Thank you very much for the reply. I tested this today at the office and I was definitely missing this part of the abstraction.
Unfortunately there is still an issue with FltQuerySecurityObject. I was missing an NT_SUCCESS check after the second call to FltQuerySecurityObject and came across the fact that the function always returns a STATUS_BUFFER_TOO_SMALL status (also in the second query, where I already pass the correct size from the first query). I tested what happens while ignoring the STATUS_BUFFER_TOO_SMALL result:
RtlGetOwnerSecurityDescriptor(pSecDescriptor, ownerSID, &ownerDefaulted); succeeds, but SecLookupAccountSid then tells me STATUS_INVALID_SID.
FltQuerySecurityObject mostly returns 0x24 for the required size; in rare cases it returns 0x20.
Once more, the code for FltQuerySecurityObject with the newly added check:
    // First query with no buffer: only the required size is wanted
    status = FltQuerySecurityObject(fltObjects->Instance,
                                    fltObjects->FileObject,
                                    OWNER_SECURITY_INFORMATION,
                                    NULL,
                                    0,
                                    &bytesNeededSecObject);
    if (status == STATUS_BUFFER_TOO_SMALL) {
        pSecDescriptor = ExAllocatePoolWithTag(NonPagedPool, (SIZE_T)bytesNeededSecObject, 'sec');
        if (pSecDescriptor == NULL) {
            // Pool allocation can fail; never pass a NULL buffer back in
            status = STATUS_INSUFFICIENT_RESOURCES;
        } else {
            wasAllocated = TRUE;
            // Pass a real LengthNeeded again: the required size can differ from
            // the first query (0x20 vs 0x24 seen), and it is only visible to the
            // caller if the pointer is non-NULL
            status = FltQuerySecurityObject(fltObjects->Instance,
                                            fltObjects->FileObject,
                                            OWNER_SECURITY_INFORMATION,
                                            pSecDescriptor,
                                            bytesNeededSecObject,
                                            &bytesNeededSecObject);
            if (NT_SUCCESS(status)) {
                // I don't get here because status is STATUS_BUFFER_TOO_SMALL again
                // rest of the code omitted for now
            } else {
                // Release the buffer on failure so it cannot leak or be used stale
                ExFreePoolWithTag(pSecDescriptor, 'sec');
                pSecDescriptor = NULL;
                wasAllocated = FALSE;
            }
        }
    }
I came across this thread: http://osronline.com/ShowThread.cfm?link=228119. It looks to me like the thread creator was facing a similar problem, where FltQuerySecurityObject also returned STATUS_BUFFER_TOO_SMALL with the buffer size set to 0x24. I'm testing with Win7 x64 as well.
Do you maybe have any further suggestions?
Thanks again.
Regards, Christian
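The size-probe-then-retry pattern behind the question above, as an added example that is not from the post or the WDK: the kernel call is replaced by a constructed stand-in (same parameter order as the real FltQuerySecurityObject) that reproduces the required size changing between calls, as the post observed, so the file compiles and runs outside a driver. QueryOwnerSd, g_needed and the malloc/free calls are illustrative substitutes for the driver's own code and pool allocator.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Stand-ins for the WDK types/status codes used below, constructed so this
 * compiles outside the kernel (real NTSTATUS is a 32-bit LONG). */
typedef int32_t NTSTATUS; typedef uint32_t ULONG; typedef void *PVOID;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_BUFFER_TOO_SMALL       ((NTSTATUS)0xC0000023)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
#define OWNER_SECURITY_INFORMATION    0x00000001
#define NT_SUCCESS(s)                 ((s) >= 0)
/* Simulated FltQuerySecurityObject (hypothetical stand-in, same parameter order as
 * the real call). It models what the post observed: the size reported can change
 * between calls (0x20, then 0x24), and the buffer is only filled once Length is at
 * least the size reported on this call. */
static const ULONG g_needed[] = { 0x20, 0x24 };
static int g_calls;
static NTSTATUS FltQuerySecurityObject(PVOID Instance, PVOID FileObject,
        ULONG SecurityInformation, PVOID SecurityDescriptor, ULONG Length,
        ULONG *LengthNeeded)
{
    (void)Instance; (void)FileObject; (void)SecurityInformation;
    ULONG needed = g_needed[g_calls < 1 ? g_calls : 1];
    g_calls++;
    if (LengthNeeded) *LengthNeeded = needed;
    if (SecurityDescriptor == NULL || Length < needed) return STATUS_BUFFER_TOO_SMALL;
    memset(SecurityDescriptor, 0xAB, needed);  /* pretend self-relative SD bytes */
    return STATUS_SUCCESS;
}
/* Retry loop: pass a real LengthNeeded on every call and, on each
 * STATUS_BUFFER_TOO_SMALL, grow the buffer to the size just reported instead of
 * trusting the initial probe. Bounded so a misbehaving provider cannot spin us.
 * malloc/free stand in for ExAllocatePoolWithTag/ExFreePoolWithTag. */
NTSTATUS QueryOwnerSd(PVOID instance, PVOID fileObject, PVOID *outSd, ULONG *outLen)
{
    PVOID sd = NULL; ULONG len = 0, needed = 0;
    NTSTATUS status = STATUS_BUFFER_TOO_SMALL;
    for (int attempt = 0; attempt < 4 && status == STATUS_BUFFER_TOO_SMALL; attempt++) {
        status = FltQuerySecurityObject(instance, fileObject, OWNER_SECURITY_INFORMATION,
                                        sd, len, &needed);
        if (status == STATUS_BUFFER_TOO_SMALL && needed > len) {
            free(sd);
            sd = malloc(needed);
            if (sd == NULL) return STATUS_INSUFFICIENT_RESOURCES;
            len = needed;
        }
    }
    if (!NT_SUCCESS(status)) { free(sd); return status; }
    *outSd = sd; *outLen = len; return status;
}
```

With the stand-in, the loop needs three calls (probe, too small at 0x20, success at 0x24); a single probe-and-retry would have stopped at the second STATUS_BUFFER_TOO_SMALL.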