
Check in IRP_MJ_CREATE if allowed access

Gova_Gimer Member - All Emails Posts: 29
edited August 23 in NTFSD

Hello,
In my disk file system, in IRP_MJ_CREATE, I have a (PACL or PSECURITY_DESCRIPTOR) extracted from my FAT. How do I check whether a 'logged-on Windows user' is authorized to access the file?

Solution: I capture the PACCESS_TOKEN in SECURITY_SUBJECT_CONTEXT::client token from _IO_STACK_LOCATION::Create::SecurityContext::AccessState::SubjectSecurityContext::ClientToken;
and I call SeQueryInformationToken with TokenOwner to get the SID, and walk the PACL extracted from my FAT to compare the SID of each PACL with the SID extracted from the ClientToken.
I have not yet tested this option.
Is it good?

If not, then how?

Thanks.

Comments

  • Eric_Berge Member Posts: 32

    See the Windows API SeAccessCheck which I believe will do a lot of the work for you in this case.

  • Gova_Gimer Member - All Emails Posts: 29
    edited August 23

    How do I capture the PSECURITY_DESCRIPTOR in IRP_MJ_CREATE?

    Is it possible to check access in user mode?
    For information, I am developing a kernel virtual disk file system to manage a virtual disk from user mode.

  • Gova_Gimer Member - All Emails Posts: 29

    Proposed solution:
    I capture from my FAT data the PACL and the SID data of the owner and group, in my kernel driver.
    I create a SECURITY_DESCRIPTOR with the SIDs and PACE added.
    I call SeAccessCheck.

    Is it good?
    Thanks.

  • Eric_Berge Member Posts: 32

    I believe the general outline is that you'll get the SECURITY_DESCRIPTOR from your file system and you'll get the SECURITY_SUBJECT_CONTEXT from the parameters to the IRP_MJ_CREATE (Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext). That's not all the pieces you need, but I believe that's the major part of it. It would be best to point you to a Microsoft example like the FastFat code, but unfortunately that does not support ACLs. In general, the FastFat code and the "File System Algorithms" document from Microsoft are some of the best sources for info on file systems (and the old NT 4.0-based Nagar book, which in spite of its age still has a lot of good info, and you might still be able to order one from OSR, although I just looked at it and I didn't see code for dealing with ACLs in their "Create" function).
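
Added example, not part of the thread and not OSR or Microsoft code: a simplified user-mode C model of the ordered DACL walk that an access check performs, next to a check that compares only one token SID against the ACEs, to show where the two disagree. The string SIDs, the `RIGHT_*` bits and both function names are constructed for illustration; the model leaves out generic mapping, privileges, owner rights and the other inputs SeAccessCheck takes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model: SIDs are strings, a token is its owner SID plus its enabled SIDs. */
enum { ACE_ALLOW, ACE_DENY };
enum { RIGHT_READ = 0x1, RIGHT_WRITE = 0x2 };  /* model bits, not real access masks */
typedef struct { int type; const char *sid; uint32_t mask; } Ace;
typedef struct { const char *owner; const char *sids[4]; size_t nsids; } Token;

static int token_has_sid(const Token *t, const char *sid) {
    for (size_t i = 0; i < t->nsids; i++)
        if (strcmp(t->sids[i], sid) == 0) return 1;
    return 0;
}

/* Ordered walk: a deny ACE for any SID in the token that covers a still-needed
   right fails the request; allow ACEs accumulate until every right is granted. */
int dacl_check(const Ace *dacl, size_t n, const Token *t, uint32_t desired) {
    uint32_t remaining = desired;
    for (size_t i = 0; i < n && remaining; i++) {
        if (!token_has_sid(t, dacl[i].sid)) continue;
        if (dacl[i].type == ACE_DENY && (dacl[i].mask & remaining)) return 0;
        if (dacl[i].type == ACE_ALLOW) remaining &= ~dacl[i].mask;
    }
    return remaining == 0;
}

/* Shortcut: accept if some allow ACE names the token's owner SID and covers the request. */
int single_sid_check(const Ace *dacl, size_t n, const Token *t, uint32_t desired) {
    for (size_t i = 0; i < n; i++)
        if (dacl[i].type == ACE_ALLOW && strcmp(dacl[i].sid, t->owner) == 0
            && (dacl[i].mask & desired) == desired) return 1;
    return 0;
}

/* Constructed sample data: deny precedes allow, and one grant is by group only. */
static const Ace sample_dacl[] = {
    { ACE_DENY,  "SID:contractors", RIGHT_WRITE },
    { ACE_ALLOW, "SID:alice",       RIGHT_READ | RIGHT_WRITE },
    { ACE_ALLOW, "SID:users",       RIGHT_READ },
};
static const Token alice = { "SID:alice", { "SID:alice", "SID:contractors", "SID:users" }, 3 };
static const Token bob   = { "SID:bob",   { "SID:bob", "SID:users" }, 2 };

int main(void) {
    printf("alice write: dacl=%d single-sid=%d\n", dacl_check(sample_dacl, 3, &alice, RIGHT_WRITE),
           single_sid_check(sample_dacl, 3, &alice, RIGHT_WRITE));
    printf("bob read:    dacl=%d single-sid=%d\n", dacl_check(sample_dacl, 3, &bob, RIGHT_READ),
           single_sid_check(sample_dacl, 3, &bob, RIGHT_READ));
    return 0;
}
```

In this model the single-SID comparison grants alice a write that a group deny ACE blocks, and refuses bob a read that a group allow ACE grants.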
