I'm trying to detect the flag FILE_FLAG_DELETE_ON_CLOSE in the "FsContext" of FILE_OBJECT (IRP_MJ_CLEANUP). I have verified that the first structure is FSRTL_COMMON_FCB_HEADER. With this structure, I get the NodeTypeCode parameter that returns 0x0705. From what I researched on the internet, this value indicates that I should use the _FCB or _SCB structure to strip the rest of the data, from which I want to extract the FcbState value to check the FCB_STATE_DELETE_ON_CLOSE flag. The problem is that both the _FCB structure and the _SCB are returning erroneous values. Does anyone know how to handle the issue?
"Ya, VCB, DCB, and FCB all have a FSRTL_COMMON_FCB_HEADER as their first member. Cc manager expects that FsContext points to a FSRTL_COMMON..., and this is respected by all standard disk file systems..." http://www.osronline.com/showThread.cfm?link=32329
...
It looks like I'm having a problem with the version of the structure.