I am trying to extract the username in kernel mode using SecLookupAccountSid, but it crashes inside RtlCopyUnicodeString.
Background:
a) implemented a TDI filter driver
b) facing issue on WinXP
c) inside Tdi address object creation i do the following
d) get current processId using PsGetCurrentProcessId
e) find PEPROCESS using PsLookupProcessByProcessId
f) get primary access token corresponding to process using PsReferencePrimaryToken
g) extract the user SID from the process access token using SeQueryInformationToken (TokenUser type)
h) and then try to find username & domain using SecLookupAccountSid
Having searched the net and read various earlier queries on this matter, I have yet to find a solution to this crash. Below is the code snippet, which crashes on calling SecLookupAccountSid (the last line).
Any help will be appreciated !!!
/*
 * Resolve the account name and domain for pSid with SecLookupAccountSid,
 * using two calls: the first with empty UNICODE_STRINGs, the second (only on
 * STATUS_BUFFER_TOO_SMALL) with buffers sized from the lengths the first call
 * wrote back into namelen/domainlen.
 *
 * NOTE(review): this is a fragment. The enclosing function, pSid,
 * NONPAGED_TAG and the closing brace of the if-block are not shown, so any
 * cleanup that happens after the last line cannot be judged from here.
 */
PUNICODE_STRING pName = NULL, pDomain = NULL;
ULONG namelen = 0, domainlen = 0;
SID_NAME_USE sidnameuse = SidTypeUnknown;
NTSTATUS RC;
/* The UNICODE_STRING headers themselves are taken from nonpaged pool. */
pName = ExAllocatePoolWithTag(NonPagedPool, sizeof(UNICODE_STRING), NONPAGED_TAG);
pDomain = ExAllocatePoolWithTag(NonPagedPool, sizeof(UNICODE_STRING), NONPAGED_TAG);
/* NOTE(review): if only one of the two allocations failed, the one that
 * succeeded is not freed before this return, which leaks pool memory. */
if(!pName || !pDomain)
return;
/* Zeroing leaves Length = 0, MaximumLength = 0 and Buffer = NULL. */
RtlZeroMemory(pName, sizeof(UNICODE_STRING));
RtlZeroMemory(pDomain, sizeof(UNICODE_STRING));
/* Sizing call: both length arguments are 0 and both strings are empty. */
RC = SecLookupAccountSid(pSid, &namelen, pName, &domainlen, pDomain, &sidnameuse );
/* Any other status, success included, skips the retry below. */
if(RC==STATUS_BUFFER_TOO_SMALL)
{
/* Grow the reported size by one WCHAR; presumably room for a terminator
 * and presumably a byte count - confirm the unit for the target OS. */
namelen = namelen + sizeof(WCHAR);
pName->Length = 0;
/* NOTE(review): namelen is a ULONG but UNICODE_STRING.MaximumLength is a
 * USHORT, so this assignment narrows silently. Reject values above 0xFFFF
 * before sizing the buffer from them. */
pName->MaximumLength = namelen;
pName->Buffer = ExAllocatePoolWithTag(NonPagedPool, namelen, NONPAGED_TAG);
/* NOTE(review): the buffer is written before it is tested for NULL (the test
 * is at the end of this block). A failed allocation is then written through
 * a NULL pointer, which in kernel mode means a bugcheck. Check the pointer
 * right after the allocation. */
RtlZeroMemory(pName->Buffer, namelen);
/* Same steps for the domain string, with the same narrowing and
 * NULL-ordering concerns as above. */
domainlen = domainlen + sizeof(WCHAR);
pDomain->Length = 0;
pDomain->MaximumLength = domainlen;
pDomain->Buffer = ExAllocatePoolWithTag(NonPagedPool, domainlen, NONPAGED_TAG);
RtlZeroMemory(pDomain->Buffer, domainlen);
/* NOTE(review): this check comes after both buffers were already zeroed, and
 * the return frees nothing: pName, pDomain and whichever buffer was
 * allocated are all leaked. */
if(!pName->Buffer || !pDomain->Buffer)
return;
/* Retry with the allocated buffers; namelen/domainlen now include the extra
 * WCHAR added above.
 * NOTE(review): the post reports the crash inside this call. The snippet
 * does not show the IRQL or thread context of the caller - confirm it runs
 * at PASSIVE_LEVEL, and that the lengths passed match what the routine
 * expects on the target OS. */
RC = SecLookupAccountSid(pSid, &namelen, pName , &domainlen, pDomain, &sidnameuse );