Hi there,
I am new here. I have a request regarding a post I found here:
http://fsfilters.blogspot.ie/2011/09/opening-alternate-data-stream.html - entitled Opening an ADS
I want to check to see if a file has a particular ADS associated with it prior to opening it. I have placed such an ADS on the test file. Using NirSoft's ADS tool we can see the following details:
Stream Name: :sensitive:$DATA
Filename: C:\SensitiveDocuments\CertandBuild-checklist.txt
FullStreamName: C:\SensitiveDocuments\CertandBuild-checklist.txt:sensitive
So, I know it exists.
I have searched the forum high and low. So, I have added the following function, whose purpose is to open the stream. If it exists, it sets the hasADS flag to TRUE; otherwise it sets it to FALSE. This function is called in the xxxxPostCreate function:
NTSTATUS CheckForValidADSonFile(__in PCFLT_RELATED_OBJECTS FltObjects, __in PFLT_FILE_NAME_INFORMATION nameInfo, __out PBOOLEAN bHasADS)
{
    HANDLE ADSHandle;               /// FltCreateFile returns a HANDLE, not a PFLT_INSTANCE
    NTSTATUS adsStatus;
    UNICODE_STRING ADSName = RTL_CONSTANT_STRING(L":sensitive:$DATA");
    OBJECT_ATTRIBUTES objectAttributes;
    IO_STATUS_BLOCK ioStatus;

    /// Try to open the ADS in the file - if it exists then the file is deemed sensitive.
    /// ADSName is the name of the stream we want to open, relative to the file.
    /// Initialize OBJECT_ATTRIBUTES with the handle we have and the name of the ADS.
    InitializeObjectAttributes( &objectAttributes, &ADSName, OBJ_KERNEL_HANDLE, FltObjects->FileObject, NULL );

    if (nameInfo) /// Logging
    {
        /// %wZ expects a PUNICODE_STRING, so pass the address of the UNICODE_STRING
        DbgPrint( "FileSentry.sys !!! Check ADS attached to file %wZ%wZ\n", &nameInfo->Name, &ADSName );
    }

    // and now issue our open for the stream.
    adsStatus = FltCreateFile( SentryData.Filter,
                               FltObjects->Instance,
                               &ADSHandle,
                               FILE_READ_DATA | FILE_READ_ATTRIBUTES,
                               &objectAttributes,
                               &ioStatus,
                               0,
                               FILE_ATTRIBUTE_NORMAL,
                               FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                               FILE_OPEN,          /// FILE_OPEN, not FILE_OPEN_IF: an existence check must never create the stream
                               FILE_OPEN_REPARSE_POINT,
                               NULL,
                               0,
                               0 );

    if (NT_SUCCESS( adsStatus ))
    {
        DbgPrint( "fileSentry.sys - !!!THIS IS A SENSITIVE FILE!!!\n" );
        *bHasADS = TRUE;
        /// Remember to close the handle after use
        FltClose( ADSHandle );
    }
    else
    {
        DbgPrint( "fileSentry.sys - Not a sensitive file, status 0x%X\n", adsStatus );
        *bHasADS = FALSE;
    }

    return adsStatus;   /// the function is declared NTSTATUS; hand the open's status back to the caller
}
This function is called inside:
FLT_POSTOP_CALLBACK_STATUS
KMDrvPostCreate ( __inout PFLT_CALLBACK_DATA Data,
                  __in PCFLT_RELATED_OBJECTS FltObjects,
                  __in_opt PVOID CompletionContext,
                  __in FLT_POST_OPERATION_FLAGS Flags
                )
{ … }
Can anyone help me shine a light on why I am getting a status error 0xc0000008 on the FltCreateFile call (according to http://www.osronline.com/showThread.CFM?link=101794, this is STATUS_INVALID_HANDLE)? Since I am trying to use a relative
DebugView gives me these two entries for one Explorer-based file access:
FileSentry.sys !!! name:"\Device\HarddiskVolume3\SensitiveDocuments\CertandBuild-checklist.txt" volume:"\SensitiveDocuments\CertandBuild-checklist.txt" final:"CertandBuild-checklist.txt" stream:"(null) FinalComponent:"CertandBuild-checklist.txt" Share:"(null)" ParentDir:"SensitiveDocuments"
FileSentry.sys !!! Check for ADS attached to file \Device\HarddiskVolume3\SensitiveDocuments\CertandBuild-checklist.txt:sensitive.txt
fileSentry.sys - Not a sensitive file, status 0xC0000008
I appreciate any help/guidance that people may have.
Regards,
J
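The same check the post verifies with NirSoft's tool, reproduced from user mode so the stream name and its `:$DATA` suffix can be compared against what the driver is asked to open. This is an added PowerShell example, not code from the original post or its driver; the functions `Test-NamedStream` and `Get-NamedStreamContent` are assumed names, the temporary file it creates is a constructed test fixture, and the only value taken from the post is the stream name `sensitive` and the path `C:\SensitiveDocuments`.

```powershell
# Added example (not from the original post): check whether a file carries a
# specific named alternate data stream, the way the post verified it with NirSoft's
# tool. Requires PowerShell 3.0+ on an NTFS volume. Function names are assumptions.

function Test-NamedStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $StreamName
    )
    # Get-Item -Stream * enumerates every stream of the file. The unnamed default
    # stream is reported as ':$DATA'; named streams are reported without the
    # ':$DATA' suffix (so 'sensitive' here, although NirSoft shows ':sensitive:$DATA').
    $streams = Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop
    return [bool] ($streams | Where-Object { $_.Stream -eq $StreamName })
}

function Get-NamedStreamContent {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $StreamName
    )
    # A check must never create the stream, so test first and only then read it.
    if (-not (Test-NamedStream -Path $Path -StreamName $StreamName)) { return $null }
    return Get-Content -LiteralPath $Path -Stream $StreamName -Raw
}

# --- Constructed fixture: a temporary file that is tagged, checked, untagged, checked ---
$fixture = Join-Path $env:TEMP 'ads-check-fixture.txt'
Set-Content -LiteralPath $fixture -Value 'ordinary document body'

"Before tagging: has 'sensitive' stream = $(Test-NamedStream -Path $fixture -StreamName 'sensitive')"   # False

Set-Content -LiteralPath $fixture -Stream 'sensitive' -Value 'classification tag'
"After tagging:  has 'sensitive' stream = $(Test-NamedStream -Path $fixture -StreamName 'sensitive')"   # True
"Stream content: $(Get-NamedStreamContent -Path $fixture -StreamName 'sensitive')"

Remove-Item -LiteralPath $fixture -Stream 'sensitive'
"After removal:  has 'sensitive' stream = $(Test-NamedStream -Path $fixture -StreamName 'sensitive')"   # False
Remove-Item -LiteralPath $fixture

# --- Audit: list every file under the post's directory that carries the tag stream ---
$root = 'C:\SensitiveDocuments'
if (Test-Path -LiteralPath $root) {
    Get-ChildItem -LiteralPath $root -File -Recurse |
        Where-Object { Test-NamedStream -Path $_.FullName -StreamName 'sensitive' } |
        Select-Object FullName
}
```

The enumeration deliberately compares against the bare stream name rather than opening `path:sensitive` directly: an open with a create-if-missing disposition (the user-mode equivalent of `FILE_OPEN_IF`) would silently add the stream to every file it touched, turning a detection routine into a tagging routine.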