Has anyone solved crash in SecLookupAccountSid

I am trying to extract username in kernel using SecLookupAccountSid. But it crashes inside RtlCopyUnicodeString.

Background:
a) implemented a TDI filter driver
b) facing issue on WinXP
c) inside TDI address object creation I do the following
d) get current processId using PsGetCurrentProcessId
e) find PEPROCESS using PsLookupProcessByProcessId
f) get primary access token corresponding to process using PsReferencePrimaryToken
g) extract the user SID from the process access token using SeQueryInformationToken (TokenUser type)
h) and then try to find username & domain using SecLookupAccountSid

Having searched the net for earlier queries on this matter, I am yet to find a solution to this crash. Below is the code snippet which crashes on calling SecLookupAccountSid (last line).
Any help will be appreciated!!!

PUNICODE_STRING pName = NULL, pDomain = NULL;
ULONG namelen = 0, domainlen = 0;
SID_NAME_USE sidnameuse = SidTypeUnknown;
NTSTATUS RC;

pName = ExAllocatePoolWithTag(NonPagedPool, sizeof(UNICODE_STRING), NONPAGED_TAG);
pDomain = ExAllocatePoolWithTag(NonPagedPool, sizeof(UNICODE_STRING), NONPAGED_TAG);

if(!pName || !pDomain)
    return;

RtlZeroMemory(pName, sizeof(UNICODE_STRING));
RtlZeroMemory(pDomain, sizeof(UNICODE_STRING));

RC = SecLookupAccountSid(pSid, &namelen, pName, &domainlen, pDomain, &sidnameuse);

if(RC == STATUS_BUFFER_TOO_SMALL)
{
    namelen = namelen + sizeof(WCHAR);
    pName->Length = 0;
    pName->MaximumLength = namelen;
    pName->Buffer = ExAllocatePoolWithTag(NonPagedPool, namelen, NONPAGED_TAG);
    RtlZeroMemory(pName->Buffer, namelen);

    domainlen = domainlen + sizeof(WCHAR);
    pDomain->Length = 0;
    pDomain->MaximumLength = domainlen;
    pDomain->Buffer = ExAllocatePoolWithTag(NonPagedPool, domainlen, NONPAGED_TAG);
    RtlZeroMemory(pDomain->Buffer, domainlen);

    if(!pName->Buffer || !pDomain->Buffer)
        return;

    RC = SecLookupAccountSid(pSid, &namelen, pName, &domainlen, pDomain, &sidnameuse);

What IRQL are you running at?

This is unnecessary:
PUNICODE_STRING pName = NULL, pDomain = NULL;

You can just declare them as UNICODE_STRING. If you don’t understand that, you have bigger problems ahead of you.

if(!pName || !pDomain)
return;

This leaks pName if it is valid, but pDomain is null.

pDomain->Buffer = ExAllocatePoolWithTag(NonPagedPool, domainlen, NONPAGED_TAG);
RtlZeroMemory(pDomain->Buffer, domainlen);

if(!pName->Buffer || !pDomain->Buffer)
return;

Again, leaking the second Buffer if the first is valid, but you would never get here in case of failure. You need to check for null before zeroing out the memory.

Two things you must do:
1. Run prefast on your code, fix all errors and warnings
2. Send the output of !analyze -v with correct symbols

d

Sent from my phone


From: xxxxx@yahoo.com
Sent: 12/12/2011 9:18 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Has anyone solved crash in SecLookupAccountSid

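The two-call size-query pattern the snippet above attempts, rewritten along the lines of the reply: UNICODE_STRINGs on the stack, every allocation checked before it is written, MaximumLength set to the byte count actually allocated, and both buffers released on every failure path. This is an added example, not code from the post; it runs in user mode against SimLookupAccountSid, an assumed stand-in that mirrors the documented SecLookupAccountSid contract (sizes in bytes, STATUS_BUFFER_TOO_SMALL with required sizes written back), so the caller's logic can be exercised outside the kernel.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
/* Portable stand-ins for the NT types used by the thread's snippet (added example, not kernel code). */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_BUFFER_TOO_SMALL       ((NTSTATUS)0xC0000023L)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009AL)
typedef struct { uint16_t Length, MaximumLength; wchar_t *Buffer; } UNICODE_STRING;
/* Simulated SecLookupAccountSid (assumption): sizes are byte counts, and a too-small buffer
 * yields STATUS_BUFFER_TOO_SMALL with the required sizes written back. SID ignored; account constructed. */
static NTSTATUS SimLookupAccountSid(const void *Sid, uint32_t *NameSize, UNICODE_STRING *Name,
                                    uint32_t *DomainSize, UNICODE_STRING *Domain) {
    static const wchar_t kName[] = L"jdoe", kDomain[] = L"CORP"; (void)Sid;
    uint32_t needN = (uint32_t)(wcslen(kName) * sizeof(wchar_t)), needD = (uint32_t)(wcslen(kDomain) * sizeof(wchar_t));
    if (*NameSize < needN || *DomainSize < needD) {
        *NameSize = needN; *DomainSize = needD;
        return STATUS_BUFFER_TOO_SMALL;
    }
    memcpy(Name->Buffer, kName, needN);     Name->Length = (uint16_t)needN;
    memcpy(Domain->Buffer, kDomain, needD); Domain->Length = (uint16_t)needD;
    return STATUS_SUCCESS;
}
/* Hardened caller: UNICODE_STRINGs live on the stack, each allocation is checked before it is
 * written, MaximumLength is the byte count actually allocated, and both buffers are released on
 * every failure path (in the kernel, test for NULL before ExFreePool; free(NULL) is harmless). */
static NTSTATUS LookupAccount(const void *Sid, UNICODE_STRING *Name, UNICODE_STRING *Domain) {
    uint32_t nameLen = 0, domainLen = 0;
    memset(Name, 0, sizeof *Name); memset(Domain, 0, sizeof *Domain);
    NTSTATUS rc = SimLookupAccountSid(Sid, &nameLen, Name, &domainLen, Domain);  /* size query */
    if (rc != STATUS_BUFFER_TOO_SMALL) return rc;
    nameLen += sizeof(wchar_t); domainLen += sizeof(wchar_t);                   /* room for L'\0' */
    if (nameLen > UINT16_MAX || domainLen > UINT16_MAX) return STATUS_BUFFER_TOO_SMALL;
    Name->Buffer = calloc(1, nameLen); Domain->Buffer = calloc(1, domainLen); /* = ExAllocatePoolWithTag + RtlZeroMemory */
    if (Name->Buffer && Domain->Buffer) {
        Name->MaximumLength = (uint16_t)nameLen; Domain->MaximumLength = (uint16_t)domainLen;
        rc = SimLookupAccountSid(Sid, &nameLen, Name, &domainLen, Domain);
    } else rc = STATUS_INSUFFICIENT_RESOURCES;
    if (rc != STATUS_SUCCESS) { free(Name->Buffer); free(Domain->Buffer); Name->Buffer = Domain->Buffer = NULL; }
    return rc;
}
/* Resolves a dummy SID and checks the result against expectations; frees both buffers. */
static int ResolveMatches(const wchar_t *expectName, const wchar_t *expectDomain) {
    UNICODE_STRING n, d;
    int ok = LookupAccount(NULL, &n, &d) == STATUS_SUCCESS &&
             wcscmp(n.Buffer, expectName) == 0 && wcscmp(d.Buffer, expectDomain) == 0;
    free(n.Buffer); free(d.Buffer); return ok;
}
```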

IRQL is PASSIVE_LEVEL

if(!pName || !pDomain)
return;

This was a temporary check (a wrong one indeed).
I changed to using UNICODE_STRING as suggested but still it crashes.
Below is the crash dump:

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: b1fbf1fa, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8052ba28, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

READ_ADDRESS: b1fbf1fa

FAULTING_IP:
nt!RtlCopyUnicodeString+34
8052ba28 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: telnet.exe

TRAP_FRAME: b1ed44c4 - (.trap 0xffffffffb1ed44c4)
ErrCode = 00000000
eax=0000001e ebx=0000001e ecx=00000007 edx=b1ed46e4 esi=b1fbf1fa edi=822a3e08
eip=8052ba28 esp=b1ed4538 ebp=b1ed4544 iopl=0 nv up ei pl nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203
nt!RtlCopyUnicodeString+0x34:
8052ba28 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER: from 804f8e09 to 8052b5ec

STACK_TEXT:
b1ed3ff8 804f8e09 00000003 b1fbf1fa 00000000 nt!RtlpBreakWithStatusInstruction
b1ed4044 804f99f4 00000003 00000000 c058fdf8 nt!KiBugCheckDebugBreak+0x19
b1ed4424 804f9f43 00000050 b1fbf1fa 00000000 nt!KeBugCheck2+0x574
b1ed4444 8052037a 00000050 b1fbf1fa 00000000 nt!KeBugCheckEx+0x1b
b1ed44ac 80544588 00000000 b1fbf1fa 00000000 nt!MmAccessFault+0x9a8
b1ed44ac 8052ba28 00000000 b1fbf1fa 00000000 nt!KiTrap0E+0xd0
b1ed4544 f845d3ed 822a3e08 b1ed4664 823afa60 nt!RtlCopyUnicodeString+0x34
b1ed466c f845798f 00000000 b1ed46fc b1ed46f8 KSecDD!SecpLookupAccountSid+0x187
b1ed469c b2945776 e17b28e0 b1ed46f8 b1ed46fc KSecDD!SecLookupAccountSid+0x59
b1ed473c b2943e51 82395588 823afa50 823afae4 ProcFlow!TF_TdiOpenAddress+0x246 [d:\coding\windows\sample\epsec-agent\tdi-driver\tdiagent\sys\addrobj.c @ 619]
b1ed4788 b294434b 82395588 823afa50 823afae4 ProcFlow!TF_Create+0xb1 [d:\coding\windows\sample\epsec-agent\tdi-driver\tdiagent\sys\tdiflow.c @ 483]
b1ed47e0 804ef19f 823954d0 823afa50 823afa50 ProcFlow!TF_DefaultDispatch+0x16b [d:\coding\windows\sample\epsec-agent\tdi-driver\tdiagent\sys\tdiflow.c @ 778]
b1ed47f0 805831fa 8213f970 822a27a4 b1ed4988 nt!IopfCallDriver+0x31
b1ed48d0 805bf450 8213f988 00000000 822a2700 nt!IopParseDevice+0xa12
b1ed4948 805bb9dc 00000000 b1ed4988 00000240 nt!ObpLookupObjectName+0x53c
b1ed499c 80576033 00000000 00000000 53919c00 nt!ObOpenObjectByName+0xea
b1ed4a18 805769aa 823355a0 02000000 b1ed4bc0 nt!IopCreateFile+0x407
b1ed4a74 b2cde65e 823355a0 02000000 b1ed4bc0 nt!IoCreateFile+0x8e
b1ed4c30 b2ce52d7 824f7500 82454330 b1ed4c64 afd!AfdBind+0x34e
b1ed4c40 804ef19f 824541a8 822b7b48 806e6410 afd!AfdDispatchDeviceControl+0x53
b1ed4c50 8057f982 822b7c24 824f7500 822b7b48 nt!IopfCallDriver+0x31
b1ed4c64 805807f7 824541a8 822b7b48 824f7500 nt!IopSynchronousServiceTail+0x70
b1ed4d00 80579274 00000710 00000728 00000000 nt!IopXxxControlFile+0x5c5
b1ed4d34 8054162c 00000710 00000728 00000000 nt!NtDeviceIoControlFile+0x2a
b1ed4d34 7c90e4f4 00000710 00000728 00000000 nt!KiFastCallEntry+0xfc
0099ed84 7c90d26c 71a54efc 00000710 00000728 ntdll!KiFastSystemCallRet
0099ed88 71a54efc 00000710 00000728 00000000 ntdll!NtDeviceIoControlFile+0xc
0099ee40 71ab44cd 00000710 0099ee90 00000010 mswsock!WSPBind+0x1ab
0099ee64 01005760 00000710 0099ee90 00000080 WS2_32!bind+0x50
0099f014 01005974 0102aca0 00000000 00000000 telnet!FProcessFDOOB+0x144
0099f22c 01003676 0102aca0 0099f878 0102aca0 telnet!FConnectToServer+0x30
0099f984 0100b46f 0099fbac 00034d18 00030164 telnet!OpenTelnetSession+0x3ce
0099ffb4 7c80b713 0102aca0 00034d18 00030164 telnet!DoTelnetCommands+0x12a
0099ffec 00000000 0100b345 0102aca0 00000000 kernel32!BaseThreadStart+0x37

STACK_COMMAND: kb

FOLLOWUP_IP:
KSecDD!SecpLookupAccountSid+187
f845d3ed eb1c jmp KSecDD!SecpLookupAccountSid+0x1a5 (f845d40b)

SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: KSecDD!SecpLookupAccountSid+187

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: KSecDD

IMAGE_NAME: KSecDD.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4802518c

FAILURE_BUCKET_ID: 0x50_KSecDD!SecpLookupAccountSid+187

BUCKET_ID: 0x50_KSecDD!SecpLookupAccountSid+187

Followup: MachineOwner

Any help from anyone???