SecLookupAccountSid() is broken on XP SP3



OK, I finally gave up messing around with this function. I even
specified the optional domain unicode string.
Here is the output from dv:

domainelen = 0x400
namebuffer = struct _UNICODE_STRING ""
nameuse = 0 (No matching enumerant)
namelen = 0x400
domainbuffer = struct _UNICODE_STRING ""

The UNICODE_STRINGs are heap allocated; the IRQL is PASSIVE_LEVEL.

Sometimes it returns gibberish with a return of STATUS_SUCCESS, sometimes
it crashes. In both cases the SID is the same.

Here is the stack when it crashes: (from windbg)
ab1e57a0 f75343ed 897ad008 ab1e58c0 00000000 nt!RtlCopyUnicodeString
ab1e58c8 f752e98f 00000000 ab1e594c ab1e5958 ksecdd!
ab1e58f8 f7559a4e e1f9a02c ab1e5958 ab1e594c ksecdd!SecLookupAccountSid

Taking a look at the UNICODE_STRING params to RtlInitUnicodeString we

Destination string:
0: kd> dt nt!_UNICODE_STRING 897ad008
"" +0x000 Length : 0
+0x002 MaximumLength : 0
+0x004 Buffer : (null)

Source string:
0: kd> dt nt!_UNICODE_STRING ab1e58c0
"--- memory read error at address 0xab3027ae ---"
+0x000 Length : 0xc
+0x002 MaximumLength : 0xc
+0x004 Buffer : 0xab3027ae "--- memory read error at
address 0xab3027ae ---"

Note that neither of these is the address of the strings passed in to
SecLookupAccountSid(), which are at
0: kd> dt nt!_UNICODE_STRING ab1e594c
+0x000 Length : 0xa
+0x002 MaximumLength : 0x400
+0x004 Buffer : 0x897ac800 "Ô"


0: kd> dt nt!_UNICODE_STRING 0xab1e595c
+0x000 Length : 0xc
+0x002 MaximumLength : 0x400
+0x004 Buffer : 0x897ad008 ""

This is the actual error:
Invalid system memory was referenced. This cannot be protected by try-
it must be protected by a Probe. Typically the address is just plain
bad or it
is pointing at freed memory.
Arg1: ab3027ae, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 804f2dba, If non-zero, the instruction address which referenced
the bad memory
Arg4: 00000000, (reserved)

As you can see, the address referenced is the buffer address of the
source unicode string passed to RtlCopyUnicodeString().

I only wanted to trace the logged on user by name rather than SID
since it's easier to read. Is there any other way of doing this in
kernel mode?
