Obtain file name from volume offset or sector (Windows)

1.6k views

I am developing an upper volume filter driver; it monitors the read/write blocks of the volume. I am getting the volume offset and the first sector (LBA) from it when any read/write happens. How can I obtain the file name from the volume offset or first sector using C/C++? Any kind of help is appreciated. Thanks in advance.

2

There are 2 answers

0
Bruno Martinez On

FSCTL_LOOKUP_STREAM_FROM_CLUSTER does what you want but it's slow.

14
Harry Johnston On

It is almost possible, sort of. You can enumerate all the files on a volume using this code. (Warning: some of the printf functions use %lu when they should be using %I64u, so some of the information being printed is wrong, most notably the file reference numbers; I believe the main logic is OK though.)

For each file you find, you can use FSCTL_GET_RETRIEVAL_POINTERS to find its location on disk.

So you could build a database ahead of time. You could keep it mostly up to date using FSCTL_READ_USN_JOURNAL rather than having to constantly rescan the entire disk.

However, even having identified the file that used to be at a given location, you would then need to check it again in case it has been moved. The USN journal probably does not record when files are relocated on the disk without being logically modified.

And, even then, there's no guarantee that the file wasn't moved away and then moved back before you checked it. Or a file might be created and then deleted again before you have a chance to collect any data for it at all.

So, basically: No. You can't do that.

(There may be some scenarios where another solution is possible. For example, if your driver can snapshot the contents of the volume at the point of interest, you could examine the snapshot to determine the file in question. You'd have to include your own NTFS stack, though. You might be able to borrow the NTFS code from Linux. Basically still more effort than it is likely to be worth.)
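The answer above sketches an index built ahead of time from FSCTL_GET_RETRIEVAL_POINTERS and then queried by volume offset. The following is an added example in C of what that index looks like; it is not code from the question or from either answer. The names `index_add_file`, `index_lookup`, `index_add_path` and `sample_lookup` are hypothetical, the file list and cluster size are assumed to come from elsewhere (the MFT enumeration the answer mentions, and GetDiskFreeSpace or similar), and the extent runs inside `sample_lookup()` are constructed, not read from a real volume. Only `index_add_path`, which issues the actual DeviceIoControl call, is Windows-specific; treating ERROR_HANDLE_EOF as "resident or empty file, no runs" is an assumption about that ioctl. The rest compiles anywhere.

```c
/* Added example, not code from the question or the answers: index file cluster runs as
 * FSCTL_GET_RETRIEVAL_POINTERS returns them, then resolve a volume byte offset to a file.
 * Assumed: the caller already has the file list (e.g. from MFT enumeration) and the cluster
 * size; the runs inside sample_lookup() are constructed, not read from a real volume. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winioctl.h>
#endif

typedef struct { int64_t NextVcn; int64_t Lcn; } VcnLcnExtent;  /* one Extents[] element */
typedef struct { const char *name; int64_t lcn_start, lcn_end; } ExtentEntry;  /* [start, end) */
#define MAX_EXTENTS 256
/* cluster_size is bytes per cluster, e.g. from GetDiskFreeSpace */
typedef struct { ExtentEntry e[MAX_EXTENTS]; size_t count; uint32_t cluster_size; } ExtentIndex;

/* Extents[i] covers VCNs [previous NextVcn, NextVcn) starting at Lcn; the first run begins at
 * starting_vcn. Lcn == -1 is an unallocated (sparse) run that occupies no disk clusters. */
int index_add_file(ExtentIndex *ix, const char *name, int64_t starting_vcn,
                   const VcnLcnExtent *ext, size_t n)
{
    int64_t vcn = starting_vcn;
    for (size_t i = 0; i < n; i++) {
        int64_t len = ext[i].NextVcn - vcn;
        if (len <= 0) return -1;                 /* malformed: VCNs must strictly increase */
        if (ext[i].Lcn != -1) {
            if (ix->count >= MAX_EXTENTS) return -1;
            ExtentEntry *o = &ix->e[ix->count++];
            o->name = name; o->lcn_start = ext[i].Lcn; o->lcn_end = ext[i].Lcn + len;
        }
        vcn = ext[i].NextVcn;
    }
    return 0;
}

/* Byte offset from the start of the volume -> owning file, or NULL (free space, metadata, or a
 * file changed since the scan: the answer is only as fresh as the index's last update). */
const char *index_lookup(const ExtentIndex *ix, uint64_t volume_offset)
{
    int64_t lcn = (int64_t)(volume_offset / ix->cluster_size);
    for (size_t i = 0; i < ix->count; i++)
        if (lcn >= ix->e[i].lcn_start && lcn < ix->e[i].lcn_end) return ix->e[i].name;
    return NULL;
}

#ifdef _WIN32
/* Windows only: fetch one file's runs with FSCTL_GET_RETRIEVAL_POINTERS, repeating the ioctl
 * while it reports ERROR_MORE_DATA and resuming from the last NextVcn it returned. */
int index_add_path(ExtentIndex *ix, const char *path)   /* path must outlive the index */
{
    HANDLE h = CreateFileA(path, FILE_READ_ATTRIBUTES, FILE_SHARE_READ | FILE_SHARE_WRITE |
                           FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if (h == INVALID_HANDLE_VALUE) return -1;
    STARTING_VCN_INPUT_BUFFER in; in.StartingVcn.QuadPart = 0;
    unsigned char buf[4096]; VcnLcnExtent tmp[MAX_EXTENTS];  /* ~250 extents per call */
    DWORD got; BOOL ok; int rc = 0;
    do {
        ok = DeviceIoControl(h, FSCTL_GET_RETRIEVAL_POINTERS, &in, sizeof in,
                             buf, sizeof buf, &got, NULL);
        if (!ok && GetLastError() == ERROR_HANDLE_EOF) break;  /* assumed: resident/empty, no runs */
        if (!ok && GetLastError() != ERROR_MORE_DATA) { rc = -1; break; }
        RETRIEVAL_POINTERS_BUFFER *rp = (RETRIEVAL_POINTERS_BUFFER *)buf;
        if (rp->ExtentCount > MAX_EXTENTS || (!ok && rp->ExtentCount == 0)) { rc = -1; break; }
        for (DWORD i = 0; i < rp->ExtentCount; i++) {
            tmp[i].NextVcn = rp->Extents[i].NextVcn.QuadPart;
            tmp[i].Lcn = rp->Extents[i].Lcn.QuadPart;
        }
        if (index_add_file(ix, path, rp->StartingVcn.QuadPart, tmp, rp->ExtentCount)) { rc = -1; break; }
        if (rp->ExtentCount) in.StartingVcn.QuadPart = tmp[rp->ExtentCount - 1].NextVcn;
    } while (!ok);                               /* !ok here means ERROR_MORE_DATA */
    CloseHandle(h);
    return rc;
}
#endif

/* Constructed sample: three files on a 4096-byte-cluster volume; file C starts with a hole. */
const char *sample_lookup(uint64_t volume_offset)
{
    static ExtentIndex ix; static int ready;
    if (!ready) {
        static const VcnLcnExtent a[] = { {4, 100}, {8, 300} };  /* A: LCN 100..103, 300..303 */
        static const VcnLcnExtent b[] = { {2, 104} };            /* B: LCN 104..105 */
        static const VcnLcnExtent c[] = { {3, -1}, {5, 500} };   /* C: 3-VCN hole, then 500..501 */
        ix.cluster_size = 4096;
        index_add_file(&ix, "A", 0, a, 2);
        index_add_file(&ix, "B", 0, b, 1);
        index_add_file(&ix, "C", 0, c, 2);
        ready = 1;
    }
    return index_lookup(&ix, volume_offset);
}

int main(void)
{
    const uint64_t probes[] = { 101ULL * 4096 + 10, 105ULL * 4096, 200ULL * 4096, 501ULL * 4096 };
    for (size_t i = 0; i < 4; i++)
        printf("offset %llu -> %s\n", (unsigned long long)probes[i],
               sample_lookup(probes[i]) ? sample_lookup(probes[i]) : "(no file)");
    return 0;
}
```

Two things the example makes concrete about the answer's caveats. First, a hit in the index only tells you which file owned that cluster when the runs were read; a filter driver that wants certainty has to re-query the file's runs on each hit, and even that races with NTFS relocating the file in between. Second, an offset that falls in a sparse hole, in free space, or in metadata such as the MFT returns NULL, so an index built from user files alone never explains every I/O the driver sees. The linear scan in `index_lookup` is fine for a demonstration; a real index over a whole volume would keep the entries sorted by `lcn_start` and binary-search them. FSCTL_LOOKUP_STREAM_FROM_CLUSTER, from the other answer, is the file system doing this reverse lookup for you without a prebuilt index, at the cost that answer notes.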