BSOD when querying the user name

In my mini-filter, in the IRP_MJ_CREATE pre-operation callback I am querying the user
name by queueing a work item (FltQueue API) and calling
SeQueryAuthenticationIdToken on the token in the work thread. The token
queried is the provided token (ClientToken if non-NULL, otherwise
PrimaryToken from Data->…->SSContext->…).
This worked fine, and I would expect it to… but on one customer's
system I get a bugcheck inside the SeQueryAuthenticationIdToken call
(at +0x17), when the API tries to access the address lpToken+0x30.

Long story short… is there anything wrong in the call hierarchy?
CREATE_PREOP:
lpWorkItem->lpToken = ClientToken ? ClientToken : PrimaryToken;
FltQueue…
WORK_THREAD:
SeQueryAuthenticationIdToken(lpWorkItem->lpToken, &LUIDStorage);

Anything I should check before the SeQuery call?


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

Hi!

I am not that much into security stuff. But, like any other "pointer to an OS object",
I would guess that this object has gone away before your work item runs.

Or do you ensure that this can't happen?

“Dejan Maksimovic” wrote news:xxxxx@ntfsd…
>
> In my mini-filter, in the IRP_MJ_CREATE pre-operation callback I am querying the user
> name by queueing a work item (FltQueue API) and calling
> SeQueryAuthenticationIdToken on the token in the work thread. The token
> queried is the provided token (ClientToken if non-NULL, otherwise
> PrimaryToken from Data->…->SSContext->…).
> This worked fine, and I would expect it to… but on one customer's
> system I get a bugcheck inside the SeQueryAuthenticationIdToken call
> (at +0x17), when the API tries to access the address lpToken+0x30.
>
> Long story short… is there anything wrong in the call hierarchy?
> CREATE_PREOP:
> lpWorkItem->lpToken = ClientToken ? ClientToken : PrimaryToken;
> FltQueue…
> WORK_THREAD:
> SeQueryAuthenticationIdToken(lpWorkItem->lpToken, &LUIDStorage);
>
> Anything I should check before the SeQuery call?
>
> --
> Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
> http://www.alfasp.com
> File system audit, security and encryption kits.
>
>
>

Do you wait for the worker thread? It seems that the I/O Manager releases that token.
I would say you should pass the whole SecuritySubjectContext, not just the token, but there is no API for duplicating it. So reference the token before you pass it to the worker thread and release it in the worker thread. The problem here is that you have to pass along which kind of token you passed, because there are different reference/dereference APIs for the primary token and the impersonation token.

Take a look at:

PsReferencePrimaryToken/PsDereferencePrimaryToken
PsReferenceImpersonationToken/PsDereferenceImpersonationToken

-bg
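The lifetime problem bg describes, as an added example that is not from either poster: a portable C model of a create pre-op that hands a token pointer to a deferred work item, run once without and once with a reference taken before queueing. The model names ob_reference/ob_dereference, queue order and query_auth_id are stand-ins (assumed, not WDK) for ObReferenceObject/ObDereferenceObject, FltQueueGenericWorkItem and SeQueryAuthenticationIdToken; the token's "freed" flag exists only so the bug can be observed without touching freed memory.

```c
/* Constructed model of the race in the thread: the I/O manager's subject
 * security context holds the only reference on the token for the lifetime of
 * the create; once the create completes that reference is dropped, so a work
 * item that runs later with a raw token pointer reads freed memory (the
 * lpToken+0x30 access in the bugcheck). Not kernel code. */
#include <stdbool.h>
#include <stdint.h>

typedef struct { uint32_t low; int32_t high; } LUID;

/* Model token: a reference count plus a "freed" flag that real pool memory
 * does not have; it lets the test see the bug instead of crashing. */
typedef struct { int refs; LUID auth_id; bool freed; } TOKEN;

static void ob_reference(TOKEN *t)   { t->refs++; }               /* ObReferenceObject   */
static void ob_dereference(TOKEN *t) { if (--t->refs == 0) t->freed = true; } /* ObDereferenceObject */

/* Stand-in for SeQueryAuthenticationIdToken: fails where the kernel would bugcheck. */
static bool query_auth_id(const TOKEN *t, LUID *out) {
    if (t->freed) return false;
    *out = t->auth_id;
    return true;
}

typedef struct { TOKEN *token; bool own_ref; } WORK_ITEM;

/* Worker routine: query the id, then drop the reference the pre-op took (if any). */
static bool worker(WORK_ITEM *w, LUID *out) {
    bool ok = query_auth_id(w->token, out);
    if (w->own_ref) ob_dereference(w->token);
    return ok;
}

/* One IRP_MJ_CREATE: pre-op queues the work item, the create completes (I/O
 * manager releases the subject context), and only then does the work item run. */
static bool simulate_create(bool take_reference, LUID *out) {
    TOKEN token = { .refs = 1, .auth_id = { 0x3e7, 0 }, .freed = false }; /* constructed: SYSTEM logon LUID */
    WORK_ITEM w = { .token = &token, .own_ref = take_reference };
    if (take_reference) ob_reference(&token);   /* pre-op: take our own reference before queueing */
    ob_dereference(&token);                     /* create completes: I/O manager drops its reference */
    return worker(&w, out);                     /* deferred work item runs afterwards */
}
```

The unreferenced path returns false (the model's equivalent of the bugcheck); the referenced path returns the LUID and releases the reference in the worker, which is the ordering bg recommends.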