DRIVER_VERIFIER_DETECTED_VIOLATION problem

I check my driver with Verifier and receive a problem which I don’t know how to fix.

The problem occurs on the ZwQueryInformationProcess() request and, according to the DDK (http://msdn.microsoft.com/en-us/library/windows/hardware/ff560187(v=vs.85).aspx):

“A driver references a user-mode handle as kernel mode”.

Do I need to fix this problem if the driver works?
How, if so?

ZwQueryInformationProcess() is called for the current process in the context of fltmgr!FltpCreate.

Other option: ZwQueryInformationProcess() is called to determine the parent process.
Probably it may be done another way? I did not find one.

The !analyze -v reports:
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 000000000000017c, Handle value being referenced.
Arg3: fffffa80025b0b30, Address of the current process.
Arg4: fffff8800609a930, Address inside the driver that is performing the incorrect reference.

Thanks for help,
Michael.

This is a security hole. How are you obtaining this handle?

Only if you and/or your customers care about security.

Don’t use a user handle, use a kernel handle.

It should also be possible to perform the operation as a user mode request (rather than a kernel mode request) by using the Nt version instead of the Zw version (the Nt version *does not* re-enter the OS, and thus does not change the captured previous mode - the Zw version issues a sysenter/syscall operation).

Tony
OSR

So basically you need to convert the user mode handle to a kernel one. I wrote a post about this (though it deals with a different sort of handle… but you can use the same code anyway):
http://fsfilters.blogspot.com/2011/03/duplicating-user-mode-handles.html

Thanks,
Alex.

On Sun, Sep 7, 2014 at 8:37 AM, wrote:

> I check my driver with Verifier and receive a problem which I don’t know how
> to fix.
>
> The problem occurs on the ZwQueryInformationProcess() request and,
> according to the DDK (
> http://msdn.microsoft.com/en-us/library/windows/hardware/ff560187(v=vs.85).aspx
> ):
>
> “A driver references a user-mode handle as kernel mode”.
>
> Do I need to fix this problem if the driver works?
> How, if so?
>
> ZwQueryInformationProcess() is called for the current process in the context
> of fltmgr!FltpCreate.
>
> Other option: ZwQueryInformationProcess() is called to determine the parent
> process.
> Probably it may be done another way? I did not find one.
>
> The !analyze -v reports:
> DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
> A device driver attempting to corrupt the system has been caught. This is
> because the driver was specified in the registry as being suspect (by the
> administrator) and the kernel has enabled substantial checking of this
> driver.
> If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA
> will
> be among the most commonly seen crashes.
> Arguments:
> Arg1: 00000000000000f6, Referencing user handle as KernelMode.
> Arg2: 000000000000017c, Handle value being referenced.
> Arg3: fffffa80025b0b30, Address of the current process.
> Arg4: fffff8800609a930, Address inside the driver that is performing the
> incorrect reference.
>
> Thanks for help,
> Michael.
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

I found the problem!

The API ObOpenObjectByPointer() had been used with NULL as the 2nd parameter.
Replacing it with OBJ_KERNEL_HANDLE helps.

Thanks for answers,
Regards,
Michael.
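The following is an added, constructed model written for this thread; it is not Michael's driver, not Alex's blog code and not the Windows kernel. It reproduces in plain C the handle-table semantics that Tony's "security hole" remark, Alex's duplicate-to-kernel-handle suggestion and Michael's OBJ_KERNEL_HANDLE fix all rest on: a handle created with NULL attributes lands in the current process's own table, where user-mode code in that process can close it and get the slot reused, whereas a handle created with OBJ_KERNEL_HANDLE lands in the System process table and carries the kernel-handle bit that the Verifier check behind bugcheck 0xC4 subcode 0xF6 looks for. The OBJ_KERNEL_HANDLE value, the x64 kernel-handle bit and the KernelMode/UserMode constants are the real Windows values; the tables, the lookup and the helper names prefixed with model_ are simplifications assumed for the illustration.

```c
/*
 * Constructed model (added example, not the thread's driver and not Windows itself) of why a
 * handle opened with NULL attributes trips Verifier's "user handle referenced as KernelMode"
 * check, and why OBJ_KERNEL_HANDLE fixes it. Tables, handle values and lookups are simplified;
 * the flag value, the kernel-handle bit and the mode constants match Windows.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJ_KERNEL_HANDLE   0x00000200u              /* real value from ntdef.h */
#define KERNEL_HANDLE_MASK  0xFFFFFFFF80000000ull    /* x64: kernel handles carry the high bit */
#define TABLE_SLOTS         64

typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;
typedef struct { const char *name; } OBJECT;
typedef struct { OBJECT *slots[TABLE_SLOTS]; } HANDLE_TABLE;

static HANDLE_TABLE g_proc_table;   /* handle table of the current (user-mode) process */
static HANDLE_TABLE g_system_table; /* handle table of the System process: kernel handles live here */

static void reset_tables(void) {    /* fresh tables for every scenario */
    for (size_t i = 0; i < TABLE_SLOTS; i++) g_proc_table.slots[i] = g_system_table.slots[i] = NULL;
}

/* Handle values are multiples of 4; the lowest free slot wins, which is what makes reuse possible. */
static uint64_t alloc_slot(HANDLE_TABLE *t, OBJECT *o) {
    for (size_t i = 1; i < TABLE_SLOTS; i++)
        if (t->slots[i] == NULL) { t->slots[i] = o; return (uint64_t)i * 4; }
    return 0;
}

/* Model of ObOpenObjectByPointer(): OBJ_KERNEL_HANDLE puts the entry in the System table and tags
   the value with the kernel bit; NULL/0 attributes (the thread's bug) create a plain handle in
   the calling process's table. */
static uint64_t model_ObOpenObjectByPointer(OBJECT *o, uint32_t attributes) {
    if (attributes & OBJ_KERNEL_HANDLE)
        return alloc_slot(&g_system_table, o) | KERNEL_HANDLE_MASK;
    return alloc_slot(&g_proc_table, o);
}

/* Model of the Verifier check behind bugcheck 0xC4 subcode 0xF6: a handle referenced with
   AccessMode == KernelMode must be a kernel handle. Returns the subcode, 0 when clean. */
static int verifier_check(uint64_t h, KPROCESSOR_MODE access_mode) {
    if (access_mode == KernelMode && (h & KERNEL_HANDLE_MASK) == 0) return 0xF6;
    return 0;
}

/* Model of the ObReferenceObjectByHandle() lookup, resolving the handle in the right table. */
static OBJECT *model_ObReferenceObjectByHandle(uint64_t h) {
    if (h & KERNEL_HANDLE_MASK)
        return g_system_table.slots[(h & ~KERNEL_HANDLE_MASK) / 4];
    if (h / 4 >= TABLE_SLOTS) return NULL;
    return g_proc_table.slots[h / 4];
}

/* What user-mode code in the same process can do: close any handle in its own table.
   Kernel handles are not in that table, so the call has nothing to close. */
static int user_CloseHandle(uint64_t h) {
    if ((h & KERNEL_HANDLE_MASK) != 0 || h / 4 >= TABLE_SLOTS || g_proc_table.slots[h / 4] == NULL)
        return 0;
    g_proc_table.slots[h / 4] = NULL;
    return 1;
}

/* Model of Alex's alternative: duplicate an existing user handle into a kernel handle. */
static uint64_t model_duplicate_to_kernel_handle(uint64_t user_h) {
    OBJECT *o = model_ObReferenceObjectByHandle(user_h);
    return o ? model_ObOpenObjectByPointer(o, OBJ_KERNEL_HANDLE) : 0;
}

/* Scenario: the driver opens the process; user-mode code in that process then closes whatever it
   can and opens something else; the driver finally uses its handle. Returns the name of the
   object the driver actually gets and stores the Verifier subcode in *subcode. */
static const char *driver_scenario(uint32_t attributes, int *subcode) {
    static OBJECT process = { "target process" }, other = { "unrelated object" };
    reset_tables();
    uint64_t h = model_ObOpenObjectByPointer(&process, attributes);
    *subcode = verifier_check(h, KernelMode);
    if (user_CloseHandle(h))                      /* only succeeds for a user handle */
        alloc_slot(&g_proc_table, &other);        /* the same slot comes back holding a different object */
    OBJECT *o = model_ObReferenceObjectByHandle(h);
    return o ? o->name : "(invalid)";
}

int main(void) {
    int sc = 0;
    const char *n = driver_scenario(0, &sc);
    printf("attributes=NULL:              verifier subcode 0x%X, driver sees \"%s\"\n", sc, n);
    n = driver_scenario(OBJ_KERNEL_HANDLE, &sc);
    printf("attributes=OBJ_KERNEL_HANDLE: verifier subcode 0x%X, driver sees \"%s\"\n", sc, n);
    return 0;
}
```

Feeding the thread's own Arg2 value 0x17c into verifier_check with KernelMode yields 0xF6 (no kernel bit set), while the same value checked with UserMode passes, which is the mechanism behind Tony's remark that the Nt variant, by leaving the captured previous mode as user, would also avoid the report. The NULL-attributes scenario shows why the report is worth fixing even when the driver "works": the driver keeps using a handle value that the process it runs in can close and reassign underneath it.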