Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

File access checks from kernel

AvalonAvalon Member Posts: 13

Hello. So a bit of context - I have a FS minifilter that is monitoring I/O on the pre/post path, so I have all those struct members if need be. On the Post path where I'm mainly operating, I'm checking the SD/ACL/ACE of the specified FileObject being accessed. But since my process is running from an admin, my token privileges are too high. I want the access checks to be done based on the standard user that got elevated.

I started going down the route of manually trying to check the ACCESS_MASK and building the Desired/Granted/Remaining Access and Allow/Deny based on masks in Dacl/Ace looping, and basing it from SIDs in the standard user token groups, but this is getting very complex, and I feel I will mess up the checks, hence looking at the use of APIs again.

  • So what APIs could I use to do the checks .. SeAccessCheck( "But I need security context of user, and current one is an admin" )? Do I need my thread to impersonate the standard user? Ideas..?
  • The last option is to have a UM component, where the minifilter passes paths to a UM process and have it simply check OpenFile for R/W, then return the result to the minifilter. I haven't tested this but unfortunately I will be blocking loads of operations, as post processing is based on this result.

Thanks.

Comments

  • anton_bassovanton_bassov Member Posts: 5,036

    Ideas..?

    Well, the very fist idea that gets into my head is asking FS-related questions on NTFSD, rather than NTDEV, in the first place

    On the Post path where I'm mainly operating, I'm checking the SD/ACL/ACE of the specified FileObject being accessed.
    But since my process is running from an admin, my token privileges are too high. I want the access checks to be done
    based on the standard user that got elevated.

    Concerning the above part, it does not really seem (at least to me) to make sense the way your question has been presented.
    First of all, what is "your process", taking into consideration that post callbacks are invoked in arbitrary thread context? Second, what is a "standard user" and how (and by whom) does it get "elevated"? Let's face it - in order for a process to run at Admin privilege level (for example, if you launch it via RunAs utility) one needs to enter Admin's password, which means that the user that may do something like that is actually an Admin.....

    Anton Bassov

  • AvalonAvalon Member Posts: 13
    edited July 3

    @anton_bassov said:

    Ideas..?

    Well, the very fist idea that gets into my head is asking FS-related questions on NTFSD, rather than NTDEV, in the first place

    On the Post path where I'm mainly operating, I'm checking the SD/ACL/ACE of the specified FileObject being accessed.
    But since my process is running from an admin, my token privileges are too high. I want the access checks to be done
    based on the standard user that got elevated.

    Concerning the above part, it does not really seem (at least to me) to make sense the way your question has been presented.
    First of all, what is "your process", taking into consideration that post callbacks are invoked in arbitrary thread context? Second, what is a "standard user" and how (and by whom) does it get "elevated"? Let's face it - in order for a process to run at Admin privilege level (for example, if you launch it via RunAs utility) one needs to enter Admin's password, which means that the user that may do something like that is actually an Admin.....

    Anton Bassov

    This question is about file access checks from kernel, the minifilter was merely the side context. It doesn't really matter what thread is hijacked to execute the callback, it could be a High Integrity thread, MI, LI, MI with a DebugToken, again the calling process accessing it is not of concern.

    My question is related to checking the access privileges based on the logged on standard user (yes an admin might have typed the password in for him to elevate him), any process could be accessing the file, however I would like to cross-correlate at the same time whether the "standard user" (not the elevated admin) can R/W to the file being operated upon in the callback. And the APIs related to access checks like SeAccessCheck operate on a SECURITY_SUBJECT_CONTEXT which are obtained from the current process. Hence why I wondered if impersonating a (non-elevated?) thread will somehow help here.

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 7,380

    I have a FS minifilter

    The people who have knowledge about what your doing are file system practitioners, and they’re in NTFSD.

    I’m moving your post.

    Your welcome.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Developing Minifilters 29 July 2019 OSR Seminar Space
Writing WDF Drivers 23 Sept 2019 OSR Seminar Space
Kernel Debugging 21 Oct 2019 OSR Seminar Space
Internals & Software Drivers 18 Nov 2019 Dulles, VA