Securing Device Object using Service SID Fails in Windows Server 2016

Hi,
I have a KMDF Driver (Bus Driver) that creates a Control Device Object to handle IOCTLs sent from my own Windows Service. I want to lock down the Control Device Object so it can be accessed only from my service. I’m using the following code.

DECLARE_CONST_UNICODE_STRING(securityDescriptor, L"D:P(A;;GA;;;MY_SERVICE_SID))");
deviceInit = WdfControlDeviceInitAllocate(WdfDeviceGetDriver(Fdo),&securityDescriptor);
WdfDeviceInitSetExclusive(deviceInit, …);
status = WdfDeviceInitAssignName(deviceInit, &ntDeviceName);
WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&deviceAttributes,CONTROL_DEVICE_CONTEXT);
status = WdfDeviceCreate(&deviceInit, &deviceAttributes, &controlDevice);

In Windows 10 the code works correctly. The Control Device Object is created and I see that the proper security settings are applied; everything works OK.
The issue is that when running on Windows Server 2016, WdfDeviceCreate returns STATUS_NONE_MAPPED.

My Driver loads very early in the startup process; the Windows service that communicates with the control device object is not started yet when the Driver is loading. I think this is what is causing the issue. It is like the system knows that the service SID is not “present” at that moment in the system, causing WdfDeviceCreate to fail.

Questions:
Why is this only happening in Windows Server?
Is there a better way to protect my Control Device Object, so only a specific service can access it?

Thank you so much
Best Regards
Jason

have you tried creating an ACE / ACL / SD from the same SDDL after the boot has completed on the same machine?

note that no matter what you do, the design of windows means that no driver can be sure that only a specific UM service can ever be the only UM client. A security descriptor like this would mean that only a certain security principal would have access, but there could be an unlimited number of processes that could run as this principal

many schemes to ‘authenticate’ the UM process have been tried - and most suck horribly including the local users administered by IIS that Microsoft has implemented

Hi, thanks for answering.
I have not tried creating an ACE / ACL / SD from the same SDDL after the boot has completed. The Control Device Object is created very early, when the EvtAddDevice callback is called. After that, the driver waits for UM requests. Because WdfDeviceCreate fails I do not have a DO, so the service cannot open a handle.

Thanks.

I don’t suppose there’s any more specific info available in the !WDFLOGDUMP?

STATUS_NONE_MAPPED sounds to ME like the SID in your SDDL isn’t known. Or something. Do the systems on which you’re trying this differ in terms of how they’re configured (AD Joined vs not AD joined)? How did you pick your service SID?

Peter

Hi Peter,
The most obvious difference is the Windows deployment (workstation vs terminal service). Both of my systems are AD joined.
I’m using the Windows-assigned Service SID, the same one returned by “sc showsid MyService”.

It is understandable that the SID is unknown (the driver runs before MyService has started); the weird thing is that Windows 10 behaves differently. Win10 is happy to create the device object and apply the proper security descriptor.

Thanks
Jason

It is understandable that the SID is unknown (the driver runs before MyService has started),

Well, no. Your service doesn’t have to be RUNNING for the SID to be known. Any more than a user has to be logged on for their SID to be known.

Again, “I don’t suppose there’s any more specific info available in the !WDFLOGDUMP?”

Also, what Mr. Bond said earlier: “Try to create an ACE / ACL / SD from the same SDDL after the boot has completed”… It’s entirely possible that there’s just a very simple error, like a config error, that’s tripping you up here.

Peter


WDFLOGDUMP information
There are 40 log entries
— start of log —

38: FxDevice::DeleteDeviceFromFailedCreateNoDelete - WDFDEVICE 0000577AAD477408 !devobj 0000000000000000 created, but EvtDriverDeviceAdd returned status 0xc0000073(STATUS_NONE_MAPPED) or failure in creation
39: FxDevice::Destroy - Deleting !devobj 0000000000000000, WDFDEVICE 0000577AAD477408, attached to !devobj 0000000000000000
40: FxDevice::Destroy - Deleting !devobj 0000000000000000, WDFDEVICE 0000577AAD477408, attached to !devobj 0000000000000000
---- end of log ----

“Try to create an ACE / ACL / SD from the same SDDL after the boot has completed”
If I understand correctly, the suggestion is to create the Device Object (at boot time) with well-known Security Descriptor e.g. “D:P(A;;GRGW;;;LS)” so I can create my device object, and later on (after boot) create an ACE / ACL / SD using Service SDDL.

Thanks for helping.
Best Regards
Jason

Well, that is another good idea.

The suggestion was to try creating your Control Device — exactly as you do it now — much later. Just to see if it works. Take your existing code, put it in a subroutine. Call the subroutine from an IOCTL handler.

Peter


I was suggesting to start with a simple test program that calls ConvertStringSecurityDescriptorToSecurityDescriptor just to make sure that works.

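As an added example (not code from the thread or from any of its participants), here is a PowerShell check that does the two things suggested above on the failing Server 2016 box itself: it asks the LSA whether the SID that sc showsid reports is mapped while the service is not running, and it parses the same SDDL string in user mode through the .NET wrapper over ConvertStringSecurityDescriptorToSecurityDescriptor. The service name MyService is a placeholder.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on the machine where
# WdfDeviceCreate fails. Assumes a service registered under the placeholder name MyService.
$ServiceName = 'MyService'   # placeholder: substitute your service's registered name

# 1. The SID Windows assigns to the service, exactly as sc.exe reports it (S-1-5-80-...).
$scLine     = (sc.exe showsid $ServiceName | Select-String 'SERVICE SID:').Line
$serviceSid = $scLine.Split(':')[1].Trim()
"sc showsid reports: $serviceSid"

# 2. Ask the LSA to map that SID to an account name. The service does not have to be running;
#    a failure here is the user-mode counterpart of the STATUS_NONE_MAPPED the driver sees.
$sid = New-Object System.Security.Principal.SecurityIdentifier $serviceSid
try {
    $account = $sid.Translate([System.Security.Principal.NTAccount])
    "LSA maps $serviceSid to '$($account.Value)'"
} catch [System.Security.Principal.IdentityNotMappedException] {
    "LSA cannot map $serviceSid on this host (NONE_MAPPED): $($_.Exception.Message)"
}

# 3. The reverse direction, name -> SID. A wrong service name in the config shows up here.
try {
    $fromName = (New-Object System.Security.Principal.NTAccount "NT SERVICE\$ServiceName").Translate(
        [System.Security.Principal.SecurityIdentifier])
    "NT SERVICE\$ServiceName resolves to $($fromName.Value); matches sc showsid: $($fromName.Value -eq $serviceSid)"
} catch [System.Security.Principal.IdentityNotMappedException] {
    "NT SERVICE\$ServiceName is not a known account on this host"
}

# 4. Parse the same SDDL the driver hands to WdfControlDeviceInitAllocate. RawSecurityDescriptor's
#    string constructor is the managed wrapper around ConvertStringSecurityDescriptorToSecurityDescriptor.
$sddl = "D:P(A;;GA;;;$serviceSid)"
try {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
    "SDDL parsed. DACL entries:"
    foreach ($ace in $sd.DiscretionaryAcl) {
        "  {0} for {1}, access mask 0x{2:X8}" -f $ace.AceType, $ace.SecurityIdentifier, $ace.AccessMask
    }
} catch {
    "SDDL '$sddl' failed to parse: $($_.Exception.Message)"
}
```

If step 2 or 3 fails on the Server 2016 machine but succeeds on the Windows 10 machine, the difference is in how the service account is registered on each host rather than in the driver; if all four steps pass, the remaining suspect is the early-boot timing that Peter's later-creation test isolates.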

start with a simple test program that calls ConvertStringSecurityDescriptorToSecurityDescriptor

Also a very good idea. See, Mr. jayvpp… lots of things for you to try, all quite easily.

Peter
