Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

Hello,

I have an NDIS device driver derived from NetVMini 5.x which works perfectly well in Win XP. My aim is to migrate this driver to Windows 7 and access it as a normal user.
As Win7 has some stricter security features therefore, I just cannot access it the way I was accessing it in XP as even the CreateFile fails.

So I took a new approach to resolve this problem, I created 3 IRP handlers viz, Create, Read and Write thinking that now this permissions issue will get resolved unlike the case with IOCTLs.
However it seems that I have gone fathoms deeper in a different problem than before; now my Irp->AssociatedIrp.SystemBuffer is coming as NULL.

Can anybody please help me in this.

Thanks

Warm Regds,
Rahul Mathur

::DISCLAIMER::

The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only.
It shall not attach any liability on the originator or HCL or its affiliates. Any views or opinions presented in
this email are solely those of the author and may not necessarily reflect the opinions of HCL or its affiliates.
Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of
this message without the prior written consent of the author of this e-mail is strictly prohibited. If you have
received this email in error please delete it and notify the sender immediately. Before opening any mail and
attachments please check them for viruses and defect.

1.) The approach you have taken will not change the permission issue that you see with NDIS 5 miniport running on Windows 7. So, what you are attempting is not worthwhile. The solution is migrating to a NDIS 6 miniport where NdisRegisterDeviceEx can be used instead of NdisMRegisterDevice.

2.) For your buffer problem: Did you set DO_BUFFERED_IO in the Flags field of your device object after calling NdisMRegisterDevice? Also, lengths are passed in a different field in the IRP stack for read/write/ioctl. If you examine the wrong field you may fetch the wrong length and think your buffer is zero length even though it isn’t.

Thomas F. Divine
http://www.pcausa.com

From: Rahul Mathur
Sent: Friday, January 20, 2012 7:20 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

Hello,

I have an NDIS device driver derived from NetVMini 5.x which works perfectly well in Win XP. My aim is to migrate this driver to Windows 7 and access it as a normal user.

As Win7 has some stricter security features therefore, I just cannot access it the way I was accessing it in XP as even the CreateFile fails.

So I took a new approach to resolve this problem, I created 3 IRP handlers viz, Create, Read and Write thinking that now this permissions issue will get resolved unlike the case with IOCTLs.

However it seems that I have gone fathoms deeper in a different problem than before; now my Irp->AssociatedIrp.SystemBuffer is coming as NULL.

Can anybody please help me in this.

Thanks

Warm Regds,

Rahul Mathur

::DISCLAIMER::

The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only.
It shall not attach any liability on the originator or HCL or its affiliates. Any views or opinions presented in
this email are solely those of the author and may not necessarily reflect the opinions of HCL or its affiliates.
Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of
this message without the prior written consent of the author of this e-mail is strictly prohibited. If you have
received this email in error please delete it and notify the sender immediately. Before opening any mail and
attachments please check them for viruses and defect.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Hi Thomas,

Thank you for guiding me in this however, I still have some queries -

a) If I migrate to NDIS 6 and use NdisMRegisterDeviceEx, will my application in user-mode be able to access the driver using IOCTLs ?

b) If not, then do I have to write the IRP handlers for Read/Write & Create and then I will be able to access it ?

c) Do I need to change the inf file for permissions issue ?

d) I have not used the device object explicitly just plain pass-through logic (where I use DispatchTable to populate the IRP array pointer). Moreover my understanding was that NDIS libraries internally use the device object and doesn’t provide the access outside of it.

Please confirm.

Thanks

Warm Regds,
Rahul Mathur

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Thomas F. Divine
Sent: Friday, January 20, 2012 6:38 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

1.) The approach you have taken will not change the permission issue that you see with NDIS 5 miniport running on Windows 7. So, what you are attempting is not worthwhile. The solution is migrating to a NDIS 6 miniport where NdisRegisterDeviceEx can be used instead of NdisMRegisterDevice.

2.) For your buffer problem: Did you set DO_BUFFERED_IO in the Flags field of your device object after calling NdisMRegisterDevice? Also, lengths are passed in a different field in the IRP stack for read/write/ioctl. If you examine the wrong field you may fetch the wrong length and think your buffer is zero length even though it isn’t.

Thomas F. Divine
http://www.pcausa.com

From: Rahul Mathurmailto:xxxxx
Sent: Friday, January 20, 2012 7:20 AM
To: Windows System Software Devs Interest Listmailto:xxxxx
Subject: [ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

Hello,

I have an NDIS device driver derived from NetVMini 5.x which works perfectly well in Win XP. My aim is to migrate this driver to Windows 7 and access it as a normal user.
As Win7 has some stricter security features therefore, I just cannot access it the way I was accessing it in XP as even the CreateFile fails.

So I took a new approach to resolve this problem, I created 3 IRP handlers viz, Create, Read and Write thinking that now this permissions issue will get resolved unlike the case with IOCTLs.
However it seems that I have gone fathoms deeper in a different problem than before; now my Irp->AssociatedIrp.SystemBuffer is coming as NULL.

Can anybody please help me in this.

Thanks

Warm Regds,
Rahul Mathur

________________________________
::DISCLAIMER::
-----------------------------------------------------------------------------------------------------------------------

The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only.
It shall not attach any liability on the originator or HCL or its affiliates. Any views or opinions presented in
this email are solely those of the author and may not necessarily reflect the opinions of HCL or its affiliates.
Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of
this message without the prior written consent of the author of this e-mail is strictly prohibited. If you have
received this email in error please delete it and notify the sender immediately. Before opening any mail and
attachments please check them for viruses and defect.

-----------------------------------------------------------------------------------------------------------------------

—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer</mailto:xxxxx></mailto:xxxxx>

And I haven’t set DO_BUFFERED_IO after calling NdisMRegisterDevice.

Rephrasing the first point:

a) If I migrate to NDIS 6 and use NdisMRegisterDeviceEx, will my application in user-mode be able to access the driver using IOCTLs using DeviceIoControl ?

Thanks

Warm Regds,
Rahul Mathur
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Rahul Mathur
Sent: Friday, January 20, 2012 7:32 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

Hi Thomas,

Thank you for guiding me in this however, I still have some queries -

b) If I migrate to NDIS 6 and use NdisMRegisterDeviceEx, will my application in user-mode be able to access the driver using IOCTLs ?

c) If not, then do I have to write the IRP handlers for Read/Write & Create and then I will be able to access it ?

d) Do I need to change the inf file for permissions issue ?

e) I have not used the device object explicitly just plain pass-through logic (where I use DispatchTable to populate the IRP array pointer). Moreover my understanding was that NDIS libraries internally use the device object and doesn’t provide the access outside of it.

Please confirm.

Thanks

Warm Regds,
Rahul Mathur

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Thomas F. Divine
Sent: Friday, January 20, 2012 6:38 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

1.) The approach you have taken will not change the permission issue that you see with NDIS 5 miniport running on Windows 7. So, what you are attempting is not worthwhile. The solution is migrating to a NDIS 6 miniport where NdisRegisterDeviceEx can be used instead of NdisMRegisterDevice.

2.) For your buffer problem: Did you set DO_BUFFERED_IO in the Flags field of your device object after calling NdisMRegisterDevice? Also, lengths are passed in a different field in the IRP stack for read/write/ioctl. If you examine the wrong field you may fetch the wrong length and think your buffer is zero length even though it isn’t.

Thomas F. Divine
http://www.pcausa.com

From: Rahul Mathurmailto:xxxxx
Sent: Friday, January 20, 2012 7:20 AM
To: Windows System Software Devs Interest Listmailto:xxxxx
Subject: [ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

Hello,

I have an NDIS device driver derived from NetVMini 5.x which works perfectly well in Win XP. My aim is to migrate this driver to Windows 7 and access it as a normal user.
As Win7 has some stricter security features therefore, I just cannot access it the way I was accessing it in XP as even the CreateFile fails.

So I took a new approach to resolve this problem, I created 3 IRP handlers viz, Create, Read and Write thinking that now this permissions issue will get resolved unlike the case with IOCTLs.
However it seems that I have gone fathoms deeper in a different problem than before; now my Irp->AssociatedIrp.SystemBuffer is coming as NULL.

Can anybody please help me in this.

Thanks

Warm Regds,
Rahul Mathur

________________________________
::DISCLAIMER::
-----------------------------------------------------------------------------------------------------------------------

The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only.
It shall not attach any liability on the originator or HCL or its affiliates. Any views or opinions presented in
this email are solely those of the author and may not necessarily reflect the opinions of HCL or its affiliates.
Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of
this message without the prior written consent of the author of this e-mail is strictly prohibited. If you have
received this email in error please delete it and notify the sender immediately. Before opening any mail and
attachments please check them for viruses and defect.

-----------------------------------------------------------------------------------------------------------------------

—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer</mailto:xxxxx></mailto:xxxxx>

a.) Yes.
b.) You do not have to write IRP_MJ_READ/IRP_MJ_WRITE handlers. HOWEVER, remember that faster I/O techniques such as ReadFileEx and IOCPs operate primarily on Read/Write operations. So, while limiting yourself to IOCTL you are also eliminating the possibility of using some of the async I/O techniques.
c.) No.
d.) NDIS certainly does play games with the DeviceObject. However, If you are implementing R/W the setting the DO Flags for DO_BUFFERED_IO should be OK. If it isn’t, then you must figure out what NDIS has decided for you and it may not be buffered I/O. If it isn’t buffered I/O then you can’t expect the SystemBuffer to even be used for R/W.

Good luck!

Thomas F. Divine
http:/www.pcausa.com

From: Rahul Mathur
Sent: Friday, January 20, 2012 9:02 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

Hi Thomas,

Thank you for guiding me in this however, I still have some queries -

a) If I migrate to NDIS 6 and use NdisMRegisterDeviceEx, will my application in user-mode be able to access the driver using IOCTLs ?

b) If not, then do I have to write the IRP handlers for Read/Write & Create and then I will be able to access it ?

c) Do I need to change the inf file for permissions issue ?

d) I have not used the device object explicitly just plain pass-through logic (where I use DispatchTable to populate the IRP array pointer). Moreover my understanding was that NDIS libraries internally use the device object and doesn’t provide the access outside of it.

Please confirm.

Thanks

Warm Regds,

Rahul Mathur

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Thomas F. Divine
Sent: Friday, January 20, 2012 6:38 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

1.) The approach you have taken will not change the permission issue that you see with NDIS 5 miniport running on Windows 7. So, what you are attempting is not worthwhile. The solution is migrating to a NDIS 6 miniport where NdisRegisterDeviceEx can be used instead of NdisMRegisterDevice.

2.) For your buffer problem: Did you set DO_BUFFERED_IO in the Flags field of your device object after calling NdisMRegisterDevice? Also, lengths are passed in a different field in the IRP stack for read/write/ioctl. If you examine the wrong field you may fetch the wrong length and think your buffer is zero length even though it isn’t.

Thomas F. Divine

http://www.pcausa.com

From: Rahul Mathur

Sent: Friday, January 20, 2012 7:20 AM

To: Windows System Software Devs Interest List

Subject: [ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

Hello,

I have an NDIS device driver derived from NetVMini 5.x which works perfectly well in Win XP. My aim is to migrate this driver to Windows 7 and access it as a normal user.

As Win7 has some stricter security features therefore, I just cannot access it the way I was accessing it in XP as even the CreateFile fails.

So I took a new approach to resolve this problem, I created 3 IRP handlers viz, Create, Read and Write thinking that now this permissions issue will get resolved unlike the case with IOCTLs.

However it seems that I have gone fathoms deeper in a different problem than before; now my Irp->AssociatedIrp.SystemBuffer is coming as NULL.

Can anybody please help me in this.

Thanks

Warm Regds,

Rahul Mathur

::DISCLAIMER::

The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only.
It shall not attach any liability on the originator or HCL or its affiliates. Any views or opinions presented in
this email are solely those of the author and may not necessarily reflect the opinions of HCL or its affiliates.
Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of
this message without the prior written consent of the author of this e-mail is strictly prohibited. If you have
received this email in error please delete it and notify the sender immediately. Before opening any mail and
attachments please check them for viruses and defect.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Yes.

From: Rahul Mathur
Sent: Friday, January 20, 2012 9:31 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

And I haven’t set DO_BUFFERED_IO after calling NdisMRegisterDevice.

Rephrasing the first point:

a) If I migrate to NDIS 6 and use NdisMRegisterDeviceEx, will my application in user-mode be able to access the driver using IOCTLs using DeviceIoControl ?

Thanks

Warm Regds,

Rahul Mathur

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Rahul Mathur
Sent: Friday, January 20, 2012 7:32 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

Hi Thomas,

Thank you for guiding me in this however, I still have some queries -

b) If I migrate to NDIS 6 and use NdisMRegisterDeviceEx, will my application in user-mode be able to access the driver using IOCTLs ?

c) If not, then do I have to write the IRP handlers for Read/Write & Create and then I will be able to access it ?

d) Do I need to change the inf file for permissions issue ?

e) I have not used the device object explicitly just plain pass-through logic (where I use DispatchTable to populate the IRP array pointer). Moreover my understanding was that NDIS libraries internally use the device object and doesn’t provide the access outside of it.

Please confirm.

Thanks

Warm Regds,

Rahul Mathur

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Thomas F. Divine
Sent: Friday, January 20, 2012 6:38 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

1.) The approach you have taken will not change the permission issue that you see with NDIS 5 miniport running on Windows 7. So, what you are attempting is not worthwhile. The solution is migrating to a NDIS 6 miniport where NdisRegisterDeviceEx can be used instead of NdisMRegisterDevice.

2.) For your buffer problem: Did you set DO_BUFFERED_IO in the Flags field of your device object after calling NdisMRegisterDevice? Also, lengths are passed in a different field in the IRP stack for read/write/ioctl. If you examine the wrong field you may fetch the wrong length and think your buffer is zero length even though it isn’t.

Thomas F. Divine

http://www.pcausa.com

From: Rahul Mathur

Sent: Friday, January 20, 2012 7:20 AM

To: Windows System Software Devs Interest List

Subject: [ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

Hello,

I have an NDIS device driver derived from NetVMini 5.x which works perfectly well in Win XP. My aim is to migrate this driver to Windows 7 and access it as a normal user.

As Win7 has some stricter security features therefore, I just cannot access it the way I was accessing it in XP as even the CreateFile fails.

So I took a new approach to resolve this problem, I created 3 IRP handlers viz, Create, Read and Write thinking that now this permissions issue will get resolved unlike the case with IOCTLs.

However it seems that I have gone fathoms deeper in a different problem than before; now my Irp->AssociatedIrp.SystemBuffer is coming as NULL.

Can anybody please help me in this.

Thanks

Warm Regds,

Rahul Mathur

::DISCLAIMER::

The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only.
It shall not attach any liability on the originator or HCL or its affiliates. Any views or opinions presented in
this email are solely those of the author and may not necessarily reflect the opinions of HCL or its affiliates.
Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of
this message without the prior written consent of the author of this e-mail is strictly prohibited. If you have
received this email in error please delete it and notify the sender immediately. Before opening any mail and
attachments please check them for viruses and defect.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Note that you can make IOCTL codes as not requiring neither read or write access, and then call CreateFile with zero access mask, and then be able to use the driver from non-administrative user without having to change it to NDIS 6.

Didn’t think of that! Thanks for the tip.
On Jan 20, 2012 1:00 PM, wrote:

> Note that you can make IOCTL codes as not requiring neither read or write
> access, and then call CreateFile with zero access mask, and then be able to
> use the driver from non-administrative user without having to change it to
> NDIS 6.
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

I would wonder why using this tip wouldn’t be a security hole…

Can DeviceIoControl be used with I/O completion ports?

Thomas F. Divine

From:
Sent: Friday, January 20, 2012 1:02 PM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] Access NDIS virtual miniport adapter on Windows 7 from
non-administrator user

> Note that you can make IOCTL codes as not requiring neither read or write
> access, and then call CreateFile with zero access mask, and then be able
> to use the driver from non-administrative user without having to change it
> to NDIS 6.
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

Thomas F. Divine wrote:

I would wonder why using this tip wouldn’t be a security hole…

Why? This only works for ioctls where the access field is
FILE_ANY_ACCESS, which changes the ioctl code. The driver is only going
to respond to it if it has a case statement for that specific ioctl
code. Presumably, the driver is smart enough not to do anything dangerous.

I suppose one could use it to put in a back door, but you still have to
get the driver installed. That requires permission.

Can DeviceIoControl be used with I/O completion ports?

Sure.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

The thing is in my existing architecture, I have IOCTLs functions called from the switch case depending upon the kind of ioctl I call from my client application in user-mode. It calls with FILE_ANY_ACCESS but it fails in Win7 and ACL says that CreateFileA has failed.

Now with all this I am totally confounded what to do and where to go from here…

Warm Regds,
Rahul Mathur

From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] On Behalf Of Tim Roberts [xxxxx@probo.com]
Sent: Saturday, January 21, 2012 3:30 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

Thomas F. Divine wrote:

I would wonder why using this tip wouldn’t be a security hole…

Why? This only works for ioctls where the access field is
FILE_ANY_ACCESS, which changes the ioctl code. The driver is only going
to respond to it if it has a case statement for that specific ioctl
code. Presumably, the driver is smart enough not to do anything dangerous.

I suppose one could use it to put in a back door, but you still have to
get the driver installed. That requires permission.

Can DeviceIoControl be used with I/O completion ports?

Sure.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

::DISCLAIMER::

The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only.
It shall not attach any liability on the originator or HCL or its affiliates. Any views or opinions presented in
this email are solely those of the author and may not necessarily reflect the opinions of HCL or its affiliates.
Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of
this message without the prior written consent of the author of this e-mail is strictly prohibited. If you have
received this email in error please delete it and notify the sender immediately. Before opening any mail and
attachments please check them for viruses and defect.

Yes.

And if you intend to do so by opening the handle for overlapped operation
there is a nice little ‘trick’ whereby setting the event handle value in the
OVERLAPPED structure to (IIRC) 1 *that* DeviceIoControl() request will be
processed synchronously. So this is a handy way to have real ‘control’
IOCTL that is synchronous and ‘data’ IOCTL that is asynchronous (and handle
by completion port).

Good Luck,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Thomas F. Divine
Sent: Friday, January 20, 2012 4:45 PM
To: Windows System Software Devs Interest List
Subject: Re: RE:[ntdev] Access NDIS virtual miniport adapter on Windows 7
from non-administrator user

I would wonder why using this tip wouldn’t be a security hole…

Can DeviceIoControl be used with I/O completion ports?

Thomas F. Divine

Well, if something does not work, the developer is confounded to dig it down
and get some clue.
To begin with: what error returns CreateFileA? is it ACCESS_DENIED or other?
– pa

“Rahul Mathur” wrote in message news:xxxxx@ntdev…

The thing is in my existing architecture, I have IOCTLs functions called
from the switch case depending upon the kind of ioctl I call from my
client application in user-mode. It calls with FILE_ANY_ACCESS but it
fails in Win7 and ACL says that CreateFileA has failed.

Now with all this I am totally confounded what to do and where to go from
here…

Warm Regds,
Rahul Mathur

---

From: Tim Roberts
Sent: Saturday, January 21, 2012 3:30 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Access NDIS virtual miniport adapter on Windows 7
from non-administrator user

Thomas F. Divine wrote:
> I would wonder why using this tip wouldn’t be a security hole…

Why? This only works for ioctls where the access field is
FILE_ANY_ACCESS, which changes the ioctl code. The driver is only going
to respond to it if it has a case statement for that specific ioctl
code. Presumably, the driver is smart enough not to do anything
dangerous.

I suppose one could use it to put in a back door, but you still have to
get the driver installed. That requires permission.

> Can DeviceIoControl be used with I/O completion ports?

Sure.

–

It gives ACCESS_DENIED (0x05) in ACL.

Warm Regds,
Rahul Mathur

From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] On Behalf Of Pavel A. [xxxxx@fastmail.fm]
Sent: Sunday, January 22, 2012 5:38 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

Well, if something does not work, the developer is confounded to dig it down
and get some clue.
To begin with: what error returns CreateFileA? is it ACCESS_DENIED or other?
– pa

“Rahul Mathur” wrote in message news:xxxxx@ntdev…

The thing is in my existing architecture, I have IOCTLs functions called
from the switch case depending upon the kind of ioctl I call from my
client application in user-mode. It calls with FILE_ANY_ACCESS but it
fails in Win7 and ACL says that CreateFileA has failed.

Now with all this I am totally confounded what to do and where to go from
here…

Warm Regds,
Rahul Mathur

---

From: Tim Roberts
Sent: Saturday, January 21, 2012 3:30 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Access NDIS virtual miniport adapter on Windows 7
from non-administrator user

Thomas F. Divine wrote:
> I would wonder why using this tip wouldn’t be a security hole…

Why? This only works for ioctls where the access field is
FILE_ANY_ACCESS, which changes the ioctl code. The driver is only going
to respond to it if it has a case statement for that specific ioctl
code. Presumably, the driver is smart enough not to do anything
dangerous.

I suppose one could use it to put in a back door, but you still have to
get the driver installed. That requires permission.

> Can DeviceIoControl be used with I/O completion ports?

Sure.

–

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

::DISCLAIMER::

The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only.
It shall not attach any liability on the originator or HCL or its affiliates. Any views or opinions presented in
this email are solely those of the author and may not necessarily reflect the opinions of HCL or its affiliates.
Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of
this message without the prior written consent of the author of this e-mail is strictly prohibited. If you have
received this email in error please delete it and notify the sender immediately. Before opening any mail and
attachments please check them for viruses and defect.

Despite the tips given by others, my understanding still seems to be
unchanged. If you are writing a NDIS 5 miniport, then you must use
NdisMRegisterDevice to create the device. When this driver is run on Vista
or later then attempts to open the symbolic link using any variation of
CreateFile will fail with ERROR_ACCESS_DENIED unless the application us
running with elevated privileges.

As far as I know there is no way to change this behavior for a NDIS 5
miniport running on Vista or later platforms.

On the other hand, a NDIS 6 miniport uses NdisRegisterDeviceEx. This
function allows specification of an SDDL that allows non-Admin users to open
the symbolic link.

Good luck!

Thomas F. Divine

From: “Rahul Mathur”
Sent: Saturday, January 21, 2012 9:57 PM
To: “Windows System Software Devs Interest List”
Subject: RE: Re:[ntdev] Access NDIS virtual miniport adapter on Windows 7
from non-administrator user

> It gives ACCESS_DENIED (0x05) in ACL.
>
>
> Warm Regds,
> Rahul Mathur
>
> From: xxxxx@lists.osr.com
> [xxxxx@lists.osr.com] On Behalf Of Pavel A.
> [xxxxx@fastmail.fm]
> Sent: Sunday, January 22, 2012 5:38 AM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Access NDIS virtual miniport adapter on Windows 7 from
> non-administrator user
>
> Well, if something does not work, the developer is confounded to dig it
> down
> and get some clue.
> To begin with: what error returns CreateFileA? is it ACCESS_DENIED or
> other?
> – pa
>
>
> “Rahul Mathur” wrote in message news:xxxxx@ntdev…
>> The thing is in my existing architecture, I have IOCTLs functions called
>> from the switch case depending upon the kind of ioctl I call from my
>> client application in user-mode. It calls with FILE_ANY_ACCESS but it
>> fails in Win7 and ACL says that CreateFileA has failed.
>>
>> Now with all this I am totally confounded what to do and where to go from
>> here…
>>
>>
>> Warm Regds,
>> Rahul Mathur
>>
>> From: Tim Roberts
>> Sent: Saturday, January 21, 2012 3:30 AM
>> To: Windows System Software Devs Interest List
>> Subject: Re: [ntdev] Access NDIS virtual miniport adapter on Windows 7
>> from non-administrator user
>>
>> Thomas F. Divine wrote:
>>> I would wonder why using this tip wouldn’t be a security hole…
>>
>> Why? This only works for ioctls where the access field is
>> FILE_ANY_ACCESS, which changes the ioctl code. The driver is only going
>> to respond to it if it has a case statement for that specific ioctl
>> code. Presumably, the driver is smart enough not to do anything
>> dangerous.
>>
>> I suppose one could use it to put in a back door, but you still have to
>> get the driver installed. That requires permission.
>>
>>> Can DeviceIoControl be used with I/O completion ports?
>>
>> Sure.
>>
>> –
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> ::DISCLAIMER::
> -----------------------------------------------------------------------------------------------------------------------
>
> The contents of this e-mail and any attachment(s) are confidential and
> intended for the named recipient(s) only.
> It shall not attach any liability on the originator or HCL or its
> affiliates. Any views or opinions presented in
> this email are solely those of the author and may not necessarily reflect
> the opinions of HCL or its affiliates.
> Any form of reproduction, dissemination, copying, disclosure,
> modification, distribution and / or publication of
> this message without the prior written consent of the author of this
> e-mail is strictly prohibited. If you have
> received this email in error please delete it and notify the sender
> immediately. Before opening any mail and
> attachments please check them for viruses and defect.
>
> -----------------------------------------------------------------------------------------------------------------------
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

Try to call CreateFile with FILE_READ_ATTRIBUTES required access only. If it succeeds, you can use IOCTLs with FILE_ANY_ACCESS.

> OVERLAPPED structure to (IIRC) 1 *that* DeviceIoControl() request will be

Is it documented anywhere? can this cease to work if the OS update is installed?

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Rahul Mathur wrote:

The thing is in my existing architecture, I have IOCTLs functions called from the switch case depending upon the kind of ioctl I call from my client application in user-mode. It calls with FILE_ANY_ACCESS but it fails in Win7 and ACL says that CreateFileA has failed.

You aren’t passing FILE_ANY_ACCESS to CreateFile, are you? The idea is
that you don’t request either GENERIC_READ or GENERIC_WRITE in the call
to CreateFile.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Max,

Thank you for keeping me honest. I should have found the references before posting. So now that I dug them up again, here they are:

I originaly saw the technique in an MSDN book on writing server applications for Win2K (the thick orange & white one).

I see that the MSDN/Bing search finds this article referencing the same: http://msdn.microsoft.com/en-us/library/ms810436.aspx

The reference for GetQueuedCompletionStatus() contians this:

Even if you have passed the function a file handle associated with a completion port and a valid OVERLAPPED structure, an application can prevent completion port notification. This is done by specifying a valid event handle for the hEvent member of the OVERLAPPED structure, and setting its low-order bit. A valid event handle whose low-order bit is set keeps I/O completion from being queued to the completion port.

See http://msdn.microsoft.com/en-us/library/windows/desktop/aa364986(v=vs.85).aspx

So yeah, it is documented, and now correctly stated as well. One must supply an event handle and presumably wait on the event handle to achieve ‘syncronous’ behavior. The flag simply prevents Completion Port handling of the I/O and so I did not accurately describe the mechanism.

My applogies for not getting that out correctly the first time around.

I will be sure to go look at the code next time!

Dave Cattley

The whole programming construct of netvmini 6x (WDK 7600) is totally different than that of 5x.
There is no ioctl handlers, no Dispatch routines; it uses NdisMRegisterMiniportDriver while apparently I was trying to find NdisRegisterDeviceEx.

Seems to me that this activity is a humungous task

Warm Regds,
Rahul

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Thomas F. Divine
Sent: Sunday, January 22, 2012 8:50 AM
To: Windows System Software Devs Interest List
Subject: Re: Re:[ntdev] Access NDIS virtual miniport adapter on Windows 7 from non-administrator user

Despite the tips given by others, my understanding still seems to be
unchanged. If you are writing a NDIS 5 miniport, then you must use
NdisMRegisterDevice to create the device. When this driver is run on Vista
or later then attempts to open the symbolic link using any variation of
CreateFile will fail with ERROR_ACCESS_DENIED unless the application us
running with elevated privileges.

As far as I know there is no way to change this behavior for a NDIS 5
miniport running on Vista or later platforms.

On the other hand, a NDIS 6 miniport uses NdisRegisterDeviceEx. This
function allows specification of an SDDL that allows non-Admin users to open
the symbolic link.

Good luck!

Thomas F. Divine

From: “Rahul Mathur”
Sent: Saturday, January 21, 2012 9:57 PM
To: “Windows System Software Devs Interest List”
Subject: RE: Re:[ntdev] Access NDIS virtual miniport adapter on Windows 7
from non-administrator user

> It gives ACCESS_DENIED (0x05) in ACL.
>
>
> Warm Regds,
> Rahul Mathur
>
> From: xxxxx@lists.osr.com
> [xxxxx@lists.osr.com] On Behalf Of Pavel A.
> [xxxxx@fastmail.fm]
> Sent: Sunday, January 22, 2012 5:38 AM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Access NDIS virtual miniport adapter on Windows 7 from
> non-administrator user
>
> Well, if something does not work, the developer is confounded to dig it
> down
> and get some clue.
> To begin with: what error returns CreateFileA? is it ACCESS_DENIED or
> other?
> – pa
>
>
> “Rahul Mathur” wrote in message news:xxxxx@ntdev…
>> The thing is in my existing architecture, I have IOCTLs functions called
>> from the switch case depending upon the kind of ioctl I call from my
>> client application in user-mode. It calls with FILE_ANY_ACCESS but it
>> fails in Win7 and ACL says that CreateFileA has failed.
>>
>> Now with all this I am totally confounded what to do and where to go from
>> here…
>>
>>
>> Warm Regds,
>> Rahul Mathur
>>
>> From: Tim Roberts
>> Sent: Saturday, January 21, 2012 3:30 AM
>> To: Windows System Software Devs Interest List
>> Subject: Re: [ntdev] Access NDIS virtual miniport adapter on Windows 7
>> from non-administrator user
>>
>> Thomas F. Divine wrote:
>>> I would wonder why using this tip wouldn’t be a security hole…
>>
>> Why? This only works for ioctls where the access field is
>> FILE_ANY_ACCESS, which changes the ioctl code. The driver is only going
>> to respond to it if it has a case statement for that specific ioctl
>> code. Presumably, the driver is smart enough not to do anything
>> dangerous.
>>
>> I suppose one could use it to put in a back door, but you still have to
>> get the driver installed. That requires permission.
>>
>>> Can DeviceIoControl be used with I/O completion ports?
>>
>> Sure.
>>
>> –
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> ::DISCLAIMER::
> -----------------------------------------------------------------------------------------------------------------------
>
> The contents of this e-mail and any attachment(s) are confidential and
> intended for the named recipient(s) only.
> It shall not attach any liability on the originator or HCL or its
> affiliates. Any views or opinions presented in
> this email are solely those of the author and may not necessarily reflect
> the opinions of HCL or its affiliates.
> Any form of reproduction, dissemination, copying, disclosure,
> modification, distribution and / or publication of
> this message without the prior written consent of the author of this
> e-mail is strictly prohibited. If you have
> received this email in error please delete it and notify the sender
> immediately. Before opening any mail and
> attachments please check them for viruses and defect.
>
> -----------------------------------------------------------------------------------------------------------------------
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer