Access granted when ObOpenObjectByPointer request mode is KERNEL

Hi All,

I am studying the minifilter driver concept and developed a sample driver that registers a pre-handle-create callback in the OB_OPERATION_REGISTRATION structure.
In the callback, I am checking for a specific target process ID. In case the intended operation tries to open a handle to that particular target process, I am masking off some flags, for example the process terminate flag.

When I test the minifilter driver, I use another driver that opens a handle to the specific process using ObOpenObjectByPointer. When calling ObOpenObjectByPointer in the test driver code, I am requesting process terminate access. In the minifilter pre-handle-create callback, I am masking off the terminate flag in POB_PRE_OPERATION_INFORMATION->Parameters->CreateHandleInformation.DesiredAccess. But when I check the handle returned to my driver, it has termination access… Why is the OS reverting the access denied by my code? The MSDN doc says that in ObOpenObjectByPointer, when the access mode is kernel, the requested access is always granted, as per the snippet below.

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-obopenobjectbypointer

If the AccessMode parameter is KernelMode, the requested access is always allowed. If AccessMode is UserMode, the requested access is compared to the granted access for the object.

This is the sample code that tests my driver:

VOID TestOpenTarget(ULONG targetPid)
{
    NTSTATUS status;
    HANDLE hProcess = NULL;
    HANDLE newProcessHandle = NULL;
    PEPROCESS process = NULL;
    OBJECT_ATTRIBUTES obj;
    CLIENT_ID Pid = { 0 };

    Pid.UniqueProcess = ULongToHandle(targetPid);
    InitializeObjectAttributes(&obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    status = ZwOpenProcess(&hProcess, GENERIC_READ, &obj, &Pid);
    if (!NT_SUCCESS(status))
    {
        DbgBreakPoint();
        return;
    }

    // Turn the handle into a referenced PEPROCESS pointer.
    status = ObReferenceObjectByHandle(
        hProcess,
        0,
        *PsProcessType,
        KernelMode,
        (PVOID*)&process,
        NULL
    );
    if (!NT_SUCCESS(status))
    {
        DbgBreakPoint();
        ZwClose(hProcess);
        return;
    }
    DbgBreakPoint();

    // Re-open the process to get a kernel handle. 0x1 is PROCESS_TERMINATE,
    // the right the pre-handle-create callback is expected to strip.
    if (NT_SUCCESS(status = ObOpenObjectByPointer(
        process,
        OBJ_KERNEL_HANDLE,
        NULL,
        PROCESS_TERMINATE,
        *PsProcessType,
        KernelMode,
        &newProcessHandle
    )))
    {
        // Inspect newProcessHandle here (ZwQueryObject with
        // ObjectBasicInformation reports GrantedAccess), then release it.
        ZwClose(newProcessHandle);
    }

    ObDereferenceObject(process);
    ZwClose(hProcess);
}

Could anyone explain what is happening here? I am confused by the OS behavior.

Thanks,
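Added example, not code from the original post or from the poster's driver: the DesiredAccess-masking half of an ObRegisterCallbacks pre-operation callback, with the decision pulled out into a pure function so it can be compiled and checked in user mode before it goes into a driver. OB_FILTER_KERNEL_BUILD is a hypothetical macro: define it when building into a driver (ntddk.h is then used); otherwise small stand-in types replace the kernel headers. The callback also logs Info->KernelHandle, which is set for kernel-mode requests such as the ObOpenObjectByPointer(..., OBJ_KERNEL_HANDLE, ...) call above, so the debug output shows whether the callback ran for that open and what it changed. The deny mask goes beyond the post's PROCESS_TERMINATE by also stripping the injection-related rights; g_ProtectedPid and the PID values in the harness are assumed or constructed.

```c
/* Added example (not the original post's code): DesiredAccess masking for an
 * ObRegisterCallbacks pre-operation callback, with the decision in a pure
 * function that also compiles and runs in user mode.
 * OB_FILTER_KERNEL_BUILD is a hypothetical macro: define it for the driver
 * build; otherwise stand-in types replace ntddk.h. */
#ifdef OB_FILTER_KERNEL_BUILD
#include <ntddk.h>
#else
#include <stdint.h>
#include <stdio.h>
typedef uint32_t ACCESS_MASK;
typedef uint32_t ULONG;
/* Process access-right values as defined in the Windows headers. */
#define PROCESS_TERMINATE      0x0001
#define PROCESS_CREATE_THREAD  0x0002
#define PROCESS_VM_OPERATION   0x0008
#define PROCESS_VM_WRITE       0x0020
#endif

/* Rights stripped from any handle to the protected process. The post masks
 * only PROCESS_TERMINATE; the injection-related rights are a generalisation. */
#define PROTECTED_DENY_MASK \
    (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE)

/* Return the DesiredAccess a request should be reduced to.
 * callerPid: PID making the request; targetPid: PID the handle refers to;
 * protectedPid: PID being shielded; desired: DesiredAccess from the
 * pre-operation parameters. Requests that do not target the protected
 * process, and the protected process opening itself, are left untouched. */
ACCESS_MASK FilterProcessAccess(ULONG callerPid, ULONG targetPid,
                                ULONG protectedPid, ACCESS_MASK desired)
{
    if (targetPid != protectedPid || callerPid == protectedPid)
        return desired;
    return desired & ~(ACCESS_MASK)PROTECTED_DENY_MASK;
}

#ifdef OB_FILTER_KERNEL_BUILD
static ULONG g_ProtectedPid;  /* assumed to be set elsewhere by the driver */

/* PreOperation routine registered in OB_OPERATION_REGISTRATION for
 * *PsProcessType with OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE. */
OB_PREOP_CALLBACK_STATUS
ProcessPreOperation(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION Info)
{
    UNREFERENCED_PARAMETER(RegistrationContext);
    if (Info->ObjectType != *PsProcessType)
        return OB_PREOP_SUCCESS;

    PACCESS_MASK access = (Info->Operation == OB_OPERATION_HANDLE_CREATE)
        ? &Info->Parameters->CreateHandleInformation.DesiredAccess
        : &Info->Parameters->DuplicateHandleInformation.DesiredAccess;

    ULONG targetPid = HandleToULong(PsGetProcessId((PEPROCESS)Info->Object));
    ULONG callerPid = HandleToULong(PsGetCurrentProcessId());
    ACCESS_MASK before = *access;

    *access = FilterProcessAccess(callerPid, targetPid, g_ProtectedPid, before);

    /* KernelHandle is set for kernel-mode requests such as the
     * ObOpenObjectByPointer(..., OBJ_KERNEL_HANDLE, ...) call in the post.
     * Logging it confirms the callback ran for that open and what it changed. */
    if (before != *access)
        DbgPrint("ob-filter: pid %lu -> pid %lu kernel=%lu access 0x%08lx -> 0x%08lx\n",
                 callerPid, targetPid, (ULONG)Info->KernelHandle, before, *access);
    return OB_PREOP_SUCCESS;
}
#endif

#ifndef OB_FILTER_KERNEL_BUILD
/* User-mode harness: exercise the decision function on constructed PIDs. */
int main(void)
{
    const ULONG protectedPid = 4242;  /* constructed sample value */
    printf("other pid, terminate only   -> 0x%x\n",
           FilterProcessAccess(100, protectedPid, protectedPid, PROCESS_TERMINATE));
    printf("other pid, terminate|0x400  -> 0x%x\n",
           FilterProcessAccess(100, protectedPid, protectedPid, PROCESS_TERMINATE | 0x0400));
    printf("self-open, terminate        -> 0x%x\n",
           FilterProcessAccess(protectedPid, protectedPid, protectedPid, PROCESS_TERMINATE));
    printf("unrelated target, terminate -> 0x%x\n",
           FilterProcessAccess(100, 7, protectedPid, PROCESS_TERMINATE));
    return 0;
}
#endif
```

Keeping the decision in FilterProcessAccess means the part that is easy to get wrong (which PIDs and which bits) is covered by a host-side test, while the kernel-only part stays a thin wrapper around the OB_PRE_OPERATION_INFORMATION fields.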

Hi, Microsoft says you must be in the process context to guarantee your access is allowed; in your example it seems you are not in the process context.

Are you there?