Solved

Needed help with using NtCreateFile()

Posted on 2011-09-20
2
647 Views
Last Modified: 2012-06-21
I have written a program that queries the change journal records and lists them. The change journal returns:

1) filereferencenumber( combination of fileindex.high and fileindex.low) 2) parentfilereferencenumber(same as above except it is for directory) 3) szReason(Reason it appears in the change record) 4) Filename and Filelength.

I want to find the path of this file listed in the change journal. Most of the implementations I have seen keep track of all the filereferencenumber and query it to compare, or they use FindNextFile() functions ot traverse through the entire volume.

I came across a discussion where they say, they can open a file handle using just the filereferencenumber. http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.file_system/2004-11/0244.html

The msdn article says, we have to load a library before calling Internal API's http://msdn.microsoft.com/en-us/library/bb432380%28v=vs.85%29.aspx

Can someone point me in the right direction and tell me exactly what to do? How do I use NtCreateFile()?

Or, is there a way to access file path using just the filereferencenumber?
0
Comment
Question by:zystemsgo
  • 2
2 Comments
 
LVL 32

Accepted Solution

by:
sarabande earned 500 total points
ID: 36571827
those internal functions have no import library. so you not simply can call NtCreateFile aafter including a header but has to load the dll and get a function pointer out of the dll loaded.

that is done like

#include <wininternl.h>
....
HMODULE hdll = LoadLibrary("winnt.dll");
if (hdll == NULL)
{
    long err = GetLastError();
    return err;
}
FUNC_NTCREATEFILE pfunc = GetProcAddress(hdll, "NtCreateFile");
if (pfunc == NULL)
{
    long err = GetLastError();
    return err;
}
// call NtCreateFile 
NTSTATUS = pfunc(&filehandle, ....);

Open in new window


the FUNC_NTCREATEFILE is supposed to be the type of function pointer fitting to NtCreateFile. i don't have a copy of the winternal.h where such kind of  type should be declared. of course it has a different name than that i used.

in the docs to NtCreateFile they mention that the WDK (windows driver kit) would provide ntdll.lib, an import library for ntdll.dll. if you have the WDK installed you could include ntdef.h and call the NtCreateFile directly. you then would need to add ntdll.lib to the linker import modules.

Sara
0
 
LVL 32

Expert Comment

by:sarabande
ID: 36571831
it should have been

NTSTATUS nstat = pfunc(&filehandle, ....);

Sara
0

Featured Post

Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users do...so should you!

Join & Write a Comment

Several part series to implement Internet Explorer 11 Enterprise Mode
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now