Hi experts
In my current project I replace several ZwXxx APIs with my own wrapper
functions.
While monitoring the ZwCreateFile it appears that system security
somehow is violated. When applying my wrapper the user seems to get full
access to directories. The “System Volume Information” for example can
be viewed from within the Windows Explorer.
I need more information about this topic, but don’t know what to look
for. I’ve tried every search term I can think of. Please help.
Kind regards,
Tobias
Take a look at those articles on http://www.osronline.com/section.cfm?id=17
“Nt vs. Zw - Clearing Confusion On The Native API”
“Sidebar Discussion – Nt vs. Zw Continued”
In most cases, such wrappers cannot be used for security purposes
because of Time Of Check Time Of Use race conditions:
http://www.securityfocus.com/archive/1/348570
Best regards,
Andrey
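The race condition mentioned in the reply above, as an added example that is not part of any post in this thread: a user-mode C simulation of a wrapper that validates a caller-supplied path and then lets the original routine read the same buffer again, next to a variant that captures the path once. All names (`wrapper_racy`, `wrapper_captured`, `original_service`, `swap_path`) and the path policy are hypothetical, and the caller's second thread is modelled by a callback.

```c
#include <stdio.h>
#include <string.h>

#define PATH_LEN 64
typedef void (*race_fn)(char *shared); /* models a second thread of the caller */

/* Constructed policy: deny anything under "System Volume Information". */
static int path_allowed(const char *p) {
    return strstr(p, "System Volume Information") == NULL;
}

/* Stand-in for the original service; returns 1 if a protected path was opened. */
static int original_service(const char *p) { return !path_allowed(p); }

/* Racy wrapper: validates the caller's buffer, then passes the same buffer on. */
int wrapper_racy(char *user_path, race_fn between) {
    if (!path_allowed(user_path)) return -1;   /* time of check */
    if (between) between(user_path);           /* caller rewrites its buffer */
    return original_service(user_path);        /* time of use: re-reads it */
}

/* Capturing wrapper: copy once, then check and use only the private copy. */
int wrapper_captured(char *user_path, race_fn between) {
    char captured[PATH_LEN];
    strncpy(captured, user_path, sizeof captured - 1);
    captured[sizeof captured - 1] = '\0';
    if (!path_allowed(captured)) return -1;
    if (between) between(user_path);           /* change no longer matters */
    return original_service(captured);
}

static void swap_path(char *shared) {
    strcpy(shared, "C:\\System Volume Information");
}

/* Returns -1 denied, 0 allowed path opened, 1 protected path opened. */
int demo(int use_capture) {
    char buf[PATH_LEN] = "C:\\Temp\\report.txt";   /* constructed input */
    return use_capture ? wrapper_captured(buf, swap_path)
                       : wrapper_racy(buf, swap_path);
}

int main(void) {
    printf("racy wrapper:      %d\n", demo(0));
    printf("capturing wrapper: %d\n", demo(1));
    return 0;
}
```

Capturing only closes the gap when the routine that does the real work is given the captured copy; a wrapper that checks a copy but forwards the caller's original pointer is still racy.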
Andrey Kolishak wrote:
Take a look at those articles on http://www.osronline.com/section.cfm?id=17
“Nt vs. Zw - Clearing Confusion On The Native API”
“Sidebar Discussion – Nt vs. Zw Continued”
In most cases, such wrappers cannot be used for security purposes
because of Time Of Check Time Of Use race conditions:
http://www.securityfocus.com/archive/1/348570
Thank you very much for pointing me at those excellent resources!
Tobias