I need help to understand the following code in scanner MS sample minifilter

parsa Member Posts: 27

I am seeing the following code in the scanner minifilter sample code converting an array of UCHAR to PWCHAR and finding the number of strings as shown below. Is this correct code?

----------------- snip -------------------
ch = (PWCHAR)(valueBuffer->Data);

count = 0;

//
//  Count how many strings are in the multi string
//

while (*ch != '\0') {

    ch = ch + wcslen( ch ) + 1;
    count++;
}

------------------------ end --------------------------
Here is the declaration of variable for your reference.

PWCHAR ch;

PKEY_VALUE_PARTIAL_INFORMATION valueBuffer = NULL;

typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
    ULONG TitleIndex;
    ULONG Type;
    ULONG DataLength;
    _Field_size_bytes_(DataLength) UCHAR Data[1]; // Variable size
} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;

My question is how the finding of the number of strings will work when the input is a multi string in UCHAR format. For example, say this is the input "Abc Def". When I checked the "Abc Def" sample input, "wcslen" is showing 16 in the first iteration inside the loop. I want to understand how 16 comes here.
Thanks

Comments

  • Jeremy_Hurren Member - All Emails Posts: 17
    edited September 2019

    String data is stored in wide-characters in the kernel. So your "Abc Def" string is actually stored in bytes as 7 wide characters (14 bytes) plus a wide character null terminator for a total of 16 bytes. The KEY_VALUE_PARTIAL_INFORMATION structure just uses a placeholder byte in the structure and dynamically fills whatever buffer is available to be filled. The only thing I would change about the sample code would be to change the while loop to compare to a wide-character literal L'\0', but that's just because I'm picky, ha ha.

  • parsa Member Posts: 27

    Thanks for clarification.

  • Scott_Noone_(OSR) Administrator Posts: 3,299

    Any time I see MULTI_SZ parsing in a driver I cringe... Just want to point out that this code is inherently unsafe in that the Registry does not guarantee that string values are:

    1. Properly NULL terminated.

    2. A multiple of sizeof(WCHAR)

    So, you can make this code go off a cliff by putting some arbitrary, non-NULL terminated junk in the MULTI_SZ value.

    The value being read here is under a somewhat restrictive ACL so you could say that makes it "safe" for the sample. It wouldn't take much to fix but I'd be careful about duplicating this code as is elsewhere.

    -scott
    OSR
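
A bounded version of the string count, covering the two conditions listed in the comment above. This is an added example, not code from the scanner sample or from any poster in this thread. It assumes a user-mode build, so `WCHAR16` stands in for the kernel `WCHAR`, and the function name and sample buffers are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR16;   /* assumption: stand-in for the kernel's 16-bit WCHAR */

/* Constructed sample data (UTF-16LE bytes), not taken from a real registry. */
static const unsigned char sample_ok[] =            /* "Abc\0Def\0\0" */
    { 'A',0,'b',0,'c',0, 0,0, 'D',0,'e',0,'f',0, 0,0, 0,0 };
static const unsigned char sample_unterminated[] = { 'A',0,'b',0,'c',0 };

/*
 * Count the strings in a REG_MULTI_SZ value without reading past data_len
 * (the DataLength field). Returns 0 and sets *count on success, -1 if the
 * length is not a multiple of the character size or a string reaches the end
 * of the buffer with no terminator. A missing final empty string is accepted.
 */
int count_multi_sz(const unsigned char *data, size_t data_len, size_t *count)
{
    size_t n_chars = data_len / sizeof(WCHAR16);
    size_t i = 0, strings = 0;

    *count = 0;
    if (data_len % sizeof(WCHAR16) != 0)
        return -1;
    while (i < n_chars) {
        size_t start = i;
        WCHAR16 c;
        do {
            if (i == n_chars)
                return -1;              /* hit the end before a NUL */
            memcpy(&c, data + i * sizeof(WCHAR16), sizeof c); /* no alignment assumption */
            i++;
        } while (c != 0);
        if (i - start == 1)
            break;                      /* empty string: end of the list */
        strings++;
    }
    *count = strings;
    return 0;
}

int main(void)
{
    size_t n = 0;
    int rc = count_multi_sz(sample_ok, sizeof sample_ok, &n);
    printf("rc=%d count=%zu\n", rc, n);
    return 0;
}
```

In a driver the same bounds would come from `valueBuffer->DataLength`, with the malformed case treated as a failure rather than parsed further.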
