Hi, All, I’m new to Windows driver development.
I want to implement a kernel module to intercept some system calls, like file access and network access, and provide user-based access control. For example: userA can read fileA and cannot read fileB; userB can read fileB but not fileA.
It’s quite easy for a Linux system: in the Linux kernel there is a global variable recording the current uid, so the kernel procedure knows which user it is serving.
My question is “How to get the user id in the Windows kernel”?
Thanks in advance.
> I want to implement a kernel module, to intercept some system calls, like file
> access, network access, and give a user based access control. for example: userA
> can read fileA, and can not read FileB, userB can read fileB, but not fileA.
You don’t need to intercept system calls in order to achieve the above goal - the whole thing is done simply by assigning access rights to the target object, i.e. all checks are done by the OS itself, rather than by third-party modules. In any case, these days interception of system calls in kernel mode is considered a bad programming technique, so you should not do it, at least not in a situation where the problem can be solved in a “supported” way…
My question is “How to get the user id in windows kernel”?
As long as you know the ID of the process that originated the request, it can be done via the ZwOpenProcessToken() - ZwQueryInformationToken() sequence. However, please note that some requests may be submitted in the context of a thread other than the request originator. For example, an IRP_MJ_WRITE that writes data of a memory-mapped file to the disk is processed in the context of the mapped page writer thread; an IRP_MJ_WRITE that writes data of a cached file to the disk is processed in the context of a system worker thread; etc.
Therefore, if you want to control access rights in a driver, the best thing to do is to filter IRP_MJ_CREATE requests (they are always processed in the context of the thread that calls CreateFile()) - before a user can do any operation on the target object, he/she has to open a handle to it with appropriate access rights in the first place. Therefore, by controlling this request your driver can control the relationship between users and access rights…
Anton Bassov
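As an added example, not code from this thread: on Windows the “user id” that the ZwOpenProcessToken()/ZwQueryInformationToken(TokenUser) sequence above hands back is a SID in TOKEN_USER.User.Sid, and this portable C decodes that binary layout and makes the allow/deny decision a create filter would make. The sample SIDs and the allow-list are constructed; a real driver would compare with RtlEqualSid() rather than strings, and this builds without the WDK so it can be run anywhere.

```c
/* Added example, not from this thread. Decodes the binary SID that the
 * ZwOpenProcessToken()/ZwQueryInformationToken(TokenUser) sequence returns in
 * TOKEN_USER.User.Sid and makes the allow/deny decision a create filter would
 * make. Portable C (no WDK); a driver would use RtlEqualSid() instead. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
 * SubAuthority[count] (32-bit little-endian each). Returns 0 on success. */
static int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t outlen)
{
    if (len < 8 || sid[0] != 1 || sid[1] > 15) return -1; /* revision 1, <= 15 subs */
    size_t count = sid[1];
    if (len < 8 + count * 4) return -1;                   /* truncated: reject */
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid[2 + i];
    int n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = sid + 8 + i * 4;
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(out + n, outlen - (size_t)n, "-%u", (unsigned)sub);
        if (m < 0 || (size_t)m >= outlen - (size_t)n) return -1;
        n += m;
    }
    return 0;
}

/* Does this SID decode to the given string form? */
static int sid_is(const uint8_t *sid, size_t len, const char *expected)
{
    char buf[96];
    return sid_to_string(sid, len, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

/* IRP_MJ_CREATE decision: allow only listed callers; a malformed or unlisted
 * SID is denied (the driver would complete the IRP with STATUS_ACCESS_DENIED). */
static int create_allowed(const uint8_t *sid, size_t len, const char *const *allow)
{
    for (; *allow; allow++)
        if (sid_is(sid, len, *allow)) return 1;
    return 0;
}

/* Constructed sample SIDs: userA = S-1-5-21-1-2-1001, userB = S-1-5-21-1-2-1002. */
static const uint8_t USER_A_SID[] = {1,4, 0,0,0,0,0,5, 21,0,0,0, 1,0,0,0, 2,0,0,0, 0xE9,3,0,0};
static const uint8_t USER_B_SID[] = {1,4, 0,0,0,0,0,5, 21,0,0,0, 1,0,0,0, 2,0,0,0, 0xEA,3,0,0};
static const char *const FILEA_ALLOW[] = { "S-1-5-21-1-2-1001", NULL }; /* userA only */
```

With the constructed data, create_allowed() returns 1 for userA and 0 for userB, and a buffer shorter than the declared sub-authority count is rejected rather than read past its end.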
Anton, thank you very much.
It’s great if I can implement the access control without intercepting the system call.
Could you kindly show me some docs/resources/links/examples about “assigning access rights to the target object”?
Thanks.
On 9/29/07, xxxxx@hotmail.com wrote:
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@gmail.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
> could you kindly please show me some doc/resource/link/examples about
> “assign access rights to the target object”?
The link below is your starting point:
http://msdn2.microsoft.com/en-us/library/aa374860.aspx
Anton Bassov
Thank you very much.
I checked this link; it seems the security object is programmable from user space. It’s cool, but it seems to be file-system related.
My questions are:
- For file ACLs, are they file-system independent, or do they apply only to the NTFS file system?
- Could the security object be used for the network? For example, userA could access the network but userB cannot.
Thanks.
Brady Chen wrote:
> Thank you very much.
> I checked this link; it seems the security object is programmable from user space. It’s cool, but it seems to be file-system related.
> My questions are:
> - For file ACLs, are they file-system independent, or do they apply only to the NTFS file system?
> - Could the security object be used for the network? For example, userA could access the network but userB cannot.
Pretty much every kernel object is securable with a SD [Security Descriptor]
that contains a DACL [Discretionary ACL] to control the level of access that
different users have to the object. This includes folders & files on NTFS
volumes. Remotely accessed NTFS volumes enforce the same access controls as
locally accessed NTFS volumes. Other file systems, such as FAT, FAT32 and
CDFS do not support this type of access control mechanism, although, if they
are remotely accessed via share, some very basic permissions can be applied
to the share itself.
When you ask the question, “Could the security object be used on network?”,
you’re not very clear about what it is that you’re asking for. Are you
asking if a Security Descriptor could be applied such that it restricts a
user’s ability to access network resources? If so, which network? Are you
asking if you can prevent user-mode access of the TCP/IP stack? Are you
asking if you can prevent user-mode access to a particular NT domain or AD
tree/forest? Please elaborate in more detail.
Also, a suggestion for you: read all of the MSDN docs on Security & Access
Control. There are several decent books on Windows NT internals that explain
NT security & access controls at both kernel mode & user mode levels. It
would be advisable to obtain & read one or more of these books.
Thank you, Chuck
> When you ask the question, “Could the security object be used on network?”,
> you’re not very clear about what it is that you’re asking for. Are you
> asking if a Security Descriptor could be applied such that it restricts a
> user’s ability to access network resources? If so, which network? Are you
> asking if you can prevent user-mode access of the TCP/IP stack? Are you
> asking if you can prevent user-mode access to a particular NT domain or AD
> tree/forest? Please elaborate in more detail.
I want to control the use of the TCP/IP stack: for example, userA could
establish TCP connections (connect to www.google.com), but userB cannot (a
user-based network firewall, actually).
> Also, a suggestion for you, read all of the MSDN docs on Security & Access
> Control. There’s several decent books on Windows NT internals that explain
> NT security & access controls at both kernel mode & user mode levels. It
> would be advisable to obtain & read one or more of these books.
Chuck, could you please recommend some books about this area? Thank you in
advance.
-Brady
Chuck wrote:
> There’s several decent books on Windows NT internals that explain
> NT security & access controls at both kernel mode …
Chuck, other than the “NT Windows Internals” series by Custer/Russinovich/Solomon, I don’t know of any book about this topic.
Can you list these books, please?
I heard, a long time ago, that Rajeev Nagar (yes, the guy who wrote that book about file systems) was planning to write a book on security at the kernel level.
Has anyone heard about it?
OT: By the way, is Rajeev still working at MS, writing books, or is he already retired?
Inaki.
> i want to control the use of TCP/IP stack, for example, userA could
> establish TCP connections (connect to www.google.com), but userB can not.
A TDI filter is a solution here. Since IRP_MJ_CREATE always gets sent in the context of the caller process,
you are not going to have the slightest problem here - if the current caller does not have sufficient rights to access the network, just fail IRP_MJ_CREATE, and that’s it…
Anton Bassov