Added directory change notification support with async.

tyranid · tyranid · commit 655c3bbbec19 · 2020-02-09T17:34:49.000-08:00
diff --git a/NtApiDotNet/NtFile.cs b/NtApiDotNet/NtFile.cs
@@ -358,6 +358,28 @@ private NtResult<FileBasicInformation> QueryBasicInformation(bool throw_on_error
             return Query(FileInformationClass.FileBasicInformation, new FileBasicInformation(), throw_on_error);
         }
 
+        private static IEnumerable<DirectoryChangeNotification> ReadNotifications(SafeHGlobalBuffer buffer, IoStatus status)
+        {
+            List<DirectoryChangeNotification> ns = new List<DirectoryChangeNotification>();
+
+            // Change buffer size to reflect what's in the buffer.
+            buffer.Initialize((uint)status.Information32);
+
+            int offset = 0;
+            while (offset < buffer.Length)
+            {
+                var info = buffer.GetStructAtOffset<FileNotifyInformation>(offset);
+                var result = info.Result;
+                ns.Add(new DirectoryChangeNotification(result.Action, info.Data.ReadUnicodeString(result.FileNameLength / 2)));
+                if (result.NextEntryOffset == 0)
+                {
+                    break;
+                }
+                offset += result.NextEntryOffset;
+            }
+            return ns.AsReadOnly();
+        }
+
         #endregion
 
         #region Static Methods
@@ -3249,6 +3271,99 @@ public IEnumerable<string> FindFilesBySid(Sid sid)
             }
         }
 
+        /// <summary>
+        /// Get change notifications.
+        /// </summary>
+        /// <param name="completion_filter">The filter of events to watch for.</param>
+        /// <param name="watch_subtree">True to watch all sub directories.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The list of changes.</returns>
+        public NtResult<IEnumerable<DirectoryChangeNotification>> GetChangeNotification(
+            DirectoryChangeNotifyFilter completion_filter, bool watch_subtree, bool throw_on_error)
+        {
+            using (NtAsyncResult result = new NtAsyncResult(this))
+            {
+                using (var buffer = new SafeHGlobalBuffer(4096))
+                {
+                    return result.CompleteCall(NtSystemCalls.NtNotifyChangeDirectoryFile(
+                        Handle, result.EventHandle, IntPtr.Zero, IntPtr.Zero, result.IoStatusBuffer,
+                        buffer, buffer.Length, completion_filter, watch_subtree))
+                        .CreateResult(throw_on_error, () => ReadNotifications(buffer, result.IoStatusBuffer.Result));
+                }
+            }
+        }
+
+        /// <summary>
+        /// Get change notifications.
+        /// </summary>
+        /// <param name="completion_filter">The filter of events to watch for.</param>
+        /// <param name="watch_subtree">True to watch all sub directories.</param>
+        /// <returns>The list of changes.</returns>
+        public IEnumerable<DirectoryChangeNotification> GetChangeNotification(DirectoryChangeNotifyFilter completion_filter, bool watch_subtree)
+        {
+            return GetChangeNotification(completion_filter, watch_subtree, true).Result;
+        }
+
+        /// <summary>
+        /// Get change notifications.
+        /// </summary>
+        /// <param name="completion_filter">The filter of events to watch for.</param>
+        /// <param name="watch_subtree">True to watch all sub directories.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <param name="token">Cancellation token.</param>
+        /// <returns>The list of changes.</returns>
+        public async Task<NtResult<IEnumerable<DirectoryChangeNotification>>> GetChangeNotificationAsync(
+            DirectoryChangeNotifyFilter completion_filter, bool watch_subtree, CancellationToken token, bool throw_on_error)
+        {
+            using (var buffer = new SafeHGlobalBuffer(4096))
+            {
+                var status = await RunFileCallAsync(result => NtSystemCalls.NtNotifyChangeDirectoryFile(
+                        Handle, result.EventHandle, IntPtr.Zero, IntPtr.Zero, result.IoStatusBuffer,
+                        buffer, buffer.Length, completion_filter, watch_subtree), token, throw_on_error);
+                return status.Map(r => ReadNotifications(buffer, r));
+            }
+        }
+
+        /// <summary>
+        /// Get change notifications.
+        /// </summary>
+        /// <param name="completion_filter">The filter of events to watch for.</param>
+        /// <param name="watch_subtree">True to watch all sub directories.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The list of changes.</returns>
+        public Task<NtResult<IEnumerable<DirectoryChangeNotification>>> GetChangeNotificationAsync(
+            DirectoryChangeNotifyFilter completion_filter, bool watch_subtree, bool throw_on_error)
+        {
+            return GetChangeNotificationAsync(completion_filter, watch_subtree, CancellationToken.None, throw_on_error);
+        }
+
+        /// <summary>
+        /// Get change notifications.
+        /// </summary>
+        /// <param name="completion_filter">The filter of events to watch for.</param>
+        /// <param name="watch_subtree">True to watch all sub directories.</param>
+        /// <param name="token">Cancellation token.</param>
+        /// <returns>The list of changes.</returns>
+        public async Task<IEnumerable<DirectoryChangeNotification>> GetChangeNotificationAsync(
+            DirectoryChangeNotifyFilter completion_filter, bool watch_subtree, CancellationToken token)
+        {
+            var result = await GetChangeNotificationAsync(completion_filter, watch_subtree, token, true);
+            return result.Result;
+        }
+
+        /// <summary>
+        /// Get change notifications.
+        /// </summary>
+        /// <param name="completion_filter">The filter of events to watch for.</param>
+        /// <param name="watch_subtree">True to watch all sub directories.</param>
+        /// <param name="token">Cancellation token.</param>
+        /// <returns>The list of changes.</returns>
+        public Task<IEnumerable<DirectoryChangeNotification>> GetChangeNotificationAsync(
+            DirectoryChangeNotifyFilter completion_filter, bool watch_subtree)
+        {
+            return GetChangeNotificationAsync(completion_filter, watch_subtree, CancellationToken.None);
+        }
+
         /// <summary>
         /// Method to query information for this object type.
         /// </summary>
diff --git a/NtApiDotNet/NtFileNative.cs b/NtApiDotNet/NtFileNative.cs
@@ -254,6 +254,19 @@ public static extern NtStatus NtReplacePartitionUnit(UnicodeString TargetInstanc
         [DllImport("ntdll.dll")]
         public static extern NtStatus NtCancelSynchronousIoFile(SafeKernelObjectHandle ThreadHandle, 
             [In] SafeIoStatusBuffer IoRequestToCancel, [Out] IoStatus IoStatusBlock);
+
+        [DllImport("ntdll.dll")]
+        public static extern NtStatus NtNotifyChangeDirectoryFile(
+            SafeKernelObjectHandle FileHandle,
+            SafeKernelObjectHandle Event,
+            IntPtr ApcRoutine,
+            IntPtr ApcContext,
+            SafeIoStatusBuffer IoStatusBlock,
+            SafeBuffer Buffer,
+            int BufferSize,
+            DirectoryChangeNotifyFilter CompletionFilter,
+            bool WatchTree
+        );
     }
 
     public static partial class NtRtl
@@ -1408,5 +1421,55 @@ public struct FileCaseSensitiveInformation
         public FileCaseSensitiveFlags Flags;
     }
 
+
+    [Flags]
+    public enum DirectoryChangeNotifyFilter
+    {
+        None = 0,
+        FileName = 0x00000001,
+        DirName = 0x00000002,
+        Attributes = 0x00000004,
+        Size = 0x00000008,
+        LastWrite = 0x00000010,
+        LastAccess = 0x00000020,
+        Creation = 0x00000040,
+        Ea = 0x00000080,
+        Security = 0x00000100,
+        StreamName = 0x00000200,
+        StreamSize = 0x00000400,
+        StreamWrite = 0x00000800,
+        All = 0x00000FFF
+    }
+
+    public enum FileNotificationAction
+    {
+        Added = 1,
+        Removed = 2,
+        Modified = 3,
+        RenamedOldName = 4,
+        RenamedNewName = 5,
+    }
+
+    [StructLayout(LayoutKind.Sequential), DataStart("FileName")]
+    public struct FileNotifyInformation
+    {
+        public int NextEntryOffset;
+        public FileNotificationAction Action;
+        public int FileNameLength;
+        public char FileName;
+    }
+
+    public class DirectoryChangeNotification
+    {
+        public FileNotificationAction Action { get; }
+        public string FileName { get; }
+
+        internal DirectoryChangeNotification(FileNotificationAction action, string file_name)
+        {
+            Action = action;
+            FileName = file_name;
+        }
+    }
+
 #pragma warning restore 1591
 }
