我正在尝试将以下代码中的RootDirectory
转换为wstring。这段代码不断抛出xstring异常错误,为什么?
NTSTATUS __stdcall ZwOpenKey_Hook(OUT PHANDLE pKeyHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes)
{
if (ObjectAttributes->RootDirectory != 0) {
std::wstring myval = *(std::wstring*)ObjectAttributes->RootDirectory;
}
}
代码可以正常编译,但是会引发异常错误(代码0xC0000005-访问冲突)。
再近一步....下面的代码仍然在第一个ExAllocatePoolWithTag上引发异常错误(访问冲突);
定义:
HMODULE hDll_NtosKrnl = GetModuleHandle(TEXT("NtosKrnl.lib"));
typedef PVOID(__stdcall * ExAllocatePoolWithTagFunc)(__drv_strictTypeMatch(__drv_typeExpr)POOL_TYPE PoolType, SIZE_T NumberOfBytes, ULONG Tag);
ExAllocatePoolWithTagFunc ExAllocatePoolWithTag = (ExAllocatePoolWithTagFunc)GetProcAddress(hDll_NtosKrnl, "ExAllocatePoolWithTag");
typedef VOID(__stdcall * RtlCopyUnicodeStringFunc)(PUNICODE_STRING DestinationString, PCUNICODE_STRING SourceString);
RtlCopyUnicodeStringFunc RtlCopyUnicodeString = (RtlCopyUnicodeStringFunc)GetProcAddress(hDll_NtosKrnl, "RtlCopyUnicodeString");
typedef VOID(__stdcall * RtlAppendUnicodeToStringFunc)(PUNICODE_STRING Destination, PCWSTR Source);
RtlAppendUnicodeToStringFunc RtlAppendUnicodeToString = (RtlAppendUnicodeToStringFunc)GetProcAddress(hDll_NtosKrnl, "RtlAppendUnicodeToString");
typedef VOID(__stdcall * RtlAppendUnicodeStringToStringFunc)(PUNICODE_STRING Destination, PCUNICODE_STRING Source);
RtlAppendUnicodeStringToStringFunc RtlAppendUnicodeStringToString = (RtlAppendUnicodeStringToStringFunc)GetProcAddress(hDll_NtosKrnl, "RtlAppendUnicodeStringToString");
代码:
NTSTATUS __stdcall ZwOpenKey_Hook(OUT PHANDLE pKeyHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes)
{
if (ObjectAttributes->RootDirectory != 0) { // means that "Rootdirectory" & "ObjectName->Buffer" must be combined to form complete path
UNICODE_STRING full_path;
POBJECT_NAME_INFORMATION nameInformation = NULL;
HANDLE kRootDirectory;
UNICODE_STRING kObjectName;
full_path.Buffer = NULL;
kObjectName.Buffer = NULL;
kObjectName.Length = ObjectAttributes->ObjectName->Length;
kObjectName.MaximumLength = ObjectAttributes->ObjectName->MaximumLength;
<ERROR> kObjectName.Buffer = (PWSTR)ExAllocatePoolWithTag(NonPagedPool, kObjectName.MaximumLength, 'mmoP');
RtlCopyUnicodeString(&kObjectName, ObjectAttributes->ObjectName);
kRootDirectory = ObjectAttributes->RootDirectory;
nameInformation = (POBJECT_NAME_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, 1024, 'mmoP');
if (nameInformation)
{
if (NT_SUCCESS(ZwQueryObject(kRootDirectory, ObjectNameInformation, nameInformation, 1024, NULL)))
{
full_path.MaximumLength = nameInformation->Name.Length + kObjectName.Length + 2 + sizeof(WCHAR);
full_path.Buffer = (PWSTR)ExAllocatePoolWithTag(NonPagedPool, full_path.MaximumLength, 'mmoP');
RtlZeroMemory(full_path.Buffer, full_path.MaximumLength);
RtlCopyUnicodeString(&full_path, &(nameInformation->Name));
RtlAppendUnicodeToString(&full_path, L"\\");
RtlAppendUnicodeStringToString(&full_path, &kObjectName);
}
}
}
return ZwOpenKey(pKeyHandle, DesiredAccess, ObjectAttributes);
}
有人有什么建议吗?我还不想放弃这一点。我只是想将RootDirectory
与ObjectName->Buffer
串联在一起,为什么这是一个如此困难的任务?