woodruffw/ntfs0.cpp Secret

## ntfs0.cpp
auto handle = CreateFile(volume_path,
                         FILE_GENERIC_READ,
                         FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                         nullptr,
                         OPEN_EXISTING,
                         0,
                         nullptr);

## ntfs1.cpp
USN_JOURNAL_DATA_V2 journal_data = {};
DWORD bytes_received = 0U;
DeviceIoControl(handle,
                FSCTL_QUERY_USN_JOURNAL,
                nullptr,
                0,
                &journal_data,
                sizeof(journal_data),
                &bytes_received,
                nullptr);

USN next_usn = journal_data.NextUsn;

## ntfs2.cpp
// Only track renames for the purpose of this example.
DWORD flag_mask = USN_REASON_RENAME_OLD_NAME | USN_REASON_RENAME_NEW_NAME;

READ_USN_JOURNAL_DATA_V1 read_data_command = {next_usn,
                                              flag_mask,
                                              0U, /* ReturnOnlyOnClose */
                                              1U, /* Timeout */
                                              4096, /* BytesToWaitFor */
                                              journal_data.UsnJournalID,
                                              2U, /* MinMajorVersion */
                                              3U /* MaxMajorVersion */ };

std::array<std::uint8_t, 4096> read_buffer;
DWORD bytes_received = 0U;
auto status = ::DeviceIoControl(d_->volume_handle,
                                FSCTL_READ_USN_JOURNAL,
                                &read_data_command,
                                sizeof(read_data_command),
                                read_buffer.data(),
                                static_cast<DWORD>(read_buffer.size()),
                                &bytes_received,
                                nullptr);

## ntfs3.cpp
next_usn = *(reinterpret_cast<USN*>(read_buffer.data());

auto buffer_end = read_buffer.data() + bytes_received;
auto current_record_ptr = read_buffer.data() + sizeof(USN);

while (current_record_ptr < buffer_end) {
  const auto current_record =
    reinterpret_cast<const USN_RECORD*>(current_record_ptr);

  process_usn_record(current_record);

  current_record_ptr += current_record->RecordLength;
}

## ntfs4.cpp
switch (record->MajorVersion) {
  case 2U: {
    auto record_v2 =
      reinterpret_cast<const USN_RECORD_V2*>(record);

    // Operate on record_v2's fields.
    break;
  }
  case 3U: {
    auto record_v3 =
      reinterpret_cast<const USN_RECORD_V3*>(record);

    // Operate on record_v3's fields.
    break;
  }
  default: {
    assert(false);
    break;
  }
}

## osquery.conf.json
{
  "file_paths": {
    "downloads": [
      "C:\\Users\\user\\Downloads",
      "C:\\Users\\user\\Downloads\\*"
    ]
  }
}

## queries.sql
-- Select all file events corresponding to writes
SELECT * FROM ntfs_journal_events WHERE action = "FileWrite";

-- Select all file events on the members of the system32 folder
SELECT * FROM ntfs_journal_events WHERE path LIKE "C:\\system32\\%";

-- Select all file events on hidden files
SELECT * FROM ntfs_journal_events WHERE file_attributes LIKE "%FILE_ATTRIBUTE_HIDDEN%";
	auto handle = CreateFile(volume_path,
	FILE_GENERIC_READ,
	FILE_SHARE_READ \| FILE_SHARE_WRITE \| FILE_SHARE_DELETE,
	nullptr,
	OPEN_EXISTING,
	0,
	nullptr);
	USN_JOURNAL_DATA_V2 journal_data = {};
	DWORD bytes_received = 0U;
	DeviceIoControl(handle,
	FSCTL_QUERY_USN_JOURNAL,
	nullptr,
	0,
	&journal_data,
	sizeof(journal_data),
	&bytes_received,
	nullptr);

	USN next_usn = journal_data.NextUsn;
	// Only track renames for the purpose of this example.
	DWORD flag_mask = USN_REASON_RENAME_OLD_NAME \| USN_REASON_RENAME_NEW_NAME;

	READ_USN_JOURNAL_DATA_V1 read_data_command = {next_usn,
	flag_mask,
	0U, /* ReturnOnlyOnClose */
	1U, /* Timeout */
	4096, /* BytesToWaitFor */
	journal_data.UsnJournalID,
	2U, /* MinMajorVersion */
	3U /* MaxMajorVersion */ };

	std::array<std::uint8_t, 4096> read_buffer;
	DWORD bytes_received = 0U;
	auto status = ::DeviceIoControl(d_->volume_handle,
	FSCTL_READ_USN_JOURNAL,
	&read_data_command,
	sizeof(read_data_command),
	read_buffer.data(),
	static_cast<DWORD>(read_buffer.size()),
	&bytes_received,
	nullptr);
	next_usn = (reinterpret_cast<USN>(read_buffer.data());

	auto buffer_end = read_buffer.data() + bytes_received;
	auto current_record_ptr = read_buffer.data() + sizeof(USN);

	while (current_record_ptr < buffer_end) {
	const auto current_record =
	reinterpret_cast<const USN_RECORD*>(current_record_ptr);

	process_usn_record(current_record);

	current_record_ptr += current_record->RecordLength;
	}
	switch (record->MajorVersion) {
	case 2U: {
	auto record_v2 =
	reinterpret_cast<const USN_RECORD_V2*>(record);

	// Operate on record_v2's fields.
	break;
	}
	case 3U: {
	auto record_v3 =
	reinterpret_cast<const USN_RECORD_V3*>(record);

	// Operate on record_v3's fields.
	break;
	}
	default: {
	assert(false);
	break;
	}
	}
	{
	"file_paths": {
	"downloads": [
	"C:\\Users\\user\\Downloads",
	"C:\\Users\\user\\Downloads\\*"
	]
	}
	}
	-- Select all file events corresponding to writes
	SELECT * FROM ntfs_journal_events WHERE action = "FileWrite";

	-- Select all file events on the members of the system32 folder
	SELECT * FROM ntfs_journal_events WHERE path LIKE "C:\\system32\\%";

	-- Select all file events on hidden files
	SELECT * FROM ntfs_journal_events WHERE file_attributes LIKE "%FILE_ATTRIBUTE_HIDDEN%";