Accessing - files in use -

[blueznl]

here's how you do it:

http://msdn.microsoft.com/library/defau ... rights.asp

access_mode = #READ_CONTROL
share_mode = 0
creation_mode = #OPEN_EXISTING
flags = #FILE_FLAG_BACKUP_SEMANTICS

you have to use backupread to actually read the data, can't do it using the normal api's or build in calls

i could open the file normally, even though another program was using it, now going to try to read from it

[blueznl]

ah, i just saw a new possibility for this, ymmie, for another problem i was struggling with...

[fweil]

Great blueznl,

I try to apply in an small HexDump app I made and see if this works for me.

Thanks a lot.

[fweil]

Maybe I don't know how to translate stuff well ...

By using :

Code: Select all

FileName.s = "C:\pagefile.sys"
hFile = CreateFile_(@FileName, #READ_CONTROL, #FILE_SHARE_READ, #NULL, #OPEN_EXISTING, #FILE_FLAG_BACKUP_SEMANTICS, #NULL)
BytesToRead = 512
*Buffer = AllocateMemory(BytesToRead)
Repeat
  Debug BackupRead_(hFile, *Buffer, BytesToRead, @BytesRead, #FALSE, #TRUE, @Context)
  Debug BytesRead
ForEver ; Until BytesRead < BytesToRead

... I don't get bytes in my buffer. BackupRead_() returns 0 and the GetLastError_() is a 6 (Handle invalid).

This way does not bypass the CreateFile_() which returns a -1.

I don't understand more right now.

[blueznl]

i think this is one step in the right direction, doesn't work yet though...

Code: Select all

attribs.SECURITY_ATTRIBUTES
attribs\nLength = SizeOf(attribs)
attribs\lpSecurityDescriptor = 0
attribs\bInheritHandle = 0
;
filename.s = "test.txt" 
hFile = CreateFile_(@filename, #READ_CONTROL, 0, @attribs, #OPEN_EXISTING, #FILE_FLAG_BACKUP_SEMANTICS, 0) 
;
BytesToRead.l = 5 
BytesRead.l = 0
*Buffer = AllocateMemory(BytesToRead) 
Context.l = 0
;
Debug BackupRead_(hFile, *Buffer, BytesToRead, @BytesRead, 0, 1, @Context) 
Debug BackupRead_(hFile, 0, 0, 0, 1, 0, @Context) 
Debug BytesRead

[blueznl]

nah, we're on the wrong track, although i got this working, it has to do with reading associated data such as time / date stamps etc. i think

The function reads data associated with this file

Code: Select all

CreateFile(1,"c:\test.txt")
For n = 1 To 20
  WriteString("dit is een test"+Chr(13)+Chr(10))
Next n
CloseFile(1)
;
attribs.SECURITY_ATTRIBUTES
attribs\nLength = SizeOf(attribs)
attribs\lpSecurityDescriptor = 0
attribs\bInheritHandle = 0
;
filename.s = "c:\test.txt" 
hFile = CreateFile_(@filename, #READ_CONTROL, 0, @attribs, #OPEN_EXISTING, #FILE_FLAG_BACKUP_SEMANTICS, 0) 
;
BytesToRead.l = 1024
BytesRead.l = 0
*Buffer = AllocateMemory(1024) 
Context.l = 0
;
Repeat
  z = BackupRead_(hFile, *Buffer, BytesToRead, @BytesRead, 0, 1, @Context) 
  Debug z
  Debug BytesRead
Until z =0
;
Debug "done"
;
Debug BackupRead_(hFile, 0, 0, 0, 1, 0, @Context) 
;
Debug SizeOf(WIN32_STREAM_ID)

[blueznl]

but i am getting a little lost...

The BackupRead function can be used to back up a file or directory, including the security information. The function reads data associated with a specified file or directory into a buffer, which can then be written to the backup medium using the WriteFile function

[blueznl]

this might shed a little more light... streams?

http://www.ntdev.org/archive/ntdev9704/msg0333.html

[fweil]

Back from lunch and was there http://ttsky.net/ruby/ruby-dl-sample/win32/stream.rb !

[blueznl]

that sample in ruby uses GENERIC_READ but that doesn't work on my machine... only READ_CONTROL, if i use the parameters suggested there it won't work...

[fweil]

I red carefully @ http://www.ntdev.org/archive/ntdev9704/msg0333.html

but this does not solve the bad hFile return from CreateFile_() ATM .

I am puzzled.

[blueznl]

this reads the stream, reports stream name, and reports proper size of that stream (ie. filesize in this case) on win xp pro

Code: Select all

CreateFile(1,"c:\test.txt")
For n = 1 To 2
  WriteString("dit is een test"+Chr(13)+Chr(10))
Next n
CloseFile(1)
;
filename.s = "c:\test.txt" 
file_h = CreateFile_(@filename, #READ_CONTROL, #FILE_SHARE_READ, 0, #OPEN_EXISTING, #FILE_FLAG_BACKUP_SEMANTICS, 0) 
;
*buffer = AllocateMemory(1024) 
context.l = 0
bytes_read.l = 0
;
Structure _win32_stream_id
  dwStreamID.l
  dwStreamAttributes.l
  dwStreamSizeLow.l
  dwStreamSizeHigh.l
  dwStreamNameSize.l
EndStructure

For n =1 To 3
  z = BackupRead_(file_h, *buffer, 20, @bytes_read, 0, 0, @context) 
  Debug z
  If z>0
    Debug "stream "+Str(n)
    ;
    *stream._win32_stream_id = *buffer
    Debug "stream id "+Str( *stream\dwStreamID )
    Debug "stream attributes: %"+Bin( *stream\dwStreamAttributes )
    Debug "stream size: "+Str( *stream\dwStreamSizeLow + *stream\dwStreamSizeHigh *256*256*256*256 )
    Debug "name size: "+Str( *stream\dwStreamNameSize )
    ;
  EndIf
Next n
;
BackupRead_(file_h, *0,0,@bytes_read,0,0,@context)
CloseHandle_(file_h)

there's no error on createfile_()... are you running on ntfs?

[fweil]

Yes I run NTFS for sure.

[blueznl]

some generic info on streams...

http://www.diamondcs.com.au/index.php?p ... fs-streams

http://www.alcpress.com/articles/ads.html

http://win32.mvps.org/ntfs/dump_ntfs_streams.cpp

anyway, the code above should report 34 bytes stream length, doesn't it on your system?

[fweil]

Blueznl, yes the sample code you just posted works, but does not unlock the file if it is locked.

Here is my point, backuping files is possible by using API functions, but it somebody may exist another level to backup even the locked files.

ATM, I surrender after reading how possible to do worms and hack NTFS !

That's crazy, but too deep right now to work on.