将句柄(Handle_Object_Attributes)转换为wstring

时间:2019-07-19 15:31:32

标签: c++

我正在尝试将以下代码中的RootDirectory转换为wstring。这段代码不断抛出xstring异常错误,为什么?

// Replacement routine for ZwOpenKey as posted in the question. This first
// version only tries to read ObjectAttributes->RootDirectory as a string.
// NOTE(review): the function is declared to return NTSTATUS but no path
// returns a value.
NTSTATUS __stdcall ZwOpenKey_Hook(OUT PHANDLE pKeyHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes)
{
    // NOTE(review): ObjectAttributes is dereferenced without a NULL check.
    if (ObjectAttributes->RootDirectory != 0) {
        // RootDirectory is a HANDLE: an opaque value that names an object, not
        // the address of a std::wstring. The C-style cast reinterprets that
        // value as a std::wstring* and the copy constructor then reads through
        // it, which is consistent with the access violation (0xC0000005)
        // reported from <xstring>. A handle carries no string; the object's
        // name has to be queried from the system for that handle.
        std::wstring myval = *(std::wstring*)ObjectAttributes->RootDirectory;
    }
}

代码可以正常编译,但是会引发异常错误(代码0xC0000005-访问冲突)。

再进一步……下面的代码仍然在第一个ExAllocatePoolWithTag上引发异常错误(访问冲突):

定义:

// Looks up four routines by name at run time and stores each address in a
// function pointer that carries the routine's own name.
//
// NOTE(review): "NtosKrnl.lib" is the name of a link-time import library, not
// of a module loaded into the process, so GetModuleHandle is expected to
// return NULL here -- confirm by inspecting hDll_NtosKrnl.
// NOTE(review): GetModuleHandle/GetProcAddress are user-mode Win32 calls, so
// this code presumably runs in user mode. ExAllocatePoolWithTag is a
// kernel-mode pool allocator and is not available to a user-mode process; the
// Rtl* string routines below are exported to user mode by ntdll.dll.
// NOTE(review): none of the GetProcAddress results is checked. A failed lookup
// leaves the pointer NULL, and the first call through it faults, which matches
// the access violation reported at the first ExAllocatePoolWithTag call.
HMODULE hDll_NtosKrnl = GetModuleHandle(TEXT("NtosKrnl.lib"));
    // Pool allocator: (pool type, size in bytes, four-character tag) -> pointer.
    typedef PVOID(__stdcall * ExAllocatePoolWithTagFunc)(__drv_strictTypeMatch(__drv_typeExpr)POOL_TYPE PoolType, SIZE_T NumberOfBytes, ULONG Tag);
    ExAllocatePoolWithTagFunc ExAllocatePoolWithTag = (ExAllocatePoolWithTagFunc)GetProcAddress(hDll_NtosKrnl, "ExAllocatePoolWithTag");
    // Copies SourceString into DestinationString.
    typedef VOID(__stdcall * RtlCopyUnicodeStringFunc)(PUNICODE_STRING  DestinationString, PCUNICODE_STRING SourceString);
    RtlCopyUnicodeStringFunc RtlCopyUnicodeString = (RtlCopyUnicodeStringFunc)GetProcAddress(hDll_NtosKrnl, "RtlCopyUnicodeString");
    // Appends a NUL-terminated wide string to Destination.
    // NOTE(review): the documented routine returns NTSTATUS; declaring it VOID
    // here discards the status that reports a too-small destination buffer.
    typedef VOID(__stdcall * RtlAppendUnicodeToStringFunc)(PUNICODE_STRING Destination, PCWSTR Source);
    RtlAppendUnicodeToStringFunc RtlAppendUnicodeToString = (RtlAppendUnicodeToStringFunc)GetProcAddress(hDll_NtosKrnl, "RtlAppendUnicodeToString"); 
    // Appends one UNICODE_STRING to another.
    // NOTE(review): same as above -- the documented return type is NTSTATUS.
    typedef VOID(__stdcall * RtlAppendUnicodeStringToStringFunc)(PUNICODE_STRING  Destination, PCUNICODE_STRING Source);
    RtlAppendUnicodeStringToStringFunc RtlAppendUnicodeStringToString = (RtlAppendUnicodeStringToStringFunc)GetProcAddress(hDll_NtosKrnl, "RtlAppendUnicodeStringToString");

代码:

// Replacement routine for ZwOpenKey. When the caller supplies a RootDirectory
// handle, it tries to build "<name of RootDirectory object>\<ObjectName>" in
// full_path, then forwards the unmodified arguments to ZwOpenKey and returns
// its status.
//
// NOTE(review): full_path is built but never read, returned or stored.
// NOTE(review): none of the three allocations is released anywhere in this
// function, so every call that takes the RootDirectory branch leaks them.
// NOTE(review): the path is assembled from a private copy of ObjectName, but
// the forwarded call uses the caller's original ObjectAttributes. If full_path
// is ever used for an allow/deny decision, the caller could change the string
// between the copy and the real call -- verify against the intended use.
NTSTATUS __stdcall ZwOpenKey_Hook(OUT PHANDLE pKeyHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes)
{
    // NOTE(review): ObjectAttributes (and ObjectName below) are dereferenced
    // without a NULL check.
    if (ObjectAttributes->RootDirectory != 0) {  // a non-null RootDirectory means the root object's name and ObjectName->Buffer must be combined to form the complete path
        UNICODE_STRING full_path;
        POBJECT_NAME_INFORMATION nameInformation = NULL;
        HANDLE kRootDirectory;
        UNICODE_STRING kObjectName;
        full_path.Buffer = NULL;
        kObjectName.Buffer = NULL;
        // Size the private copy exactly like the caller's string.
        kObjectName.Length = ObjectAttributes->ObjectName->Length;
        kObjectName.MaximumLength = ObjectAttributes->ObjectName->MaximumLength;
        // "<ERROR>" on the next line is the author's marker for the statement
        // that faults; it is not part of the code.
        // NOTE(review): the allocation result is not checked before
        // RtlCopyUnicodeString writes through kObjectName.Buffer.
<ERROR> kObjectName.Buffer = (PWSTR)ExAllocatePoolWithTag(NonPagedPool, kObjectName.MaximumLength, 'mmoP');
        RtlCopyUnicodeString(&kObjectName, ObjectAttributes->ObjectName);
        kRootDirectory = ObjectAttributes->RootDirectory;

        // Fixed 1024-byte buffer for the root object's name.
        nameInformation = (POBJECT_NAME_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, 1024, 'mmoP');
        if (nameInformation)
        {
            // NULL is passed for the returned-length argument, so a name that
            // does not fit in 1024 bytes makes the query fail and the branch
            // is skipped without any retry using a larger buffer.
            if (NT_SUCCESS(ZwQueryObject(kRootDirectory, ObjectNameInformation, nameInformation, 1024, NULL)))
            {
                // Room for both names, the separator and a terminator.
                // NOTE(review): MaximumLength is a USHORT, so the sum is
                // truncated if the combined length exceeds 65535 -- verify.
                full_path.MaximumLength = nameInformation->Name.Length + kObjectName.Length + 2 + sizeof(WCHAR);
                // NOTE(review): allocation result is not checked before
                // RtlZeroMemory writes to full_path.Buffer.
                full_path.Buffer = (PWSTR)ExAllocatePoolWithTag(NonPagedPool, full_path.MaximumLength, 'mmoP');
                RtlZeroMemory(full_path.Buffer, full_path.MaximumLength);
                // root name, then "\", then the caller's relative name
                RtlCopyUnicodeString(&full_path, &(nameInformation->Name));
                RtlAppendUnicodeToString(&full_path, L"\\");
                RtlAppendUnicodeStringToString(&full_path, &kObjectName);
            }
        }
    }
    // Forward the caller's arguments unchanged.
    // NOTE(review): whether ZwOpenKey here reaches the original routine or
    // re-enters this hook depends on how the hook is installed, which is not
    // shown.
    return ZwOpenKey(pKeyHandle, DesiredAccess, ObjectAttributes);
}

有人有什么建议吗?我还不想放弃这一点。我只是想将RootDirectory和ObjectName->Buffer串联在一起,为什么这是一个如此困难的任务?

0 个答案:

没有答案