I’m attempting a kernel mode server-side implementation of TLS Protocol 1.0 & am finding problems due to my lack of understanding of the lsass.exe process.
I create the SCHANNEL credential in a user mode process & roll my own IOCTL (buffered) & send it to \Device\Tcp & my driver, which filters \Device\Tcp, gets it OK.
I then call AcquireCredentialsHandleW() from the driver, passing Irp->AssociatedIrp.SystemBuffer as the credential, but receive a status of access_violation (0xc0000005).
The SCHANNEL credential record contains a pointer to an array of pointers to the credentials being passed in; with TLS the credential passed in is the server certificate.
If I pass a NULL pointer as the pointer to the array of pointers in the SCHANNEL credential record, the system crashes in lsass.exe & I see the following in the stack:
STACK_TEXT:
012dfe48 742c8ef9 00d5f980 012dfe70 00d5f950 LSASRV!GetClientString+0x6e
012dfe84 742c3b02 00000000 005bedf0 00588fb8 LSASRV!LpcAcquireCreds+0x64
012dfe9c 742c3a05 00d5f950 005aa9e8 00d80b68 LSASRV!DispatchAPI+0x46
012dff54 742c3035 00d5f950 012dff9c 77e68c85 LSASRV!LpcHandler+0x1fe
012dff78 742e746b 00588d78 00000000 00000000 LSASRV!SpmPoolThreadBase+0xb9
012dffb8 77e66063 0058ade8 00000000 00000000 LSASRV!LsapThreadBase+0x91
012dffec 00000000 742e7414 0058ade8 00000000 kernel32!BaseThreadStart+0x34
which leads me to suspect that everything in the call to AcquireCredentialsHandleW() was OK and the LPC call to lsass.exe was OK, and that it was attempting to build the credentials & extract the server certificate data when the crash occurred.
I don’t understand how the lsass.exe process can “see” the certificate in another process address space.
What do I need to do to make the certificate “visible” to the lsass.exe process?
regards
John
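As an added example (not part of John's post, and not Windows' own API): a METHOD_BUFFERED IOCTL copies only the bytes of the top-level SCHANNEL_CRED into Irp->AssociatedIrp.SystemBuffer; paCred, and the CERT_CONTEXT records it points at, are still user-mode addresses belonging to the sending process, so the driver and anything it forwards them to cannot safely follow them. One way to carry the certificate across that boundary is to flatten the DER-encoded certificate(s) into a pointer-free payload in user mode and have the driver parse it with explicit bounds checks against the IRP's input length. The payload format, the CRED_PAYLOAD_* names and the sample certificate bytes below are this example's own constructed assumptions; the parser takes the buffer length as a parameter the way a driver would pass Parameters.DeviceIoControl.InputBufferLength.

```c
/* Added example: pointer-free credential payload for a buffered IOCTL.
 * Format (all this example's own, not a Windows structure):
 *   CRED_PAYLOAD_HDR, then cert_count times { uint32_t len; uint8_t der[len]; } */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint32_t magic;       /* CRED_PAYLOAD_MAGIC */
    uint32_t version;     /* CRED_PAYLOAD_VERSION */
    uint32_t cert_count;  /* number of DER certs that follow */
    uint32_t total_len;   /* whole payload length, header included */
} CRED_PAYLOAD_HDR;

#define CRED_PAYLOAD_MAGIC   0x44455243u   /* 'CRED' */
#define CRED_PAYLOAD_VERSION 1u
#define CRED_MAX_CERTS       8u
#define CRED_MAX_CERT_LEN    (64u * 1024u)

/* User-mode side: serialize n DER certs into a malloc'd buffer (NULL on bad input). */
uint8_t *cred_payload_build(const uint8_t **certs, const uint32_t *lens, uint32_t n, uint32_t *out_len)
{
    if (n == 0 || n > CRED_MAX_CERTS || !certs || !lens || !out_len) return NULL;
    uint64_t total = sizeof(CRED_PAYLOAD_HDR);
    for (uint32_t i = 0; i < n; i++) {
        if (!certs[i] || lens[i] == 0 || lens[i] > CRED_MAX_CERT_LEN) return NULL;
        total += sizeof(uint32_t) + lens[i];
    }
    uint8_t *buf = malloc((size_t)total);      /* total is bounded by the limits above */
    if (!buf) return NULL;
    CRED_PAYLOAD_HDR hdr = { CRED_PAYLOAD_MAGIC, CRED_PAYLOAD_VERSION, n, (uint32_t)total };
    memcpy(buf, &hdr, sizeof hdr);
    size_t off = sizeof hdr;
    for (uint32_t i = 0; i < n; i++) {
        memcpy(buf + off, &lens[i], sizeof(uint32_t)); off += sizeof(uint32_t);
        memcpy(buf + off, certs[i], lens[i]);          off += lens[i];
    }
    *out_len = (uint32_t)total;
    return buf;
}

/* Driver side: validate the payload in SystemBuffer against the IRP's input length.
 * Every length is checked before use; nothing in the buffer is trusted.
 * Returns the cert count and fills out_off/out_len (up to max), or 0 on any inconsistency. */
uint32_t cred_payload_parse(const uint8_t *buf, uint32_t buf_len,
                            uint32_t *out_off, uint32_t *out_len, uint32_t max)
{
    CRED_PAYLOAD_HDR hdr;
    if (!buf || !out_off || !out_len || buf_len < sizeof hdr) return 0;
    memcpy(&hdr, buf, sizeof hdr);              /* copy once; never re-read shared memory */
    if (hdr.magic != CRED_PAYLOAD_MAGIC || hdr.version != CRED_PAYLOAD_VERSION) return 0;
    if (hdr.total_len != buf_len) return 0;     /* header must agree with the IRP length */
    if (hdr.cert_count == 0 || hdr.cert_count > CRED_MAX_CERTS || hdr.cert_count > max) return 0;
    uint32_t off = sizeof hdr;
    for (uint32_t i = 0; i < hdr.cert_count; i++) {
        uint32_t len;
        if (buf_len - off < sizeof len) return 0;
        memcpy(&len, buf + off, sizeof len); off += sizeof len;
        if (len == 0 || len > CRED_MAX_CERT_LEN || len > buf_len - off) return 0;
        out_off[i] = off; out_len[i] = len;
        off += len;
    }
    return off == buf_len ? hdr.cert_count : 0; /* reject trailing garbage */
}

/* Constructed sample input (not real certificates): two short byte strings standing in for DER. */
static const uint8_t SAMPLE_CERT0[] = { 0x30, 0x82, 0x01, 0x0a, 0x02, 0x01, 0x01 };
static const uint8_t SAMPLE_CERT1[] = { 0x30, 0x82, 0x00, 0x55, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e };

/* Round trip: build, parse, compare bytes. Returns 1 on success. */
int cred_payload_roundtrip_ok(void)
{
    const uint8_t *certs[2] = { SAMPLE_CERT0, SAMPLE_CERT1 };
    uint32_t lens[2] = { sizeof SAMPLE_CERT0, sizeof SAMPLE_CERT1 };
    uint32_t total = 0, off[2], len[2];
    uint8_t *buf = cred_payload_build(certs, lens, 2, &total);
    if (!buf) return 0;
    int ok = cred_payload_parse(buf, total, off, len, 2) == 2
          && len[0] == lens[0] && len[1] == lens[1]
          && memcmp(buf + off[0], SAMPLE_CERT0, lens[0]) == 0
          && memcmp(buf + off[1], SAMPLE_CERT1, lens[1]) == 0;
    free(buf);
    return ok;
}

/* Hostile input: a truncated IRP and an oversized inner length are both rejected. */
int cred_payload_rejects_bad_input(void)
{
    const uint8_t *certs[1] = { SAMPLE_CERT0 };
    uint32_t lens[1] = { sizeof SAMPLE_CERT0 };
    uint32_t total = 0, off[1], len[1];
    uint8_t *buf = cred_payload_build(certs, lens, 1, &total);
    if (!buf) return 0;
    int ok = cred_payload_parse(buf, total - 1, off, len, 1) == 0;  /* IRP shorter than header claims */
    memset(buf + sizeof(CRED_PAYLOAD_HDR), 0xff, sizeof(uint32_t)); /* inner length now 0xffffffff */
    ok = ok && cred_payload_parse(buf, total, off, len, 1) == 0;
    free(buf);
    return ok;
}
```

The receiving side keeps the parsed offsets relative to the copied buffer and never stores a user-mode pointer, which is the property a driver needs before it hands certificate bytes to any further consumer.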