Author: Lu Lin (陆麟)
Please obtain the author's consent before reposting.
2000.8.26
/*++
author: lulin
date: 2000.8.25
Abstract:
    interface to NtQueryInformationFile
    stream portion.
---*/
#ifndef __STREAMINFO_H__
#define __STREAMINFO_H__
#include <windef.h>

#ifdef __cplusplus
extern "C" {
#endif

typedef LONG NTSTATUS;

typedef struct {
    union {
        NTSTATUS Status;
        PVOID    Pointer;
    };
    ULONG_PTR Information;          // pointer-sized integer: byte count written to the buffer
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct {                    // infoclass 22
    ULONG         NextEntryOffset;  // byte offset to the next entry, 0 for the last one
    ULONG         StreamNameLength; // length of StreamName in bytes, not characters
    LARGE_INTEGER EndOfStream;
    LARGE_INTEGER AllocationSize;
    WCHAR         StreamName[1];    // variable length, not NUL-terminated
} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;

// Exported by ntdll.dll
__declspec(dllimport) NTSTATUS __stdcall NtQueryInformationFile(
    HANDLE           handle,
    PIO_STATUS_BLOCK io_status_block,
    PVOID            FileInformation,
    ULONG            FileInformationLength,
    int              FileInformationClass
);

#ifdef __cplusplus
}
#endif
#endif //__STREAMINFO_H__
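When NTFS actually stores a stream name, it appends :$DATA to the name. For example, for ABC:STREAM1 the stream name is stored as :STREAM1:$DATA, so :$DATA has to be stripped from the query results. I will not discuss in detail here how STREAM.EXE works. Anyone who needs the source code can likewise purchase it for 20 yuan per copy. For payment details, see the information on the UTILITY page.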
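The buffer walk and the :$DATA stripping described above, as an added example that is not the author's STREAM.EXE source. It parses the FILE_STREAM_INFORMATION layout from a constructed byte buffer instead of calling NtQueryInformationFile, so it runs on any platform; `list_streams` and `put_entry` are hypothetical names, and the 8-byte entry alignment in the sample is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed part: NextEntryOffset(4) + StreamNameLength(4) + EndOfStream(8) + AllocationSize(8) */
#define HDR ((size_t)24)

static uint32_t rd32(const uint8_t *p) {          /* little-endian ULONG */
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copy each stream name as ASCII with the trailing ":$DATA" removed.
   Returns the number of names stored, or -1 if an entry runs past the buffer. */
int list_streams(const uint8_t *buf, size_t len, char out[][64], int max) {
    size_t off = 0;
    int n = 0;
    while (n < max) {
        if (len - off < HDR) return -1;            /* header must fit */
        uint32_t next = rd32(buf + off), nlen = rd32(buf + off + 4);
        if (nlen % 2 || nlen > len - off - HDR) return -1;   /* name must fit */
        size_t chars = nlen / 2, i;
        if (chars > 63) chars = 63;                /* truncate over-long names */
        for (i = 0; i < chars; i++) {
            const uint8_t *c = buf + off + HDR + 2 * i;      /* UTF-16LE code unit */
            out[n][i] = (c[1] == 0 && c[0] < 0x80) ? (char)c[0] : '?';
        }
        out[n][chars] = '\0';
        if (chars >= 6 && strcmp(out[n] + chars - 6, ":$DATA") == 0)
            out[n][chars - 6] = '\0';
        n++;
        if (next == 0) break;                      /* last entry */
        if (next < HDR + nlen || next > len - off) return -1; /* must advance, stay inside */
        off += next;
    }
    return n;
}

/* Constructed sample data: write one entry at off, return the offset after it. */
size_t put_entry(uint8_t *buf, size_t off, const char *name, int last) {
    size_t nlen = 2 * strlen(name), size = (HDR + nlen + 7) & ~(size_t)7, i;
    uint32_t next = last ? 0 : (uint32_t)size;
    memset(buf + off, 0, size);
    for (i = 0; i < 4; i++)
        buf[off + i] = (uint8_t)(next >> (8 * i)), buf[off + 4 + i] = (uint8_t)(nlen >> (8 * i));
    for (i = 0; name[i]; i++) buf[off + HDR + 2 * i] = (uint8_t)name[i];
    return off + size;
}

int main(void) {
    uint8_t buf[256]; char names[8][64];
    size_t end = put_entry(buf, put_entry(buf, 0, "::$DATA", 0), ":STREAM1:$DATA", 1);
    int n = list_streams(buf, end, names, 8);
    for (int i = 0; i < n; i++) printf("[%s]\n", names[i]);
    return n < 0;
}
```

On the constructed buffer, the unnamed default stream comes back as ":" and the named one as ":STREAM1".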