Reset dwDesiredAccess
-
Hello all, I am detecting deletion of files on the system, and to do this I am hooking the NtSetInformationFile function. This gets passed the file handle, and from this I need the file name. So I am using the API GetFileInformationByHandleEx to get the file name, but the problem is that the file name comes back like "\sample\a.txt". This doesn't give me the device name (\device\volume) with the file name, so I cannot tell from where the file has been accessed; it could be "C:\sample\a.txt" or "D:\sample\a.txt". So it's quite clear that I must have "\Device\volume0", "\Device\volume1" etc. before the file name. Further googling took me to THIS page, where the file name can be retrieved from the file handle. This uses CreateFileMapping, MapViewOfFile, GetMappedFileName, GetLogicalDriveStrings and QueryDosDevice to retrieve the file name, but when I use it CreateFileMapping fails with error 5, which is "Access Denied". Some more googling and I found that the file handle must have GENERIC_READ access, else CreateFileMapping will fail. Now I'm not opening the file, Explorer is. So how could I check with which access Explorer opens or accesses the file, or how could I change the dwDesiredAccess? Thanks all.
-
Skimming this MSDN page tells me it isn't really simple; however, it also suggests to me that one could call GetFileInformationByHandleEx more than once, with different values for FileInformationClass, and then combine the results. :)
Luc Pattyn [Forum Guidelines] [Why QA sucks] [My Articles] Nil Volentibus Arduum
Please use <PRE> tags for code snippets, they preserve indentation, and improve readability.
-
Thanks for the reply, and yes, we can call GetFileInformationByHandleEx more than once, but I don't see any value in FileInformationClass that returns the drive letter or device name of the drive where the file is located, unless I'm missing something.
-
As GetFileInformationByHandleEx won't give me the device name, I'm using GetFileInformationByHandle to get the volume number and hopefully compare the number with the drives manually. But dwVolumeSerialNumber returns some garbage value.
    // FileHandle is the handle passed to the hooked NtSetInformationFile
    WCHAR szTemp[128];
    BY_HANDLE_FILE_INFORMATION info;
    DWORD dwSerialNumber = 0;
    if (GetFileInformationByHandle(FileHandle, &info) != 0)
    {
        dwSerialNumber = info.dwVolumeSerialNumber;
        // the serial is an unsigned 32-bit value; %d prints it as a signed decimal,
        // %08lX shows it in the same hex form (XXXX-XXXX) that "vol" prints
        swprintf(szTemp, sizeof(szTemp) / sizeof(szTemp[0]),
                 L"The Volume Serial Number = %08lX", info.dwVolumeSerialNumber);
        MessageBox(NULL, szTemp, L"Success", MB_OK);
    }
    else
    {
        swprintf(szTemp, sizeof(szTemp) / sizeof(szTemp[0]),
                 L"GetFileInformationByHandle Error = %lu", GetLastError());
        MessageBox(NULL, szTemp, L"Error", MB_OK);
    }
-
I think it's done; I don't know if it's ugly... I used GetFileInformationByHandleEx to get the truncated file name, GetFileInformationByHandle to get the volume serial number, GetLogicalDriveStrings to get all the drives and GetVolumeInformation to get the volume serial number of each drive. I then compare the volume serial number returned by GetVolumeInformation with the one from GetFileInformationByHandle; if it matches, I concatenate the drive letter with the truncated file name returned by GetFileInformationByHandleEx...
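The serial-matching approach from the last post, as an added example that is not the poster's code: build_full_path and enumerate_drives are hypothetical names, the drive table is constructed, and on Windows the file's serial is assumed to come from GetFileInformationByHandle on the hooked handle.

```c
/* Added example (not the poster's code): rebuild a drive-qualified path from the
 * truncated FileNameInfo name and the volume serial, as the final post describes.
 * Drive enumeration is Win32-only; the matching step is portable so it can be
 * exercised with a constructed table on any platform. */
#include <stdio.h>
#include <string.h>

typedef struct { char letter; unsigned long serial; } DriveEntry;

/* Find the drive whose volume serial equals the file's serial and prepend its
 * letter to the volume-relative name. Returns 1 on success, 0 if no drive or
 * more than one drive matches (cloned volumes can share a serial). */
int build_full_path(unsigned long fileSerial, const DriveEntry *drives, int count,
                    const char *truncated, char *out, size_t outLen)
{
    int found = -1;
    for (int i = 0; i < count; i++) {
        if (drives[i].serial == fileSerial) {
            if (found >= 0) return 0;        /* ambiguous match */
            found = i;
        }
    }
    /* FileNameInfo paths start with '\', so "C:" + "\sample\a.txt" is complete */
    if (found < 0 || outLen < strlen(truncated) + 3) return 0;
    snprintf(out, outLen, "%c:%s", drives[found].letter, truncated);
    return 1;
}

#ifdef _WIN32
#include <windows.h>
/* One entry per drive letter from GetLogicalDriveStrings; drives that are not
 * ready (empty card reader, disconnected network share) are skipped. */
int enumerate_drives(DriveEntry *drives, int max)
{
    char buf[512];
    DWORD len = GetLogicalDriveStringsA(sizeof buf, buf);
    int n = 0;
    SetErrorMode(SEM_FAILCRITICALERRORS);   /* no "insert a disk" dialog */
    for (char *p = buf; p < buf + len && n < max; p += strlen(p) + 1) {
        DWORD serial = 0;
        if (GetVolumeInformationA(p, NULL, 0, &serial, NULL, NULL, NULL, 0)) {
            drives[n].letter = p[0];
            drives[n].serial = serial;
            n++;
        }
    }
    return n;
}
#endif
```

The "garbage" dwVolumeSerialNumber is just the unsigned serial printed with %d; print it with %08lX to compare it with the XXXX-XXXX form shown by "vol". On Vista and later, GetFinalPathNameByHandle with VOLUME_NAME_DOS returns the drive-qualified path in one call and makes the serial lookup unnecessary.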