FsRtlIsNameInExpression never matches anything
-
06-06-2021 - |
Frage
I do string matching in a kernel driver using the Boyer-Moore algorithm, but I also need to implement basic wildcard support. This answer on SO mentionned the function FsRtlIsNameInExpression
, which looks just right for my needs. It even looks like it handles case insensitivity for Unicode strings.
But it can't even get it to match a simple string with itself.
I tried a few things, but FsRtlIsNameInExpression never matches anything. Here is some code I used to test (I put the call to MyTest
at the end of my DriverEntry
routine).
NTSTATUS MyTest()
{
int matches = 0;
UNICODE_STRING a3times;
UNICODE_STRING A5times;
UNICODE_STRING bbb;
UNICODE_STRING patterna;
UNICODE_STRING patternb;
RtlInitUnicodeString(&a3times, L"aaa");
RtlInitUnicodeString(&A5times, L"AAAAA");
RtlInitUnicodeString(&bbb, L"bbb");
RtlInitUnicodeString(&patterna, L"a*a");
RtlInitUnicodeString(&patternb, L"b*");
if(FsRtlIsNameInExpression(&patterna, &a3times, TRUE, 0))
++matches; // a*a should match aaa
if(FsRtlIsNameInExpression(&patterna, &A5times, FALSE, 0))
++matches; // a*a should match (insensitive) AAAAA
if(FsRtlIsNameInExpression(&a3times, &a3times, TRUE, 0))
++matches; //aaa should match aaa
if(FsRtlIsNameInExpression(&patternb, &bbb, TRUE, 0))
++matches; //b* should match bbb
return matches; //Should be 4, but is 0
}
For the record :
- I am using WDK version 7600.16385.1, checked build (my code, not Windows)
- The driver runs in a Virtual Box hosted Windows 7 Pro 64 bits on my Windows 7 Ultimate 64 bits
- The driver is signed by a test certificate
- I trace the code in a kernel debugger
- The code does not crash, but can't be called in user mode
What is the obvious that I am missing ?
Lösung
The documentation says
If
IgnoreCase
isTRUE
,Expression
must be uppercase.
Note that, per your comments, you misunderstood the case-sensitivity parameter. It is IgnoreCase
not CaseSensitive
.
As for the results:
- Lower-case expression with
IgnoreCase
set toTRUE
- won't work - Lower-case expression,
IgnoreCase
set toFALSE
, upper case pattern - won't match - Lower-case expression with
IgnoreCase
set toTRUE
- won't work - Lower-case expression with
IgnoreCase
set toTRUE
- won't work
Just really bad luck that not a single one worked :)