FsRtlIsNameInExpression and UpcaseTable parameter

Gabriel_Bercea · August 11, 2010, 7:52am

Hello everybody,
I use the mentioned function (FsRtlIsNameInExpression) in my minifilter to actually filter out some files that match some wildcard expressions, but I need case insensitive comparing.

The function works as it should if both the ExpressionParameter and Name are uppercase.
BOOLEAN FsRtlIsNameInExpression(
__in PUNICODE_STRING Expression,
__in PUNICODE_STRING Name,
__in BOOLEAN IgnoreCase,
__in_opt PWCH UpcaseTable
);

The Expression parameter, I already have in memory, and it is upper case, and I don’t want for performance reasons to perform an upcase to the Name string for the function to work correctly, for each IRP_MJ_CREATE for example.

I have read what I could on the internet about the UpcaseTable, and as far as I can tell if I provide the function with an upcasetable, than I won’t need to upper case the Name parameter as it would use the UpcaseTable for this. There is also another reason why I want to use this, and that is because the function RtlUpcaseUnicodeChar, does not work correctly for one of my country characters, this one: ‘?’ the upper version being of course ‘?’ , and RtlUpcaseUnicodeChar(‘?’) returns ‘?’ not ‘?’ . I don’t know if this is a bug or not, if that were not the case then what I want to create two different files on my computer called “?_test.txt” and “?_test.txt” I get an error, file already exists, so I am guessing that the file system somehow sees the uppser case version of ‘?’ is ‘?’ but RtlUpcaseUnicodeChar does not work, and RtlUpcaseUnicodeString as well. The funny thing is that for characters like ‘?’ or ‘?’ it works fine (the upcase functions I mean).

My current understanding is that the upcase table should the form of
UpcaseTable[‘a’] = ‘A’ am I right ?
This is one of the things that I am not sure about.
I have the upcase table of the size: 0x10000, as I see the declaration of FsRtlAreNamesEqual, gives me a hint on the size.

#if (NTDDI_VERSION >= NTDDI_WIN2K)
__checkReturn
__drv_maxIRQL(PASSIVE_LEVEL)
NTKERNELAPI
BOOLEAN
FsRtlAreNamesEqual (
__in PCUNICODE_STRING ConstantNameA,
__in PCUNICODE_STRING ConstantNameB,
__in BOOLEAN IgnoreCase,
__in_ecount_opt(0x10000) PCWCH UpcaseTable
);
#endif

I let almost all the characters in the table by the form of
UpcaseTable[‘*’] = ‘*’
UpcaseTable[‘%’] = ‘%’
except for letters ‘a’ to ‘z’ and other latin letters.
and for my special characters ‘?’ and ‘?’ .
The bad part is that FsRtlIsNameInExpression still fails to work. I am sure that I am doing something wrong. Maybe someone else used this, or has stumbled upon this.
Can you give me any tips on how can I make FsRtlIsNameInExpression work with an UpcaseTable ?
Thank you.

Gabriel_Bercea · August 11, 2010, 8:02am

Hmm, it seems there is a problem with displaying unicode characters.
The characters that actually don’t work with RtlUpcaseUnicodeChar are:
0x21a and 0x21b
The character for which it works are: 0xEE and 0xE2, 0xE3
Look them up here: http://unicodelookup.com/

Gabriel_Bercea · August 11, 2010, 10:11am

Hello again,
It seems that it is actually my bad. I was doing a little, miss initialization to the UpcaseTable.
It works correctly now, but I am still wondering why RtlUpcaseUnicodeChar won’t work for 0x21b and work for other characters, similar.

Scott_Noone_OSR · August 11, 2010, 10:18am

wrote in message news:xxxxx@ntdev…
> Can you give me any tips on how can I make FsRtlIsNameInExpression work
> with an UpcaseTable ?

I’ve never actually used it, but I think you need to have mappings for every
possible unicode character with its uppercase equivalent. Have you tried a
simple test of using FsRtlAreNamesEqual for various strings to see if your
table is working? If not I think that’s a relatively short and
straightforward function to walk through in the debugger.

-scott

–
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

wrote in message news:xxxxx@ntdev…
> Hello everybody,
> I use the mentioned function (FsRtlIsNameInExpression) in my minifilter to
> actually filter out some files that match some wildcard expressions, but I
> need case insensitive comparing.
>
> The function works as it should if both the ExpressionParameter and Name
> are uppercase.
> BOOLEAN FsRtlIsNameInExpression(
> in PUNICODE_STRING Expression,
> in PUNICODE_STRING Name,
> in BOOLEAN IgnoreCase,
> in_opt PWCH UpcaseTable
> );
>
> The Expression parameter, I already have in memory, and it is upper case,
> and I don’t want for performance reasons to perform an upcase to the Name
> string for the function to work correctly, for each IRP_MJ_CREATE for
> example.
>
> I have read what I could on the internet about the UpcaseTable, and as far
> as I can tell if I provide the function with an upcasetable, than I won’t
> need to upper case the Name parameter as it would use the UpcaseTable for
> this. There is also another reason why I want to use this, and that is
> because the function RtlUpcaseUnicodeChar, does not work correctly for one
> of my country characters, this one: ‘?’ the upper version being of course
> ‘?’ , and RtlUpcaseUnicodeChar(‘?’) returns ‘?’ not ‘?’ . I don’t know if
> this is a bug or not, if that were not the case then what I want to create
> two different files on my computer called “?_test.txt” and “?_test.txt” I
> get an error, file already exists, so I am guessing that the file system
> somehow sees the uppser case version of ‘?’ is ‘?’ but
> RtlUpcaseUnicodeChar does not work, and RtlUpcaseUnicodeString as well.
> The funny thing is that for characters like ‘?’ or ‘Î’ it works fine (the
> upcase functions I mean).
>
> My current understanding is that the upcase table should the form of
> UpcaseTable[‘a’] = ‘A’ am I right ?
> This is one of the things that I am not sure about.
> I have the upcase table of the size: 0x10000, as I see the declaration of
> FsRtlAreNamesEqual, gives me a hint on the size.
>
> #if (NTDDI_VERSION >= NTDDI_WIN2K)
> checkReturn
> drv_maxIRQL(PASSIVE_LEVEL)
> NTKERNELAPI
> BOOLEAN
> FsRtlAreNamesEqual (
> in PCUNICODE_STRING ConstantNameA,
> in PCUNICODE_STRING ConstantNameB,
> in BOOLEAN IgnoreCase,
> in_ecount_opt(0x10000) PCWCH UpcaseTable
> );
> #endif
>
>
> I let almost all the characters in the table by the form of
> UpcaseTable[‘'] = '’
> UpcaseTable[‘%’] = ‘%’
> except for letters ‘a’ to ‘z’ and other latin letters.
> and for my special characters ‘?’ and ‘?’ .
> The bad part is that FsRtlIsNameInExpression still fails to work. I am
> sure that I am doing something wrong. Maybe someone else used this, or has
> stumbled upon this.
> Can you give me any tips on how can I make FsRtlIsNameInExpression work
> with an UpcaseTable ?
> Thank you.
>

Peter_Viscarola_OSR · August 11, 2010, 10:43am

Might have better luck with this in NTFSD, where the file system cool kids all hang out.

Peter
OSR

Gabriel_Bercea · August 11, 2010, 10:51am

Thanks Peter and Scott,
I have fixed my stupid mistake now, I was not initializing the UpcaseTable correctly, at least a part of the table, now it actually works.
I am still thinking though that there is a small bug in RtlUpcaseUnicodeChar, regarding the system upcase table used, as the filesystem does not let me create two files called
0x21a_test.txt and 0x21b_test.txt (where 0x21a and 0x21b are 2 unicode characters one lower and one upper) so the filesystem detects that 0x21a and 0x21b are one and the same in different cases, but if I use RtlUpcaseUnicodeChar it does not work.
Am I right or there is something wrong with my logic ? Or the file system uses something different ?
I will post this on NTFSD too since they might have more experience with this.
Thank you.