解读 RtlConvertNtFilePathToWin32FilePath
与解读 RtlConvertWin32FilePathToNtFilePath相反。
转换 NtFilePath到 Win32FilePath。
a1 是输入,
a2 是输出。
类型都是 LUNICODE_STRING。
// Prototype as reconstructed by the author: PathIn is the NT-namespace path to
// convert, PathOut receives the Win32 form. Both are LUNICODE_STRING pointers.
// NOTE(review): the decompiled body further down is typed
// `int *__fastcall (int a1, _DWORD *a2)`; the UINT_PTR return type here is the
// author's reading and should be confirmed.
UINT_PTR RtlConvertNtFilePathToWin32FilePath(
LUNICODE_STRING *PathIn,
LUNICODE_STRING *PathOut);
还有点难呢?
得不到需要的结果。
还是对地址的概念不熟。
// Excerpt of the first call made inside the function body below.
// The operand of the first argument is missing from this listing (only the
// `(_WORD *)` cast survived), so the source buffer cannot be named from here.
// Presumably the LUNICODE_STRING at v17 is initialised from that
// NUL-terminated string; confirm against the callee.
v4 = (int *)RtlInitLUnicodeStringFromNullTerminatedString(
(_WORD *), (int)&v17);
中保存的是: c:\windows,类型 WCHAR。
//----- (101309F0) --------------------------------------------------------
// Decompiler output for the NT-path -> Win32-path conversion.
// Per the author's notes, a1 is the input LUNICODE_STRING and a2 the output
// LUNICODE_STRING. Numeric literals and some operands were lost when this
// listing was extracted (e.g. "v2 = ;", "while ( )") and the local
// declarations are not shown, so the code is for reading only; every remark
// below that depends on a missing constant is hedged.
// NOTE(review): a1 is dereferenced below (and inside
// RtlEqualLUnicodeStringPrefix) with no NULL check visible in this function;
// whether callers validate it cannot be told from here.
int *__fastcall RtlConvertNtFilePathToWin32FilePath(int a1, _DWORD *a2)
{
v14 = a1;
v2 = ;
v13 = a2;
v20 = (int *) ;
// If an output string was supplied, write an initial value (literal missing)
// to its first field before doing any work.
if ( a2 )
*a2 = ;
// Build a LUNICODE_STRING at v17 from a NUL-terminated wide string. The source
// operand is missing here; the author's note says it holds "c:\windows".
v4 = (int *)RtlInitLUnicodeStringFromNullTerminatedString(
(_WORD *), (int)&v17);
// Continue only when the status in v4 is not below the (missing) threshold,
// presumably "status >= 0", i.e. success.
if ( (signed int)v4 >= )
{
// Inspect one 16-bit character of the buffer at an index derived from v17
// (presumably the last character) and shorten v17 when it matches the missing
// literal. Looks like a trailing-separator trim; confirm.
if ( *(_WORD *)&v19[ * ((unsigned int)v17 >> ) - ] == )
v17 -= ;
// Define a set of LUNICODE_STRING entries.
// Each entry occupies three consecutive locals: two numeric fields (values
// missing here) followed by the buffer pointer. The entries form pairs:
// an NT-namespace prefix followed by its Win32 replacement.
// The more specific prefixes ("\\??\\UNC\\", "\\??\\HardDisk", "\\??\\Volume")
// are listed before the generic "\\??\\", and the loop below tests entries in
// this order, so the first match wins.
v30 = ;
v31 = ;
v32 = L"\\??\\UNC\\";
v33 = ;
v34 = ;
v35 = L"\\\\";
v36 = ;
v37 = ;
v38 = L"\\??\\HardDisk";
v39 = ;
v40 = ;
v41 = L"\\\\?\\HardDisk";
v42 = ;
v43 = ;
v44 = L"\\??\\Volume";
v45 = ;
v46 = ;
v47 = L"\\\\?\\Volume";
v48 = ;
v49 = ;
v50 = L"\\??\\";
v51 = ;
v52 = ;
// dword_1000B0E8 is used as the replacement buffer here; presumably an empty
// string, so the prefix is simply dropped. Confirm.
v53 = &dword_1000B0E8;
v54 = ;
v55 = ;
v56 = L"\\DosDevices\\UNC\\";
v57 = ;
v58 = ;
v59 = L"\\\\";
v60 = ;
v61 = ;
v62 = L"\\DosDevices\\";
v63 = ;
v64 = ;
v65 = &dword_1000B0E8;
v66 = ;
v67 = ;
v68 = L"\\SystemRoot";
// The replacement for "\\SystemRoot" is a copy of the string initialised at
// the top of the function (v17/v18/v19), taken before those locals are reused.
v69 = v17;
v70 = v18;
v71 = (int)v19;
v20 = &v30;
v5 = &v30;
v6 = ;
// Walk the table, testing each NT prefix against the input. The loop condition
// was lost in extraction.
while ( )
{
// v15 is the "prefix matched" flag filled in by the callee.
v15 = ;
// RtlUpcaseUCSCharacter is passed as the per-character mapping callback, so
// the prefix comparison is presumably case-insensitive.
v4 = (int *)RtlEqualLUnicodeStringPrefix(v14, v5,
(int)RtlUpcaseUCSCharacter, &v15);
// A status below the (missing) threshold aborts the search and is returned.
if ( (signed int)v4 < )
break;
if ( !v15 )
{
// No match: advance the pair index and the table cursor (stride missing),
// then retry while the index is below the (missing) entry count.
++v6;
v5 = v20 + ;
v20 += ;
if ( v6 < )
continue;
}
if ( v6 == )
{
// Error: no table entry matched.
// NOTE(review): LABEL_17 is not defined anywhere in this listing.
goto LABEL_17;
}
// v8 -> replacement entry of the matched pair; v9 = first field (Length) of
// the matched prefix entry.
v8 = &v33 + * v6;
v9 = *(&v30 + * v6);
// Build the "remainder" string: the input with the matched prefix skipped.
// Both size fields are reduced by the prefix length and the buffer pointer is
// advanced by it. The subtraction relies on the prefix being no longer than
// the input, which RtlEqualLUnicodeStringPrefix tests before comparing.
v10 = *(_DWORD *)(v14 + ) - v9;
v21 = *v8;
++v8;
v18 = v10;
v11 = (const char *)(*(_DWORD *)v14 - v9);
v22 = *v8;
v17 = v11;
v12 = *(_DWORD *)(v14 + );
v23 = v8[];
v19 = (const char *)(v9 + v12);
// Source array for the concatenation, starting at v21:
//   v21..v23 = replacement prefix, v24..v26 = remainder of the input,
//   v27..v29 = a third entry backed by dword_1000B0E8.
v24 = v17;
v25 = v18;
v26 = v9 + v12;
v27 = ;
v28 = ;
v29 = &dword_1000B0E8;
// Concatenate the sources into the caller's output string (v13 == a2). The
// first two arguments (flags and source count in the callee) are missing here.
// The callee rejects a NULL destination, so *v13 is only touched after success.
v4 = (int *)RtlConcatenateLUnicodeStrings(, , &v21, (int)v13);
if ( (signed int)v4 >= )
{
// On success, reduce the output's first field when it exceeds the (missing)
// bound. Presumably drops a trailing terminator from the length; confirm.
if ( *v13 > )
*v13 -= ;
return ;
}
return v4;
}
}
return v4;
}
分别调用:
// Tests whether the string at a2 is a prefix of the string at a1.
//   a1 - string being examined (read as an address)
//   a2 - candidate prefix
//   a3 - forwarded unchanged to RtlEqualLUnicodeStrings (the caller in this
//        listing passes RtlUpcaseUCSCharacter)
//   a4 - out flag, written by this function and by RtlEqualLUnicodeStrings
// Literals and local declarations were lost in extraction, so the exact status
// values cannot be read from here.
int __stdcall RtlEqualLUnicodeStringPrefix(int a1, int *a2, int a3, _BYTE *a4)
{
// Initialise the out flag (value missing; presumably "not equal").
*a4 = ;
v4 = *a2;
// Length guard first: when the prefix's first field (Length) exceeds the
// input's, the comparison is skipped entirely, so the callee never reads past
// the end of the input buffer.
// Otherwise v6/v7/v8 are filled with the prefix length (twice) and the input's
// buffer pointer, presumably forming a temporary LUNICODE_STRING that views
// just the leading part of the input, and that view is compared with the prefix.
if ( (unsigned int)*a2 > *(_DWORD *)a1
|| (v6 = *a2,
v7 = v4,
v8 = *(_DWORD *)(a1 + ),
result = RtlEqualLUnicodeStrings((int)&v6, (int)a2, a3, a4),
result >= ) )
{
// Both the "too long" case and a non-failing comparison collapse to one
// status (literal missing); a failing status from the callee is returned as is.
result = ;
}
return result;
}
// Compares the strings at a1 and a2 for equality and reports the outcome
// through *a4.
//   a3 - optional callback forwarded to RtlCompareLUnicodeStrings; when it is
//        zero the buffers are compared byte-for-byte with memcmp.
// Literals were lost in extraction, so the returned status values and the
// flag values written to *a4 cannot be read from here.
int __stdcall RtlEqualLUnicodeStrings(int a1, int a2, int a3, _BYTE *a4)
{
// The decompiler's storage annotations on the next three lines were garbled in
// extraction (they appear as "[email protected]").
size_t v4; // [email protected]
bool v5; // [email protected]
int result; // [email protected]
int v7; // [sp+8h] [bp-8h]@6
// Initialise the out flag (value missing; presumably "not equal").
*a4 = ;
v4 = *(_DWORD *)a1;
if ( a3 )
{
// Different first fields (Length) means not equal; return without comparing.
if ( v4 != *(_DWORD *)a2 )
return ;
v7 = ;
// Callback-driven comparison; v7 receives the comparison outcome.
result = RtlCompareLUnicodeStrings(a1, a2, a3, (int)&v7);
// A status below the (missing) threshold is propagated unchanged.
if ( result < )
return result;
v5 = v7 == ;
}
else
{
// Same length gate as above. Because the lengths are equal, the memcmp below
// reads the same number of bytes from each buffer.
if ( v4 != *(_DWORD *)a2 )
return ;
// Two zero-length strings count as equal; no buffer is dereferenced.
if ( !v4 )
{
LABEL_9:
// Equal: set the out flag (value missing).
*a4 = ;
return ;
}
// The first field is passed straight to memcmp as its size argument, so it is
// used as a byte count here.
v5 = memcmp(*(const void **)(a1 + ), *(const void **)(a2 + ), *(_DWORD *)a1) == ;
}
if ( v5 )
goto LABEL_9;
return ;
}
// Thin wrapper: forwards to RtlCompareEncodedLBlobs with RtlDecodeUtf16LE as
// the decoder argument, passing a1, a2, a3 and a4 through unchanged.
// The function-pointer cast is the decompiler's guess at the callee's
// signature (__thiscall, five arguments); treat it as unverified.
int __stdcall RtlCompareLUnicodeStrings(int a1, int a2, int a3, int a4)
{
return ((int (__thiscall *)(int, int, int (__fastcall *)(_DWORD, _DWORD), int, int))RtlCompareEncodedLBlobs)(
a1,
a2,
RtlDecodeUtf16LE,
a3,
a4);
}
前面的比较正常了以后,就进行字符串的连接:
// Concatenates a2 source strings (array starting at a3) into the destination
// string at a4.
//   a1 - flag bits (the masks were lost in extraction)
//   a2 - number of source strings
//   a3 - pointer to the first source string
//   a4 - destination string, read as an address
// Order of work visible below: validate parameters, validate every source,
// sum the source lengths with an overflow check, size the destination, then
// append each source. Literals and local declarations are missing from this
// listing, so status values and field offsets are hedged.
int __stdcall RtlConcatenateLUnicodeStrings(int a1, unsigned int a2, _DWORD *a3, int a4)
{
v4 = a3;
v5 = ;
v21 = a3;
i = (_DWORD *);
v6 = ;
// A NULL destination is rejected up front and reported through the
// error-origination frame.
if ( !a4 )
{
v14 = Windows::ErrorHandling::Rtl::CBaseFrame<Windows::ErrorHandling::Rtl::CVoidRaiseFrame>::SetInvalidParameter_NullPointer(&i);
v13 = (int)i;
LABEL_32:
// Shared error-reporting tail: records source file and function name, then
// returns the status held in v13.
v26 = v14;
v24 = "base\\lstring\\lunicode_string.cpp";
v25 = "RtlConcatenateLUnicodeStrings";
v27 = v15;
Windows::ErrorHandling::Rtl::CBaseFrame<Windows::ErrorHandling::Rtl::CVoidRaiseFrame>::ReportErrorOrigination(&v24);
return v13;
}
// v7 keeps one masked flag bit; further down it selects between allocating a
// fresh destination buffer and reusing or growing the existing one.
v7 = a1 & ;
*(_DWORD *)a4 = ;
// When that flag is clear, two further destination fields (offsets missing)
// are also overwritten.
if ( !(a1 & ) )
{
*(_DWORD *)(a4 + ) = ;
*(_DWORD *)(a4 + ) = ;
}
// Reject the call when a second mask of a1 is non-zero (presumably unsupported
// flag bits) or when a non-zero source count comes with a NULL source array.
if ( a1 & || (v8 = a2) != && !a3 )
{
LABEL_18:
v26 = Windows::ErrorHandling::Rtl::CBaseFrame<Windows::ErrorHandling::Rtl::CVoidRaiseFrame>::SetInvalidParameter_NullPointer(&i);
v24 = "base\\lstring\\lunicode_string.cpp";
v25 = "RtlConcatenateLUnicodeStrings";
v27 = (const char *)v12;
Windows::ErrorHandling::Rtl::CBaseFrame<Windows::ErrorHandling::Rtl::CVoidRaiseFrame>::ReportErrorOrigination(&v24);
return (int)i;
}
v23 = ;
if ( a2 )
{
// Pass 1: every source must satisfy RtlIsLUnicodeStringValid before any
// length is trusted; the first invalid one sends control to LABEL_18.
v9 = (int)a3;
v19 = a3;
while ( (unsigned __int8)RtlIsLUnicodeStringValid(v9) )
{
v9 = (int)(v19 + );
++v23;
v19 += ;
if ( v23 >= a2 )
{
v4 = a3;
v6 = ;
v7 = a1 & ;
goto LABEL_12;
}
}
goto LABEL_18;
}
LABEL_12:
v20 = ;
if ( a2 )
{
// Pass 2: accumulate the total length in v6.
for ( i = v4; ; v4 = i )
{
v10 = *v4;
v22 = v10;
v11 = v6 + v10;
// Wraparound check: if the sum is smaller than either operand the addition
// overflowed, and the loop exits to the error path instead of sizing the
// destination from a wrapped total.
if ( v11 < v6 || v11 < v22 )
break;
i += ;
v6 = v11;
if ( ++v20 >= a2 )
goto LABEL_20;
}
// Overflow path: the reported expression names the failed checked addition.
v13 = ;
v14 = ;
v15 = "BUCL::Rtl::AddInPlaceWithOverflowCheck(&MaximumLength,Sources[i].Length)";
i = (_DWORD *);
goto LABEL_32;
}
LABEL_20:
// Size the destination from the checked total before anything is copied.
if ( !v7 )
{
// Flag clear: allocate a destination buffer for the total length.
v16 = RtlAllocateLUnicodeString(v6, a4);
goto LABEL_23;
}
// Flag set: grow the existing buffer only when the total exceeds a destination
// field (offset missing; presumably its current capacity).
if ( v6 > *(_DWORD *)(a4 + ) )
{
v16 = RtlReallocateLUnicodeString(, v6, a4);
LABEL_23:
v13 = v16;
// Allocation or reallocation failure is returned before any append.
if ( v16 < )
return v13;
v8 = a2;
}
// Nothing to append when the source count is zero.
if ( !v8 )
return ;
v17 = (int)a3;
// Pass 3: append each source in order; the first failing append stops the
// loop and its status is returned.
while ( )
{
v13 = RtlAppendLUnicodeStringToLUnicodeString(v17, a4);
if ( v13 < )
break;
++v5;
v17 = (int)(v21 + );
v21 += ;
if ( v5 >= a2 )
return ;
}
return v13;
}