private static extern SafeFileHandle CreateFile(
string lpFileName, // ファイル名
DesiredAccess dwDesiredAccess, // アクセスモード
ShareMode dwShareMode, // 共有モード
int lpSecurityAttributes, // セキュリティ記述子
CreationDisposition dwCreationDisposition, // 作成方法
FlagsAndAttributes dwFlagsAndAttributes, // ファイル属性
IntPtr hTemplateFile // テンプレートファイルのハンドル
);
public unsafe static SafeFileHandle CreateFileRelative(
ReadOnlySpan <char> path,
SafeFileHandle rootDirectory,
CreateDisposition createDisposition,
DesiredAccess desiredAccess = DesiredAccess.GenericReadWrite | DesiredAccess.Synchronize,
ShareModes shareAccess = ShareModes.ReadWrite,
FileAttributes fileAttributes = FileAttributes.None,
CreateOptions createOptions = CreateOptions.SynchronousIoNonalert,
ObjectAttributes objectAttributes = ObjectAttributes.CaseInsensitive)
{
using (var handle = new UnwrapHandle(rootDirectory))
{
return(new SafeFileHandle(
CreateFileRelative(path, handle, createDisposition, desiredAccess,
shareAccess, fileAttributes, createOptions, objectAttributes),
true));
}
}
/// <summary>
/// Get a stream for the specified file.
/// </summary>
public static System.IO.Stream CreateFileStream(
StringSpan path,
DesiredAccess desiredAccess,
ShareModes shareMode,
CreationDisposition creationDisposition,
FileAttributes fileAttributes = FileAttributes.None,
FileFlags fileFlags = FileFlags.None,
SecurityQosFlags securityQosFlags = SecurityQosFlags.None)
{
var fileHandle = CreateFile(path, creationDisposition, desiredAccess, shareMode, fileAttributes, fileFlags, securityQosFlags);
// FileStream will own the lifetime of the handle
return(new System.IO.FileStream(
handle: fileHandle,
access: Conversion.DesiredAccessToFileAccess(desiredAccess),
bufferSize: 4096,
isAsync: (fileFlags & FileFlags.Overlapped) != 0));
}
public static IntPtr CreateFile(
string fileName,
ShareMode shareMode,
CreateDisposition creationDisposition,
DesiredAccess desiredAccess = DesiredAccess.None,
IntPtr securityAttributes = default,
uint flagsAndAttributes = 0,
IntPtr templateFile = default)
{
var handle = CreateFileCore(fileName, desiredAccess, shareMode, securityAttributes, creationDisposition, flagsAndAttributes, templateFile);
if (handle == new IntPtr(-1))
{
throw new Win32ErrorException();
}
return(handle);
}
/// <summary>
/// Get a stream for the specified file.
/// </summary>
public static System.IO.Stream CreateFileStream(
string path,
DesiredAccess desiredAccess,
ShareMode shareMode,
CreationDisposition creationDisposition,
FileAttributes fileAttributes = FileAttributes.NONE,
FileFlags fileFlags = FileFlags.NONE,
SecurityQosFlags securityQosFlags = SecurityQosFlags.NONE)
{
var fileHandle = CreateFile(path, desiredAccess, shareMode, creationDisposition, fileAttributes, fileFlags, securityQosFlags);
// FileStream will own the lifetime of the handle
return(new System.IO.FileStream(
handle: fileHandle,
access: Conversion.DesiredAccessToFileAccess(desiredAccess),
bufferSize: 4096,
isAsync: (fileFlags & FileFlags.FILE_FLAG_OVERLAPPED) != 0));
}
/// <summary>
/// CreateFile wrapper. Desktop only. Prefer File.CreateFile() as it will handle all supported platforms.
/// </summary>
/// <remarks>Not available in Windows Store applications.</remarks>
public unsafe static SafeFileHandle CreateFileW(
string path,
DesiredAccess desiredAccess,
ShareModes shareMode,
CreationDisposition creationDisposition,
FileAttributes fileAttributes = FileAttributes.None,
FileFlags fileFlags = FileFlags.None,
SecurityQosFlags securityQosFlags = SecurityQosFlags.None)
{
uint flags = (uint)fileAttributes | (uint)fileFlags | (uint)securityQosFlags;
SafeFileHandle handle = Imports.CreateFileW(path, desiredAccess, shareMode, lpSecurityAttributes: null, creationDisposition, flags, hTemplateFile: IntPtr.Zero);
if (handle.IsInvalid)
{
throw Error.GetExceptionForLastError(path);
}
return(handle);
}
internal unsafe static (int status, IntPtr handle) CreateFile(
ReadOnlySpan <char> path,
IntPtr rootDirectory,
CreateDisposition createDisposition,
DesiredAccess desiredAccess = DesiredAccess.FILE_GENERIC_READ | DesiredAccess.SYNCHRONIZE,
System.IO.FileShare shareAccess = System.IO.FileShare.ReadWrite | System.IO.FileShare.Delete,
System.IO.FileAttributes fileAttributes = 0,
CreateOptions createOptions = CreateOptions.FILE_SYNCHRONOUS_IO_NONALERT,
ObjectAttributes objectAttributes = ObjectAttributes.OBJ_CASE_INSENSITIVE,
void *eaBuffer = null,
uint eaLength = 0)
{
fixed(char *c = &MemoryMarshal.GetReference(path))
{
UNICODE_STRING name = new UNICODE_STRING
{
Length = checked ((ushort)(path.Length * sizeof(char))),
MaximumLength = checked ((ushort)(path.Length * sizeof(char))),
Buffer = (IntPtr)c
};
OBJECT_ATTRIBUTES attributes = new OBJECT_ATTRIBUTES(
&name,
objectAttributes,
rootDirectory);
int status = NtCreateFile(
out IntPtr handle,
desiredAccess,
ref attributes,
out IO_STATUS_BLOCK statusBlock,
AllocationSize: null,
fileAttributes,
shareAccess,
createDisposition,
createOptions,
eaBuffer,
eaLength);
return(status, handle);
}
}
public void Open(
DesiredAccess fDesiredAccess,
ShareMode fShareMode,
CreationDisposition fCreationDisposition,
FlagsAndAttributes fFlagsAndAttributes)
{
if (_sFileName.Length == 0)
{
throw new ArgumentNullException("FileName");
}
_hFile = CreateFile(_sFileName, fDesiredAccess, fShareMode,
IntPtr.Zero, fCreationDisposition, fFlagsAndAttributes,
IntPtr.Zero);
if (_hFile.IsInvalid)
{
_hFile = null;
ThrowLastWin32Err();
}
_fDisposed = false;
}
public unsafe static IntPtr CreateFileRelative(
ReadOnlySpan <char> path,
IntPtr rootDirectory,
CreateDisposition createDisposition,
DesiredAccess desiredAccess = DesiredAccess.GenericReadWrite | DesiredAccess.Synchronize,
ShareModes shareAccess = ShareModes.ReadWrite,
FileAttributes fileAttributes = FileAttributes.None,
CreateOptions createOptions = CreateOptions.SynchronousIoNonalert,
ObjectAttributes objectAttributes = ObjectAttributes.CaseInsensitive)
{
fixed(char *c = &path.DangerousGetPinnableReference())
{
UNICODE_STRING name = new UNICODE_STRING(c, path.Length);
OBJECT_ATTRIBUTES attributes = new OBJECT_ATTRIBUTES(
&name,
objectAttributes,
rootDirectory,
null,
null);
NTSTATUS status = Imports.NtCreateFile(
out IntPtr handle,
desiredAccess,
ref attributes,
out IO_STATUS_BLOCK statusBlock,
AllocationSize: null,
FileAttributes: fileAttributes,
ShareAccess: shareAccess,
CreateDisposition: createDisposition,
CreateOptions: createOptions,
EaBuffer: null,
EaLength: 0);
if (status != NTSTATUS.STATUS_SUCCESS)
{
throw ErrorMethods.GetIoExceptionForNTStatus(status, path.ToString());
}
return(handle);
}
}
/// <summary>
/// CreateFile wrapper. Desktop only. Prefer FileManagement.CreateFile() as it will handle all supported platforms.
/// </summary>
/// <remarks>Not available in Windows Store applications.</remarks>
public static SafeFileHandle CreateFile(
string path,
DesiredAccess desiredAccess,
ShareMode shareMode,
CreationDisposition creationDisposition,
FileAttributes fileAttributes = FileAttributes.NONE,
FileFlags fileFlags = FileFlags.NONE,
SecurityQosFlags securityQosFlags = SecurityQosFlags.NONE)
{
uint flags = (uint)fileAttributes | (uint)fileFlags | (uint)securityQosFlags;
unsafe
{
SafeFileHandle handle = Direct.CreateFileW(path, desiredAccess, shareMode, null, creationDisposition, flags, IntPtr.Zero);
if (handle.IsInvalid)
{
throw ErrorHelper.GetIoExceptionForLastError(path);
}
return(handle);
}
}
/// <summary>
/// Attempts to report a file access to BuildXL without actually performing any IO
/// </summary>
/// <remarks>
/// Failure means this method was invoked from a process that was not configured to breakaway from the sandbox.
/// The provided path is required to be non-null and rooted
/// </remarks>
public bool TryReportAugmentedFileAccess(
ReportedFileOperation reportedFileOperation,
RequestedAccess requestedAccess,
FileAccessStatus fileAccessStatus,
uint errorCode,
Usn usn,
DesiredAccess desiredAccess,
ShareMode shareMode,
CreationDisposition creationDisposition,
FlagsAndAttributes flagsAndAttributes,
FlagsAndAttributes openedFileOrDirectoryAttributes,
string path,
[CanBeNull] string enumeratePattern = null,
[CanBeNull] string processArgs = null)
{
Contract.Requires(!string.IsNullOrEmpty(path));
if (m_detoursReportHandle == null)
{
return(false);
}
DoReportAccess(
reportedFileOperation,
requestedAccess,
fileAccessStatus,
errorCode,
usn,
desiredAccess,
shareMode,
creationDisposition,
flagsAndAttributes,
openedFileOrDirectoryAttributes,
path,
enumeratePattern,
processArgs);
return(true);
}
public static LzHandle LzCreateFile(
string path,
out string uncompressedName,
DesiredAccess access = DesiredAccess.GenericRead,
ShareModes share = ShareModes.ReadWrite,
CreationDisposition creation = CreationDisposition.OpenExisting)
{
string name = null;
LzHandle handle = null;
BufferHelper.BufferInvoke((StringBuffer buffer) =>
{
buffer.EnsureCharCapacity(Paths.MaxPath);
int result = ValidateLzResult(Imports.LZCreateFileW(path, access, share, creation, buffer), path);
buffer.SetLengthToFirstNull();
name = buffer.ToString();
handle = new LzCreateHandle(result);
});
uncompressedName = name;
return(handle);
}
private static DesiredAccess GetDesiredAccess(FileAccess access, FileMode fileMode, FileOptions options)
{
DesiredAccess result = DesiredAccess.FILE_READ_ATTRIBUTES | DesiredAccess.SYNCHRONIZE; // default values used by CreateFileW
if ((access & FileAccess.Read) != 0)
{
result |= DesiredAccess.FILE_GENERIC_READ;
}
if ((access & FileAccess.Write) != 0)
{
result |= DesiredAccess.FILE_GENERIC_WRITE;
}
if (fileMode == FileMode.Append)
{
result |= DesiredAccess.FILE_APPEND_DATA;
}
if ((options & FileOptions.DeleteOnClose) != 0)
{
result |= DesiredAccess.DELETE; // required by FILE_DELETE_ON_CLOSE
}
return(result);
}
private void DoReportAccess(
ReportedFileOperation reportedFileOperation,
RequestedAccess requestedAccess,
FileAccessStatus fileAccessStatus,
uint errorCode,
Usn usn,
DesiredAccess desiredAccess,
ShareMode shareMode,
CreationDisposition creationDisposition,
FlagsAndAttributes flagsAndAttributes,
string path,
string enumeratePattern,
string processArgs)
{
var process = Process.GetCurrentProcess();
string access = FileAccessReportLine.GetReportLineForAugmentedFileAccess(
reportedFileOperation,
(uint)process.Id,
requestedAccess,
fileAccessStatus,
errorCode,
usn,
desiredAccess,
shareMode,
creationDisposition,
flagsAndAttributes,
path,
enumeratePattern,
processArgs);
if (!FileUtilities.TryWriteFileSync(m_detoursReportHandle, m_encoding.GetBytes(access), out int nativeErrorCode))
{
// Something didn't go as expected. We cannot let the process continue if we failed at reporting an access
throw new NativeWin32Exception(nativeErrorCode, $"Writing augmented file access report failed. Line: {access}");
}
}
public unsafe static IntPtr CreateFileRelative(
ReadOnlySpan <char> path,
IntPtr rootDirectory,
CreateDisposition createDisposition,
DesiredAccess desiredAccess = DesiredAccess.GenericReadWrite | DesiredAccess.Synchronize,
ShareModes shareAccess = ShareModes.ReadWrite,
FileAttributes fileAttributes = FileAttributes.None,
CreateOptions createOptions = CreateOptions.SynchronousIoNonalert,
ObjectAttributes objectAttributes = ObjectAttributes.CaseInsensitive)
{
fixed(char *c = &MemoryMarshal.GetReference(path))
{
var name = new SafeString.Unsafe.UNICODE_STRING(c, path.Length);
var attributes = new Handles.Unsafe.OBJECT_ATTRIBUTES(
&name,
objectAttributes,
rootDirectory,
null,
null);
Imports.NtCreateFile(
out IntPtr handle,
desiredAccess,
ref attributes,
out IO_STATUS_BLOCK statusBlock,
AllocationSize: null,
FileAttributes: fileAttributes,
ShareAccess: shareAccess,
CreateDisposition: createDisposition,
CreateOptions: createOptions,
EaBuffer: null,
EaLength: 0)
.ThrowIfFailed(path.ToString());
return(handle);
}
}
public ReportedFileAccess(
ReportedFileOperation operation,
ReportedProcess process,
RequestedAccess requestedAccess,
FileAccessStatus status,
bool explicitlyReported,
uint error,
Usn usn,
DesiredAccess desiredAccess,
ShareMode shareMode,
CreationDisposition creationDisposition,
FlagsAndAttributes flagsAndAttributes,
FlagsAndAttributes openedFileOrDirectoryAttribute,
AbsolutePath manifestPath,
string path,
string enumeratePattern,
FileAccessStatusMethod fileAccessStatusMethod = FileAccessStatusMethod.PolicyBased)
{
Contract.Requires(process != null);
Operation = operation;
Process = process;
RequestedAccess = requestedAccess;
Status = status;
ExplicitlyReported = explicitlyReported;
Error = error;
Usn = usn;
DesiredAccess = desiredAccess;
ShareMode = shareMode;
CreationDisposition = creationDisposition;
FlagsAndAttributes = flagsAndAttributes;
OpenedFileOrDirectoryAttributes = openedFileOrDirectoryAttribute;
ManifestPath = manifestPath;
Path = path;
EnumeratePattern = enumeratePattern;
Method = fileAccessStatusMethod;
}
public NTCreateAndXRequest(byte[] buffer, int offset, bool isUnicode) : base(buffer, offset, isUnicode)
{
Reserved = ByteReader.ReadByte(this.SMBParameters, 4);
ushort nameLength = LittleEndianConverter.ToUInt16(this.SMBParameters, 5);
Flags = (NTCreateFlags)LittleEndianConverter.ToUInt32(this.SMBParameters, 7);
RootDirectoryFID = LittleEndianConverter.ToUInt32(this.SMBParameters, 11);
DesiredAccess = (DesiredAccess)LittleEndianConverter.ToUInt32(this.SMBParameters, 15);
AllocationSize = LittleEndianConverter.ToUInt64(this.SMBParameters, 19);
ExtFileAttributes = (ExtendedFileAttributes)LittleEndianConverter.ToUInt32(this.SMBParameters, 27);
ShareAccess = (ShareAccess)LittleEndianConverter.ToUInt32(this.SMBParameters, 31);
CreateDisposition = (CreateDisposition)LittleEndianConverter.ToUInt32(this.SMBParameters, 35);
CreateOptions = (CreateOptions)LittleEndianConverter.ToUInt32(this.SMBParameters, 39);
ImpersonationLevel = (ImpersonationLevel)LittleEndianConverter.ToUInt32(this.SMBParameters, 43);
SecurityFlags = (SecurityFlags)ByteReader.ReadByte(this.SMBParameters, 47);
int dataOffset = 0;
if (isUnicode)
{
dataOffset = 1; // 1 byte padding for 2 byte alignment
}
FileName = SMBHelper.ReadSMBString(this.SMBData, dataOffset, isUnicode);
}
private static extern SafeFileHandle CreateFile(string lpFileName, DesiredAccess dwDesiredAccess,
ShareMode dwShareMode, IntPtr lpSecurityAttributes, CreationDisposition dwCreationDisposition,
FlagsAndAttributes dwFlagsAndAttributes, IntPtr hTemplateFile);
private static extern SafeFileHandle CreateFile(string lpFileName, DesiredAccess dwDesiredAccess, ShareMode dwShareMode, IntPtr lpSecurityAttributes, CreationDisposition dwCreationDisposition, FlagsAndAttributes dwFlagsAndAttributes, IntPtr hTemplateFile);
public static SafeFileHandle CreatePhysicalDriveFile(int DriveIndex, DesiredAccess desiredAccess = DesiredAccess.ReadWrite, FileShare fileShare = FileShare.ReadWrite)
{
return(CreateFile(GetCreateFileNamePhysicalDrive(DriveIndex), desiredAccess, fileShare, IntPtr.Zero, FileMode.Open, 0, IntPtr.Zero));
}
static public extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateConsoleScreenBuffer(DesiredAccess DesiredAccess, ShareMode ShareMode, IntPtr SecurityAttributes, ConsoleFlags Flags, IntPtr ScreenBufferData);
/* ---------------------------------------------------------
* Open and Close
* ------------------------------------------------------ */
// [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Administrators")]
private static void Open(string sFileName,
DesiredAccess fDesiredAccess,
ShareMode fShareMode,
CreationDisposition fCreationDisposition,
FlagsAndAttributes fFlagsAndAttributes)
{
//System.Security.Principal.WindowsIdentity.Impersonate( x=new System.Security.Principal.WindowsIdentity(
if (sFileName.Length == 0)
throw new ArgumentNullException("FileName");
_hFile = CreateFile(sFileName, fDesiredAccess, fShareMode,
IntPtr.Zero, fCreationDisposition, fFlagsAndAttributes,
IntPtr.Zero);
if (_hFile.IsInvalid)
{
_hFile = null;
ThrowLastWin32Err();
}
//_fDisposed = false;
}
/* --------------------------------------------------------------------------------------
* Constructors
* -------------------------------------------------------------------------------------- */
public UnmanagedFileLoader(string sFileName, DesiredAccess fDesiredAccess)
{
FileName = sFileName;
Open(fDesiredAccess);
}
internal static bool TryParse(
ref string line,
out uint processId,
out ReportedFileOperation operation,
out RequestedAccess requestedAccess,
out FileAccessStatus status,
out bool explicitlyReported,
out uint error,
out Usn usn,
out DesiredAccess desiredAccess,
out ShareMode shareMode,
out CreationDisposition creationDisposition,
out FlagsAndAttributes flagsAndAttributes,
out AbsolutePath absolutePath,
out string path,
out string enumeratePattern,
out string processArgs,
out string errorMessage)
{
// TODO: Task 138817: Refactor passing and parsing of report data from native to managed code
operation = ReportedFileOperation.Unknown;
requestedAccess = RequestedAccess.None;
status = FileAccessStatus.None;
processId = error = 0;
usn = default;
explicitlyReported = false;
desiredAccess = 0;
shareMode = ShareMode.FILE_SHARE_NONE;
creationDisposition = 0;
flagsAndAttributes = 0;
absolutePath = AbsolutePath.Invalid;
path = null;
enumeratePattern = null;
processArgs = null;
errorMessage = string.Empty;
var i = line.IndexOf(':');
var index = 0;
if (i > 0)
{
var items = line.Substring(i + 1).Split('|');
if (!Operations.TryGetValue(line.Substring(0, i), out operation))
{
// We could consider the report line malformed in this case; but in practice it is easy to forget to update this parser
// after adding a new call. So let's be conservative about throwing the line out so long as we can parse the important bits to follow.
operation = ReportedFileOperation.Unknown;
}
// When the command line arguments of the process are not reported there will be 12 fields
// When command line arguments are included, everything after the 12th field is the command line argument
// Command line arguments are only reported when the reported file operation is Process
if (operation == ReportedFileOperation.Process)
{
// Make sure the formatting happens only if the condition is false.
if (items.Length < 12)
{
errorMessage = I($"Unexpected message items (potentially due to pipe corruption) for {operation.ToString()} operation. Message '{line}'. Expected >= 12 items, Received {items.Length} items");
return(false);
}
}
else
{
// An ill behaved tool can try to do GetFileAttribute on a file with '|' char. This will result in a failure of the API, but we get a report for the access.
// Allow that by handling such case.
// In Office build there is a call to GetFileAttribute with a small xml document as a file name.
if (items.Length < 12)
{
errorMessage = I($"Unexpected message items (potentially due to pipe corruption) for {operation.ToString()} operation. Message '{line}'. Expected >= 12 items, Received {items.Length} items");
return(false);
}
}
if (
uint.TryParse(items[index++], NumberStyles.HexNumber, CultureInfo.InvariantCulture, out processId) &&
uint.TryParse(items[index++], NumberStyles.HexNumber, CultureInfo.InvariantCulture, out var requestedAccessValue) &&
uint.TryParse(items[index++], NumberStyles.HexNumber, CultureInfo.InvariantCulture, out var statusValue) &&
uint.TryParse(items[index++], NumberStyles.HexNumber, CultureInfo.InvariantCulture, out var explicitlyReportedValue) &&
uint.TryParse(items[index++], NumberStyles.HexNumber, CultureInfo.InvariantCulture, out error) &&
ulong.TryParse(items[index++], NumberStyles.HexNumber, CultureInfo.InvariantCulture, out var usnValue) &&
uint.TryParse(items[index++], NumberStyles.HexNumber, CultureInfo.InvariantCulture, out var desiredAccessValue) &&
uint.TryParse(items[index++], NumberStyles.HexNumber, CultureInfo.InvariantCulture, out var shareModeValue) &&
uint.TryParse(items[index++], NumberStyles.HexNumber, CultureInfo.InvariantCulture, out var creationDispositionValue) &&
uint.TryParse(items[index++], NumberStyles.HexNumber, CultureInfo.InvariantCulture, out var flagsAndAttributesValue) &&
uint.TryParse(items[index++], NumberStyles.HexNumber, CultureInfo.InvariantCulture, out var absolutePathValue))
{
if (statusValue > (uint)FileAccessStatus.CannotDeterminePolicy)
{
errorMessage = I($"Unknown file access status '{statusValue}'");
return(false);
}
if (requestedAccessValue > (uint)RequestedAccess.All)
{
errorMessage = I($"Unknown requested access '{requestedAccessValue}'");
return(false);
}
requestedAccess = (RequestedAccess)requestedAccessValue;
status = (FileAccessStatus)statusValue;
explicitlyReported = explicitlyReportedValue != 0;
desiredAccess = (DesiredAccess)desiredAccessValue;
shareMode = (ShareMode)shareModeValue;
creationDisposition = (CreationDisposition)creationDispositionValue;
flagsAndAttributes = (FlagsAndAttributes)flagsAndAttributesValue;
absolutePath = new AbsolutePath(unchecked ((int)absolutePathValue));
path = items[index++];
// Detours is only guaranteed to sent at least 12 items, so here (since we are at index 12), we must check if this item is included
enumeratePattern = index < items.Length ? items[index++] : null;
if (requestedAccess != RequestedAccess.Enumerate)
{
// If the requested access is not enumeration, enumeratePattern does not matter.
enumeratePattern = null;
}
if ((operation == ReportedFileOperation.Process) && (items.Length > index))
{
processArgs = items[index++];
while (index < items.Length)
{
processArgs += "|";
processArgs += items[index++];
}
}
else
{
processArgs = string.Empty;
}
usn = new Usn(usnValue);
Contract.Assert(index <= items.Length);
return(true);
}
}
return(false);
}
private bool TryParseAugmentedFileAccess(
ref string data,
out uint processId,
out ReportedFileOperation operation,
out RequestedAccess requestedAccess,
out FileAccessStatus status,
out bool explicitlyReported,
out uint error,
out Usn usn,
out DesiredAccess desiredAccess,
out ShareMode shareMode,
out CreationDisposition creationDisposition,
out FlagsAndAttributes flagsAndAttributes,
out AbsolutePath manifestPath,
out string path,
out string enumeratePattern,
out string processArgs,
out string errorMessage)
{
// An augmented file access has the same structure as a regular one, so let's call
// the usual parser
var result = FileAccessReportLine.TryParse(
ref data,
out processId,
out operation,
out requestedAccess,
out status,
out explicitlyReported,
out error,
out usn,
out desiredAccess,
out shareMode,
out creationDisposition,
out flagsAndAttributes,
out manifestPath,
out path,
out enumeratePattern,
out processArgs,
out errorMessage);
// Augmented file accesses never have the manifest path set, since there is no easy access to the manifest for
// processes to use.
// Let's recreate the manifest path based on the current path and manifest
// The manifest may have its own path table after deserialization, so make sure we use the right one
if (string.IsNullOrEmpty(path) || !AbsolutePath.TryCreate(m_manifest.PathTable, path, out var absolutePath))
{
return(result);
}
var success = m_manifest.TryFindManifestPathFor(absolutePath, out AbsolutePath computedManifestPath, out FileAccessPolicy policy);
// If the manifest specified to not report any accesses, then we just ignore this report line
// We could impose trusted tools the responsibility of knowing this (and not reporting these accesses), but
// this type of coordination is hard to achieve
if ((policy & FileAccessPolicy.ReportAccess) == 0)
{
path = null;
return(true);
}
// If there is no explicit policy for this path, just keep the manifest path as it came from the report
if (!success)
{
return(result);
}
manifestPath = computedManifestPath;
return(result);
}
/// <inheritdoc/>
public override void HandleFileAccess(long pipId, string pipDescription, ReportedFileOperation operation, RequestedAccess requestedAccess, FileAccessStatus status, bool explicitlyReported, uint processId, uint error, DesiredAccess desiredAccess, ShareMode shareMode, CreationDisposition creationDisposition, FlagsAndAttributes flagsAndAttributes, string path, string processArgs)
{
if (AbsolutePath.TryCreate(m_pathTable, path, out AbsolutePath absolutePath))
{
m_fileAccessPaths.Add(absolutePath);
}
m_allFileAccessPaths.Add(path);
}
public static extern SafeProcessHandle OpenProcess(
[In, MarshalAs(UnmanagedType.U4)] DesiredAccess desiredAccess,
[In, MarshalAs(UnmanagedType.Bool)] bool inheritHandle,
[In, MarshalAs(UnmanagedType.U4)] uint processId);
public static extern IntPtr CreateFile(string Name, DesiredAccess Access, FileShare ShareMode, IntPtr Sec, FileMode CrDisp, FileAttributes FlagsAttrs, IntPtr Template);
public static extern IntPtr CreateFile(string FileName, DesiredAccess da, ShareMode sm, IntPtr SecurityAttributesZero, CreateDisposition cd, FlagsAndAttributes fa, IntPtr TemplateFileZero);
public UnmanagedFileLoader(string sFileName, DesiredAccess fDesiredAccess,
CreationDisposition fCreationDisposition)
{
FileName = sFileName;
Open(fDesiredAccess, fCreationDisposition);
}
public static extern IntPtr ReOpenFile(
SafeFileHandle hOriginalFile,
DesiredAccess dwDesiredAccess,
ShareModes dwShareMode,
uint dwFlags);
/* --------------------------------------------------------------------------------------
* Open/Close
* -------------------------------------------------------------------------------------- */
public void Open(DesiredAccess fDesiredAccess)
{
Open(fDesiredAccess, CreationDisposition.OPEN_EXISTING);
}
public static IntPtr CreateFile(string Name, DesiredAccess Access)
{
return(CreateFile(Name, Access, FileShare.ReadWrite, IntPtr.Zero, FileMode.Open, FileAttributes.Normal, IntPtr.Zero));
}
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFile(string Filename, DesiredAccess dwDesiredAccess, ShareMode dwShareMode, IntPtr lpSecurityAttributes, CreationDispositionType CreationDisposition, uint FlagsAndAttributes, IntPtr TemplateFile);
