fix(fspy): hook NtQueryDirectoryFileEx for READ_DIR tracking on Windows

Add hook for NtQueryDirectoryFileEx (newer Windows API) to properly track
READ_DIR accesses. This fixes the oxlint_reads_directory test which uses
the newer API not covered by NtQueryDirectoryFile.

- Add ntdll.dll lookup support for dynamic symbols in DetourAny::attach
- Define NtQueryDirectoryFileEx function type (not in ntapi crate)
- Use Detour::dynamic for runtime symbol resolution
- Update readdir test to use tempdir with cross-platform explanation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: branchseer

crates/fspy/tests/rust_std.rs

@@ -37,11 +37,25 @@ async fn open_write() -> anyhow::Result<()> {
 
 #[test(tokio::test)]
 async fn readdir() -> anyhow::Result<()> {
-    let accesses = track_child!((), |(): ()| {
+    let tmpdir = tempfile::tempdir()?;
+    let tmpdir_path = std::fs::canonicalize(tmpdir.path())?;
+    // Reading a non-existent directory results in different tracked accesses on different platforms:
+    // - Windows: READ, because the NT APIs open the directory as handle just like files (NtCreateFile/NtOpenFile),
+    //   and if that fails, not read dir call (NtQueryDirectoryFile/NtQueryDirectoryFileEx) is made.
+    // - macOS/Linux:
+    //   - opendir results in a read_dir access. This call is directly made without trying to open the directory as a fd first.
+    //   - open + fopendir results in READ access, because open would fail with ENOENT, and fopendir is not called.
+    //
+    // This difference is acceptable because both will result in a "not found" fingerprint in vite-task.
+    // To keep the test consistent across platforms, we create the directory first.
+    std::fs::create_dir(tmpdir.path().join("hello_dir"))?;
+
+    let accesses = track_child!(tmpdir_path.to_str().unwrap().to_owned(), |tmpdir_path: String| {
+        std::env::set_current_dir(tmpdir_path).unwrap();
         let _ = std::fs::read_dir("hello_dir");
     })
     .await?;
-    assert_contains(&accesses, current_dir()?.join("hello_dir").as_path(), AccessMode::READ_DIR);
+    assert_contains(&accesses, tmpdir_path.join("hello_dir").as_path(), AccessMode::READ_DIR);
 
     Ok(())
 }

crates/fspy_preload_windows/src/windows/detour.rs

@@ -21,7 +21,6 @@ impl<T: Copy> Detour<T> {
         Detour { symbol_name, target: UnsafeCell::new(unsafe { transmute_copy(&target) }), new }
     }
 
-    #[expect(dead_code)]
     pub const unsafe fn dynamic(symbol_name: &'static CStr, new: T) -> Self {
         Detour { symbol_name, target: UnsafeCell::new(null_mut()), new }
     }
@@ -52,15 +51,18 @@ pub struct DetourAny {
 pub struct AttachContext {
     kernelbase: HMODULE,
     kernel32: HMODULE,
+    ntdll: HMODULE,
 }
 
 impl AttachContext {
     pub fn new() -> Self {
         let kernelbase = unsafe { LoadLibraryA(c"kernelbase".as_ptr()) };
         let kernel32 = unsafe { LoadLibraryA(c"kernel32".as_ptr()) };
+        let ntdll = unsafe { LoadLibraryA(c"ntdll".as_ptr()) };
         assert_ne!(kernelbase, null_mut());
         assert_ne!(kernel32, null_mut());
-        Self { kernelbase, kernel32 }
+        assert_ne!(ntdll, null_mut());
+        Self { kernelbase, kernel32, ntdll }
     }
 }
 
@@ -74,9 +76,14 @@ impl DetourAny {
             unsafe { *self.target = symbol_in_kernelbase.cast() };
         } else {
             if unsafe { *self.target }.is_null() {
-                // dynamic symbol
+                // dynamic symbol - look up from kernel32 or ntdll
                 let symbol_in_kernel32 = unsafe { GetProcAddress(ctx.kernel32, symbol_name) };
-                unsafe { *self.target = symbol_in_kernel32.cast() };
+                if !symbol_in_kernel32.is_null() {
+                    unsafe { *self.target = symbol_in_kernel32.cast() };
+                } else {
+                    let symbol_in_ntdll = unsafe { GetProcAddress(ctx.ntdll, symbol_name) };
+                    unsafe { *self.target = symbol_in_ntdll.cast() };
+                }
             }
         }
         if unsafe { *self.target }.is_null() {

crates/fspy_preload_windows/src/windows/detours/nt.rs

@@ -286,6 +286,55 @@ static DETOUR_NT_QUERY_DIRECTORY_FILE: Detour<
     })
 };
 
+// NtQueryDirectoryFileEx is not in ntapi crate, so we define it here.
+// https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntquerydirectoryfileex
+type NtQueryDirectoryFileExFn = unsafe extern "system" fn(
+    file_handle: HANDLE,
+    event: HANDLE,
+    apc_routine: PIO_APC_ROUTINE,
+    apc_context: PVOID,
+    io_status_block: PIO_STATUS_BLOCK,
+    file_information: PVOID,
+    length: ULONG,
+    file_information_class: FILE_INFORMATION_CLASS,
+    query_flags: ULONG,
+    file_name: PUNICODE_STRING,
+) -> NTSTATUS;
+
+static DETOUR_NT_QUERY_DIRECTORY_FILE_EX: Detour<NtQueryDirectoryFileExFn> = unsafe {
+    Detour::dynamic(c"NtQueryDirectoryFileEx", {
+        unsafe extern "system" fn new_fn(
+            file_handle: HANDLE,
+            event: HANDLE,
+            apc_routine: PIO_APC_ROUTINE,
+            apc_context: PVOID,
+            io_status_block: PIO_STATUS_BLOCK,
+            file_information: PVOID,
+            length: ULONG,
+            file_information_class: FILE_INFORMATION_CLASS,
+            query_flags: ULONG,
+            file_name: PUNICODE_STRING,
+        ) -> NTSTATUS {
+            unsafe { handle_open(AccessMode::READ_DIR, file_handle) };
+            unsafe {
+                (DETOUR_NT_QUERY_DIRECTORY_FILE_EX.real())(
+                    file_handle,
+                    event,
+                    apc_routine,
+                    apc_context,
+                    io_status_block,
+                    file_information,
+                    length,
+                    file_information_class,
+                    query_flags,
+                    file_name,
+                )
+            }
+        }
+        new_fn
+    })
+};
+
 pub const DETOURS: &[DetourAny] = &[
     DETOUR_NT_CREATE_FILE.as_any(),
     DETOUR_NT_OPEN_FILE.as_any(),
@@ -294,4 +343,5 @@ pub const DETOURS: &[DetourAny] = &[
     DETOUR_NT_OPEN_SYMBOLIC_LINK_OBJECT.as_any(),
     DETOUR_NT_QUERY_INFORMATION_BY_NAME.as_any(),
     DETOUR_NT_QUERY_DIRECTORY_FILE.as_any(),
+    DETOUR_NT_QUERY_DIRECTORY_FILE_EX.as_any(),
 ];