I would like to open an alternate data stream of a file using an existing handle to the file, or using the file id. The only way I found is by the full name (file name + ADS name). I am afraid of the file being renamed during the operation.

Is there a way to do that?

michael
  • If the anonymous data stream (i.e. "file.ext" is the same as "file.ext::$DATA") was opened without delete sharing, then it can't be renamed on you, at least not from user mode. If that's the case and you'd rather stick to the Windows API instead of making direct system calls, then you can set the working directory to the file's directory and use a relative open. Windows will use the process working directory handle as the `RootDirectory` handle in [`OBJECT_ATTRIBUTES`](https://msdn.microsoft.com/en-us/library/ff557749) when it calls `NtCreateFile`. – Eryk Sun Sep 10 '17 at 21:31

1 Answer

This is very easy to do with `NtOpenFile` or `NtCreateFile`.

For example, to open an existing ADS on `hFile`:

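```c
#include <windows.h>
#include <winternl.h>   // NtOpenFile, OBJECT_ATTRIBUTES; link with ntdll.lib
#ifndef FILE_SHARE_VALID_FLAGS   // defined in the WDK headers, not in winternl.h
#define FILE_SHARE_VALID_FLAGS 0x00000007
#endif

// Opens the stream Name relative to the already open file hFile.
// DesiredAccess must include SYNCHRONIZE because of FILE_SYNCHRONOUS_IO_NONALERT.
NTSTATUS OpenADS(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, HANDLE hFile, PCWSTR Name)
{
    IO_STATUS_BLOCK iosb;
    UNICODE_STRING ObjectName;
    RtlInitUnicodeString(&ObjectName, Name);
    OBJECT_ATTRIBUTES oa = { sizeof(oa), hFile, &ObjectName };
    return NtOpenFile(FileHandle, DesiredAccess, &oa, &iosb, FILE_SHARE_VALID_FLAGS, FILE_SYNCHRONOUS_IO_NONALERT);
}
```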

where `Name` is something like `L":test_stream"` (it begins with `:`)

RbMm
  • Thanks! Do you know if there is a way to directly open ADS using file id and stream name? I mean without opening the file first using the id. – michael Sep 10 '17 at 20:39
  • @michael - no. You cannot directly open a stream file by id and stream name. In any case, to use `FILE_OPEN_BY_FILE_ID` you need to have some open file on the volume in `OBJECT_ATTRIBUTES`. You ask whether it is possible to open relative to a file handle - yes, it is possible, and I showed the code. Is it possible to open a file by its id - yes. But you still need some already open file on the volume here. A relative open by file id and stream name is impossible – RbMm Sep 10 '17 at 20:45
  • If I have a handle to the volume, how can I open ADS using file id and stream name (without opening the file first)? – michael Sep 11 '17 at 15:56
  • @michael - but you don't have the file id of the stream file? If you have it, you can directly open the file by file id and you don't need its name. You have the id of the parent file, I guess? In this case, only first open the parent or format the full path. And what is not OK for you in the current solution? – RbMm Sep 11 '17 at 16:01
  • @michael - I checked - all streams have the same file id as the parent. When you open a file by id, you need to set `ObjectName` in `OBJECT_ATTRIBUTES` to the file id as is (8 bytes of data) and `RootDirectory` to any file on this filesystem. And you open the parent file by id. There is no place for a stream name here. Only after you open the parent can you do a relative open, as in my code. Or just format the full path – RbMm Sep 11 '17 at 16:20
  • I wanted to reduce the overhead of opening 2 streams (file data + ads). I understand it is not possible. Thanks. – michael Sep 11 '17 at 16:47
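
The two-step open described in the answer and its comments (base file by ID, then the stream relative to that handle) as an added example that is not code from the original thread. The names `is_relative_stream_name` and `OpenStreamByFileId` are hypothetical, the restriction to `$DATA` streams is a choice made for this example, and the first step uses the documented Win32 `OpenFileById` rather than `NtCreateFile` with `FILE_OPEN_BY_FILE_ID`; the Windows part is compiled only under `_WIN32`.

```c
#include <stddef.h>
#include <wchar.h>

/* Added helper (hypothetical name): accept only ":name" or ":name:$DATA",
   so the string can never be a path when used relative to a file handle. */
int is_relative_stream_name(const wchar_t *s)
{
    if (s == NULL || s[0] != L':' || s[1] == L'\0' || s[1] == L':')
        return 0;                                  /* no leading ':' or empty name */
    const wchar_t *type = wcschr(s + 1, L':');     /* optional stream-type suffix */
    if (type != NULL && wcscmp(type, L":$DATA") != 0)
        return 0;
    return wcspbrk(s, L"\\/") == NULL;             /* reject path separators */
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* NtOpenFile, OBJECT_ATTRIBUTES; link with ntdll.lib */

/* Open the base file by its 64-bit file ID (hVolumeHint: any handle on the same
   volume), then open the stream relative to that handle, never by path.
   Returns a Win32 error code; on success the caller closes both handles. */
DWORD OpenStreamByFileId(HANDLE hVolumeHint, LONGLONG fileId, PCWSTR stream,
                         ACCESS_MASK access, PHANDLE phBase, PHANDLE phStream)
{
    if (!is_relative_stream_name(stream))
        return ERROR_INVALID_NAME;
    FILE_ID_DESCRIPTOR id = { sizeof(id), FileIdType };
    id.FileId.QuadPart = fileId;
    *phBase = OpenFileById(hVolumeHint, &id, access,
                           FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                           NULL, 0);
    if (*phBase == INVALID_HANDLE_VALUE)
        return GetLastError();
    UNICODE_STRING name;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iosb;
    RtlInitUnicodeString(&name, stream);
    InitializeObjectAttributes(&oa, &name, 0, *phBase, NULL);
    /* FILE_SYNCHRONOUS_IO_NONALERT requires SYNCHRONIZE in the access mask */
    NTSTATUS st = NtOpenFile(phStream, access | SYNCHRONIZE, &oa, &iosb,
                             FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                             FILE_SYNCHRONOUS_IO_NONALERT);
    if (st < 0) {
        CloseHandle(*phBase);
        return RtlNtStatusToDosError(st);
    }
    return ERROR_SUCCESS;
}
#endif
```

Because the stream is resolved through the base handle rather than through a path string, a rename of the file between the two opens does not change which file the stream open lands on.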