NtQueryDirectoryObject - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTOBAPI_H
//
// Directory objects
//
#if (PHNT_MODE != PHNT_MODE_KERNEL)

/**
 * Retrieves information about the specified directory object.
 * 
 * @param DirectoryHandle A handle to the directory object. This handle must have been opened with the appropriate access rights.
 * @param Buffer A pointer to a buffer that receives the directory information.
 * @param Length The size, in bytes, of the buffer pointed to by the Buffer parameter.
 * @param ReturnSingleEntry A BOOLEAN value that specifies whether to return a single entry or multiple entries.
 * @param RestartScan A BOOLEAN value that specifies whether to restart the scan from the beginning of the directory.
 * @param Context A pointer to a variable that maintains the context of the directory enumeration.
 * @param ReturnLength An optional pointer to a variable that receives the number of bytes returned in the buffer.
 * @return NTSTATUS Successful or errant status.
 * @sa https://learn.microsoft.com/en-us/windows/win32/devnotes/ntquerydirectoryobject
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryDirectoryObject(
    _In_ HANDLE DirectoryHandle,
    _Out_writes_bytes_opt_(Length) PVOID Buffer,
    _In_ ULONG Length,
    _In_ BOOLEAN ReturnSingleEntry,
    _In_ BOOLEAN RestartScan,
    _Inout_ PULONG Context,
    _Out_opt_ PULONG ReturnLength
    );

#endif
#endif

#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwQueryDirectoryObject(
    _In_ HANDLE DirectoryHandle,
    _Out_writes_bytes_opt_(Length) PVOID Buffer,
    _In_ ULONG Length,
    _In_ BOOLEAN ReturnSingleEntry,
    _In_ BOOLEAN RestartScan,
    _Inout_ PULONG Context,
    _Out_opt_ PULONG ReturnLength
    );

#endif

NTSTATUS WINAPI NtQueryDirectoryObject(
  _In_      HANDLE  DirectoryHandle,
  _Out_opt_ PVOID   Buffer,
  _In_      ULONG   Length,
  _In_      BOOLEAN ReturnSingleEntry,
  _In_      BOOLEAN RestartScan,
  _Inout_   PULONG  Context,
  _Out_opt_ PULONG  ReturnLength
);

NtDoc

No description available.

Win32 development documentation (ntquerydirectoryobject)

NtQueryDirectoryObject function

[This function may be altered or unavailable in the future.]

Retrieves information about the specified directory object.

Parameters

DirectoryHandle [in]

A handle to the directory object.

Buffer [out, optional]

A pointer to a buffer that receives the directory information. This buffer receives one or more OBJECT_DIRECTORY_INFORMATION structures, the last one being NULL, followed by strings that contain the names of the directory entries. For more information, see Remarks.

Length [in]

The size of the user-supplied output buffer, in bytes.

ReturnSingleEntry [in]

Indicates whether the function should return only a single entry.

RestartScan [in]

Indicates whether to restart the scan or continue the enumeration using the information passed in the Context parameter.

Context [in, out]

The enumeration context.

ReturnLength [out, optional]

A pointer to a variable that receives the length of the directory information returned in the output buffer, in bytes.

Return value

The function returns STATUS_SUCCESS or an error status.

Remarks

The following is the definition of the OBJECT_DIRECTORY_INFORMATION structure.

typedef struct _OBJECT_DIRECTORY_INFORMATION {
    UNICODE_STRING Name;
    UNICODE_STRING TypeName;
} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;

This function has no associated import library or header file; you must call it using the LoadLibrary and GetProcAddress functions.
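The buffer layout described under Buffer and Remarks can be walked defensively as follows. This is an added example, not code from the phnt headers or from Microsoft's documentation: it counts entries up to the zero terminator and rejects a buffer whose strings point outside the returned bytes. `USTR`, `ODI`, `odi_count`, `make_sample` and the sample object names are assumptions made so the code builds without windows.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins (assumed names) for UNICODE_STRING / OBJECT_DIRECTORY_INFORMATION. */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } USTR;
typedef struct { USTR Name, TypeName; } ODI;

/* Accept a string only if its Length bytes lie wholly inside buf[0..len). */
static int ustr_ok(const USTR *s, const void *buf, size_t len) {
    uintptr_t b = (uintptr_t)buf, p = (uintptr_t)s->Buffer;
    if (s->Length % 2 || s->Length > s->MaximumLength || p % 2) return 0;
    return p >= b && p - b <= len && s->Length <= len - (p - b);
}

/* Count entries before the all-zero terminator; -1 if the terminator is
 * missing or a Name/TypeName points outside the len bytes returned. */
int odi_count(const void *buf, size_t len) {
    const ODI *e = buf;
    for (size_t i = 0; i < len / sizeof(ODI); i++) {
        if (!e[i].Name.Buffer && !e[i].Name.Length) return (int)i;
        if (!ustr_ok(&e[i].Name, buf, len)) return -1;
        if (!ustr_ok(&e[i].TypeName, buf, len)) return -1;
    }
    return -1;
}

/* Constructed sample: two entries, a zero terminator, then the strings. */
static union { ODI e[12]; uint8_t raw[12 * sizeof(ODI)]; } sample;
static uint8_t *put(USTR *s, uint8_t *cur, const char *a) {
    size_t n = strlen(a);
    *s = (USTR){ (uint16_t)(2 * n), (uint16_t)(2 * n + 2), (uint16_t *)cur };
    for (size_t i = 0; i <= n; i++) s->Buffer[i] = (uint8_t)a[i];
    return cur + 2 * n + 2;
}

size_t make_sample(void) {
    memset(&sample, 0, sizeof sample);
    uint8_t *cur = sample.raw + 3 * sizeof(ODI);
    cur = put(&sample.e[0].Name, cur, "Device");
    cur = put(&sample.e[0].TypeName, cur, "Directory");
    cur = put(&sample.e[1].Name, cur, "DosDevices");
    cur = put(&sample.e[1].TypeName, cur, "SymbolicLink");
    return (size_t)(cur - sample.raw);
}

int main(void) {
    printf("entries: %d\n", odi_count(sample.raw, make_sample()));
    return 0;
}
```

On Windows the same walk applies to the real structures, with `len` taken from the value written to ReturnLength.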

Requirements

Requirement    Value
DLL            Ntdll.dll

See also

NtOpenDirectoryObject


NTinternals.net (undocumented.ntinternals.net)

This function is documented in Windows SDK.


DirectoryObjectHandle

Handle to Directory Object opened with DIRECTORY_QUERY access.

DirObjInformation

Pointer to an OBJDIR_INFORMATION structure. Warning: the structure has variable length, depending on the length of the object name.
To determine the required buffer length, use the DataWritten parameter.

BufferLength

Length of DirObjInformation buffer.

GetNextIndex

Determines how the ObjectIndex parameter is used on output.
If FALSE: ObjectIndex is number of object in Object Directory.
If TRUE: ObjectIndex is the index of the object following the queried object (see below) in the Object Directory.

IgnoreInputIndex

Determines how ObjectIndex is used on function input.
If FALSE: ObjectIndex points to the ULONG index of an object in the Object Directory.
If TRUE: the ObjectIndex input value is ignored. The function always returns information about the first object in the Object Directory.

ObjectIndex

Pointer to ULONG value described above.

DataWritten

Pointer to ULONG value receiving required / written buffer size. This parameter is optional.
