[StriderH2]

Is there a way to imply the current working directory of a driver through an LPSTR or string?
ie.
L\\SystemRoot\\System

Problem:

Code: Select all

#include <stdio.h>
#include <windows.h> //<-- Required for the GetCurrentDirectory function, but it conflicts with "ntddk.h:": 102 compile errors (relating to ntdef.h and wdm.h) mostly "identifier;missing ) "
#include "ntddk.h"
char CurrentDirectory[255];

NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath)
{
GetCurrentDirectory(sizeof CurrentDirectory, CurrentDirectory);
DbgPrint("%s",CurrentDirectory);
   return STATUS_SUCCESS;//;
}

[EP_X0FF]

There is no such thing as current directory for drivers.

GetCurrentDirectory retrieves path from PEB->ProcessParameters->CurrentDirectory.
Code running in DriverEntry routine works in context of System process which have no PEB at all.

[StriderH2]

Thanks for the info!
I guess it'll have to be done through file handles then.

[EP_X0FF]

What file handles?

you have theRegistryPath. Get path to driver from ImagePath registry value.

[StriderH2]

What file handles?
you have theRegistryPath. Get path to driver from ImagePath registry value.

I would do that naturally as it is more efficient, but it goes back to the issues with the Zwxxx function zwqueryvaluekey.
It only copies one character from the buffer to the string (strcpy). Was it supposed to null-terminate or was there a buffer overflow?


Other Reference to similar problem:
http://www.osronline.com/showThread.CFM?link=98423

Code: Select all

#include <ntddk.h>  
#define  VALUE_BUFFER_SIZE 50
#define  BUFFER_SIZE 50
#include <string.h>
char s1[50];
CHAR buffer[BUFFER_SIZE];
UNICODE_STRING currentDir;
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)  
{
    NTSTATUS NtStatus = STATUS_SUCCESS;  
OBJECT_ATTRIBUTES ObjectAttributes;
   UNICODE_STRING KeyName = RTL_CONSTANT_STRING(L"\\Registry\\Machine\\Software\\test");
   UNICODE_STRING ValueName = RTL_CONSTANT_STRING(L"test");
   HANDLE KeyHandle;
  ULONG ValueLength;
   UCHAR ValueBuffer[VALUE_BUFFER_SIZE];
   PKEY_VALUE_PARTIAL_INFORMATION ValueInfo;
   UNICODE_STRING ValueString;
   ///////////////////////////////////////
 NTSTATUS Status;
  InitializeObjectAttributes(&ObjectAttributes,&KeyName,OBJ_CASE_INSENSITIVE,NULL,NULL);			      
   Status = ZwOpenKey(&KeyHandle,
		      KEY_QUERY_VALUE,
		      &ObjectAttributes);
		 
   if (NT_SUCCESS(Status))
     {
ValueInfo = (PKEY_VALUE_PARTIAL_INFORMATION)ValueBuffer;
	Status = ZwQueryValueKey(KeyHandle,&ValueName,KeyValuePartialInformation,ValueBuffer, VALUE_BUFFER_SIZE,&ValueLength);
	     ValueString.Buffer = (PWSTR)ValueInfo->Data;
	     ValueBuffer[255-1] = '\0';
    DbgPrint("Valueinfo->data %S",ValueInfo->Data);
				     DbgPrint("%S vsb",  ValueString.Buffer);//Debug Print prints the exact value
                      currentDir= ValueInfo->Data); //<-- incorrect as well, because currentDir is not a PWSTR
                      //There's also the idea that it isn't guaranteed to null-terminate
				       DbgPrint("test1 %S",&currentDir);
	  }
	  ZwClose(KeyHandle);
 }

[EP_X0FF]

It's UNICODE. Your code is incorrect.

[StriderH2]

It's UNICODE. Your code is incorrect.

The overall goal was to get a unicode path from a value in the registry, and concatenate it with a specified filename.

The reason I resorted to file handles, was because I could not query these values into unicode strings from the registry.

[EP_X0FF]

It's UNICODE. Your code is incorrect.

The overall goal was to get a unicode path from a value in the registry, and concatenate it with a specified filename.
I had to use a standard string to convert it to an integer to perform calculations.

The reason I resorted to file handles, was because I could not query these values into unicode strings from the registry.

pseudo code, no checks.

ZwOpenKey(&KeyHandle, GENERIC_READ, &KeyAttr);
RtlInitUnicodeString(&ValueName, L"ImagePath");
ZwQueryValueKey(KeyHandle, &ValueName, KeyValueBasicInformation, NULL, 0, &bytesIO);
bytesIO *= 2;
bytesIO += sizeof KEY_VALUE_FULL_INFORMATION;
PVOID InfoBuf = memalloc(bytesIO);
ULONG NameLength;

ZwQueryValueKey(KeyHandle, &ValueName, KeyValueFullInformation, InfoBuf, bytesIO, &NameLength);
NameLength = PKEY_VALUE_FULL_INFORMATION(InfoBuf)->NameLength / sizeof WCHAR;
ULONG DataLength = PKEY_VALUE_FULL_INFORMATION(InfoBuf)->DataLength / sizeof WCHAR;
wcsncpy(myUnicodeStringBuffer, &PKEY_VALUE_FULL_INFORMATION(InfoBuf)->Name[NameLength], DataLength);

[StriderH2]

Thank you for your help and patience, I will try and post the solution when I fix it.