Solved

Needed help with using NtCreateFile()

Posted on 2011-09-20
2
704 Views
Last Modified: 2012-06-21
I have written a program that queries the change journal records and lists them. The change journal returns:

1) filereferencenumber( combination of fileindex.high and fileindex.low) 2) parentfilereferencenumber(same as above except it is for directory) 3) szReason(Reason it appears in the change record) 4) Filename and Filelength.

I want to find the path of this file listed in the change journal. Most of the implementations I have seen keep track of all the filereferencenumber and query it to compare, or they use FindNextFile() functions ot traverse through the entire volume.

I came across a discussion where they say, they can open a file handle using just the filereferencenumber. http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.file_system/2004-11/0244.html

The msdn article says, we have to load a library before calling Internal API's http://msdn.microsoft.com/en-us/library/bb432380%28v=vs.85%29.aspx

Can someone point me in the right direction and tell me exactly what to do? How do I use NtCreateFile()?

Or, is there a way to access file path using just the filereferencenumber?
0
Comment
Question by:zystemsgo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 34

Accepted Solution

by:
sarabande earned 500 total points
ID: 36571827
those internal functions have no import library. so you not simply can call NtCreateFile aafter including a header but has to load the dll and get a function pointer out of the dll loaded.

that is done like

#include <wininternl.h>
....
HMODULE hdll = LoadLibrary("winnt.dll");
if (hdll == NULL)
{
    long err = GetLastError();
    return err;
}
FUNC_NTCREATEFILE pfunc = GetProcAddress(hdll, "NtCreateFile");
if (pfunc == NULL)
{
    long err = GetLastError();
    return err;
}
// call NtCreateFile 
NTSTATUS = pfunc(&filehandle, ....);

Open in new window


the FUNC_NTCREATEFILE is supposed to be the type of function pointer fitting to NtCreateFile. i don't have a copy of the winternal.h where such kind of  type should be declared. of course it has a different name than that i used.

in the docs to NtCreateFile they mention that the WDK (windows driver kit) would provide ntdll.lib, an import library for ntdll.dll. if you have the WDK installed you could include ntdef.h and call the NtCreateFile directly. you then would need to add ntdll.lib to the linker import modules.

Sara
0
 
LVL 34

Expert Comment

by:sarabande
ID: 36571831
it should have been

NTSTATUS nstat = pfunc(&filehandle, ....);

Sara
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article summaries thoughts and ideas from two years of sustained use. It provides good reasoning to make the jump to Windows 10.
This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question