How can I write the file mapping object?

allen_zhang · June 29, 2010, 11:05am

Dear All,

There is my question,
I want to write a file mapping by another process, It is created by CreateFileMapping with PAGE_READWRITE and a specify SECURITY_ATTRIBUTES.
The SECURITY_ATTRIBUTES is created by the follow function:
InitializeSecurityDescriptor,InitializeAcl, SetSecurityDescriptorDacl, AddAccessAllowedAce and MakeSelfRelativeSD…,
After CreateFileMapping be called, Get the SD length by GetSecurityDescriptorLength , Get the kernel object pointer by GetKernelObjectSecurity, last copy the specify SECURITY_ATTRIBUTES to kernel object security.

It can read by OpenFileMapping(or CreateFileMapping) with the READ protection.
It will be fail when with WRITE protection, the return error code is ERROR_ACCESS_DENIED.
I try to get the kernel object pointer by GetKernelObjectSecurity after OpenFileMapping(read only), The ERROR_ACCESS_DENIED error code will be received.
Is it possible write the file mapping object in application?

B.R.
Allen

anton_bassov · June 29, 2010, 11:14am

The only thing I can say here is “Where is Chris”…

Anton Bassov

allen_zhang · June 29, 2010, 11:54am

Hi, Anton Bassov
Thank you for your answer.
Sorry, I don’t understand the meaning of “Where is Chris”, Could you excuse it?

Thank you very much

B.R.
Allen

Tim_Roberts · June 29, 2010, 1:16pm

xxxxx@sina.com wrote:

There is my question,
I want to write a file mapping by another process, It is created by CreateFileMapping with PAGE_READWRITE and a specify SECURITY_ATTRIBUTES.
The SECURITY_ATTRIBUTES is created by the follow function:
InitializeSecurityDescriptor,InitializeAcl, SetSecurityDescriptorDacl, AddAccessAllowedAce and MakeSelfRelativeSD…,
After CreateFileMapping be called, Get the SD length by GetSecurityDescriptorLength , Get the kernel object pointer by GetKernelObjectSecurity, last copy the specify SECURITY_ATTRIBUTES to kernel object security.

It can read by OpenFileMapping(or CreateFileMapping) with the READ protection.
It will be fail when with WRITE protection, the return error code is ERROR_ACCESS_DENIED.
I try to get the kernel object pointer by GetKernelObjectSecurity after OpenFileMapping(read only), The ERROR_ACCESS_DENIED error code will be received.
Is it possible write the file mapping object in application?

If the application created the security descriptor so that it could not
be written from other processes, then what makes you think you should be
allowed to write to it from another process?

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

allen_zhang · June 30, 2010, 9:45am

Hi Tim Roberts,

Thank you very much.
There is the reason why I want to do it, The method is straightforward by update share memory, I can’t find the other method except by driver, There is the first Opt by application for compatibility.
It comes to different in Vista and Windows 7, More and more include but not limits API are undocumented.
Is it possible by API in application ?

B.R.
Allen

Tim_Roberts · June 30, 2010, 12:52pm

xxxxx@sina.com wrote:

Thank you very much.
There is the reason why I want to do it, The method is straightforward by update share memory, I can’t find the other method except by driver, There is the first Opt by application for compatibility.
It comes to different in Vista and Windows 7, More and more include but not limits API are undocumented.
Is it possible by API in application ?

If the first application WANTS to allow other applications to write to
that area, then it simply needs to set up the permissions and security
descriptors to allow that. I may have misunderstood – I thought you
were trying to reverse engineer something here. The permission model
can be tricky, so it’s easy to get it wrong. Why don’t you post the
code that creates the file object, and we’ll take a look?

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Maxim_S_Shatskih · July 1, 2010, 7:58am

> I want to write a file mapping by another process, It is created by CreateFileMapping with

PAGE_READWRITE and a specify SECURITY_ATTRIBUTES.

If the creation call have specified too tight an ACL - then this will be intentionally impossible to update this ACL from another process.

You will need a “write DAC” right to it, or the Take Ownership privilege.

For me, all of this is looking strange.

Are the 2 apps running under the same user?

Is the first (creating) app yours or not? if not - then why are you meddling with the objects created by the other app?

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

allen_zhang · July 1, 2010, 12:29pm

Tim Roberts & Maxim S. Shatskih,

Thank you for your answer.

I do this by the follow steps.
1, Create a SID(named gSid) by StringSid.
lResult = ConvertStringSidToSid(StringSid, &gSid);
2, Allocate another SID(named pSid).
siaWorld.Value[0] = 0;
siaWorld.Value[1] = 0;
siaWorld.Value[2] = 0;
siaWorld.Value[3] = 0;
siaWorld.Value[4] = 0;
siaWorld.Value[5] = 1;
lResult = AllocateAndInitializeSid(&siaWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSid);
3,Initalize a ACL.
lResult = InitializeAcl(pAcl, uSize, ACL_REVISION);

4,Add ACL to pSid and gSid.
lResult = AddAccessAllowedAce(pAcl, ACL_REVISION, 0x000F001F, pSid);
lResult = AddAccessAllowedAce(pAcl, ACL_REVISION, 0x00000004, pSid);

5,Alloc and set the Dacl
pAbsoluteSecurityDescriptor = (SECURITY_DESCRIPTOR *)HeapAlloc(hHeap, 0, sizeof(SECURITY_DESCRIPTOR));
lResult = InitializeSecurityDescriptor(pAbsoluteSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
lResult = SetSecurityDescriptorDacl(pAbsoluteSecurityDescriptor, 1, pAcl, FALSE);

6, Get relative SD(named pRSD).
lResult = MakeSelfRelativeSD(pAbsoluteSecurityDescriptor, pSelfRelativeSD, &uSize);

7, CreateFileMapping with pRSD.
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.bInheritHandle = FALSE;
sa.lpSecurityDescriptor = pRSD;
hMapFile = CreateFileMapping(GetCurrentProcess(), NULL, PAGE_READWRITE, 0, 0x1000, L"Global\MyShareObject");
and then Map File by MapViewOfFile…

8, another process try to open the share object with FILE_MAP_WRITE,
hMapFile = OpenFileMapping(FILE_MAP_WRITE, 0, L"Global\MyShareObject");

If StringSid equal L"S-1-5-21-3130373783-975427623-3179037776-1000", TRUE will be return by OpenFileMapping.
If StringSid equal L"S-1-5-21-2052111302-746137067-839522115-16296", FALSE will be return by OpenFileMapping.
What is wrong?

allen_zhang · July 4, 2010, 1:09pm

Hi, Maxim S. Shatskih

How to “write DAC” right to it?
I can’t write DAC, If it is opened by OpenFileMapping with FILE_MAP_READ.

B.R.
Allen

Maxim_S_Shatskih · July 4, 2010, 1:51pm

> lResult = AddAccessAllowedAce(pAcl, ACL_REVISION, 0x000F001F, pSid);

lResult = AddAccessAllowedAce(pAcl, ACL_REVISION, 0x00000004, pSid);

What are 0x000f001f and 0x00000004?

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

allen_zhang · July 7, 2010, 2:03pm

Maxim S. Shatskih

Thank’s for your answer.

Sorry, I have a mistake about the follow code,
lResult = AddAccessAllowedAce(pAcl, ACL_REVISION, 0x000F001F, pSid);
lResult = AddAccessAllowedAce(pAcl, ACL_REVISION, 0x00000004, pSid);

It should be that,
lResult = AddAccessAllowedAce(pAcl, ACL_REVISION, 0x000F001F, gSid);
lResult = AddAccessAllowedAce(pAcl, ACL_REVISION, 0x00000004, pSid);

For the “0x000F001F” included standard rights(0x000F0000) and specific rights 0x000000004.
For the “0x000000004” , there is only specific rights.

It should be fail when if I try to read or write the DAC under the different user.
process 1 is a service, process 2 is an application, How to do it? Thank you.

allen_zhang · July 9, 2010, 12:02pm

I create a new SD from SECURITY_LOCAL_SYSTEM_RID by AllocateAndInitializeSid, and add all rights to it by AllocateAndInitializeSid, Then call CreateFileMapping with the SD, the same error code will be received.

I must get and duplicate the token of the first process?

Best Regards
Allen