Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


Access granted when ObOpenObjectByPointer request mode is KERNEL

parsaparsa Member Posts: 67

Hi All,

I am studying the minifilter driver concept and developed a sample driver that registers a pre-handle-create callback in the OB_OPERATION_REGISTRATION structure.
In the callback, I am checking for a specific target process id. In case the intended operation tries to open a handle to that particular target process, I am masking off some flags, for example the process terminate flag.

I test the minifilter driver using another driver that opens a handle to the specific process using ObOpenObjectByPointer. When calling ObOpenObjectByPointer in the test driver code, I am requesting process terminate access. In the minifilter pre-handle-create callback, I am masking off the terminate flag in POB_PRE_OPERATION_INFORMATION->Parameters->CreateHandleInformation.DesiredAccess. But when I check the handle returned to my driver, it has terminate access. Why is the OS reverting the access denied by my code? The MSDN doc says that in ObOpenObjectByPointer, when the access mode is kernel, the requested access is always granted, as per the snippet below.

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-obopenobjectbypointer

If the AccessMode parameter is KernelMode, the requested access is always allowed. If AccessMode is UserMode, the requested access is compared to the granted access for the object.

This is the sample code that tests my driver:

// Declarations assumed from the surrounding (unposted) test-driver code;
// obj is assumed to be initialized with InitializeObjectAttributes and
// Pid.UniqueProcess set to the target process id before this point.
NTSTATUS status;
HANDLE hProcess = NULL;
HANDLE newProcessHandle = NULL;
PEPROCESS process = NULL;
OBJECT_ATTRIBUTES obj;
CLIENT_ID Pid;

// First open: a normal handle with GENERIC_READ only.
status = ZwOpenProcess(&hProcess, GENERIC_READ, &obj, &Pid);

// Get the EPROCESS pointer behind the handle (no extra access requested).
status = ObReferenceObjectByHandle(
    hProcess,
    0,
    *PsProcessType,
    KernelMode,
    &process,
    NULL
);

if (!NT_SUCCESS(status))
{
    DbgBreakPoint();
    return;
}
DbgBreakPoint();
// Re-open the process to get a kernel handle.
// 0x1 is PROCESS_TERMINATE; this is the access the minifilter callback
// is expected to strip from DesiredAccess.
if (NT_SUCCESS(status = ObOpenObjectByPointer(
    process,
    OBJ_KERNEL_HANDLE,
    NULL,
    0x1,
    *PsProcessType,
    KernelMode,
    &newProcessHandle
)))
{
    // ... remainder of the posted snippet was cut off here
}
{

Could anyone explain what is happening here? I am confused by the OS behavior.

Thanks,
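For readers following the description of the callback above, here is an added example (not the poster's code) of the access-stripping logic such a pre-operation callback performs. It is a user-mode stand-in: the constants carry the same values as the Windows SDK definitions, and the struct is a hypothetical, simplified stand-in for the fields of OB_PRE_OPERATION_INFORMATION that the callback reads, so it compiles and runs without the WDK.

```c
/* Added example: stand-in for the DesiredAccess filtering done in an
 * ObRegisterCallbacks pre-operation callback for process handles.
 * Constants mirror the Windows SDK values; PreOpInfo is a hypothetical
 * stand-in for OB_PRE_OPERATION_INFORMATION so this builds without the WDK. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;

#define PROCESS_TERMINATE             0x0001u
#define PROCESS_VM_WRITE              0x0020u
#define OB_OPERATION_HANDLE_CREATE    1u
#define OB_OPERATION_HANDLE_DUPLICATE 2u

/* Simplified view of what the real callback reads from the operation info:
 * operation type, the pid of the object being opened, whether a kernel
 * handle is being created, and the requested access (writable). */
typedef struct {
    uint32_t    Operation;
    uint32_t    TargetPid;      /* stands in for PsGetProcessId(Object) */
    bool        KernelHandle;   /* OB_PRE_OPERATION_INFORMATION.KernelHandle */
    ACCESS_MASK DesiredAccess;  /* Parameters->CreateHandleInformation.DesiredAccess */
} PreOpInfo;

/* Rights the driver refuses to hand out on the protected process. */
static const ACCESS_MASK DENIED_RIGHTS = PROCESS_TERMINATE | PROCESS_VM_WRITE;

/* Mirrors the callback body: clear DENIED_RIGHTS from the requested access
 * when a create or duplicate targets protectedPid.  Returns true when the
 * mask changed so the driver can log the event (including KernelHandle,
 * which is useful when checking whether kernel-mode opens honour the mask).
 * Ob callbacks may only reduce access, never fail the open, hence in-place
 * editing instead of an error return. */
static bool FilterProcessHandleAccess(PreOpInfo *info, uint32_t protectedPid)
{
    if (info->Operation != OB_OPERATION_HANDLE_CREATE &&
        info->Operation != OB_OPERATION_HANDLE_DUPLICATE)
        return false;
    if (info->TargetPid != protectedPid)
        return false;
    ACCESS_MASK before = info->DesiredAccess;
    info->DesiredAccess &= ~DENIED_RIGHTS;
    return before != info->DesiredAccess;
}

int main(void)
{
    /* Constructed request: PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION (0x400). */
    PreOpInfo req = { OB_OPERATION_HANDLE_CREATE, 1234u, true, PROCESS_TERMINATE | 0x0400u };
    bool changed = FilterProcessHandleAccess(&req, 1234u);
    printf("changed=%d kernel=%d access=0x%x\n", changed, req.KernelHandle, req.DesiredAccess);
    return 0;
}
```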

Comments

  • HHosseinK Member Posts: 8
    edited January 4

    Hi, Microsoft says you must be in process context to guarantee your access is allowed; in your example it seems you are not in process context.

    Are you there?
