Convert a user mode handle to a kernel mode handle, how?

Hi,

Long story short: I need to pass a file handle from a program to my driver and then execute ZwSetInformationFile on said handle.
So far so good, it works and it does what it should, but, and this is a big BUT, when Driver Verifier is enabled this causes a BSOD with the issue 0xF6 “A driver references a user-mode handle as kernel mode.”

So is there a way to duplicate the handle to a kernel mode handle?
And will that work, or would the other handle then potentially interfere with the file rename operation?

Cheers
David X.

First, there are security problems using a user mode handle in the kernel. But if you must, look at ObReferenceObjectByHandle followed by ObOpenObjectByPointer.


What Mr. Burn said…

Let me provide the additional reminder that you need to be running in the context of the process that opened the file when you go through the ObReferenceObjectByHandle and ObOpenObjectByPointer. If you have a KMDF driver, that means you can’t be doing this in one of your EvtIoXxxx callbacks.

There is a semi-famous discussion about this from several years ago that you might want to take the time to read.

Peter


@Don_Burn said:
First, there are security problems using a user mode handle in the kernel. But if you must, look at ObReferenceObjectByHandle followed by ObOpenObjectByPointer.

OK, great. Could you please be a bit more specific about how to do that exactly?

Mr @DavidXanatos … Did you see my reply ten minutes before yours immediately above, but after Mr. Burn’s? If that doesn’t answer your question, please feel free to ask a specific question.

Peter


Basically, you use ObReferenceObjectByHandle to get the object pointer, and then use ObOpenObjectByPointer to take that pointer and get a kernel handle. As Peter said, make sure you are in the context of the process passing the pointer.


@“Peter_Viscarola_(OSR)” said:
Mr @DavidXanatos … Did you see my reply ten minutes before yours immediately above, but after Mr. Burn’s? If that doesn’t answer your question, please feel free to ask a specific question.

Peter

Thanks, I think I found the solution in the thread you’ve linked; testing it right now :)

That seems to have worked perfectly, thank you very much for the help.

Our pleasure.

Peter