A forum for reverse engineering, OS internals and malware analysis 

 #2004  by Mehdi
 Mon Aug 16, 2010 8:03 am
Hello everyone,
In my Syscall Hooker, I want to print the values of hooked-syscall arguments; I've defined a function for each data type (save_HANDLE, save_ULONG, save_PUNICODE_STRING ...) that writes the value of that argument to a file.
Before designing these save_XXX functions, everything worked correctly, but now I get a BSOD in save_PUNICODE_STRING.
#include <ntddk.h>
#include <ntstrsafe.h>

void save_UNICODE_STRING(HANDLE fileHandle, WCHAR* name, PUNICODE_STRING value)
{
	size_t  cb;
	IO_STATUS_BLOCK ioStatusBlock;
	WCHAR* msg;
	msg = (WCHAR*)ExAllocatePoolWithTag(NonPagedPool, 255 * sizeof(WCHAR), 'abWd');
	if (!msg) return;   // pool allocation can fail; formatting into NULL would fault
	// NOTE: "name" is a WCHAR*, but the first %wZ expects a PUNICODE_STRING.
	// This mismatch is the defect identified later in the thread (it should be %ws).
	// value->Length is a byte count, so /2 gives the number of UTF-16 characters.
	RtlStringCbPrintfW(msg, 255 * sizeof(WCHAR), L"%wZ:%d\"%wZ\"\n", name, (value->Length)/2, value);
	// byte length of the formatted text, excluding the terminating NUL
	RtlStringCbLengthW(msg, 255 * sizeof(WCHAR), &cb);
	ZwWriteFile(fileHandle, NULL, NULL, NULL, &ioStatusBlock, msg, cb, NULL, NULL);
	ExFreePoolWithTag(msg, 'abWd');
}
I call it like this:
 ....
save_UNICODE_STRING(fileHandle,L"ValueName",ValueName); // ValueName is a PUNICODE_STRING (its the argument of hooked ZwSetValueKey)
...
I analyzed the crash dump file, and the exact point of the crash is right after RtlStringCbPrintfW.
Is there anything wrong with my save_UNICODE_STRING?
 #2005  by EP_X0FF
 Mon Aug 16, 2010 8:10 am
Just the most obvious thing: you have no parameter checking inside save_UNICODE_STRING.

Something like this in the main handler...
UNICODE_STRING name;
WCHAR *buffer;

__try
{
    // Only user-mode callers need probing; their pointers are untrusted.
    if (KeGetPreviousMode()!=KernelMode)
    {
        // Validate the descriptor itself, then copy it so it cannot change under us.
        ProbeForRead(ValueName,sizeof(UNICODE_STRING),1);
        RtlCopyMemory(&name,ValueName,sizeof(name));
        // Validate the character buffer (Length is in bytes) and copy it to kernel pool.
        ProbeForRead(name.Buffer,name.Length,1);
        buffer=(WCHAR*)ExAllocatePoolWithTag(NonPagedPool,name.Length,'kdD');
        if (!buffer) return STATUS_INSUFFICIENT_RESOURCES;
        RtlCopyMemory(buffer,name.Buffer,name.Length);
       ..........
    } 
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
    // A bad user pointer raises here instead of bugchecking.
.....
}
After this you can work with buffer.

If all your other code looks similar to what you posted above, then any other pointer-related handler will also crash your computer with a BSOD.
 #2007  by Mehdi
 Mon Aug 16, 2010 11:58 am
Thank you, after reading your post I realized that PreviousMode is actually KernelMode, because before this code I call ZwWriteFile.
I think the problem with my code was in this line
RtlStringCbPrintfW(msg,255 * sizeof(WCHAR),L"%wZ:%d\"%wZ\"\n",name,(value->Length)/2,value);
The first %wZ should be changed to %ws ("name" is a WCHAR*, not a UNICODE_STRING).
I changed that and now everything works!
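The two points the thread turns on, that a UNICODE_STRING is a counted (not NUL-terminated) buffer whose Length is in bytes, and that a hook must validate such a descriptor before formatting it, can be modelled outside the kernel. The following is an added example, not code from either poster: a user-mode stand-in for UNICODE_STRING with the consistency checks a handler would apply before trusting the descriptor, and a formatter that writes the same `name:count"value"` record the save function produces while honouring Length instead of scanning for a terminator. The struct layout and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-in for the kernel UNICODE_STRING: Length and MaximumLength
   are byte counts and Buffer is NOT guaranteed to be NUL-terminated. */
typedef struct {
    uint16_t  Length;
    uint16_t  MaximumLength;
    uint16_t *Buffer;
} UNICODE_STRING;

/* Consistency checks a hook should apply before touching the string
   (a user-mode stand-in for the ProbeForRead/copy step in the thread).
   Returns 1 if the descriptor is self-consistent, 0 otherwise. */
int unicode_string_ok(const UNICODE_STRING *s)
{
    if (s == NULL) return 0;
    if (s->Length % 2 != 0) return 0;              /* must be whole UTF-16 units */
    if (s->Length > s->MaximumLength) return 0;    /* inconsistent descriptor    */
    if (s->Length > 0 && s->Buffer == NULL) return 0;
    return 1;
}

/* Writes name:<char count>"<value>" into out, like the thread's save function,
   using Length/2 characters rather than looking for a terminator. Non-ASCII
   code units are emitted as '?'. Returns chars written, or -1 on bad input
   or insufficient room. */
int format_unicode_string(char *out, size_t cap, const char *name, const UNICODE_STRING *value)
{
    if (out == NULL || cap == 0 || name == NULL || !unicode_string_ok(value)) return -1;
    size_t n = value->Length / 2;                  /* Length is bytes, not chars */
    int used = snprintf(out, cap, "%s:%zu\"", name, n);
    if (used < 0 || (size_t)used >= cap) return -1;
    size_t pos = (size_t)used;
    for (size_t i = 0; i < n; i++) {
        if (pos + 3 > cap) return -1;              /* room for char + quote + NUL */
        uint16_t cu = value->Buffer[i];
        out[pos++] = (cu < 0x80) ? (char)cu : '?';
    }
    out[pos++] = '"';
    out[pos] = '\0';
    return (int)pos;
}
```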