Hello. So a bit of context - I have a FS minifilter that is monitoring I/O on the pre/post path, so I have all those struct members if need be. On the Post path where I'm mainly operating, I'm checking the SD/ACL/ACE of the specified FileObject being accessed. But since my process is running from an admin, my token privileges are too high. I want the access checks to be done based on the standard user that got elevated.
I started going down the route of manually trying to check the ACCESS_MASK and building the Desired/Granted/Remaining Access and Allow/Deny based on masks in Dacl/Ace looping, and basing it from SIDs in the standard user token groups, but this is getting very complex, and I feel I will mess up the checks, hence looking at the use of APIs again.
It looks like you're new here. If you want to get involved, click one of these buttons!
|Upcoming OSR Seminars|
|Developing Minifilters||29 July 2019||OSR Seminar Space|
|Writing WDF Drivers||23 Sept 2019||OSR Seminar Space|
|Kernel Debugging||21 Oct 2019||OSR Seminar Space|
|Internals & Software Drivers||18 Nov 2019||Dulles, VA|