Hello,
I need to open a handle (user or kernel, it doesn’t matter) to a directory object specified by a user-mode root handle and a relative path.
I can’t call NtOpenDirectoryObject because it is not exported by the kernel and Driver Verifier complains of “Referencing user handle as KernelMode” when I call ZwOpenDirectoryObject.
Is there any other way?
Thank you.
Please explain why you would ever want to do this? Most people don’t
worry about object directories, and passing in a user-mode handle is a
great security hole.
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
“xxxxx@yahoo.com” wrote in message
news:xxxxx@ntdev:
> Hello,
>
> I need to open a handle (user or kernel, it doesn’t matter) to a directory object specified by a user-mode root handle and a relative path.
> I can’t call NtOpenDirectoryObject because it is not exported by the kernel and Driver Verifier complains of “Referencing user handle as KernelMode” when I call ZwOpenDirectoryObject.
>
> Is there any other way?
>
> Thank you.
I want to monitor access to process objects like events, sections, mutexes, etc.
Did you specify OBJ_KERNEL_HANDLE when you called InitializeObjectAttributes?
Mark Roddy
On Thu, Nov 18, 2010 at 12:29 PM, wrote:
> ZwOpenDirectoryObject
Yes and it makes no difference.
wrote in message news:xxxxx@ntdev…
> Hello,
>
> I need to open a handle (user or kernel, it doesn’t matter) to a directory
> object specified by a user-mode root handle and a relative path.
> I can’t call NtOpenDirectoryObject because it is not exported by the
> kernel and Driver Verifier complains of “Referencing user handle as
> KernelMode” when I call ZwOpenDirectoryObject.
>
Convert the user handle to kernel handle, using ObReferenceObjectByHandle(
… KernelMode … ) -
which also verifies the user handle.
Then you could hack away with ZwOpenDirectoryObject. It is not clear what to
specify as ObjectType, though.
–pa
“Pavel A.” wrote in message news:xxxxx@ntdev…
> wrote in message news:xxxxx@ntdev…
>> Hello,
>>
>> I need to open a handle (user or kernel, it doesn’t matter) to a
>> directory object specified by a user-mode root handle and a relative
>> path.
>> I can’t call NtOpenDirectoryObject because it is not exported by the
>> kernel and Driver Verifier complains of “Referencing user handle as
>> KernelMode” when I call ZwOpenDirectoryObject.
>>
>
> Convert the user handle to kernel handle, using
> ObReferenceObjectByHandle( … KernelMode … ) -
> which also verifies the user handle.
and then ObOpenObjectByPointer(… KernelMode …)
–pa
> Then you could hack away with ZwOpenDirectoryObject. It is not clear what
> to specify as ObjectType, though.
> --pa
You need to use an access mode of UserMode and not KernelMode if you are dealing with a user handle. Otherwise the handle is not verified.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Pavel A.
Sent: Thursday, November 18, 2010 8:19 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] opening a directory object in kernel mode using a user mode root
wrote in message news:xxxxx@ntdev…
> Hello,
>
> I need to open a handle (user or kernel, it doesn’t matter) to a
> directory object specified by a user-mode root handle and a relative path.
> I can’t call NtOpenDirectoryObject because it is not exported by the
> kernel and Driver Verifier complains of “Referencing user handle as
> KernelMode” when I call ZwOpenDirectoryObject.
>
Convert the user handle to kernel handle, using ObReferenceObjectByHandle( … KernelMode … ) - which also verifies the user handle.
Then you could hack away with ZwOpenDirectoryObject. It is not clear what to specify as ObjectType, though.
–pa
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
“Skywing” wrote in message
news:xxxxx@ntdev…
> You need to use an access mode of UserMode and not KernelMode if you are
> dealing with a user handle. Otherwise the handle is not verified.
>
> - S
Oops, sorry, you are correct of course.
ObReferenceObjectByHandle with UserMode, then ObOpenObjectByPointer with
KernelMode.
– pa
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Pavel A.
> Sent: Thursday, November 18, 2010 8:19 PM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] opening a directory object in kernel mode using a user
> mode root
>
> wrote in message news:xxxxx@ntdev…
>> Hello,
>>
>> I need to open a handle (user or kernel, it doesn’t matter) to a
>> directory object specified by a user-mode root handle and a relative
>> path.
>> I can’t call NtOpenDirectoryObject because it is not exported by the
>> kernel and Driver Verifier complains of “Referencing user handle as
>> KernelMode” when I call ZwOpenDirectoryObject.
>>
>
> Convert the user handle to kernel handle, using
> ObReferenceObjectByHandle( … KernelMode … ) - which also verifies the
> user handle.
> Then you could hack away with ZwOpenDirectoryObject. It is not clear what
> to specify as ObjectType, though.
> --pa
Thank you Pavel and Ken, the problem is fixed.
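The correction the thread arrives at (reference the user handle with UserMode, then open a kernel handle on the object pointer) can be illustrated with a small user-space model. This is an added example, not code from any poster and not WDK code: every function, constant and table name below is a hypothetical stand-in, and the model assumes only that a KernelMode reference skips the granted-access comparison while a UserMode reference enforces it and refuses kernel handles.

```c
/* Constructed user-space model; every name here is a hypothetical stand-in, not a WDK API. */
#include <stddef.h>

enum mode   { USER_MODE, KERNEL_MODE };
enum status { OK, INVALID_HANDLE, TYPE_MISMATCH, ACCESS_DENIED };
enum type   { TYPE_DIRECTORY, TYPE_EVENT };
#define DIR_QUERY    0x1u
#define DIR_TRAVERSE 0x2u
#define KERNEL_BIT   0x80000000u  /* model's marker for kernel-table handles */
#define SLOTS        8u

struct object { enum type type; int refs; };
struct entry  { struct object *obj; unsigned granted; };
static struct entry user_table[SLOTS], kernel_table[SLOTS];

/* Reference an object by handle under a caller-chosen access mode. */
enum status ref_by_handle(unsigned h, unsigned desired, enum type expect,
                          enum mode mode, struct object **out)
{
    unsigned idx = h & ~KERNEL_BIT;
    struct entry *tbl = (h & KERNEL_BIT) ? kernel_table : user_table;
    if (tbl == kernel_table && mode == USER_MODE) return INVALID_HANDLE;
    if (idx >= SLOTS || tbl[idx].obj == NULL) return INVALID_HANDLE;
    if (tbl[idx].obj->type != expect) return TYPE_MISMATCH;
    /* Only USER_MODE compares the request with what the handle was granted. */
    if (mode == USER_MODE && (desired & ~tbl[idx].granted)) return ACCESS_DENIED;
    tbl[idx].obj->refs++;
    *out = tbl[idx].obj;
    return OK;
}

/* Open a kernel-table handle on an already referenced object. */
unsigned open_kernel_handle(struct object *obj, unsigned access)
{
    for (unsigned i = 1; i < SLOTS; i++)
        if (kernel_table[i].obj == NULL) {
            kernel_table[i] = (struct entry){ obj, access };
            obj->refs++;          /* the new handle holds its own reference */
            return i | KERNEL_BIT;
        }
    return 0;
}

/* Validate as USER_MODE, then reopen for kernel use. */
enum status user_root_to_kernel(unsigned user_h, unsigned desired, unsigned *kernel_h)
{
    struct object *obj;
    enum status s = ref_by_handle(user_h, desired, TYPE_DIRECTORY, USER_MODE, &obj);
    if (s != OK) return s;
    *kernel_h = open_kernel_handle(obj, desired);
    obj->refs--;                  /* drop the temporary reference */
    return *kernel_h ? OK : INVALID_HANDLE;
}
```

In the model, a caller-supplied handle granted only query access is refused traverse access under `USER_MODE` but accepted under `KERNEL_MODE`, which is the gap the UserMode reference closes before the kernel handle is created.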