Convert Handle (Handle_Object_Attributes) To wstring

0

I am trying to convert the RootDirectory in the code below, to a wstring. This code keeps throwing an xstring exception error, why?

NTSTATUS __stdcall ZwOpenKey_Hook(OUT PHANDLE pKeyHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes)
{
    if (ObjectAttributes->RootDirectory != 0) {
        std::wstring myval = *(std::wstring*)ObjectAttributes->RootDirectory;
    }
}

The code compiles fine, but throws an exception error (code 0xC0000005 - Access Violation).

One step closer .... the code below still throws an exception error (access violation) on the first ExAllocatePoolWithTag;

Definitions:

HMODULE hDll_NtosKrnl = GetModuleHandle(TEXT("NtosKrnl.lib"));
    typedef PVOID(__stdcall * ExAllocatePoolWithTagFunc)(__drv_strictTypeMatch(__drv_typeExpr)POOL_TYPE PoolType, SIZE_T NumberOfBytes, ULONG Tag);
    ExAllocatePoolWithTagFunc ExAllocatePoolWithTag = (ExAllocatePoolWithTagFunc)GetProcAddress(hDll_NtosKrnl, "ExAllocatePoolWithTag");
    typedef VOID(__stdcall * RtlCopyUnicodeStringFunc)(PUNICODE_STRING  DestinationString, PCUNICODE_STRING SourceString);
    RtlCopyUnicodeStringFunc RtlCopyUnicodeString = (RtlCopyUnicodeStringFunc)GetProcAddress(hDll_NtosKrnl, "RtlCopyUnicodeString");
    typedef VOID(__stdcall * RtlAppendUnicodeToStringFunc)(PUNICODE_STRING Destination, PCWSTR Source);
    RtlAppendUnicodeToStringFunc RtlAppendUnicodeToString = (RtlAppendUnicodeToStringFunc)GetProcAddress(hDll_NtosKrnl, "RtlAppendUnicodeToString"); 
    typedef VOID(__stdcall * RtlAppendUnicodeStringToStringFunc)(PUNICODE_STRING  Destination, PCUNICODE_STRING Source);
    RtlAppendUnicodeStringToStringFunc RtlAppendUnicodeStringToString = (RtlAppendUnicodeStringToStringFunc)GetProcAddress(hDll_NtosKrnl, "RtlAppendUnicodeStringToString");

Code:

NTSTATUS __stdcall ZwOpenKey_Hook(OUT PHANDLE pKeyHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes)
{
    if (ObjectAttributes->RootDirectory != 0) {  // means that "Rootdirectory" & "ObjectName->Buffer" must be combined to form complete path
        UNICODE_STRING full_path;
        POBJECT_NAME_INFORMATION nameInformation = NULL;
        HANDLE kRootDirectory;
        UNICODE_STRING kObjectName;
        full_path.Buffer = NULL;
        kObjectName.Buffer = NULL;
        kObjectName.Length = ObjectAttributes->ObjectName->Length;
        kObjectName.MaximumLength = ObjectAttributes->ObjectName->MaximumLength;
<ERROR> kObjectName.Buffer = (PWSTR)ExAllocatePoolWithTag(NonPagedPool, kObjectName.MaximumLength, 'mmoP');
        RtlCopyUnicodeString(&kObjectName, ObjectAttributes->ObjectName);
        kRootDirectory = ObjectAttributes->RootDirectory;

        nameInformation = (POBJECT_NAME_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, 1024, 'mmoP');
        if (nameInformation)
        {
            if (NT_SUCCESS(ZwQueryObject(kRootDirectory, ObjectNameInformation, nameInformation, 1024, NULL)))
            {
                full_path.MaximumLength = nameInformation->Name.Length + kObjectName.Length + 2 + sizeof(WCHAR);
                full_path.Buffer = (PWSTR)ExAllocatePoolWithTag(NonPagedPool, full_path.MaximumLength, 'mmoP');
                RtlZeroMemory(full_path.Buffer, full_path.MaximumLength);
                RtlCopyUnicodeString(&full_path, &(nameInformation->Name));
                RtlAppendUnicodeToString(&full_path, L"\\");
                RtlAppendUnicodeStringToString(&full_path, &kObjectName);
            }
        }
    }
    return ZwOpenKey(pKeyHandle, DesiredAccess, ObjectAttributes);
}

Does anyone have any suggestions? I don't want to give up on this one just yet. I'm only trying to concatenate the RootDirectory with ObjectName->Buffer, why is this such a difficult task?

c++
asked on Stack Overflow Jul 19, 2019 by 99Boboster99 • edited Jul 20, 2019 by 99Boboster99

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0