COPY_INFORMATION - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
// ntifs.h
typedef struct _COPY_INFORMATION {
PFILE_OBJECT SourceFileObject;
LONGLONG SourceFileOffset;
} COPY_INFORMATION, *PCOPY_INFORMATION;
View the official Windows Driver Kit DDI referenceNo description available.
The COPY_INFORMATION structure correlates read and write calls to a copy operation from NtCopyFileChunk.
SourceFileObjectThe source file object of the copy.
SourceFileOffsetThe file offset of the source file of the copy. This value can be compared to the destination's file offset during write to ensure the copy is complete and faithful.
A copy's read and write operations contain the same information in their respective IRP extensions, so correlation can be done using COPY_INFORMATION for all writes that have the IopCopyInformationType IRP extension.
If the read and write operations are correlated and the copied data is verified, the written destination file can be considered a complete and faithful copy of the source. This means trust can be passed from the source file to the destination.
Copies generally happen in chunks. To validate the entire file copy:
Each chunk (each call to NtCopyFileChunk) must have its write operation correlated to a previous read operation.
All chunks copied together should cover the entire range of the file.
A filter can verify the correctness of the copied data with the source information provided in the IRP extension of the write as follows:
See Kernel-mode file copy and detecting copy file scenarios for more information.
FltGetCopyInformationFromCallbackData
IoCheckFileObjectOpenedAsCopySource
IoCheckFileObjectOpenedAsCopyDestination