SeAccessCheck XP Issue

Hi,

I am testing my filter again on XP and am running into an access violation that I don’t understand:

Access violation - code c0000005 (!!! second chance !!!)
nt!SepSidInToken+0x24:
805ef614 0fb64301 movzx eax,byte ptr [ebx+1]

nt!SepSidInToken+0x24
nt!SepTokenIsOwner+0x4d
nt!SeAccessCheck+0xc5

Granted = SeAccessCheck(
    SecurityDescriptor,
    &SubjectContext,
    FALSE,
    ImpliedAccess,
    0,
    &PrivilegeSet,
    IoGetFileObjectGenericMapping(),
    (Data->Iopb->OperationFlags & SL_FORCE_ACCESS_CHECK) ?
        UserMode : Data->RequestorMode,
    GrantedAccess,
    &Status
    );

I have tried passing both the subject context passed to me in the create parameters as well as a context initialized using SeCaptureSubjectContext().

Here is the subject context:

dt cpdrm!SECURITY_SUBJECT_CONTEXT 8a08587c
+0x000 ClientToken : (null)
+0x004 ImpersonationLevel : 0 ( SecurityAnonymous )
+0x008 PrimaryToken : 0xe106d8c0
+0x00c ProcessAuditId : 0x00000614

I’m guessing that the NULL client token is being dereferenced?

FYI this works fine on Vista.

Any ideas what I am doing wrong?

Thanks,
Matt

I figured it out. When I requested the descriptor from the underlying FSD I was only requesting the DACL and not the entire descriptor. (The documentation isn’t too clear that you can logically OR together the security information you are requesting.)
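The resolution above comes down to two things: the SECURITY_INFORMATION flags are a bitmask that must be combined so the descriptor carries an Owner and Group, and a descriptor missing those SIDs should never reach SeAccessCheck. Here is an added example (not from the original thread, and not WDK code) in portable C that declares the self-relative SECURITY_DESCRIPTOR and SID layouts inline and checks a constructed descriptor before it would be used for an owner-aware access check:

```c
/* Added example: validate a self-relative SECURITY_DESCRIPTOR before an
 * owner-aware access check. Layouts and flag values are the documented
 * Windows ones, declared here so this builds without the WDK. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define OWNER_SECURITY_INFORMATION 0x1u
#define GROUP_SECURITY_INFORMATION 0x2u
#define DACL_SECURITY_INFORMATION  0x4u
#define SE_SELF_RELATIVE           0x8000u

/* What to request from the FSD when the result feeds SeAccessCheck:
 * the flags are ORed together, not chosen one at a time. */
#define ACCESS_CHECK_SECURITY_INFORMATION \
    (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION)

/* Self-relative header: Owner/Group/Sacl/Dacl are byte offsets, 0 = absent. */
typedef struct { uint8_t Revision, Sbz1; uint16_t Control;
                 uint32_t Owner, Group, Sacl, Dacl; } SD_REL;

/* SID header is 8 bytes (Revision, SubAuthorityCount, 6-byte authority),
 * followed by 4 bytes per sub-authority; reject offsets that run off the end. */
static int sid_fits(const uint8_t *buf, size_t len, uint32_t off) {
    if (off == 0 || (size_t)off + 8 > len) return 0;
    uint8_t n = buf[off + 1];
    return n <= 15 && (size_t)off + 8 + 4u * n <= len;
}

/* 1 if Owner and Group SIDs are present and in bounds. A descriptor fetched
 * with only DACL_SECURITY_INFORMATION has Owner == 0 and Group == 0 and fails. */
int sd_usable_for_access_check(const uint8_t *buf, size_t len) {
    SD_REL sd;
    if (len < sizeof sd) return 0;
    memcpy(&sd, buf, sizeof sd);
    if (sd.Revision != 1 || !(sd.Control & SE_SELF_RELATIVE)) return 0;
    return sid_fits(buf, len, sd.Owner) && sid_fits(buf, len, sd.Group);
}

/* Constructed sample descriptor (NULL DACL); SID bytes encode S-1-5-18. */
static size_t build_sd(uint8_t *out, int with_owner_group) {
    static const uint8_t sid[12] = {1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
    SD_REL sd = {1, 0, SE_SELF_RELATIVE, 0, 0, 0, 0};
    size_t len = sizeof sd;
    if (with_owner_group) {
        sd.Owner = (uint32_t)len; memcpy(out + len, sid, sizeof sid); len += sizeof sid;
        sd.Group = (uint32_t)len; memcpy(out + len, sid, sizeof sid); len += sizeof sid;
    }
    memcpy(out, &sd, sizeof sd);
    return len;
}

/* DACL-only request (the bug in the thread) vs. the combined request. */
int check_dacl_only(void) { uint8_t b[64]; return sd_usable_for_access_check(b, build_sd(b, 0)); }
int check_full(void)      { uint8_t b[64]; return sd_usable_for_access_check(b, build_sd(b, 1)); }
```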