SecLookupAccountSid() is broken on XP SP3

matt_sykes

OK, I finally gave up messing around with this function. I even specified the optional domain unicode string. Here is the output from dv:

domainelen = 0x400
namebuffer = struct _UNICODE_STRING ""
nameuse = 0 (No matching enumerant)
namelen = 0x400
domainbuffer = struct _UNICODE_STRING ""

UNICODE_STRINGS are heap allocated, the irql is passive level.

Sometimes it returns gibberish with a return of STATUS_SUCCESS, sometimes it crashes. In both cases the SID is the same (S-1-5-21-1935655697-507921405-682003330-20811).

Here is the stack when it crashes (from windbg):
ab1e57a0 f75343ed 897ad008 ab1e58c0 00000000 nt!RtlCopyUnicodeString+0x34
ab1e58c8 f752e98f 00000000 ab1e594c ab1e5958 ksecdd!SecpLookupAccountSid+0x187
ab1e58f8 f7559a4e e1f9a02c ab1e5958 ab1e594c ksecdd!SecLookupAccountSid+0x59

Taking a look at the UNICODE_STRING params to RtlInitUnicodeString we see:

Destination string:
0: kd> dt nt!_UNICODE_STRING 897ad008
"" +0x000 Length : 0
+0x002 MaximumLength : 0
+0x004 Buffer : (null)

Source string:
0: kd> dt nt!_UNICODE_STRING ab1e58c0
"--- memory read error at address 0xab3027ae ---"
+0x000 Length : 0xc
+0x002 MaximumLength : 0xc
+0x004 Buffer : 0xab3027ae "--- memory read error at address 0xab3027ae ---"


Note that neither of these is the address of the strings passed in to SecLookupAccountSid(), which are at
0: kd> dt nt!_UNICODE_STRING ab1e594c
"Ô"
+0x000 Length : 0xa
+0x002 MaximumLength : 0x400
+0x004 Buffer : 0x897ac800 "Ô"

and

0: kd> dt nt!_UNICODE_STRING 0xab1e595c
""
+0x000 Length : 0xc
+0x002 MaximumLength : 0x400
+0x004 Buffer : 0x897ad008 ""


This is the actual error:
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ab3027ae, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 804f2dba, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000000, (reserved)

As you can see, the address referenced is the buffer address of the source unicode string passed to RtlCopyUnicodeString().


I only wanted to trace the logged on user by name rather than SID since it's easier to read. Is there any other way of doing this in kernel mode?
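A portable user-mode model of the structures in this post, added here as an example (not code from the thread, the poster, or Microsoft): it declares the UNICODE_STRING layout shown in the dt dumps, a structural validation helper, and a re-implementation of RtlCopyUnicodeString's documented copy-and-truncate behaviour, then runs them over the header values quoted above (the Length 0 / MaximumLength 0 / Buffer NULL destination handed to RtlCopyUnicodeString, and the caller's own 0xa-byte string in a 0x400-byte buffer). The buffer contents, the six-WCHAR name, and the names validate_unicode_string and copy_unicode_string are constructed for the example. It shows what header checks can and cannot catch: a zero-capacity destination is flagged before any copy, but the source string whose Buffer points at unreadable memory (0xab3027ae) has a perfectly consistent header, so only the copy itself can fault on it, which is consistent with Arg1 of the bugcheck.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 16-bit wide char, matching the Windows WCHAR this post deals with
 * (host wchar_t may be 32-bit, so it is deliberately not used). */
typedef uint16_t WCHAR;

/* Layout of the kernel's _UNICODE_STRING as shown by the post's
 * "dt nt!_UNICODE_STRING" dumps: two 16-bit byte counts and a pointer. */
typedef struct _UNICODE_STRING {
    uint16_t Length;        /* bytes in use, not counting any terminator */
    uint16_t MaximumLength; /* bytes available in Buffer */
    WCHAR   *Buffer;
} UNICODE_STRING;

enum us_status {
    US_OK = 0,
    US_ODD_LENGTH,         /* Length must be a whole number of WCHARs */
    US_LENGTH_EXCEEDS_MAX, /* Length > MaximumLength */
    US_NULL_BUFFER,        /* capacity claimed but no buffer behind it */
    US_NO_CAPACITY         /* output parameter that cannot receive anything */
};

/* Structural checks a driver can run on a UNICODE_STRING before handing it
 * to a kernel routine. want_capacity is non-zero for output strings.
 * Hypothetical helper name; not a kernel API. */
enum us_status validate_unicode_string(const UNICODE_STRING *s, int want_capacity)
{
    if (s->Length & 1)                             return US_ODD_LENGTH;
    if (s->Length > s->MaximumLength)              return US_LENGTH_EXCEEDS_MAX;
    if (s->MaximumLength > 0 && s->Buffer == NULL) return US_NULL_BUFFER;
    if (want_capacity && s->MaximumLength == 0)    return US_NO_CAPACITY;
    return US_OK;
}

/* Portable model of RtlCopyUnicodeString's documented behaviour: copy as
 * many bytes as fit in Destination, set Destination->Length, and append a
 * NUL only if there is room for it. Returns the number of bytes copied. */
size_t copy_unicode_string(UNICODE_STRING *dst, const UNICODE_STRING *src)
{
    size_t n;

    if (src == NULL) {              /* a NULL source empties the destination */
        dst->Length = 0;
        return 0;
    }
    n = src->Length;
    if (n > dst->MaximumLength)
        n = dst->MaximumLength;     /* truncate rather than overrun */
    if (n > 0)
        memcpy(dst->Buffer, src->Buffer, n);   /* the read that faults in the post */
    dst->Length = (uint16_t)n;
    if (n + sizeof(WCHAR) <= dst->MaximumLength)
        dst->Buffer[n / sizeof(WCHAR)] = 0;
    return n;
}

/* The destination RtlCopyUnicodeString was called with, as dumped at
 * 897ad008 in the post: Length 0, MaximumLength 0, Buffer NULL. */
enum us_status check_post_destination(void)
{
    UNICODE_STRING dst = { 0, 0, NULL };
    return validate_unicode_string(&dst, 1);   /* US_NO_CAPACITY */
}

/* One of the caller's own strings (dumped at ab1e594c): 0xa bytes used in a
 * 0x400-byte buffer. A static array stands in for the heap allocation. */
enum us_status check_caller_string(void)
{
    static WCHAR buf[0x400 / sizeof(WCHAR)];
    UNICODE_STRING s = { 0xa, 0x400, buf };
    return validate_unicode_string(&s, 1);     /* US_OK */
}

/* Copy a constructed 0xc-byte (six-WCHAR) source, the size of the source
 * string in the post, into a destination of the given byte capacity. */
size_t demo_copy(uint16_t dst_capacity)
{
    static const WCHAR name[6] = { 'd', 'o', 'm', 'a', 'i', 'n' }; /* constructed */
    static WCHAR dstbuf[0x400 / sizeof(WCHAR)];
    UNICODE_STRING src = { sizeof name, sizeof name, (WCHAR *)name };
    UNICODE_STRING dst = { 0, dst_capacity, dst_capacity ? dstbuf : NULL };
    return copy_unicode_string(&dst, &src);
}

int main(void)
{
    printf("copy into 0x400-byte buffer: %zu bytes\n", demo_copy(0x400)); /* 12 */
    printf("copy into empty destination: %zu bytes\n", demo_copy(0));     /* 0 */
    printf("post's destination status: %d (US_NO_CAPACITY=%d)\n",
           check_post_destination(), US_NO_CAPACITY);
    printf("caller's string status:    %d (US_OK=%d)\n",
           check_caller_string(), US_OK);
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall unicode_string_check.c`) and run it; the two validation results reproduce the situation in the stack above: the caller's strings pass, the destination the internal copy received has no capacity, and the zero-capacity copy moves nothing, so a fault at the source buffer address must come from a source whose header looks fine but whose Buffer is not readable.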