Kernel Mode TLS

I’m attempting a kernel mode server-side implementation of TLS Protocol 1.0 & am finding problems due to my lack of understanding of the lsass.exe process.

I create the SCHANNEL credential in a user mode process & roll my own IOCTL (buffered) & send it to \Device\Tcp & my driver, which filters \Device\Tcp, gets it OK.

I then call AcquireCredentialsHandleW() from the driver passing Irp->AssociatedIrp.SystemBuffer as the credential but receive status of access_violation (0xc0000005).

If I pass a NULL pointer in the credentials the system crashes in lsass.exe & I see the following in the stack:

STACK_TEXT:
012dfe48 742c8ef9 00d5f980 012dfe70 00d5f950 LSASRV!GetClientString+0x6e
012dfe84 742c3b02 00000000 005bedf0 00588fb8 LSASRV!LpcAcquireCreds+0x64
012dfe9c 742c3a05 00d5f950 005aa9e8 00d80b68 LSASRV!DispatchAPI+0x46
012dff54 742c3035 00d5f950 012dff9c 77e68c85 LSASRV!LpcHandler+0x1fe
012dff78 742e746b 00588d78 00000000 00000000 LSASRV!SpmPoolThreadBase+0xb9
012dffb8 77e66063 0058ade8 00000000 00000000 LSASRV!LsapThreadBase+0x91
012dffec 00000000 742e7414 0058ade8 00000000 kernel32!BaseThreadStart+0x34

which leads me to suspect everything in the call to AcquireCredentialsHandleW() was OK, the LPC call to lsass.exe was OK, and it was attempting to build the credentials & extract certificate data when the crash occurred.

I don’t understand how the lsass.exe process can “see” the certificate in another process address space.

What do I need to do to make the certificate “visible” to the lsass.exe process ???

regards

John
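Before asking how lsass.exe sees the certificate, it helps to read the trace systematically: which module faults, what the LPC dispatch path down to it is, and which displayed argument slots carry zeroes. The Python helper below is an added example, not John's code and not part of any Microsoft tooling; it assumes the trace is x86 `kb` output (ChildEBP, RetAddr, three Args-to-Child slots, then Module!Function+Offset) and uses the STACK_TEXT block from the post as its sample input.

```python
"""Parse a WinDbg-style STACK_TEXT block and summarise the crash path.

Hypothetical helper added to this thread; it is not John's code and not
part of any Microsoft tooling. Assumption: the trace is x86 `kb` output,
one frame per line, laid out as
    ChildEBP RetAddr Arg1 Arg2 Arg3 Module!Function+0xOffset
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample input: the STACK_TEXT block copied from the post above.
STACK_TEXT = """\
STACK_TEXT:
012dfe48 742c8ef9 00d5f980 012dfe70 00d5f950 LSASRV!GetClientString+0x6e
012dfe84 742c3b02 00000000 005bedf0 00588fb8 LSASRV!LpcAcquireCreds+0x64
012dfe9c 742c3a05 00d5f950 005aa9e8 00d80b68 LSASRV!DispatchAPI+0x46
012dff54 742c3035 00d5f950 012dff9c 77e68c85 LSASRV!LpcHandler+0x1fe
012dff78 742e746b 00588d78 00000000 00000000 LSASRV!SpmPoolThreadBase+0xb9
012dffb8 77e66063 0058ade8 00000000 00000000 LSASRV!LsapThreadBase+0x91
012dffec 00000000 742e7414 0058ade8 00000000 kernel32!BaseThreadStart+0x34
"""

FRAME_RE = re.compile(
    r"^(?P<ebp>[0-9a-f]{8})\s+(?P<ret>[0-9a-f]{8})\s+"
    r"(?P<a1>[0-9a-f]{8})\s+(?P<a2>[0-9a-f]{8})\s+(?P<a3>[0-9a-f]{8})\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)(?:\+0x(?P<off>[0-9a-f]+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    args: Tuple[int, int, int]   # the three "Args to Child" slots WinDbg prints
    module: str
    function: str
    offset: int

    @property
    def site(self) -> str:
        return f"{self.module}!{self.function}"


def parse_stack_text(text: str) -> List[Frame]:
    """Return frames innermost first, exactly as WinDbg lists them."""
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("STACK_TEXT"):
            continue
        m = FRAME_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised frame line: {line!r}")
        frames.append(Frame(
            child_ebp=int(m["ebp"], 16),
            ret_addr=int(m["ret"], 16),
            args=(int(m["a1"], 16), int(m["a2"], 16), int(m["a3"], 16)),
            module=m["module"],
            function=m["func"],
            offset=int(m["off"], 16) if m["off"] else 0,
        ))
    return frames


def is_well_formed(frames: List[Frame]) -> bool:
    """Sanity check for a stack walk: on x86 the stack grows downward, so each
    outer frame's ChildEBP must be higher than the frame inside it, and only
    the outermost frame may carry a zero return address."""
    for inner, outer in zip(frames, frames[1:]):
        if outer.child_ebp <= inner.child_ebp:
            return False
    return all(f.ret_addr != 0 for f in frames[:-1])


def call_chain(frames: List[Frame]) -> List[str]:
    """Call sites from thread start down to the faulting frame."""
    return [f.site for f in reversed(frames)]


def frames_with_null_args(frames: List[Frame]) -> List[str]:
    """Functions whose displayed argument slots include a zero. For frames with
    a standard prologue these slots are usually the callee's first parameters,
    so a NULL passed down the call path tends to show up here."""
    return [f.function for f in frames if 0 in f.args]


def summarize(frames: List[Frame]) -> dict:
    top = frames[0]
    return {
        "faulting_site": f"{top.site}+0x{top.offset:x}",
        "faulting_module": top.module,
        "modules": sorted({f.module for f in frames}),
        "null_arg_frames": frames_with_null_args(frames),
        "well_formed": is_well_formed(frames),
    }


if __name__ == "__main__":
    parsed = parse_stack_text(STACK_TEXT)
    for site in call_chain(parsed):
        print(site)
    print(summarize(parsed))
```

Run it as a script and it prints the dispatch path from kernel32!BaseThreadStart down to LSASRV!GetClientString, followed by a summary dict; `frames_with_null_args` is the quickest way to see which frames in a pasted trace were handed a zero in their first argument slots.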

It’s not clear what you mean by when you pass NULL in “credentials”. Are
you attempting to pass system credentials or your own credentials (your
own package perhaps)? If you post some code frags, then someone in this
group may be able to help you.

Thanks


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of John Burgoyne
Sent: Tuesday, November 15, 2005 6:11 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Kernel Mode TLS
