Thanks Branten, I don’t get that error now but the system crashes and I get the blue screen. It seems the error happens when adding the filter conditions because running it without them doesn’t cause any error. How do I know what caused the error ?
HANDLE fileHandle = 0;
BYTE* pObjectInfo = 0;
UINT32 objLength = 0;
UINT16 appIdSize = 0;
const UINT16 MAX_PATH1 = 256;
const UINT16 MY_TAG = (UINT32)‘raHD’;
const PWSTR pAppName = L"\DosDevices\C:\Program Files\Internet Explorer\iexplore.exe";
const UINT16 APP_LENGTH = 59 * sizeof(WCHAR);
PWSTR pApplicationId = 0;
OBJECT_ATTRIBUTES objAttributes;
IO_STATUS_BLOCK ioStatusBlock;
UNICODE_STRING unicodeString;
RtlZeroMemory(&objAttributes,
sizeof(OBJECT_ATTRIBUTES));
RtlZeroMemory(&ioStatusBlock,
sizeof(IO_STATUS_BLOCK));
RtlZeroMemory(&unicodeString,
sizeof(UNICODE_STRING));
pObjectInfo = ExAllocatePoolWithTag(NonPagedPool, sizeof(BYTE) * MAX_PATH1, MY_TAG);
if (pObjectInfo == 0)
DbgPrint(“Error in allocating pool!”);
unicodeString.Buffer = pAppName;
unicodeString.Length = APP_LENGTH;
unicodeString.MaximumLength = MAX_PATH1;
InitializeObjectAttributes(&objAttributes,
&unicodeString,
OBJ_CASE_INSENSITIVE |
OBJ_KERNEL_HANDLE |
OBJ_FORCE_ACCESS_CHECK,
0,
0);
DbgPrint(“Trying to open !!”);
status = ZwOpenFile(&fileHandle,
GENERIC_READ,
&objAttributes,
&ioStatusBlock,
0,
FILE_NON_DIRECTORY_FILE);
if (status != STATUS_SUCCESS || fileHandle == 0)
DbgPrint(“Error in opening the file %X” , status);
status = ZwQueryObject(fileHandle, 1, pObjectInfo, MAX_PATH1, (PULONG)&objLength);
if (status != STATUS_SUCCESS || objLength == 0)
DbgPrint(“Error in quering the object %X” , status);
appIdSize = (UINT16)((UNICODE_STRING*)pObjectInfo)->Length;
if (appIdSize != 0 &&
appIdSize < 256)
{
pApplicationId = ExAllocatePoolWithTag(NonPagedPool, sizeof(WCHAR) * (appIdSize + 1), MY_TAG);
if (pApplicationId == 0)
DbgPrint(“Error in allocaing the pool”);
for (UINT32 index = 0;
index < (appIdSize / sizeof(WCHAR));
index++)
{
((UNICODE_STRING*)pObjectInfo)->Buffer[index] = towlower(((UNICODE_STRING*)pObjectInfo)->Buffer[index]);
}
RtlCopyMemory(pApplicationId,
((UNICODE_STRING*)pObjectInfo)->Buffer,
appIdSize);
}
if (fileHandle)
{
ZwClose(fileHandle);
fileHandle = 0;
}
ExFreePoolWithTag((VOID*)pObjectInfo, MY_TAG);
filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_ALE_APP_ID;
filterConditions[conditionIndex].matchType = FWP_MATCH_EQUAL;
filterConditions[conditionIndex].conditionValue.type = FWP_BYTE_BLOB_TYPE;
filterConditions[conditionIndex].conditionValue.byteBlob = pApplicationId;
conditionIndex++;