I am using the scanner sample minifilter to create a driver and service that blocks access to certain executables. I added a field to the _SCANNER_NOTIFICATION structure to send the file name and process id to the usermode app so that it now looks like this:
    typedef struct _SCANNER_NOTIFICATION {
        ULONG BytesToScan;
        ULONG Reserved;
        UCHAR Contents[SCANNER_READ_BUFFER_SIZE];
        UCHAR FileName[256];
        ULONG ProcessId;
    } SCANNER_NOTIFICATION, *PSCANNER_NOTIFICATION;
I use FltGetFileNameInformation to get a PFLT_FILE_NAME_INFORMATION object named “nameInfo” which exposes the file name as a UNICODE_STRING. So at this point I need to fix one of two problems:
1. I can’t declare the FileName field of the Scanner_Notification structure as UNICODE_STRING because that results in “error C2061: syntax error : identifier ‘UNICODE_STRING’”
2. Since I can’t fix #1, I have to convert the UNICODE_STRING nameInfo->FileName to my UCHAR FileName. I am attempting to use WideCharToMultiByte but according to MSDN docs it requires that I include windows.h. When I do that and compile, I get a lot of conflicts with fltKernel.h showing a list of over 100 errors (mostly redefinition issues from header files that both use). If I don’t include windows.h, I get two errors:
c:\users\chris\desktop\scanner\filter\scanner.c(630) : error C4013: ‘WideCharToMultiByte’ undefined; assuming extern returning int
c:\users\chris\desktop\scanner\filter\scanner.c(631) : error C2065: ‘CP_UTF8’ : undeclared identifier
I am a novice in C\C++. Any help is greatly appreciated. I can send you the code (about 200K zipped) if you need it.
Thanks,
Chris
You have either messed up the include files or are trying to build the
driver in a non-standard way (i.e. not with the standard build environment
of the WDK). You have multiple problems here, first the FileName can be a
lot larger than 256 (i.e. 32K), windows.h is only a user space include you
can never include it in a driver, and WideCharToMultiByte is only a user
space function.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
Use RtlUnicodeStringToAnsiString, then use a simple strcpy into the UCHAR buffer you want. (Make sure you do a RtlFreeAnsiString if you set the last parameter of RtlUnicodeStringToAnsiString to TRUE.)
Date: Tue, 8 Apr 2008 14:11:35 -0400
Subject: [ntfsd] IFS minifilter Problem Accessing WideCharToMultiByte (from Kernel32.lib)
From: xxxxx@redbeardweb.com
To: xxxxx@lists.osr.com
NTFSD is sponsored by OSR
For our schedule debugging and file system seminars (including our new fs mini-filter seminar) visit: http://www.osr.com/seminars
You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
Two points:
- Why not do the following?
      UCHAR Contents[SCANNER_READ_BUFFER_SIZE];
      UINT FileNameLength;
      WCHAR FileName[256];
You can of course do away with the FileNameLength so long as you
ensure the FileName field has a null terminator. But for safety in
string manipulation, most would recommend keeping a length associated
with a character array.
- Look in the WDK documentation for functions starting RtlXxxxx, not
that you should need them for this, but that’s where you’ll find
character conversion functions.
Mark.
thanks guys, this should get me moving in the right direction.
UNICODE_STRING is a simple way to handle 16-bit Unicode strings that allows safe code to be used. It contains a pointer to a buffer of 16-bit characters and two counts: the size of the buffer and the number of 8-bit bytes of data in the string. The correct way to count characters is that count divided by the sizeof(WSTR). There is no EOS (end of string) character present or if present it is not part of the count. Most call that a NULL, but I really hate that since it is not required that a NULL be a zero and may not be on some hardware when referring to pointers vice string terminators.
The full path and file name of the file may be as large as 64KB or 32K characters. Do NOT assume a hardwired 256 or any other value. You can know the length and allocate it as required even if you need to start with 64KB initially. I love to work down a directory tree that exceeds 2K characters just to blow up stuff. It helps me to decide if I should use a product.
Anytime the characters ‘kernel32’ are strung together it means user mode. It may be partially implemented in real kernel mode such as win32k.sys, but that driver is not accessible to real kernel mode components except under EXTREMELY narrow conditions.
I hope you have the WDK 6001.18000 or the 18001 variation so you can use the latest headers.
You may want to consider defining your own data types for the ‘BytesToScan’ such as MY_UINT32 so the kernel component and user component will always be in sync. Think about 64-bit versions of the OS too since many data items double in size in that environment. In Visual Studio for the application be sure to use the option to flag places where there might be a problem if 64-bit was to be used.
I guess the structure SCANNER_NOTIFICATION needs to be POD (Plain Old Data), so he cannot use UNICODE_STRING in it. Don’t convert it to ANSI, because you can lose information depending on the current code page. If you want to store it in a char array, use UTF8. You can find the algorithm on unicode.org. You can convert it back to UTF16 in user mode. If I were you I would use Mark’s recommendation, so I would change it to a WCHAR array, but with variable size. Declare it WCHAR FileName[1];, but allocate sizeof(SCANNER_NOTIFICATION) + lengthof(Filename)*sizeof(WCHAR). I wouldn’t rely on a terminating null character, so add a FilenameLength field.
-bg
> UCHAR FileName[256];
I would never ever use ANSI pathnames in system-level Windows software.
Use WCHARs instead.
Also note that the NT native pathname can be by far longer than 256 chars.
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
> Also note that the NT native pathname can be by far longer than 256
> chars.
… and even user-mode _MAX_PATH is 260…
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-320623-
xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Wednesday, April 09, 2008 6:14 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] IFS minifilter Problem Accessing
WideCharToMultiByte (from Kernel32.lib)
> UCHAR FileName[256];
I would never ever use ANSI pathnames in system-level Windows software.
Use WCHARs instead.
Also note that the NT native pathname can be by far longer than 256
chars.
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
No user mode for ASCII only, if you choose the UNICODE version of the
function it is 32768 Wide Characters.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
“Alex Shvedov” wrote in message news:xxxxx@ntfsd…
>> Also note that the NT native pathname can be by far longer than 256
>> chars.
> … and even user-mode _MAX_PATH is 260…
Maxim,
You say to use WCHAR. Excuse my ignorance but, how would I convert the UNICODE_STRING to a WCHAR array? I didn’t see a specific RtlXxxx function for that. I usually live in a .NET world where all this stuff is abstracted for me.
> You say to use WCHAR. Excuse my ignorance but, how would I convert the UNICODE_STRING to a WCHAR array?
> I didn’t see a specific RtlXxxx function for that.
> I usually live in a .NET world where all this stuff is abstracted for me.
If you see the structure of UNICODE_STRING, you will find that the Buffer is actually an array of WCHAR.
This might or might not be NULL terminated.
Actual no. of elements = string.Length / sizeof(WCHAR).
Now it shouldn’t be hard to convert it.
Regards,
Ayush Gupta
I got a little further but I keep running full speed into a wall. I ended up changing my FileName field to be a PWSTR which works fine in user and kernel mode. But I still can’t get the UNICODE_STRING’s buffer to copy to my new string. This is what I’m trying:
    status = RtlStringCbCopyUnicodeString(
        notification->FileName
        ,nameInfo->FinalComponent.Length/sizeof(WCHAR)
        ,&nameInfo->FinalComponent);
nameInfo is a PFLT_FILE_NAME_INFORMATION object.
notification is my structure with FileName being defined as “PWSTR FileName;”
This produces an “Access violation - code c0000005 (!!! second chance !!!)” in my WinDbg console. Any help?
Have you tried something like:
wcsncpy(notification->FileName, nameInfo->FinalComponent.Buffer, nameInfo->FinalComponent.Length/sizeof(WCHAR));
> Date: Fri, 11 Apr 2008 10:42:00 -0400
> From: xxxxx@redbeardweb.com
> To: xxxxx@lists.osr.com
> Subject: RE:[ntfsd] IFS minifilter Problem Accessing WideCharToMultiByte (from Kernel32.lib)
Well, for one thing, you’re using the wrong size. The second argument
should be the size of the destination buffer, in bytes.
nameInfo->FinalComponent.Length is the size of the unicode string
buffer, in bytes. Dividing it by sizeof (WCHAR) gives you the length in
WCHARs. Neither of these is the right thing to be passing. What you
should use instead is sizeof (notification->FileName) if it’s a static
length array in your notification struct, which I’m assuming it is.
If it indeed is an array, you should be using &notification->FileName as
well.
~Eric
> If it indeed is an array, you should be using &notification->FileName
> as well.
I’ve lied, you don’t need that. By the way, the UNICODE string
functions only work at PASSIVE_LEVEL.
~Eric
Eric, you rock! Got that part working, thanks.
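Added example, not part of the thread: a portable C model of the layout bg and Mark suggest (a WCHAR tail with an explicit length) combined with Eric's point that the sizes involved are byte counts, not character counts. COUNTED_WSTR is a stand-in for UNICODE_STRING, and NOTIFY_MSG, build_notify and notify_name_chars are hypothetical names; a driver would use the WDK's own types and allocation routines instead of stdint.h and calloc.

```c
/* Added example: portable C model, not WDK code; all names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef uint16_t wchar16;          /* 16-bit character, like WCHAR */
typedef struct {                   /* stand-in for UNICODE_STRING */
    uint16_t Length;               /* bytes in use, terminator not counted */
    uint16_t MaximumLength;        /* bytes available in Buffer */
    const wchar16 *Buffer;         /* not guaranteed to be NUL-terminated */
} COUNTED_WSTR;
typedef struct {                   /* flat message: fixed-width fields only */
    uint32_t ProcessId;
    uint32_t FileNameLength;       /* bytes used in FileName */
    wchar16  FileName[];           /* C99 form of the FileName[1] idiom */
} NOTIFY_MSG;

/* Sender: allocate header + name bytes and copy by byte count.
   Returns NULL for a malformed counted string or a failed allocation. */
NOTIFY_MSG *build_notify(uint32_t pid, const COUNTED_WSTR *name, size_t *size)
{
    if (name->Length % sizeof(wchar16) != 0 ||
        name->Length > name->MaximumLength ||
        (name->Length != 0 && name->Buffer == NULL))
        return NULL;
    size_t total = sizeof(NOTIFY_MSG) + name->Length;
    NOTIFY_MSG *msg = calloc(1, total);
    if (msg == NULL) return NULL;
    msg->ProcessId = pid;
    msg->FileNameLength = name->Length;
    if (name->Length != 0)
        memcpy(msg->FileName, name->Buffer, name->Length);
    *size = total;
    return msg;
}

/* Receiver: check the length field against the bytes actually received
   before reading FileName. Returns the character count, or -1. */
long notify_name_chars(const void *buf, size_t received)
{
    const NOTIFY_MSG *msg = buf;
    if (received < sizeof(NOTIFY_MSG) ||
        msg->FileNameLength % sizeof(wchar16) != 0 ||
        msg->FileNameLength > received - sizeof(NOTIFY_MSG))
        return -1;
    return (long)(msg->FileNameLength / sizeof(wchar16));
}

int main(void)
{
    wchar16 raw[300];              /* constructed 300-character name, no NUL */
    for (int i = 0; i < 300; i++) raw[i] = (wchar16)'a';
    COUNTED_WSTR name = { (uint16_t)sizeof raw, (uint16_t)sizeof raw, raw };
    size_t size = 0;
    NOTIFY_MSG *msg = build_notify(1234, &name, &size);
    printf("%ld chars in %zu bytes\n", msg ? notify_name_chars(msg, size) : -1L, size);
    free(msg);
    return 0;
}
```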