Retrieving Integrity Level in Post-Read

Hi,

I have a filesystem MiniFilter driver and I want my post-read callback to know the integrity level of the process which initiated the IRP (or opened the file handle). I can’t use ObOpenObjectByPointer with a PACCESS_TOKEN argument in the callback itself because ObOpenObjectByPointer requires IRQL <= APC_LEVEL, nor can I use a stream handle context because FltGetStreamHandleContext also needs IRQL <= APC_LEVEL.

Could someone suggest how I can get this information through to my post-read handler please?

Thanks very much,

Ian.

> Could someone suggest how I can get this information through to my post-read handler please?

  1. FLT_PREOP_SYNCHRONIZE, bearing in mind that it will clobber performance
  2. Grab the stream handle context in pre and pass it across as the CompletionContext. You might have to post the dereference.
  3. Or do the dance to get filter manager to call you at <= APC_LEVEL (I cannot remember the name because I never use it because it can fail which is not a particularly useful paradigm IMO) and get the stream handle context then.

I must admit to being surprised that there was an IRQL limit; I guess it's one of those things that you remember every time you start a new minifilter project.

Why do you need ObOpenObjectByPointer?

Query the integrity level in pre-read with SeQueryInformationToken and pass it to the post-read callback. As we are talking about a read operation, the performance impact from SeQueryInformationToken will be negligible as it normally copies data from the token structure. You can also be assured about pre-read IRQL being <= APC_LEVEL.

SeQueryInformationToken( Token,
                         TokenIntegrityLevel,
                         &IntegrityLevel );

Thank you both very much. Slava is right that I didn’t need the ObOpenObjectByPointer so my code now looks a bit like this:

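PACCESS_TOKEN pAccessToken = PsReferencePrimaryToken(pEProcess);
status = SeQueryInformationToken(pAccessToken, TokenIntegrityLevel, &Integrity);
/* PsReferencePrimaryToken takes a reference on the token; release it once queried. */
PsDereferencePrimaryToken(pAccessToken);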
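
An added example, not part of the original thread or any poster's code: a user-mode C model of the pre-read to post-read hand-off suggested above, with the integrity RID packed into the pointer-sized CompletionContext so that post-read needs no token or context calls and has nothing to free. The helper names (pack_integrity, unpack_integrity, integrity_band, post_read_view) are hypothetical; in a driver the RID would come from SeQueryInformationToken in pre-read and the packed value would be returned through the pre-operation callback's CompletionContext parameter.

```c
#include <stdint.h>
#include <string.h>

/* Mandatory-label RIDs, same values as winnt.h. */
#define SECURITY_MANDATORY_LOW_RID    0x1000u
#define SECURITY_MANDATORY_MEDIUM_RID 0x2000u
#define SECURITY_MANDATORY_HIGH_RID   0x3000u
#define SECURITY_MANDATORY_SYSTEM_RID 0x4000u

/* Hypothetical pre-read helper (IRQL <= APC_LEVEL): value for *CompletionContext.
 * The +1 bias keeps RID 0 (untrusted) distinct from NULL = "query failed". */
static void *pack_integrity(int query_ok, uint32_t rid)
{
    return query_ok ? (void *)((uintptr_t)rid + 1) : NULL;
}

/* Hypothetical post-read helper, may run at DISPATCH_LEVEL: arithmetic only,
 * nothing to dereference or free. Returns 1 and fills *rid if a level was set. */
static int unpack_integrity(void *completion_context, uint32_t *rid)
{
    uintptr_t v = (uintptr_t)completion_context;
    if (v == 0) return 0;
    *rid = (uint32_t)(v - 1);
    return 1;
}

/* Levels are ordered bands, so 0x2100 (medium-plus) still maps to medium. */
static const char *integrity_band(uint32_t rid)
{
    if (rid < SECURITY_MANDATORY_LOW_RID)    return "untrusted";
    if (rid < SECURITY_MANDATORY_MEDIUM_RID) return "low";
    if (rid < SECURITY_MANDATORY_HIGH_RID)   return "medium";
    if (rid < SECURITY_MANDATORY_SYSTEM_RID) return "high";
    return "system";
}

/* Constructed round trip: what post-read learns from a pre-read result. */
static const char *post_read_view(int query_ok, uint32_t rid)
{
    uint32_t seen = 0;
    void *ctx = pack_integrity(query_ok, rid);
    return unpack_integrity(ctx, &seen) ? integrity_band(seen) : "unknown";
}

int main(void)
{
    /* Constructed case: a medium-plus caller is reported as "medium". */
    return strcmp(post_read_view(1, 0x2100u), "medium") != 0;
}
```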