Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
I have a minifilter. I want to restrict access to driver's IOCL (1) at least so non elevated users cannot call DeviceIoControl. The best will be (2) to restrict calls to IOCL to my user mode process only (it runs elevated), as IOCL exposes very powerful functionality.
From user mode I open driver like this:
HANDLE hDrv = CreateFileW( L"\\\\.\\DriverName", GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
Then call IOCL like this:
#define MAKE_DANGEROUS_THING_IOCL CTL_CODE( SIOCTL_TYPE, 0x804, METHOD_BUFFERED, FILE_READ_DATA|FILE_WRITE_DATA) DeviceIoControl(hDrv, MAKE_DANGEROUS_THING_IOCL, nullptr, 0, readBuffer, sizeof(readBuffer), &dwBytesRead, NULL)
In driver I have:
extern "C" NTSTATUS DriverEntry(__in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath) { IoCreateDevice(DriverObject, 0, &DEVICE_NAME, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &gMyDevice); IoCreateSymbolicLink(&DEVICE_SYM_LINK, &DEVICE_NAME); DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = Function_IRP_DEVICE_CONTROL;
I tried to put in the .inf file the following ACL that I expect should prevent opening driver from interactive users:
[MiniFilter.AddRegistry.security] "O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
But I had no luck, CreateFileW and DeviceIoControl successfully execute from the non elevated user.
What am I doing wrong? How can I restrict IOCL functionality to admins or to my process only?
Upcoming OSR Seminars | ||
---|---|---|
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
Writing WDF Drivers | 7 Dec 2020 | LIVE ONLINE |
Internals & Software Drivers | 25 Jan 2021 | LIVE ONLINE |
Developing Minifilters | 8 March 2021 | LIVE ONLINE |
Comments
I found a problem with my approach. This
is to restrict access to registry only. So I changed INF file to this, so security settings will affect driver:
But even with no rights to the interactive users, I still can CreateFileW and DeviceIoControl successfully from the non elevated user.
Looks like this rights affect driver as an object of manipulation from the service manager, not as a Driver Object as I expected.
Any idea how to protect IOCL from calling by non elevated users?
You want IoCreateDeviceSecure.
-scott
OSR
I found that this works as I want too (can
CreateFileW( L"\\\\.\\DriverName", ...)
for admins, cannot for non-admins):I replaced
FILE_DEVICE_UNKNOWN
withFILE_DEVICE_DISK_FILE_SYSTEM
Is it ok to use
FILE_DEVICE_DISK_FILE_SYSTEM
with a minifilter?Why not use IoCreateDeviceSecure and not have to rely on some implementation detail?
-scott
OSR