COPY_INFORMATION structure (ntifs.h)

The COPY_INFORMATION structure correlates read and write calls to a copy operation from NtCopyFileChunk.

Syntax

typedef struct _COPY_INFORMATION {
  PFILE_OBJECT SourceFileObject;
  LONGLONG     SourceFileOffset;
} COPY_INFORMATION, *PCOPY_INFORMATION;

Members

SourceFileObject

The source file object of the copy.

SourceFileOffset

The file offset of the source file of the copy. This value can be compared to the destination's file offset during write to ensure the copy is complete and faithful.

Remarks

A copy's read and write operations contain the same information in their respective IRP extensions, so correlation can be done using COPY_INFORMATION for all writes that have the IopCopyInformationType IRP extension.

If the read and write operations are correlated and the copied data is verified, the written destination file can be considered a complete and faithful copy of the source. This means trust can be passed from the source file to the destination.

Copies generally happen in chunks. To validate the entire file copy:

  • Each chunk (each call to NtCopyFileChunk) must have its write operation correlated to a previous read operation.

  • All chunks copied together should cover the entire range of the file.

A filter can verify the correctness of the copied data with the source information provided in the IRP extension of the write as follows:

  • Verify that a matching read occurred on SourceFileObject.
  • Verify that SourceFileOffset matches the write operation's file offset.
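The bookkeeping behind these checks, as an added example that is not from the original documentation: a user-mode C model, not minifilter code. The names CopyTracker, track_read, track_write and copy_is_complete are hypothetical, the src pointer stands in for SourceFileObject, and requiring the write length to equal the read length is an assumption of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_CHUNKS 64

/* One observed read on the copy source; 'written' is set once a write
   carrying the same source object and offset has been correlated to it. */
typedef struct { const void *src; int64_t off; int64_t len; bool written; } Chunk;

typedef struct { Chunk c[MAX_CHUNKS]; size_t n; } CopyTracker;

/* Record a read that was seen with copy information attached. */
bool track_read(CopyTracker *t, const void *src, int64_t off, int64_t len) {
    if (t->n == MAX_CHUNKS || off < 0 || len <= 0) return false;
    t->c[t->n++] = (Chunk){ src, off, len, false };
    return true;
}

/* Correlate a write. src/src_off model COPY_INFORMATION.SourceFileObject and
   SourceFileOffset; dst_off/len are the write's own offset and length. */
bool track_write(CopyTracker *t, const void *src, int64_t src_off,
                 int64_t dst_off, int64_t len) {
    if (src_off != dst_off) return false;      /* offsets must match */
    for (size_t i = 0; i < t->n; i++) {
        Chunk *c = &t->c[i];
        /* Equal length is this model's assumption, not stated by the page. */
        if (!c->written && c->src == src && c->off == src_off && c->len == len) {
            c->written = true;                 /* matching earlier read found */
            return true;
        }
    }
    return false;                              /* no prior read: do not trust */
}

/* True when the correlated chunks cover [0, size) without a gap. */
bool copy_is_complete(const CopyTracker *t, int64_t size) {
    int64_t pos = 0;
    bool advanced = true;
    while (pos < size && advanced) {
        advanced = false;
        for (size_t i = 0; i < t->n; i++) {
            const Chunk *c = &t->c[i];
            if (c->written && c->off <= pos && c->off + c->len > pos) {
                pos = c->off + c->len;         /* extend the verified prefix */
                advanced = true;
            }
        }
    }
    return pos >= size;
}
```

Trust should pass to the destination only when every write was accepted by track_write and copy_is_complete returns true for the source file's size.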

See Kernel-mode file copy and detecting copy file scenarios for more information.

Requirements

| Requirement | Value |
| --- | --- |
| Minimum supported client | Windows 11, version 22H2 |
| Header | ntifs.h |

See also

FltGetCopyInformationFromCallbackData

IoCheckFileObjectOpenedAsCopySource

IoCheckFileObjectOpenedAsCopyDestination

NtCopyFileChunk

NtCreateFile