UNICODE_STRING from nonpaged pool

Hi,

Is it possible to make UNICODE_STRING “Buffer” to be allocated from
non-paged pool? In the Remarks section of “RtlInitUnicodeString” it is
mentioned as “Callers of RtlInitUnicodeString can be running at IRQL <=
DISPATCH_LEVEL if the DestinationString buffer is nonpageable.”

I searched the Internet but couldn’t find any relevant information :frowning:

Thanks,
Lloyd

On Sep 1, 2014, at 9:31 PM, Lloyd wrote:

> Is it possible to make UNICODE_STRING “Buffer” to be allocated from non-paged pool? In the Remarks section of “RtlInitUnicodeString” it is mentioned as “Callers of RtlInitUnicodeString can be running at IRQL <= DISPATCH_LEVEL if the DestinationString buffer is nonpageable.”

You can allocate the memory from wherever you want. Remember, however, that the Unicode tables in the kernel are in paged memory, so many of the Unicode manipulation routines can’t be run at a raised IRQL.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

are you looking for
#define MYTAG 'GtyM'
#define MySize MyfabulousSize
PUNICODE_STRING buff = ExAllocatePoolWithTag(NonPagedPool | XXXX, MySize, MYTAG);
if (buff)
{
    RtlInitUnicodeString(buff, L"what a wonderful day today is");
    dowhatever();
}

On 9/2/14, Lloyd wrote:
> Hi,
>
> Is it possible to make UNICODE_STRING “Buffer” to be allocated from
> non-paged pool? In the Remarks section of “RtlInitUnicodeString” it is
> mentioned as “Callers of RtlInitUnicodeString can be running at IRQL <=
> DISPATCH_LEVEL if the DestinationString buffer is nonpageable.”
>
> I searched the Internet but couldn’t find any relevant information :frowning:
>
> Thanks,
> Lloyd
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

Thank you Tim. Based on your reply, I would like to make my question more
clear. I was *assuming* that “RtlInitUnicodeString” will allocate the
“Buffer” in “UNICODE_STRING”. I came to this assumption based on a
sample driver code I have seen. Is this assumption wrong?

If this assumption is wrong, I would be doing it in the following way :-

UNICODE_STRING myString;

myString.Buffer =ExAllocatePoolWithTag(NonPagedPoolNx,…);

RtlInitUnicodeString(&myString,…);

What is right?

Thanks a lot,

Lloyd

Did you mean

PUNICODE_STRING buff;
buff.Buffer = ExAllocatePoolWithTag(NonPagedPool | XXXX ,MySize,MYTAG);

Thanks,
Lloyd

no

kd> bl
0 eu 0001 (0001) (exalloc!DriverEntry)

kd> g
Breakpoint 0 hit
exalloc!DriverEntry:
faf3949a 8bff mov edi,edi
kd> lsa .
1: #include <ntddk.h>
2: DRIVER_INITIALIZE DriverEntry;
3: DRIVER_UNLOAD DriverUnload;
4: void DriverUnload( PDRIVER_OBJECT DriverObject )
5: {
6: DbgPrint("Driver unloading\n");
7: }
8: NTSTATUS
9: DriverEntry( __in PDRIVER_OBJECT DriverObject, __in
PUNICODE_STRING RegistryPath )
> 10: {
11: PUNICODE_STRING buff;
12: DriverObject->DriverUnload = DriverUnload;
13: DbgPrint( "Allocating a buffer in nonPagedPool with tag mytg \n" );
14: buff = ( PUNICODE_STRING ) ExAllocatePoolWithTag(
NonPagedPool , 0x100 , 'gtyM' );
15: RtlInitUnicodeString( buff ,L"what a wonderful day this is");
16: DbgPrint("%S\n",buff->Buffer);
17: return STATUS_SUCCESS;
18: }
kd> p 4
exalloc!DriverEntry+0x5:
faf3949f 8b4508 mov eax,dword ptr [ebp+8]
exalloc!DriverEntry+0x9:
faf394a3 684895f3fa push offset exalloc! ??
::FNODOBFM::`string' (faf39548)
Allocating a buffer in nonPagedPool with tag mytg
exalloc!DriverEntry+0x1a:
faf394b4 c704244d797467 mov dword ptr [esp],6774794Dh
exalloc!DriverEntry+0x30:
faf394ca 680e95f3fa push offset exalloc! ??
::FNODOBFM::`string' (faf3950e)
kd> r $t0 = @eax
kd> ? @$t0
Evaluate expression: -2129110536 = 811859f8

kd> !pool @$t0 2
Pool page 811859f8 region is Nonpaged pool
*811859f0 size: 108 previous size: 10 (Allocated) *Mytg
Owning component : Unknown (update pooltag.txt)
kd> db @$t0 l10
811859f8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …
kd> p
exalloc!DriverEntry+0x3c:
faf394d6 ff7604 push dword ptr [esi+4]
kd> db @$t0 l10
811859f8 38 00 3a 00 0e 95 f3 fa-00 00 00 00 00 00 00 00 8.:…
kd> dS @$t0
faf3950e “what a wonderful day this is”
kd> dt nt!_pool_header 811859f0
+0x000 PreviousSize : 0y000000010 (0x2)
+0x000 PoolIndex : 0y0000000 (0)
+0x002 BlockSize : 0y000100001 (0x21)
+0x002 PoolType : 0y0000101 (0x5)
+0x000 Ulong1 : 0xa210002
+0x004 ProcessBilled : 0x6774794d _EPROCESS
+0x004 PoolTag : 0x6774794d
+0x004 AllocatorBackTraceIndex : 0x794d
+0x006 PoolTagHash : 0x6774
kd> dt nt!_UNICODE_STRING @$t0
“what a wonderful day this is”
+0x000 Length : 0x38
+0x002 MaximumLength : 0x3a
+0x004 Buffer : 0xfaf3950e “what a wonderful day this is”

Hey Lloyd,
As people above have already said, you need to allocate a UNICODE_STRING size of memory, not just the buffer.
The UNICODE_STRING is a struct which has more than just a buffer and therefore needs memory space to set the other struct members as well as the buffer itself.
To make raj’s code a bit more clear for you:

PUNICODE_STRING buff;
buff = ExAllocatePoolWithTag(NonPagedPool, sizeof(UNICODE_STRING), MYTAG);
if (buff != NULL) {
    RtlInitUnicodeString(buff, L"Your string");
}

This should do.
The explanation is again - allocating a sizeof(UNICODE_STRING) which makes buff usable for RtlInitUnicodeString, and let RtlInitUnicodeString init the Buffer of the UNICODE_STRING.

Good luck,
Daniel

if your question is about how i can be sure that Rtlinituni provides a
buffer that is guaranteed to be in NonPagedPool

i am not sure i can answer that .

but you can try initialising UNICODE_STRING yourself

instead of Literal “your string” if you are stuck on allocating space
to an unknown string hackishly denoted by wchar_t foo[0x100]

then you allocate that first with something like this

PWCHAR somestring =
( PWCHAR ) ExAllocatePoolWithTag(NonPagedPool,ArbitrarySize,PredefinedTag);

this provides you an uninitialised buffer of the required
arbitrarysize on success

you should always zero it out to avoid security issues (may contain
undeleted password to your numbered bank account in switzerland )

RtlZeroMemory ( somestring , …);

then initialise the buffer with whatever you please

say
unsafe_sprintf_kl_equi_that_always_overflows(somestring ,
“mypasswordtomybankaccount”);

then initialise the UNICODE_STRING myunistrcontainingmynonpagedbuffer;

myunistrcontainingmynonpagedbuffer.size =
sizeof/countof/actualwhateverof(mypasswordtomybankaccount);

myunistrcontainingmynonpagedbuffer.MAXSize = a+b where a = size b =
whatever needed for null terminating in the latest flavor or same as
size above as UNICODE_STRING is supposed to be a counted string type;

myunistrcontainingmynonpagedbuffer.Buffer = somestring ;

took a look at RtlInitUnicodeString. it shows it doesn’t allocate
anything; it takes the second argument and does a repne scasw, so if the
buffer is uninitialised it potentially can count anything until a null
is encountered. if that is the case it sets the max size to 0xfffe and
size to 0xfffd and initialises the Buffer member to the second
argument.

so if you want to have an arbitrary buffer instead of a Literal “YOUR
STRING” that gets plopped into binaries .data section (usually
pageable section) you should be allocating a buffer of size you please
(caveat read about NTSTRSAFE_UNICODE_STRING_MAX_CCH and go from there
as posted in an earlier reply)

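One can ensure that a UNICODE_STRING is allocated in a non-paged pool by doing the following:

PUNICODE_STRING makeUnicodeStringNonPaged(PCUNICODE_STRING unicodeString)
{
    PUNICODE_STRING nonPagedUnicodeString;
    /* Header (Length, MaximumLength, Buffer pointer) from non-paged pool. */
    nonPagedUnicodeString = ExAllocatePoolWithTag(NonPagedPool, sizeof(UNICODE_STRING), MYTAG);
    if (nonPagedUnicodeString == NULL)
        return NULL;
    /* Character buffer from non-paged pool as well. */
    nonPagedUnicodeString->Buffer = ExAllocatePoolWithTag(NonPagedPool, unicodeString->Length, MYTAG);
    if (nonPagedUnicodeString->Buffer == NULL) {
        ExFreePoolWithTag(nonPagedUnicodeString, MYTAG);
        return NULL;
    }
    RtlCopyMemory(nonPagedUnicodeString->Buffer, unicodeString->Buffer, unicodeString->Length);
    /* The copy carries no terminator, so both lengths equal the source Length. */
    nonPagedUnicodeString->Length = unicodeString->Length;
    nonPagedUnicodeString->MaximumLength = unicodeString->Length;
    return nonPagedUnicodeString;
}

Don’t forget to check if the allocations succeeded, or you will run into BSODs.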

Lloyd wrote:

> Thank you Tim. based on your reply, I would like to make my question
> more clear. I was *assuming* that “RtlInitUnicodeString” will allocate
> the “Buffer” in “UNICODE_STRING”. I came in to this assumption based
> on a sample driver code I have seen. Is this assumption wrong?

I should have read more closely.

RtlInitUnicodeString doesn’t allocate memory at all. It simply sets the
fields of a UNICODE_STRING structure so that it points to the character
array you provide. It is used for wrapping a UNICODE_STRING around an
existing array of characters.

If you need an empty buffer to be filled in by someone else, then don’t
use RtlInitUnicodeString. Just allocate the buffer and set up the fields
yourself.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
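
A user-mode C model of the behaviour described in this thread, added here as an illustration and not code from any poster or from the WDK: wrapping a string only points Buffer at the caller's array (reproducing the Length 0x38 / MaximumLength 0x3a seen in the kd session), while a deep copy puts both header and characters in memory the caller chose. Assumptions: `MODEL_USTR`, `model_init`, `model_dup` and `model_free` are hypothetical names, `malloc`/`calloc` stand in for `ExAllocatePoolWithTag`, and over-long input is simply rejected.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <uchar.h>

/* Hypothetical user-mode stand-in for UNICODE_STRING (not WDK code). */
typedef struct {
    uint16_t  Length;         /* bytes in use, terminator not counted */
    uint16_t  MaximumLength;  /* bytes available at Buffer */
    char16_t *Buffer;
} MODEL_USTR;

static const char16_t SAMPLE[] = u"what a wonderful day this is"; /* from the kd session */

/* Models the described behaviour of RtlInitUnicodeString: count up to the
   terminator, fill in the lengths, point Buffer at the caller's array.
   Nothing is allocated or copied. Model-only choice: over-long input is -1. */
static int model_init(MODEL_USTR *dst, const char16_t *src)
{
    size_t n = 0;
    while (src != NULL && src[n] != 0) n++;
    if (n > (UINT16_MAX - sizeof(char16_t)) / sizeof(char16_t)) return -1;
    dst->Length = (uint16_t)(n * sizeof(char16_t));
    dst->MaximumLength = src ? (uint16_t)(dst->Length + sizeof(char16_t)) : 0;
    dst->Buffer = (char16_t *)src;
    return 0;
}

/* Deep copy: header and characters both come from the allocator, so their
   placement no longer depends on where the source string lived. */
static MODEL_USTR *model_dup(const MODEL_USTR *src)
{
    MODEL_USTR *d = calloc(1, sizeof *d);
    if (d == NULL) return NULL;
    if (src->Length != 0) {
        d->Buffer = malloc(src->Length);
        if (d->Buffer == NULL) { free(d); return NULL; }
        memcpy(d->Buffer, src->Buffer, src->Length);
    }
    d->Length = d->MaximumLength = src->Length;
    return d;
}

static void model_free(MODEL_USTR *s) { if (s) { free(s->Buffer); free(s); } }
int main(void)
{
    MODEL_USTR s, *c;
    if (model_init(&s, SAMPLE) != 0 || (c = model_dup(&s)) == NULL) return 1;
    printf("wrapped %#x/%#x alias=%d, copied alias=%d\n", (unsigned)s.Length,
           (unsigned)s.MaximumLength, s.Buffer == SAMPLE, c->Buffer == SAMPLE);
    model_free(c);
    return 0;
}
```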

>Is it possible to make UNICODE_STRING “Buffer” to be allocated from non-paged pool?

Surely yes.

Note that Unicode string comparison and Unicode <-> ANSI <-> OEM conversions are < DISPATCH only anyway - the collation tables are pageable.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

The *RtlInitUnicodeString* routine is obsolete and is exported only to
support existing driver binaries. Drivers should use the safe-string
routines *RtlUnicodeStringInit* and *RtlUnicodeStringInitEx* instead.
- MSDN

Allocate PUNICODE_STRING from Non-Paged Pool, then allocate the buffer
inside from non-paged pool.

-Rohan
