The handle could get closed and reopened in between calling ZwQueryKey and ObReferenceObjectByHandle. The same is true if you invert the call order. Also, you don’t want to call a Zw function on untrusted input from the user.
You might be able to call NtOpenKey using the provided handle as the root directory and NULL as the object name. Set the OBJ_KERNEL_HANDLE flag to ensure that the app can’t remap your handle out from under you. Note that I’m not certain this will work - you might get an error, so you should try it out before shipping your product.
An alternative would be ZwDuplicateObject, which appears to be exposed in the IFS kit headers (at least it is at the moment that I’m looking at LH sources … I don’t have a kit installed that I can check). I believe you can use this to duplicate the caller’s handle into the system handle table (OBJ_KERNEL_HANDLE) so as to ensure that your copy can’t be tampered with. This will keep the underlying object around regardless of whether the caller closes their handle. It’s also atomic, so the caller can’t screw with you in the middle of your validation pass.
-p
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Arlie Davis
Sent: Friday, August 05, 2005 8:22 AM
To: Windows System Software Devs Interest List
Subject: RE: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object from handle
No no no no no no NO. Digging in undocumented, unexposed headers should always be a warning that you are doing something wrong.

If you want to validate that something is a registry key, and you can’t get direct access to the registry key object type, then at least do something reasonable – don’t manually dig in undocumented structures. How many times has this blown up?! Just go read some of Raymond Chen’s descriptions of the agony that this has caused.

If you have a handle, and you suspect that it is a registry key but you want to verify this, then ask it to do something that only registry keys do.

Call ZwQueryKey, and request something innocuous, like KeyBasicInformation.

If this succeeds, then you have a pretty good idea that it is a registry key. Then you can call ObReferenceObjectByHandle, with ObjectType = NULL, and have some peace of mind that this will work two service packs down the road.
– arlie
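The two replies above describe one race-free validation sequence between them: duplicate the caller's handle into the kernel handle table (so user mode can no longer close or reuse the slot), prove the copy is a registry key by asking it to do something only keys do (ZwQueryKey with KeyBasicInformation), and only then take a referenced pointer with ObjectType = NULL. The kernel-mode C below is an added example written for this thread, not code from either poster or from Microsoft; the routine name and the assumption that it runs in the calling process's context (for example directly in an IRP_MJ_DEVICE_CONTROL dispatch routine, not from a work item) are mine. It needs ntifs.h from the WDK/IFS kit, which is where ZwDuplicateObject is declared.

```c
#include <ntifs.h>   // ZwDuplicateObject is declared here, not in ntddk.h

// Hypothetical helper (not from the thread): given a handle that arrived from a
// user-mode caller, return a referenced pointer to the key object it names, or
// fail. The caller must ObDereferenceObject(*KeyObject) when done with it.
// Must be called in the context of the process that owns UserKeyHandle.
NTSTATUS
RefKeyObjectFromUserHandle(
    _In_ HANDLE UserKeyHandle,
    _Out_ PVOID *KeyObject
    )
{
    NTSTATUS status;
    HANDLE kernelHandle = NULL;
    KEY_BASIC_INFORMATION basic;
    ULONG resultLength = 0;
    PVOID object = NULL;

    *KeyObject = NULL;

    // 1. Duplicate the caller's handle into the kernel handle table. The copy
    //    lives in a table user mode cannot reach, so closing or reusing the
    //    original handle slot can no longer change which object we look at.
    //    DUPLICATE_SAME_ACCESS keeps the caller's granted access mask.
    status = ZwDuplicateObject(ZwCurrentProcess(),
                               UserKeyHandle,
                               ZwCurrentProcess(),
                               &kernelHandle,
                               0,
                               OBJ_KERNEL_HANDLE,
                               DUPLICATE_SAME_ACCESS);
    if (!NT_SUCCESS(status)) {
        return status;                  // e.g. STATUS_INVALID_HANDLE
    }

    // 2. Ask the private copy to do something only keys do. ZwQueryKey fails
    //    with STATUS_OBJECT_TYPE_MISMATCH if the object is not a registry key.
    //    A buffer that is too small for the name still proves the type, so
    //    those two status codes count as success here.
    status = ZwQueryKey(kernelHandle,
                        KeyBasicInformation,
                        &basic,
                        sizeof(basic),
                        &resultLength);
    if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_BUFFER_TOO_SMALL) {
        status = STATUS_SUCCESS;
    }

    // 3. Take a referenced pointer through the same private handle. ObjectType
    //    is NULL because the key object type is not exported; step 2 already
    //    established the type, and the object cannot change under us now.
    if (NT_SUCCESS(status)) {
        status = ObReferenceObjectByHandle(kernelHandle,
                                           KEY_QUERY_VALUE,
                                           NULL,
                                           KernelMode,
                                           &object,
                                           NULL);
    }

    // 4. The handle copy has done its job. The object stays alive through the
    //    reference even if the caller closes their own handle afterwards.
    ZwClose(kernelHandle);

    if (NT_SUCCESS(status)) {
        *KeyObject = object;
    }
    return status;
}
```

One caveat a practitioner should keep in mind: because the duplicate is a kernel handle, both ZwQueryKey (previous mode kernel) and ObReferenceObjectByHandle with KernelMode skip the access check against the handle's granted access mask. If the driver needs to be sure the caller actually holds a particular right on the key, inspect the copy's granted access (ZwQueryObject with ObjectBasicInformation) before step 3 rather than relying on the DesiredAccess argument.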
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Friday, August 05, 2005 10:21 AM
To: Windows System Software Devs Interest List
Subject: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object from handle
Use undocumented means of getting the KeyObjectType, like ZwOpenKey+ObReferenceObjectByHandle+digging into the undocumented object header. It holds a type pointer.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com