Enumerating Streams

Previous page
Table of content
Next page

How is it possible to determine, which streams could be inside a file? Built-in Windows tools provide no such capability. Functions for working with streams are undocumented and are available only through native API. These are NtCreateFile, NtQueryEaFile, and NtSetEaFile, descriptions of which can be found, in particular, in " Undocumented Functions for Microsoft Windows NT/2000 " by Tomasz Nowak. The electronic version can be downloaded for free from http://undocumented.ntinternals.net/title.html . It is also advisable to read the " Win2k.Stream " article from issue 5 of the #29A virus magazine. Other e-zines are also recommended.

New streams are created by calling the NtCreateFile function, which, along with other arguments, accepts the pointer to the FILE_FULL_EA_INFORMATION structure passed using EaBuffer . As a variant, it is possible to use the NtSetEaFile function by passing to it the descriptor returned by NtCreateFile when opening the file in a normal way. The NtQueryEaFile function evaluates and reads all existing streams. The prototypes of all functions and the definitions of all structures are in the ntddk.h file, which contains a sufficient amount of comments, allowing you to grasp the idea and further gain an understanding of the particulars.


Previous page
Table of content
Next page
Shellcoder's Programming Uncovered
Shellcoders Programming Uncovered (Uncovered series)
ISBN: 193176946X
EAN: 2147483647
Year: 2003
Pages: 164
Authors: Kris Kaspersky
BUY ON AMAZON
Microsoft Windows Server 2003(c) TCP/IP Protocols and Services (c) Technical Reference
The Complete Cisco VPN Configuration Guide
Visual C# 2005 How to Program (2nd Edition)
Microsoft WSH and VBScript Programming for the Absolute Beginner
What is Lean Six Sigma
Telecommunications Essentials, Second Edition: The Complete Global Source (2nd Edition)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy