[RESOLVED] Directory Info using GetFileInformationByHandleEx

[itsmeash]

Hello all,

I hooked NtSetInformationFile to intercept delete call, This is done, Now i have a file which contains name of files and folder need to be protected, Protecting file is no problem as i get the file name from file handle and using strcmp i decide whether to delete the file or not, But how to determine that the file handle i get in NtSetInformationFile is folder?

I tried using GetFileInformationByHandleEx with FileStandardInfo which should give me whether the handle is directory or not, But it always returns TRUE(folder) when there are no files inside and FALSE(not folder) when there are files inside.


Thanks all.

[VictorN]

Did you try to use GetFileInformationByHandle instead and just check the FILE_ATTRIBUTE_DIRECTORY flag in dwFileAttributes of BY_HANDLE_FILE_INFORMATION Structure?

[itsmeash]

Did you try to use GetFileInformationByHandle instead and just check the FILE_ATTRIBUTE_DIRECTORY flag in dwFileAttributes of BY_HANDLE_FILE_INFORMATION Structure?

Yes Victor, I tried that also, But it's giving the same result as GetFileInformationByHandleEx...

[itsmeash]

Let me explain the scenario, I have a empty folder say "abcd" in C: drive and a non-empty folder say "efgh" in C: drive which contains a.txt, b.rar

Now when i access empty folder(i.e try to delete) the path i get is "C:\abcd", which is fine and a query for directory in GetFileInformationByHandleEx return TRUE, But when i access non empty folder the path i get is "C:\efgh\a.txt" and "C:\efgh\b.rar" , Please note i did not access the files inside it but folder.

[VictorN]

... when i access non empty folder the path i get is "C:\efgh\a.txt" and "C:\efgh\b.rar" , Please note i did not access the files inside it but folder.

Please, define "access ... folder".
How are you doing it?

[OReubens]

All sounds pretty normal to me.

When you (try to) delete an empty folder, then you'll get notified of the folder delete.

When you (try to) delete a non-empty folder, then first all the contents of this folder needs to be removed, since it's only possible to remove a folder that's empty. The OS will notify you of the entire folder contents you're trying to delete. If and only if ALL of the contents has been deleted will you get notified that the folder itself is getting deleted. Note that the folder can contain subfolders, which end up getting deleted also.

It really depends what you want to know or trying to achieve. If you want to know what the folder is that someone is trying to delete, then you can't do that by hooking the NtSetInformationFile() function.
Lets assume the following directory structure.

Code:

C:\
+- Folder1
|     +- Folder11
|     |   +- FileA
|     |   +- FileB
|     +- Folder12
+- F2
      +- Folder21

User selects Folder1 and hits delete. You will first get notified of a delete of FileA, then FileB. If both those succeed, you'll get notified of Folder11 and Folder12, if both those succeed, you'll get notified Folder1 is being deleted.

At the moment you get the notify of the FileA deletion, you can't know that the user is really trying to delete (at least not via intercepting NtSetInformationFile) Folder1. You can't even assume the user is trying to delete the containing folder (Folder11) because it could be any of the parents of the FileA. On NT there's even such a thing as soft links, junctions etc. So the user could even be trying to delete something that just by looking at the file path, is totally unrelated to the file being deleted.

If you just need to know the difference between file vs directory. Then GetFileInformationByHandleEx is what you need, but you seem to be using it wrong. This function will return true if the call worked, not whether the handle refers to an actual file or a directory. In NTFS, a directory IS a file afterall.
use GetFileInformationByHandleEx with FILE_BASIC_INFO, if the call returns true, then check the FileAttributes member of the returned FILE_BASIC_INFO, if this has the FILE_ATTRIBUTE_DIRECTORY set, then it's a directory, if not, it's a file.

[itsmeash]

Please, define "access ... folder".
How are you doing it?

When i try to delete...

All sounds pretty normal to me.

When you (try to) delete an empty folder, then you'll get notified of the folder delete.

When you (try to) delete a non-empty folder, then first all the contents of this folder needs to be removed, since it's only possible to remove a folder that's empty. The OS will notify you of the entire folder contents you're trying to delete. If and only if ALL of the contents has been deleted will you get notified that the folder itself is getting deleted. Note that the folder can contain subfolders, which end up getting deleted also.

It really depends what you want to know or trying to achieve. If you want to know what the folder is that someone is trying to delete, then you can't do that by hooking the NtSetInformationFile() function.
Lets assume the following directory structure.

Code:

C:\
+- Folder1
|     +- Folder11
|     |   +- FileA
|     |   +- FileB
|     +- Folder12
+- F2
      +- Folder21

User selects Folder1 and hits delete. You will first get notified of a delete of FileA, then FileB. If both those succeed, you'll get notified of Folder11 and Folder12, if both those succeed, you'll get notified Folder1 is being deleted.

At the moment you get the notify of the FileA deletion, you can't know that the user is really trying to delete (at least not via intercepting NtSetInformationFile) Folder1. You can't even assume the user is trying to delete the containing folder (Folder11) because it could be any of the parents of the FileA. On NT there's even such a thing as soft links, junctions etc. So the user could even be trying to delete something that just by looking at the file path, is totally unrelated to the file being deleted.

If you just need to know the difference between file vs directory. Then GetFileInformationByHandleEx is what you need, but you seem to be using it wrong. This function will return true if the call worked, not whether the handle refers to an actual file or a directory. In NTFS, a directory IS a file afterall.
use GetFileInformationByHandleEx with FILE_BASIC_INFO, if the call returns true, then check the FileAttributes member of the returned FILE_BASIC_INFO, if this has the FILE_ATTRIBUTE_DIRECTORY set, then it's a directory, if not, it's a file.

Cool, Thanks for the explanation OReubens, That make perfect sense... and yes i was using GetFileInformationByHandleEx in wrong way, i was using FileStandardInfo to get the directory, Lemme just check FILE_BASIC_INFO...

[itsmeash]

FILE_BASIC_INFO behaves same as FileStandardInfo , But that's logical because as soon i (try to ) delete the directory i get the handle of files inside it and FILE_BASIC_INFO and FileStandardInfo returns FALSE.

So i can't do it using NtSetInformationFile Hook?? Are there any other work around where i get the folder information first?

[VictorN]

Having the full path name of a file there is no any problem to obtain all the parent folders of it.

[itsmeash]

Yeah i guess that's the only thing i could do now, Was wondering if i could use the FileAttributes or Directory info from FileBasicInfo and FileStandardInfo..

Thanks anyways

[VictorN]

Yeah i guess that's the only thing i could do now, Was wondering if i could use the FileAttributes or Directory info from FileBasicInfo and FileStandardInfo..

Sure you can. But only for the file/directory the handle belongs to.