Question

I try to find the address of a given import using the MMGetSystemRoutineAddress function. The only problem is that this function takes a pointer to a UNICODE_STRING and my import name variable has the type char*.

To convert it to a UNICODE_STRING I tried using the function RtlInitUnicodeString. The problem here is that this function takes a PCWSTR and as I read that it is not possible to use a non const value for this. This is my code:

DbgPrint("%s", image_import_by_name->Name); // >> outputs "DbgPrintEx"
                
UNICODE_STRING routineNameByInput;
RtlInitUnicodeString(&routineNameByInput, L"DbgPrintEx");

UNICODE_STRING routineNameByVar;
RtlInitUnicodeString(&routineNameByVar, (PUNICODE_STRING)&image_import_by_name->Name);

DbgPrint("%wZ", routineNameByInput); // >> outputs "DbgPrintEx"
DbgPrint("%wZ", routineNameByVar); // >> outputs "???"
                 
MmGetSystemRoutineAddress(&routineNameByInput); // >> works perfectly
MmGetSystemRoutineAddress(&routineNameByInput); // >> bluescreens
MmGetSystemRoutineAddress((PUNICODE_STRING)&image_import_by_name->Name); // >> bluescreens

我也试图重启民阵。零打断进口名称,但无所作为。

难道不容易将果园变成一个UNICODE_STRING?

RtlInitUnicodeString哪怕是首当其冲。

Answer 1

快速谷歌搜索windows ansi to unicode kernel Mode 揭示了 ∗ ∗

<>RtlAnsiStringToUnicodeString function (wdm.h)

RtlAnsiStringToUnicodeString 将上述ANSI来源扼制成统法协会编码。

定义:

NTSYSAPI NTSTATUS RtlAnsiStringToUnicodeString(
  [in, out] PUNICODE_STRING DestinationString,
  [in]      PCANSI_STRING   SourceString,
  [in]      BOOLEAN         AllocateDestinationString
);

就像你想要的东西一样。

友情链接