Does a FILE_OBJECT contain any information about an opened ADS stream?

Hello,

While analysing a memory.dmp I recognized that the name of the file objects does not show the ADS name (the ADS was opened successfully), but the FileName.Buffer contains it and the MaximumLength holds the full length (including the ADS).
It seems the FileName.Length was decreased to the name of the file without the “:” + ADS name.

A difference between Length and MaximumLength might show the usage of an ADS - not sure?
Is this the only indication, or are there others (e.g. in FsContext or FsContext2)?

ntdll!_FILE_OBJECT
+0x000 Type : 0n5
+0x002 Size : 0n216
+0x008 DeviceObject : 0xffffe00003b8cca0 _DEVICE_OBJECT
+0x010 Vpb : 0xffffe00003b6dad0 _VPB
+0x018 FsContext : 0xffffc00002912dd0 Void
+0x020 FsContext2 : 0xffffc00002a2c6b0 Void
+0x028 SectionObjectPointer : 0xffffe000063f8610 _SECTION_OBJECT_POINTERS
+0x030 PrivateCacheMap : 0xffffe0000d63b428 Void
+0x038 FinalStatus : 0n0
+0x040 RelatedFileObject : (null)
+0x048 LockOperation : 0 ‘’
+0x049 DeletePending : 0 ‘’
+0x04a ReadAccess : 0 ‘’
+0x04b WriteAccess : 0x1 ‘’
+0x04c DeleteAccess : 0 ‘’
+0x04d SharedRead : 0 ‘’
+0x04e SharedWrite : 0 ‘’
+0x04f SharedDelete : 0 ‘’
+0x050 Flags : 0x40060
+0x058 FileName : _UNICODE_STRING “\DLR1\171121-120733\171121-120733-1\file-10.txt”
+0x068 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x070 Waiters : 0
+0x074 Busy : 0
+0x078 LastLock : (null)
+0x080 Lock : _KEVENT
+0x098 Event : _KEVENT
+0x0b0 CompletionContext : (null)
+0x0b8 IrpListLock : 0
+0x0c0 IrpList : _LIST_ENTRY [0xffffe0000d33cc60 - 0xffffe0000d33cc60]
+0x0d0 FileObjectExtension : 0xffffe000`0d35e840 Void

(*((ntdll!_UNICODE_STRING *)0xffffe0000d33cbf8)) : “\DLR1\171121-120733\171121-120733-1\file-10.txt” [Type: _UNICODE_STRING]
[+0x000] Length : 0x5e [Type: unsigned short]
[+0x002] MaximumLength : 0x78 [Type: unsigned short]
[+0x008] Buffer : 0xffffc000028b7d40 : 0x5c [Type: unsigned short *]

In Memory it shows the expected:
“\DLR1\171121-120733\171121-120733-1\file-10.txt:FILE_ADS”

I saw this for this waiting thread:

Child-SP RetAddr : Args to Child : Call Site
ffffd00021565910 fffff802c7f2dc45 : ffffd000208b0180 ffffd000208b0100 ffffd000208b0180 ffffd000208b0180 : nt!KiSwapContext+0x76
ffffd00021565a50 fffff802c7f37b00 : ffffe000061d0880 ffffd000208b0180 ffffe000061d0880 fffff80000c7f686 : nt!KiSwapThread+0x791
ffffd00021565ab0 fffff802c7f04b74 : ffffe000061d0880 ffffe000061d09c0 ffffe00000000000 0000000000000000 : nt!KiCommitThreadWait+0x470
ffffd00021565b20 fffff802c87bd516 : ffffe0000d830ae8 0000000000000000 ffffe00000000100 ffffe00006bc0901 : nt!KeWaitForSingleObject+0x5b0
ffffd00021565bc0 fffff802c87bd418 : 0000000000000001 ffffd00021565c80 ffffd00000000000 0000000000000000 : nt!FsRtlCancellableWaitForMultipleObjects+0xf6
ffffd00021565c40 fffff80000a7c909 : ffffe0000d830ae8 0000000000000000 0000000000000000 ffffe00006b20060 : nt!FsRtlCancellableWaitForSingleObject+0x44
ffffd00021565c80 fffff80000a7ea96 : ffffd00021565d30 0000000000000000 ffffe0000d830b00 ffffe0000d830ba8 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x5a9
ffffd00021565d00 fffff80000a80336 : ffffe0000d830ba8 0000000000000000 ffffe0000d830ba8 0000000000000000 : fltmgr!FltPerformSynchronousIo+0x19e
ffffd00021565d70 fffff80000a7fd25 : ffffe00006b15c30 ffffe0000d33cba0 ffffd00021565f88 0000000000000020 : fltmgr!FltWriteFileEx+0x60a
ffffd00021565e70 fffff80000f75034 : ffffe00006b15c30 ffffe0000d33cba0 ffffd00021565f88 0000000000000020 : fltmgr!FltWriteFile+0x61

Thanks
Norbert

The only time the content of the FO->FileName is guaranteed to be valid,
and unmodified (unless someone above you modifies it), is in pre-create
processing. The underlying file system can change the content of the
name, modify the Length value, etc. So no, there are no indicators in
the file object itself that can be used to tell you it is for an ADS.
That said, grab the name using the FltGFNI API in pre/post create and
tag it with a context if it is an ADS. Then you can grab this context during
any other operation to see if it is for an ADS.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: “xxxxx@graudata.com”
To: “Windows File Systems Devs Interest List”
Sent: 11/21/2017 10:23:19 AM
Subject: [ntfsd] Does a FILE_OBJECT contains any information about an
opened ads stream?

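Pete's approach, written out as an added example that is not code from either poster. In a minifilter the kernel-side steps are FltGetFileNameInformation (normalized name) followed by FltParseFileNameInformation in post-create, a check of the parsed Stream member, then FltAllocateContext / FltSetStreamContext so later callbacks can fetch the tag with FltGetStreamContext. What is shown below is the two pieces that can be built and run outside a driver: the classification of a normalized name into "ADS or not", and the dump-analysis trick Norbert used of reading the buffer past FileName.Length. The CountedString struct, ParsedName, parse_name, is_alternate_data_stream, name_slack and page_sample_slack are names chosen for this example; the sample name is the one from the dump above, with the kernel's byte counts (0x5e, 0x78) halved to character counts because narrow strings are used here. One caveat the dump itself supports: the full name with ":FILE_ADS" is 56 WCHARs, i.e. 0x70 bytes, which is less than MaximumLength 0x78, so MaximumLength is just the allocation size and a Length/MaximumLength mismatch is slack, not evidence of a stream.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Counted string modelled on UNICODE_STRING: Length is the part in use,
 * MaximumLength the size of the allocation behind Buffer. Narrow chars are
 * used so this builds in user mode; in the kernel both values count bytes of
 * UTF-16, so the 0x5e / 0x78 on the page are 47 / 60 WCHARs. (Assumed type.) */
typedef struct {
    unsigned short Length;
    unsigned short MaximumLength;
    const char *Buffer;
} CountedString;

/* Pieces of a normalized name, loosely mirroring what
 * FltParseFileNameInformation fills in (FinalComponent, Stream). */
typedef struct {
    const char *final_component; size_t final_len;       /* file-10.txt:FILE_ADS */
    const char *stream_name;     size_t stream_name_len; /* FILE_ADS             */
    const char *stream_type;     size_t stream_type_len; /* $DATA, if given      */
} ParsedName;

static void parse_name(const char *name, size_t len, ParsedName *out)
{
    size_t start = 0, i, j;
    memset(out, 0, sizeof *out);
    /* Only the final component can carry "<name>:<stream>[:<type>]";
     * NTFS directory names never contain ':'. */
    for (i = 0; i < len; i++)
        if (name[i] == '\\') start = i + 1;
    out->final_component = name + start;
    out->final_len = len - start;

    const char *fc = out->final_component;
    for (i = 0; i < out->final_len && fc[i] != ':'; i++) {}
    if (i == out->final_len) return;               /* no stream suffix */
    for (j = i + 1; j < out->final_len && fc[j] != ':'; j++) {}
    out->stream_name = fc + i + 1;
    out->stream_name_len = j - (i + 1);
    if (j < out->final_len) {
        out->stream_type = fc + j + 1;
        out->stream_type_len = out->final_len - (j + 1);
    }
}

/* NTFS compares stream type names case-insensitively. */
static bool eq_nocase(const char *s, size_t n, const char *lit)
{
    if (n != strlen(lit)) return false;
    for (size_t k = 0; k < n; k++)
        if (tolower((unsigned char)s[k]) != tolower((unsigned char)lit[k]))
            return false;
    return true;
}

/* An alternate data stream is a *named* $DATA stream. "file", "file:" and
 * "file::$DATA" all mean the unnamed default stream; "dir::$INDEX_ALLOCATION"
 * is a directory index, not a data stream. This is the decision that would
 * drive FltSetStreamContext in post-create. */
static bool is_alternate_data_stream(const char *name, size_t len)
{
    ParsedName p;
    parse_name(name, len, &p);
    if (p.stream_name_len == 0) return false;
    if (p.stream_type_len != 0 && !eq_nocase(p.stream_type, p.stream_type_len, "$DATA"))
        return false;
    return true;
}

/* Dump-analysis helper: the characters between Length and MaximumLength are
 * allocation slack. If the file system shortened Length after the open, the
 * tail of the original name is often still there, but it is stale data with
 * no guarantee, which is why it cannot serve as an ADS indicator at runtime. */
static size_t name_slack(const CountedString *s, const char **slack)
{
    size_t n = 0;
    *slack = s->Buffer + s->Length;
    while (s->Length + n < s->MaximumLength && (*slack)[n] != '\0') n++;
    return n;
}

/* The file object name from the dump on this page, rebuilt as sample data. */
static size_t page_sample_slack(const char **slack)
{
    static const char buf[60] =
        "\\DLR1\\171121-120733\\171121-120733-1\\file-10.txt:FILE_ADS";
    CountedString fo_name = { 47, 60, buf };   /* 0x5e/2 and 0x78/2 */
    return name_slack(&fo_name, slack);
}

int main(void)
{
    const char *slack;
    size_t n = page_sample_slack(&slack);
    printf("slack after Length: \"%.*s\" (%zu chars)\n", (int)n, slack, n);
    printf("ADS? %s\n", is_alternate_data_stream(
        "\\DLR1\\171121-120733\\171121-120733-1\\file-10.txt:FILE_ADS", 56) ? "yes" : "no");
    return 0;
}
```

The slack read is only meaningful when looking at a dump; in a running filter the only moment FileName is trustworthy is pre-create, as Pete says, so the classification result has to be stored in a stream context there rather than re-derived from the file object later.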

Pete,

Thanks for your answer.
Norbert