_BENNY:

http://mygreenpaste.blogspot.com/2006/08/ntfs-alternate-data-streams.html
http://www.reddragonfly.org/ntfs/concepts/file.html

proc to delat jednoduse, kdyz to muzeme uplne zprasit, ze? :D

Nemel byste nekdo strukturu ($PIR) tabulky

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\RealModeIrqRoutingTable\0\\Configuration Data

popr. nejaky slusny text o tom, jak xp provadi PCI steering?

Windows® Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition (PRO-Developer) (Hardcover)

API – nektere veci vcelku srozumitelne (a cesky). (html)

JACHYMKO:

No ja vim. Pravdepodobne to byl reg key. Potom se to zobrazovalo rozbalene jak v process exploreru tak i v task manageru.

JACHYMKO:

Dekuji. Ale myslim ze to bylo neco jineho po zadani prikazu se svchost rozbalil v process exploreru nebo ve spravci uloh. Takhle dostanu jen vypis.

JACHYMKO: vida, dik!

Pomuze mi nekdo, prosim?
[ OASHI @ ghostovani - Ghost (DOS, Norton, Symantec), DriveImage, Acronis. Zalohovani disku, zaloha partition, image, imageovani ]

http://svn.reactos.org/svn/reactos/trunk/press-media/presentations/Imaginatica%202009/ReactOS%20(no)%20es%20Windows.pdf?view=co

- super uvod do windows internals

Potreboval bych prikaz v cmd ktery rozbali svchost.exe instance na jednotlive procesy. Nekde jsem to videl na webu a uz to nemuzu najit.

_BENNY: stroj Win2003 x64

_BENNY: 18:16:50 explorer.exe:2188 OPEN C:\WINDOWS\ServicePackFiles\amd64\netbt.sys:Raec25ph4sudbf0hAaq5ehw3Nf:$DATA NOT FOUND Options: Open Access: All

JACHYMKO: nikomu nic necpu ;-)

jo, proste klasickej search na obsah

JACHYMKO: mne zas prijdou odporny ty "vzdusny" kerneli zdrojaky ;)

JACHYMKO: presne tak. explorer jen prohledava na obsah "x" v kazdym souboru a takhle se na kazdy soubor v obou variantach "dotazuje". neco pred nami skryvaji :)

JACHYMKO: zaklad je de facto stejny jako minifilter samples "scanner" v IFSKitu. moje rutina na prevod jmena (ktera se vola v pre/post handlerech) je zde:

NTSTATUS ScannerGetDOSFileName(PUNICODE_STRING pUS, PCFLT_RELATED_OBJECTS pFltObjects, PFLT_FILE_NAME_INFORMATION pNameInfo) {

	NTSTATUS		status;
	UNICODE_STRING	us = {0,0,0};

	PAGED_CODE();

	if (!pFltObjects->FileObject->FileName.Length)
		return STATUS_BUFFER_TOO_SMALL;

	RtlInitUnicodeString(&us,NULL);

	if (!NT_SUCCESS(status = IoVolumeDeviceToDosName(pFltObjects->FileObject->DeviceObject,&us)))
		return status;
	if (!NT_SUCCESS(status = RtlAppendUnicodeStringToString(pUS,&us))) {
		RtlFreeUnicodeString(&us);
		return status;
	}
	RtlFreeUnicodeString(&us);
	if (pFltObjects->FileObject->RelatedFileObject) {
		if (!NT_SUCCESS(status = RtlAppendUnicodeStringToString(pUS,&pFltObjects->FileObject->RelatedFileObject->FileName)))
			return status;
		if (!NT_SUCCESS(status = RtlAppendUnicodeToString(pUS,L"\\")))
			return status;
		if (!NT_SUCCESS(status = RtlAppendUnicodeStringToString(pUS,&pNameInfo->FinalComponent)))
			return status;
	} else {
		if (!NT_SUCCESS(status = RtlAppendUnicodeStringToString(pUS,&pFltObjects->FileObject->FileName)))
			return status;
	}
	DbgPrint("string %S\n",pUS->Buffer);
	return status;
}

JACHYMKO:

Plylst1.wpl:Raec25ph4sudbf0hAaq5ehw3Nf:$DATA
Plylst1.wpl:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

nemuze to byt jakousi nahodou dvoji interpretace tehoz?

hlavne ten GUID mi tam bije do oci...

JACHYMKO: explorer.exe - Start / Hledat / *.* / obsah "x" / vsechny pevne disky

nevim jestli neco zahlasi filemonitor, ale muj minifilter driver kazdopadne ano.

JACHYMKO: mno, jsem holt taky s napadama v koncich :-)