Major Description
1. Create a blank file test.txt with e.g. Notepad and add some contents, then close it.
2. Open that file with an NtCreateFile (or ZwCreateFile) with the following flags:
Status = ZwCreateFile(&FileHandle,
|
FILE_APPEND_DATA | SYNCHRONIZE,
|
&ObjectAttributes,
|
&Iosb,
|
NULL,
|
FILE_ATTRIBUTE_NORMAL,
|
FILE_SHARE_READ,
|
FILE_OPEN_IF,
|
FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT |
|
FILE_SEQUENTIAL_ONLY | FILE_WRITE_THROUGH,
|
NULL,
|
0);
|
(ObjectAttributes needs to be initialized obviously...)
3. Write new data with NtWriteFile (or ZwWriteFile):
Status = ZwWriteFile(FileHandle, NULL, NULL, NULL, &Iosb,
|
chBuffer, uRead, NULL, NULL);
|
(chBuffer: data buffer; uRead: number of bytes to write.)
Note that according to MSDN, and as it happens on Windows, since the file is opened with FILE_APPEND_DATA | SYNCHRONIZE, data is/should be always appended [1,2], even if no explicit file offset has been specified in the ZwWriteFile call or the file pointer explicitly positioned manually before the write operations.
[1]: https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwcreatefile#remarks
[2]: https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwwritefile
On Windows: such code works as expected: new data gets appended to the end of the file.
On ReactOS: code doesn't work, and data gets written at the beginning of the file, overwriting any existing data.
I attach an interactive console program that illustrates all that; it can be run on Windows (2003+) or ReactOS and behaviour can be manually compared.
