解读 RtlConvertNtFilePathToWin32FilePath
与解读 RtlConvertWin32FilePathToNtFilePath相反。
转换 NtFilePath到 Win32FilePath。
a1 是输入,
a2 是输出。
类型都是指向 LUNICODE_STRING 的指针(见下面的原型)。
// Prototype as reconstructed by the author. In the decompilation further down,
// the visible return paths yield 0 on success and a negative status on failure.
// NOTE(review): only the first DWORD of PathOut is cleared before it is handed to
// RtlConcatenateLUnicodeStrings with flag 1, which reads the DWORD at +4 as an
// existing capacity - so PathOut presumably has to be an initialized
// LUNICODE_STRING, not stack garbage. Confirm against a working caller.
UINT_PTR RtlConvertNtFilePathToWin32FilePath(
LUNICODE_STRING *PathIn,
LUNICODE_STRING *PathOut);
还有点难呢?
得不到需要的结果。
还是对地址的概念不熟。
// Excerpt from the function below: wraps the NUL-terminated WCHAR string at the
// fixed address 0x7FFE0030 into the string descriptor that starts at v17.
// v4 receives the status; the caller continues only when it is >= 0.
v4 = (int *)RtlInitLUnicodeStringFromNullTerminatedString(
(_WORD *)0x7FFE0030, (int)&v17);
0x7FFE0030 是一个固定地址:KUSER_SHARED_DATA 在用户态固定映射于 0x7FFE0000,偏移 0x30 处是 NtSystemRoot 字段。其中保存的是系统根目录,例如 c:\windows,类型为 WCHAR 数组(以 NUL 结尾)。
// Decompiler output for RtlConvertNtFilePathToWin32FilePath.
// a1 = input NT path, a2 = output Win32 path. Both are accessed as three
// consecutive DWORDs (+0, +4, +8); presumably Length, MaximumLength and Buffer
// of an LUNICODE_STRING - the +0 field is confirmed as Length by the overflow
// message in RtlConcatenateLUnicodeStrings, the other two are inferred.
// Visible return paths: 0 on success, otherwise the negative status of the
// helper that failed.
// Local declarations are missing from the listing, and v30..v71 as well as
// v21..v29 and v17..v19 are addressed as contiguous stack records, so the code
// only makes sense with that layout.
int *__fastcall RtlConvertNtFilePathToWin32FilePath(int a1, _DWORD *a2)
{
    v14 = a1;
    v2 = 0;
    v13 = a2;
    // 0xC00000E5 is STATUS_INTERNAL_ERROR; v20 is reused below as a table cursor.
    v20 = (int *) 0xC00000E5;
    // Only the first DWORD (Length) of the output is cleared. The DWORDs at +4
    // and +8 stay as the caller passed them and are consumed later because the
    // concatenate call uses flag 1 (reuse the destination) - the caller
    // presumably must pass an initialized output string.
    if ( a2 )
        *a2 = 0;
    // Wrap the system root string at 0x7FFE0030 into the descriptor v17/v18/v19.
    v4 = (int *)RtlInitLUnicodeStringFromNullTerminatedString(
        (_WORD *)0x7FFE0030, (int)&v17);
    if ( (signed int)v4 >= 0 )
    {
        // 92 is '\\': drop one trailing backslash from the system root by
        // shortening its byte length by one WCHAR.
        // NOTE(review): no guard for a zero length is visible before this
        // index computation.
        if ( *(_WORD *)&v19[2 * ((unsigned int)v17 >> 1) - 2] == 92 )
            v17 -= 2;
        // Prefix table: 7 entries of 6 DWORDs each, laid out as
        //   { NT prefix: byte length, byte length + 2, text }
        //   { Win32 replacement: byte length, byte length + 2, text }
        // The specific "\??\..." prefixes are listed before the bare "\??\"
        // entry, so they are tried first.
        // Entry 0: "\??\UNC\" -> "\\"
        v30 = 16;
        v31 = 18;
        v32 = L"\\??\\UNC\\";
        v33 = 4;
        v34 = 6;
        v35 = L"\\\\";
        // Entry 1: "\??\HardDisk" -> "\\?\HardDisk"
        v36 = 24;
        v37 = 26;
        v38 = L"\\??\\HardDisk";
        v39 = 24;
        v40 = 26;
        v41 = L"\\\\?\\HardDisk";
        // Entry 2: "\??\Volume" -> "\\?\Volume"
        v42 = 20;
        v43 = 22;
        v44 = L"\\??\\Volume";
        v45 = 20;
        v46 = 22;
        v47 = L"\\\\?\\Volume";
        // Entry 3: "\??\" -> zero-length replacement (the prefix is just removed)
        v48 = 8;
        v49 = 10;
        v50 = L"\\??\\";
        v51 = 0;
        v52 = 2;
        v53 = &dword_1000B0E8;
        // Entry 4: "\DosDevices\UNC\" -> "\\"
        v54 = 32;
        v55 = 34;
        v56 = L"\\DosDevices\\UNC\\";
        v57 = 4;
        v58 = 6;
        v59 = L"\\\\";
        // Entry 5: "\DosDevices\" -> zero-length replacement
        v60 = 24;
        v61 = 26;
        v62 = L"\\DosDevices\\";
        v63 = 0;
        v64 = 2;
        v65 = &dword_1000B0E8;
        // Entry 6: "\SystemRoot" -> the system root string read above
        // (v17/v18/v19, already without its trailing backslash).
        v66 = 22;
        v67 = 24;
        v68 = L"\\SystemRoot";
        v69 = v17;
        v70 = v18;
        v71 = (int)v19;
        // v20 / v5 walk the table entry by entry; v6 is the entry index.
        v20 = &v30;
        v5 = &v30;
        v6 = 0;
        while ( 1 )
        {
            // v15 receives the "is prefix" flag. RtlUpcaseUCSCharacter is passed
            // as the comparison callback, presumably making the match
            // case-insensitive.
            v15 = 0;
            v4 = (int *)RtlEqualLUnicodeStringPrefix(v14, v5,
                (int)RtlUpcaseUCSCharacter, &v15);
            if ( (signed int)v4 < 0 )
                break;
            if ( !v15 )
            {
                // No match: advance one entry (6 DWORDs) and retry while
                // entries remain.
                ++v6;
                v5 = v20 + 6;
                v20 += 6;
                if ( v6 < 7 )
                    continue;
            }
            // All 7 prefixes failed. LABEL_17 is not part of this listing, so
            // the handling of unmatched paths cannot be read from here.
            if ( v6 == 7 )
            {
                goto LABEL_17;
            }
            // Matched entry v6: v8 points at its replacement record, v9 is the
            // byte length of the NT prefix that matched.
            v8 = &v33 + 6 * v6;
            v9 = *(&v30 + 6 * v6);
            // Build "input minus prefix": both size fields shrink by v9 and the
            // buffer pointer advances by v9. The Length subtraction is covered
            // by the prefix helper, which rejects prefixes longer than the
            // input; no equivalent check on the +4 field is visible here.
            v10 = *(_DWORD *)(v14 + 4) - v9;
            v21 = *v8;
            ++v8;
            v18 = v10;
            v11 = (const char *)(*(_DWORD *)v14 - v9);
            v22 = *v8;
            v17 = v11;
            v12 = *(_DWORD *)(v14 + 8);
            v23 = v8[1];
            v19 = (const char *)(v9 + v12);
            // Source array for the concatenation, three records starting at v21:
            //   v21..v23 = replacement prefix
            //   v24..v26 = remainder of the input path
            //   v27..v29 = 2-byte string at dword_1000B0E8 (presumably a single
            //              zero WCHAR used as terminator - confirm)
            v24 = v17;
            v25 = v18;
            v26 = v9 + v12;
            v27 = 2;
            v28 = 2;
            v29 = &dword_1000B0E8;
            // Flag 1 = keep and reuse the destination's existing buffer,
            // 3 = number of source strings.
            v4 = (int *)RtlConcatenateLUnicodeStrings(1, 3u, &v21, (int)v13);
            if ( (signed int)v4 >= 0 )
            {
                // Take the last 2 bytes back out of the output Length;
                // presumably the terminator stays in the buffer but is not
                // counted as part of the path.
                if ( *v13 > 2u )
                    *v13 -= 2;
                return 0;
            }
            return v4;
        }
    }
    // Reached when the system root could not be wrapped or the prefix
    // comparison itself failed: return that status.
    return v4;
}
分别调用:
// Reports through *a4 whether the string at a2 is a prefix of the string at a1.
// a1 = string to test, a2 = candidate prefix, a3 = comparison callback that is
// forwarded unchanged to RtlEqualLUnicodeStrings, a4 = result flag.
// Returns 0, or the negative status of RtlEqualLUnicodeStrings when it fails.
// Local declarations are missing from the listing; v6/v7/v8 are presumably
// adjacent stack slots that form one temporary string descriptor.
int __stdcall RtlEqualLUnicodeStringPrefix(int a1, int *a2, int a3, _BYTE *a4)
{
    *a4 = 0;
    v4 = *a2;
    // First operand: a prefix longer than the input cannot match, so the
    // comparison is skipped and *a4 stays 0.
    // Second operand: build a descriptor (v6, v7, v8) that views only the first
    // *a2 bytes of a1's buffer, then test that view for equality with a2.
    // This length check is what keeps the truncated view inside a1's data.
    if ( (unsigned int)*a2 > *(_DWORD *)a1
      || (v6 = *a2,
          v7 = v4,
          v8 = *(_DWORD *)(a1 + 8),
          result = RtlEqualLUnicodeStrings((int)&v6, (int)a2, a3, a4),
          result >= 0) )
    {
        // Any non-failure outcome is normalized to 0; the answer is in *a4.
        result = 0;
    }
    return result;
}
// Compares the two strings at a1 and a2 and stores 1 in *a4 when they are
// equal, 0 otherwise. With a non-zero a3 the comparison is delegated to
// RtlCompareLUnicodeStrings (a3 is forwarded to it); with a3 == 0 the buffers
// are compared byte for byte.
// Returns 0, or the negative status of RtlCompareLUnicodeStrings on failure.
int __stdcall RtlEqualLUnicodeStrings(int a1, int a2, int a3, _BYTE *a4)
{
    size_t len;
    int order;
    int status;

    // Default answer: not equal.
    *a4 = 0;
    len = *(_DWORD *)a1;

    // Strings of different byte length are never equal, in either mode.
    if ( len != *(_DWORD *)a2 )
        return 0;

    if ( a3 )
    {
        // Callback mode: equality means the comparison result is 0.
        order = 0;
        status = RtlCompareLUnicodeStrings(a1, a2, a3, (int)&order);
        if ( status < 0 )
            return status;
        if ( order == 0 )
            *a4 = 1;
        return 0;
    }

    // Raw mode: two empty strings are equal without touching the buffers.
    if ( !len
      || memcmp(*(const void **)(a1 + 8), *(const void **)(a2 + 8), len) == 0 )
    {
        *a4 = 1;
    }
    return 0;
}
// Thin wrapper: forwards both strings to RtlCompareEncodedLBlobs with
// RtlDecodeUtf16LE as the decoder argument, followed by a3 and a4 unchanged.
// The cast reproduces the calling convention the decompiler assigned to the
// callee.
int __stdcall RtlCompareLUnicodeStrings(int a1, int a2, int a3, int a4)
{
    typedef int (__thiscall *compare_blobs_fn)(int, int, int (__fastcall *)(_DWORD, _DWORD), int, int);
    compare_blobs_fn compare_blobs = (compare_blobs_fn)RtlCompareEncodedLBlobs;

    return compare_blobs(a1, a2, RtlDecodeUtf16LE, a3, a4);
}
前面的前缀比较匹配成功以后,就进行字符串的连接:
// Decompiler output for RtlConcatenateLUnicodeStrings.
// a1 = flags (only bit 0 is accepted), a2 = number of source strings,
// a3 = array of source descriptors (3 DWORDs each), a4 = destination descriptor.
// Bit 0 set: keep the destination's DWORDs at +4 / +8 and grow it only when
// needed. Bit 0 clear: reset the destination and allocate a new buffer.
// Returns 0 on success or a negative status.
// Local declarations are missing from the listing; v12 and v15 are read on some
// error paths without a visible assignment (decompiler artifact).
int __stdcall RtlConcatenateLUnicodeStrings(int a1, unsigned int a2, _DWORD *a3, int a4)
{
    v4 = a3;
    v5 = 0;
    v21 = a3;
    // 0xC00000E5 is STATUS_INTERNAL_ERROR, the initial value of the status
    // slot that the error-frame helpers update.
    i = (_DWORD *)0xC00000E5;
    // v6 accumulates the total byte length of all sources.
    v6 = 0;
    // A null destination is rejected before anything is written.
    if ( !a4 )
    {
        v14 = Windows::ErrorHandling::Rtl::CBaseFrame<Windows::ErrorHandling::Rtl::CVoidRaiseFrame>::SetInvalidParameter_NullPointer(&i);
        v13 = (int)i;
        // Shared error exit: record file and function of the failure, then
        // return the status in v13.
LABEL_32:
        v26 = v14;
        v24 = "base\\lstring\\lunicode_string.cpp";
        v25 = "RtlConcatenateLUnicodeStrings";
        v27 = v15;
        Windows::ErrorHandling::Rtl::CBaseFrame<Windows::ErrorHandling::Rtl::CVoidRaiseFrame>::ReportErrorOrigination(&v24);
        return v13;
    }
    v7 = a1 & 1;
    // The destination Length always restarts at 0; the DWORDs at +4 and +8 are
    // cleared only when the "reuse destination" bit is not set.
    *(_DWORD *)a4 = 0;
    if ( !(a1 & 1) )
    {
        *(_DWORD *)(a4 + 4) = 0;
        *(_DWORD *)(a4 + 8) = 0;
    }
    // Reject unknown flag bits, and a non-zero count with a null source array.
    if ( a1 & 0xFFFFFFFE || (v8 = a2) != 0 && !a3 )
    {
LABEL_18:
        v26 = Windows::ErrorHandling::Rtl::CBaseFrame<Windows::ErrorHandling::Rtl::CVoidRaiseFrame>::SetInvalidParameter_NullPointer(&i);
        v24 = "base\\lstring\\lunicode_string.cpp";
        v25 = "RtlConcatenateLUnicodeStrings";
        v27 = (const char *)v12;
        Windows::ErrorHandling::Rtl::CBaseFrame<Windows::ErrorHandling::Rtl::CVoidRaiseFrame>::ReportErrorOrigination(&v24);
        return (int)i;
    }
    // Pass 1: every source descriptor must pass RtlIsLUnicodeStringValid before
    // any length is trusted. The stride is 3 DWORDs per descriptor.
    v23 = 0;
    if ( a2 )
    {
        v9 = (int)a3;
        v19 = a3;
        while ( (unsigned __int8)RtlIsLUnicodeStringValid(v9) )
        {
            v9 = (int)(v19 + 3);
            ++v23;
            v19 += 3;
            if ( v23 >= a2 )
            {
                v4 = a3;
                v6 = 0;
                v7 = a1 & 1;
                goto LABEL_12;
            }
        }
        goto LABEL_18;
    }
    // Pass 2: sum the source lengths with an unsigned wrap-around check, so the
    // buffer size requested below can never be smaller than the data appended.
LABEL_12:
    v20 = 0;
    if ( a2 )
    {
        for ( i = v4; ; v4 = i )
        {
            v10 = *v4;
            v22 = v10;
            v11 = v6 + v10;
            // A sum smaller than either operand means the addition wrapped.
            if ( v11 < v6 || v11 < v22 )
                break;
            i += 3;
            v6 = v11;
            if ( ++v20 >= a2 )
                goto LABEL_20;
        }
        // 0xC0000095 is STATUS_INTEGER_OVERFLOW; 644 is presumably the source
        // line number reported together with the failing expression.
        v13 = 0xC0000095;
        v14 = 644;
        v15 = "BUCL::Rtl::AddInPlaceWithOverflowCheck(&MaximumLength,Sources[i].Length)";
        i = (_DWORD *)0xC0000095;
        goto LABEL_32;
    }
    // Storage: allocate when the destination is not reused, otherwise
    // reallocate only if the total exceeds the DWORD at +4 of the destination
    // (presumably its current capacity). In reuse mode that value comes
    // straight from the caller.
LABEL_20:
    if ( !v7 )
    {
        v16 = RtlAllocateLUnicodeString(v6, a4);
        goto LABEL_23;
    }
    if ( v6 > *(_DWORD *)(a4 + 4) )
    {
        v16 = RtlReallocateLUnicodeString(0, v6, a4);
LABEL_23:
        v13 = v16;
        if ( v16 < 0 )
            return v13;
        v8 = a2;
    }
    // Nothing to append when the source count is zero.
    if ( !v8 )
        return 0;
    // Pass 3: append each source in order and stop at the first failure.
    v17 = (int)a3;
    while ( 1 )
    {
        v13 = RtlAppendLUnicodeStringToLUnicodeString(v17, a4);
        if ( v13 < 0 )
            break;
        ++v5;
        v17 = (int)(v21 + 3);
        v21 += 3;
        if ( v5 >= a2 )
            return 0;
    }
    return v13;
}