I have a filter and a callback I receive can come in at DPC_LEVEL in any process.
Most of the time it enters as PASSIVE, so FltQuerySecurityObject()/ZwQuerySecurityObject()/ObGetObjectSecurity() etc can succeed, but they all run at <= PASSIVE. Often I will get BSOD, sometimes random (double fault etc), but they really do appear to come from here. As the docs themselves state "ObGetObjectSecurity should only be called at IRQL Level = PASSIVE_LEVEL with APCs enabled, otherwise deadlocks or crashes may occur."
So is it possible to analyze the SecurityDescriptor of a FileObject at DISPATCH? (All code is synchronous at the moment).
If not what are the options - Worker item (at PASSIVE), thread pool, any other non-async methods preferably?
It looks like you're new here. If you want to get involved, click one of these buttons!
|Upcoming OSR Seminars|
|Developing Minifilters||29 July 2019||OSR Seminar Space|
|Writing WDF Drivers||23 Sept 2019||OSR Seminar Space|
|Kernel Debugging||21 Oct 2019||OSR Seminar Space|
|Internals & Software Drivers||18 Nov 2019||Dulles, VA|