirectoryInformation = 2 Global Const $FileBothDirectoryInformation = 3 Global Const $FileBasicInformation = 4 Global Const $FileStandardInformation = 5 Global Const $FileInternalInformation = 6 Global Const $FileEaInformation = 7 Global Const $FileAccessInformation = 8 Global Const $FileNameInformation = 9 Global Const $FileRenameInformation = 10 Global Const $FileLinkInformation = 11 Global Const $FileNamesInformation = 12 Global Const $FileDispositionInformation = 13 Global Const $FilePositionInformation = 14 Global Const $FileFullEaInformation = 15 Global Const $FileModeInformation = 16 Global Const $FileAlignmentInformation = 17 Global Const $FileAllInformation = 18 Global Const $FileAllocationInformation = 19 Global Const $FileEndOfFileInformation = 20 Global Const $FileAlternateNameInformation = 21 Global Const $FileStreamInformation = 22 Global Const $FilePipeInformation = 23 Global Const $FilePipeLocalInformation = 24 Global Const $FilePipeRemoteInformation = 25 Global Const $FileMailslotQueryInformation = 26 Global Const $FileMailslotSetInformation = 27 Global Const $FileCompressionInformation = 28 Global Const $FileCopyOnWriteInformation = 29 Global Const $FileCompletionInformation = 30 Global Const $FileMoveClusterInformation = 31 Global Const $FileQuotaInformation = 32 Global Const $FileReparsePointInformation = 33 Global Const $FileNetworkOpenInformation = 34 Global Const $FileObjectIdInformation = 35 Global Const $FileTrackingInformation = 36 Global Const $FileOleDirectoryInformation = 37 Global Const $FileContentIndexInformation = 38 Global Const $FileInheritContentIndexInformation = 39 Global Const $FileOleInformation = 40 Global Const $FileMaximumInformation = 41 Global Const $READ_CONTROL = 0x20000 Global Const $GENERIC_READ = 0x80000000 Global Const $SYNCHRONIZE = 0x100000 Global Const $OBJ_CASE_INSENSITIVE = 0x00000040 Global Const $OBJ_INHERIT = 0x2 Global Const $FILE_NON_DIRECTORY_FILE = 0x00000040 Global Const $FILE_RANDOM_ACCESS = 0x00000800 Global Const $FILE_SHARE_READ = 0x1 Global Const $tagFILESTREAMINFO = "ulong NextEntryOffset;ulong StreamNameLength;int64 StreamSize;int64 StreamAllocationSize;wchar StreamName" Global Const $tagIOSTATUSBLOCK = "dword Status;dword Information" Global Const $tagOBJECTATTRIBUTES = "ulong Length;hwnd RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService" Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer" $hNTDLL = DllOpen("ntdll.dll") $szName = DllStructCreate("wchar[260]") $sUS = DllStructCreate($tagUNICODESTRING) $sOA = DllStructCreate($tagOBJECTATTRIBUTES) $sFSO = DllStructCreate($tagFILESTREAMINFO) $sISB = DllStructCreate($tagIOSTATUSBLOCK) $buffer = DllStructCreate("byte[16384]") $file = "\??\" & @ScriptDir & "\new.txt" ConsoleWrite($file & @CRLF) DllStructSetData($szName, 1, $file) $ret = DllCall($hNTDLL, "none", "RtlInitUnicodeString", "ptr", DllStructGetPtr($sUS), "ptr", DllStructGetPtr($szName)) ConsoleWrite("Length: " & DllStructGetData($sUS, "Length") & @CRLF) ConsoleWrite("Max: " & DllStructGetData($sUS, "MaximumLength") & @CRLF) ConsoleWrite("Buff ptr: " & DllStructGetData($sUS, "Buffer") & @CRLF) DllStructSetData($sOA, "Length", DllStructGetSize($sOA)) DllStructSetData($sOA, "RootDirectory", Chr(0)) DllStructSetData($sOA, "ObjectName", DllStructGetPtr($sUS)) DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE) DllStructSetData($sOA, "SecurityDescriptor", Chr(0)) DllStructSetData($sOA, "SecurityQualityOfService", Chr(0)) $ret = DllCall($hNTDLL, "int", "NtOpenFile", "hwnd", "", "dword", $GENERIC_READ, "ptr", DllStructGetPtr($sOA), "ptr", DllStructGetPtr($sISB), _ "ulong", $FILE_SHARE_READ, "ulong", BitOR($FILE_NON_DIRECTORY_FILE, $FILE_RANDOM_ACCESS)) ConsoleWrite("Return: " & Hex($ret[0]) & @CRLF) $hFile = $ret[1] ConsoleWrite("hFile: " & $hFile & @CRLF) $ret = DllCall($hNTDLL, "int", "NtClose", "hwnd", $hFile) ConsoleWrite("Return: " & Hex($ret[0]) & @CRLF) DllClose($hNTDLL) Exit ;~ $ret = DllCall($hNTDLL, "int", "NtQueryInformationFile", "hwnd", $hFile, "ptr", DllStructGetPtr($sISB), "ptr", DllStructGetPtr($buffer), _ ;~ "int", 16384, "int", $FileStreamInformation) ;~ If @error Then ;~ ConsoleWrite("->Error querying file." & @error & @CRLF) ;~ Exit ;~ EndIf ;~ ConsoleWrite(">" & Hex($ret[0]) & @CRLF) ;~ If NT_SUCCESS($ret[0]) Then ;~ ConsoleWrite("+>Successful query." & @CRLF) ;~ EndIf ;~ $ret = DllCall($hNTDLL, "int", "NtClose", "hwnd", $hFile) ;~ ConsoleWrite("Return: " & Hex($ret[0]) & @CRLF) ;~ Func NT_SUCCESS($status) ;~ If 0 <= $status And $status <= 0x7FFFFFFF Then ;~ Return True ;~ Else ;~ Return False ;~ EndIf ;~ EndFunc Edited October 19, 2008 by wraithdu Link to comment Share on other sites More sharing options...
wraithdu Posted October 19, 2008 Author Share Posted October 19, 2008 Well here's the finished function to query NTFS ADS streams -http://www.autoitscript.com/forum/index.ph...st&p=593163 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now