Looking for a file, but FindFile is strange

[learn64bit]

Can I get the filepath of "...\drivers\etc\hosts" without use this strange "\\127.0.0.1\c$\" thing

[learn64bit]

btw: I can upload the source code(I'm not the author, I download it in the forum plus some copy & past), but I need to delete a lot of shit comment I wrote when I learn the code.

[jj2007]

Can I get the filepath of "...\drivers\etc\hosts" without use this strange "\\127.0.0.1\c$\" thing

What about posting your source???

include \masm32\MasmBasic\MasmBasic.inc         ; download
  Init
  GetFiles C:\Windows\System32\drivers\etc\*
  For_ ecx=0 To eax-1           ; print the results
       PrintLine Str$(GfSize(ecx)), Tb$, GfDate$(ecx), Spc2$, GfTime$(ecx), Tb$, Files$(ecx)
  Next
EndOfCode

Code Select Expand

1615    08.03.2020  06:07:34    C:\Windows\System32\drivers\etc\hosts
3683    10.06.2009  23:00:26    C:\Windows\System32\drivers\etc\lmhosts.sam
407     10.06.2009  23:00:26    C:\Windows\System32\drivers\etc\networks
1358    10.06.2009  23:00:26    C:\Windows\System32\drivers\etc\protocol
17463   10.06.2009  23:00:26    C:\Windows\System32\drivers\etc\services

[learn64bit]

Oh.
btw: source added on top post.

[NoCforMe]

That's got to be some of the most unreadable damn assembler source I've ever seen.

[jj2007]

That's got to be some of the most unreadable damn assembler source I've ever seen.

Impressing indeed

So, learn64bit, what exactly is your problem? Both sources assemble "out of the box", no problem at all, and work fine...

[learn64bit]

damn...

Ok, Problem is strange as below:

I think this "C:\Windows\System32\drivers\etc" folder is special.

My Windows 7 64-bit with SP1

Browse button -> drivers -> can not see "etc" folder.

Manually input "C:\Windows\System32\drivers", no "etc" in result.txt at all!

This "C:\Windows\System32\drivers\etc" is fine, but I don't want this, I want "C:\" or "C:\Windows\System32\drivers".


Your code is same problem:
Change "C:\Windows\System32\drivers\etc\*" to "C:\Windows\System32\drivers\*", no "etc" folder!

Wooo, MasmBasic looks amazing!

[NoCforMe]

Same result here, I guess (Win7-64). Scan of c:\windows\system32\drivers:

c:\windows\system32\drivers\en-US\bfe.dll.mui
c:\windows\system32\drivers\en-US\ndiscap.sys.mui
c:\windows\system32\drivers\en-US\pacer.sys.mui
c:\windows\system32\drivers\en-US\qwavedrv.sys.mui
c:\windows\system32\drivers\en-US\scfilter.sys.mui
c:\windows\system32\drivers\en-US\tcpip.sys.mui
c:\windows\system32\drivers\gm.dls
c:\windows\system32\drivers\gmreadme.txt
c:\windows\system32\drivers\wimmount.sys

Maybe we're being "protected" from seeing "sacred" operating-system files?

[jj2007]

Your code is same problem:
Change "C:\Windows\System32\drivers\etc\*" to "C:\Windows\System32\drivers\*", no "etc" folder!

Code Select Expand

include \masm32\MasmBasic\MasmBasic.inc
  Init
  GetFiles C:\Windows\System32\drivers\*
  For_ ecx=0 To eax-1           ; print the results
       PrintLine Str$(GfSize(ecx)), Tb$, GfDate$(ecx), Spc2$, GfTime$(ecx), Tb$, Files$(ecx)
  Next
EndOfCode

1615    08.03.2020  06:07:34    C:\Windows\System32\drivers\etc\hosts
3683    10.06.2009  23:00:26    C:\Windows\System32\drivers\etc\lmhosts.sam
407     10.06.2009  23:00:26    C:\Windows\System32\drivers\etc\networks
1358    10.06.2009  23:00:26    C:\Windows\System32\drivers\etc\protocol
17463   10.06.2009  23:00:26    C:\Windows\System32\drivers\etc\services
30720   16.01.2012  18:58:37    C:\Windows\System32\drivers\it-IT\bfe.dll.mui
6144    16.01.2012  18:58:28    C:\Windows\System32\drivers\it-IT\ndiscap.sys.mui
16384   16.01.2012  18:58:37    C:\Windows\System32\drivers\it-IT\pacer.sys.mui
... (many more)

So etc is clearly there on my Win7-64 machine. Have you checked the folder properties? Mine is read-only but not hidden. I tried to hide etc, Windows asks me to become administrator for doing that but surprise, surprise, even an admin cannot hide etc

Slightly different test (note the quotes):

Code Select Expand

include \masm32\MasmBasic\MasmBasic.inc
  Init
  Cls 5
  GetFolders "C:\Windows\System32\drivers"
  For_ ecx=0 To eax-1           ; print the results
       PrintLine Str$(GfSize(ecx)), Tb$, GfDate$(ecx), Spc2$, GfTime$(ecx), Tb$, Files$(ecx)
  Next
EndOfCode

0       01.06.2015  12:43:18    C:\Windows\System32\drivers\etc
0       16.01.2012  18:59:26    C:\Windows\System32\drivers\it-IT
0       14.10.2011  05:50:07    C:\Windows\System32\drivers\nti
0       14.10.2011  05:50:07    C:\Windows\System32\drivers\nti\2003_amd64
... (some more)

Wooo, MasmBasic looks amazing!

Thanks

[NoCforMe]

Your program will show files in c:\windows\system32\drivers\etc:

C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\drivers\etc\lmhosts.sam
C:\Windows\System32\drivers\etc\networks
C:\Windows\System32\drivers\etc\protocol
C:\Windows\System32\drivers\etc\services

but you can't navigate to it by browsing. Weird ...
So what is it about that folder that's so special? As JJ said, it's read-only, but so are all the folders below c:\windows. If you look at the folder's properties, nothing seems different from any other folder in that branch of the tree.

[jj2007]

Try Explorer, logged in as administrator...

[NoCforMe]

I'm logged in as me (who's been crowned with administrator rights), and I can see all kinds of stuff there w/Explorer. So what does he know that we don't? Probably using some fancy Shell stuff ...

[TimoVJL]

If OP want to see real C:\windows\system32\drivers filelist with 32-bit program in x64 system

https://docs.microsoft.com/en-us/windows/win32/winprog64/file-system-redirector

[learn64bit]

jj,

win7sp1 64
login as Non administrator

D:\>jj.exe





D:\>_

It looks empty!

###################################################


TimoVJL,

Thanks.

Looks like Microsoft make it far more complicated.

Use "C:\Windows\System32", you get fake(redirected) one.
Use "\\127.0.0.1\C$\Windows\System32", you get real(Non redirected) one.

Win64 is simple. Okay...

[jj2007]

jj,

win7sp1 64
login as Non administrator

D:\>jj.exe


D:\>_

It looks empty!

???

Use "C:\Windows\System32", you get fake(redirected) one.
Use "\\127.0.0.1\C$\Windows\System32", you get real(Non redirected) one.

Win7-64:

include \masm32\MasmBasic\MasmBasic.inc
  Init
  Cls 5
  GetFiles \\127.0.0.1\C$\Windows\System32\drivers\etc\*        ; long form
  For_ ecx=0 To eax-1          ; print the results
       PrintLine Str$(GfSize(ecx)), Tb$, GfDate$(ecx), Spc2$, GfTime$(ecx), Tb$, Files$(ecx)
  Next
  Print
  GetFiles C:\Windows\System32\drivers\etc\*                    ; short form
  For_ ecx=0 To eax-1          ; print the results
       PrintLine Str$(GfSize(ecx)), Tb$, GfDate$(ecx), Spc2$, GfTime$(ecx), Tb$, Files$(ecx)
  Next
EndOfCode

Code Select Expand

1615    08.03.2020  06:07:34    \\127.0.0.1\C$\Windows\System32\drivers\etc\hosts
3683    10.06.2009  23:00:26    \\127.0.0.1\C$\Windows\System32\drivers\etc\lmhosts.sam
407     10.06.2009  23:00:26    \\127.0.0.1\C$\Windows\System32\drivers\etc\networks
1358    10.06.2009  23:00:26    \\127.0.0.1\C$\Windows\System32\drivers\etc\protocol
17463   10.06.2009  23:00:26    \\127.0.0.1\C$\Windows\System32\drivers\etc\services

1615    08.03.2020  06:07:34    C:\Windows\System32\drivers\etc\hosts
3683    10.06.2009  23:00:26    C:\Windows\System32\drivers\etc\lmhosts.sam
407     10.06.2009  23:00:26    C:\Windows\System32\drivers\etc\networks
1358    10.06.2009  23:00:26    C:\Windows\System32\drivers\etc\protocol
17463   10.06.2009  23:00:26    C:\Windows\System32\drivers\etc\services