解读 SysNativeCompressFile
来源:互联网 发布:交大医学院网络教育 编辑:程序博客网 时间:2024/04/26 14:54
解读 SysNativeCompressFile
//----- (100EE3EA)--------------------------------------------------------
int __thiscallWindows::Rtl::SystemImplementation::DirectFileSystemProvider::SysNativeCompressFile(Windows::Rtl::SystemImplementation::DirectFileSystemProvider*this,unsigned __int32a2, void *a3, unsigned __int32*a4)
{
if (a4 )
*a4=0;
v4 =this;
v5 =*(_DWORD*)v4;
v9 =2;
v10 =1;
v11 =0;
v12 =0;
memset(&Dst,0,0x30u);
Dst =1;
// SysFsControlFile(ULONG,void *,void *,void (*)(void*,_IO_STATUS_BLOCK *,ULONG),void *,_IO_STATUS_BLOCK *,ULONG,void *,ULONG,void*,ULONG,ULONG *)
result =(*(int(__thiscall**)(Windows::Rtl::SystemImplementation::DirectFileSystemProvider*,signed int, void*, _DWORD, _DWORD, _DWORD,char*, signed int,int*, signed int, _DWORD,_DWORD,unsigned __int32 *))(v5+ 104))(
v4,
9,
a3,
0,
0,
0,
&v7,
590604,
&Dst,
48,
0,
0,
a4);
if (result >=0)
result =0;
return result;
}
//----- (100EDE10)--------------------------------------------------------
int __fastcallWindows::Rtl::SystemImplementation::DirectFileSystemProvider::SysFsControlFile(Windows::Rtl::SystemImplementation::DirectFileSystemProvider*this,structWindows::WCP::Rtl::_RTL_TRACING_FACILITY *a2,char a3,void *a4, void*a5,void (__stdcall *a6)(void *,struct _IO_STATUS_BLOCK *,unsigned__int32), void*a7, PIO_STATUS_BLOCK IoStatusBlock, ULONGFsControlCode,void *a10,ULONG InputBufferLength,void *Dst,size_t Size,unsigned __int32 *a14)
{
v41 =0;
FileHandle =a4;
Event =a5;
ApcRoutine =(void(*)(PVOID,PIO_STATUS_BLOCK, ULONG))a6;
v14 =IoStatusBlock;
v15 =Dst;
v16 =a14;
v27 =this;
ApcContext =a7;
InputBuffer =a10;
v31 =(const char*)InputBufferLength;
v32 =(const char*)InputBufferLength;
v33 =a10;
OutputBuffer = Dst;
v35 =Size;
v36 =Size;
v37 =Dst;
v38 =C00000E5;
v42 =0;
v40 =1;
if (Windows::WCP::Rtl::RtlGetFacilityTracingFlags((Windows::WCP::Rtl*)&Facility_SIL, a2)&0xE)
Windows::WCP::Rtl::CEnterExitTracer<Windows::ErrorHandling::Rtl::CSimpleNtStatusCarryingFrame,7>::Arm(
"Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysFsControlFile"
);
if (!v14)
{
v17 =(void*)4208;
v18 ="Not-null check failed: IoStatusBlock";
Windows::ErrorHandling::Rtl::CBaseFrame<Windows::ErrorHandling::Rtl::CVoidRaiseFrame>::SetInvalidParameter_NullPointer(&v38);
LABEL_28:
Windows::WCP::Rtl::CEnterExitTracer<Windows::ErrorHandling::Rtl::CSimpleNtStatusCarryingFrame,7>::~CEnterExitTracer<Windows::ErrorHandling::Rtl::CSimpleNtStatusCarryingFrame,7>(
"Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysFsControlFile";
return v38;
}
if (v16 )
*v16=0;
v14->Status=0;
v14->Information=0;
if (v15 )
memset(v15,0, Size);
v19 =1;
v20 =NtFsControlFile(
FileHandle,
Event,
ApcRoutine,
ApcContext,
v14,
FsControlCode,
InputBuffer,
InputBufferLength,
OutputBuffer,
Size);
if (v20 !=-1073741808)
{
switch ( v20 )
{
case -1073740761:
if ( a3 &2 )
{
v23 =3;
goto LABEL_21;
}
break;
case -1073740691:
if ( a3 &4 )
{
v23 =4;
goto LABEL_21;
}
break;
case -1073740689:
if ( a3 &8 )
{
v23 =5;
goto LABEL_21;
}
break;
default:
if ( v20 >=0 )
goto LABEL_22;
break;
}
LABEL_27:
v17 =(void*)4250;
v38 =v20;
v18 ="Status";
goto LABEL_28;
}
if (!(a3&1) )
goto LABEL_27;
v23 =2;
LABEL_21:
v19 =v23;
LABEL_22:
if (v16 )
*v16= v19;
v42 =1;
Windows::ErrorHandling::Rtl::CBaseFrame<Windows::ErrorHandling::Rtl::CVoidRaiseFrame>::SetCanonicalSuccess(&v38);
v21 =v38;
return v21;
}
ZwFsControlFile routine
The ZwFsControlFile routine sends a controlcode directly to a specified file system or file system filter driver, causingthe corresponding driver to perform the specified action.
Syntax
C++
Copy
NTSTATUSZwFsControlFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_ ULONG FsControlCode,
_In_opt_ PVOID InputBuffer,
_In_ ULONG InputBufferLength,
_Out_opt_ PVOID OutputBuffer,
_In_ ULONG OutputBufferLength
);
Parameters
FileHandle [in]
Handle returned by ZwCreateFile or ZwOpenFile for the file object representingthe file or directory on which the specified action is to be performed. Thefile object must have been opened for asynchronous I/O if the caller specifiesanEvent, ApcRoutine, and an APC context (in ApcContext),or a completion context (inApcContext).
Event [in, optional]
Handle for a caller-created event.If this parameter is supplied, the caller will be put into a wait state untilthe requested operation is completed and the given event is set to the Signaledstate. This parameter is optional and can beNULL. It must be NULLif the caller will wait for theFileHandle to be set to the Signaledstate.
ApcRoutine [in, optional]
Address of a caller-supplied APCroutine to be called when the requested operation completes. This parameter isoptional and can beNULL. It must be NULL if there is an I/Ocompletion object associated with the file object.
ApcContext [in, optional]
Pointer to a caller-determinedcontext area. This parameter value is used as the APC context if the callersupplies an APC, or is used as the completion context if an I/O completionobject has been associated with the file object. When the operation completes,either the APC context is passed to the APC, if one was specified, or thecompletion context is included as part of the completion message that the I/OManager posts to the associated I/O completion object.
This parameter is optional and canbe NULL. It must beNULL if ApcRoutine is NULL andthere is no I/O completion object associated with the file object.
IoStatusBlock [out]
Pointer to an IO_STATUS_BLOCKstructure that receives the final completion status and information about theoperation. For successful calls that return data, the number of bytes writtento theOutputBuffer is returned in the Information member of thisstructure.
FsControlCode [in]
FSCTL_XXX code that indicateswhich file system control operation is to be carried out. The value of thisparameter determines the formats and required lengths of theInputBufferand OutputBuffer, as well as which of the following parameter pairs arerequired. For detailed information about the system-defined FSCTL_XXXcodes, see the "Remarks" section of the reference entry forDeviceIoControl in the Microsoft Windows SDKdocumentation.
InputBuffer [in, optional]
Pointer to a caller-allocated inputbuffer that contains device-specific information to be given to the targetdriver. IfFsControlCode specifies an operation that does not requireinput data, this pointer is optional and can beNULL.
InputBufferLength [in]
Size, in bytes, of the buffer at InputBuffer.This value is ignored ifInputBuffer is NULL.
OutputBuffer [out, optional]
Pointer to a caller-allocated outputbuffer in which information is returned from the target driver. IfFsControlCodespecifies an operation that does not produce output data, this pointer isoptional and can beNULL.
OutputBufferLength [in]
Size, in bytes, of the buffer at OutputBuffer.This value is ignored ifOutputBuffer is NULL.
Return value
ZwFsControlFile returns STATUS_SUCCESS or an appropriate NTSTATUSvalue such as one of the following:
STATUS_ACCESS_DENIED
STATUS_INSUFFICIENT_RESOURCES
STATUS_INVALID_HANDLE
STATUS_INVALID_PARAMETER
STATUS_IO_REPARSE_TAG_MISMATCH
STATUS_OBJECT_TYPE_MISMATCH
STATUS_REPARSE_ATTRIBUTE_CONFLICT
Remarks
ZwFsControlFile provides a consistent view of the input and outputdata to the system and to kernel-mode drivers, while providing applications andunderlying drivers with a driver-dependent method of specifying acommunications interface.
If the caller opened the file for asynchronous I/O(with neither FILE_SYNCHRONOUS_XXX create/open option set), thespecified event, if any, will be set to the signaled state when the devicecontrol operation completes. Otherwise, the file object specified by FileHandlewill be set to the signaled state. If an ApcRoutine was specified, it iscalled with the ApcContext and IoStatusBlock pointers.
The following FSCTL codes are currently documentedfor kernel-mode drivers:
FSCTL_DELETE_REPARSE_POINT
FSCTL_GET_REPARSE_POINT
FSCTL_OPBATCH_ACK_CLOSE_PENDING
FSCTL_OPLOCK_BREAK_ACK_NO_2
FSCTL_OPLOCK_BREAK_ACKNOWLEDGE
FSCTL_OPLOCK_BREAK_NOTIFY
FSCTL_REQUEST_BATCH_OPLOCK
FSCTL_REQUEST_FILTER_OPLOCK
FSCTL_REQUEST_OPLOCK_LEVEL_1
FSCTL_REQUEST_OPLOCK_LEVEL_2
FSCTL_SET_REPARSE_POINT
For more information about system-defined FSCTL_XXXcodes, see the "Remarks" section of the reference entry forDeviceIoControl in the Microsoft Windows SDKdocumentation.
For more information about system-defined IOCTL_XXXcodes, and about defining driver-specific IOCTL_XXX or FSCTL_XXXvalues, seeUsing I/O Control Codes in the Kernel Mode ArchitectureGuide andDevice Input and Output Control Codes in the Windows SDKdocumentation.
Minifilters should use FltFsControlFile instead of ZwFsControlFile.
Callers of ZwFsControlFile must be running atIRQL = PASSIVE_LEVEL andwith special kernel APCsenabled.
Note If the call to the ZwFsControlFilefunction occurs in user mode, you should use the name "NtFsControlFile"instead of "ZwFsControlFile".
Requirements
Target platform
Universal
Version
Available starting with Windows 2000.
Header
Ntifs.h (include Ntifs.h)
Library
NtosKrnl.lib
DLL
NtosKrnl.exe
IRQL
PASSIVE_LEVEL (see Remarks section)
DDI compliance rules
PowerIrpDDis,HwStorPortProhibitedDDIs
- 解读 SysNativeCompressFile
- 解读
- 解读数据?解读“人”!
- 解读数据?解读“人”!
- 解读P2P
- 解读深圳
- 解读睡眠
- Makefile解读
- Irda解读
- 解读防火墙
- sizeof解读
- 解读防火墙
- 解读防火墙
- 解读Makefile
- 事务解读
- Makefile解读
- 解读NTFS
- 解读CMVision
- 深入浅出DNS系列(八)- subnet
- POJ2289-Jamie's Contact Groups(二分图多重匹配)
- Linux 平台搭建C语言集成开发环境(Ubantu16.04)
- C指针基础(三)
- 【求职之路】(1)利用二分法查找一个数字在数组中的位置
- 解读 SysNativeCompressFile
- FABS函数
- 狄拉克函数- dirac 分布
- python安装环境的配置
- 导致全表扫描的情况
- CSS各种对齐代码,左对齐、右对齐、中间对齐、底部对齐、两端对齐等,代码简单
- Centos7虚拟机网络重启failed失败
- 283.Move Zeroes(C语言)
- pat L3-011. 直捣黄龙(dfs简单应用)