Needed help with using NtCreateFile()

I have written a program that queries the change journal records and lists them. The change journal returns:

1) filereferencenumber( combination of fileindex.high and fileindex.low) 2) parentfilereferencenumber(same as above except it is for directory) 3) szReason(Reason it appears in the change record) 4) Filename and Filelength.

I want to find the path of this file listed in the change journal. Most of the implementations I have seen keep track of all the filereferencenumber and query it to compare, or they use FindNextFile() functions ot traverse through the entire volume.

I came across a discussion where they say, they can open a file handle using just the filereferencenumber. http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.file_system/2004-11/0244.html

The msdn article says, we have to load a library before calling Internal API's http://msdn.microsoft.com/en-us/library/bb432380%28v=vs.85%29.aspx

Can someone point me in the right direction and tell me exactly what to do? How do I use NtCreateFile()?

Or, is there a way to access file path using just the filereferencenumber?
zystemsgoAsked:
Who is Participating?
 
sarabandeConnect With a Mentor Commented:
those internal functions have no import library. so you not simply can call NtCreateFile aafter including a header but has to load the dll and get a function pointer out of the dll loaded.

that is done like

#include <wininternl.h>
....
HMODULE hdll = LoadLibrary("winnt.dll");
if (hdll == NULL)
{
    long err = GetLastError();
    return err;
}
FUNC_NTCREATEFILE pfunc = GetProcAddress(hdll, "NtCreateFile");
if (pfunc == NULL)
{
    long err = GetLastError();
    return err;
}
// call NtCreateFile 
NTSTATUS = pfunc(&filehandle, ....);

Open in new window


the FUNC_NTCREATEFILE is supposed to be the type of function pointer fitting to NtCreateFile. i don't have a copy of the winternal.h where such kind of  type should be declared. of course it has a different name than that i used.

in the docs to NtCreateFile they mention that the WDK (windows driver kit) would provide ntdll.lib, an import library for ntdll.dll. if you have the WDK installed you could include ntdef.h and call the NtCreateFile directly. you then would need to add ntdll.lib to the linker import modules.

Sara
0
 
sarabandeCommented:
it should have been

NTSTATUS nstat = pfunc(&filehandle, ....);

Sara
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.