Re[2]: BSOD to list files in DbgPrint();

Peter_Scott · January 24, 2017, 9:34am

Pretty simple:

UNICODE_STRING uniString;

uniString.Length = FileNameLength;
uniString.MaximumLength = uniString.Length;
uniString.Buffer = FileName;

DbgPrint(“File %wZ\n”, &uniString);

Pete

–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@hotmail.com
To: “Windows File Systems Devs Interest List”
Sent: 1/24/2017 7:23:00 AM
Subject: RE:[ntfsd] BSOD to list files in DbgPrint();

>@Petter, thank you.
>
>could give me a code example, please?
>
>—
>NTFSD is sponsored by OSR
>
>
>MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>software drivers!
>Details at http:
>
>To unsubscribe, visit the List Server section of OSR Online at
>http:</http:></http:>

Bo_Branten · January 24, 2017, 9:35am

On Tue, 24 Jan 2017, xxxxx@hotmail.com wrote:

@Petter, thank you.

could give me a code example, please?

DbgPrint(“%.*ws\n”, DirInformation->FileNameLength / sizeof(WCHAR),
&DirInformation->FileName[0]);

%.* let you specify the max length to print so this is the standard method
to do this (there is also a %Z and %wZ to print this kinds of strings but
the are newer and non standard so %.* is the good old method)

Bo Branten

Gabriel_Bercea · January 24, 2017, 1:58pm

I think the first time you call ZwQueryDirectoryFile you should call with
the RestartScan parameter set to TRUE and then just call with FALSE.

I see you call with *ReturnSingleEntry* set to TRUE which means
DirInformation->NextEntryOffset will always be zero so no need to do this:
DirInformation = (PFILE_BOTH_DIR_INFORMATION)(((PUCHAR)DirInformation) +
DirInformation->NextEntryOffset);.
Also make sure you go FileNameLength bytes down the struct no more. ( which
DbgPrint might try to do ).
You do not take into account that this function can return
STATUS_BUFFER_OVERFLOW,
STATUS_INFO_LENGTH_MISMATCH or related error codes in case the buffer you
specify initially is not enough to hold the needed info.

Cheers,
Gabriel
www.kasardia.com

On Tue, Jan 24, 2017 at 3:34 PM, Bo Branten wrote:

> On Tue, 24 Jan 2017, xxxxx@hotmail.com wrote:
>
> @Petter, thank you.
>>
>> could give me a code example, please?
>>
>
> DbgPrint("%.ws\n", DirInformation->FileNameLength / sizeof(WCHAR),
> &DirInformation->FileName[0]);
>
> %. let you specify the max length to print so this is the standard method
> to do this (there is also a %Z and %wZ to print this kinds of strings but
> the are newer and non standard so %.* is the good old method)
>
> Bo Branten
>
>
> —
> NTFSD is sponsored by OSR
>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer>
>

–
Bercea. G.</http:>

Wega_Wilfried · January 24, 2017, 8:02pm

Hello,
I use the following to list the content of a directory in kernel mode and if has worked for me until now.

here is the code that does it.

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
RtlInitUnicodeString(&szFileName, directoryName);
InitializeObjectAttributes(&Oa,
&szFileName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);

status= ZwCreateFile(&hFile,
GENERIC_READ,
&Oa,
&Iosb,
0,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ, FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0);

if (!NT_SUCCESS(status))
{
return status;
}

pfbInfo = ExAllocatePoolWithTag(PagedPool, uSize, DIR_LIST_TAG);
if (pfbInfo == NULL)
{
ZwClose(hFile);
return STATUS_NO_MEMORY;
}

while (TRUE)
{
_retry:
RtlZeroMemory(pfbInfo, uSize);
status= ZwQueryDirectoryFile(hFile,
0,
NULL,
NULL,
&Iosb,
pfbInfo,
uSize,
FileBothDirectoryInformation,
FALSE,
NULL,
bIReStart);

if (STATUS_BUFFER_OVERFLOW == status)
{
ExFreePoolWithTag(pfbInfo, DIR_LIST_TAG);

uSize = uSize * 2;
pfbInfo = ExAllocatePoolWithTag(PagedPool, uSize, DIR_LIST_TAG);

if (pfbInfo == NULL)
{
ZwClose(hFile);
return STATUS_NO_MEMORY;
}

goto _retry;
}
else if (STATUS_NO_MORE_FILES == status)
{
ExFreePoolWithTag(pfbInfo, DIR_LIST_TAG);
ZwClose(hFile);
return STATUS_SUCCESS;
}
else if (STATUS_SUCCESS != status)
{
ExFreePoolWithTag(pfbInfo, DIR_LIST_TAG);
ZwClose(hFile);

return status;
}

if (bReStart)
{
bReStart= FALSE;
}

while (TRUE)
{
WCHAR *aux;

WCHAR * objectFileName = ExAllocatePoolWithTag(PagedPool, (pfbInfo->FileNameLength + sizeof(UNICODE_NULL)), DIR_LIST_TAG);

if (objectFileName )
{
RtlZeroMemory(objectFileName , (pfbInfo->FileNameLength + sizeof(WCHAR)));
RtlCopyMemory(objectFileName , pfbInfo->FileName, pfbInfo->FileNameLength);

…print objectFileName here…

ExFreePoolWithTag(objectFileName , DIR_LIST_TAG);
}

if (pfbInfo->NextEntryOffset == 0)
{
break;
}

pfbInfo += pfbInfo->NextEntryOffset;
}
}

ZwClose(hFile);
ExFreePoolWithTag(pfbInfo, DIR_LIST_TAG);

return status;
}

Hope this helps.