The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
I am developing a Windows Minifilter driver and I am trying to get the user's SID from the
IO_SECURITY_CONTEXT structure in the PreCreate operation. I am aware that there is no way to directly get the SID from the
IO_SECURITY_CONTEXT in other operations as the SID is only checked by the system on create operations.
I have tried multiple solutions in order to extract the
SID_AND_ATTRIBUTES structure from the
IO_SECURITY_CONTEXT structure. As for now I am trying the following:
IO_SECURITY_CONTEXT(SecurityContext->AccessState.SecuritySubjectContext). If the
ClientTokenis NULL, then I take the
ObOpenObjectByPointer(AccessToken, OBJ_CASE_INSENSITIVE, NULL, TOKEN_QUERY, NULL, KernelMode, &TokenHandle);Where
ZwQueryInformationTokento query for
NULLbuffer in order to get the return length size.
ZwQueryInformationTokenagain with the newly allocated buffer. This should fill the buffer with a
The problem is that on step 2, calling
ObOpenObjectByPointer generates a
00000000c0000005 access violation.
SYSTEM_SERVICE_EXCEPTION (3b) An exception happened while executing a system service routine. Arguments: Arg1: 00000000c0000005, Exception code that caused the bugcheck Arg2: fffff8047d518d62, Address of the instruction which caused the bugcheck Arg3: fffffe87a08ad8a0, Address of the context record for the exception that caused the bugcheck Arg4: 0000000000000000, zero.
I have checked the contents of the
SECURITY_SUBJECT_CONTEXT using the command
kp and I can see the following token pointers inside this structure:
(*((<REDACTED>!_SECURITY_SUBJECT_CONTEXT *)0xffffb30e4656b900)) [Type: _SECURITY_SUBJECT_CONTEXT] [+0x000] ClientToken : 0x3066744e03030000 [Type: void *] [+0x008] ImpersonationLevel : SecurityAnonymous (0) [Type: _SECURITY_IMPERSONATION_LEVEL] [+0x010] PrimaryToken : 0xffffb30e458aa460 [Type: void *] [+0x018] ProcessAuditId : 0xffffb30e466cd448 [Type: void *]
Now I check the data on both of the memory addresses (ClientToken and PrimaryToken) using the
db command and I get lots of question marks, I guess that means that memory is not accessible by the driver?
3066744e`03030000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 3066744e`03030010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? ...
Sometimes the PrimaryToken pointer will point to access data, but sometimes both (Client and Primary) will point to inaccessible data.
I basically want to get the SID in order to pass it as a string representation to one of my user mode modules. Despite following all kinds of posts on this and other forums I have been unable to get the
SID_AND_ATTRIBUTES from the
PreCreate. I have now been stuck for several weeks with this problem.
How may I solve this problem? What am I doing wrong? Any help is really appreciated.
|Upcoming OSR Seminars|
|OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!|
|Developing Minifilters||24 May 2021||Live, Online|
|Writing WDF Drivers||14 June 2021||Live, Online|
|Internals & Software Drivers||27 September 2021||Live, Online|
|Kernel Debugging||15 November 2021||Live, Online|