I recall years back when Vista first came out having a number of clients panic because their user mode disk utilities could no longer write to the disk without having a kernel driver component which added the SL_FORCE_DIRECT_WRITE flag to a write IRP. I've pretty much just worked off the assumption for the last 10+ years that you couldn't write an MBR from user mode for security reasons. But to my surprise today I found that simple CreateFile/WriteFile on \\.\PhysicalDriveX allows updating sector 0 on both an MBR and GPT style disk (even while online and in use) as long as the process is run as admin. Was this relaxed at some point or did I just misunderstand it all these years? Seems awfully easy to modify the MBR, though you could make the argument that if a user has admin access they could just as well load their own driver to perform the IO that way... but with that line of thinking I'm not clear what the purpose of the IRP flag and the protection mechanism was ever meant to be in the first place. In other words, you can't open \\.\PhysicalDriveX unless you are admin anyway, so what is the point of an additional write restriction which goes away if you are admin?
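Since the post establishes that sector 0 is reachable through plain file I/O on the physical drive handle, the practical defensive counterpart is to read that sector the same way and watch it for changes. The following is an added example, not code from the post or from OSR: it opens a disk image or raw device read-only, decodes the MBR partition table and 0x55AA signature, hashes the boot code and the whole sector, and compares the result against a previously recorded baseline. The sample MBR, the tampered copy and the temporary image path are all constructed here for demonstration; on Windows, the same `check_sector0` call works against `\\.\PhysicalDrive0` from an elevated prompt, since Python's `open()` goes through CreateFile/ReadFile.

```python
import hashlib
import os
import struct
import sys
import tempfile

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"       # bytes 510-511 of a valid MBR or protective MBR
PART_TABLE_OFFSET = 446           # four 16-byte partition entries follow the boot code


def read_sector0(path: str) -> bytes:
    """Read the first sector of a disk image or raw device.

    On Windows pass the physical drive path (e.g. \\.\PhysicalDrive0) from an
    elevated prompt. Unbuffered mode keeps the read sector-aligned, which raw
    device handles require.
    """
    with open(path, "rb", buffering=0) as f:
        sector = f.read(SECTOR_SIZE)
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"short read: got {len(sector)} bytes, expected {SECTOR_SIZE}")
    return sector


def parse_mbr(sector: bytes) -> dict:
    """Decode the parts of sector 0 that matter for tamper detection."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        boot_flag, part_type = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        partitions.append({
            "index": i,
            "bootable": boot_flag == 0x80,
            "type": part_type,
            "lba_start": lba_start,
            "sectors": sector_count,
        })
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        # Type 0xEE marks the protective MBR of a GPT disk; sector 0 still matters there
        "protective_gpt": any(p["type"] == 0xEE for p in partitions),
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "sector_sha256": hashlib.sha256(sector).hexdigest(),
        "partitions": partitions,
    }


def check_sector0(path: str, baseline_sha256: str) -> dict:
    """Parse sector 0 and compare it with a previously recorded baseline hash."""
    info = parse_mbr(read_sector0(path))
    info["matches_baseline"] = info["sector_sha256"] == baseline_sha256
    return info


def build_sample_mbr() -> bytes:
    """Constructed sample MBR: placeholder boot code, one bootable NTFS
    partition (type 0x07) starting at LBA 2048, then the 0x55AA signature."""
    boot_code = bytes([0xEB, 0x63, 0x90]) + b"\x00" * (PART_TABLE_OFFSET - 3)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_024_000)
    table = entry + b"\x00" * 48              # remaining three entries empty
    return boot_code + table + MBR_SIGNATURE


def demo() -> tuple:
    """Record a baseline from the constructed sample image, then detect a
    one-byte change to its boot code. Returns (clean_result, tampered_result)."""
    sample = build_sample_mbr()
    baseline = hashlib.sha256(sample).hexdigest()
    fd, path = tempfile.mkstemp(suffix=".img")   # constructed temporary image
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(sample)
        clean = check_sector0(path, baseline)
        tampered_bytes = bytearray(sample)
        tampered_bytes[0] ^= 0xFF                 # constructed change to the boot code
        with open(path, "wb") as f:
            f.write(tampered_bytes)
        tampered = check_sector0(path, baseline)
    finally:
        os.remove(path)
    return clean, tampered


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python mbr_check.py <device-or-image> <baseline-sha256>
        result = check_sector0(sys.argv[1], sys.argv[2])
        print("baseline match:", result["matches_baseline"])
        print("signature ok:", result["signature_ok"])
    else:
        clean, tampered = demo()
        print("clean matches baseline:", clean["matches_baseline"])
        print("tampered matches baseline:", tampered["matches_baseline"])
```

Run it once with no arguments to see the constructed baseline-versus-tampered comparison, or give it a device path and a recorded hash to check a real disk. The sector hash catches any change; the separate boot-code hash lets you distinguish a rewritten boot loader from a legitimate partition-table edit.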