Hello,
I am developing a Windows Minifilter driver and I am trying to get the user's SID from the IO_SECURITY_CONTEXT structure in the PreCreate operation. I am aware that there is no way to directly get the SID from the IO_SECURITY_CONTEXT in other operations, as the SID is only checked by the system on create operations.

I have tried multiple solutions in order to extract the SID_AND_ATTRIBUTES structure from the IO_SECURITY_CONTEXT structure. As for now I am trying the following:
1. Get the token from the SECURITY_SUBJECT_CONTEXT inside the PACCESS_STATE inside the IO_SECURITY_CONTEXT (SecurityContext->AccessState.SecuritySubjectContext). If the ClientToken is NULL, then I take the PrimaryToken.
2. Call ObOpenObjectByPointer(AccessToken, OBJ_CASE_INSENSITIVE, NULL, TOKEN_QUERY, NULL, KernelMode, &TokenHandle); where TokenHandle is a HANDLE.
3. Call ZwQueryInformationToken to query for TokenUser with a NULL buffer in order to get the return length size.
4. Allocate the buffer with the given size.
5. Call ZwQueryInformationToken again with the newly allocated buffer. This should fill the buffer with a SID_AND_ATTRIBUTES structure.
6. Call ZwClose on the TokenHandle.
The problem is that on step 2, calling ObOpenObjectByPointer generates a 00000000c0000005 access violation.
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8047d518d62, Address of the instruction which caused the bugcheck
Arg3: fffffe87a08ad8a0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
I have checked the contents of the SECURITY_SUBJECT_CONTEXT using the command kp and I can see the following token pointers inside this structure:
(*((<REDACTED>!_SECURITY_SUBJECT_CONTEXT *)0xffffb30e4656b900)) [Type: _SECURITY_SUBJECT_CONTEXT]
[+0x000] ClientToken : 0x3066744e03030000 [Type: void *]
[+0x008] ImpersonationLevel : SecurityAnonymous (0) [Type: _SECURITY_IMPERSONATION_LEVEL]
[+0x010] PrimaryToken : 0xffffb30e458aa460 [Type: void *]
[+0x018] ProcessAuditId : 0xffffb30e466cd448 [Type: void *]
Now I check the data at both of the memory addresses (ClientToken and PrimaryToken) using the db command and I get lots of question marks. I guess that means that memory is not accessible by the driver?
3066744e`03030000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
3066744e`03030010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
...
Sometimes the PrimaryToken pointer will point to accessible data, but sometimes both (Client and Primary) will point to inaccessible data.

I basically want to get the SID in order to pass it as a string representation to one of my user mode modules. Despite following all kinds of posts on this and other forums I have been unable to get the SID_AND_ATTRIBUTES from the SECURITY_CONTEXT in PreCreate. I have now been stuck for several weeks with this problem.

How may I solve this problem? What am I doing wrong? Any help is really appreciated.
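For the last part of the procedure above (turning the TokenUser result into a string for a user-mode module), here is an added example that is not code from the original post: it declares the on-disk SID layout itself so it compiles without the WDK headers, validates that a SID actually fits in the buffer before touching any of it, and renders it as "S-1-5-21-...". The SAMPLE_SID bytes are a constructed, made-up account, not a real one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Binary layout of a SID, as it sits in the TOKEN_USER buffer that
 * ZwQueryInformationToken(TokenUser) fills: the header's Sid pointer refers to
 * these bytes, which follow the header inside the same buffer. */
typedef struct {
    uint8_t Revision;               /* always 1 (SID_REVISION) */
    uint8_t SubAuthorityCount;      /* 0..15 */
    uint8_t IdentifierAuthority[6]; /* 48-bit big-endian value */
    uint8_t SubAuthority[];         /* SubAuthorityCount little-endian ULONGs */
} RAW_SID;

/* Byte length of a well-formed SID that fits in 'len' bytes, or 0. Check this
 * before walking the buffer so a short or bogus buffer never becomes an
 * out-of-bounds read (fatal in kernel mode). */
size_t sid_validate(const void *buf, size_t len)
{
    const RAW_SID *sid = buf;
    if (buf == NULL || len < sizeof(RAW_SID)) return 0;
    if (sid->Revision != 1 || sid->SubAuthorityCount > 15) return 0;
    size_t need = sizeof(RAW_SID) + 4u * sid->SubAuthorityCount;
    return need <= len ? need : 0;
}

/* Render a SID as "S-1-5-21-...". Returns characters written, or -1 on error. */
int sid_to_string(const void *buf, size_t len, char *out, size_t outlen)
{
    const RAW_SID *sid = buf;
    if (sid_validate(buf, len) == 0) return -1;
    uint64_t authority = 0;
    for (int i = 0; i < 6; i++) authority = (authority << 8) | sid->IdentifierAuthority[i];
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)sid->Revision, (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (int i = 0; i < sid->SubAuthorityCount; i++) {
        const uint8_t *p = sid->SubAuthority + 4 * i;
        uint32_t sub = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        int m = snprintf(out + n, outlen - n, "-%u", sub);
        if (m < 0 || (size_t)m >= outlen - n) return -1;
        n += m;
    }
    return n;
}

/* Constructed sample: S-1-5-21-1234567890-987654321-1122334455-1001 (made-up account). */
const uint8_t SAMPLE_SID[] = {
    0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, /* rev 1, 5 subs, NT authority */
    0x15, 0x00, 0x00, 0x00, 0xD2, 0x02, 0x96, 0x49, /* 21, 1234567890 */
    0xB1, 0x68, 0xDE, 0x3A, 0xF7, 0x76, 0xE5, 0x42, /* 987654321, 1122334455 */
    0xE9, 0x03, 0x00, 0x00                          /* 1001 (RID) */
};
```

In the driver, the same validation applies to the Sid pointer inside the TOKEN_USER buffer; reading a token pointer that shows as ?? in the debugger is exactly the kind of access the length check cannot save you from, so the token object itself must be valid before any of this runs.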