I need help to understand the following code in scanner MS sample minifilter

I am seeing the following code in the scanner minifilter sample code converting an array of UCHAR to PWCHAR and finding the number of strings as shown below. Is this correct code?

----------------- snip -------------------
ch = (PWCHAR)(valueBuffer->Data);

count = 0;

//  Count how many strings are in the multi string

while (*ch != '\0') {

    ch = ch + wcslen( ch ) + 1;
    count++;
}
------------------------ end --------------------------
Here is the declaration of variable for your reference.

ULONG TitleIndex;
ULONG DataLength;
_Field_size_bytes_(DataLength) UCHAR Data[1]; // Variable size

My question is how the finding of the number of strings will work when the input is a multi string in UCHAR format. For example, say this is the input “Abc Def”. When I checked the “Abc Def” sample input, “wcslen” is showing 16 in the first iteration inside the loop. I want to understand how 16 comes here.

String data is stored in wide-characters in the kernel. So your “Abc Def” string is actually stored in bytes as 7 wide characters (14 bytes) plus a wide character null terminator for a total of 16 bytes. The KEY_VALUE_PARTIAL_INFORMATION structure just uses a placeholder byte in the structure and dynamically fills whatever buffer is available to be filled. The only thing I would change about the sample code would be to change the while loop to compare to a wide-character literal L'\0', but that’s just because I’m picky, ha ha.

Thanks for clarification.

Any time I see MULTI_SZ parsing in a driver I cringe… Just want to point out that this code is inherently unsafe in that the Registry does not guarantee that string values are:

  1. Properly NULL terminated.

  2. A multiple of sizeof(WCHAR)

So, you can make this code go off a cliff by putting some arbitrary, non-NULL terminated junk in the MULTI_SZ value.

The value being read here is under a somewhat restrictive ACL so you could say that makes it “safe” for the sample. It wouldn’t take much to fix but I’d be careful about duplicating this code as is elsewhere.
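
A bounded version of the string count that checks the two conditions listed in the last reply, as an added example that is not part of the thread or of the Microsoft sample. `count_multi_sz`, `WCHAR16` and the byte arrays are hypothetical names, and rejecting a value that lacks the final empty string is a policy assumed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the 2-byte Windows WCHAR so this builds outside the WDK (assumption). */
typedef uint16_t WCHAR16;

/*
 * Count the strings in a REG_MULTI_SZ blob without reading past data_len.
 * Returns 0 and sets *count on success, -1 if the blob is malformed.
 * Policy assumed for this example: fail closed unless the list ends with
 * an empty string (the double terminator).
 */
int count_multi_sz(const unsigned char *data, size_t data_len, size_t *count)
{
    size_t nchars, i = 0, n = 0;

    if (data == NULL || count == NULL) return -1;
    if (data_len % sizeof(WCHAR16) != 0) return -1;  /* not a multiple of sizeof(WCHAR) */
    nchars = data_len / sizeof(WCHAR16);

    while (i < nchars) {
        size_t start = i;
        WCHAR16 c;
        do {                                  /* bounded replacement for wcslen() */
            if (i == nchars) return -1;       /* end of buffer reached, no terminator */
            memcpy(&c, data + i * sizeof c, sizeof c);  /* Data is UCHAR[], no alignment assumed */
            i++;
        } while (c != 0);
        if (i - start == 1) { *count = n; return 0; }   /* empty string ends the list */
        n++;
    }
    return -1;                                /* final empty string is missing */
}

/* Constructed sample values (UTF-16LE bytes), not taken from a real registry. */
static const unsigned char good_value[] = { 'A',0,'b',0,'c',0, 0,0, 'D',0,'e',0,'f',0, 0,0, 0,0 };
static const unsigned char no_terminator[] = { 'A',0,'b',0,'c',0 };
static const unsigned char odd_length[] = { 'A',0, 0,0, 0 };

int main(void)
{
    size_t n = 0;
    int rc = count_multi_sz(good_value, sizeof good_value, &n);
    printf("good: rc=%d count=%zu\n", rc, n);
    printf("no terminator: rc=%d\n", count_multi_sz(no_terminator, sizeof no_terminator, &n));
    printf("odd length: rc=%d\n", count_multi_sz(odd_length, sizeof odd_length, &n));
    return 0;
}
```

In a driver the `data_len` argument would come from the `DataLength` field returned with the value, so the scan is limited to what the Registry actually wrote.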