Uncovering truly hidden files under NTFS: the mystery of "streams"
[Author: Lu Lin Add Time: 2001-9-4 14:21:15]
Source: http://lu0.126.com
NTFS supports a special concept called a "stream". What is a stream? First, look at the definition of "stream":

Stream
A sequence of bits, bytes, or other small structurally uniform units.

In other words, a stream is a sequence of bits or of small, uniform structural units. Of course, "small uniform structural units" does not mean they must follow one fixed format.

A stream lives inside a file, and you can store binary data, text or anything else in it, just as in a file. Whatever a file can hold, a stream can hold. But a stream also differs from a file: each stream has to be opened with its own CreateFile(...) call, and opening the file does not open its streams.

The stream name is separated from the file name by ':'. For example, in ABC:a, ABC is the file name and a is the stream name. From the command line, streams can be written with the following simple method:

    echo stream1> ABC:stream1
    echo stream2> ABC:stream2

Now ABC has two streams in total, :stream1 and :stream2.
A stream can be read with:

    more < ABC:stream1
    more < ABC:stream2

This prints the content. From a program, use CreateFile("ABC:stream1", ...); after that, operations are the same as on a file.

So why use a stream? The benefit of a stream is that it is hidden. Windows NT does not have any tool that reveals the existence of a stream. Let's look:

    C:\>echo "hi reader"> xx.txt:MyStream
    C:\>dir xx.txt
     Volume in drive C is Wizard
     Volume Serial Number is 40E5-92D4

     Directory of C:\

    03/18/98  08:36a                     0 xx.txt
                   1 File(s)              0 bytes
                   0 Dir(s)   3,399,192,576 bytes free

That is the benefit: the file shows as 0 bytes and the stream does not appear at all. This is why an article from the Green Corps that introduced streams called them the most deeply hidden file storage format. They are well hidden, but only because NT does not provide a tool for them.

We can still discover that a stream exists. Inside Programming provides everyone with stream.exe, a tool that shows which files contain streams and lists the names of all of their streams. Of course, NT provides an API, BackupRead(...), for reading them. Since this is Inside Programming, introducing that API would clearly not offer much additional help, so what is introduced here is a native API instead: NtQueryInformationFile(...). The stream-related part of that API is given below:

    /*
     * StreamInfo.h
     * Author: lulin
     * Date: 2000.8.25
     * Abstract: Interface to NtQueryInformationFile, stream portion.
     */
    #ifndef __streamInfo_h__
    #define __streamInfo_h__

    #include <windows.h>

    extern "C" {

    typedef long NTSTATUS;

    typedef struct _IO_STATUS_BLOCK {
        union {
            NTSTATUS Status;
            PVOID    Pointer;
        };
        ULONG_PTR Information;   /* bytes written to the output buffer */
    } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

    typedef struct {             // information class 22
        ULONG         NextEntryOffset;   /* 0 marks the last entry */
        ULONG         StreamNameLength;  /* in bytes, not characters */
        LARGE_INTEGER EndOfStream;
        LARGE_INTEGER AllocationSize;
        WCHAR         StreamName[1];     /* not NUL-terminated */
    } FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;

    __declspec(dllimport) NTSTATUS __stdcall NtQueryInformationFile(
        HANDLE           FileHandle,
        PIO_STATUS_BLOCK IoStatusBlock,
        PVOID            FileInformation,
        ULONG            FileInformationLength,
        int              FileInformationClass
    );

    }
    #endif // __streamInfo_h__

When NTFS actually stores a stream, it appends :$DATA to the name. For example, ABC:stream1 is stored as :stream1:$DATA, so strip :$DATA from the query results.

I will not discuss how stream.exe works in detail here. Friends who need the source program can purchase it for 20 yuan per copy. For payment information, see the Utility page.