I´ve tried to minimise the example as much as possible.
I have the following function that tries to convert a "\Device\Harddiskvolumex\path" file path to "C:\path" and return it as a PUNICODE_STRING.
/*
path has a string such as L"C:\\path"
*/
PUNICODE_STRING convert_path(WCHAR* path)
{
HANDLE fileHandle = NULL;
OBJECT_ATTRIBUTES objectAttributes;
PUNICODE_STRING myUnicodeStr=NULL;
PFILE_OBJECT Object = NULL;
POBJECT_NAME_INFORMATION dosNameInfo = NULL;
RtlInitUnicodeString(myUnicodeStr, path);
InitializeObjectAttributes(&objectAttributes,
myUnicodeStr,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
ZwOpenSymbolicLinkObject(&fileHandle, GENERIC_READ, &objectAttributes);
ZwQuerySymbolicLinkObject(fileHandle,myUnicodeStr, NULL);
ObReferenceObjectByHandle(
fileHandle,
GENERIC_READ,
NULL,
KernelMode,
(PVOID*)Object,
NULL);
IoQueryFileDosDeviceName(Object, &dosNameInfo);
ExFreePool(Object);
return &(dosNameInfo->Name);
}
When I use it in my code as:
UNICODE_STRING myUnicodeStr;
RtlCopyUnicodeString(&myUnicodeStr, convert_path(L"C:\\Users\\JohnDoe\\file.txt"));
//I expect myUnicodeStr->Buffer contains L"Device\Harddiskvolumex\\Users\\JohnDoe\\file.txt"
I am not getting the path in format "\Device\Harddiskvolumex\path" because when I filter on this path I am getting a blue screen; and I cannot figure out what I am doing wroing in my function.
I suppose the problem is the opposite as the one posted in here.
