How to convert an address to UNICODE_STRING

0: kd> dc 0xfffff880`05be4000
fffff880`05be4000  00560050 004f004d 00450044 70240000  A.B.C.D.E.F...$p
fffff880`05be4010  24748b48 01b04178 8b48d38b f38b44ce  H.t$xA....H..D..
fffff880`05be4020  ffef7fe8 75c085ff 858b4818 000000b0  ...u.H...
fffff880`05be4030  48ce8b48 ff30508b 0db82850 eb000000  H..H.P0.P(......
fffff880`05be4040  2b3e8b5e fe0348df 2774db85 4ccb8b44  ^.>+.H...t'D...L
fffff880`05be4050  8a41c78b cd8b48d5 24748948 efcae820  ..A..H..H.t$ ...
fffff880`05be4060  8b44ffff 75c085e0 14478b4d 2bf80348  ...D...uM.G.H...+
fffff880`05be4070  44d975d8 d233068b 45cd8b48 034cf02b  .u.D...3.H...E+.L.

I have this string ABCDEF (6 characters) at the address 0xfffff880`05be4000. I need to convert it to a UNICODE_STRING string.
RtlInitUnicodeString() was the one I could think of, but it does not take a string length.

pVarNameAdd is the address which points to 0xfffff880`05be4000.
UNICODE_STRING inputString;
What RTL call can help me?

Rtlxxxx(&inputString, (xxx)pVarNameAdd, …); –> Something like this. Please advise. Thanks

RtlInitUnicodeString will set

inputString.Buffer = pVarNameAdd;
inputString.Length = (USHORT)(wcslen(pVarNameAdd) * sizeof(WCHAR));          /* bytes, terminator not counted */
inputString.MaximumLength = (USHORT)(inputString.Length + sizeof(WCHAR));   /* the NUL wcslen stopped at is in the buffer */

Why did you want a function that takes a string length? Do you actually want a copy of pVarNameAdd?

Thanks Jeff. Wow it is that simple? So in my case it would be:

inputString.Buffer = pVarNameAdd;
inputString.Length = 6 * sizeof(WCHAR);
inputString.MaximumLength = inputString.Length+ sizeof(WCHAR);

Then using the inputString I should be able to do:

DECLARE_GLOBAL_CONST_UNICODE_STRING(AbcdStr, L"ABCDEF");

RtlCompareUnicodeString(&AbcdStr, &inputString, FALSE);

And the above string should compare right? Sorry I am at home so cant test this out right now.

If the string is not NULL terminated, wcslen is not going to work. Santhosh, your code is almost correct; one small change:

inputString.MaximumLength = inputString.Length;

since there is no NULL after “ABCDEF”, MaximumLength is the same as Length. There is no need to describe enough space for a NULL if there is no NULL present in the buffer.

d
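What d's correction looks like in practice, as an added example that is not code from the thread. It is user-mode C so it can be built anywhere: the UNICODE_STRING typedef, init_counted and compare_ustr are stand-ins written for this example, not the kernel's ntddk.h types or RTL routines (compare_ustr only folds ASCII case, where RtlCompareUnicodeString uses NLS tables), the sample buffer is constructed, and CONST_USTR plays the role of DECLARE_GLOBAL_CONST_UNICODE_STRING. In a driver you would fill the struct the same way and call the real RtlCompareUnicodeString.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal user-mode stand-ins for the NT types (this example's own, not ntddk.h). */
typedef uint16_t WCHAR;          /* 16-bit code unit, as on Windows */
typedef uint16_t USHORT;
typedef struct _UNICODE_STRING {
    USHORT Length;        /* bytes in use; never includes a terminator */
    USHORT MaximumLength; /* bytes available at Buffer */
    WCHAR *Buffer;
} UNICODE_STRING;

/* Constructed sample: six WCHARs "ABCDEF" with unrelated, non-zero data
 * directly behind them and no terminating NUL, the case d describes. */
static WCHAR g_raw[] = { 'A', 'B', 'C', 'D', 'E', 'F', 0x7024, 0x8b48, 0x4874 };

/* NUL-terminated literals standing in for DECLARE_GLOBAL_CONST_UNICODE_STRING. */
static WCHAR g_abcdef_lit[]   = { 'A', 'B', 'C', 'D', 'E', 'F', 0 };
static WCHAR g_abcdef_lower[] = { 'a', 'b', 'c', 'd', 'e', 'f', 0 };

/* Like DECLARE_CONST_UNICODE_STRING: Length excludes the literal's NUL,
 * MaximumLength includes it because that NUL really is in memory. */
#define CONST_USTR(arr) { (USHORT)(sizeof(arr) - sizeof(WCHAR)), (USHORT)sizeof(arr), (arr) }

static UNICODE_STRING g_expected = CONST_USTR(g_abcdef_lit);
static UNICODE_STRING g_lower    = CONST_USTR(g_abcdef_lower);

/* Describe an existing, unterminated run of nchars WCHARs without copying.
 * Length == MaximumLength: there is no NUL, so no room for one is claimed.
 * Caller guarantees nchars * sizeof(WCHAR) fits in a USHORT. */
static void init_counted(UNICODE_STRING *us, WCHAR *buf, size_t nchars)
{
    us->Buffer = buf;
    us->Length = (USHORT)(nchars * sizeof(WCHAR));
    us->MaximumLength = us->Length;
}

static WCHAR upcase_ascii(WCHAR c)
{
    return (c >= 'a' && c <= 'z') ? (WCHAR)(c - 'a' + 'A') : c;
}

/* Portable stand-in for RtlCompareUnicodeString: <0, 0 or >0 like the real
 * one, but it only folds ASCII case (the kernel routine uses NLS tables).
 * It reads exactly Length/2 code units from each side and never looks for a NUL. */
static long compare_ustr(const UNICODE_STRING *a, const UNICODE_STRING *b, int case_insensitive)
{
    size_t na = a->Length / sizeof(WCHAR), nb = b->Length / sizeof(WCHAR);
    size_t n = na < nb ? na : nb;
    for (size_t i = 0; i < n; i++) {
        WCHAR ca = a->Buffer[i], cb = b->Buffer[i];
        if (case_insensitive) { ca = upcase_ascii(ca); cb = upcase_ascii(cb); }
        if (ca != cb) return (long)ca - (long)cb;
    }
    return (long)na - (long)nb;   /* common prefix equal: shorter sorts first */
}

/* 1 if the first nchars WCHARs at buf compare equal to "ABCDEF", else 0. */
static int matches_abcdef(WCHAR *buf, size_t nchars)
{
    UNICODE_STRING in;
    init_counted(&in, buf, nchars);
    return compare_ustr(&g_expected, &in, 0) == 0;
}

int main(void)
{
    UNICODE_STRING in;
    init_counted(&in, g_raw, 6);
    printf("Length=%u MaximumLength=%u equal=%d\n",
           (unsigned)in.Length, (unsigned)in.MaximumLength,
           compare_ustr(&g_expected, &in, 0) == 0);
    /* Describing 7 units drags in the 0x7024 behind the name and the compare
     * fails; a wcslen()-based RtlInitUnicodeString would have done the same,
     * reading on through g_raw until it happened to find a zero word. */
    printf("7 units equal=%d\n", matches_abcdef(g_raw, 7));
    printf("case-insensitive vs \"abcdef\": %d\n",
           compare_ustr(&g_expected, &g_lower, 1) == 0);
    return 0;
}
```

The thing to notice is that nothing here ever scans for a terminator: the six-unit view compares equal, the seven-unit view does not, and the only reason the 0x7024 behind the name is harmless is that Length stops the compare before it.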

If you’re using wcslen in a context like this, be mindful of the fact that a UNICODE_STRING can only encode a USHORT count of bytes (if you’re dealing with non-static input). Otherwise you may inadvertently chop off your string.

- S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, January 26, 2011 6:35 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to convert an address to UNICODE_STRING



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
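S's USHORT warning, as an added example in user-mode C that is not code from the thread. The types and both init routines are stand-ins written for this example: init_naive does what a plain wcslen-then-cast does, and init_checked is modelled on RtlInitUnicodeStringEx, which refuses oversized input with STATUS_NAME_TOO_LONG (0xC0000106 is that code's documented value; the exact cutoff MAX_COUNTED_BYTES is this example's own choice). The long input string is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint16_t WCHAR;
typedef uint16_t USHORT;
typedef int32_t  NTSTATUS;
typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;

#define STATUS_SUCCESS       ((NTSTATUS)0x00000000)
#define STATUS_NAME_TOO_LONG ((NTSTATUS)0xC0000106)   /* documented NTSTATUS value */

/* Largest Length for which MaximumLength = Length + sizeof(WCHAR) still
 * fits a USHORT. The real RtlInitUnicodeStringEx applies a bound of this
 * kind and returns STATUS_NAME_TOO_LONG; the exact constant is this example's. */
#define MAX_COUNTED_BYTES ((size_t)0xFFFC)

static size_t wcslen16(const WCHAR *s) { size_t n = 0; while (s[n]) n++; return n; }

/* What RtlInitUnicodeString effectively does with an oversized source: the
 * byte count is narrowed to USHORT and the high bits silently disappear. */
static void init_naive(UNICODE_STRING *us, WCHAR *src)
{
    size_t bytes = wcslen16(src) * sizeof(WCHAR);
    us->Buffer = src;
    us->Length = (USHORT)bytes;                          /* truncating cast */
    us->MaximumLength = (USHORT)(bytes + sizeof(WCHAR));
}

/* Checked variant modelled on RtlInitUnicodeStringEx: refuses instead of
 * truncating, leaves an empty string on failure, and treats a NULL source
 * as the empty string. */
static NTSTATUS init_checked(UNICODE_STRING *us, WCHAR *src)
{
    us->Buffer = NULL;
    us->Length = 0;
    us->MaximumLength = 0;
    if (src == NULL) return STATUS_SUCCESS;
    size_t bytes = wcslen16(src) * sizeof(WCHAR);
    if (bytes > MAX_COUNTED_BYTES) return STATUS_NAME_TOO_LONG;
    us->Buffer = src;
    us->Length = (USHORT)bytes;
    us->MaximumLength = (USHORT)(bytes + sizeof(WCHAR));
    return STATUS_SUCCESS;
}

/* Constructed input: a NUL-terminated string of nchars 'A's (caller frees). */
static WCHAR *make_string(size_t nchars)
{
    WCHAR *s = malloc((nchars + 1) * sizeof(WCHAR));
    if (!s) abort();
    for (size_t i = 0; i < nchars; i++) s[i] = 'A';
    s[nchars] = 0;
    return s;
}

/* Length field init_naive records for a string of nchars characters. */
static unsigned naive_length_for(size_t nchars)
{
    WCHAR *s = make_string(nchars);
    UNICODE_STRING us;
    init_naive(&us, s);
    unsigned len = us.Length;
    free(s);
    return len;
}

/* Status init_checked returns for a string of nchars characters. */
static NTSTATUS checked_status_for(size_t nchars)
{
    WCHAR *s = make_string(nchars);
    UNICODE_STRING us;
    NTSTATUS st = init_checked(&us, s);
    free(s);
    return st;
}

int main(void)
{
    /* 70000 chars = 140000 bytes = 0x222E0; a USHORT keeps 0x22E0 = 8928,
     * so a later copy or compare would quietly use only the first 4464 chars. */
    printf("naive Length for 70000 chars: %u (wanted 140000)\n", naive_length_for(70000));
    printf("checked init, 70000 chars: 0x%08X\n", (unsigned)checked_status_for(70000));
    printf("checked init, 32766 chars: 0x%08X\n", (unsigned)checked_status_for(32766));
    return 0;
}
```

The naive path is the dangerous one precisely because it fails quietly: the string looks valid, just shorter, and whatever consumes it (a name compare, a registry write, an ACL lookup) operates on a prefix the caller never intended.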

Thank you all very much, I am good to go. This case might be closed.

> since there is no NULL after “ABCDEF”, MaximumLength is the same as Length. There is no need
> to describe enough space for a NULL if there is no NULL present in the buffer.

IIRC there was some very strange API which actually required UNICODE_STRING to be NULL-terminated.

Forgot what it was (registry?), but it was really this strange, and the fact was even documented.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Max, that isn’t very helpful :). I expect it not to be the registry; when setting a REG_SZ, the registry code doesn’t even validate whether there is a terminating NULL or not.

d

The obvious question would be -

If a counted string is NULL (i.e. \0 or ‘0’), what would be the value of the length field? AFAIK, the whole idea of a counted string is to get rid of the possible confusion of an assumed null-terminated string, which is not always the case. And sometimes good for stack smashing ...

So IMO, if any counted string is null terminated, then it is not well formed!
-pro

On Jan 30, 2011, at 1:42 PM, Maxim S. Shatskih wrote:

“Prokash Sinha” wrote in message news:xxxxx@ntdev…
> The obvious question would be -
>
> If a counted string is NULL ( i.e. \0 or ‘0’ ), what would be the value
> of length field?

Counted strings can have embedded 0 chars. A counted string “\0” has one
null char, so its Length == sizeof(wchar_t).
This is how one can make funny filenames and registry entries ;)
If a counted string is NULL (string.Buffer = NULL) then both MaximumLength
and Length better be 0.

– pa

Then what should be the length of “a\0”? Two or one?

-pro

On Jan 30, 2011, at 4:05 PM, Pavel A. wrote:

“Prokash Sinha” wrote in message news:xxxxx@ntdev…
> Then what should be the length of “a\0”? Two or one?
>
> -pro

As you wish. For a counted string, it can be two. If you pass it to
RtlInitString() - then one.

Regards,
–pa


However it was true for at least older versions of NT (and when I say
old I mean OLD), that putting non null terminated strings into some
registry values was a recipe for unmitigated disaster. So the OLD
HANDS here simply got into the habit of null terminating
UNICODE_STRING strings as a best practice.

The length of a null terminated unicode string, to answer another
question, includes the null terminator.

If the OS and all apps were written using UNICODE_STRING as the
fundamental string type, life would be good in a UNICODE_STRING world.
However that is not the reality, so UNICODE_STRING strings are a PITA.

Mark Roddy

On Sun, Jan 30, 2011 at 5:36 PM, wrote:

Amusing trivia – NDIS’s datatype NDIS_STRING technically requires NULL termination. But NDIS_STRING is (on NT) typedef’d to UNICODE_STRING. Since Win98 died, the difference between NDIS_STRING and UNICODE_STRING has muddied a little bit.

Generally NDIS makes an effort to forcibly NULL-terminate any strings coming in from 3rd party drivers, before exposing those strings to *other* third-party drivers. (In other words, Postel’s law has even crept into our string routines!) But I suggest you don’t get cute and give us NDIS_STRINGs without null-termination. Fortunately, you usually have to *try* to obtain such a string.

(If you use NdisString.Buffer = L"Blah Blah"; then the programming language will leave a NULL terminator in memory, even if one isn’t technically part of the NdisString, i.e., you don’t include it in the NdisString.Length. Enough code relies on this [inside and outside of Microsoft] that I suppose it’s fine.)
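Pavel's point about embedded NULs and NULL buffers, Mark's habit of keeping a terminator around, and the NDIS note about literals leaving a NUL in memory all come down to a few checks a receiver can make. The following is an added example in user-mode C, not code from the thread or from NDIS: the typedef is a stand-in for the NT one, the validation policy in is_well_formed and has_terminator_in_bounds is this example's own rather than any RTL or NDIS routine, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t WCHAR;
typedef uint16_t USHORT;
typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;

static size_t wcslen16(const WCHAR *s) { size_t n = 0; while (s[n]) n++; return n; }

/* The RtlInitUnicodeString view of a literal: Length stops at the first NUL;
 * the literal's own terminator is still in memory, so MaximumLength counts it. */
static UNICODE_STRING from_literal(WCHAR *lit)
{
    UNICODE_STRING us;
    us.Buffer = lit;
    us.Length = (USHORT)(wcslen16(lit) * sizeof(WCHAR));
    us.MaximumLength = (USHORT)(us.Length + sizeof(WCHAR));
    return us;
}

/* The counted view: exactly nchars code units, NULs included, nothing spare. */
static UNICODE_STRING from_counted(WCHAR *buf, size_t nchars)
{
    UNICODE_STRING us = { (USHORT)(nchars * sizeof(WCHAR)), (USHORT)(nchars * sizeof(WCHAR)), buf };
    return us;
}

/* Structural checks before trusting a UNICODE_STRING from another component
 * (this example's policy). A NULL Buffer is only legal with both counts 0. */
static int is_well_formed(const UNICODE_STRING *us)
{
    if (us->Length % sizeof(WCHAR) || us->MaximumLength % sizeof(WCHAR)) return 0;
    if (us->Length > us->MaximumLength) return 0;
    if (us->Buffer == NULL) return us->Length == 0 && us->MaximumLength == 0;
    return 1;
}

/* 1 if a NUL sits inside the counted part, where wcslen()/%ws would stop early. */
static int has_embedded_nul(const UNICODE_STRING *us)
{
    for (size_t i = 0; i < us->Length / sizeof(WCHAR); i++)
        if (us->Buffer[i] == 0) return 1;
    return 0;
}

/* 1 if Buffer may be handed to a C-string consumer as-is: the slot just past
 * Length exists within MaximumLength and holds a NUL. This is the property
 * NDIS establishes by writing the NUL itself before passing a string on. */
static int has_terminator_in_bounds(const UNICODE_STRING *us)
{
    if (!is_well_formed(us) || us->Buffer == NULL) return 0;
    size_t n = us->Length / sizeof(WCHAR), cap = us->MaximumLength / sizeof(WCHAR);
    return n < cap && us->Buffer[n] == 0;
}

/* Constructed samples. */
static WCHAR g_a_nul[] = { 'a', 0 };                                  /* "a\0" */
static WCHAR g_name[]  = { 'B','l','a','h',' ','B','l','a','h', 0 };  /* L"Blah Blah" */

int main(void)
{
    UNICODE_STRING lit  = from_literal(g_name);         /* Length 18, MaximumLength 20 */
    UNICODE_STRING two  = from_counted(g_a_nul, 2);     /* Pavel's "a\0" as counted: 4 bytes */
    UNICODE_STRING one  = from_literal(g_a_nul);        /* same bytes via RtlInit: 2 bytes */
    UNICODE_STRING nul  = from_counted(g_a_nul + 1, 1); /* "\0" alone: Length 2, not 0 */
    UNICODE_STRING none = { 0, 0, NULL };               /* the only valid NULL-buffer form */

    printf("literal: Length=%u Max=%u terminated=%d\n",
           (unsigned)lit.Length, (unsigned)lit.MaximumLength, has_terminator_in_bounds(&lit));
    printf("\"a\\0\" counted: Length=%u embedded NUL=%d terminated=%d\n",
           (unsigned)two.Length, has_embedded_nul(&two), has_terminator_in_bounds(&two));
    printf("\"a\\0\" via init: Length=%u terminated=%d\n",
           (unsigned)one.Length, has_terminator_in_bounds(&one));
    printf("\"\\0\": Length=%u; NULL buffer well-formed=%d\n",
           (unsigned)nul.Length, is_well_formed(&none));
    return 0;
}
```

The same two code units "a\0" come out as Length 4 when described as a counted string and Length 2 when run through the RtlInit-style path, which is exactly Pavel's "as you wish"; has_terminator_in_bounds is the check to run before letting anything that expects a C string near Buffer.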