Hi,

I have to deal with FindFirstFile, and i want to know what this WIN32_FIND_DATA is. I mean, I want to know if it is app related bytes, or just some bytes that are equal all the time, or if it is just an empty space, or whatever. You define it in masm, but i want to see it in pure asm...


Damn, this sounds complicated, but anyway, I hope you got it, and can help me.


DKT
Posted on 2003-12-13 10:24:37 by Kreatief
its a structure wich recieves information about the file or folder that FindFirst/NextFile has found.
the defination of the stucture in the inc file (windows.inc I think) is just to show what it looks like to allow you to work with it you still have to alocate some memory for that structure
like this
wfd WIN_32_FIND_DATA <>
or
LOCAL wfd:WIN32_FIND_DATA

wfd will be a pointer to an area of memory the size of WIN_32_FIND_DATA
Posted on 2003-12-13 10:34:15 by ENF
It is a structure that is used to pass information back and forth from Windows. Windows can only return 1 DWORD from an API call so it will sometimes use structures to make it possible to return more information. A structure is little more than a block of memory of a certain size that has a predetermined organization i.e. structure. In the case of FindFirstFile you define a structure (WIN32_FIND_DATA) and pass the address of that structure as a parameter of the API call. When the function returns the structure will be filled with the information you need.

.data

wfd WIN32_FIND_DATA <0>

.code
invoke FindFirstFile,ADDR path,ADDR wfd
mov hFind,eax
mov eax, wfd.nFileSizeLow
Posted on 2003-12-13 10:34:21 by donkey
Thank you both for the fast replies.

So, its just empty space (some dwords i guess), where information about the file is put to. (name etc.) Am I right?


DKT
Posted on 2003-12-13 10:37:35 by Kreatief
yes, if it is a local then it may contrain some garbage data but that is unimportant
Posted on 2003-12-13 10:40:37 by ENF
It's actual definition is in Windows.inc:

WIN32_FIND_DATA STRUCT

dwFileAttributes DWORD ?
ftCreationTime FILETIME <>
ftLastAccessTime FILETIME <>
ftLastWriteTime FILETIME <>
nFileSizeHigh DWORD ?
nFileSizeLow DWORD ?
dwReserved0 DWORD ?
dwReserved1 DWORD ?
cFileName BYTE MAX_PATH dup(?)
cAlternate BYTE 14 dup(?)
WIN32_FIND_DATA ENDS


When you declare the structure in your program the number of bytes in the structure will be set aside and you can use the member names in the structure to address each member's value directly as I did in my example above.
Posted on 2003-12-13 10:42:40 by donkey
As I said, I wrote this code in pure asm. So, I just pushed a memory address (no stack address), where there is enough empty space. After calling the FindFirstFile function, I get a handle to it (in eax), and some dwords at the address that i pushed as this structure. But, normally I should find the Filename and anything, but I cant see it. And theres no error after calling (last error). Whats that all about?


DKT
Posted on 2003-12-13 10:44:49 by Kreatief
Post your code and it will be easier to help.
Posted on 2003-12-13 10:46:55 by donkey
you don't get a handle to the stucture in eax you get a search handle wich you need to you in the call to FindNextFile and FindClose
Posted on 2003-12-13 10:49:20 by ENF
@ENF: Yeah I know, sorry, it wasnt clear what i wrote.


Here is my little code:

004070C0 68 00714000 PUSH fsearch.00407100
004070C5 68 F4714000 PUSH fsearch.004071F4 ; ASCII "*.*"
004070CA FF15 CD714000 CALL DWORD PTR DS:[4071CD] ; kernel32.FindFirstFileA

This is what i get as structure after calling:

00407100 10 00 00 00 80 6D DB 90 F8 BF C3 01 00 D8 80 56 ...?m?????.?V
00407110 71 BF C3 01 00 88 E1 90 F8 BF C3 01 00 00 00 00 q??.??????....
00407120 00 00 00 00 8C F6 12 00 02 24 F7 77 2E 00 00 00 ....??.$?w....



And I get the search handle in eax...

So, it works, but why cant i see the name of the file?


DKT
Posted on 2003-12-13 10:52:32 by Kreatief
The file size is showing 0, you have found the dot (.) (ascii 2E at struct offset 44 .cFilename) next will be (..) then the first real file. Try to send a FindNextFile. BTW, debugger code is normally difficult to read, you should have just posted the actual source code.
Posted on 2003-12-13 10:59:35 by donkey
Hi,

wow, it works. I executed FindNextFile two times after FindFirstFile. Then I get the first file. But why not after first calling? Why so late? Is it everytime this way?


But anyway, thanks alot for that... Very nice


DKT
Posted on 2003-12-13 11:16:40 by Kreatief
Nur, warum erst so sp?t? Was hat das zu bedeuten? Ist das immer so?

. means the current direcotry .. means the directory the next level up.
Posted on 2003-12-13 11:20:44 by ENF
Ok, so, it makes sense to call FIndFirstFile once, and then two times FindNextFile?!


Hmm i think i should use the search button now...

EDIT: @Donkey: Hehe, its the way i am coding it... I dont use masm for that, because i add code to an existing exe file...


DKT
Posted on 2003-12-13 11:24:27 by Kreatief

@Donkey: Hehe, its the way i am coding it... I dont use masm for that, because i add code to an existing exe file...


DKT

If you are adding code to somebody else's program you should read the rules here. That is very close to the cracking/RE line and could get you into trouble if you don't have permission to do it.
Posted on 2003-12-13 11:39:06 by donkey
I have permission to do it...


DKT
Posted on 2003-12-13 11:41:31 by Kreatief
findfirstfile() finds the first file in the directory, which is "." for the current directory.
the first time findnextfile() is called it finds the directory, which is up one level, ".."
the second time findnextfile() is called it finds the first file that you would see in Windows Explorer.

The question I have is there a set size for WIN32_FIND_DATA?  I want to set aside memory for the object but I don't know how much to reserve.
Posted on 2005-07-13 11:52:39 by hipppofear
It's generally better to make a new thread instead of reviving a two-year-old one, but here goes :)

Use "sizeof WIN32_FIND_DATA" if you need to find it's size... that way you avoid using ugly "magic numbers".
Posted on 2005-07-13 12:47:37 by f0dder
what do you mean by magic numbers?

Is the structure, WIN32_FIND_DATA, a constant size or does it change with with each call to FindNextFile()?

I tried compiling code with "sizeof WIN32_FIND_DATA" but I got a syntax error.
Posted on 2005-07-13 13:02:16 by hipppofear
A "magic number" is a constant that "magically appears" somewhere in your source code, instead of a nice and meaningful name. Ie, "memset(buffer, 0, 1024);" instead of "memset(buffer, 0, BUFSIZE);".

WIN32_FIND_DATA has a constant size. You can look it up in the PlatformSDK to see the structure definition.


I tried compiling code with "sizeof WIN32_FIND_DATA" but I got a syntax error.

Are you doing C/C++ code? In that case, you need sizeof(WIN32_FIND_DATA);

If not, which assembler are you using?
Posted on 2005-07-13 13:25:28 by f0dder