need help with filterdriver

I got a bug when I try to follow a tutorial from a book. The filter driver
registered/loaded and after all parameters to the hooked function are in
my defined variable: http://pastebin.com/rLDbKSe5 and the call to my
filter function is done: http://pastebin.com/V8jxNFcj I got an error in
RtlUnicodeStringToAnsiString. This is my bugcheck:
http://pastebin.com/PMbzD39Y

The filter driver should look for
NoChangingWallPaper, DisableTaskMgr, NoControlPanel and disable them if
they are set.

Maybe someone can help. I free the memory at the end but it's complaining
about invalid system memory which got referenced…

benny_reichelt wrote:

I got a bug when I try to follow a tutorial from a book. The filter driver
registered/loaded and after all parameters to the hooked function are in
my defined variable: http://pastebin.com/rLDbKSe5 and the call to my
filter function is done: http://pastebin.com/V8jxNFcj I got an error in
RtlUnicodeStringToAnsiString. This is my bugcheck:
http://pastebin.com/PMbzD39Y

The Unicode translation tables are very large. As a result, they are
stored in pageable memory. That is why each function that needs them –
including RtlUnicodeStringToAnsiString – is marked as being callable
only at PASSIVE_LEVEL. My guess is you are calling this from a raised IRQL.

The easy solution, and one that should have occurred to you from the
beginning, is to store all of your strings in Unicode. Then no
translation is needed. It takes three extra characters per line to do that:

wchar_t NoChangingWallPaper[MAX_SZ_VALUENAME] = L"NoChangingWallPaper";
wchar_t DisableTaskMgr[MAX_SZ_VALUENAME] = L"DisableTaskMgr";
wchar_t NoControlPanel[MAX_SZ_VALUENAME] = L"NoControlPanel";

I would point out, however, that it is silly for you to size these
arrays at MAX_SZ_VALUENAME. These are constants. There is no need to
make them any larger than the strings they hold. Also, because you did
not make those statics, the compiler will generate code to copy the
characters into those arrays every time the function runs. That’s wasteful.

static wchar_t NoChangingWallPaper[] = L"NoChangingWallPaper";
static wchar_t DisableTaskMgr[] = L"DisableTaskMgr";
static wchar_t NoControlPanel[] = L"NoControlPanel";

Or even:

static wchar_t * NoChangingWallPaper = L"NoChangingWallPaper";
static wchar_t * DisableTaskMgr = L"DisableTaskMgr";
static wchar_t * NoControlPanel = L"NoControlPanel";


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
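
Added example, not part of the thread and not the poster's or Tim Roberts's code: one way to match a counted wide-character value name against the three static constants with no ANSI conversion. COUNTED_WSTR is a hypothetical stand-in for UNICODE_STRING so the code builds outside the WDK; classify_value_name and classify_chars are illustrative names, and the case folding is assumed to cover ASCII only.

```c
#include <stddef.h>
#include <wchar.h>

/* Hypothetical stand-in for UNICODE_STRING so this builds outside the WDK.
   Length is in BYTES; Buffer is not guaranteed to be NUL-terminated. */
typedef struct {
    unsigned short Length;
    unsigned short MaximumLength;
    const wchar_t *Buffer;
} COUNTED_WSTR;

/* Static, compiler-sized constants: no per-call copy, no padding. */
static const wchar_t NoChangingWallPaper[] = L"NoChangingWallPaper";
static const wchar_t DisableTaskMgr[]      = L"DisableTaskMgr";
static const wchar_t NoControlPanel[]      = L"NoControlPanel";

/* Fold ASCII letters only (an assumption that fits these constants). */
static wchar_t fold_ascii(wchar_t c) {
    return (c >= L'A' && c <= L'Z') ? (wchar_t)(c - L'A' + L'a') : c;
}

/* Compare a counted string with a constant of n characters (NUL excluded). */
static int equals_const(const COUNTED_WSTR *s, const wchar_t *k, size_t n) {
    size_t i;
    if (s == NULL || s->Buffer == NULL) return 0;
    if (s->Length != n * sizeof(wchar_t)) return 0;   /* byte count must match */
    for (i = 0; i < n; i++)
        if (fold_ascii(s->Buffer[i]) != fold_ascii(k[i])) return 0;
    return 1;
}
#define EQUALS_CONST(s, k) equals_const((s), (k), sizeof(k) / sizeof((k)[0]) - 1)

/* Returns 1, 2 or 3 for the three watched value names, 0 otherwise. */
int classify_value_name(const COUNTED_WSTR *name) {
    if (EQUALS_CONST(name, NoChangingWallPaper)) return 1;
    if (EQUALS_CONST(name, DisableTaskMgr))      return 2;
    if (EQUALS_CONST(name, NoControlPanel))      return 3;
    return 0;
}

/* Helper for constructed samples: wrap the first n_chars of buf. */
int classify_chars(const wchar_t *buf, size_t n_chars) {
    COUNTED_WSTR s;
    s.Length = s.MaximumLength = (unsigned short)(n_chars * sizeof(wchar_t));
    s.Buffer = buf;
    return classify_value_name(&s);
}

/* Constructed input: only the first 14 characters belong to the name. */
int main(void) { return classify_chars(L"DisableTaskMgr_tail", 14) == 2 ? 0 : 1; }
```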