Hi all,
Is there any possibility to communicate from a user application to a Minifilter driver, where the user application doesn’t have any UAC rights and is running as a Non-Admin User?
Thanks
> Is there any possibility to communicate from user application to
> Minifilter driver, but user application doesn’t have any UAC rights and running on Non-Admin User.
IIRC I was looking for the answer as well, because I came across
the same issue when testing FileSpy/Minispy. The answer was that
it’s a feature - non-admin user has no rights to access communication
port.
L.
Sure. Just set the correct ACL and stuff.
Regards,
Ayush Gupta
AI Consulting
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Tuesday, September 21, 2010 1:03 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Communicate to Minifilter
Hi all,
Is there any possibility to communicate from user application to
Minifilter driver , but user application doesn’t have any UAC rights and
running on Non-Admin User.
Thanks
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars (including our new fs
mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
Hi Ayush Gupta,
I’m using the following code in the user application to connect to the Minifilter after setting ACLs, but I am still getting an Access Denied error.
char InputBuffer[100] = "";   // zero-initialized so strlen() is defined on every path
PVOID alignedBuffer[BUFFER_SIZE/sizeof(PVOID)];
PCHAR buffer = (PCHAR) alignedBuffer;
DWORD bytesReturned = 0;
HRESULT hResult = S_OK;
HANDLE port = INVALID_HANDLE_VALUE;
int i;
DWORD dwRes, dwDisposition;
PSID pEveryoneSID = NULL, pAdminSID = NULL;
PACL pACL = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
EXPLICIT_ACCESS ea[2];
SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
SECURITY_ATTRIBUTES sa;
LONG lRes;
HKEY hkSub = NULL;

// Create a well-known SID for the Everyone group.
if (!AllocateAndInitializeSid(&SIDAuthWorld, 1,
                              SECURITY_WORLD_RID,
                              0, 0, 0, 0, 0, 0, 0,
                              &pEveryoneSID))
{
    printf("AllocateAndInitializeSid Error %u\n", GetLastError());
    goto Cleanup;
}

// Initialize an EXPLICIT_ACCESS structure for an ACE.
// The ACE will allow Everyone read access to the key.
ZeroMemory(&ea, 2 * sizeof(EXPLICIT_ACCESS));
ea[0].grfAccessPermissions = KEY_READ;
ea[0].grfAccessMode = GRANT_ACCESS;
ea[0].grfInheritance = NO_INHERITANCE;
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[0].Trustee.ptstrName = (LPTSTR) pEveryoneSID;

// Create a SID for the BUILTIN\Administrators group.
if (!AllocateAndInitializeSid(&SIDAuthNT, 2,
                              SECURITY_BUILTIN_DOMAIN_RID,
                              DOMAIN_ALIAS_RID_ADMINS,
                              0, 0, 0, 0, 0, 0,
                              &pAdminSID))
{
    printf("AllocateAndInitializeSid Error %u\n", GetLastError());
    goto Cleanup;
}

// Initialize an EXPLICIT_ACCESS structure for an ACE.
// The ACE will allow the Administrators group full access to
// the key.
ea[1].grfAccessPermissions = KEY_ALL_ACCESS;
ea[1].grfAccessMode = GRANT_ACCESS;
ea[1].grfInheritance = NO_INHERITANCE;
ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
ea[1].Trustee.ptstrName = (LPTSTR) pAdminSID;

// Create a new ACL that contains the new ACEs.
// SetEntriesInAcl returns its error code directly, so report dwRes.
dwRes = SetEntriesInAcl(2, ea, NULL, &pACL);
if (ERROR_SUCCESS != dwRes)
{
    printf("SetEntriesInAcl Error %u\n", dwRes);
    goto Cleanup;
}

// Initialize a security descriptor.
pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR,
                                        SECURITY_DESCRIPTOR_MIN_LENGTH);
if (NULL == pSD)
{
    printf("LocalAlloc Error %u\n", GetLastError());
    goto Cleanup;
}
if (!InitializeSecurityDescriptor(pSD,
                                  SECURITY_DESCRIPTOR_REVISION))
{
    printf("InitializeSecurityDescriptor Error %u\n",
           GetLastError());
    goto Cleanup;
}

// Add the ACL to the security descriptor.
if (!SetSecurityDescriptorDacl(pSD,
                               TRUE,    // bDaclPresent flag
                               pACL,
                               FALSE))  // not a default DACL
{
    printf("SetSecurityDescriptorDacl Error %u\n",
           GetLastError());
    goto Cleanup;
}

// Initialize a security attributes structure.
sa.nLength = sizeof (SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = pSD;
sa.bInheritHandle = FALSE;

if (argv[1] != NULL)
{
    // Connect, passing the security attributes built above.
    // This is the call that returns Access Denied.
    hResult = FilterConnectCommunicationPort( WINFLT_PORT_NAME,
                                              0,
                                              NULL,
                                              0,
                                              &sa,
                                              &port);
    // Bounded copy so a long argument cannot overflow InputBuffer.
    snprintf(InputBuffer, sizeof(InputBuffer), "%s", (char*)argv[1]);
    if (SUCCEEDED(hResult))
    {
        hResult = FilterSendMessage( port,
                                     InputBuffer,
                                     (DWORD) strlen(InputBuffer),
                                     buffer,
                                     sizeof(alignedBuffer),
                                     &bytesReturned );
        CloseHandle(port);
    }
    else
    {
        printf( "Could not connect to filter: 0x%08x\n", hResult );
    }
}
else
{
    // No argument given: connect without security attributes.
    hResult = FilterConnectCommunicationPort( WINFLT_PORT_NAME,
                                              0,
                                              NULL,
                                              0,
                                              NULL,
                                              &port);
    if (SUCCEEDED(hResult))
    {
        hResult = FilterSendMessage( port,
                                     InputBuffer,
                                     (DWORD) strlen(InputBuffer),
                                     buffer,
                                     sizeof(alignedBuffer),
                                     &bytesReturned );
        CloseHandle(port);
    }
}

Cleanup:
if (pEveryoneSID)
    FreeSid(pEveryoneSID);
if (pAdminSID)
    FreeSid(pAdminSID);
if (pACL)
    LocalFree(pACL);
if (pSD)
    LocalFree(pSD);
Still getting error
Could not connect to filter: 0x80070005 (Access Denied)
Let me know if there is any problem in the ACL code.
Thanks
Shouldn’t the ACL be assigned at the point where you are creating the communication port (in the driver), instead of when connecting to it?
Call RtlSetDaclSecurityDescriptor on the security descriptor that you pass
to FltCreateCommunicationPort. Note that users with limited rights may
connect to the communication port but they cannot load or unload the
minifilter so you will need a separate service application for
loading/unloading or the minifilter must be loaded as a boot start driver.
Also manual attachments from usermode will fail. If on the fly attachments
are to be supported then the minifilter needs to be equipped to handle the
attachments (FltAttachVolume).
//Daniel
wrote in message news:xxxxx@ntfsd…
> Hi all,
>
> Is there any possibility to communicate from user application to
> Minifilter driver , but user application doesn’t have any UAC rights and
> running on Non-Admin User.
>
>
> Thanks
>
Use FltBuildDefaultSecurityDescriptor with FLT_PORT_ALL_ACCESS when you
create the communication port. Much easier.
Ken
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Tuesday, September 21, 2010 5:46 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Communicate to Minifilter
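
The access check that the replies above rely on, as an added example that is not part of any post in this thread: a simplified, portable C model of how the DACL attached to the port by the driver is evaluated against the connecting caller's token. The ACE lists are assumptions: DEFAULT_SD models a descriptor that grants only SYSTEM and Administrators (what FltBuildDefaultSecurityDescriptor is taken to produce), CONNECT_SD adds a hypothetical Authenticated Users entry limited to FLT_PORT_CONNECT, and both tokens are constructed sample data.

```c
#include <stdio.h>
#include <string.h>
/* Access-mask values as defined in the Windows headers. */
#define FLT_PORT_CONNECT    0x00000001u
#define WRITE_DAC           0x00040000u
#define STANDARD_RIGHTS_ALL 0x001F0000u
#define FLT_PORT_ALL_ACCESS (FLT_PORT_CONNECT | STANDARD_RIGHTS_ALL)

typedef struct { int deny; const char *sid; unsigned mask; } Ace;
typedef struct { int null_dacl; const Ace *aces; int count; } Dacl;
/* Constructed tokens (group SIDs only): a standard user and an administrator. */
static const char *const STD_USER[] = { "S-1-5-32-545", "S-1-1-0", "S-1-5-11" };
static const char *const ADMIN[]    = { "S-1-5-32-544", "S-1-1-0", "S-1-5-11" };

/* Assumed model of the default descriptor: SYSTEM and Administrators only. */
static const Ace DEFAULT_ACES[] = {
    { 0, "S-1-5-18",     FLT_PORT_ALL_ACCESS },
    { 0, "S-1-5-32-544", FLT_PORT_ALL_ACCESS },
};
/* Hypothetical descriptor: the default plus connect-only for Authenticated Users. */
static const Ace CONNECT_ACES[] = {
    { 0, "S-1-5-18",     FLT_PORT_ALL_ACCESS },
    { 0, "S-1-5-32-544", FLT_PORT_ALL_ACCESS },
    { 0, "S-1-5-11",     FLT_PORT_CONNECT },
};
static const Dacl DEFAULT_SD   = { 0, DEFAULT_ACES, 2 };
static const Dacl CONNECT_SD   = { 0, CONNECT_ACES, 3 };
static const Dacl NULL_DACL_SD = { 1, NULL, 0 };  /* DACL present but NULL */

/* Walks the ACEs in order, as the Windows access check does, and returns 1
   once every bit in `desired` is granted. A NULL DACL grants everything. */
int access_check(const Dacl *d, const char *const *tok, int ntok, unsigned desired) {
    unsigned granted = 0;
    if (d->null_dacl) return 1;
    for (int i = 0; i < d->count; i++) {
        const Ace *a = &d->aces[i];
        int member = 0;
        for (int g = 0; g < ntok; g++) member |= (strcmp(a->sid, tok[g]) == 0);
        if (!member) continue;
        if (a->deny && (a->mask & desired & ~granted)) return 0;
        if (!a->deny) granted |= a->mask;
        if ((granted & desired) == desired) return 1;
    }
    return 0;  /* rights not explicitly granted are denied (0x80070005 to the caller) */
}

int main(void) {
    printf("standard user, default descriptor, connect: %d\n", access_check(&DEFAULT_SD, STD_USER, 3, FLT_PORT_CONNECT));
    return 0;
}
```

A NULL DACL also lets the standard user connect, but it grants WRITE_DAC as well, so any user could rewrite the port's permissions; the connect-only entry avoids that.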