Query NTFS file unique ID (volume unique, 16 bytes)

Discussion in 'Windows Vista Drivers' started by Jason, Jul 14, 2008.

  1. Jason

    Jason Guest

    Hello,

    I tried to get the file objetc ID on a NTFS volume for Window Vista (with
    SP1) and Windows XP (with SP2), but all got the same result QueryStatus =
    0xc0000003 (STATUS_INVALID_INFO_CLASS).

    I tried the following cases of inputs and different attributes for
    FltCreateFile:

    PathName->Buffer is \DosDevices\D:\TEST or \DosDevices\D:\TEST\
    FileName->Buffer is \DosDevices\D:\TEST\ABCDEFGH.TXT or ABCDEFGH.TXT

    I also tried to use FltQueryDirectoryFile, but got the same result. And I
    also tried ZwQueryDirectoryFile, the result is STATUS_PENDING.

    Can anybody demonstrate how to query the File Object ID ?

    Thanks...

    /// Source code listing
    /*\DosDevices\D:\TEST\ABCDEFGH.TXT,*/

    void NtfsFileGetUniqueID(PCTX_INSTANCE_CONTEXT InstanceContext,
    PUNICODE_STRING FileName, PUNICODE_STRING pPathName, PUCHAR pID)
    {
    IO_STATUS_BLOCK IoStatus;
    OBJECT_ATTRIBUTES oa;
    HANDLE NtFileHandle = INVALID_HANDLE_VALUE;
    NTSTATUS ntStatus, QueryStatus;
    PFILE_OBJECT hFileObject = NULL;

    InitializeObjectAttributes(&oa, pPathName, OBJ_CASE_INSENSITIVE |
    OBJ_KERNEL_HANDLE | OBJ_OPENIF, NULL, NULL);

    ntStatus = FltCreateFile(MiniSpyData.Filter, InstanceContext->Instance,
    &NtFileHandle, DIRECTORY_QUERY | DIRECTORY_TRAVERSE | FILE_READ_ATTRIBUTES |
    FILE_READ_EA | SYNCHRONIZE, &oa, &IoStatus, NULL,
    FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE |
    FILE_SHARE_DELETE, FILE_OPEN,
    FILE_DIRECTORY_FILE, NULL, 0, 0);
    if (NT_SUCCESS(ntStatus))
    ntStatus = ObReferenceObjectByHandle(NtFileHandle, DIRECTORY_QUERY |
    DIRECTORY_TRAVERSE | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE,
    *IoFileObjectType, KernelMode, &hFileObject, NULL);

    if (NT_SUCCESS(ntStatus))
    {
    PFILE_OBJECTID_INFORMATION pFileObjIdInfomation;
    PFLT_CALLBACK_DATA pNewCallbackData;

    ntStatus = FltAllocateCallbackData(InstanceContext->Instance, hFileObject,
    &pNewCallbackData);
    if (NT_SUCCESS(ntStatus))
    {
    pNewCallbackData->Iopb->MajorFunction = IRP_MJ_DIRECTORY_CONTROL;
    pNewCallbackData->Iopb->MinorFunction = IRP_MN_QUERY_DIRECTORY;
    pNewCallbackData->Iopb->OperationFlags = SL_RESTART_SCAN |
    SL_RETURN_SINGLE_ENTRY;

    pFileObjIdInfomation =
    (PFILE_OBJECTID_INFORMATION)ExAllocatePool(NonPagedPool,
    sizeof(FILE_OBJECTID_INFORMATION));
    RtlZeroMemory(pFileObjIdInfomation, sizeof(FILE_OBJECTID_INFORMATION));

    pNewCallbackData->Iopb->Parameters.DirectoryControl.QueryDirectory.Length
    = sizeof(FILE_OBJECTID_INFORMATION);
    pNewCallbackData->Iopb->Parameters.DirectoryControl.QueryDirectory.FileName
    = FileName;
    pNewCallbackData->Iopb->Parameters.DirectoryControl.QueryDirectory.FileInformationClass
    = FileObjectIdInformation;
    pNewCallbackData->Iopb->Parameters.DirectoryControl.QueryDirectory.DirectoryBuffer
    = pFileObjIdInfomation;
    pNewCallbackData->Iopb->Parameters.DirectoryControl.QueryDirectory.MdlAddress
    = NULL;
    FltSetCallbackDataDirty(pNewCallbackData);
    FltPerformSynchronousIo(pNewCallbackData);
    QueryStatus = pNewCallbackData->IoStatus.Status;
    if (NT_SUCCESS(QueryStatus))
    {
    RtlCopyMemory(pID, &pFileObjIdInfomation->ObjectId[0], 16);
    }
    ExFreePool(pFileObjIdInfomation);
    FltFreeCallbackData(pNewCallbackData);
    }

    if (hFileObject != NULL)
    ObDereferenceObject(hFileObject);
    FltClose(NtFileHandle);
    }
    }
     
    Jason, Jul 14, 2008
    #1
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.