From: Prashant on
Hi all,

The function NtDisplayString is not able to display Unicode strings on the Russian version of Windows XP.

Please suggest the solution for it.

Thanks,
Prashant



Roberto Baggio wrote:
24-Jan-08

I think I ran into the same problem.

The parameter passed into the "main" of your native application doesn't
point to the same thing that the example expects (PSTARTUP_ARGUMENT). It
points to something like a process environment block. If you have the
correct structure for it, then you'll be able to access the information
correctly.

The parameter passed into the entry point would look like
void NtProcessStartup(PPEB ppeb);

Below is the PEB and its dependent structures. Hope this helps.



typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);

typedef struct _CURDIR
{
UNICODE_STRING DosPath;
PVOID Handle;
} CURDIR, *PCURDIR;

typedef struct _RTL_DRIVE_LETTER_CURDIR
{
USHORT Flags;
USHORT Length;
ULONG TimeStamp;
UNICODE_STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;

typedef struct _RTL_USER_PROCESS_PARAMETERS
{
ULONG MaximumLength; // 00h
ULONG Length; // 04h
ULONG Flags; // 08h
ULONG DebugFlags; // 0Ch
PVOID ConsoleHandle; // 10h
ULONG ConsoleFlags; // 14h
HANDLE InputHandle; // 18h
HANDLE OutputHandle; // 1Ch
HANDLE ErrorHandle; // 20h
CURDIR CurrentDirectory; // 24h
UNICODE_STRING DllPath; // 30h
UNICODE_STRING ImagePathName; // 38h
UNICODE_STRING CommandLine; // 40h
PWSTR Environment; // 48h
ULONG StartingX; // 4Ch
ULONG StartingY; // 50h
ULONG CountX; // 54h
ULONG CountY; // 58h
ULONG CountCharsX; // 5Ch
ULONG CountCharsY; // 60h
ULONG FillAttribute; // 64h
ULONG WindowFlags; // 68h
ULONG ShowWindowFlags; // 6Ch
UNICODE_STRING WindowTitle; // 70h
UNICODE_STRING DesktopInfo; // 78h
UNICODE_STRING ShellInfo; // 80h
UNICODE_STRING RuntimeInfo; // 88h
RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20]; // 90h
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

typedef struct _PEB_LDR_DATA
{
ULONG Length;
BOOLEAN Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _PEB_FREE_BLOCK
{
struct _PEB_FREE_BLOCK* Next;
ULONG Size;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;

typedef struct _PEB
{
UCHAR InheritedAddressSpace; // 00h
UCHAR ReadImageFileExecOptions; // 01h
UCHAR BeingDebugged; // 02h
UCHAR Spare; // 03h
PVOID Mutant; // 04h
PVOID ImageBaseAddress; // 08h
PPEB_LDR_DATA Ldr; // 0Ch
PRTL_USER_PROCESS_PARAMETERS ProcessParameters; // 10h
PVOID SubSystemData; // 14h
PVOID ProcessHeap; // 18h
PVOID FastPebLock; // 1Ch
PPEBLOCKROUTINE FastPebLockRoutine; // 20h
PPEBLOCKROUTINE FastPebUnlockRoutine; // 24h
ULONG EnvironmentUpdateCount; // 28h
PVOID* KernelCallbackTable; // 2Ch
PVOID EventLogSection; // 30h
PVOID EventLog; // 34h
PPEB_FREE_BLOCK FreeList; // 38h
ULONG TlsExpansionCounter; // 3Ch
PVOID TlsBitmap; // 40h
ULONG TlsBitmapBits[0x2]; // 44h
PVOID ReadOnlySharedMemoryBase; // 4Ch
PVOID ReadOnlySharedMemoryHeap; // 50h
PVOID* ReadOnlyStaticServerData; // 54h
PVOID AnsiCodePageData; // 58h
PVOID OemCodePageData; // 5Ch
PVOID UnicodeCaseTableData; // 60h
ULONG NumberOfProcessors; // 64h
ULONG NtGlobalFlag; // 68h
UCHAR Spare2[0x4]; // 6Ch
LARGE_INTEGER CriticalSectionTimeout; // 70h
ULONG HeapSegmentReserve; // 78h
ULONG HeapSegmentCommit; // 7Ch
ULONG HeapDeCommitTotalFreeThreshold; // 80h
ULONG HeapDeCommitFreeBlockThreshold; // 84h
ULONG NumberOfHeaps; // 88h
ULONG MaximumNumberOfHeaps; // 8Ch
PVOID** ProcessHeaps; // 90h
PVOID GdiSharedHandleTable; // 94h
PVOID ProcessStarterHelper; // 98h
PVOID GdiDCAttributeList; // 9Ch
PVOID LoaderLock; // A0h
ULONG OSMajorVersion; // A4h
ULONG OSMinorVersion; // A8h
ULONG OSBuildNumber; // ACh
ULONG OSPlatformId; // B0h
ULONG ImageSubSystem; // B4h
ULONG ImageSubSystemMajorVersion; // B8h
ULONG ImageSubSystemMinorVersion; // BCh (the original listing said C0h, but a ULONG after B8h lands here)
ULONG ImageProcessAffinityMask; // C0h (missing from the original listing; without it GdiHandleBuffer is off by 4)
ULONG GdiHandleBuffer[0x22]; // C4h
} PEB, *PPEB;

Previous Posts In This Thread:

On Thursday, January 17, 2008 5:05 AM
deep_81_1 wrote:

native application (& NtCreateFile)
Hi to all respected members,

I have downloaded the Native Application from here:

http://technet.microsoft.com/en-us/sysinternals/bb897447.aspx

I want to use it on "Vista". How do I go about it? I have DDK 6000. I
compiled the application for Windows Vista,

but it simply does not work!

Anything that needs to be corrected? I found very little documentation about
this topic!

I tried in the Windows 2000 OS too and tried to open a file using
NtCreateFile(). I managed to get an error code that returns "3", which means the system can
not find the path specified. I do not know what is going wrong! I am passing the
file name as \\??\\C:\a.txt; this always returns "3". The file is present but
I am not able to open it!



// Variables as used in the call below; the fix found later in the thread
// was to initialize them before use.
NTSTATUS Status = STATUS_SUCCESS;
HANDLE hBeep = NULL;
UNICODE_STRING msg = {0};
OBJECT_ATTRIBUTES ObjectAttributes = {0};
IO_STATUS_BLOCK IoStatusBlock = {0};

RtlInitUnicodeString(&msg, L"\\??\\c:\\a.txt");

InitializeObjectAttributes(&ObjectAttributes, &msg, 0, NULL, NULL);

// Opening a file
Status = NtCreateFile(&hBeep,
    GENERIC_READ /*| FILE_WRITE_DATA*/,
    &ObjectAttributes,
    &IoStatusBlock,
    NULL,
    0,
    FILE_SHARE_READ /*| FILE_SHARE_WRITE*/,
    FILE_OPEN,
    0,
    NULL,
    0
    );
// Check Status with NT_SUCCESS(); on failure hBeep stays NULL.


but the returned NTSTATUS value gives error code "3".

Any pointers or suggestions?

Regards



--
deep

On Thursday, January 17, 2008 5:37 AM
Volodymyr Shcherbyna wrote:

Re: native application (& NtCreateFile)
The code:

{
NTSTATUS ntStatus = STATUS_SUCCESS;
UNICODE_STRING szPath = {0};
OBJECT_ATTRIBUTES Attr = {0};
IO_STATUS_BLOCK IoStatusBlock = {0};
HANDLE hBeep = NULL;

RtlInitUnicodeString(&szPath, L"\\??\\C:\\A.TXT");
InitializeObjectAttributes(&Attr, &szPath, 0, NULL, NULL);

ntStatus = NtCreateFile(&hBeep, GENERIC_READ, &Attr, &IoStatusBlock, NULL,
0, FILE_SHARE_READ, FILE_OPEN, 0, NULL, 0);

// Close the handle, not the status value (the original passed ntStatus here).
if (NT_SUCCESS(ntStatus) && hBeep != NULL)
{
NtClose(hBeep);
}

}

Works OK for me.

--
V
This posting is provided "AS IS" with no warranties, and confers no
rights.

On Thursday, January 17, 2008 6:02 AM
Kerem Gümrükcü wrote:

Where did he get that example?

Regards

K.


--
-----------------------
Beste Grüsse / Best regards / Votre bien devoue
Kerem Gümrükcü
Microsoft Live Space: http://kerem-g.spaces.live.com/
Latest Open-Source Projects: http://entwicklung.junetz.de
-----------------------
"This reply is provided as is, without warranty express or implied."

On Thursday, January 17, 2008 6:19 AM
Volodymyr Shcherbyna wrote:

I am discussing the code attached to the end of the OP's message.

--
V
This posting is provided "AS IS" with no warranties, and confers no
rights.

On Thursday, January 17, 2008 7:10 AM
deep_81_1 wrote:

Hi, thanks, it works now! Silly mistake: variable "initialization"!
But I have one more concern. Could you please take a look at
the native application I got from
http://technet.microsoft.com/en-us/sysinternals/bb897447.aspx

I compiled the code for 2003 and Vista too, but I saw no "Hello World"
string.

Could you help me out? Why is it not showing?
Regards

On Thursday, January 17, 2008 8:14 AM
Volodymyr Shcherbyna wrote:

Sorry, today my telepathy does not work. Can you provide us more details,
i.e. a snippet of source code?

--
V
This posting is provided "AS IS" with no warranties, and confers no
rights.

On Thursday, January 17, 2008 8:33 AM
deep_81_1 wrote:

The link I gave you contains that sample code; that is why I did not provide it,
but here you have it:
//======================================================================
//
// Native.c
//
// Mark Russinovich
// http://www.ntinternals.com
//
// This is a demonstration of a Native NT program. These programs
// run outside of the Win32 environment and must rely on the raw
// services provided by NTDLL.DLL. AUTOCHK (the program that executes
// a chkdsk activity during the system boot) is an example of a
// native NT application.
//
// This example is a native 'hello world' program. When installed with
// the regedit file associated with it, you will see it print
// "hello world" on the initialization blue screen during the system
// boot. This program cannot be run from inside the Win32 environment.
//
//======================================================================

//
// Our heap
//
HANDLE Heap;

//
// Debug-print wrapper (defined at the bottom, so it is declared here
// before its first use).
//
void print( PWCHAR msg );

//----------------------------------------------------------------------
//
// NtProcessStartup
//
// Instead of a 'main' or 'winmain', NT applications are entered via
// this entry point.
//
// NOTE: as Roberto Baggio's reply in this thread explains, the
// parameter is really a PPEB and the command line lives at
// ppeb->ProcessParameters->CommandLine. The PSTARTUP_ARGUMENT view
// below is what the sample assumed, and it is what fails on Vista/2k3.
//
//----------------------------------------------------------------------
void NtProcessStartup( PSTARTUP_ARGUMENT Argument )
{
PUNICODE_STRING commandLine;
PWCHAR stringBuffer, argPtr;
UNICODE_STRING helloWorld;
RTL_HEAP_DEFINITION heapParams;

//
// Initialize some heap
//
print(L"Step1\n");
memset( &heapParams, 0, sizeof( RTL_HEAP_DEFINITION ));
heapParams.Length = sizeof( RTL_HEAP_DEFINITION );
Heap = RtlCreateHeap( 2, 0, 0x100000, 0x1000, 0, &heapParams );
print(L"Step2\n");
//
// Point at command line
//
commandLine = &Argument->Environment->CommandLine;
print(L"Step3\n");
//
// Locate the argument
//
argPtr = commandLine->Buffer; // dereferences NULL on Vista/2k3 (see the follow-ups)
//while( *argPtr != ' ' ) argPtr++;
// argPtr++;
print(L"Step4\n"); // this never gets executed !
//
// Print out the argument (bounded write: 256 bytes = 128 WCHARs)
//
stringBuffer = RtlAllocateHeap( Heap, 0, 256 );
if( stringBuffer == NULL ) NtTerminateProcess( NtCurrentProcess(), STATUS_NO_MEMORY );
_snwprintf( stringBuffer, 127, L"\n%s", argPtr );
stringBuffer[127] = L'\0';
helloWorld.Buffer = stringBuffer;
helloWorld.Length = wcslen( stringBuffer ) * sizeof(WCHAR);
helloWorld.MaximumLength = helloWorld.Length + sizeof(WCHAR);
NtDisplayString( &helloWorld );
print(L"Step4\n");
//
// Free heap
//
RtlFreeHeap( Heap, 0, stringBuffer );

//
// Terminate
//
NtTerminateProcess( NtCurrentProcess(), 0 );
}

void print( PWCHAR msg )
{
UNICODE_STRING umsg;
RtlInitUnicodeString( &umsg, msg );
NtDisplayString( &umsg );
}

There is a registry file and a batch file too:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
00,6e,61,74,69,76,65,20,48,65,6c,6c,6f,20,57,6f,72,6c,64,21,00,00

// batch file
@echo off
copy native.exe %systemroot%\system32\.
regedit /s add.reg
echo Native Example Installed
--
deep

On Thursday, January 17, 2008 9:55 AM
Volodymyr Shcherbyna wrote:

Did you try to use a debugger? Build the application, and at the beginning of the entry
point write

__asm int 3

Install the application, reboot the machine with the /DEBUG switch, attach WinDbg, and
do the analysis.

--
V
This posting is provided "AS IS" with no warranties, and confers no
rights.

On Sunday, January 20, 2008 12:16 PM
Check Abdoul wrote:

Hi Deepak,

You need to have the /SOS enabled in your BCD to see the text that
NtDisplayString() displays on the screen.

Cheers
Check Abdoul
---------------------

On Tuesday, January 22, 2008 8:05 PM
deep_81_1 wrote:

Thanks for the reply and concern.
I can see the text by using the native API "NtDisplayString",
as I did in the wrapper function "print": I can see the strings "Step1" and
"Step2". But what I saw while debugging is
that somehow the command line parameters that Windows passes to the
"Native" application, as in the example "Hello World", do not get passed
correctly, and because of this we try to dereference a NULL pointer, so my
application simply terminates. So "Step4" never gets executed.

I do not know how this is happening, as the command line parameters are
passed correctly in XP,
but not in Vista and 2k3. Any pointers?

One more thing that I want to ask:
can I modify the "HKEY_CURRENT_USER\Software\test" section of the registry by
Native API?
I read in the documentation and the article on The Code Project "Ntregistry" that
it should be mapped to
"\Registry\user\S-1-5-21-1220945662-261478967-682003330-1000\Software\test"
which should be passed to

the native API "NtOpenKey"!

But I am confused why it does not work! It works if I access the
"Registry\MACHINE" sections.


Regards



--
deep

On Tuesday, January 22, 2008 8:14 PM
deep_81_1 wrote:

Oops, I posted but I do not know why it did not appear;
here again!

Thanks to all people.
I am able to see the messages "step1", "step2", "step3" but "step 4" never
prints.
What I diagnosed is that the command line parameters are coming in as NULL, so
because I am accessing the NULL pointer that is why my program does not print
the "Step4" message. I do not know why this is happening, because the same
code works on XP. Somehow the parameters are NULL:
//////////////////
argPtr = commandLine->Buffer;

......
Any help!



--
deep
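Added here as a worked example (not code from the thread or from the Sysinternals sample): reading the command line the way Roberto Baggio's reply above describes, via ppeb->ProcessParameters->CommandLine, with the NULL checks the sample lacks and a copy bounded by UNICODE_STRING.Length rather than by a terminator, which is what the sample's swprintf into a 256-byte buffer relies on. The type definitions are constructed minimal stand-ins so the block compiles on any C compiler, and GetStartupArgument, MakeCommandLine and WideEqualsAscii are names of my own.

```c
#include <stdint.h>
#include <string.h>
/* Constructed minimal stand-ins for the NT types (same field meanings, not the full
 * layout). UNICODE_STRING.Length is a BYTE count and Buffer need NOT be NUL-terminated. */
typedef uint16_t WCHAR, *PWSTR, USHORT;
typedef int32_t NTSTATUS;
typedef struct { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING;
typedef struct { UNICODE_STRING CommandLine; } RTL_USER_PROCESS_PARAMETERS;  /* 40h in the posted layout */
typedef struct { RTL_USER_PROCESS_PARAMETERS *ProcessParameters; } PEB, *PPEB; /* 10h in the posted layout */
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define STATUS_BUFFER_TOO_SMALL  ((NTSTATUS)0xC0000023)

/* Copy the text after the first space of ppeb->ProcessParameters->CommandLine into out,
 * NUL-terminated. The walk is bounded by Length, never by a terminator, and a NULL
 * ProcessParameters or Buffer (the NULL the thread hit on Vista/2k3) is reported, not
 * dereferenced. A command line with no argument yields "". */
NTSTATUS GetStartupArgument(PPEB ppeb, WCHAR *out, size_t outChars)
{
    const UNICODE_STRING *cmd; size_t n, i, len;
    if (ppeb == NULL || ppeb->ProcessParameters == NULL || out == NULL || outChars == 0)
        return STATUS_INVALID_PARAMETER;
    cmd = &ppeb->ProcessParameters->CommandLine;
    if (cmd->Buffer == NULL)
        return STATUS_INVALID_PARAMETER;
    n = cmd->Length / sizeof(WCHAR);                      /* bytes -> characters */
    for (i = 0; i < n && cmd->Buffer[i] != ' '; i++) {}  /* skip the image name */
    while (i < n && cmd->Buffer[i] == ' ') i++;          /* skip the separator(s) */
    len = n - i;
    if (len + 1 > outChars)
        return STATUS_BUFFER_TOO_SMALL;                   /* no room for arg + NUL */
    memcpy(out, cmd->Buffer + i, len * sizeof(WCHAR));
    out[len] = 0;
    return STATUS_SUCCESS;
}
/* Constructed test helper: widen ASCII into a UNICODE_STRING that is deliberately NOT
 * NUL-terminated; the unused tail is filled with 'X' so any over-read would show up. */
static WCHAR g_cmdBuf[64];
UNICODE_STRING MakeCommandLine(const char *ascii)
{
    UNICODE_STRING u;
    size_t i, n = strlen(ascii);
    for (i = 0; i < 64; i++)
        g_cmdBuf[i] = (i < n) ? (WCHAR)(unsigned char)ascii[i] : (WCHAR)'X';
    u.Length = (USHORT)(n * sizeof(WCHAR));
    u.MaximumLength = (USHORT)sizeof(g_cmdBuf);
    u.Buffer = g_cmdBuf;
    return u;
}
/* Constructed test helper: compare a NUL-terminated WCHAR string with an ASCII string. */
int WideEqualsAscii(const WCHAR *w, const char *ascii)
{
    while (*ascii && *w == (WCHAR)(unsigned char)*ascii) { w++; ascii++; }
    return *ascii == 0 && *w == 0;
}
```

The sample command line "native Hello World!" is the one the thread's add.reg installs under BootExecute, so the argument recovered is "Hello World!".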


On Wednesday, February 24, 2010 4:02 AM
Prashant Waman wrote:

NtDisplayString is not able to display unicode string
Hi all,

I have tested the code on the Russian version of Windows XP and tried to display all the console messages in the Russian language.
The function NtDisplayString is not able to display the Russian strings and instead of that it is showing some garbage characters.

Is there any solution for the problem?

Thanks,
Prashant


Submitted via EggHeadCafe - Software Developer Portal of Choice