[utsav.0202]

Hi

We can find if a particular file has been modified or not by using WIN32_FIND_DATA structure. But it is possible to change the values of this structure after modifying the file.
Is there any way using NTFS properties to find out if the file has been modified without reading the file?

[EP_X0FF]

Hi

We can find if a particular file has been modified or not by using WIN32_FIND_DATA structure. But it is possible to change the values of this structure after modifying the file.
Is there any way using NTFS properties to find out if the file has been modified without reading the file?

Well file still needs to be opened first. However metadata can be read without touching file itself.

GetFileAttributes uses NtQueryAttributesFile
Also see NtQueryInformationFile

and overall
http://msdn.microsoft.com/en-us/library ... s.85).aspx

Call NT API via direct syscall to bypass r3 hookers. There is no SUPER_DUPER_HIDDEN_NTFS_UNBYPASSEABLE_FILE_INFO structure.

[Eric_71]

Is there any way using NTFS properties

It is possible to read this (and more) without opening the file and without handle to this file, by parsing directly the master file table.

to find out if the file has been modified without reading the file?

You mean the modification date?
-> Stored directly within the file MFT record itself ( resident attribute )