Added support for extended change notifications.

Author: tyranid

NtApiDotNet/NtFile.cs

@@ -370,7 +370,29 @@ private static IEnumerable<DirectoryChangeNotification> ReadNotifications(SafeHG
             {
                 var info = buffer.GetStructAtOffset<FileNotifyInformation>(offset);
                 var result = info.Result;
-                ns.Add(new DirectoryChangeNotification(result.Action, info.Data.ReadUnicodeString(result.FileNameLength / 2)));
+                ns.Add(new DirectoryChangeNotification(info));
+                if (result.NextEntryOffset == 0)
+                {
+                    break;
+                }
+                offset += result.NextEntryOffset;
+            }
+            return ns.AsReadOnly();
+        }
+
+        private static IEnumerable<DirectoryChangeNotificationExtended> ReadExtendedNotifications(SafeHGlobalBuffer buffer, IoStatus status)
+        {
+            List<DirectoryChangeNotificationExtended> ns = new List<DirectoryChangeNotificationExtended>();
+
+            // Change buffer size to reflect what's in the buffer.
+            buffer.Initialize((uint)status.Information32);
+
+            int offset = 0;
+            while (offset < buffer.Length)
+            {
+                var info = buffer.GetStructAtOffset<FileNotifyExtendedInformation>(offset);
+                var result = info.Result;
+                ns.Add(new DirectoryChangeNotificationExtended(info));
                 if (result.NextEntryOffset == 0)
                 {
                     break;
@@ -2788,8 +2810,9 @@ public void CancelIo()
         /// <summary>
         /// Get the extended attributes of a file.
         /// </summary>
+        /// <param name="throw_on_error">True to throw on error.</param>
         /// <returns>The extended attributes, empty if no extended attributes.</returns>
-        public EaBuffer GetEa()
+        public NtResult<EaBuffer> GetEa(bool throw_on_error)
         {
             int ea_size = 1024;
             while (true)
@@ -2804,30 +2827,51 @@ public EaBuffer GetEa()
                 }
                 else if (status.IsSuccess())
                 {
-                    return new EaBuffer(buffer);
+                    return new EaBuffer(buffer).CreateResult();
                 }
                 else if (status == NtStatus.STATUS_NO_EAS_ON_FILE)
                 {
-                    return new EaBuffer();
+                    return new EaBuffer().CreateResult();
                 }
                 else
                 {
-                    throw new NtException(status);
+                    return status.CreateResultFromError<EaBuffer>(throw_on_error);
                 }
             }
         }
 
+        /// <summary>
+        /// Get the extended attributes of a file.
+        /// </summary>
+        /// <returns>The extended attributes, empty if no extended attributes.</returns>
+        public EaBuffer GetEa()
+        {
+            return GetEa(true).Result;
+        }
+
         /// <summary>
         /// Set the extended attributes for a file.
         /// </summary>
         /// <param name="ea">The EA buffer to set.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
         /// <remarks>This will add entries if they no longer exist, 
         /// remove entries if the data is empty or update existing entires.</remarks>
-        public void SetEa(EaBuffer ea)
+        public NtStatus SetEa(EaBuffer ea, bool throw_on_error)
         {
             byte[] ea_buffer = ea.ToByteArray();
             IoStatus io_status = new IoStatus();
-            NtSystemCalls.NtSetEaFile(Handle, io_status, ea_buffer, ea_buffer.Length).ToNtException();
+            return NtSystemCalls.NtSetEaFile(Handle, io_status, ea_buffer, ea_buffer.Length).ToNtException(throw_on_error);
+        }
+
+        /// <summary>
+        /// Set the extended attributes for a file.
+        /// </summary>
+        /// <param name="ea">The EA buffer to set.</param>
+        /// <remarks>This will add entries if they no longer exist, 
+        /// remove entries if the data is empty or update existing entires.</remarks>
+        public void SetEa(EaBuffer ea)
+        {
+            SetEa(ea, true);
         }
 
         /// <summary>
@@ -2900,13 +2944,22 @@ public bool IsAccessGranted(FileDirectoryAccessRights access)
             return IsAccessMaskGranted(access);
         }
 
+        /// <summary>
+        /// Get the cached signing level for a file.
+        /// </summary>
+        /// <returns>The cached signing level.</returns>
+        public NtResult<CachedSigningLevel> GetCachedSigningLevel(bool throw_on_error)
+        {
+            return NtSecurity.GetCachedSigningLevel(Handle, throw_on_error);
+        }
+
         /// <summary>
         /// Get the cached signing level for a file.
         /// </summary>
         /// <returns>The cached signing level.</returns>
         public CachedSigningLevel GetCachedSigningLevel()
         {
-            return NtSecurity.GetCachedSigningLevel(Handle);
+            return GetCachedSigningLevel(true).Result;
         }
 
         /// <summary>
@@ -3356,14 +3409,114 @@ public async Task<IEnumerable<DirectoryChangeNotification>> GetChangeNotificatio
         /// </summary>
         /// <param name="completion_filter">The filter of events to watch for.</param>
         /// <param name="watch_subtree">True to watch all sub directories.</param>
-        /// <param name="token">Cancellation token.</param>
         /// <returns>The list of changes.</returns>
         public Task<IEnumerable<DirectoryChangeNotification>> GetChangeNotificationAsync(
             DirectoryChangeNotifyFilter completion_filter, bool watch_subtree)
         {
             return GetChangeNotificationAsync(completion_filter, watch_subtree, CancellationToken.None);
         }
 
+
+        /// <summary>
+        /// Get extended change notifications.
+        /// </summary>
+        /// <param name="completion_filter">The filter of events to watch for.</param>
+        /// <param name="watch_subtree">True to watch all sub directories.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The list of changes.</returns>
+        [SupportedVersion(SupportedVersion.Windows10_RS3)]
+        public NtResult<IEnumerable<DirectoryChangeNotificationExtended>> GetChangeNotificationEx(
+            DirectoryChangeNotifyFilter completion_filter, bool watch_subtree, bool throw_on_error)
+        {
+            using (NtAsyncResult result = new NtAsyncResult(this))
+            {
+                using (var buffer = new SafeHGlobalBuffer(8192))
+                {
+                    return result.CompleteCall(NtSystemCalls.NtNotifyChangeDirectoryFileEx(
+                        Handle, result.EventHandle, IntPtr.Zero, IntPtr.Zero, result.IoStatusBuffer,
+                        buffer, buffer.Length, completion_filter, watch_subtree, 
+                        DirectoryNotifyInformationClass.DirectoryNotifyExtendedInformation))
+                        .CreateResult(throw_on_error, () => ReadExtendedNotifications(buffer, result.IoStatusBuffer.Result));
+                }
+            }
+        }
+
+        /// <summary>
+        /// Get change notifications.
+        /// </summary>
+        /// <param name="completion_filter">The filter of events to watch for.</param>
+        /// <param name="watch_subtree">True to watch all sub directories.</param>
+        /// <returns>The list of changes.</returns>
+        [SupportedVersion(SupportedVersion.Windows10_RS3)]
+        public IEnumerable<DirectoryChangeNotificationExtended> GetChangeNotificationEx(DirectoryChangeNotifyFilter completion_filter, bool watch_subtree)
+        {
+            return GetChangeNotificationEx(completion_filter, watch_subtree, true).Result;
+        }
+
+        /// <summary>
+        /// Get change notifications.
+        /// </summary>
+        /// <param name="completion_filter">The filter of events to watch for.</param>
+        /// <param name="watch_subtree">True to watch all sub directories.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <param name="token">Cancellation token.</param>
+        /// <returns>The list of changes.</returns>
+        [SupportedVersion(SupportedVersion.Windows10_RS3)]
+        public async Task<NtResult<IEnumerable<DirectoryChangeNotificationExtended>>> GetChangeNotificationExAsync(
+            DirectoryChangeNotifyFilter completion_filter, bool watch_subtree, CancellationToken token, bool throw_on_error)
+        {
+            using (var buffer = new SafeHGlobalBuffer(8192))
+            {
+                var status = await RunFileCallAsync(result => NtSystemCalls.NtNotifyChangeDirectoryFileEx(
+                        Handle, result.EventHandle, IntPtr.Zero, IntPtr.Zero, result.IoStatusBuffer,
+                        buffer, buffer.Length, completion_filter, watch_subtree, 
+                        DirectoryNotifyInformationClass.DirectoryNotifyExtendedInformation), token, throw_on_error);
+                return status.Map(r => ReadExtendedNotifications(buffer, r));
+            }
+        }
+
+        /// <summary>
+        /// Get change notifications.
+        /// </summary>
+        /// <param name="completion_filter">The filter of events to watch for.</param>
+        /// <param name="watch_subtree">True to watch all sub directories.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The list of changes.</returns>
+        [SupportedVersion(SupportedVersion.Windows10_RS3)]
+        public Task<NtResult<IEnumerable<DirectoryChangeNotificationExtended>>> GetChangeNotificationExAsync(
+            DirectoryChangeNotifyFilter completion_filter, bool watch_subtree, bool throw_on_error)
+        {
+            return GetChangeNotificationExAsync(completion_filter, watch_subtree, CancellationToken.None, throw_on_error);
+        }
+
+        /// <summary>
+        /// Get change notifications.
+        /// </summary>
+        /// <param name="completion_filter">The filter of events to watch for.</param>
+        /// <param name="watch_subtree">True to watch all sub directories.</param>
+        /// <param name="token">Cancellation token.</param>
+        /// <returns>The list of changes.</returns>
+        [SupportedVersion(SupportedVersion.Windows10_RS3)]
+        public async Task<IEnumerable<DirectoryChangeNotificationExtended>> GetChangeNotificationExAsync(
+            DirectoryChangeNotifyFilter completion_filter, bool watch_subtree, CancellationToken token)
+        {
+            var result = await GetChangeNotificationExAsync(completion_filter, watch_subtree, token, true);
+            return result.Result;
+        }
+
+        /// <summary>
+        /// Get change notifications.
+        /// </summary>
+        /// <param name="completion_filter">The filter of events to watch for.</param>
+        /// <param name="watch_subtree">True to watch all sub directories.</param>
+        /// <returns>The list of changes.</returns>
+        [SupportedVersion(SupportedVersion.Windows10_RS3)]
+        public Task<IEnumerable<DirectoryChangeNotificationExtended>> GetChangeNotificationAsyncEx(
+            DirectoryChangeNotifyFilter completion_filter, bool watch_subtree)
+        {
+            return GetChangeNotificationExAsync(completion_filter, watch_subtree, CancellationToken.None);
+        }
+
         /// <summary>
         /// Method to query information for this object type.
         /// </summary>

NtApiDotNet/NtFileNative.cs

@@ -267,6 +267,20 @@ public static extern NtStatus NtNotifyChangeDirectoryFile(
             DirectoryChangeNotifyFilter CompletionFilter,
             bool WatchTree
         );
+
+        [DllImport("ntdll.dll")]
+        public static extern NtStatus NtNotifyChangeDirectoryFileEx(
+            SafeKernelObjectHandle FileHandle,
+            SafeKernelObjectHandle Event,
+            IntPtr ApcRoutine,
+            IntPtr ApcContext,
+            SafeIoStatusBuffer IoStatusBlock,
+            SafeBuffer Buffer,
+            int BufferSize,
+            DirectoryChangeNotifyFilter CompletionFilter,
+            bool WatchTree,
+            DirectoryNotifyInformationClass DirectoryNotifyInformationClass
+        );
     }
 
     public static partial class NtRtl
@@ -1450,7 +1464,7 @@ public enum FileNotificationAction
         RenamedNewName = 5,
     }
 
-    [StructLayout(LayoutKind.Sequential), DataStart("FileName")]
+    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode), DataStart("FileName")]
     public struct FileNotifyInformation
     {
         public int NextEntryOffset;
@@ -1459,17 +1473,76 @@ public struct FileNotifyInformation
         public char FileName;
     }
 
-    public class DirectoryChangeNotification
+    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode), DataStart("FileName")]
+    public struct FileNotifyExtendedInformation
+    {
+        public int NextEntryOffset;
+        public FileNotificationAction Action;
+        public LargeIntegerStruct CreationTime;
+        public LargeIntegerStruct LastModificationTime;
+        public LargeIntegerStruct LastChangeTime;
+        public LargeIntegerStruct LastAccessTime;
+        public LargeIntegerStruct AllocatedLength;
+        public LargeIntegerStruct FileSize;
+        public FileAttributes FileAttributes;
+        public int ReparsePointTag;
+        public LargeIntegerStruct FileId;
+        public LargeIntegerStruct ParentFileId;
+        public int FileNameLength;
+        public char FileName;
+    }
+
+    public sealed class DirectoryChangeNotification
     {
         public FileNotificationAction Action { get; }
         public string FileName { get; }
 
-        internal DirectoryChangeNotification(FileNotificationAction action, string file_name)
+        internal DirectoryChangeNotification(SafeStructureInOutBuffer<FileNotifyInformation> buffer)
         {
-            Action = action;
-            FileName = file_name;
+            var info = buffer.Result;
+            Action = info.Action;
+            FileName = buffer.Data.ReadUnicodeString(info.FileNameLength / 2);
         }
     }
 
+    public sealed class DirectoryChangeNotificationExtended
+    {
+        public FileNotificationAction Action { get; }
+        public string FileName { get; }
+        public DateTime CreationTime { get; }
+        public DateTime LastModificationTime { get; }
+        public DateTime LastChangeTime { get; }
+        public DateTime LastAccessTime { get; }
+        public long AllocatedLength { get; }
+        public long FileSize { get; }
+        public FileAttributes FileAttributes { get; }
+        public ReparseTag ReparsePointTag { get; }
+        public long FileId { get; }
+        public long ParentFileId { get; }
+
+        internal DirectoryChangeNotificationExtended(SafeStructureInOutBuffer<FileNotifyExtendedInformation> buffer)
+        {
+            var info = buffer.Result;
+            Action = info.Action;
+            CreationTime = info.CreationTime.ToDateTime();
+            LastModificationTime = info.LastModificationTime.ToDateTime();
+            LastChangeTime = info.LastChangeTime.ToDateTime();
+            LastAccessTime = info.LastAccessTime.ToDateTime();
+            AllocatedLength = info.AllocatedLength.QuadPart;
+            FileSize = info.FileSize.QuadPart;
+            FileAttributes = info.FileAttributes;
+            ReparsePointTag = (ReparseTag)info.ReparsePointTag;
+            FileId = info.FileId.QuadPart;
+            ParentFileId = info.ParentFileId.QuadPart;
+            FileName = buffer.Data.ReadUnicodeString(info.FileNameLength / 2);
+        }
+    }
+
+    public enum DirectoryNotifyInformationClass
+    {
+        DirectoryNotifyInformation = 1,
+        DirectoryNotifyExtendedInformation = 2
+    }
+
 #pragma warning restore 1591
 }

NtApiDotNet/NtSecurity.cs

@@ -893,13 +893,7 @@ public static byte[] StringToConditionalAce(string condition_sddl)
         /// <returns>The cached signing level.</returns>
         public static CachedSigningLevel GetCachedSigningLevel(SafeKernelObjectHandle handle)
         {
-            byte[] thumb_print = new byte[0x68];
-            int thumb_print_size = thumb_print.Length;
-
-            NtSystemCalls.NtGetCachedSigningLevel(handle, out int flags,
-                out SigningLevel signing_level, thumb_print, ref thumb_print_size, out HashAlgorithm thumb_print_algo).ToNtException();
-            Array.Resize(ref thumb_print, thumb_print_size);
-            return new CachedSigningLevel(flags, signing_level, thumb_print, thumb_print_algo);
+            return GetCachedSigningLevel(handle, true).Result;
         }
 
         /// <summary>

NtApiDotNet/NtStructures.cs

@@ -12,6 +12,7 @@
 //  See the License for the specific language governing permissions and
 //  limitations under the License.
 
+using System;
 using System.Runtime.InteropServices;
 
 namespace NtApiDotNet
@@ -35,6 +36,11 @@ public LargeInteger(long value)
         {
             QuadPart = value;
         }
+
+        internal DateTime ToDateTime()
+        {
+            return DateTime.FromFileTime(QuadPart);
+        }
     }
 
     [StructLayout(LayoutKind.Explicit)]
@@ -46,6 +52,11 @@ public struct LargeIntegerStruct
         public int HighPart;
         [FieldOffset(0)]
         public long QuadPart;
+
+        internal DateTime ToDateTime()
+        {
+            return DateTime.FromFileTime(QuadPart);
+        }
     }
 #pragma warning restore 1591
 }