Is there an easy way to work out what device objects an application is using when it runs?
The product I am looking at is a CD burning product which doesn’t come with much security protection (i.e. anyone can use it to burn CD/DVDs). If I was able to determine which device objects it used when doing its burning I may be able to improve its security by attaching an ACL to the device object. I could put an ACL on the user-mode .exe’s but this wouldn’t be as secure as doing it on the device objects themselves.
I should be able to work out what drivers are installed with the product so would potentially know that the driver being used for the burning is xyz.sys or whatever, but it’s then a question of working out what device objects are used. I’ve got a few tools like irptracker, devicetree etc. but these don’t seem to give me what I need.
thanks for any help/pointers,
Paolo
DeviceTree and the GUI Object Viewer will tell you everything you need. Well, that and/or WinDbg.
Start with the name the user app opens. Find the Device Object to which it corresponds. If there’s a file system mounted, note the file system’s Device Object not the media Device Object (the connection is via the VPB, which is shown in DeviceTree).
Unfortunately, I don’t think you’ll have much luck with your approach. If there’s a file system mounted on top of the stack (and that’s what the user app is talking to), then the file system will (almost certainly) be responsible for security. Check the FILE_DEVICE_SECURE_OPEN flag in the target Device Object (set = ACL enforced… clear = owning driver responsible for security).
The ACLs on the devices down the stack – that are not directly opened by the user – effectively don’t matter.
If you need to secure this stack, I suspect you’re looking at having to do a filter in one or more places. If you’re trying to actually make writing to the CD stack a secure activity, this is REALLY not simple as there are writing programs that are specifically designed to bypass most of the reasonable approaches to securing the stack. The last time we looked at this for a client, for example, we found the DVD burner “ALCOHOL 120%” to be particularly effective in bypassing the ordinary CD/DVD stack.
Peter
OSR
Process explorer from sysinternals will show you each handle the app opens and the underlying device object name that backs it.
d
Sent from a phone with no keyboard
-----Original Message-----
From: xxxxx@gmail.com
Sent: December 03, 2010 2:24 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Device Object Usage
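The two replies above point at the same workflow: enumerate the handles the burning application holds (Process Explorer or its command-line sibling handle.exe), pull out the ones that are native `\Device\...` names, and then decide per device whether the open went through a mounted file system (where the file system enforces security) or straight to the device object (where the device object’s DACL and FILE_DEVICE_SECURE_OPEN matter). The script below is an added example written for this thread, not code from the posters or from Sysinternals; it assumes handle.exe is on PATH, that it is run elevated so other processes’ handles are visible, and that the burning application is called `burner.exe` (a placeholder). The `-Offline` switch parses a constructed sample of handle.exe output so the parsing can be exercised without the tool.

```powershell
# Added example (not from the thread or Sysinternals): list the \Device\... objects a
# process has open, from handle.exe output, and split each into device name + relative path.
# Assumptions: handle.exe on PATH (or -HandleExe), run elevated, process name is a placeholder.
[CmdletBinding()]
param(
    [string]$ProcessName = 'burner.exe',   # placeholder image name, substitute the real burner
    [string]$HandleExe   = 'handle.exe',
    [switch]$Offline                       # parse the constructed sample instead of running handle.exe
)

# Constructed sample in the line layout handle.exe prints: "<hex>: <type>  (<access>)   <name>".
# PID, handle values and paths are made up for illustration.
$SampleOutput = @'
burner.exe pid: 4242 type: File
    1C: File  (RW-)   C:\Windows\System32\en-US\kernel32.dll.mui
    58: File  (RW-)   \Device\CdRom0
    9C: File  (RW-)   \Device\HarddiskVolume2\Users\paolo\image.iso
    B4: File  (R--)   \Device\Harddisk0\DR0
'@ -split "`r?`n"

function ConvertFrom-HandleOutput {
    # Parse handle.exe lines; only entries whose name is a native \Device\ path are returned,
    # since those are the device objects the question is about (drive-letter paths are shown
    # by handle.exe as Win32 paths and are already file-system-mediated opens).
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*([0-9A-Fa-f]+):\s+(\S+)\s+(?:\(([RWD-]+)\)\s+)?(\\Device\\\S.*?)\s*$') {
            $name  = $Matches[4]
            $parts = $name -split '\\'                 # '', 'Device', '<name>', <rest...>
            $device = $parts[0..2] -join '\'
            $rel    = if ($parts.Count -gt 3) { $parts[3..($parts.Count - 1)] -join '\' } else { '' }
            [pscustomobject]@{
                Handle       = $Matches[1]
                Type         = $Matches[2]
                Access       = $Matches[3]
                Device       = $device
                RelativePath = $rel
                # Heuristic only: a non-empty RelativePath usually means the open was relative
                # to a device with a file system mounted on it (the VPB link DeviceTree shows),
                # so the file system's ACLs govern it. Names inside a device *directory*
                # such as \Device\Harddisk0\DR0 also have a relative part but are direct
                # device opens; confirm against DeviceTree / WinDbg before drawing conclusions.
                LikelyViaFS  = ($rel -ne '')
            }
        }
    }
}

function Get-ProcessDeviceObjects {
    param([string]$ProcessName, [string]$HandleExe, [switch]$Offline)
    $lines = if ($Offline) { $SampleOutput }
             else { & $HandleExe -accepteula -nobanner -p $ProcessName 2>$null }
    ConvertFrom-HandleOutput -Lines $lines | Sort-Object Device, RelativePath -Unique
}

Get-ProcessDeviceObjects -ProcessName $ProcessName -HandleExe $HandleExe -Offline:$Offline |
    Format-Table Handle, Access, Device, RelativePath, LikelyViaFS -AutoSize
```

With the sample, `\Device\CdRom0` shows up as a direct device open, which is the case where the device object’s own DACL (and whether FILE_DEVICE_SECURE_OPEN is set on it) decides who may open it; the `image.iso` entry is a path under `\Device\HarddiskVolume2`, so the file system mounted there is what enforces access. Handles are only a snapshot, so run it while a burn is in progress to catch the objects opened for the duration of the write.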