Search for character in UNICODE_STRING

Question

There is a UNICODE_STRING and I want to check if there is a defined character in it (better: $ at the end).

We are using the OpenPasswordFilter and want to check if the submitted account is a user or a computer. If it is a computer, which is defined by a '$' at the end, the checks schould be omitted.

NTSTATUS PsamPasswordNotificationRoutine(
  PUNICODE_STRING UserName,
  ULONG RelativeId,
  PUNICODE_STRING NewPassword
)
{...}

from https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/nc-ntsecapi-psam_password_notification_routine

In c# I would use something like:

char lastchar = UserName[UserName.Length - 1];
if (lastchar <> '$') {
....

Answer 1

The UNICODE_STRING::Buffer is a pointer to a wchar_t[] array. You can check the Buffer contents directly, eg:

enum eAccountType {atUnknown, atUser, atComputer};

eAccountType GetAccountType(const wchar_t *UserName, int Length)
{
    return ((UserName) && (Length > 0))
        ? ((UserName[Length-1] == L'$') ? atComputer : atUser)
        : atUnknown;
}

eAccountType GetAccountType(const UNICODE_STRING &UserName)
{
    // UNICODE_STRING::Length is expressed in bytes, not in characters...
    return GetAccountType(UserName.Buffer, UserName.Length / sizeof(wchar_t));
}

NTSTATUS PsamPasswordNotificationRoutine(
    PUNICODE_STRING UserName,
    ULONG RelativeId,
    PUNICODE_STRING NewPassword
)
{
    ...
    if ((UserName) && (GetAccountType(*UserName) == atUser))
    {
        ...
    }
    ...
}

Answer 2

Something like this will probably work: Just remember that the Length of PUNICODE_STRING is the number of bytes and not of "characters"

if (UserName->Buffer)
{
    std::wstring w = std::wstring(reinterpret_cast<wchar_t*>(UserName->Buffer), UserName->Length / sizeof(wchar_t));

    if(w[w.size()-1] != L'$')
    {
        ...
    }
}