I/O access to NDIS Filter Driver object for non-admin processes

I have a Windows NDIS filter driver and it has the name \Device\MyFilter. The user application performs some DeviceIoControl operations with the filter driver and calls the following code to open the device handle:

LPSECURITY_ATTRIBUTES   lpSecurityAttributes = NULL;
DWORD   CreationDistribution = OPEN_EXISTING;
DWORD   FlagsAndAttributes = FILE_FLAG_OVERLAPPED;
DWORD   DesiredAccess = GENERIC_READ | GENERIC_WRITE;
DWORD   ShareMode = FILE_SHARE_READ | FILE_SHARE_WRITE;
DWORD   lastErr = 0;

m_hFilter = CreateFileA(MY_FILTER_NAME, /* "\\\\.\\\\MyFilter" */
    DesiredAccess, ShareMode, lpSecurityAttributes, CreationDistribution, FlagsAndAttributes, NULL);

if (m_hFilter == INVALID_HANDLE_VALUE)
{
    lastErr = GetLastError();
    return false;
}

It works great if the user application is run “As Administrator”; otherwise (if run as a regular user) CreateFileA returns INVALID_HANDLE_VALUE and lastErr = 5 (Access Denied).
The reasons why it returns “Access Denied” are clear, but how can I make the user’s application open the Filter Driver object?
The idea of creating an interface with IoRegisterDeviceInterface() looks promising, but it requires a pointer to the PDO, which I do not know where to obtain for the Filter Driver.

You need to use a different protection on your device object.

I’ve never written an NDIS Filter but it looks like you need to specify an appropriate SDDL string in your NDIS_DEVICE_OBJECT_ATTRIBUTES. If you’re not sure what you want for an SDDL string there are some reasonable default values available in wdmsec.h.


Thanks, Scott!!!
This code helped:

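// Device object security descriptor: System all; Administrators, World and Restricted read/write/execute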
DeviceAttribute.DefaultSDDLString = &SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX;

// Register the filter driver
Status = NdisRegisterDeviceEx(g_FilterDriverHandle, &DeviceAttribute, &g_NdisDeviceObject, &g_NdisFilterDeviceHandle);
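
Added example, not part of the thread: a small C check of which rights a device SDDL string grants to a given SID alias, showing why the open fails with an admin-only descriptor and succeeds with the one chosen above. The SDDL text for the three wdmsec.h constants is reproduced from Microsoft's documentation and should be verified against your WDK headers; rights_for and can_open_rw are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>

/* Generic rights as they appear in SDDL ACE strings (GA covers more than R|W|X). */
enum { G_READ = 1, G_WRITE = 2, G_EXEC = 4, G_ALL = 15 };

/* SDDL text behind three wdmsec.h constants (assumed from Microsoft's docs). */
static const char *SDDL_ADMIN_ONLY = "D:P(A;;GA;;;SY)(A;;GA;;;BA)";
static const char *SDDL_WORLD_R =
    "D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)(A;;GR;;;RC)";
static const char *SDDL_WORLD_RWX =
    "D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGWGX;;;WD)(A;;GRGWGX;;;RC)";

/* Rights that allow-ACEs in `sddl` grant to the two-letter SID alias `sid`
   ("WD" = Everyone, "BA" = Administrators, "SY" = System).
   Handles only the simple "(A;;rights;;;SID)" ACEs used by these constants. */
int rights_for(const char *sddl, const char *sid)
{
    int granted = 0;
    const char *p = sddl;
    while ((p = strchr(p, '(')) != NULL) {
        char type[8], rights[32], trustee[16];
        /* ACE fields: type;flags;rights;object;inherit_object;sid */
        if (sscanf(p, "(%7[^;];;%31[^;];;;%15[^)])", type, rights, trustee) == 3
            && strcmp(type, "A") == 0 && strcmp(trustee, sid) == 0) {
            for (const char *r = rights; r[0] && r[1]; r += 2) {
                if (!strncmp(r, "GA", 2)) granted |= G_ALL;
                if (!strncmp(r, "GR", 2)) granted |= G_READ;
                if (!strncmp(r, "GW", 2)) granted |= G_WRITE;
                if (!strncmp(r, "GX", 2)) granted |= G_EXEC;
            }
        }
        p++;
    }
    return granted;
}

/* An open with GENERIC_READ | GENERIC_WRITE needs both rights granted. */
int can_open_rw(const char *sddl, const char *sid)
{
    int need = G_READ | G_WRITE;
    return (rights_for(sddl, sid) & need) == need;
}

int main(void)
{
    printf("admin-only, Everyone R+W: %d\n", can_open_rw(SDDL_ADMIN_ONLY, "WD"));
    printf("world-read, Everyone R+W: %d\n", can_open_rw(SDDL_WORLD_R, "WD"));
    printf("world-rwx,  Everyone R+W: %d\n", can_open_rw(SDDL_WORLD_RWX, "WD"));
    return 0;
}
```

With the world-RWX descriptor any local user can open the device for read and write and reach the driver's IOCTL handlers.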