none
RtlCopyMemory: DbgPrint() to destination variable is empty RRS feed

  • Question

  • I'm trying see the content of a UNICODE_STRING variable that receives a value filled by RtlCopyMemory() function and the content is empty.

    What is wrong?

    My actual code is:

    NTSTATUS FileHandleToUNICODE_STRING(IN	HANDLE FileHandle, OUT PUNICODE_STRING FileName) {
    
    	PFILE_OBJECT        fileObject;
    	PDEVICE_OBJECT      fileSysDevice;
    	POBJECT_NAME_INFORMATION	pobjObjectNameInfo;
    	ULONG      ulLength = 0;
    	NTSTATUS            ntStatus;
    
    	ntStatus = STATUS_SUCCESS;
    
    	pobjObjectNameInfo = (POBJECT_NAME_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, sizeof(OBJECT_NAME_INFORMATION) + (MAX_PATH * 2), 'TG');
    
    	if (pobjObjectNameInfo == NULL)
    	{
    		DbgPrint("Failed to allocate memory for pobjObjectNameInfo\n");
    
    		ntStatus = STATUS_INSUFFICIENT_RESOURCES;
    
    		return ntStatus;
    	}
    
    	ntStatus = ObReferenceObjectByHandle(FileHandle, 0, NULL, KernelMode, &fileObject, NULL);
    
    	if (!NT_SUCCESS(ntStatus)) {
    
    		DbgPrint("Could not get fileobject from handle\n");
    
    		ObDereferenceObject(fileObject);
    		ExFreePoolWithTag(pobjObjectNameInfo, 'TG');
    
    		return ntStatus;
    	}
    
    	ntStatus = ObQueryNameString(fileObject, pobjObjectNameInfo, sizeof(OBJECT_NAME_INFORMATION) + (MAX_PATH * 2), &ulLength);
    
    	if (ntStatus != STATUS_SUCCESS)
    	{
    		DbgPrint("ObQueryNameString() --. STATUS %x \n", ntStatus);
    
    		ObDereferenceObject(fileObject);
    		ExFreePoolWithTag(pobjObjectNameInfo, 'TG');
    
    		return ntStatus;
    	}
    
    	fileSysDevice = IoGetRelatedDeviceObject(fileObject);
    
    	if (!fileSysDevice) {
    
    		DbgPrint("Could not get related device object\n");
    
    		ObDereferenceObject(fileObject);
    		ExFreePoolWithTag(pobjObjectNameInfo, 'TG');
    
    		return ntStatus;
    	}
    
    	ntStatus = IoQueryFileDosDeviceName(fileObject, &pobjObjectNameInfo);
    
    	if (ntStatus != STATUS_SUCCESS)
    	{
    		DbgPrint("IoQueryFileDosDeviceName() --. STATUS %x \n", ntStatus);
    
    		ObDereferenceObject(fileObject);
    		ExFreePool(pobjObjectNameInfo);
    
    		return ntStatus;
    	}
    
    	DbgPrint("FileName: %ws\n", pobjObjectNameInfo->Name.Buffer); // here works fine
    
    	RtlCopyMemory(FileName->Buffer, &pobjObjectNameInfo->Name.Buffer, pobjObjectNameInfo->Name.Length);
    
    	ObDereferenceObject(fileObject);
    	ExFreePoolWithTag(pobjObjectNameInfo, 'TG');
    
    	return ntStatus;
    }

    Using in other method:

    NTSTATUS PrintResult() {

    HANDLE hFile; NTSTATUS status; status = STATUS_SUCCESS; UNICODE_STRING FName = { 0 }; FName.Length = 0; FName.MaximumLength = 1024; FName.Buffer = ExAllocatePoolWithTag(NonPagedPool, FName.MaximumLength, '2leN'); if (FName.Buffer == NULL) return status; RtlZeroMemory(FName.Buffer, FName.MaximumLength);

    FileHandleToUNICODE_STRING(hFile, &FName); // obtain 'hFile' by NtOpenFile() function DbgPrint("---. FName: %wZ\n", &FName); // 'FName' print empty here ExFreePoolWithTag(FName.Buffer, '2leN'); return status; }







    • Edited by FL4SHC0D3R Wednesday, March 28, 2018 12:07 AM
    Tuesday, March 27, 2018 11:52 PM

Answers

  • You didn't set the length of the Unicode string in the descriptor, in FileHandleToUNICODE_STRING

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    • Marked as answer by FL4SHC0D3R Wednesday, March 28, 2018 1:57 AM
    • Unmarked as answer by FL4SHC0D3R Wednesday, March 28, 2018 4:38 AM
    • Marked as answer by Doron Holan [MSFT] Wednesday, March 28, 2018 6:43 AM
    Wednesday, March 28, 2018 12:53 AM
    Moderator
  • You line RtlCopyMemory(FileName->Buffer, &pobjObjectNameInfo->Name.Buffer, pobjObjectNameInfo->Name.Length + 100);

    should be RtlCopyMemory(FileName->Buffer, pobjObjectNameInfo->Name.Buffer, pobjObjectNameInfo->Name.Length + 100);


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by FL4SHC0D3R Wednesday, March 28, 2018 5:01 PM
    Wednesday, March 28, 2018 4:27 PM
  • Obviously, you're not managing your pointer and length properly. This is something that you'll have to work out for yourself. I recommend stepping through the code and examining the descriptor and string buffer and figure out what you did wrong. This is no longer a driver/internals question.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, March 28, 2018 5:31 AM
    Moderator

All replies

  • You didn't set the length of the Unicode string in the descriptor, in FileHandleToUNICODE_STRING

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    • Marked as answer by FL4SHC0D3R Wednesday, March 28, 2018 1:57 AM
    • Unmarked as answer by FL4SHC0D3R Wednesday, March 28, 2018 4:38 AM
    • Marked as answer by Doron Holan [MSFT] Wednesday, March 28, 2018 6:43 AM
    Wednesday, March 28, 2018 12:53 AM
    Moderator
  • Thank you Brian Catlin, your suggestion above worked, but i still not have complete filename for example:

    while pobjObjectNameInfo->Name.Buffer in FileHandleToUNICODE_STRING() prints C:\Windows\myfile.txt

    FName in PrintResult() prints ??C:\Windows\myfile.t

    How fix?

    Wednesday, March 28, 2018 4:45 AM
  • Obviously, you're not managing your pointer and length properly. This is something that you'll have to work out for yourself. I recommend stepping through the code and examining the descriptor and string buffer and figure out what you did wrong. This is no longer a driver/internals question.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, March 28, 2018 5:31 AM
    Moderator
  • I have made this way:

    FileHandleToUNICODE_STRING()

            FileName->MaximumLength = pobjObjectNameInfo->Name.Length + 100;
    	FileName->Length = pobjObjectNameInfo->Name.Length + 100;
       
    	RtlZeroMemory(FileName->Buffer, FileName->MaximumLength);
    
    	RtlCopyMemory(FileName->Buffer, &pobjObjectNameInfo->Name.Buffer, pobjObjectNameInfo->Name.Length + 100);

    PrintResult()

            UNICODE_STRING FName = { 0 };
    	FName.Length = 1024;
    	FName.MaximumLength = 1024;
    	FName.Buffer = ExAllocatePoolWithTag(NonPagedPool, FName.MaximumLength, '2leN');
    
    	if (FName.Buffer == NULL)
    		return status;
    
       RtlZeroMemory(FName.Buffer, FName.MaximumLength);
    
       FileHandleToUNICODE_STRING(hFile, &FName);
    							 
       DbgPrint("---. FName: %wZ\n", &FName);
    
       ExFreePoolWithTag(FName.Buffer, '2leN');

    Where be wrong? Why FName prints: ??C:\Windows\myfile.txt with two "??" before filename?
    • Edited by FL4SHC0D3R Wednesday, March 28, 2018 4:24 PM
    Wednesday, March 28, 2018 4:19 PM
  • You line RtlCopyMemory(FileName->Buffer, &pobjObjectNameInfo->Name.Buffer, pobjObjectNameInfo->Name.Length + 100);

    should be RtlCopyMemory(FileName->Buffer, pobjObjectNameInfo->Name.Buffer, pobjObjectNameInfo->Name.Length + 100);


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by FL4SHC0D3R Wednesday, March 28, 2018 5:01 PM
    Wednesday, March 28, 2018 4:27 PM