1. RtlStringCbLength
NTSTATUS RtlStringCbLength( _In_ LPCTSTR psz, _In_ size_t cbMax, _Out_opt_ size_t *pcb);
cbMax [in]
The maximum number of bytes allowed in the buffer that is pointed to by psz, including the terminating null character.
cbMax in RtlStringCbLength includes the terminating '\0', but the length returned by strlen does not.
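The difference between a bound that counts the terminator and a length that does not, as an added example that is not from the original page: a portable user-mode C model of the bounded length check. The names model_string_cb_length and copy_from_buffer are hypothetical, and this is not the ntstrsafe.h implementation.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Portable user-mode model of the bounded byte-count check (hypothetical
 * helper, not the ntstrsafe.h code). Returns 0 and stores the length
 * WITHOUT the terminator in *pcb when a '\0' lies within the first cbMax
 * bytes; returns -1 and stores 0 otherwise. */
int model_string_cb_length(const char *psz, size_t cbMax, size_t *pcb)
{
    if (pcb != NULL)
        *pcb = 0;
    if (psz == NULL || cbMax == 0)
        return -1;
    /* memchr never reads past cbMax bytes, unlike strlen. */
    const char *end = memchr(psz, '\0', cbMax);
    if (end == NULL)
        return -1;                /* no terminator inside the buffer */
    if (pcb != NULL)
        *pcb = (size_t)(end - psz);
    return 0;
}

/* Copy a string out of a fixed-size buffer of cbBuf bytes. The copy needs
 * length + 1 bytes: the reported length excludes the terminator, while
 * the bound passed as cbMax (cbBuf here) includes it. */
char *copy_from_buffer(const char *buf, size_t cbBuf)
{
    size_t cb;
    if (model_string_cb_length(buf, cbBuf, &cb) != 0)
        return NULL;              /* reject unterminated input */
    char *out = malloc(cb + 1);
    if (out != NULL)
        memcpy(out, buf, cb + 1); /* copies the '\0' as well */
    return out;
}

int main(void)
{
    /* Constructed sample buffers, 8 bytes each. */
    char ok[8]  = "ABCDEFG";                          /* 7 chars + '\0' */
    char bad[8] = {'A','B','C','D','E','F','G','H'};  /* no terminator */
    char *c1 = copy_from_buffer(ok, sizeof ok);
    char *c2 = copy_from_buffer(bad, sizeof bad);
    int rc = (c1 != NULL && c2 == NULL) ? 0 : 1;
    free(c1);
    return rc;
}
```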
2. ExAllocatePool
Like malloc in C, ExAllocatePool is very important in kernel mode. Any discussion of ExAllocatePool, however, also has to mention ExAllocatePoolWithTag. Compare how the two functions are called:
PVOID p = ExAllocatePool(pool_type, size);
PVOID p = ExAllocatePoolWithTag(pool_type, size, tag);
When ExAllocatePoolWithTag is called, the system allocates an additional 4-byte tag on top of the requested memory size. The tag occupies the first 4 bytes and is located just before the address that the returned pointer points to. When debugging, this tag can help you identify problematic memory blocks.
In wdm.h (ntddk.h), the declarations of the memory allocation functions are controlled by the preprocessor macro POOL_TAGGING, which is defined unconditionally. Therefore, even if ExAllocatePool is called, ExAllocatePoolWithTag is what actually executes. The tag added is "MDW", indicating that it is a WDM memory block.
Alternatively, you can forcibly undefine the POOL_TAGGING macro and then call ExAllocatePool. What actually executes is still ExAllocatePoolWithTag, with the tag "enon".
Therefore, we recommend that you call ExAllocatePoolWithTag directly and supply a custom tag when allocating memory.