解读 SysNativeCompressFile

解读 SysNativeCompressFile

 

 

//----- (100EE3EA)--------------------------------------------------------
int __thiscallWindows::Rtl::SystemImplementation::DirectFileSystemProvider::SysNativeCompressFile(Windows::Rtl::SystemImplementation::DirectFileSystemProvider*this,unsigned __int32a2, void *a3, unsigned __int32*a4)
{

  if (a4 )
    *a4=0;
  v4 =this;
  v5 =*(_DWORD*)v4;
  v9 =2;
  v10 =1;
  v11 =0;
  v12 =0;
  memset(&Dst,0,0x30u);
  Dst =1;
// SysFsControlFile(ULONG,void *,void *,void (*)(void*,_IO_STATUS_BLOCK *,ULONG),void *,_IO_STATUS_BLOCK *,ULONG,void *,ULONG,void*,ULONG,ULONG *)

  result =(*(int(__thiscall**)(Windows::Rtl::SystemImplementation::DirectFileSystemProvider*,signed int, void*, _DWORD, _DWORD, _DWORD,char*, signed int,int*, signed int, _DWORD,_DWORD,unsigned __int32 *))(v5+ 104))(
             v4,
             9,
             a3,
             0,
             0,
             0,
             &v7,
             590604,
             &Dst,
             48,
             0,
             0,
             a4);
  if (result >=0)
    result =0;
  return result;
}

 

//----- (100EDE10)--------------------------------------------------------
int __fastcallWindows::Rtl::SystemImplementation::DirectFileSystemProvider::SysFsControlFile(Windows::Rtl::SystemImplementation::DirectFileSystemProvider*this,structWindows::WCP::Rtl::_RTL_TRACING_FACILITY *a2,char a3,void *a4, void*a5,void (__stdcall *a6)(void *,struct _IO_STATUS_BLOCK *,unsigned__int32), void*a7, PIO_STATUS_BLOCK IoStatusBlock, ULONGFsControlCode,void *a10,ULONG InputBufferLength,void *Dst,size_t Size,unsigned __int32 *a14)
{

  v41 =0;
  FileHandle =a4;
  Event =a5;
  ApcRoutine =(void(*)(PVOID,PIO_STATUS_BLOCK, ULONG))a6;
  v14 =IoStatusBlock;
  v15 =Dst;
  v16 =a14;
  v27 =this;
  ApcContext =a7;
  InputBuffer =a10;
  v31 =(const char*)InputBufferLength;
  v32 =(const char*)InputBufferLength;
  v33 =a10;
  OutputBuffer = Dst;
  v35 =Size;
  v36 =Size;
  v37 =Dst;
  v38 =C00000E5;
  v42 =0;
  v40 =1;
  if (Windows::WCP::Rtl::RtlGetFacilityTracingFlags((Windows::WCP::Rtl*)&Facility_SIL, a2)&0xE)
    Windows::WCP::Rtl::CEnterExitTracer<Windows::ErrorHandling::Rtl::CSimpleNtStatusCarryingFrame,7>::Arm(

"Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysFsControlFile"

);
  if (!v14)
  {
    v17 =(void*)4208;
    v18 ="Not-null check failed: IoStatusBlock";
   Windows::ErrorHandling::Rtl::CBaseFrame<Windows::ErrorHandling::Rtl::CVoidRaiseFrame>::SetInvalidParameter_NullPointer(&v38);
LABEL_28:
    Windows::WCP::Rtl::CEnterExitTracer<Windows::ErrorHandling::Rtl::CSimpleNtStatusCarryingFrame,7>::~CEnterExitTracer<Windows::ErrorHandling::Rtl::CSimpleNtStatusCarryingFrame,7>(
"Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysFsControlFile";
    return v38;
  }
  if (v16 )
    *v16=0;
  v14->Status=0;
  v14->Information=0;
  if (v15 )
    memset(v15,0, Size);
  v19 =1;
  v20 =NtFsControlFile(
          FileHandle,
          Event,
          ApcRoutine,
          ApcContext,
          v14,
          FsControlCode,
          InputBuffer,
          InputBufferLength,
          OutputBuffer,
          Size);
  if (v20 !=-1073741808)
  {
    switch ( v20 )
    {
      case -1073740761:
        if ( a3 &2 )
        {
          v23 =3;
          goto LABEL_21;
        }
        break;
      case -1073740691:
        if ( a3 &4 )
        {
          v23 =4;
          goto LABEL_21;
        }
        break;
      case -1073740689:
        if ( a3 &8 )
        {
          v23 =5;
          goto LABEL_21;
        }
        break;
      default:
        if ( v20 >=0 )
          goto LABEL_22;
        break;
    }
LABEL_27:
    v17 =(void*)4250;
    v38 =v20;
    v18 ="Status";
    goto LABEL_28;
  }
  if (!(a3&1) )
    goto LABEL_27;
  v23 =2;
LABEL_21:
  v19 =v23;
LABEL_22:
  if (v16 )
    *v16= v19;
  v42 =1;
  Windows::ErrorHandling::Rtl::CBaseFrame<Windows::ErrorHandling::Rtl::CVoidRaiseFrame>::SetCanonicalSuccess(&v38);
  v21 =v38;

  return v21;
}

 

ZwFsControlFile routine

The ZwFsControlFile routine sends a controlcode directly to a specified file system or file system filter driver, causingthe corresponding driver to perform the specified action.

Syntax

C++

Copy

 

NTSTATUSZwFsControlFile(

 _In_      HANDLE          FileHandle,

  _In_opt_  HANDLE          Event,

  _In_opt_  PIO_APC_ROUTINE ApcRoutine,

  _In_opt_  PVOID           ApcContext,

 _Out_     PIO_STATUS_BLOCK IoStatusBlock,

  _In_      ULONG           FsControlCode,

  _In_opt_  PVOID           InputBuffer,

  _In_      ULONG           InputBufferLength,

  _Out_opt_ PVOID           OutputBuffer,

  _In_      ULONG           OutputBufferLength

);

 

Parameters

FileHandle [in]

Handle returned by ZwCreateFile or ZwOpenFile for the file object representingthe file or directory on which the specified action is to be performed. Thefile object must have been opened for asynchronous I/O if the caller specifiesanEvent, ApcRoutine, and an APC context (in ApcContext),or a completion context (inApcContext).

Event [in, optional]

Handle for a caller-created event.If this parameter is supplied, the caller will be put into a wait state untilthe requested operation is completed and the given event is set to the Signaledstate. This parameter is optional and can beNULL. It must be NULLif the caller will wait for theFileHandle to be set to the Signaledstate.

ApcRoutine [in, optional]

Address of a caller-supplied APCroutine to be called when the requested operation completes. This parameter isoptional and can beNULL. It must be NULL if there is an I/Ocompletion object associated with the file object.

ApcContext [in, optional]

Pointer to a caller-determinedcontext area. This parameter value is used as the APC context if the callersupplies an APC, or is used as the completion context if an I/O completionobject has been associated with the file object. When the operation completes,either the APC context is passed to the APC, if one was specified, or thecompletion context is included as part of the completion message that the I/OManager posts to the associated I/O completion object.

This parameter is optional and canbe NULL. It must beNULL if ApcRoutine is NULL andthere is no I/O completion object associated with the file object.

IoStatusBlock [out]

Pointer to an IO_STATUS_BLOCKstructure that receives the final completion status and information about theoperation. For successful calls that return data, the number of bytes writtento theOutputBuffer is returned in the Information member of thisstructure.

FsControlCode [in]

FSCTL_XXX code that indicateswhich file system control operation is to be carried out. The value of thisparameter determines the formats and required lengths of theInputBufferand OutputBuffer, as well as which of the following parameter pairs arerequired. For detailed information about the system-defined FSCTL_XXXcodes, see the "Remarks" section of the reference entry forDeviceIoControl in the Microsoft Windows SDKdocumentation.

InputBuffer [in, optional]

Pointer to a caller-allocated inputbuffer that contains device-specific information to be given to the targetdriver. IfFsControlCode specifies an operation that does not requireinput data, this pointer is optional and can beNULL.

InputBufferLength [in]

Size, in bytes, of the buffer at InputBuffer.This value is ignored ifInputBuffer is NULL.

OutputBuffer [out, optional]

Pointer to a caller-allocated outputbuffer in which information is returned from the target driver. IfFsControlCodespecifies an operation that does not produce output data, this pointer isoptional and can beNULL.

OutputBufferLength [in]

Size, in bytes, of the buffer at OutputBuffer.This value is ignored ifOutputBuffer is NULL.

Return value

ZwFsControlFile returns STATUS_SUCCESS or an appropriate NTSTATUSvalue such as one of the following:

STATUS_ACCESS_DENIED

STATUS_INSUFFICIENT_RESOURCES

STATUS_INVALID_HANDLE

STATUS_INVALID_PARAMETER

STATUS_IO_REPARSE_TAG_MISMATCH

STATUS_OBJECT_TYPE_MISMATCH

STATUS_REPARSE_ATTRIBUTE_CONFLICT

Remarks

ZwFsControlFile provides a consistent view of the input and outputdata to the system and to kernel-mode drivers, while providing applications andunderlying drivers with a driver-dependent method of specifying acommunications interface.

If the caller opened the file for asynchronous I/O(with neither FILE_SYNCHRONOUS_XXX create/open option set), thespecified event, if any, will be set to the signaled state when the devicecontrol operation completes. Otherwise, the file object specified by FileHandlewill be set to the signaled state. If an ApcRoutine was specified, it iscalled with the ApcContext and IoStatusBlock pointers.

The following FSCTL codes are currently documentedfor kernel-mode drivers:

FSCTL_DELETE_REPARSE_POINT

FSCTL_GET_REPARSE_POINT

FSCTL_OPBATCH_ACK_CLOSE_PENDING

FSCTL_OPLOCK_BREAK_ACK_NO_2

FSCTL_OPLOCK_BREAK_ACKNOWLEDGE

FSCTL_OPLOCK_BREAK_NOTIFY

FSCTL_REQUEST_BATCH_OPLOCK

FSCTL_REQUEST_FILTER_OPLOCK

FSCTL_REQUEST_OPLOCK_LEVEL_1

FSCTL_REQUEST_OPLOCK_LEVEL_2

FSCTL_SET_REPARSE_POINT

For more information about system-defined FSCTL_XXXcodes, see the "Remarks" section of the reference entry forDeviceIoControl in the Microsoft Windows SDKdocumentation.

For more information about system-defined IOCTL_XXXcodes, and about defining driver-specific IOCTL_XXX or FSCTL_XXXvalues, seeUsing I/O Control Codes in the Kernel Mode ArchitectureGuide andDevice Input and Output Control Codes in the Windows SDKdocumentation.

Minifilters should use FltFsControlFile instead of ZwFsControlFile.

Callers of ZwFsControlFile must be running atIRQL = PASSIVE_LEVEL andwith special kernel APCsenabled.

Note  If the call to the ZwFsControlFilefunction occurs in user mode, you should use the name "NtFsControlFile"instead of "ZwFsControlFile".

 

Requirements

Target platform

Universal

Version

Available starting with Windows 2000.

Header

Ntifs.h (include Ntifs.h)

Library

NtosKrnl.lib

DLL

NtosKrnl.exe

IRQL

PASSIVE_LEVEL (see Remarks section)

DDI compliance rules

PowerIrpDDis,HwStorPortProhibitedDDIs