99Boboster99

Reputation: 63

FileInformation - extract file rename details

What is the easiest and most efficient way to extract the file details from the "FileInformation" parameter, when the "FileInformationClass" is equal to "10" (i.e. file rename operation)?

I am trying to intercept an NtSetInformation API call and I'd like to modify the resultant file name.

At this point the only code I have is the definition for NtSetInformationFile, which is:

__kernel_entry NTSYSCALLAPI NTSTATUS NtSetInformationFile(
  HANDLE                 FileHandle,
  PIO_STATUS_BLOCK       IoStatusBlock,
  PVOID                  FileInformation,
  ULONG                  Length,
  FILE_INFORMATION_CLASS FileInformationClass
);

I searched the web and found an example where the FileInformation was changed to a "uint32_t" (link - see line 794), but then the code, to get the file details, is rather extensive (Boost). Is there an efficient way to accomplish this task without using Boost?

Upvotes: 0

Views: 278

Answers (1)

Anders

Reputation: 101616

Why look at random code you find online when the structure you are asking about is documented?

Like most of the NT API, file locations can be relative to a directory handle:

If the file is not being moved to a different directory, or if the FileName member contains the full pathname, this member is NULL. Otherwise, it is a handle for the root directory under which the file will reside after it is renamed.

MSDN also tells you that there are 3 possible combinations:

The file name string in the FileName member must be specified in one of the following forms.

  • A simple file name. (The RootDirectory member is NULL.) In this case, the file is simply renamed within the same directory. That is, the rename operation changes the name of the file but not its location.
  • A fully qualified file name. (The RootDirectory member is NULL.) In this case, the rename operation changes the name and location of the file.
  • A relative file name. In this case, the RootDirectory member contains a handle to the target directory for the rename operation. The file name itself must be a simple file name.

You probably need to use something like GetFinalPathNameByHandle if you care about the full path. If you only care about the filename and not the path you can just parse the FileName member (the name part is after the last \).

To change the name you must call the real NtSetInformationFile function with your own FILE_RENAME_INFORMATION buffer.

Upvotes: 1
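The parsing and rebuilding steps described in the answer above, as an added example that is not part of the original question or answer. `RENAME_INFO`, `rename_leaf` and `rename_with_leaf` are hypothetical names, and the struct is a portable mirror of the documented FILE_RENAME_INFORMATION layout so that it builds without Windows headers. It also checks `FileNameLength` (a byte count, with no terminator guaranteed) against the `Length` argument before reading the name, which a hook should do because the buffer comes from the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Portable mirror of the documented FILE_RENAME_INFORMATION layout (assumed
   here for illustration; a real hook uses the SDK/WDK type instead). */
typedef struct {
    uint8_t  ReplaceIfExists;
    void    *RootDirectory;    /* NULL unless FileName is relative to a handle */
    uint32_t FileNameLength;   /* length of FileName in BYTES, not characters */
    uint16_t FileName[];       /* UTF-16 code units, not NUL-terminated */
} RENAME_INFO;
#define HDR offsetof(RENAME_INFO, FileName)

/* Validate the buffer, then locate the name part after the last '\\'. */
int rename_leaf(const void *buf, uint32_t length,
                const uint16_t **leaf, uint32_t *leaf_chars)
{
    const RENAME_INFO *ri = buf;
    if (!buf || length < HDR) return -1;
    if (ri->FileNameLength % 2 || ri->FileNameLength > length - HDR) return -1;
    uint32_t n = ri->FileNameLength / 2, start = 0;
    for (uint32_t i = 0; i < n; i++)
        if (ri->FileName[i] == '\\') start = i + 1;
    *leaf = ri->FileName + start;
    *leaf_chars = n - start;
    return 0;
}

/* Build a new buffer with the same flag, RootDirectory and directory part but
   a different leaf name. Pass it, with *out_len as Length, to the real
   NtSetInformationFile, then free() it. */
RENAME_INFO *rename_with_leaf(const void *buf, uint32_t length,
        const uint16_t *new_leaf, uint32_t new_chars, uint32_t *out_len)
{
    const RENAME_INFO *ri = buf;
    const uint16_t *leaf; uint32_t leaf_chars;
    if (new_chars > 0x7FFF || rename_leaf(buf, length, &leaf, &leaf_chars)) return NULL;
    size_t dir_chars = (size_t)(leaf - ri->FileName);
    size_t total = HDR + (dir_chars + new_chars) * 2;
    RENAME_INFO *out = total > UINT32_MAX ? NULL : calloc(1, total);
    if (!out) return NULL;
    out->ReplaceIfExists = ri->ReplaceIfExists;
    out->RootDirectory = ri->RootDirectory;
    out->FileNameLength = (uint32_t)(total - HDR);
    memcpy(out->FileName, ri->FileName, dir_chars * 2);
    memcpy(out->FileName + dir_chars, new_leaf, (size_t)new_chars * 2);
    *out_len = (uint32_t)total;
    return out;
}
```

When `RootDirectory` is non-NULL or the name is a simple file name, the leaf is all this recovers; the full path still has to come from the handle, as the answer says.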
