Check in IRP_MJ_CREATE if allowed access

Gova_Gimer Member - All Emails Posts: 43
edited August 2019 in NTFSD

Hello,
In my disk file system, in IRP_MJ_CREATE, I have a (PACL or PSECURITY_DESCRIPTOR) extracted from my FAT. How do I check whether a logged-on Windows user is authorized to access the file?

Solution: I capture the PACCESS_TOKEN (the client token in SECURITY_SUBJECT_CONTEXT) from _IO_STACK_LOCATION::Create::SecurityContext::AccessState::SubjectSecurityContext::ClientToken,
and I call SeQueryInformationToken with TokenOwner to get the SID, then walk the PACL extracted from my FAT to compare each SID in the PACL with the SID extracted from ClientToken.
I have not tested this option yet.
Is it good?

If not, then how?

Thanks.

Comments

  • Eric_Berge Member Posts: 32

    See the Windows API SeAccessCheck which I believe will do a lot of the work for you in this case.

  • Gova_Gimer Member - All Emails Posts: 43
    edited August 2019

    How do I capture the PSECURITY_DESCRIPTOR in IRP_MJ_CREATE?

    Is it possible to check access in user mode?
    For information, I am developing a kernel virtual disk file system to manage a virtual disk from user mode.

  • Gova_Gimer Member - All Emails Posts: 43

    Proposed solution:
    I capture the PACL data and the owner and group SID data from my FAT; in my kernel driver
    I create a SECURITY_DESCRIPTOR with the SIDs and PACE added.
    I call SeAccessCheck.

    Is it good?
    Thanks.

  • Eric_Berge Member Posts: 32

    I believe the general outline is that you'll get the SECURITY_DESCRIPTOR from your file system and you'll get the SECURITY_SUBJECT_CONTEXT from the parameters to the IRP_MJ_CREATE (Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext). That's not all the pieces you need but I believe that's the major part of it. It would be best to point you to a Microsoft example like the FastFat code, but unfortunately that does not support ACLs. In general the FastFat and the "File System Algorithms" document from Microsoft are some of the best sources for info on file systems (and the old NT 4.0-based Nagar book which in spite of its age still has a lot of good info and you might still be able to order one from OSR -- although I just looked at it and I didn't see code for dealing with ACLs in their "Create" function).
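
Added example, not part of the thread and not OSR or Microsoft code: a simplified user-space C model of the ordered DACL walk that an access check performs, set beside a comparison of one SID from the token against the ACL. The types, function names and SID strings are hypothetical; the model leaves out the privilege, owner-right, generic-mapping and NULL-DACL handling that SeAccessCheck covers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified model, not the kernel API: SIDs are strings, rights are bit flags. */
enum { R_READ = 1, R_WRITE = 2 };
typedef struct { int deny; const char *sid; uint32_t mask; } ace;
typedef struct { const char *user; const char *groups[4]; size_t ngroups; } token;
/* A token matches an ACE if the ACE names its user SID or any of its group SIDs. */
static int token_has_sid(const token *t, const char *sid) {
    if (strcmp(t->user, sid) == 0) return 1;
    for (size_t i = 0; i < t->ngroups; i++)
        if (strcmp(t->groups[i], sid) == 0) return 1;
    return 0;
}
/* Ordered DACL walk: matching deny ACEs fail the request, matching allows clear rights. */
int model_access_check(const token *t, const ace *dacl, size_t n, uint32_t desired) {
    uint32_t remaining = desired;
    for (size_t i = 0; i < n && remaining; i++) {
        if (!token_has_sid(t, dacl[i].sid)) continue;
        if (dacl[i].deny) { if (dacl[i].mask & remaining) return 0; }
        else remaining &= ~dacl[i].mask;
    }
    return remaining == 0;
}
/* Hand-rolled alternative: only allow ACEs naming one SID taken from the token. */
int single_sid_check(const char *sid, const ace *dacl, size_t n, uint32_t desired) {
    uint32_t granted = 0;
    for (size_t i = 0; i < n; i++)
        if (!dacl[i].deny && strcmp(dacl[i].sid, sid) == 0) granted |= dacl[i].mask;
    return (granted & desired) == desired;
}
/* Constructed sample data; the SID strings are placeholders. */
static const ace sample_dacl[] = {
    { 1, "S-1-5-21-X-Contractors", R_WRITE },
    { 0, "S-1-5-21-X-1001",        R_READ | R_WRITE },
    { 0, "S-1-5-21-X-Staff",       R_READ },
};
static const size_t sample_n = sizeof sample_dacl / sizeof sample_dacl[0];
static const token alice = { "S-1-5-21-X-1001", { "S-1-5-21-X-Contractors" }, 1 };
static const token bob   = { "S-1-5-21-X-1002", { "S-1-5-21-X-Staff" }, 1 };

int main(void) {
    printf("alice write: full=%d single=%d\n",
           model_access_check(&alice, sample_dacl, sample_n, R_WRITE),
           single_sid_check(alice.user, sample_dacl, sample_n, R_WRITE));
    printf("bob read:    full=%d single=%d\n",
           model_access_check(&bob, sample_dacl, sample_n, R_READ),
           single_sid_check(bob.user, sample_dacl, sample_n, R_READ));
    return 0;
}
```

In the sample data, Alice's write is refused by a deny ACE on one of her groups that the single-SID comparison never sees, and Bob's read, granted only through a group, is missed by it.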
