Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

There's a new issue of The NT Insider available

Sept/Oct 2019 Issue:

It’s a particularly BIG issue, too: 40 pages of technical goodness, ranging from WDF to Minifilters. Check it out.
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Get SecurityDescriptor for objects at PASSIVE_LEVEL

AvalonAvalon Member Posts: 15

I have a filter and a callback I receive can come in at DPC_LEVEL in any process.

Most of the time it enters as PASSIVE, so FltQuerySecurityObject()/ZwQuerySecurityObject()/ObGetObjectSecurity() etc can succeed, but they all run at <= PASSIVE. Often I will get BSOD, sometimes random (double fault etc), but they really do appear to come from here. As the docs themselves state "ObGetObjectSecurity should only be called at IRQL Level = PASSIVE_LEVEL with APCs enabled, otherwise deadlocks or crashes may occur."

So is it possible to analyze the SecurityDescriptor of a FileObject at DISPATCH? (All code is synchronous at the moment).
If not what are the options - Worker item (at PASSIVE), thread pool, any other non-async methods preferably?


Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Writing WDF Drivers 21 Oct 2019 OSR Seminar Space & ONLINE
Internals & Software Drivers 18 Nov 2019 Dulles, VA
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 27 Apr 2020 OSR Seminar Space & ONLINE