File Operations

NtWriteFile
Writes data to a file.
Parameters:
- Handle to the file to write to
- Optional event to signal when the operation completes
- Pointer to the buffer containing the data to write
- Number of bytes to write
Notes:
- File path
- Operation success status

NtCreateFile
Creates or opens a file.
Parameters:
- Receives a handle to the file
- Access rights requested for the file
- Attributes of the file to create/open
- Action to take if the file exists or does not exist
- Options for creating the file
Notes:
- File path
- Desired access flags
- File attributes
- Create disposition
- Create options
- Share access
- Operation success status

NtOpenFile
Opens an existing file.
Parameters:
- Receives a handle to the file
- Access rights requested for the file
- Attributes of the file to open
- Type of share access
- Options for opening the file
Notes:
- File path
- Desired access flags
- Share access
- Operation success status

NtDeleteFile
Deletes a file.
Parameters:
- Attributes of the file to delete
Notes:
- File path
- Operation success status

NtClose
Closes a handle to a file or other object.
Parameters:
- Handle to close

File Information

NtQueryInformationFile
Retrieves information about a file.
Parameters:
- Handle to the file
- Type of information to retrieve
Notes:
- File handle
- Information class
- File path
- Operation success status

NtSetInformationFile
Sets information for a file, including rename operations.
Parameters:
- Handle to the file
- Buffer containing the information to set
- Type of information to set
Notes:
- File rename operations are tracked separately
- Both the old and the new path are logged for rename operations

NtQueryAttributesFile
Retrieves basic attributes of a file.
Parameters:
- Attributes identifying the file
- Receives the file attributes

NtQueryFullAttributesFile
Retrieves extended attributes of a file.
Parameters:
- Attributes identifying the file
- Receives the extended file attributes
Notes:
- File path
- Operation success status

Directory Operations

NtQueryDirectoryFile
Enumerates files in a directory.
Parameters:
- Handle to the directory
- Type of information to return for each file
- Optional filter pattern
Notes:
- Virtual filesystem directories are hidden from enumeration results

NtQueryDirectoryFileEx
Extended version of NtQueryDirectoryFile.
Parameters:
- Handle to the directory
- Type of information to return
- Flags controlling the query

NtCreateDirectoryObject
Creates or opens a directory object.
Parameters:
- Receives a handle to the directory object
- Access rights for the directory
- Attributes of the directory object

Section Objects

NtCreateSection
Creates a section object (memory-mapped file).
Parameters:
- Receives a handle to the section
- Desired access to the section
- Optional handle to the file to map
- Memory protection for the section

NtMapViewOfSection
Maps a view of a section into the virtual address space.
Parameters:
- Handle to the section object
- Handle to the process
- Pointer to receive the base address

Other File Operations

NtFlushBuffersFile
Flushes buffered data to disk.
Parameters:
- Handle to the file

NtCreateSymbolicLinkObject
Creates a symbolic link object.
Parameters:
- Receives a handle to the symbolic link
- Desired access rights
- Attributes of the symbolic link
- Target of the symbolic link

NtCreatePagingFile
Creates a paging file.
Notes:
- Access Control: This operation is denied with STATUS_PRIVILEGE_NOT_HELD, as it requires elevated privileges.

NtCreateIoCompletion
Creates an I/O completion object.
Parameters:
- Receives a handle to the I/O completion object
- Desired access rights
- Optional object attributes