I've been asking a lot of questions. Sorry if that disturbs or somehow "floods" the OSR.
This one is quite short and focused.
Microsoft always highlights usage of OBJ_KERNEL_HANDLE to keep it secure from the context of the application that made the I/O request. If not opened with OBJ_KERNEL_HANDLE, the application can use it and gain access.
My questions are:
1. How safe is this for the application to use the handle?
2. Can the application duplicate the handle?
2.1. Will the duplicated handle remain valid when the driver closes the original one via ZwClose?
3. Can the application close the handle by calling Close on kernel32.dll?
The documentation seems quite clear. If you use OBJ_KERNEL_HANDLE, then the handle only has meaning in kernel mode. A user-mode application cannot use it. It will be an invalid handle. If you don't use OBJ_KERNEL_HANDLE, then it is valid in user mode like any other handle.
There's no "safety" issue here. Either it is kernel-only, or it is not.
So I'm assuming all answers to my other questions are also yes:
(1) The application can close the handle via Close, (2) can duplicate it, (3) and can use the duplicated handle even if the driver closes the original one with ZwClose?