2.2.8.3.12 SMB_QUERY_FILE_STREAM_INFO
This information level structure is used in TRANS2_QUERY_PATH_INFORMATION (section 2.2.6.6) and TRANS2_QUERY_FILE_INFORMATION (section 2.2.6.8) responses to return the stream information for the file in the request.<180>
-
SMB_QUERY_FILE_STREAM_INFO { ULONG NextEntryOffset; ULONG StreamNameLength; LARGE_INTEGER StreamSize; LARGE_INTEGER StreamAllocationSize; WCHAR StreamName[StreamNameLength/2]; }
NextEntryOffset: (4 bytes): A 32-bit unsigned integer that contains the byte offset from the beginning of this entry, at which the next FILE_ STREAM _INFORMATION entry is located, if multiple entries are present in a buffer. This member is 0x00000000 if no other entries follow this one. An implementation MUST use this value to determine the location of the next entry (if multiple entries are present in a buffer) and MUST NOT assume that the value of NextEntryOffset is the same as the size of the current entry.
StreamNameLength: (4 bytes): A 32-bit unsigned integer that contains the length, in bytes, of the stream name string.
StreamSize: (8 bytes): A 64-bit signed integer that contains the size, in bytes, of the stream. The value of this field MUST be greater than or equal to 0x0000000000000000.
StreamAllocationSize: (8 bytes): A 64-bit signed integer that contains the file stream allocation size in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device. The value of this field MUST be greater than or equal to 0x0000000000000000.
StreamName: (variable): A sequence of Unicode characters containing the name of the stream using the form ":streamname:$DATA", or "::$DATA" for the default stream. The :$DATA string that follows streamname is an internal data type tag that is unintentionally exposed. The leading ':' and trailing ':$DATA' characters are not part of the stream name and MUST be stripped from this field to derive the actual stream name. A resulting empty string for the stream name denotes the default stream. Because this field might not be null-terminated, it MUST be handled as a sequence of StreamNameLength bytes.