
I'm trying to open the ::$EA stream of a file. Has anyone done this before? I'm not finding any samples anywhere.

What are the dwDesiredAccess needed to do this? Apparently FILE_READ_EA is not quite enough. I'm getting ACCESS_DENIED with:

#include <windows.h>
// Attempt to open the file's $EA stream with only the FILE_READ_EA access right.
HANDLE h = CreateFileW(L"foobar.txt::$EA", FILE_READ_EA, 0, NULL, OPEN_EXISTING, 0, NULL);
DWORD err = GetLastError();  // h is INVALID_HANDLE_VALUE; err reports ACCESS_DENIED

Or do I need some privilege activated with AdjustTokenPrivilege? I am obviously running under an Administrator account.

Patrick
  • Why did you decide this is related to any privilege? What does `GetLastError();` show for you? Why did you not paste it here? My guess is file not found. Then, if you want to read the *EA*, this is not a file; you need to use [`ZwQueryEaFile`](https://msdn.microsoft.com/en-us/library/windows/hardware/ff961907(v=vs.85).aspx) – RbMm Jan 31 '19 at 08:31
  • We can't open a file's anonymous $EA attribute directly. It's specifically disallowed by `ntfs!NtfsCheckValidAttributeAccess`, which returns `STATUS_ACCESS_DENIED` in this case. The fact that everything is a [stream](https://docs.microsoft.com/en-us/windows/desktop/FileIO/file-streams) in NTFS is an implementation detail that's not generally available to create/open calls, except for $DATA (anonymous or named) and $INDEX_ALLOCATION (index types, such as a directory "$I30" file index -- or the "$R" reparse-point index in "$Extend\$Reparse" that's opened by `FindFirstVolumeMountPoint`). – Eryk Sun Jan 31 '19 at 10:22
  • @RbMm - I figured that stream would be meant for system-level code and in the past I've had to acquire privileges to do that sort of thing. It was just a guess. As for the return of GetLastError(), it was ACCESS_DENIED. – Patrick Feb 01 '19 at 00:28
  • @eryksun - Since Microsoft bothered documenting the existence of the $EA stream https://learn.microsoft.com/en-us/windows/desktop/FileIO/file-streams I figured it would be of some use to somebody. I just wanted to see what was in there. – Patrick Feb 01 '19 at 00:30
  • @Patrick you can use `ZwQueryEaFile` to read all EAs or a particular EA attribute – RbMm Feb 01 '19 at 00:36
  • Certainly it's problematic to allow direct write access to the $EA stream, which is involved in terms of keeping the EA buffer valid (e.g. `NtfsIsEaNameValid`, `NtfsAppendEa`, `NtfsDeleteEa`), plus modifying "$Kernel." EAs is disallowed from user mode. So EA access is gated behind the system calls `NtQueryEaFile`, `NtSetEaFile`, `NtQueryInformationFile` (`FileEaInformation`, `FileFullEaInformation`), and `NtCreateFile` (`EaBuffer`, `EaLength`). This also of course allows other file systems to implement EAs differently, instead of using file streams. – Eryk Sun Feb 01 '19 at 01:14
  • There is [libtsk](https://github.com/sleuthkit/sleuthkit) which can be used to access the attributes of a file in NTFS. You could also check out [this `DirectCopy` code](http://www.rohitab.com/discuss/topic/24252-ntfs-directcopy-method-from-napalm/#entry198142) that does something similar (to access only non-resident $DATA stream(s)). The attribute ID will be different for $EA than for $DATA, so you could modify it and use the data structure to parse as needed. This does not use the Windows API, though; it gets a raw disk handle and parses the $MFT manually. – Dan Feb 01 '19 at 03:32
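The supported route the comments point to, reading and writing EAs through `NtQueryEaFile` / `NtSetEaFile` with `FILE_FULL_EA_INFORMATION` buffers rather than opening `file::$EA`, as an added example that is not code from the question, the comments or any linked project. It assumes Python 3 with ctypes on Windows for the live calls; the `FILE_READ_EA` / `FILE_WRITE_EA` rights, the `STATUS_NO_EAS_ON_FILE` value, the 64 KiB per-file EA limit and the entry layout are the standard NT definitions, and the EA name `user.comment` is a constructed sample value.

```python
"""Read and write NTFS extended attributes via NtQueryEaFile / NtSetEaFile.

Added example, not code from the question or its comments: it uses the supported
user-mode EA path instead of opening "file::$EA", which NTFS refuses. The pack/parse
helpers model FILE_FULL_EA_INFORMATION and run anywhere; query_eas()/set_eas() need Windows.
"""
import ctypes
import struct
import sys

# Entry header: NextEntryOffset (ULONG), Flags (UCHAR), EaNameLength (UCHAR),
# EaValueLength (USHORT); followed by EaName, a NUL byte, then the value bytes.
EA_HEADER = struct.Struct("<IBBH")
FILE_READ_EA = 0x0008
FILE_WRITE_EA = 0x0010
STATUS_NO_EAS_ON_FILE = 0xC0000052

def pack_ea_list(eas):
    """Serialize {name: bytes} into the chained buffer NtSetEaFile expects."""
    items, chunks = list(eas.items()), []
    for i, (name, value) in enumerate(items):
        name_b = name.upper().encode("ascii")  # NTFS stores EA names as upper-case ASCII
        if len(name_b) > 254 or len(value) > 0xFFFF:
            raise ValueError("EA name or value too long for the on-disk format")
        body = EA_HEADER.size + len(name_b) + 1 + len(value)
        last = i == len(items) - 1
        # NextEntryOffset is ULONG-aligned; the final entry carries 0 and no padding.
        next_off = 0 if last else (body + 3) & ~3
        entry = EA_HEADER.pack(next_off, 0, len(name_b), len(value)) + name_b + b"\0" + value
        chunks.append(entry if last else entry.ljust(next_off, b"\0"))
    return b"".join(chunks)

def parse_ea_list(buf):
    """Walk a FILE_FULL_EA_INFORMATION chain defensively; return {name: bytes}."""
    eas, off = {}, 0
    while off + EA_HEADER.size <= len(buf):
        next_off, _flags, nlen, vlen = EA_HEADER.unpack_from(buf, off)
        name_start = off + EA_HEADER.size
        val_start = name_start + nlen + 1
        if val_start + vlen > len(buf):
            raise ValueError("EA entry runs past the end of the buffer")
        name = bytes(buf[name_start:name_start + nlen]).decode("ascii")
        eas[name] = bytes(buf[val_start:val_start + vlen])
        if next_off == 0:
            break
        if next_off < EA_HEADER.size:  # forward-only walk: reject a stall or a loop
            raise ValueError("malformed NextEntryOffset")
        off += next_off
    return eas

class _IO_STATUS_BLOCK(ctypes.Structure):
    _fields_ = [("Status", ctypes.c_void_p), ("Information", ctypes.c_void_p)]

def _open(path, access):
    """CreateFileW with only the requested EA right; returns (kernel32, handle)."""
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype, k32.CloseHandle.argtypes = wintypes.HANDLE, [wintypes.HANDLE]
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD,
                                wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD, wintypes.HANDLE]
    h = k32.CreateFileW(path, access, 0, None, 3, 0, None)  # 3 == OPEN_EXISTING
    if h in (None, wintypes.HANDLE(-1).value):  # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    return k32, h

def _ntdll():
    if sys.platform != "win32":
        raise OSError("NtQueryEaFile/NtSetEaFile exist only on Windows")
    nt, p_iosb = ctypes.WinDLL("ntdll"), ctypes.POINTER(_IO_STATUS_BLOCK)
    nt.NtQueryEaFile.restype = nt.NtSetEaFile.restype = ctypes.c_uint32  # NTSTATUS, unsigned
    nt.NtQueryEaFile.argtypes = [ctypes.c_void_p, p_iosb, ctypes.c_void_p, ctypes.c_uint32,
                                 ctypes.c_ubyte, ctypes.c_void_p, ctypes.c_uint32,
                                 ctypes.c_void_p, ctypes.c_ubyte]
    nt.NtSetEaFile.argtypes = [ctypes.c_void_p, p_iosb, ctypes.c_void_p, ctypes.c_uint32]
    return nt

def query_eas(path):
    """Return every EA on `path` as {name: bytes}; {} when the file has none."""
    nt = _ntdll()
    k32, h = _open(path, FILE_READ_EA)
    try:
        iosb = _IO_STATUS_BLOCK()
        buf = ctypes.create_string_buffer(0x11000)  # NTFS caps a file's EAs at 64 KiB
        status = nt.NtQueryEaFile(h, ctypes.byref(iosb), buf, len(buf), 0, None, 0, None, 1)
    finally:
        k32.CloseHandle(h)
    if status == STATUS_NO_EAS_ON_FILE:
        return {}
    if status != 0:
        raise OSError("NtQueryEaFile failed: NTSTATUS 0x%08X" % status)
    return parse_ea_list(buf.raw[:iosb.Information or 0])

def set_eas(path, eas):
    """Add or replace the given EAs; "$Kernel." names are refused from user mode."""
    nt, data = _ntdll(), pack_ea_list(eas)
    k32, h = _open(path, FILE_WRITE_EA)
    try:
        status = nt.NtSetEaFile(h, ctypes.byref(_IO_STATUS_BLOCK()), data, len(data))
    finally:
        k32.CloseHandle(h)
    if status != 0:
        raise OSError("NtSetEaFile failed: NTSTATUS 0x%08X" % status)
```

On Windows, `set_eas("foobar.txt", {"user.comment": b"constructed sample value"})` followed by `query_eas("foobar.txt")` round-trips the attribute through the same `FILE_READ_EA` / `FILE_WRITE_EA` rights the question tried against the stream. Any NTSTATUS other than success or `STATUS_NO_EAS_ON_FILE` is surfaced as an `OSError`, so an undersized buffer (`STATUS_BUFFER_OVERFLOW`) is reported instead of yielding a silently truncated listing, and the parser refuses buffers whose offsets would stall, loop or run past the end.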

1 Answer


My understanding from the comments above and further reading is that the $EA stream is simply not accessible from user-mode.

Patrick