Why am I not getting a match, I know I’m doing something stupid…
In windbg I’m seeing:
FileName == “\SYSTEM32\NOTEPAD.EXE” and
nameInfo == “Device\Harddisk0\volume1\windows\system32\notepad.exe”
WCHAR NoteFile[3][200] = {
    L"\\EXPLORER.EXE",
    L"\\SYSTEM32\\NOTEPAD.EXE",    // <- what I'm searching for
    /* … */
};

NTSTATUS
CouldItBeNotePad (
    __in  PFLT_FILE_NAME_INFORMATION nameInfo,
    __out PBOOLEAN MayBe
    )
{
    UNICODE_STRING FileName;
    int i;

    for (i = 0; i < 3; i++)
    {
        // Pattern string handed to FsRtlIsNameInExpression as the expression
        FileName.Length = 0x0;
        FileName.MaximumLength = sizeof(NoteFile[i]);
        FileName.Buffer = NoteFile[i];

        if (FsRtlIsNameInExpression( &FileName, &nameInfo->Name, TRUE, NULL ) == TRUE)
        {
            //never get here
            DbgPrint("A match was found %S\n", NoteFile[i]);
            *MayBe = TRUE;
            break;      // keep the hit instead of letting a later miss overwrite it
        }else{
            //FsRtlIsNameInExpression always returns no match. Expression is UCase
            *MayBe = FALSE;
            DbgPrint("%wZ \n", &FileName);          // %wZ takes a PUNICODE_STRING, not the struct by value
            DbgPrint("%wZ \n", &nameInfo->Name);
        }
    }
    return STATUS_SUCCESS;
}
Did you try like …
FileName == “NOTEPAD.EXE”
nameInfo == “notepad.exe”

“MM” wrote in message news:xxxxx@ntfsd…
> Why am I not getting a match, I know I’m doing something stupid…
uh, no…
FileName == “\SYSTEM32\NOTEPAD.EXE” is the expression in the array that is being sought.
The string in “nameInfo” is what fltmgr is passing in during create; this is coming from a call to FltGetNameInfo.
There are some problems: this function is not searching for a substring but
does pattern matching. FileName is a misleading name for a pattern string.
Insert a wildcard character at the beginning and you should be fine. Then,
setting the length of a Unicode string to zero does not make sense; Unicode
strings are counted. Use RtlInitUnicodeString instead.
/Daniel
“MM” wrote in message news:xxxxx@ntfsd…
> Why am I not getting a match, I know I’m doing something stupid…
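Daniel's two fixes worked through in code. This is an added example, not code from the thread or from any driver. It is user-mode C so it can be compiled and run anywhere, with the kernel pieces modelled: UNICODE_STRING and InitUnicodeString reproduce the real layout and the counting that RtlInitUnicodeString does, and IsNameInExpression is a stand-in for FsRtlIsNameInExpression that supports only '*' and '?' (none of the DOS_* wildcards), upcases only Name with an ASCII-only table and, like the real routine, never touches Expression, so the pattern must already be uppercase when IgnoreCase is TRUE. Widen stands in for the L"..." literals a driver would use. The pattern list, the function names and the paths are the example's own constructions.

```c
/* User-mode model of the corrected CouldItBeNotePad (example, not from the thread).
 * UNICODE_STRING, InitUnicodeString and IsNameInExpression are stand-ins for the
 * kernel types and for RtlInitUnicodeString / FsRtlIsNameInExpression. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef unsigned short WCHAR;            /* one UTF-16 code unit, as on Windows */
typedef struct {
    unsigned short Length;               /* bytes of text in Buffer, no terminator */
    unsigned short MaximumLength;        /* bytes available in Buffer */
    WCHAR *Buffer;
} UNICODE_STRING;

/* Stand-in for L"..." literals: widen an ASCII string into a WCHAR buffer. */
static WCHAR *Widen(const char *s, WCHAR *buf, size_t cap)
{
    size_t i = 0;
    for (; s[i] != '\0' && i + 1 < cap; i++) buf[i] = (WCHAR)(unsigned char)s[i];
    buf[i] = 0;
    return buf;
}

static size_t WcsLen(const WCHAR *s) { size_t n = 0; while (s[n] != 0) n++; return n; }

/* Model of RtlInitUnicodeString: Length is the byte count of the text. The original
 * post left Length at 0, so the kernel saw an empty expression, not the pattern. */
static void InitUnicodeString(UNICODE_STRING *u, const WCHAR *text)
{
    u->Buffer = (WCHAR *)text;
    u->Length = (unsigned short)(WcsLen(text) * sizeof(WCHAR));
    u->MaximumLength = (unsigned short)(u->Length + sizeof(WCHAR));
}

static WCHAR Upcase(WCHAR c) { return (c >= 'a' && c <= 'z') ? (WCHAR)(c - 'a' + 'A') : c; }

/* Model of FsRtlIsNameInExpression for '*' and '?': a whole-name match of name against
 * expr with backtracking over '*'. Only the Length fields bound the comparison, and only
 * Name is upcased; the caller must pass an uppercase expression when ignoreCase is set. */
static bool IsNameInExpression(const UNICODE_STRING *expr, const UNICODE_STRING *name, bool ignoreCase)
{
    const WCHAR *e = expr->Buffer, *n = name->Buffer;
    size_t elen = expr->Length / sizeof(WCHAR), nlen = name->Length / sizeof(WCHAR);
    size_t ei = 0, ni = 0, starE = (size_t)-1, starN = 0;

    while (ni < nlen) {
        WCHAR c = ignoreCase ? Upcase(n[ni]) : n[ni];
        if (ei < elen && e[ei] == '*') { starE = ei++; starN = ni; continue; }
        if (ei < elen && (e[ei] == '?' || e[ei] == c)) { ei++; ni++; continue; }
        if (starE == (size_t)-1) return false;      /* no '*' to widen: definite mismatch */
        ei = starE + 1; ni = ++starN;               /* let the last '*' absorb one more char */
    }
    while (ei < elen && e[ei] == '*') ei++;         /* a trailing '*' may match nothing */
    return ei == elen;
}

/* Patterns as Daniel's reply requires: uppercase, and led by '*' so the
 * \Device\HarddiskVolumeN\... prefix that fltmgr supplies is absorbed. */
static const char *NotePatterns[] = { "*\\EXPLORER.EXE", "*\\SYSTEM32\\NOTEPAD.EXE" };

/* Corrected CouldItBeNotePad: counted pattern strings, wildcard-led, case-insensitive,
 * returning at the first hit so a later miss cannot overwrite it. */
static bool CouldItBeNotePad(const UNICODE_STRING *name)
{
    for (size_t i = 0; i < sizeof NotePatterns / sizeof NotePatterns[0]; i++) {
        WCHAR buf[64];
        UNICODE_STRING expr;
        InitUnicodeString(&expr, Widen(NotePatterns[i], buf, sizeof buf / sizeof buf[0]));
        if (IsNameInExpression(&expr, name, true))
            return true;
    }
    return false;
}

/* One pattern against one path, both initialised the way the reply recommends. */
static bool Matches(const char *pattern, const char *path)
{
    WCHAR pbuf[128], nbuf[256];
    UNICODE_STRING expr, name;
    InitUnicodeString(&expr, Widen(pattern, pbuf, 128));
    InitUnicodeString(&name, Widen(path, nbuf, 256));
    return IsNameInExpression(&expr, &name, true);
}

/* Same, but with the expression set up as in the original post: Length = 0. */
static bool MatchesWithZeroLength(const char *pattern, const char *path)
{
    WCHAR pbuf[128], nbuf[256];
    UNICODE_STRING expr, name;
    expr.Length = 0;
    expr.MaximumLength = (unsigned short)(128 * sizeof(WCHAR));
    expr.Buffer = Widen(pattern, pbuf, 128);
    InitUnicodeString(&name, Widen(path, nbuf, 256));
    return IsNameInExpression(&expr, &name, true);
}

static bool CouldItBeNotePadPath(const char *path)
{
    WCHAR nbuf[256];
    UNICODE_STRING name;
    InitUnicodeString(&name, Widen(path, nbuf, 256));
    return CouldItBeNotePad(&name);
}

int main(void)
{
    /* Constructed path in the shape fltmgr hands to a pre-create callback. */
    const char *path = "\\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe";
    printf("Length=0, no wildcard : %d\n", MatchesWithZeroLength("\\SYSTEM32\\NOTEPAD.EXE", path));
    printf("counted, no wildcard  : %d\n", Matches("\\SYSTEM32\\NOTEPAD.EXE", path));
    printf("counted, lowercase    : %d\n", Matches("*\\system32\\notepad.exe", path));
    printf("counted, '*' prefix   : %d\n", Matches("*\\SYSTEM32\\NOTEPAD.EXE", path));
    printf("CouldItBeNotePad      : %d\n", CouldItBeNotePadPath(path));
    return 0;
}
```

The first three cases print 0 and the last two print 1: an empty expression never matches a non-empty name, a pattern without the leading '*' is compared from the first character of the full device path, and a lowercase pattern fails because the routine upcases only the name. In a real minifilter two further points apply: FsRtlIsNameInExpression with IgnoreCase TRUE and UpcaseTable NULL has to upcase a copy of Name itself and is documented as requiring PASSIVE_LEVEL, so pass an upcase table if the callback can run higher; and a path match identifies a name, not a binary, since anything can be copied to \Windows\System32\notepad.exe, so treat the result as a hint rather than an identity check.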