M
matt_sykes
OK, I finally gave up messing around with this funciton. I even
specified the optional domaine unicode string.
Here is the output form dv:
domainelen = 0x400
namebuffer = struct _UNICODE_STRING ""
nameuse = 0 (No matching enumerant)
namelen = 0x400
domainbuffer = struct _UNICODE_STRING ""
UNICODE_STRINGS are heap allocated, the irql is passive level.
Sometimes it returns gibberish with a return STATUS_SUCCESS, sometimes
it crashes. In both cases the SID is the same
(S-1-5-21-1935655697-507921405-682003330-20811)
Here is the stack when it crashes: (from windbg)
ab1e57a0 f75343ed 897ad008 ab1e58c0 00000000 nt!RtlCopyUnicodeString
+0x34
ab1e58c8 f752e98f 00000000 ab1e594c ab1e5958 ksecdd!
SecpLookupAccountSid+0x187
ab1e58f8 f7559a4e e1f9a02c ab1e5958 ab1e594c ksecdd!SecLookupAccountSid
+0x59
Taking a look at the UNICODE_STRING params to RtlInitUnicodeString we
see:
Destination string:
0: kd> dt nt!_UNICODE_STRING 897ad008
"" +0x000 Length : 0
+0x002 MaximumLength : 0
+0x004 Buffer : (null)
Source string:
0: kd> dt nt!_UNICODE_STRING ab1e58c0
"--- memory read error at address 0xab3027ae ---"
+0x000 Length : 0xc
+0x002 MaximumLength : 0xc
+0x004 Buffer : 0xab3027ae "--- memory read error at
address 0xab3027ae ---"
Note that neither of these are the addres of the strings passed in to
SecLookupAccountSid() which are at
0: kd> dt nt!_UNICODE_STRING ab1e594c
"Ô"
+0x000 Length : 0xa
+0x002 MaximumLength : 0x400
+0x004 Buffer : 0x897ac800 "Ô"
and
0: kd> dt nt!_UNICODE_STRING 0xab1e595c
""
+0x000 Length : 0xc
+0x002 MaximumLength : 0x400
+0x004 Buffer : 0x897ad008 ""
This is the actual ereror:
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-
except,
it must be protected by a Probe. Typically the address is just plain
bad or it
is pointing at freed memory.
Arguments:
Arg1: ab3027ae, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 804f2dba, If non-zero, the instruction address which referenced
the bad memory
address.
Arg4: 00000000, (reserved)
As you can see the address referenced is the bufer address of the
source unicode string passed to RtlCopyUnicodeString();
I only wanted to trace the logged on user by name rather than SID
since its easier to read. Is there any other way of doing this in
kernel mode?
specified the optional domaine unicode string.
Here is the output form dv:
domainelen = 0x400
namebuffer = struct _UNICODE_STRING ""
nameuse = 0 (No matching enumerant)
namelen = 0x400
domainbuffer = struct _UNICODE_STRING ""
UNICODE_STRINGS are heap allocated, the irql is passive level.
Sometimes it returns gibberish with a return STATUS_SUCCESS, sometimes
it crashes. In both cases the SID is the same
(S-1-5-21-1935655697-507921405-682003330-20811)
Here is the stack when it crashes: (from windbg)
ab1e57a0 f75343ed 897ad008 ab1e58c0 00000000 nt!RtlCopyUnicodeString
+0x34
ab1e58c8 f752e98f 00000000 ab1e594c ab1e5958 ksecdd!
SecpLookupAccountSid+0x187
ab1e58f8 f7559a4e e1f9a02c ab1e5958 ab1e594c ksecdd!SecLookupAccountSid
+0x59
Taking a look at the UNICODE_STRING params to RtlInitUnicodeString we
see:
Destination string:
0: kd> dt nt!_UNICODE_STRING 897ad008
"" +0x000 Length : 0
+0x002 MaximumLength : 0
+0x004 Buffer : (null)
Source string:
0: kd> dt nt!_UNICODE_STRING ab1e58c0
"--- memory read error at address 0xab3027ae ---"
+0x000 Length : 0xc
+0x002 MaximumLength : 0xc
+0x004 Buffer : 0xab3027ae "--- memory read error at
address 0xab3027ae ---"
Note that neither of these are the addres of the strings passed in to
SecLookupAccountSid() which are at
0: kd> dt nt!_UNICODE_STRING ab1e594c
"Ô"
+0x000 Length : 0xa
+0x002 MaximumLength : 0x400
+0x004 Buffer : 0x897ac800 "Ô"
and
0: kd> dt nt!_UNICODE_STRING 0xab1e595c
""
+0x000 Length : 0xc
+0x002 MaximumLength : 0x400
+0x004 Buffer : 0x897ad008 ""
This is the actual ereror:
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-
except,
it must be protected by a Probe. Typically the address is just plain
bad or it
is pointing at freed memory.
Arguments:
Arg1: ab3027ae, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 804f2dba, If non-zero, the instruction address which referenced
the bad memory
address.
Arg4: 00000000, (reserved)
As you can see the address referenced is the bufer address of the
source unicode string passed to RtlCopyUnicodeString();
I only wanted to trace the logged on user by name rather than SID
since its easier to read. Is there any other way of doing this in
kernel mode?